lp:~ubuntu-kernel/ubuntu/+source/linux/+git/noble

Author: Stefan Bader
Author Date: 2026-03-06 14:22:38 UTC

UBUNTU: Ubuntu-6.8.0-106.106

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

Author: Pu Lehui
Author Date: 2026-05-03 19:37:00 UTC

riscv, bpf: Optimize bswap insns with Zbb support

BugLink: https://bugs.launchpad.net/bugs/2142235

Optimize bswap instructions by rev8 Zbb instruction conbined with srli
instruction. And Optimize 16-bit zero-extension with Zbb support.

Signed-off-by: Pu Lehui<pulehui@huawei.com>
Signed-off-by: Daniel Borkmann<daniel@iogearbox.net>
Tested-by: Björn Töpel<bjorn@rivosinc.com>
Acked-by: Björn Töpel<bjorn@kernel.org>
Link:https://lore.kernel.org/bpf/20240115131235.2914289-7-pulehui@huaweicloud.com

(cherry picked from commit 06a33d024838414432b6c0f51f994e7f1695b74f)
Signed-off-by: Sarah Emery<sarah.emery@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

Author: Edoardo Canepa
Author Date: 2026-02-20 13:48:07 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-104.104.1

Signed-off-by: Edoardo Canepa <edoardo.canepa@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2026-02-13 17:29:37 UTC

UBUNTU: Ubuntu-6.8.0-102.102

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Mehmet Basaran
Author Date: 2026-02-12 23:40:42 UTC

UBUNTU: Ubuntu-hwe-6.17-6.17.0-16.16~24.04.1

Signed-off-by: Mehmet Basaran <mehmet.basaran@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2026-02-12 15:45:40 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-103.103.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2026-02-10 10:38:06 UTC

UBUNTU: Ubuntu-6.8.0-102.102

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2026-02-07 14:31:33 UTC

UBUNTU: Ubuntu-hwe-6.17-6.17.0-16.16~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2026-02-07 04:38:44 UTC

UBUNTU: Ubuntu-6.8.0-102.102

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2026-02-07 01:07:00 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-101.101.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Sean Heelan
Author Date: 2025-11-27 16:23:37 UTC

ksmbd: fix use-after-free in session logoff

commit 2fc9feff45d92a92cd5f96487655d5be23fb7e2b upstream.

The sess->user object can currently be in use by another thread, for
example if another connection has sent a session setup request to
bind to the session being free'd. The handler for that connection could
be in the smb2_sess_setup function which makes use of sess->user.

Signed-off-by: Sean Heelan <seanheelan@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Nazar Kalashnikov <sivartiwe@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CVE-2025-37899
Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2026-01-19 15:57:17 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-100.100.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2026-01-10 01:48:24 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-94.96.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2026-01-09 15:33:10 UTC

UBUNTU: Ubuntu-hwe-6.17-6.17.0-14.14~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2026-01-09 13:25:14 UTC

UBUNTU: Ubuntu-6.8.0-94.96

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Herbert Xu
Author Date: 2025-11-19 01:03:00 UTC

crypto: essiv - Check ssize for decryption and in-place encryption

Move the ssize check to the start in essiv_aead_crypt so that
it's also checked for decryption and in-place encryption.

Reported-by: Muhammad Alifa Ramdhan<ramdhan@starlabs.sg>
Fixes: be1eb7f78aa8 ("crypto: essiv - create wrapper template for ESSIV generation")
Signed-off-by: Herbert Xu<herbert@gondor.apana.org.au>

CVE-2025-40019
(cherry picked from commit 6bb73db6948c2de23e407fe1b7ef94bf02b7529f)
Signed-off-by: Ian Whitfield<ian.whitfield@canonical.com>
Acked-by: Tim Whisonant <tim.whisonant@canonical.com>
Acked-by: Philip Cox <philip.cox@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-12-13 15:54:11 UTC

UBUNTU: Ubuntu-6.8.0-91.92

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Stefan Bader
Author Date: 2025-12-01 11:26:44 UTC

UBUNTU: Ubuntu-hwe-6.17-6.17.0-9.9~24.04.2

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-11-24 11:13:53 UTC

UBUNTU: Ubuntu-6.8.0-91.92

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Stefan Bader
Author Date: 2025-11-20 08:36:06 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-37.37~24.04.1

