This bug was fixed in the package linux-kvm - 5.4.0-1096.102 --------------- linux-kvm (5.4.0-1096.102) focal; urgency=medium * focal/linux-kvm: 5.4.0-1096.102 -proposed tracker (LP: #2026574) * Packaging resync (LP: #1786013) - [Packaging] resync update-dkms-versions helper - [Packaging] resync getabis [ Ubuntu: 5.4.0-156.173 ] * focal/linux: 5.4.0-156.173 -proposed tracker (LP: #2026585) * CVE-2023-3390 - netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE * Focal update: v5.4.241 upstream stable release (LP: #2023930) - scsi: ses: Handle enclosure with just a primary component gracefully - x86/PCI: Add quirk for AMD XHCI controller that loses MSI-X state in D3hot - cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() - treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD() - smb3: fix problem with null cifs super block with previous patch - pinctrl: amd: Use irqchip template - pinctrl: amd: disable and mask interrupts on probe - pinctrl: amd: Disable and mask interrupts on resume - pwm: cros-ec: Explicitly set .polarity in .get_state() - pwm: sprd: Explicitly set .polarity in .get_state() - wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta - icmp: guard against too small mtu - net: don't let netpoll invoke NAPI if in xmit context - sctp: check send stream number after wait_for_sndbuf - ipv6: Fix an uninit variable access bug in __ip6_make_skb() - gpio: davinci: Add irq chip flag to skip set wake - sunrpc: only free unix grouplist after RCU settles - NFSD: callback request does not use correct credential for AUTH_SYS - xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough iommu - USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs - usb: typec: altmodes/displayport: Fix configure initial pin assignment - USB: serial: option: add Telit FE990 compositions - USB: serial: option: add Quectel RM500U-CN modem - iio: adc: ti-ads7950: Set `can_sleep` flag for GPIO chip - iio: dac: cio-dac: Fix max DAC write value check for 12-bit - tty: serial: sh-sci: Fix transmit end interrupt handler - tty: serial: sh-sci: Fix Rx on RZ/G2L SCI - tty: serial: fsl_lpuart: avoid checking for transfer complete when UARTCTRL_SBK is asserted in lpuart32_tx_empty - nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() - nilfs2: fix sysfs interface lifetime - ALSA: hda/realtek: Add quirk for Clevo X370SNW - perf/core: Fix the same task check in perf_event_set_output - ftrace: Mark get_lock_parent_ip() __always_inline - can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access - tracing: Free error logs of tracing instances - net_sched: prevent NULL dereference if default qdisc setup failed - drm/panfrost: Fix the panfrost_mmu_map_fault_addr() error path - ring-buffer: Fix race while reader and writer are on the same page - mm/swap: fix swap_info_struct race between swapoff and get_swap_pages() - irqdomain: Look for existing mapping only once - irqdomain: Refactor __irq_domain_alloc_irqs() - irqdomain: Fix mapping-creation race - Revert "pinctrl: amd: Disable and mask interrupts on resume" - ALSA: emu10k1: fix capture interrupt handler unlinking - ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard - ALSA: i2c/cs8427: fix iec958 mixer control deactivation - ALSA: firewire-tascam: add missing unwind goto in snd_tscm_stream_start_duplex() - ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards - Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} - Bluetooth: Fix race condition in hidp_session_thread - btrfs: print checksum type and implementation at mount time - btrfs: fix fast csum implementation detection - mtdblock: tolerate corrected bit-flips - mtd: rawnand: meson: fix bitmask for length in command word - mtd: rawnand: stm32_fmc2: remove unsupported EDO mode - niu: Fix missing unwind goto in niu_alloc_channels() - qlcnic: check pci_reset_function result - sctp: fix a potential overflow in sctp_ifwdtsn_skip - RDMA/core: Fix GID entry ref leak when create_ah fails - udp6: fix potential access to stale information - net: macb: fix a memory corruption in extended buffer descriptor mode - power: