Kernel maintainers have released two new stable versions, 6.19.8 and 6.18.18 LTS, which address several security and networking issues. The 6.19.8 patch set tightens AppArmor's reference handling to prevent use-after-free bugs by introducing a double-refcount scheme that ensures the underlying structure is freed only after all inode references have been released. This version also resolves silent packet drops caused by two networking quirks and stops an ATA race condition that could leave drives in an odd state after a reset. Users can obtain the latest kernel by downloading the generic upstream tarball or updating their distribution's package, and should run apparmor_parser -T against each AppArmor profile to catch any syntax errors.

Linux Kernels 6.19.8 and 6.18.18 LTS Released: AppArmor Security, Networking Fixes, and ATA Race Bug Squashed

Kernel maintainers have pushed two new stable releases: 6.19.8 and 6.18.18 LTS. Version 6.19.8 tightens AppArmor’s reference handling, cleans up a couple of networking quirks that could surface as silent packet drops or crashes, and finally stops the dreaded ATA race condition that could leave a drive in an odd state after a reset.

AppArmor Now Guards Against Use‑After‑Free Bugs

The 6.19.8 patch set eliminates two separate use‑after‑free scenarios that could occur when a rawdata file was open while its profile was being removed. The code now relies on a double‑refcount scheme, so the underlying aa_loaddata structure is freed only after every inode reference has been released.

A system administrator in Brazil noticed that, right after updating their Wi‑Fi driver, loading a custom AppArmor policy would trigger a KASAN “use‑after‑free” crash. The new kernel removes that symptom by keeping the rawdata alive until all file descriptors are closed.

Networking Stack Tweaks Reduce Silent Drops

Two networking patches arrive in 6.19.8. First, the act_ct classifier is now restricted to clsact/ingress qdiscs and shared blocks; when bound to an egress path it no longer tries to classify packets that might still be held by the defragmentation engine, which prevents the out‑of‑order packet handling bug reported by a container networking team last month. Second, the act_gate action now takes an RCU snapshot of its parameters when REPLACE is called, so that a timer callback walking the schedule list never dereferences stale data.

If you routinely tweak tc rules for bandwidth shaping or run Docker on top of Open vSwitch, you’ll notice fewer silent packet drops and no unexpected kernel panics after the update.

ATA Layer Stops Cancelled Work From Running Late

The ATA code now cancels queued work when a deferred NCQ command is cleared. Before this patch, a scenario could play out where an NCQ sequence finished, work was queued to issue a non‑NCQ command, and that work still ran after the port had been reset or an error had occurred. The kernel would then attempt to re‑issue stale commands, potentially corrupting data on SSDs.

A recent bug report from a research lab described receiving a WARN_ON after a drive reset caused by this race. 6.18.18 removes that warning and eliminates the risk of corrupted writes without affecting performance for normal NCQ traffic.

How to Get the Latest Kernel

If your distribution already ships 6.19.8 or 6.18.18, simply install the new package. Otherwise, pulling the generic upstream tarball is straightforward:

wget https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-6.19.8.tar.xz
tar xf linux-6.19.8.tar.xz
cd linux-6.19.8
make menuconfig   # optional: tweak the configuration as needed
make -j$(nproc)
sudo make modules_install
sudo make install
sudo reboot

After reboot, confirm the running version:

uname -r
# should report 6.19.8 (a distribution build may append a suffix such as -generic)

If you rely on AppArmor, run apparmor_parser -T against each profile in /etc/apparmor.d/ to catch any syntax errors that could surface after the refcount changes.
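A post-update check script for the procedure above, added here as an example (it is not part of the release notes or of the kernel project): it decides whether a running release string such as 6.19.8-generic or 6.18.18 already carries these fixes, and compiles each profile under /etc/apparmor.d/ with apparmor_parser -T plus -Q (skip kernel load, so nothing is loaded into the kernel and no root is needed). The script name post_update_check.sh and the function names are assumptions.

```shell
#!/bin/sh
# Post-update check for the procedure above: does the running kernel carry
# these fixes, and does every AppArmor profile still compile? Added example.

# Print the three numeric components of a release string, zero-padded:
# "6.19.8-generic" -> "6 19 8", "6.18" -> "6 18 0".
ver_fields() {
    v=$(printf '%s' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/')
    (IFS=.; set -- $v; printf '%s %s %s' "${1:-0}" "${2:-0}" "${3:-0}")
}

# Succeed when release $2 (default: uname -r) is at least version $1.
kernel_at_least() {
    want=$(ver_fields "$1")
    have=$(ver_fields "${2:-$(uname -r)}")
    set -- $want $have          # $1..$3 = wanted, $4..$6 = running
    if [ "$4" -gt "$1" ]; then return 0; elif [ "$4" -lt "$1" ]; then return 1; fi
    if [ "$5" -gt "$2" ]; then return 0; elif [ "$5" -lt "$2" ]; then return 1; fi
    if [ "$6" -ge "$3" ]; then return 0; else return 1; fi
}

# The fixes shipped in 6.19.8 and, on the LTS branch, in 6.18.18.
has_fix() {
    r=${1:-$(uname -r)}
    if kernel_at_least 6.19.8 "$r"; then return 0; fi
    if kernel_at_least 6.19 "$r"; then return 1; fi     # 6.19.0 .. 6.19.7
    kernel_at_least 6.18.18 "$r"
}

# Compile every profile under $1 (default /etc/apparmor.d) without loading it.
# -T skips the profile cache as suggested above; -Q (skip kernel load) is added
# so the parser stops short of the kernel and the check needs no root.
# Returns the number of profiles that failed to compile (0 = all good).
check_apparmor_profiles() {
    dir=${1:-/etc/apparmor.d}
    bad=0
    for p in "$dir"/*; do
        [ -f "$p" ] || continue
        if ! apparmor_parser -Q -T "$p" >/dev/null 2>&1; then
            echo "profile failed to compile: $p"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run both checks only when invoked as:  sh post_update_check.sh --run
if [ "${1:-}" = "--run" ]; then
    has_fix && echo "kernel ok: $(uname -r)" || echo "kernel lacks the fix: $(uname -r)"
    command -v apparmor_parser >/dev/null 2>&1 && check_apparmor_profiles
fi
```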