Ubuntu
linux package

Jammy update: v5.15.117 upstream stable release

Bug #2030107 reported by Kamal Mostafa on 2023-08-04

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Jammy	Fix Released	Medium	Kamal Mostafa

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

v5.15.117 upstream stable release
from git://git.kernel.org/

ata: ahci: fix enum constants for gcc-13
gcc-plugins: Reorganize gimple includes for GCC 13
remove the sx8 block driver
UBUNTU: [Config] updateconfigs for BLK_DEV_SX8
sfc (gcc13): synchronize ef100_enqueue_skb()'s return type
i40e: Remove string printing for i40e_status
i40e: use int for i40e_status
i40e: fix build warning in ice_fltr_add_mac_to_list()
bonding (gcc13): synchronize bond_{a,t}lb_xmit() types
f2fs: fix iostat lock protection
blk-iocost: avoid 64-bit division in ioc_timer_fn
platform/surface: aggregator: Allow completion work-items to be executed in parallel
spi: qup: Request DMA before enabling clocks
afs: Fix setting of mtime when creating a file/dir/symlink
wifi: mt76: mt7615: fix possible race in mt7615_mac_sta_poll
neighbour: fix unaligned access to pneigh_entry
net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods
bpf: Fix UAF in task local storage
net/ipv6: fix bool/int mismatch for skip_notify_on_dev_down
net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT
net: enetc: correct the statistics of rx bytes
net/sched: fq_pie: ensure reasonable TCA_FQ_PIE_QUANTUM values
drm/i915: Explain the magic numbers for AUX SYNC/precharge length
drm/i915: Use 18 fast wake AUX sync len
Bluetooth: Fix l2cap_disconnect_req deadlock
Bluetooth: L2CAP: Add missing checks for invalid DCID
qed/qede: Fix scheduling while atomic
wifi: cfg80211: fix locking in sched scan stop work
selftests/bpf: Verify optval=NULL case
selftests/bpf: Fix sockopt_sk selftest
netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
netfilter: ipset: Add schedule point in call_ad().
ipv6: rpl: Fix Route of Death.
rfs: annotate lockless accesses to sk->sk_rxhash
rfs: annotate lockless accesses to RFS sock flow table
drm/i915/selftests: Increase timeout for live_parallel_switch
drm/i915/selftests: Stop using kthread_stop()
drm/i915/selftests: Add some missing error propagation
net: sched: move rtm_tca_policy declaration to include file
net: sched: act_police: fix sparse errors in tcf_police_dump()
net: sched: fix possible refcount leak in tc_chain_tmplt_add()
bpf: Add extra path pointer check to d_path helper
lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release()
bnxt_en: Don't issue AP reset during ethtool's reset operation
bnxt_en: Query default VLAN before VNIC setup on a VF
bnxt_en: Implement .set_port / .unset_port UDP tunnel callbacks
batman-adv: Broken sync while rescheduling delayed work
Input: xpad - delete a Razer DeathAdder mouse VID/PID entry
Input: psmouse - fix OOB access in Elantech protocol
Input: fix open count when closing inhibited device
ALSA: hda/realtek: Add quirk for Clevo NS50AU
ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01
drm/i915/gt: Use the correct error value when kernel_context() fails
drm/amd/pm: conditionally disable pcie lane switching for some sienna_cichlid SKUs
drm/amdgpu: fix xclk freq on CHIP_STONEY
drm/amd/pm: Fix power context allocation in SMU13
can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in J1939 Socket
can: j1939: change j1939_netdev_lock type to mutex
can: j1939: avoid possible use-after-free when j1939_can_rx_register fails
ceph: fix use-after-free bug for inodes when flushing capsnaps
s390/dasd: Use correct lock while counting channel queue length
Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
Bluetooth: hci_qca: fix debugfs registration
tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta'
rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting
rbd: get snapshot context after exclusive lock is ensured to be held
pinctrl: meson-axg: add missing GPIOA_18 gpio group
usb: usbfs: Enforce page requirements for mmap
usb: usbfs: Use consistent mmap functions
ARM: dts: at91: sama7g5ek: fix debounce delay property for shdwc
ASoC: codecs: wsa881x: do not set can_multi_write flag
arm64: dts: qcom: sc7180-lite: Fix SDRAM freq for misidentified sc7180-lite boards
arm64: dts: imx8qm-mek: correct GPIOs for USDHC2 CD and WP signals
arm64: dts: imx8-ss-dma: assign default clock rate for lpuarts
ASoC: mediatek: mt8195-afe-pcm: Convert to platform remove callback returning void
ASoC: mediatek: mt8195: fix use-after-free in driver remove path
arm64: dts: imx8mn-beacon: Fix SPI CS pinmux
i2c: mv64xxx: Fix reading invalid status value in atomic mode
firmware: arm_ffa: Set handle field to zero in memory descriptor
i2c: sprd: Delete i2c adapter in .remove's error path
eeprom: at24: also select REGMAP
riscv: fix kprobe __user string arg print fault issue
vduse: avoid empty string for dev name
vhost: support PACKED when setting-getting vring_base
vhost_vdpa: support PACKED when setting-getting vring_base
ext4: only check dquot_initialize_needed() when debugging
Linux 5.15.117
UBUNTU: Upstream stable to v5.15.117