supply: cros_usbpd: reclassify "default case!" as debug - i2c: imx-lpi2c: clean rx/tx buffers upon new message - efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L - drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F - verify_pefile: relax wrapper length check - asymmetric_keys: log on fatal failures in PE/pkcs7 - ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size - mtd: ubi: wl: Fix a couple of kernel-doc issues - ubi: Fix deadlock caused by recursively holding work_sem - i2c: ocores: generate stop condition after timeout in polling mode - watchdog: sbsa_wdog: Make sure the timeout programming is within the limits - coresight-etm4: Fix for() loop drvdata->nr_addr_cmp range bug - xfs: show the proper user quota options - xfs: remove the kuid/kgid conversion wrappers - xfs: add a new xfs_sb_version_has_v3inode helper - xfs: only check the superblock version for dinode size calculation - xfs: simplify di_flags2 inheritance in xfs_ialloc - xfs: simplify a check in xfs_ioctl_setattr_check_cowextsize - xfs: remove the di_version field from struct icdinode - xfs: set inode size after creating symlink - xfs: report corruption only as a regular error - xfs: shut down the filesystem if we screw up quota reservation - xfs: consider shutdown in bmapbt cursor delete assert - xfs: don't reuse busy extents on extent trim - xfs: force log and push AIL to clear pinned inodes when aborting mount - Linux 5.4.241 * [UBUNTU 20.04] [HPS] Kernel panic with "refcount_t: underflow" in mlx5 driver (LP: #2019011) - net/mlx5: cmdif, Avoid skipping reclaim pages if FW is not accessible - net/mlx5: Fix handling of entry refcount when command is not issued to FW * Disable hv-kvp-daemon if /dev/vmbus/hv_kvp is not present (LP: #2024900) - [Packaging] disable hv-kvp-daemon if needed * CVE-2023-35001 - netfilter: nf_tables: prevent OOB access in nft_byteorder_eval * CVE-2023-32629 - ovl: adhere to the vfs_ vs. ovl_do_ conventions for xattrs * CVE-2023-3141 - memstick: r592: Fix UAF bug in r592_remove due to race condition * CVE-2023-3111 - btrfs: check return value of btrfs_commit_transaction in relocation - btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() * CVE-2023-3090 - ipvlan:Fix out-of-bounds caused by unclear skb->cb * CVE-2023-1611 - btrfs: fix race between quota disable and quota assign ioctls * CVE-2022-0168 - cifs: move some variables off the stack in smb2_ioctl_query_info - cifs: prevent bad output lengths in smb2_ioctl_query_info() - cifs: fix NULL ptr dereference in smb2_ioctl_query_info() * CVE-2022-27672 - x86/speculation: Identify processors vulnerable to SMT RSB predictions - KVM: x86: Mitigate the cross-thread return address predictions bug - Documentation/hw-vuln: Add documentation for Cross-Thread Return Predictions * Severe NFS performance degradation after LP #2003053 (LP: #2022098) - SAUCE: Make NFS file-access stale cache behaviour opt-in * Encountering an issue with memcpy_fromio causing failed boot of SEV-enabled guest (LP: #2020319) - x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO * Focal update: v5.4.240 upstream stable release (LP: #2023601) - net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf() - power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition - iavf: fix inverted Rx hash condition leading to disabled hash - iavf: fix non-tunneled IPv6 UDP packet type and hashing - intel/igbvf: free irq on the error path in igbvf_request_msix() - igbvf: Regard vf reset nack as success - i2c: imx-lpi2c: check only for enabled interrupt flags - scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() - net: usb: smsc95xx: Limit packet length to skb->len - qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info - net: qcom/emac: Fix use after free bug in emac_remove due to race condition - net/ps3_gelic_net: Fix RX sk_buff length - net/ps3_gelic_net: Use dma_mapping_error - keys: Do not cache key in task struct if key is requested from kernel thread - bpf: Adjust insufficient default bpf_jit_limit - net/mlx5: Read the TC mapping of all priorities on ETS query - atm: idt77252: fix kmemleak when rmmod idt77252 - erspan: do not use skb_mac_header() in ndo_start_xmit() - net/sonic: use dma_mapping_error() for error check - nvme-tcp: fix nvme_tcp_term_pdu to match spec - hvc/xen: prevent concurrent accesses to the shared ring - net: mdio: thunder: Add missing fwnode_handle_put() - Bluetooth: btqcomsmd: Fix command timeout after setting BD address - platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl - hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs - scsi: qla2xxx: Perform lockless command completion in abort path - uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 - thunderbolt: Use const qualifier for `ring_interrupt_index` - riscv: Bump COMMAND_LINE_SIZE value to 1024 - ca8210: fix mac_len negative array access - m68k: Only force 030 bus error if PC not in exception table - selftests/bpf: check that modifier resolves after pointer - scsi: target: iscsi: Fix an error message in iscsi_check_key() - scsi: ufs: core: Add soft dependency on governor_simpleondemand - scsi: lpfc: Avoid usage of list iterator variable after loop - net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 - net: usb: qmi_wwan: add Telit 0x1080 composition - sh: sanitize the flags on sigreturn - cifs: empty interface list when server doesn't support query interfaces - scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR - usb: gadget: u_audio: don't let userspace block driver unbind - fsverity: Remove WQ_UNBOUND from fsverity read workqueue - igb: revert rtnl_lock() that causes deadlock - dm thin: fix deadlock when swapping to thin device - usb: cdns3: Fix issue with using incorrect PCI device function - usb: chipdea: core: fix return -EINVAL if request role is the same with current role - usb: chipidea: core: fix possible concurrent when switch role - wifi: mac80211: fix qos on mesh interfaces - nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() - i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() - dm stats: check for and propagate alloc_percpu failure - dm crypt: add cond_resched() to dmcrypt_write() - sched/fair: sanitize vruntime of entity being placed - sched/fair: Sanitize vruntime of entity being migrated - tun: avoid double free in tun_free_netdev - ocfs2: fix data corruption after failed write - fsverity: don't drop pagecache at end of FS_IOC_ENABLE_VERITY - bus: imx-weim: fix branch condition evaluates to a garbage value - md: avoid signed overflow in slot_store() - ALSA: asihpi: check pao in control_message() - ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() - fbdev: tgafb: Fix potential divide by zero - sched_getaffinity: don't assume 'cpumask_size()' is fully initialized - fbdev: nvidia: Fix potential divide by zero - fbdev: intelfb: Fix potential divide by zero - fbdev: lxfb: Fix potential divide by zero - fbdev: au1200fb: Fix potential divide by zero - ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx() - dma-mapping: drop the dev argument to arch_sync_dma_for_* - mips: bmips: BCM6358: disable RAC flush for TP1 - mtd: rawnand: meson: invalidate cache on polling ECC bit - scsi: megaraid_sas: Fix crash after a double completion - ptp_qoriq: fix memory leak in probe() - regulator: fix spelling mistake "Cant" -> "Can't" - regulator: Handle deferred clk - net/net_failover: fix txq exceeding warning - can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write - s390/vfio-ap: fix memory leak in vfio_ap device driver - i40e: fix registers dump after run ethtool adapter self test - bnxt_en: Fix typo in PCI id to device description string mapping - net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only - net: mvneta: make tx buffer array agnostic - pinctrl: ocelot: Fix alt mode for ocelot - Input: alps - fix compatibility with -funsigned-char - Input: focaltech - use explicitly signed char type - cifs: prevent infinite recursion in CIFSGetDFSRefer() - cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL - Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table - xen/netback: don't do grant copy across page boundary - pinctrl: at91-pio4: fix domain