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-11-18 13:42:33 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-90.91.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Manuel Diewald
Author Date: 2025-11-18 11:26:33 UTC

UBUNTU: Ubuntu-6.8.0-90.91

Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-11-15 04:22:27 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-89.90.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-11-15 03:00:06 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-37.37~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-11-14 12:30:44 UTC

UBUNTU: Ubuntu-6.8.0-89.90

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-10-15 14:54:05 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-88.89.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-10-14 20:17:33 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-36.36~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-10-11 14:26:08 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-35.35~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-10-11 11:46:06 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-87.88.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-10-10 19:10:47 UTC

UBUNTU: Ubuntu-6.8.0-87.88

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Kaixin Wang
Author Date: 2025-10-02 23:28:56 UTC

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.

If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                        | ssip_xmit_work
ssi_protocol_remove |
kfree(ssi); |
                        | struct hsi_client *cl = ssi->cl;
                        | // use ssi

Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().

Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20240918120749.1730-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
(cherry picked from commit e3f88665a78045fe35c7669d2926b8d97b892c11)
CVE-2025-37838
Signed-off-by: Tim Whisonant <tim.whisonant@canonical.com>
Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
Acked-by: Alessio Faina <alessio.faina@canonical.com>
Signed-off-by: Edoardo Canepa <edoardo.canepa@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-10-10 12:48:36 UTC

UBUNTU: Ubuntu-6.8.0-87.88

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-09-22 17:09:01 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-86.87.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-09-22 11:23:00 UTC

UBUNTU: Ubuntu-6.8.0-86.86

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-09-19 22:09:00 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-34.34~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-09-18 15:02:36 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-85.85.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-09-18 12:24:13 UTC

UBUNTU: Ubuntu-6.8.0-85.85

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Eyal Birger
Author Date: 2025-08-20 01:02:00 UTC

xfrm: interface: fix use-after-free after changing collect_md xfrm interface

collect_md property on xfrm interfaces can only be set on device creation,
thus xfrmi_changelink() should fail when called on such interfaces.

The check to enforce this was done only in the case where the xi was
returned from xfrmi_locate() which doesn't look for the collect_md
interface, and thus the validation was never reached.

Calling changelink would thus errornously place the special interface xi
in the xfrmi_net->xfrmi hash, but since it also exists in the
xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when
the net namespace was taken down [1].

Change the check to use the xi from netdev_priv which is available earlier
in the function to prevent changes in xfrm collect_md interfaces.

[1] resulting oops:
[ 8.516540] kernel BUG at net/core/dev.c:12029!
[ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI
[ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary)
[ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 8.516569] Workqueue: netns cleanup_net
[ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0
[ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24
[ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206
[ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60
[ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122
[ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100
[ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00
[ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00
[ 8.516615] FS: 0000000000000000(0000)GS:ffff98fee73b7000(0000) knlGS:0000000000000000
[ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0
[ 8.516625] PKRU: 55555554
[ 8.516627] Call Trace:
[ 8.516632] <TASK>
[ 8.516635] ? rtnl_is_locked+0x15/0x20
[ 8.516641] ? unregister_netdevice_queue+0x29/0xf0
[ 8.516650] ops_undo_list+0x1f2/0x220
[ 8.516659] cleanup_net+0x1ad/0x2e0
[ 8.516664] process_one_work+0x160/0x380
[ 8.516673] worker_thread+0x2aa/0x3c0
[ 8.516679] ? __pfx_worker_thread+0x10/0x10
[ 8.516686] kthread+0xfb/0x200
[ 8.516690] ? __pfx_kthread+0x10/0x10
[ 8.516693] ? __pfx_kthread+0x10/0x10
[ 8.516697] ret_from_fork+0x82/0xf0
[ 8.516705] ? __pfx_kthread+0x10/0x10
[ 8.516709] ret_from_fork_asm+0x1a/0x30
[ 8.516718] </TASK>

Fixes: abc340b38ba2 ("xfrm: interface: support collect metadata mode")
Reported-by: Lonial Con<kongln9170@gmail.com>
Signed-off-by: Eyal Birger<eyal.birger@gmail.com>
Signed-off-by: Steffen Klassert<steffen.klassert@secunet.com>