See original description

Tags:

CVE References

Kamal Mostafa (kamalmostafa) on 2023-08-04

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug

Kamal Mostafa (kamalmostafa) on 2023-08-04

Changed in linux (Ubuntu):
status:	Confirmed → Invalid
Changed in linux (Ubuntu Jammy):
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Kamal Mostafa (kamalmostafa)

Kamal Mostafa (kamalmostafa) on 2023-08-04

description:

updated

Stefan Bader (smb) on 2023-08-25

Changed in linux (Ubuntu Jammy):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-10-03:

Download full text (56.7 KiB)

This bug was fixed in the package linux - 5.15.0-86.96

---------------
linux (5.15.0-86.96) jammy; urgency=medium

* jammy/linux: 5.15.0-86.96 -proposed tracker (LP: #2036575)

  * 5.15.0-85 live migration regression (LP: #2036675)
    - Revert "KVM: x86: Always enable legacy FP/SSE in allowed user XFEATURES"
    - Revert "x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0"

* Regression for ubuntu_bpf test build on Jammy 5.15.0-85.95 (LP: #2035181)
- selftests/bpf: fix static assert compilation issue for test_cls_*.c

  * `refcount_t: underflow; use-after-free.` on hidon w/ 5.15.0-85-generic
    (LP: #2034447)
    - crypto: rsa-pkcs1pad - Use helper to set reqsize

linux (5.15.0-85.95) jammy; urgency=medium

* jammy/linux: 5.15.0-85.95 -proposed tracker (LP: #2033821)

  * Please enable Renesas RZ platform serial installer (LP: #2022361)
    - [Config] enable hihope RZ/G2M serial console
    - [Config] Mark sh-sci as built-in

* Request backport of xen timekeeping performance improvements (LP: #2033122)
- x86/xen/time: prefer tsc as clocksource when it is invariant

  * kdump doesn't work with UEFI secure boot and kernel lockdown enabled on
    ARM64 (LP: #2033007)
    - [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG
    - kexec, KEYS: make the code in bzImage64_verify_sig generic
    - arm64: kexec_file: use more system keyrings to verify kernel image signature

  * ubuntu_kernel_selftests:net:vrf-xfrm-tests.sh: 8 failed test cases on
    jammy/fips (LP: #2019880)
    - selftests: net: vrf-xfrm-tests: change authentication and encryption algos

  * ubuntu_kernel_selftests:net:tls: 88 failed test cases on jammy/fips
    (LP: #2019868)
    - selftests/harness: allow tests to be skipped during setup
    - selftests: net: tls: check if FIPS mode is enabled

  * A general-proteciton exception during guest migration to unsupported PKRU
    machine (LP: 2032164, reverted)
    - x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0
    - KVM: x86: Always enable legacy FP/SSE in allowed user XFEATURES

* CVE-2023-4569
- netfilter: nf_tables: deactivate catchall elements in next generation

This bug was fixed in the package linux - 5.15.0-86.96

---------------
linux (5.15.0-86.96) jammy; urgency=medium

* jammy/linux: 5.15.0-86.96 -proposed tracker (LP: #2036575)

* Regression for ubuntu_bpf test build on Jammy 5.15.0-85.95 (LP: #2035181)
    - selftests/bpf: fix static assert compilation issue for test_cls_*.c

* `refcount_t: underflow; use-after-free.` on hidon w/ 5.15.0-85-generic
    (LP: #2034447)
    - crypto: rsa-pkcs1pad - Use helper to set reqsize

linux (5.15.0-85.95) jammy; urgency=medium

* jammy/linux: 5.15.0-85.95 -proposed tracker (LP: #2033821)

* Please enable Renesas RZ platform serial installer (LP: #2022361)
    - [Config] enable hihope RZ/G2M serial console
    - [Config] Mark sh-sci as built-in

* Request backport of xen timekeeping performance improvements (LP: #2033122)
    - x86/xen/time: prefer tsc as clocksource when it is invariant

* ubuntu_kernel_selftests:net:vrf-xfrm-tests.sh: 8 failed test cases on
    jammy/fips (LP: #2019880)
    - selftests: net: vrf-xfrm-tests: change authentication and encryption algos

* CVE-2023-4569
    - netfilter: nf_tables: deactivate catchall elements in next generation

