Import Debian changes 5.4.0-1129.139

linux-aws (5.4.0-1129.139) focal; urgency=medium

  * focal/linux-aws: 5.4.0-1129.139 -proposed tracker (LP: #2072063)

  [ Ubuntu: 5.4.0-190.210 ]

  * focal/linux: 5.4.0-190.210 -proposed tracker (LP: #2072108)
  * CVE-2024-36016
    - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
  * CVE-2022-48655
    - firmware: arm_scmi: Harden accesses to the reset domains
  * CVE-2024-26907
    - RDMA/mlx5: Fix fortify source warning while accessing Eth segment
  * CVE-2024-26585
    - tls: fix race between tx work scheduling and socket close
  * CVE-2024-26584
    - net: tls: handle backlogging of crypto requests
  * CVE-2024-26583
    - net/tls: Replace TLS_RX_SYNC_RUNNING with RCU
    - net/tls: Fix use-after-free after the TLS device goes down and up
    - tls: splice_read: fix record type check
    - tls splice: remove inappropriate flags checking for MSG_PEEK
    - tls: splice_read: fix accessing pre-processed records
    - tls: Fix context leak on tls_device_down
    - net/tls: Check for errors in tls_device_init
    - net/tls: Remove the context from the list in tls_device_down
    - net/tls: pass context to tls_device_decrypted()
    - net/tls: Perform immediate device ctx cleanup when possible
    - net/tls: Multi-threaded calls to TX tls_dev_del
    - net: tls: avoid discarding data on record close
    - tls: rx: don't store the record type in socket context
    - tls: rx: don't store the decryption status in socket context
    - tls: rx: don't issue wake ups when data is decrypted
    - tls: rx: refactor decrypt_skb_update()
    - tls: hw: rx: use return value of tls_device_decrypted() to carry status
    - tls: rx: drop unnecessary arguments from tls_setup_from_iter()
    - tls: rx: don't report text length from the bowels of decrypt
    - tls: rx: wrap decryption arguments in a structure
    - tls: rx: factor out writing ContentType to cmsg
    - tls: rx: don't track the async count
    - tls: rx: assume crypto always calls our callback
    - tls: rx: use async as an in-out argument
    - tls: decrement decrypt_pending if no async completion will be called
    - net: tls: fix async vs NIC crypto offload
    - tls: rx: simplify async wait
    - tls: extract context alloc/initialization out of tls_set_sw_offload
    - net: tls: factor out tls_*crypt_async_wait()
    - tls: fix race between async notify and socket close