CVE-2025-38500
(cherry picked from commit a90b2a1aaacbcf0f91d7e4868ad6c51c5dee814b)
Signed-off-by: Tim Whisonant<tim.whisonant@canonical.com>
Acked-by: Zixing Liu <zixing.liu@canonical.com>
Acked-by: Bethany Jamison <bethany.jamison@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-09-18 01:05:07 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-33.33~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-29 10:05:15 UTC

UBUNTU: Ubuntu-6.8.0-80.80

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-16 16:25:46 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-80.80.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-15 02:15:00 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-30.30~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-12 11:42:24 UTC

UBUNTU: Ubuntu-6.8.0-74.74

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-12 11:01:33 UTC

UBUNTU: Ubuntu-6.8.0-79.79

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-12 09:24:27 UTC

UBUNTU: Ubuntu-6.8.0-72.72

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-08 23:32:57 UTC

UBUNTU: Ubuntu-6.8.0-74.74

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-08 04:16:47 UTC

UBUNTU: Ubuntu-6.8.0-74.74

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-07 22:58:02 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-29.29~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-07 21:26:32 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-73.73.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-08-07 14:15:27 UTC

UBUNTU: Ubuntu-6.8.0-73.73

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Octavian Purdila
Author Date: 2025-07-12 01:28:21 UTC

net_sched: sch_sfq: move the limit validation

It is not sufficient to directly validate the limit on the data that
the user passes as it can be updated based on how the other parameters
are changed.

Move the check at the end of the configuration update process to also
catch scenarios where the limit is indirectly updated, for example
with the following configurations:

tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 depth 1
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows 1 divisor 1

This fixes the following syzkaller reported crash:

------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in net/sched/sch_sfq.c:203:6
index 65535 is out of range for type 'struct sfq_head[128]'
CPU: 1 UID: 0 PID: 3037 Comm: syz.2.16 Not tainted 6.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x201/0x300 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0xf5/0x120 lib/ubsan.c:429
 sfq_link net/sched/sch_sfq.c:203 [inline]
 sfq_dec+0x53c/0x610 net/sched/sch_sfq.c:231
 sfq_dequeue+0x34e/0x8c0 net/sched/sch_sfq.c:493
 sfq_reset+0x17/0x60 net/sched/sch_sfq.c:518
 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
 tbf_reset+0x41/0x110 net/sched/sch_tbf.c:339
 qdisc_reset+0x12e/0x600 net/sched/sch_generic.c:1035
 dev_reset_queue+0x100/0x1b0 net/sched/sch_generic.c:1311
 netdev_for_each_tx_queue include/linux/netdevice.h:2590 [inline]
 dev_deactivate_many+0x7e5/0xe70 net/sched/sch_generic.c:1375

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 10685681bafc ("net_sched: sch_sfq: don't allow 1 packet limit")
Signed-off-by: Octavian Purdila <tavip@google.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backported from commit b3bf8f63e6179076b57c9de660c9f80b5abefe70)
[tswhison: Used q->limit in if check, because
8c0cea59d40c ("net_sched: sch_sfq: use a temporary work
area for validating configuration")
is missing. Leave NL_SET_ERR_MSG_MOD() in place.]
CVE-2024-57996
CVE-2025-37752
Signed-off-by: Tim Whisonant <tim.whisonant@canonical.com>
Acked-by: Ian Whitfield <ian.whitfield@canonical.com>
Acked-by: John Cabaj <john.cabaj@canonical.com>
Signed-off-by: Mehmet Basaran <mehmet.basaran@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-23 12:31:14 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-72.72.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-23 11:57:10 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-28.28~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-23 10:07:24 UTC

UBUNTU: Ubuntu-6.8.0-72.72

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-22 15:26:32 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-27.27~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-22 14:02:44 UTC

UBUNTU: Ubuntu-6.8.0-65.68

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-18 00:28:23 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-70.70.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-18 00:06:20 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-26.26~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-11 18:09:44 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-25.25~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-11 16:48:19 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-65.68.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-11 11:08:03 UTC

UBUNTU: Ubuntu-6.8.0-65.68

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-11 08:37:08 UTC

UBUNTU: Ubuntu-6.8.0-65.68

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Eric Dumazet
Author Date: 2025-06-25 23:00:00 UTC

net_sched: prio: fix a race in prio_tune()

Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer
fires at the wrong time.

The race is as follows:

CPU 0 CPU 1
[1]: lock root
[2]: qdisc_tree_flush_backlog()
[3]: unlock root
  |
  | [5]: lock root
  | [6]: rehash
  | [7]: qdisc_tree_reduce_backlog()
  |
[4]: qdisc_put()

This can be abused to underflow a parent's qlen.

Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog()
should fix the race, because all packets will be purged from the qdisc
before releasing the lock.

Fixes: 7b8e0b6e6599 ("net: sched: prio: delay destroying child qdiscs on change")
Reported-by: Gerrard Tai<gerrard.tai@starlabs.sg>
Suggested-by: Gerrard Tai<gerrard.tai@starlabs.sg>
Signed-off-by: Eric Dumazet<edumazet@google.com>
Link:https://patch.msgid.link/20250611111515.1983366-2-edumazet@google.com
Signed-off-by: Jakub Kicinski<kuba@kernel.org>

CVE-2025-38083
(cherry picked from commit d35acc1be3480505b5931f17e4ea9b7617fea4d3)
Signed-off-by: Tim Whisonant<tim.whisonant@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Wei-Lin Chang <weilin.chang@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-07-07 14:24:57 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-24.24~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Austin Rhodes
Author Date: 2025-07-03 17:50:22 UTC

UBUNTU: Ubuntu-lowlatency-hwe-6.11-6.11.0-1016.17~24.04.1

Signed-off-by: Austin Rhodes <austin.rhodes@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-30 10:27:16 UTC

UBUNTU: Ubuntu-lowlatency-hwe-6.11-6.11.0-1016.17~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-27 08:30:40 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-24.24~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Stefan Bader
Author Date: 2025-06-26 12:36:57 UTC

UBUNTU: Ubuntu-hwe-6.11-6.11.0-29.29~24.04.1

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-24 00:14:24 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-24.24~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-23 22:54:03 UTC

UBUNTU: Ubuntu-hwe-6.11-6.11.0-29.29~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-23 21:31:41 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-62.65.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-23 21:09:08 UTC

UBUNTU: Ubuntu-hwe-6.11-6.11.0-28.28~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-23 14:31:11 UTC

UBUNTU: Ubuntu-6.8.0-64.67

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-23 13:16:39 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-64.67.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-18 12:43:54 UTC

UBUNTU: Ubuntu-6.8.0-63.66

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-17 22:11:56 UTC

UBUNTU: Ubuntu-hwe-6.14-6.14.0-23.23~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2025-06-17 18:56:32 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-63.66.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Cong Wang
Author Date: 2025-05-27 21:48:11 UTC

codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()

After making all ->qlen_notify() callbacks idempotent, now it is safe to
remove the check of qlen!=0 from both fq_codel_dequeue() and
codel_qdisc_dequeue().

Reported-by: Gerrard Tai <gerrard.tai@starlabs.sg>
Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250403211636.166257-1-xiyou.wangcong@gmail.com
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(cherry picked from commit 342debc12183b51773b3345ba267e9263bdfaaef)
CVE-2025-37798
Signed-off-by: Ian Whitfield <ian.whitfield@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Edoardo Canepa <edoardo.canepa@canonical.com>
Signed-off-by: Mehmet Basaran <mehmet.basaran@canonical.com>

Author: Thadeu Lima de Souza Cascardo
Author Date: 2025-03-13 04:21:44 UTC

Bluetooth: btmtk: avoid UAF in btmtk_process_coredump

[ Upstream commit b548f5e9456c568155499d9ebac675c0d7a296e8 ]

hci_devcd_append may lead to the release of the skb, so it cannot be
accessed once it is called.

==================================================================
BUG: KASAN: slab-use-after-free in btmtk_process_coredump+0x2a7/0x2d0 [btmtk]
Read of size 4 at addr ffff888033cfabb0 by task kworker/0:3/82

CPU: 0 PID: 82 Comm: kworker/0:3 Tainted: G U 6.6.40-lockdep-03464-g1d8b4eb3060e #1 b0b3c1cc0c842735643fb411799d97921d1f688c
Hardware name: Google Yaviks_Ufs/Yaviks_Ufs, BIOS Google_Yaviks_Ufs.15217.552.0 05/07/2024
Workqueue: events btusb_rx_work [btusb]
Call Trace:
 <TASK>
 dump_stack_lvl+0xfd/0x150
 print_report+0x131/0x780
 kasan_report+0x177/0x1c0
 btmtk_process_coredump+0x2a7/0x2d0 [btmtk 03edd567dd71a65958807c95a65db31d433e1d01]
 btusb_recv_acl_mtk+0x11c/0x1a0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]
 btusb_rx_work+0x9e/0xe0 [btusb 675430d1e87c4f24d0c1f80efe600757a0f32bec]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Allocated by task 82:
 stack_trace_save+0xdc/0x190
 kasan_set_track+0x4e/0x80
 __kasan_slab_alloc+0x4e/0x60
 kmem_cache_alloc+0x19f/0x360
 skb_clone+0x132/0xf70
 btusb_recv_acl_mtk+0x104/0x1a0 [btusb]
 btusb_rx_work+0x9e/0xe0 [btusb]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30