* CVE-2023-20569
    - x86/cpu, kvm: Add support for CPUID_80000021_EAX
    - x86/srso: Add a Speculative RAS Overflow mitigation
    - x86/srso: Add IBPB_BRTYPE support
    - x86/srso: Add SRSO_NO support
    - x86/srso: Add IBPB
    - x86/srso: Add IBPB on VMEXIT
    - x86/srso: Fix return thunks in generated code
    - x86/srso: Tie SBPB bit setting to microcode patch detection
    - x86: fix backwards merge of GDS/SRSO bit
    - x86/srso: Fix build breakage with the LLVM linker
    - x86/cpu: Fix __x86_return_thunk symbol type
    - x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
    - x86/alternative: Make custom return thunk unconditional
    - objtool: Add frame-pointer-specific function ignore
    - x86/ibt: Add ANNOTATE_NOENDBR
    - x86/cpu: Clean up SRSO return thunk mess
    - x86/cpu: Rename original retbleed methods
    - x86/cpu: Rename srso_(.*)_alias to srso_alias_\1
    - x86/cpu: Cleanup the untrain mess
    - x86/srso: Explain the untraining sequences a bit more
    - x86/static_call: Fix __static_call_fixup()
    - x86/retpoline: Don't clobber RFLAGS during srso_safe_ret()
    - x86/srso: Disable the mitigation on unaffected configurations
    - x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG
    - objtool/x86: Fixup frame-pointer vs rethunk
    - x86/srso: Correct the mitigation status when SMT is disabled
    - objtool/x86: Fix SRSO mess
    - Ubuntu: [Config]: enable Speculative Return Stack Overflow mitigation

* Fix unreliable ethernet cable detection on I219 NIC (LP: #2028122)
    - e1000e: Use PME poll to circumvent unreliable ACPI wake

* Need to get fine-grained control for FAN(TFN) Participant. (LP: #2031333)
    - ACPI: fan: Separate file for attributes creation
    - ACPI: fan: Optimize struct acpi_fan_fif
    - ACPI: fan: Properly handle fine grain control
    - ACPI: fan: Add additional attributes for fine grain control

* [SRU][Ubuntu 22.04.1] Unable to interpret the frequency values in
    cpuinfo_min_freq and cpuino_max_freq sysfs files. (LP: #2030924)
    - cpufreq: intel_pstate: Fix scaling for hybrid-capable

* CVE-2023-40283
    - Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

* CVE-2023-20588
    - x86/bugs: Increase the x86 bugs vector size to two u32s
    - x86/CPU/AMD: Do not leak quotient data after a division by 0
    - x86/CPU/AMD: Fix the DIV(0) initial fix attempt

* CVE-2023-4194
    - net: tun_chr_open(): set sk_uid from current_fsuid()
    - net: tap_open(): set sk_uid from current_fsuid()

* CVE-2023-4155
    - KVM: SEV: Refactor out sev_es_state struct
    - KVM: SEV: Fall back to vmalloc for SEV-ES scratch area if necessary
    - KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure
    - KVM: SVM: Exit to userspace on ENOMEM/EFAULT GHCB errors
    - KVM: SEV: snapshot the GHCB before accessing it
    - KVM: SEV: only access GHCB fields once

* CVE-2023-1206
    - tcp: Reduce chance of collisions in inet6_hashfn().

* Crashing with CPU soft lock on GA kernel 5.15.0.79.76 and HWE kernel
    5.19.0-46.47-22.04.1 (LP: #2032176)
    - Revert "KVM: x86: enable TDP MMU by default"

* Jammy update: v5.15.122 upstream stable release (LP: #2032690)
    - Linux 5.15.122
    - Upstream stable to v5.15.122