debian.aws/changelog

@@ -1,3 +1,54 @@
+linux-aws (5.4.0-1129.139) focal; urgency=medium
+
+  * focal/linux-aws: 5.4.0-1129.139 -proposed tracker (LP: #2072063)
+
+  [ Ubuntu: 5.4.0-190.210 ]
+
+  * focal/linux: 5.4.0-190.210 -proposed tracker (LP: #2072108)
+  * CVE-2024-36016
+    - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
+  * CVE-2022-48655
+    - firmware: arm_scmi: Harden accesses to the reset domains
+  * CVE-2024-26907
+    - RDMA/mlx5: Fix fortify source warning while accessing Eth segment
+  * CVE-2024-26585
+    - tls: fix race between tx work scheduling and socket close
+  * CVE-2024-26584
+    - net: tls: handle backlogging of crypto requests
+  * CVE-2024-26583
+    - net/tls: Replace TLS_RX_SYNC_RUNNING with RCU
+    - net/tls: Fix use-after-free after the TLS device goes down and up
+    - tls: splice_read: fix record type check
+    - tls splice: remove inappropriate flags checking for MSG_PEEK
+    - tls: splice_read: fix accessing pre-processed records
+    - tls: Fix context leak on tls_device_down
+    - net/tls: Check for errors in tls_device_init
+    - net/tls: Remove the context from the list in tls_device_down
+    - net/tls: pass context to tls_device_decrypted()
+    - net/tls: Perform immediate device ctx cleanup when possible
+    - net/tls: Multi-threaded calls to TX tls_dev_del
+    - net: tls: avoid discarding data on record close
+    - tls: rx: don't store the record type in socket context
+    - tls: rx: don't store the decryption status in socket context
+    - tls: rx: don't issue wake ups when data is decrypted
+    - tls: rx: refactor decrypt_skb_update()
+    - tls: hw: rx: use return value of tls_device_decrypted() to carry status
+    - tls: rx: drop unnecessary arguments from tls_setup_from_iter()
+    - tls: rx: don't report text length from the bowels of decrypt
+    - tls: rx: wrap decryption arguments in a structure
+    - tls: rx: factor out writing ContentType to cmsg
+    - tls: rx: don't track the async count
+    - tls: rx: assume crypto always calls our callback
+    - tls: rx: use async as an in-out argument
+    - tls: decrement decrypt_pending if no async completion will be called
+    - net: tls: fix async vs NIC crypto offload
+    - tls: rx: simplify async wait
+    - tls: extract context alloc/initialization out of tls_set_sw_offload
+    - net: tls: factor out tls_*crypt_async_wait()
+    - tls: fix race between async notify and socket close
+
+ -- Philip Cox <philip.cox@canonical.com>  Wed, 17 Jul 2024 09:57:25 +0300
+
 linux-aws (5.4.0-1128.138) focal; urgency=medium
 
   * focal/linux-aws: 5.4.0-1128.138 -proposed tracker (LP: #2068400)

debian.aws/tracking-bug

@@ -1 +1 @@
-2068400 2024.06.10-1
+2072063 s2024.06.10-1

debian.master/changelog

@@ -1,3 +1,56 @@
+linux (5.4.0-190.210) focal; urgency=medium
+
+  * focal/linux: 5.4.0-190.210 -proposed tracker (LP: #2072108)
+
+  * CVE-2024-36016
+    - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
+
+  * CVE-2022-48655
+    - firmware: arm_scmi: Harden accesses to the reset domains
+
+  * CVE-2024-26907
+    - RDMA/mlx5: Fix fortify source warning while accessing Eth segment
+
+  * CVE-2024-26585
+    - tls: fix race between tx work scheduling and socket close
+
+  * CVE-2024-26584
+    - net: tls: handle backlogging of crypto requests
+
+  * CVE-2024-26583
+    - net/tls: Replace TLS_RX_SYNC_RUNNING with RCU
+    - net/tls: Fix use-after-free after the TLS device goes down and up
+    - tls: splice_read: fix record type check
+    - tls splice: remove inappropriate flags checking for MSG_PEEK
+    - tls: splice_read: fix accessing pre-processed records
+    - tls: Fix context leak on tls_device_down
+    - net/tls: Check for errors in tls_device_init
+    - net/tls: Remove the context from the list in tls_device_down
+    - net/tls: pass context to tls_device_decrypted()
+    - net/tls: Perform immediate device ctx cleanup when possible
+    - net/tls: Multi-threaded calls to TX tls_dev_del
+    - net: tls: avoid discarding data on record close
+    - tls: rx: don't store the record type in socket context
+    - tls: rx: don't store the decryption status in socket context
+    - tls: rx: don't issue wake ups when data is decrypted
+    - tls: rx: refactor decrypt_skb_update()
+    - tls: hw: rx: use return value of tls_device_decrypted() to carry status
+    - tls: rx: drop unnecessary arguments from tls_setup_from_iter()
+    - tls: rx: don't report text length from the bowels of decrypt
+    - tls: rx: wrap decryption arguments in a structure
+    - tls: rx: factor out writing ContentType to cmsg
+    - tls: rx: don't track the async count
+    - tls: rx: assume crypto always calls our callback
+    - tls: rx: use async as an in-out argument
+    - tls: decrement decrypt_pending if no async completion will be called
+    - net: tls: fix async vs NIC crypto offload
+    - tls: rx: simplify async wait
+    - tls: extract context alloc/initialization out of tls_set_sw_offload
+    - net: tls: factor out tls_*crypt_async_wait()
+    - tls: fix race between async notify and socket close
+
+ -- Manuel Diewald <manuel.diewald@canonical.com>  Fri, 05 Jul 2024 17:04:36 +0200
+
 linux (5.4.0-189.209) focal; urgency=medium
 