Freed by task 1733:
 stack_trace_save+0xdc/0x190
 kasan_set_track+0x4e/0x80
 kasan_save_free_info+0x28/0xb0
 ____kasan_slab_free+0xfd/0x170
 kmem_cache_free+0x183/0x3f0
 hci_devcd_rx+0x91a/0x2060 [bluetooth]
 worker_thread+0xe44/0x2cc0
 kthread+0x2ff/0x3a0
 ret_from_fork+0x51/0x80
 ret_from_fork_asm+0x1b/0x30

The buggy address belongs to the object at ffff888033cfab40
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 112 bytes inside of
 freed 232-byte region [ffff888033cfab40, ffff888033cfac28)

The buggy address belongs to the physical page:
page:00000000a174ba93 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33cfa
head:00000000a174ba93 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x4000000000000840(slab|head|zone=1)
page_type: 0xffffffff()
raw: 4000000000000840 ffff888100848a00 0000000000000000 0000000000000001
raw: 0000000000000000 0000000080190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888033cfaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888033cfab00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff888033cfab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff888033cfac00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff888033cfac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Check if we need to call hci_devcd_complete before calling
hci_devcd_append. That requires that we check data->cd_info.cnt >=
MTK_COREDUMP_NUM instead of data->cd_info.cnt > MTK_COREDUMP_NUM, as we
increment data->cd_info.cnt only once the call to hci_devcd_append
succeeds.

Fixes: 0b7015132878 ("Bluetooth: btusb: mediatek: add MediaTek devcoredump support")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
CVE-2024-56653
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>

Author: Imre Deak
Author Date: 2025-02-24 15:18:02 UTC

drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()

While receiving an MST up request message from one thread in
drm_dp_mst_handle_up_req(), the MST topology could be removed from
another thread via drm_dp_mst_topology_mgr_set_mst(false), freeing
mst_primary and setting drm_dp_mst_topology_mgr::mst_primary to NULL.
This could lead to a NULL deref/use-after-free of mst_primary in
drm_dp_mst_handle_up_req().

Avoid the above by holding a reference for mst_primary in
drm_dp_mst_handle_up_req() while it's used.

v2: Fix kfreeing the request if getting an mst_primary reference fails.

Cc: Lyude Paul <lyude@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com> (v1)
Signed-off-by: Imre Deak <imre.deak@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241204132007.3132494-1-imre.deak@intel.com

CVE-2024-57798
(cherry picked from commit e54b00086f7473dbda1a7d6fc47720ced157c6a8)
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Acked-by: Koichiro Den <koichiro.den@canonical.com>
Acked-by: Stewart Hore <stewart.hore@canonical.com>
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>

Author: Juerg Haefliger
Author Date: 2025-01-23 16:06:35 UTC

UBUNTU: [Packaging] linux-tools: Fall back to old python perf path

BugLink: https://bugs.launchpad.net/bugs/2089411

linux-tools from older kernels without these patches provide the
perf python library in a different/broken path, so we have to look
there as well. Sigh.

Signed-off-by: Juerg Haefliger <juerg.haefliger@canonical.com>
Acked-by: Kevin Becker <kevin.becker@canonical.com>
Acked-by: Agathe Porte <agathe.porte@canonical.com>
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>

Author: Lion Ackermann
Author Date: 2025-01-08 01:20:44 UTC

net: sched: fix ordering of qlen adjustment

Changes to sch->q.qlen around qdisc_tree_reduce_backlog() need to happen
_before_ a call to said function because otherwise it may fail to notify
parent qdiscs when the child is about to become empty.