* Jammy update: v5.15.121 upstream stable release (LP: #2032689)
    - netfilter: nf_tables: drop map element references from preparation phase
    - fs: pipe: reveal missing function protoypes
    - x86/resctrl: Only show tasks' pid in current pid namespace
    - blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost
    - md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
    - md/raid10: fix overflow of md/safe_mode_delay
    - md/raid10: fix wrong setting of max_corr_read_errors
    - md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
    - md/raid10: fix io loss while replacement replace rdev
    - irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
    - svcrdma: Prevent page release when nothing was received
    - posix-timers: Prevent RT livelock in itimer_delete()
    - tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode().
    - clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
    - PM: domains: fix integer overflow issues in genpd_parse_state()
    - perf/arm-cmn: Fix DTC reset
    - powercap: RAPL: Fix CONFIG_IOSF_MBI dependency
    - ARM: 9303/1: kprobes: avoid missing-declaration warnings
    - cpufreq: intel_pstate: Fix energy_performance_preference for passive
    - thermal/drivers/sun8i: Fix some error handling paths in sun8i_ths_probe()
    - rcutorture: Correct name of use_softirq module parameter
    - rcuscale: Always log error message
    - rcuscale: Move shutdown from wait_event() to wait_event_idle()
    - rcu/rcuscale: Move rcu_scale_*() after kfree_scale_cleanup()
    - rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale
    - kselftest: vDSO: Fix accumulation of uninitialized ret when CLOCK_REALTIME
      is undefined
    - perf/ibs: Fix interface via core pmu events
    - x86/mm: Fix __swp_entry_to_pte() for Xen PV guests
    - locking/atomic: arm: fix sync ops
    - evm: Complete description of evm_inode_setattr()
    - evm: Fix build warnings
    - ima: Fix build warnings
    - pstore/ram: Add check for kstrdup
    - igc: Enable and fix RX hash usage by netstack
    - wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation
    - wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
    - libbpf: btf_dump_type_data_check_overflow needs to consider
      BTF_MEMBER_BITFIELD_SIZE
    - samples/bpf: Fix buffer overflow in tcp_basertt
    - spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG
    - wifi: wilc1000: fix for absent RSN capabilities WFA testcase
    - wifi: mwifiex: Fix the size of a memory allocation in
      mwifiex_ret_802_11_scan()
    - sctp: add bpf_bypass_getsockopt proto callback
    - libbpf: fix offsetof() and container_of() to work with CO-RE
    - bpf: Don't EFAULT for {g,s}setsockopt with wrong optlen
    - spi: dw: Round of n_bytes to power of 2
    - nfc: llcp: fix possible use of uninitialized variable in
      nfc_llcp_send_connect()
    - bpftool: JIT limited misreported as negative value on aarch64
    - regulator: core: Fix more error checking for debugfs_create_dir()
    - regulator: core: Streamline debugfs operations
    - wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
    - wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
    - wifi: atmel: Fix an error handling path in atmel_probe()
    - wl3501_cs: use eth_hw_addr_set()
    - wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
    - wifi: ray_cs: Utilize strnlen() in parse_addr()
    - wifi: ray_cs: Drop useless status variable in parse_addr()
    - wifi: ray_cs: Fix an error handling path in ray_probe()
    - wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
    - selftests/bpf: Fix check_mtu using wrong variable type
    - wifi: rsi: Do not configure WoWlan in shutdown hook if not enabled
    - wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown
    - watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct
      config
    - watchdog/perf: more properly prevent false positives with turbo modes
    - kexec: fix a memory leak in crash_shrink_memory()
    - memstick r592: make memstick_debug_get_tpc_name() static
    - wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
    - rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO
    - wifi: iwlwifi: pull from TXQs with softirqs disabled
    - iwlwifi: don't dump_stack() when we get an unexpected interrupt
    - wifi: iwlwifi: pcie: fix NULL pointer dereference in
      iwl_pcie_irq_rx_msix_handler()
    - wifi: cfg80211: rewrite merging of inherited elements
    - wifi: iwlwifi: mvm: indicate HW decrypt for beacon protection
    - wifi: ath9k: convert msecs to jiffies where needed
    - bpf: Omit superfluous address family check in __bpf_skc_lookup
    - bpf: Factor out socket lookup functions for the TC hookpoint.
    - bpf: Call __bpf_sk_lookup()/__bpf_skc_lookup() directly via TC hookpoint
    - bpf: Fix bpf socket lookup from tc/xdp to respect socket VRF bindings
    - can: length: fix bitstuffing count
    - igc: Fix race condition in PTP tx code
    - net: stmmac: fix double serdes powerdown
    - netlink: fix potential deadlock in netlink_set_err()
    - netlink: do not hard code device address lenth in fdb dumps
    - bonding: do not assume skb mac_header is set
    - selftests: rtnetlink: remove netdevsim device after ipsec offload test
