-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 18 May 2025 14:01:11 +0200 Source: linux Architecture: source Version: 6.1.139-1 Distribution: bookworm-security Urgency: high Maintainer: Debian Kernel Team Changed-By: Salvatore Bonaccorso Changes: linux (6.1.139-1) bookworm-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.138 - ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset - drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() - [arm64] i2c: imx-lpi2c: Fix clock count when probe defers - [arm64] errata: Add missing sentinels to Spectre-BHB MIDR arrays - [x86] perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value. - amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload - [arm64] mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe - wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() - dm-integrity: fix a warning on invalid table line - dm: always update the array size in realloc_argv on success - [amd64] iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid - [amd64] iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) - [x86] platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU hotplug - ksmbd: fix use-after-free in kerberos authentication - cpufreq: Avoid using inconsistent policy->min and policy->max - cpufreq: Fix setting policy limits when frequency tables are used - tracing: Fix oob write in trace_seq_to_buffer() - xfs: fix error returns from xfs_bmapi_write - xfs: fix xfs_bmap_add_extent_delay_real for partial conversions - xfs: remove a racy if_bytes check in xfs_reflink_end_cow_extent - xfs: require XFS_SB_FEAT_INCOMPAT_LOG_XATTRS for attr log intent item recovery - xfs: check opcode and iovec count match in xlog_recover_attri_commit_pass2 - xfs: validate recovered name buffers when recovering xattr items - xfs: revert commit 44af6c7e59b12 - xfs: match lock mode in xfs_buffered_write_iomap_begin() - xfs: make the seq argument to xfs_bmapi_convert_delalloc() optional - xfs: make xfs_bmapi_convert_delalloc() to allocate the target offset - xfs: convert delayed extents to unwritten when zeroing post eof blocks - xfs: allow symlinks with short remote targets - xfs: make sure sb_fdblocks is non-negative - xfs: fix freeing speculative preallocations for preallocated files - xfs: allow unlinked symlinks and dirs with zero size - xfs: restrict when we try to align cow fork delalloc to cowextsz hints - [x86] KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (CVE-2025-21839) - dm-bufio: don't schedule in atomic context - ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence - wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release - vxlan: vnifilter: Fix unlocked deletion of default FDB entry - net/mlx5: E-Switch, Initialize MAC Address for Default GID - net/mlx5: E-switch, Fix error handling for enabling roce - [arm64] net: mscc: ocelot: treat 802.1ad tagged traffic as 802.1Q-untagged - [arm64] net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID - net_sched: drr: Fix double list add in class with netem as child qdisc - net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc - net_sched: ets: Fix double list add in class with netem as child qdisc - net_sched: qfq: Fix double list add in class with netem as child qdisc - ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr() - net: dlink: Correct endianness handling of led_mode - [arm64] net: dsa: felix: fix broken taprio gate states after clock jump - net: ipv6: fix UDPv6 GSO segmentation with NAT - bnxt_en: Fix coredump logic to free allocated buffer - bnxt_en: Fix out-of-bound memcpy() during ethtool -w - bnxt_en: Fix ethtool -d byte order for 32-bit values - nvme-tcp: fix premature queue removal and I/O failover - net: lan743x: Fix memleak issue when GSO enabled - net: fec: ERR007885 Workaround for conventional TX - [arm64] net: hns3: store rx VLAN tag offload state for VF - [arm64] net: hns3: fix an interrupt residual problem - [arm64] net: hns3: fixed debugfs tm_qset size - [arm64] net: hns3: defer calling ptp_clock_register() - PCI: imx6: Skip controller_id generation logic for i.MX7D - sch_htb: make htb_qlen_notify() idempotent - sch_drr: make drr_qlen_notify() idempotent - sch_hfsc: make hfsc_qlen_notify() idempotent - sch_qfq: make qfq_qlen_notify() idempotent - sch_ets: make est_qlen_notify() idempotent - [x86] Revert "x86/kexec: Allocate PGD for x86_64 transition page tables separately" - [arm64] firmware: arm_scmi: Balance device refcount when destroying devices - net: phy: microchip: force IRQ polling mode for lan88xx - Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" - [arm64,armhf] irqchip/gic-v2m: Mark a few functions __init - [arm64,armhf] irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (CVE-2025-37819) - dm: fix copying after src array boundaries - [arm64] iommu/arm-smmu-v3: Use the new rb tree helpers - [arm64] iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids - drm/amd/display: phase2 enable mst hdcp multiple displays - drm/amd/display: Clean up style problems in amdgpu_dm_hdcp.c - drm/amd/display: Change HDCP update sequence for DM - drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp - drm/amd/display: Fix slab-use-after-free in hdcp - ASoC: Use of_property_read_bool() - ASoC: soc-core: Stop using of_property_read_bool() for non-boolean properties https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.139 - dm: add missing unlock on in dm_keyslot_evict() - [arm64] dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2 - [arm64] can: mcan: m_can_class_unregister(): fix order of unregistration calls - can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls - ksmbd: prevent out-of-bounds stream writes by validating *pos - openvswitch: Fix unsafe attribute parsing in output_userspace() - ksmbd: fix memory leak in parse_lease_state() - sch_htb: make htb_deactivate() idempotent - gre: Fix again IPv6 link-local address generation. - can: mcp251xfd: fix TDC setting for low data bit rates - rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() - can: gw: fix RCU/BH usage in cgw_create_job() - ipv4: Drop tos parameter from flowi4_update_output() - ipvs: fix uninit-value for saddr in do_output_route4 - netfilter: ipset: fix region locking in hash types - bpf: Scrub packet on bpf_redirect_peer - [armhf] net: dsa: b53: allow leaky reserved multicast - [armhf] net: dsa: b53: fix clearing PVID of a port - [armhf] net: dsa: b53: fix flushing old pvid VLAN on pvid change - [armhf] net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave - [armhf] net: dsa: b53: always rejoin default untagged VLAN on bridge leave - [armhf] net: dsa: b53: fix learning on VLAN unaware bridges - Input: synaptics - enable InterTouch on Dynabook Portege X30-D - Input: synaptics - enable InterTouch on Dynabook Portege X30L-G - Input: synaptics - enable InterTouch on Dell Precision M3800 - Input: synaptics - enable SMBus for HP Elitebook 850 G1 - Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 - [x86] mm: Eliminate window where TLB flushes may be inadvertently skipped - drm/amd/display: Shift DMUB AUX reply command if necessary - iio: adc: ad7606: fix serial register access - iio: adis16201: Correct inclinometer channel resolution - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo - [arm64] drm/v3d: Add job to pending list if the reset was skipped - drm/amd/display: Fix the checking condition in dmub aux handling - drm/amd/display: Remove incorrect checking in dmub aux handler - drm/amd/display: Fix wrong handling for AUX_DEFER case - drm/amd/display: Copy AUX read reply data whenever length > 0 - drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush - usb: uhci-platform: Make the clock really optional - xenbus: Use kref to track req lifetime - module: ensure that kobject_put() is safe for module type kobjects - ocfs2: switch osb->disable_recovery to enum - ocfs2: implement handshaking with ocfs2 recovery thread - ocfs2: stop quota recovery before disabling quotas - [arm64,armhf] usb: host: tegra: Prevent host controller crash when OTG port is used - usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition - usb: typec: ucsi: displayport: Fix NULL pointer access - USB: usbtmc: use interruptible sleep in usbtmc_read - usb: usbtmc: Fix erroneous get_stb ioctl error returns - usb: usbtmc: Fix erroneous wait_srq ioctl return - usb: usbtmc: Fix erroneous generic_read ioctl return - iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer. - types: Complement the aligned types with signed 64-bit one - [mips*] Fix MAX_REG_OFFSET - drm/panel: simple: Update timings for AUO G101EVN010 - nvme: unblock ctrl state transition for firmware update - do_umount(): add missing barrier before refcount checks in sync case - io_uring: always arm linked timeouts prior to issue - io_uring: ensure deferred completions are posted for multishot - Revert "net: phy: microchip: force IRQ polling mode for lan88xx" - [arm64] insn: Add support for encoding DSB - [arm64] proton-pack: Expose whether the platform is mitigated by firmware - [arm64] proton-pack: Expose whether the branchy loop k value - [arm64] bpf: Add BHB mitigation to the epilogue for cBPF programs - [arm64] bpf: Only mitigate cBPF programs loaded by unprivileged users - [arm64] proton-pack: Add new CPUs 'k' values for branch mitigation - [x86] bpf: Call branch history clearing sequence on exit - [x86] bpf: Add IBHF call at end of classic BPF - [x86] bhi: Do not set BHI_DIS_S in 32-bit mode - [x86] speculation: Simplify and make CALL_NOSPEC consistent - [x86] speculation: Add a conditional CS prefix to CALL_NOSPEC - [x86] speculation: Remove the extra #ifdef around CALL_NOSPEC - [amd64] Mitigations Indirect Target Selection (ITS) (CVE-2024-28956) + Documentation: x86/bugs/its: Add ITS documentation + x86/its: Enumerate Indirect Target Selection (ITS) bug + x86/its: Add support for ITS-safe indirect thunk + x86/its: Add support for ITS-safe return thunk + x86/its: Enable Indirect Target Selection mitigation + x86/its: Add "vmexit" option to skip mitigation on some CPUs + x86/its: Align RETs in BHB clear sequence to avoid thunking + x86/ibt: Keep IBT disabled during alternative patching + x86/its: Use dynamic thunks for indirect branches + x86/its: Fix build errors when CONFIG_MODULES=n + x86/alternative: Optimize returns patching + x86/alternatives: Remove faulty optimization + x86/its: FineIBT-paranoid vs ITS . [ Uwe Kleine-König ] * d/b/test-patches: Handle kernel release strings without ABI number. This is a backport from 6.10.1-1_exp1 to enable building bookworm kernels on trixie and newer. . [ Salvatore Bonaccorso ] * Bump ABI to 36 Checksums-Sha1: b4c0c859ab77ee75b9e59129d9e9d67243742881 290931 linux_6.1.139-1.dsc 6753467ceed630e19c814194975fdea87c9d9ce5 137773300 linux_6.1.139.orig.tar.xz 0120c5c5b05822a83476597d4fdc1a38f4c95687 1751028 linux_6.1.139-1.debian.tar.xz a6b875567b0ed2da2d58b2ded36c9dca8abeb26f 6691 linux_6.1.139-1_source.buildinfo Checksums-Sha256: 3f26ffdb2277186b718a5b727eb811b023375033c19f3253ac0f8c4770ecda0b 290931 linux_6.1.139-1.dsc 9b62dd9d9d12fe3fb649bac23af90eed0548e6eeacec357f4b4405a61f2d1e29 137773300 linux_6.1.139.orig.tar.xz 784dcdb69fc0e403d1ecb7813e82c9d9418e7aeb8526c8fcce1de174d4f8ba9d 1751028 linux_6.1.139-1.debian.tar.xz 15a49638607d27363342697fa68114342b40cc5c0a5cc5fc14840df18d0e8702 6691 linux_6.1.139-1_source.buildinfo Files: 7ebdc380e500207880181f39c1767bb3 290931 kernel optional linux_6.1.139-1.dsc e8e7a6c348f746d77682753b6c86d5f5 137773300 kernel optional linux_6.1.139.orig.tar.xz 2813697f1c75987ce63ceb02e212df34 1751028 kernel optional linux_6.1.139-1.debian.tar.xz 64b5dab5c5adab6db30b4da0c3dd67cc 6691 kernel optional linux_6.1.139-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmgpzTRfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EYQMP/3OFVjD6+alZWia30fyPhxv0NFcwbIFF KYorZJNj9mJvB7aEGMh5mLiNq+BXBT417GweypLiU5e2qCYUsN66zclLTNU9hyf4 HGDL3mH6CMREluZuo+i+kl7xrvObXEQfT52Q8jmimjh9Zw0WHbKzXrD+VxqjYvEN IPoFt06KR30O12IXcJqMFsGsEiHVWJLCeLhePIJwV6fdIdU6c0e/KW/+F5KNw50H NRkSdGnl24hLFLZaPZdek/FNB30pgu23KfqBCeLlC9SYAYdKU+tS4LKCz5jrxrDR +SdK4Dv7SPf8RirMqraVKjJUhNzD4T7ge+srut/iwDg6eZ+ZCAH0FDxNb+lxtt25 bIs4aqJc3FLXwPUB0HVnhCnKpVl+tcIOC2er2SVLbRCNK53ys/KNdmg74FKTW1uu lYBnpsnv6emD3S9vo9jbxCWJg/XEQ9S/4ZcudlwTsBPGGBWqtOMnGhbOTFd+b31O 9SSjknd2kcDye0soogWrWBerJdBqMFqIu4zcfFCYlZoVUm7mjZnPWtogLwdV9m/Z GVUSaLXsI1YclDy0BE0Y3+PAUfXZB4yOmeu25Te7dffprKz+ovNST9KVgY4cHmHd g0tsaQsjH1JqX5TXS8Ha8QtiPHlf2NFROW8AeeL703qWvfrXNQ/afBKwp/toGkN+ OO4siVDKFGp/ =vCXd -----END PGP SIGNATURE-----