Signed-off-by: Lion Ackermann <nnamrec@gmail.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 5eb7de8cd58e73851cd37ff8d0666517d9926948)
CVE-2024-53164
Signed-off-by: Ian Whitfield <ian.whitfield@canonical.com>
Acked-by: Magali Lemes <magali.lemes@canonical.com>
Acked-by: Benjamin M Romer <benjamin.romer@canonical.com>
Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-12-04 02:48:36 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-50.51.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-12-04 02:01:07 UTC

UBUNTU: Ubuntu-hwe-6.11-6.11.0-13.14~24.04.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-12-02 15:17:18 UTC

UBUNTU: Ubuntu-6.8.0-51.52

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Wei Xu
Author Date: 2024-11-21 23:05:00 UTC

mm/mglru: only clear kswapd_failures if reclaimable

BugLink: https://bugs.launchpad.net/bugs/2087886

lru_gen_shrink_node() unconditionally clears kswapd_failures, which can
prevent kswapd from sleeping and cause 100% kswapd cpu usage even when
kswapd repeatedly fails to make progress in reclaim.

Only clear kswap_failures in lru_gen_shrink_node() if reclaim makes some
progress, similar to shrink_node().

I happened to run into this problem in one of my tests recently. It
requires a combination of several conditions: The allocator needs to
allocate a right amount of pages such that it can wake up kswapd
without itself being OOM killed; there is no memory for kswapd to
reclaim (My test disables swap and cleans page cache first); no other
process frees enough memory at the same time.

Link: https://lkml.kernel.org/r/20241014221211.832591-1-weixugc@google.com
Fixes: e4dde56cd208 ("mm: multi-gen LRU: per-node lru_gen_folio lists")
Signed-off-by: Wei Xu <weixugc@google.com>
Cc: Axel Rasmussen <axelrasmussen@google.com>
Cc: Brian Geffon <bgeffon@google.com>
Cc: Jan Alexander Steffens <heftig@archlinux.org>
Cc: Suleiman Souhlal <suleiman@google.com>
Cc: Yu Zhao <yuzhao@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

(cherry picked from commit b130ba4a6259f6b64d8af15e9e7ab1e912bcb7ad)
Signed-off-by: Matthew Ruffell <matthew.ruffell@canonical.com>
Acked-by: Koichiro Den <koichiro.den@canonical.com>
Acked-by: Agathe Porte <agathe.porte@canonical.com>
Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-11-21 22:15:47 UTC

UBUNTU: Ubuntu-6.8.0-51.51

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-11-15 16:29:06 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-49.49.1

Signed-off-by: Ubuntu Kernel Bot <kernel-team-bot+auto-prepare@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-11-15 14:56:22 UTC

UBUNTU: Ubuntu-6.8.0-49.49

Signed-off-by: Ubuntu Kernel Bot <kernel-team-bot+auto-prepare@canonical.com>

Author: Mehmet Basaran
Author Date: 2024-11-09 20:38:45 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-49.49.1

Signed-off-by: Mehmet Basaran <mehmet.basaran@canonical.com>

Author: Mehmet Basaran
Author Date: 2024-11-07 21:05:21 UTC

UBUNTU: Ubuntu-6.8.0-50.50

Signed-off-by: Mehmet Basaran <mehmet.basaran@canonical.com>

Author: Stephen Hemminger
Author Date: 2024-10-09 16:43:42 UTC

sch/netem: fix use after free in netem_dequeue

commit 3b3a2a9c6349e25a025d2330f479bc33a6ccb54a upstream.

If netem_dequeue() enqueues packet to inner qdisc and that qdisc
returns __NET_XMIT_STOLEN. The packet is dropped but
qdisc_tree_reduce_backlog() is not called to update the parent's
q.qlen, leading to the similar use-after-free as Commit
e04991a48dbaf382 ("netem: fix return value if duplicate enqueue
fails")

Commands to trigger KASAN UaF:

ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress
redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF

Fixes: 50612537e9ab ("netem: fix classful handling")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Link: https://patch.msgid.link/20240901182438.4992-1-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 32008ab989ddcff1a485fa2b4906234c25dc5cd6 linux-6.10.y)
CVE-2024-46800
Signed-off-by: Bethany Jamison <bethany.jamison@canonical.com>
Acked-by: Ivan Hu <ivan.hu@canonical.com>
Acked-by: Guoqing Jiang <guoqing.jiang@canonical.com>
Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-10-25 21:55:54 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-48.48.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-10-25 21:07:43 UTC

UBUNTU: Ubuntu-6.8.0-48.48

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-10-24 10:39:44 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-47.47.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Stephen Hemminger
Author Date: 2024-09-24 15:45:00 UTC

netem: fix return value if duplicate enqueue fails

There is a bug in netem_enqueue() introduced by
commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
that can lead to a use-after-free.