    - gtp: Fix use-after-free in __gtp_encap_destroy().
    - net: axienet: Move reset before 64-bit DMA detection
    - sfc: fix crash when reading stats while NIC is resetting
    - lib/ts_bm: reset initial match offset for every block of text
    - netfilter: conntrack: dccp: copy entire header to stack buffer, not just
      basic one
    - netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return
      value.
    - ipvlan: Fix return value of ipvlan_queue_xmit()
    - netlink: Add __sock_i_ino() for __netlink_diag_dump().
    - drm/amd/display: Add logging for display MALL refresh setting
    - radeon: avoid double free in ci_dpm_init()
    - drm/amd/display: Explicitly specify update type per plane info change
    - Input: drv260x - sleep between polling GO bit
    - drm/bridge: tc358768: always enable HS video mode
    - drm/bridge: tc358768: fix PLL parameters computation
    - drm/bridge: tc358768: fix PLL target frequency
    - drm/bridge: tc358768: fix TCLK_ZEROCNT computation
    - drm/bridge: tc358768: Add atomic_get_input_bus_fmts() implementation
    - drm/bridge: tc358768: fix TCLK_TRAILCNT computation
    - drm/bridge: tc358768: fix THS_ZEROCNT computation
    - drm/bridge: tc358768: fix TXTAGOCNT computation
    - drm/bridge: tc358768: fix THS_TRAILCNT computation
    - drm/vram-helper: fix function names in vram helper doc
    - ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
    - ARM: dts: meson8b: correct uart_B and uart_C clock references
    - Input: adxl34x - do not hardcode interrupt trigger type
    - drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks`
    - drm/panel: sharp-ls043t1le01: adjust mode settings
    - ARM: dts: stm32: Move ethernet MAC EEPROM from SoM to carrier boards
    - bus: ti-sysc: Fix dispc quirk masking bool variables
    - arm64: dts: microchip: sparx5: do not use PSCI on reference boards
    - clk: imx: scu: use _safe list iterator to avoid a use after free
    - RDMA/bnxt_re: Disable/kill tasklet only if it is enabled
    - RDMA/bnxt_re: Fix to remove unnecessary return labels
    - RDMA/bnxt_re: Use unique names while registering interrupts
    - RDMA/bnxt_re: Remove a redundant check inside bnxt_re_update_gid
    - RDMA/bnxt_re: Fix to remove an unnecessary log
    - drm/msm/dsi: don't allow enabling 14nm VCO with unprogrammed rate
    - drm/msm/disp/dpu: get timing engine status from intf status register
    - drm/msm/dpu: Set DPU_DATA_HCTL_EN for in INTF_SC7180_MASK
    - ARM: dts: gta04: Move model property out of pinctrl node
    - arm64: dts: qcom: msm8916: correct camss unit address
    - arm64: dts: qcom: msm8994: correct SPMI unit address
    - arm64: dts: qcom: msm8996: correct camss unit address
    - arm64: dts: qcom: sdm630: correct camss unit address
    - arm64: dts: qcom: sdm845: correct camss unit address
    - arm64: dts: qcom: db820c: Move blsp1_uart2 pin states to msm8996.dtsi
    - arm64: dts: qcom: apq8016-sbc: Update modem and WiFi firmware path
    - arm64: dts: qcom: apq8016-sbc: Clarify firmware-names
    - arm64: dts: qcom: apq8016-sbc: fix mpps state names
    - arm64: dts: qcom: Drop unneeded extra device-specific includes
    - arm64: dts: qcom: apq8016-sbc: Fix regulator constraints
    - arm64: dts: qcom: apq8016-sbc: Fix 1.8V power rail on LS expansion
    - drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
    - ARM: ep93xx: fix missing-prototype warnings
    - ARM: omap2: fix missing tick_broadcast() prototype
    - arm64: dts: qcom: apq8096: fix fixed regulator name property
    - arm64: dts: mediatek: mt8183: Add mediatek,broken-save-restore-fw to kukui
    - ARM: dts: stm32: Shorten the AV96 HDMI sound card name
    - memory: brcmstb_dpfe: fix testing array offset after use
    - ASoC: es8316: Increment max value for ALC Capture Target Volume control
    - ASoC: es8316: Do not set rate constraints for unsupported MCLKs
    - ARM: dts: meson8: correct uart_B and uart_C clock references
    - soc/fsl/qe: fix usb.c build errors
    - RDMA/irdma: avoid fortify-string warning in irdma_clr_wqes
    - IB/hfi1: Use bitmap_zalloc() when applicable
    - IB/hfi1: Fix wrong mmu_node used for user SDMA packet after invalidate
    - RDMA/hns: Fix hns_roce_table_get return value
    - ARM: dts: iwg20d-q7-common: Fix backlight pwm specifier
    - arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
    - fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()
    - arm64: dts: ti: k3-j7200: Fix physical address of pin
    - ARM: dts: stm32: Fix audio routing on STM32MP15xx DHCOM PDK2
    - ARM: dts: stm32: fix i2s endpoint format property for stm32mp15xx-dkx
    - hwmon: (gsc-hwmon) fix fan pwm temperature scaling
    - hwmon: (adm1275) Allow setting sample averaging
    - hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on ADM1272
    - ARM: dts: BCM5301X: fix duplex-full => full-duplex
    - drm/amdkfd: Fix potential deallocation of previously deallocated memory.
    - drm/amd/display: Fix artifacting on eDP panels when engaging freesync video
      mode
    - drm/radeon: fix possible division-by-zero errors
    - amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
    - drm/msm/a5xx: really check for A510 in a5xx_gpu_init
    - RDMA/bnxt_re: wraparound mbox producer index