   * focal/linux: 5.4.0-189.209 -proposed tracker (LP: #2068454)

debian.master/tracking-bug

@@ -1 +1 @@
-2068454 2024.06.10-1
+2072108 s2024.06.10-1

debian/changelog

@@ -1,3 +1,54 @@
+linux-aws (5.4.0-1129.139) focal; urgency=medium
+
+  * focal/linux-aws: 5.4.0-1129.139 -proposed tracker (LP: #2072063)
+
+  [ Ubuntu: 5.4.0-190.210 ]
+
+  * focal/linux: 5.4.0-190.210 -proposed tracker (LP: #2072108)
+  * CVE-2024-36016
+    - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
+  * CVE-2022-48655
+    - firmware: arm_scmi: Harden accesses to the reset domains
+  * CVE-2024-26907
+    - RDMA/mlx5: Fix fortify source warning while accessing Eth segment
+  * CVE-2024-26585
+    - tls: fix race between tx work scheduling and socket close
+  * CVE-2024-26584
+    - net: tls: handle backlogging of crypto requests
+  * CVE-2024-26583
+    - net/tls: Replace TLS_RX_SYNC_RUNNING with RCU
+    - net/tls: Fix use-after-free after the TLS device goes down and up
+    - tls: splice_read: fix record type check
+    - tls splice: remove inappropriate flags checking for MSG_PEEK
+    - tls: splice_read: fix accessing pre-processed records
+    - tls: Fix context leak on tls_device_down
+    - net/tls: Check for errors in tls_device_init
+    - net/tls: Remove the context from the list in tls_device_down
+    - net/tls: pass context to tls_device_decrypted()
+    - net/tls: Perform immediate device ctx cleanup when possible
+    - net/tls: Multi-threaded calls to TX tls_dev_del
+    - net: tls: avoid discarding data on record close
+    - tls: rx: don't store the record type in socket context
+    - tls: rx: don't store the decryption status in socket context
+    - tls: rx: don't issue wake ups when data is decrypted
+    - tls: rx: refactor decrypt_skb_update()
+    - tls: hw: rx: use return value of tls_device_decrypted() to carry status
+    - tls: rx: drop unnecessary arguments from tls_setup_from_iter()
+    - tls: rx: don't report text length from the bowels of decrypt
+    - tls: rx: wrap decryption arguments in a structure
+    - tls: rx: factor out writing ContentType to cmsg
+    - tls: rx: don't track the async count
+    - tls: rx: assume crypto always calls our callback
+    - tls: rx: use async as an in-out argument
+    - tls: decrement decrypt_pending if no async completion will be called
+    - net: tls: fix async vs NIC crypto offload
+    - tls: rx: simplify async wait
+    - tls: extract context alloc/initialization out of tls_set_sw_offload
+    - net: tls: factor out tls_*crypt_async_wait()
+    - tls: fix race between async notify and socket close
+
+ -- Philip Cox <philip.cox@canonical.com>  Wed, 17 Jul 2024 09:57:25 +0300
+
 linux-aws (5.4.0-1128.138) focal; urgency=medium
 
   * focal/linux-aws: 5.4.0-1128.138 -proposed tracker (LP: #2068400)

debian/control

@@ -55,7 +55,7 @@ Vcs-Git: git://git.launchpad.net/~canonical-kernel/ubuntu/+source/linux-aws/+git
 XS-Testsuite: autopkgtest
 #XS-Testsuite-Depends: gcc-4.7 binutils
 