This commit made netem_enqueue() always return NET_XMIT_SUCCESS
when a packet is duplicated, which can cause the parent qdisc's q.qlen
to be mistakenly incremented. When this happens qlen_notify() may be
skipped on the parent during destruction, leaving a dangling pointer
for some classful qdiscs like DRR.

There are two ways for the bug happen:

- If the duplicated packet is dropped by rootq->enqueue() and then
  the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc
  and the original packet is dropped.

In both cases NET_XMIT_SUCCESS is returned even though no packets
are enqueued at the netem qdisc.

The fix is to defer the enqueue of the duplicate packet until after
the original packet has been guaranteed to return NET_XMIT_SUCCESS.

Fixes: 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240819175753.5151-1-stephen@networkplumber.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

CVE-2024-45016
(cherry picked from commit c07ff8592d57ed258afee5a5e04991a48dbaf382)
Signed-off-by: Ian Whitfield <ian.whitfield@canonical.com>
Acked-by: Magali Lemes <magali.lemes@canonical.com>
Acked-by: Jacob Martin <jacob.martin@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-09-02 15:25:58 UTC

UBUNTU: Ubuntu-lowlatency-6.8.0-45.45.1

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-09-02 04:07:59 UTC

UBUNTU: Ubuntu-6.8.0-45.45

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>

Author: Daniel Borkmann
Author Date: 2024-06-21 14:08:27 UTC

bpf: Fix overrunning reservations in ringbuf

BugLink: https://bugs.launchpad.net/bugs/2076435

[ Upstream commit cfa1a2329a691ffd991fcf7248a57d752e712881 ]

The BPF ring buffer internally is implemented as a power-of-2 sized circular
buffer, with two logical and ever-increasing counters: consumer_pos is the
consumer counter to show which logical position the consumer consumed the
data, and producer_pos which is the producer counter denoting the amount of
data reserved by all producers.

Each time a record is reserved, the producer that "owns" the record will
successfully advance producer counter. In user space each time a record is
read, the consumer of the data advanced the consumer counter once it finished
processing. Both counters are stored in separate pages so that from user
space, the producer counter is read-only and the consumer counter is read-write.

One aspect that simplifies and thus speeds up the implementation of both
producers and consumers is how the data area is mapped twice contiguously
back-to-back in the virtual memory, allowing to not take any special measures
for samples that have to wrap around at the end of the circular buffer data
area, because the next page after the last data page would be first data page
again, and thus the sample will still appear completely contiguous in virtual
memory.

Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for
book-keeping the length and offset, and is inaccessible to the BPF program.
Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ`
for the BPF program to use. Bing-Jhong and Muhammad reported that it is however
possible to make a second allocated memory chunk overlapping with the first
chunk and as a result, the BPF program is now able to edit first chunk's
header.

For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size
of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to
bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in
[0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets
allocate a chunk B with size 0x3000. This will succeed because consumer_pos
was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask`
check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able
to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned
earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data
pages. This means that chunk B at [0x4000,0x4008] is chunk A's header.
bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then
locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk
B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong
page and could cause a crash.

Fix it by calculating the oldest pending_pos and check whether the range
from the oldest outstanding record to the newest would span beyond the ring
buffer size. If that is the case, then reject the request. We've tested with
the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh)
before/after the fix and while it seems a bit slower on some benchmarks, it
is still not significantly enough to matter.

Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Reported-by: Muhammad Ramdhan <ramdhan@starlabs.sg>
Co-developed-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Co-developed-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20240621140828.18238-1-daniel@iogearbox.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Portia Stephens <portia.stephens@canonical.com>
Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
CVE-2024-41009
Signed-off-by: Manuel Diewald <manuel.diewald@canonical.com>

Author: Ubuntu Kernel Bot
Author Date: 2024-08-25 19:40:18 UTC

UBUNTU: Ubuntu-6.8.0-40.40

Signed-off-by: Ubuntu Kernel Bot <ubuntu-kernel-bot@canonical.com>