    - RDMA/bnxt_re: Avoid calling wake_up threads from spin_lock context
    - clk: imx: clk-imx8mn: fix memory leak in imx8mn_clocks_probe
    - clk: imx: clk-imx8mp: improve error handling in imx8mp_clocks_probe()
    - arm64: dts: qcom: sm8250-edo: Panel framebuffer is 2.5k instead of 4k
    - clk: clocking-wizard: Fix Oops in clk_wzrd_register_divider()
    - clk: tegra: tegra124-emc: Fix potential memory leak
    - ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
    - drm/msm/dpu: do not enable color-management if DSPPs are not available
    - drm/msm/dp: Free resources after unregistering them
    - arm64: dts: mediatek: Add cpufreq nodes for MT8192
    - arm64: dts: mediatek: mt8192: Fix CPUs capacity-dmips-mhz
    - drm/msm/dpu: correct MERGE_3D length
    - clk: vc5: check memory returned by kasprintf()
    - clk: cdce925: check return value of kasprintf()
    - clk: si5341: return error if one synth clock registration fails
    - clk: si5341: check return value of {devm_}kasprintf()
    - clk: si5341: free unused memory on probe failure
    - clk: keystone: sci-clk: check return value of kasprintf()
    - clk: ti: clkctrl: check return value of kasprintf()
    - drivers: meson: secure-pwrc: always enable DMA domain
    - ovl: update of dentry revalidate flags after copy up
    - ASoC: imx-audmix: check return value of devm_kasprintf()
    - clk: Fix memory leak in devm_clk_notifier_register()
    - PCI: cadence: Fix Gen2 Link Retraining process
    - PCI: vmd: Reset VMD config register between soft reboots
    - scsi: qedf: Fix NULL dereference in error handling
    - pinctrl: bcm2835: Handle gpiochip_add_pin_range() errors
    - PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free
    - scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
    - PCI: pciehp: Cancel bringup sequence if card is not present
    - PCI: ftpci100: Release the clock resources
    - PCI: Add pci_clear_master() stub for non-CONFIG_PCI
    - perf bench: Use unbuffered output when pipe/tee'ing to a file
    - perf bench: Add missing setlocale() call to allow usage of %'d style
      formatting
    - pinctrl: cherryview: Return correct value if pin in push-pull mode
    - kcsan: Don't expect 64 bits atomic builtins from 32 bits architectures
    - powerpc/interrupt: Don't read MSR from interrupt_exit_kernel_prepare()
    - powerpc/signal32: Force inlining of __unsafe_save_user_regs() and
      save_tm_user_regs_unsafe()
    - perf script: Fix allocation of evsel->priv related to per-event dump files
    - perf dwarf-aux: Fix off-by-one in die_get_varname()
    - powerpc/64s: Fix VAS mm use after free
    - pinctrl: microchip-sgpio: check return value of devm_kasprintf()
    - pinctrl: at91-pio4: check return value of devm_kasprintf()
    - powerpc/powernv/sriov: perform null check on iov before dereferencing iov
    - powerpc: simplify ppc_save_regs
    - powerpc: update ppc_save_regs to save current r1 in pt_regs
    - riscv: uprobes: Restore thread.bad_cause
    - powerpc/book3s64/mm: Fix DirectMap stats in /proc/meminfo
    - powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-
      boundary
    - hwrng: virtio - add an internal buffer
    - hwrng: virtio - don't wait on cleanup
    - hwrng: virtio - don't waste entropy
    - hwrng: virtio - always add a pending request
    - hwrng: virtio - Fix race on data_avail and actual data
    - modpost: remove broken calculation of exception_table_entry size
    - crypto: nx - fix build warnings when DEBUG_FS is not enabled
    - modpost: fix section mismatch message for R_ARM_ABS32
    - modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
    - crypto: marvell/cesa - Fix type mismatch warning
    - modpost: fix off by one in is_executable_section()
    - ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard
    - crypto: qat - honor CRYPTO_TFM_REQ_MAY_SLEEP flag
    - crypto: qat - replace get_current_node() with numa_node_id()
    - crypto: qat - use reference to structure in dma_map_single()
    - crypto: kpp - Add helper to set reqsize
    - crypto: qat - Use helper to set reqsize
    - crypto: qat - unmap buffer before free for DH
    - crypto: qat - unmap buffers before free for RSA
    - NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION
    - SMB3: Do not send lease break acknowledgment if all file handles have been
      closed
    - dax: Fix dax_mapping_release() use after free
    - dax: Introduce alloc_dev_dax_id()
    - dax/kmem: Pass valid argument to memory_group_register_static
    - hwrng: st - keep clock enabled while hwrng is registered
    - kbuild: Disable GCOV for *.mod.o
    - efi/libstub: Disable PCI DMA before grabbing the EFI memory map
    - ksmbd: avoid field overflow warning
    - ACPI: utils: Fix acpi_evaluate_dsm_typed() redefinition error
    - bootmem: remove the vmemmap pages from kmemleak in free_bootmem_page
    - USB: serial: option: add LARA-R6 01B PIDs
    - usb: dwc3: gadget: Propagate core init errors to UDC during pullup
    - phy: tegra: xusb: Clear the driver reference in usb-phy dev
    - iio: adc: ad7192: Fix null ad7192_state pointer access
    - iio: adc: ad7192: Fix internal/external clock selection
    - iio: accel: fxls8962af: errata bug only applicable for FXLS8962AF
    - iio: accel: fxls8962af: fixup buffer scan element type