-Package: linux-aws-headers-5.4.0-1128
+Package: linux-aws-headers-5.4.0-1129
 Build-Profiles: <!stage1>
 Architecture: all
 Multi-Arch: foreign
@@ -66,46 +66,46 @@ Breaks: iscsitarget-dkms (<< 1.4.20.3+svn502-2ubuntu4.4)
 Description: Header files related to Linux kernel version 5.4.0
  This package provides kernel header files for version 5.4.0, for sites
  that want the latest kernel headers. Please read
- /usr/share/doc/linux-aws-headers-5.4.0-1128/debian.README.gz for details
+ /usr/share/doc/linux-aws-headers-5.4.0-1129/debian.README.gz for details
 
-Package: linux-aws-tools-5.4.0-1128
+Package: linux-aws-tools-5.4.0-1129
 Build-Profiles: <!stage1>
 Architecture: amd64 arm64
 Section: devel
 Priority: optional
 Depends: ${misc:Depends}, ${shlibs:Depends}, linux-tools-common
-Description: Linux kernel version specific tools for version 5.4.0-1128
+Description: Linux kernel version specific tools for version 5.4.0-1129
  This package provides the architecture dependant parts for kernel
  version locked tools (such as perf and x86_energy_perf_policy) for
- version 5.4.0-1128 on
+ version 5.4.0-1129 on
  64 bit x86.
- You probably want to install linux-tools-5.4.0-1128-<flavour>.
+ You probably want to install linux-tools-5.4.0-1129-<flavour>.
 
-Package: linux-aws-cloud-tools-5.4.0-1128
+Package: linux-aws-cloud-tools-5.4.0-1129
 Build-Profiles: <!stage1>
 Architecture: amd64 arm64
 Section: devel
 Priority: optional
 Depends: ${misc:Depends}, ${shlibs:Depends}, linux-cloud-tools-common
-Description: Linux kernel version specific cloud tools for version 5.4.0-1128
+Description: Linux kernel version specific cloud tools for version 5.4.0-1129
  This package provides the architecture dependant parts for kernel
- version locked tools for cloud tools for version 5.4.0-1128 on
+ version locked tools for cloud tools for version 5.4.0-1129 on
  64 bit x86.
- You probably want to install linux-cloud-tools-5.4.0-1128-<flavour>.
+ You probably want to install linux-cloud-tools-5.4.0-1129-<flavour>.
 
 
 
-Package: linux-image-unsigned-5.4.0-1128-aws
+Package: linux-image-unsigned-5.4.0-1129-aws
 Build-Profiles: <!stage1>
 Architecture: amd64 arm64
 Section: kernel
 Priority: optional
 Provides: linux-image, fuse-module, aufs-dkms, ${linux:rprovides}
-Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-5.4.0-1128-aws
+Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-5.4.0-1129-aws
 Recommends: grub-pc [amd64] | grub-efi-amd64 [amd64] | grub-efi-ia32 [amd64] | grub [amd64] | lilo [amd64] | grub-efi-arm64 [arm64], initramfs-tools | linux-initramfs-tool
 Breaks: flash-kernel (<< 3.90ubuntu2) [arm64 armhf], s390-tools (<< 2.3.0-0ubuntu3) [s390x]
-Conflicts: linux-image-5.4.0-1128-aws
-Suggests: fdutils, linux-aws-doc-5.4.0 | linux-aws-source-5.4.0, linux-aws-tools, linux-headers-5.4.0-1128-aws
+Conflicts: linux-image-5.4.0-1129-aws
+Suggests: fdutils, linux-aws-doc-5.4.0 | linux-aws-source-5.4.0, linux-aws-tools, linux-headers-5.4.0-1129-aws
 Description: Linux kernel image for version 5.4.0 on 64 bit x86 SMP
  This package contains the unsigned Linux kernel image for version 5.4.0 on
  64 bit x86 SMP.
@@ -118,7 +118,7 @@ Description: Linux kernel image for version 5.4.0 on 64 bit x86 SMP
  the linux-aws meta-package, which will ensure that upgrades work
  correctly, and that supporting packages are also installed.
 