name assignment - NFSv4: Fix hangs when recovering open state after a server reboot - ALSA: hda/conexant: Partial revert of a quirk for Lenovo - ALSA: usb-audio: Fix regression on detection of Roland VS-100 - drm/etnaviv: fix reference leak when mmaping imported buffer - btrfs: scan device in non-exclusive mode - ext4: fix kernel BUG in 'ext4_write_inline_data_end()' - net_sched: add __rcu annotation to netdev->qdisc - net: sched: fix race condition in qdisc_graft() - firmware: arm_scmi: Fix device node validation for mailbox transport - gfs2: Always check inode size of inline inodes - Linux 5.4.240 * Focal update: v5.4.239 upstream stable release (LP: #2023600) - Linux 5.4.239 * CVE-2023-2124 - xfs: verify buffer contents when we skip log replay * CVE-2020-36691 - netlink: limit recursion depth in policy validation * CVE-2022-1184 - ext4: check if directory block is within i_size - ext4: fix check for block being out of directory size * CVE-2022-4269 - net: sched: extract qstats update code into functions - net: sched: don't expose action qstats to skb_tc_reinsert() - net/sched: act_mirred: refactor the handle of xmit - net: sched: remove unused tcf_result extension - net/sched: act_mirred: better wording on protection against excessive stack growth - act_mirred: use the backlog for nested calls to mirred ingress * Focal update: v5.4.238 upstream stable release (LP: #2023427) - ext4: fix cgroup writeback accounting with fs-layer encryption - xfrm: Allow transport-mode states with AF_UNSPEC selector - drm/panfrost: Don't sync rpm suspension after mmu flushing - cifs: Move the in_send statistic to __smb_send_rqst() - drm/meson: fix 1px pink line on GXM when scaling video overlay - clk: HI655X: select REGMAP instead of depending on it - docs: Correct missing "d_" prefix for dentry_operations member d_weak_revalidate - scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add() - ALSA: hda - add Intel DG1 PCI and HDMI ids - ALSA: hda - controller is in GPU on the DG1 - ALSA: hda: Add Alderlake-S PCI ID and HDMI codec vid - ALSA: hda: Add Intel DG2 PCI ID and HDMI codec vid - ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU() - netfilter: nft_redir: correct value of inet type `.maxattrs` - scsi: core: Fix a comment in function scsi_host_dev_release() - scsi: core: Fix a procfs host directory removal regression - tcp: tcp_make_synack() can be called from process context - nfc: pn533: initialize struct pn533_out_arg properly - ipvlan: Make skb->skb_iif track skb->dev for l3s mode - i40e: Fix kernel crash during reboot when adapter is in recovery mode - qed/qed_dev: guard against a possible division by zero - net: tunnels: annotate lockless accesses to dev->needed_headroom - net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails - nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition - net: usb: smsc75xx: Limit packet length to skb->len - nvmet: avoid potential UAF in nvmet_req_complete() - block: sunvdc: add check for mdesc_grab() returning NULL - ipv4: Fix incorrect table ID in IOCTL path - net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull - net/iucv: Fix size of interrupt data - ethernet: sun: add check for the mdesc_grab() - hwmon: (adt7475) Display smoothing attributes in correct order - hwmon: (adt7475) Fix masking of hysteresis registers - hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition - hwmon: (ina3221) return prober error code - media: m5mols: fix off-by-one loop termination error - mmc: atmel-mci: fix race between stop command and start of next command - jffs2: correct logic when creating a hole in jffs2_write_begin - ext4: fail ext4_iget if special inode unallocated - ext4: fix task hung in ext4_xattr_delete_inode - drm/amdkfd: Fix an illegal memory access - sh: intc: Avoid spurious sizeof-pointer-div warning - ext4: fix possible double unlock when moving a directory - tty: serial: fsl_lpuart: skip waiting for transmission complete when UARTCTRL_SBK is asserted - interconnect: fix mem leak when freeing nodes - tracing: Check field value in hist_field_name() - tracing: Make tracepoint lockdep check actually test something - ftrace: Fix invalid address access in lookup_rec() when index is 0 - fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks - x86/mm: Fix use of uninitialized buffer in sme_enable() - drm/i915: Don't use stolen memory for ring buffers with LLC - serial: 8250_em: Fix UART port type - s390/ipl: add missing intersection check to ipl_report handling - PCI: Unify delay handling for reset and resume - HID: core: Provide new max_buffer_size attribute to over-ride the default - HID: uhid: Over-ride the default maximum data buffer value with our own - Linux 5.4.238 * Focal update: v5.4.237 upstream stable release (LP: #2023420) - fs: prevent out-of-bounds array speculation when closing a file descriptor - x86/CPU/AMD: Disable XSAVES on AMD family 0x17 - drm/connector: print max_requested_bpc in state debugfs - ext4: fix RENAME_WHITEOUT handling for inline directories - ext4: fix another off-by-one fsmap error on 1k block filesystems - ext4: move where set the MAY_INLINE_DATA flag is set - ext4: fix WARNING in ext4_update_inline_data - ext4: zero i_disksize when initializing the bootloader inode - nfc: change order inside nfc_se_io error path - iommu/amd: Add PCI segment support for ivrs_[ioapic/hpet/acpihid] commands - iommu/amd: Fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options - iommu/amd: Add a length limitation for the ivrs_acpihid command-line parameter - ipmi:ssif: make ssif_i2c_send() void - ipmi:ssif: resend_msg() cannot fail - ipmi:ssif: Remove rtc_us_timer - ipmi:ssif: Increase the message retry time - ipmi:ssif: Add a timer between request retries - irqdomain: Change the type of 'size' in __irq_domain_add() to be consistent - irqdomain: Fix domain registration race - iommu/vt-d: Fix PASID directory pointer coherency - SMB3: Backup intent flag missing from some more ops - cifs: Fix uninitialized memory read in smb3_qfs_tcon() - scsi: core: Remove the /proc/scsi/${proc_name} directory earlier - ext4: Fix possible corruption when moving a directory - drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register - nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties - ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() - selftests: nft_nat: ensuring the listening side is up before starting the client - net: usb: lan78xx: Remove lots of set but unused 'ret' variables - net: lan78xx: fix accessing the LAN7800's internal phy specific registers from the MAC driver - net: caif: Fix use-after-free in cfusbl_device_notify() - bnxt_en: Avoid order-5 memory allocation for TPA data - netfilter: tproxy: fix deadlock due to missing BH disable - btf: fix resolving BTF_KIND_VAR after ARRAY, STRUCT, UNION, PTR - scsi: megaraid_sas: Update max supported LD IDs to 240 - net/smc: fix fallback failed while sendmsg with fastopen - riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode - ext4: Fix deadlock during directory rename - MIPS: Fix a compilation issue - alpha: fix R_ALPHA_LITERAL reloc for large modules - macintosh: windfarm: Use unsigned type for 1-bit bitfields - PCI: Add SolidRun vendor ID - media: ov5640: Fix analogue gain control - ipmi/watchdog: replace atomic_add() and atomic_sub() - ipmi:watchdog: Set panic count to proper value on a panic - drm/i915: Don't use BAR mappings for ring buffers with LLC - x86, vmlinux.lds: Add RUNTIME_DISCARD_EXIT to generic DISCARDS - arch: fix broken BuildID for arm64 and riscv - powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT - powerpc/vmlinux.lds: Don't discard .rela* for relocatable builds - s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36 - sh: define RUNTIME_DISCARD_EXIT - UML: define RUNTIME_DISCARD_EXIT - s390/dasd: add missing discipline function - Linux 5.4.237 * Focal update: v5.4.236 upstream stable release (LP: #2020390) - staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling a script - staging: rtl8192e: Remove call_usermodehelper starting RadioPower.sh - Linux 5.4.236 * Packaging resync (LP: #1786013) - [Packaging] resync update-dkms-versions helper -- Portia Stephens