    - ALSA: hda/realtek: Add quirk for Clevo NPx0SNx
    - ALSA: jack: Fix mutex call in snd_jack_report()
    - block: fix signed int overflow in Amiga partition support
    - block: add overflow checks for Amiga partition support
    - block: change all __u32 annotations to __be32 in affs_hardblocks.h
    - block: increment diskseq on all media change events
    - SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
    - w1: w1_therm: fix locking behavior in convert_t
    - w1: fix loop in w1_fini()
    - sh: j2: Use ioremap() to translate device tree address into kernel memory
    - usb: dwc2: platform: Improve error reporting for problems during .remove()
    - usb: dwc2: Fix some error handling paths
    - serial: 8250: omap: Fix freeing of resources on failed register
    - clk: qcom: camcc-sc7180: Add parent dependency to all camera GDSCs
    - clk: qcom: gcc-ipq6018: Use floor ops for sdcc clocks
    - media: usb: Check az6007_read() return value
    - media: videodev2.h: Fix struct v4l2_input tuner index comment
    - media: usb: siano: Fix warning due to null work_func_t function pointer
    - media: i2c: Correct format propagation for st-mipid02
    - clk: qcom: reset: Allow specifying custom reset delay
    - clk: qcom: reset: support resetting multiple bits
    - clk: qcom: ipq6018: fix networking resets
    - usb: dwc3: qcom: Fix potential memory leak
    - usb: gadget: u_serial: Add null pointer check in gserial_suspend
    - extcon: Fix kernel doc of property fields to avoid warnings
    - extcon: Fix kernel doc of property capability fields to avoid warnings
    - usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
    - usb: hide unused usbfs_notify_suspend/resume functions
    - serial: 8250: lock port for stop_rx() in omap8250_irq()
    - serial: 8250: lock port for UART_IER access in omap8250_irq()
    - kernfs: fix missing kernfs_idr_lock to remove an ID from the IDR
    - coresight: Fix loss of connection info when a module is unloaded
    - mfd: rt5033: Drop rt5033-battery sub-device
    - media: venus: helpers: Fix ALIGN() of non power of two
    - media: atomisp: gmin_platform: fix out_len in gmin_get_config_dsm_var()
    - KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
    - usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove()
    - usb: dwc3: qcom: Fix an error handling path in dwc3_qcom_probe()
    - usb: common: usb-conn-gpio: Set last role to unknown before initial
      detection
    - usb: dwc3-meson-g12a: Fix an error handling path in dwc3_meson_g12a_probe()
    - mfd: intel-lpss: Add missing check for platform_get_resource
    - Revert "usb: common: usb-conn-gpio: Set last role to unknown before initial
      detection"
    - serial: 8250_omap: Use force_suspend and resume for system suspend
    - test_firmware: return ENOMEM instead of ENOSPC on failed memory allocation
    - nvmem: rmem: Use NVMEM_DEVID_AUTO
    - mfd: stmfx: Fix error path in stmfx_chip_init
    - mfd: stmfx: Nullify stmfx->vdd in case of error
    - KVM: s390: vsie: fix the length of APCB bitmap
    - KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler
    - mfd: stmpe: Only disable the regulators if they are enabled
    - phy: tegra: xusb: check return value of devm_kzalloc()
    - pwm: imx-tpm: force 'real_period' to be zero in suspend
    - pwm: sysfs: Do not apply state to already disabled PWMs
    - pwm: ab8500: Fix error code in probe()
    - pwm: mtk_disp: Fix the disable flow of disp_pwm
    - md/raid10: fix the condition to call bio_end_io_acct()
    - rtc: st-lpc: Release some resources in st_rtc_probe() in case of error
    - drm/i915/psr: Use hw.adjusted mode when calculating io/fast wake times
    - media: cec: i2c: ch7322: also select REGMAP
    - sctp: fix potential deadlock on &net->sctp.addr_wq_lock
    - net/sched: act_ipt: add sanity checks on table name and hook locations
    - Add MODULE_FIRMWARE() for FIRMWARE_TG357766.
    - ibmvnic: Do not reset dql stats on NON_FATAL err
    - net: dsa: vsc73xx: fix MTU configuration
    - spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
    - mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0
    - f2fs: fix error path handling in truncate_dnode()
    - octeontx2-af: Fix mapping for NIX block from CGX connection
    - octeontx2-af: Add validation before accessing cgx and lmac
    - ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()
    - powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
    - net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode
    - tcp: annotate data races in __tcp_oow_rate_limited()
    - xsk: Honor SO_BINDTODEVICE on bind
    - net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
    - riscv: move memblock_allow_resize() after linear mapping is ready
    - pptp: Fix fib lookup calls.
    - net: dsa: tag_sja1105: fix MAC DA patching from meta frames
    - octeontx-af: fix hardware timestamp configuration
    - s390/qeth: Fix vipa deletion
    - sh: dma: Fix DMA channel offset calculation
    - apparmor: fix missing error check for rhashtable_insert_fast
    - i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in xiic_process()
    - i2c: xiic: Don't try to handle more interrupt events after error
    - extcon: usbc-tusb320: Convert to i2c's .probe_new()