-Package: linux-modules-5.4.0-1128-aws
+Package: linux-modules-5.4.0-1129-aws
 Build-Profiles: <!stage1>
 Architecture: amd64 arm64
 Section: kernel
@@ -138,12 +138,12 @@ Description: Linux kernel extra modules for version 5.4.0 on 64 bit x86 SMP
  the linux-aws meta-package, which will ensure that upgrades work
  correctly, and that supporting packages are also installed.
 
-Package: linux-modules-extra-5.4.0-1128-aws
+Package: linux-modules-extra-5.4.0-1129-aws
 Build-Profiles: <!stage1>
 Architecture: amd64 arm64
 Section: kernel
 Priority: optional
-Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-5.4.0-1128-aws | linux-image-unsigned-5.4.0-1128-aws, crda | wireless-crda
+Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-5.4.0-1129-aws | linux-image-unsigned-5.4.0-1129-aws, crda | wireless-crda
 Description: Linux kernel extra modules for version 5.4.0 on 64 bit x86 SMP
  This package contains the Linux kernel extra modules for version 5.4.0 on
  64 bit x86 SMP.
@@ -156,21 +156,21 @@ Description: Linux kernel extra modules for version 5.4.0 on 64 bit x86 SMP
  the linux-modules-extra-aws meta-package, which will ensure that upgrades
  work correctly, and that supporting packages are also installed.
 
-Package: linux-headers-5.4.0-1128-aws
+Package: linux-headers-5.4.0-1129-aws
 Build-Profiles: <!stage1>
 Architecture: amd64 arm64
 Section: devel
 Priority: optional
-Depends: ${misc:Depends}, linux-aws-headers-5.4.0-1128, ${shlibs:Depends}
+Depends: ${misc:Depends}, linux-aws-headers-5.4.0-1129, ${shlibs:Depends}
 Provides: linux-headers, linux-headers-3.0
 Description: Linux kernel headers for version 5.4.0 on 64 bit x86 SMP
  This package provides kernel header files for version 5.4.0 on
  64 bit x86 SMP.
  .
  This is for sites that want the latest kernel headers.  Please read
- /usr/share/doc/linux-headers-5.4.0-1128/debian.README.gz for details.
+ /usr/share/doc/linux-headers-5.4.0-1129/debian.README.gz for details.
 
-Package: linux-image-unsigned-5.4.0-1128-aws-dbgsym
+Package: linux-image-unsigned-5.4.0-1129-aws-dbgsym
 Build-Profiles: <!stage1>
 Architecture: amd64 arm64
 Section: devel
@@ -187,27 +187,27 @@ Description: Linux kernel debug image for version 5.4.0 on 64 bit x86 SMP
  is uncompressed, and unstripped. This package also includes the
  unstripped modules.
 
-Package: linux-tools-5.4.0-1128-aws
+Package: linux-tools-5.4.0-1129-aws
 Build-Profiles: <!stage1>
 Architecture: amd64 arm64
 Section: devel
 Priority: optional
-Depends: ${misc:Depends}, linux-aws-tools-5.4.0-1128
-Description: Linux kernel version specific tools for version 5.4.0-1128
+Depends: ${misc:Depends}, linux-aws-tools-5.4.0-1129
+Description: Linux kernel version specific tools for version 5.4.0-1129
  This package provides the architecture dependant parts for kernel
  version locked tools (such as perf and x86_energy_perf_policy) for
- version 5.4.0-1128 on
+ version 5.4.0-1129 on
  64 bit x86.
 
-Package: linux-cloud-tools-5.4.0-1128-aws
+Package: linux-cloud-tools-5.4.0-1129-aws
 Build-Profiles: <!stage1>
 Architecture: amd64 arm64
 Section: devel
 Priority: optional
-Depends: ${misc:Depends}, linux-aws-cloud-tools-5.4.0-1128
-Description: Linux kernel version specific cloud tools for version 5.4.0-1128
+Depends: ${misc:Depends}, linux-aws-cloud-tools-5.4.0-1129
+Description: Linux kernel version specific cloud tools for version 5.4.0-1129
  This package provides the architecture dependant parts for kernel
- version locked tools for cloud for version 5.4.0-1128 on
+ version locked tools for cloud for version 5.4.0-1129 on
  64 bit x86.
 
 Package: linux-udebs-aws
@@ -221,7 +221,7 @@ Description: Metapackage depending on kernel udebs
  for easier version and migration tracking.
 
 
-Package: linux-buildinfo-5.4.0-1128-aws
+Package: linux-buildinfo-5.4.0-1129-aws
 Build-Profiles: <!stage1>
 Architecture: amd64 arm64
 Section: kernel

drivers/firmware/arm_scmi/reset.c

@@ -135,8 +135,12 @@ static int scmi_domain_reset(const struct scmi_handle *handle, u32 domain,
 	struct scmi_xfer *t;
 	struct scmi_msg_reset_domain_reset *dom;
 	struct scmi_reset_info *pi = handle->reset_priv;
-	struct reset_dom_info *rdom = pi->dom_info + domain;
+	struct reset_dom_info *rdom;
 
+	if (domain >= pi->num_domains)
+		return -EINVAL;
+
+	rdom = pi->dom_info + domain;
 	if (rdom->async_reset)
 		flags |= ASYNCHRONOUS_RESET;
 

drivers/infiniband/hw/mlx5/qp.c

@@ -4144,7 +4144,7 @@ static void set_eth_seg(const struct ib_send_wr *wr, struct mlx5_ib_qp *qp,
 		 */
 		copysz = min_t(u64, *cur_edge - (void *)eseg->inline_hdr.start,
 			       left);
-		memcpy(eseg->inline_hdr.start, pdata, copysz);
+		memcpy(eseg->inline_hdr.data, pdata, copysz);
 		stride = ALIGN(sizeof(struct mlx5_wqe_eth_seg) -
 			       sizeof(eseg->inline_hdr.start) + copysz, 16);
 		*size += stride / 16;

drivers/tty/n_gsm.c

@@ -1974,8 +1974,12 @@ static void gsm0_receive(struct gsm_mux *gsm, unsigned char c)
 		break;
 	case GSM_DATA:		/* Data */
 		gsm->buf[gsm->count++] = c;
-		if (gsm->count == gsm->len)
+		if (gsm->count >= MAX_MRU) {
+			gsm->bad_size++;
+			gsm->state = GSM_SEARCH;
+		} else if (gsm->count >= gsm->len) {
 			gsm->state = GSM_FCS;
+		}
 		break;
 	case GSM_FCS:		/* FCS follows the packet */
 		gsm->received_fcs = c;
@@ -2055,7 +2059,7 @@ static void gsm1_receive(struct gsm_mux *gsm, unsigned char c)
 		gsm->state = GSM_DATA;
 		break;
 	case GSM_DATA:		/* Data */
-		if (gsm->count > gsm->mru) {	/* Allow one for the FCS */
+		if (gsm->count > gsm->mru || gsm->count > MAX_MRU) {	/* Allow one for the FCS */
 			gsm->state = GSM_OVERRUN;
 			gsm->bad_size++;
 		} else

include/linux/mlx5/qp.h

@@ -251,7 +251,10 @@ struct mlx5_wqe_eth_seg {
 	union {
 		struct {
 			__be16 sz;
-			u8     start[2];
+			union {
+				u8     start[2];
+				DECLARE_FLEX_ARRAY(u8, data);
+			};
 		} inline_hdr;
 		struct {
 			__be16 type;