    - btrfs: do not BUG_ON() on tree mod log failure at balance_level()
    - i2c: qup: Add missing unwind goto in qup_i2c_probe()
    - NFSD: add encoding of op_recall flag for write delegation
    - io_uring: wait interruptibly for request completions on exit
    - mmc: core: disable TRIM on Kingston EMMC04G-M627
    - mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
    - mmc: mmci: Set PROBE_PREFER_ASYNCHRONOUS
    - mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is
      used.
    - bcache: fixup btree_cache_wait list damage
    - bcache: Remove unnecessary NULL point check in node allocations
    - bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent
    - um: Use HOST_DIR for mrproper
    - integrity: Fix possible multiple allocation in integrity_inode_get()
    - autofs: use flexible array in ioctl structure
    - shmem: use ramfs_kill_sb() for kill_sb method of ramfs-based tmpfs
    - ext4: Remove ext4 locking of moved directory
    - Revert "f2fs: fix potential corruption when moving a directory"
    - fs: Establish locking order for unrelated directories
    - fs: Lock moved directories
    - ipvs: increase ip_vs_conn_tab_bits range for 64BIT
    - jffs2: reduce stack usage in jffs2_build_xattr_subsystem()
    - fs: avoid empty option when generating legacy mount string
    - btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile
    - btrfs: delete unused BGs while reclaiming BGs
    - btrfs: bail out reclaim process if filesystem is read-only
    - btrfs: reinsert BGs failed to reclaim
    - btrfs: fix race when deleting quota root from the dirty cow roots list
    - btrfs: fix extent buffer leak after tree mod log failure at split_node()
    - btrfs: do not BUG_ON() on tree mod log failure at __btrfs_cow_block()
    - ASoC: mediatek: mt8173: Fix irq error path
    - ASoC: mediatek: mt8173: Fix snd_soc_component_initialize error path
    - ARM: dts: qcom: ipq4019: fix broken NAND controller properties override
    - ARM: orion5x: fix d2net gpio initialization
    - leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename
    - fs: no need to check source
    - ovl: fix null pointer dereference in ovl_get_acl_rcu()
    - fanotify: disallow mount/sb marks on kernel internal pseudo fs
    - netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
    - wireguard: queueing: use saner cpu selection wrapping
    - wireguard: netlink: send staged packets when setting initial private key
    - tty: serial: fsl_lpuart: add earlycon for imx8ulp platform
    - block/partition: fix signedness issue for Amiga partitions
    - io_uring: Use io_schedule* in cqring wait
    - io_uring: add reschedule point to handle_tw_list()
    - net: lan743x: Don't sleep in atomic context
    - workqueue: clean up WORK_* constant types, clarify masking
    - ksmbd: use ksmbd_req_buf_next() in ksmbd_smb2_check_message()
    - ksmbd: validate command payload size
    - ksmbd: fix out-of-bound read in smb2_write
    - ksmbd: validate session id and tree id in the compound request
    - drm/panel: simple: Add connector_type for innolux_at043tn24
    - drm/bridge: ti-sn65dsi86: Fix auxiliary bus lifetime
    - drm/panel: simple: Add Powertip PH800480T013 drm_display_mode flags
    - igc: Remove delay during TX ring configuration
    - net/mlx5e: fix double free in mlx5e_destroy_flow_table
    - net/mlx5e: fix memory leak in mlx5e_ptp_open
    - net/mlx5e: Check for NOT_READY flag state after locking
    - igc: set TP bit in 'supported' and 'advertising' fields of
      ethtool_link_ksettings
    - igc: Handle PPS start time programming for past time values
    - scsi: qla2xxx: Fix error code in qla2x00_start_sp()
    - bpf: Fix max stack depth check for async callbacks
    - net: mvneta: fix txq_map in case of txq_number==1
    - gve: Set default duplex configuration to full
    - ionic: remove WARN_ON to prevent panic_on_warn
    - net: bgmac: postpone turning IRQs off to avoid SoC hangs
    - net: prevent skb corruption on frag list segmentation
    - icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().
    - udp6: fix udp6_ehashfn() typo
    - ntb: idt: Fix error handling in idt_pci_driver_init()
    - NTB: amd: Fix error handling in amd_ntb_pci_driver_init()
    - ntb: intel: Fix error handling in intel_ntb_pci_driver_init()
    - NTB: ntb_transport: fix possible memory leak while device_register() fails
    - NTB: ntb_tool: Add check for devm_kcalloc
    - ipv6/addrconf: fix a potential refcount underflow for idev
    - platform/x86: wmi: remove unnecessary argument
    - platform/x86: wmi: use guid_t and guid_equal()
    - platform/x86: wmi: move variables
    - platform/x86: wmi: Break possible infinite loop when parsing GUID
    - kernel/trace: Fix cleanup logic of enable_trace_eprobe
    - igc: Fix launchtime before start of cycle
    - igc: Fix inserting of empty frame for launchtime
    - bpf, riscv: Support riscv jit to provide bpf_line_info
    - riscv, bpf: Fix inconsistent JIT image generation
    - drm/i915: Fix one wrong caching mode enum usage
    - octeontx2-pf: Add additional check for MCAM rules
    - erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF
    - erofs: decouple basic mount options from fs_context
    - erofs: fix fsdax unavailability for chunk-based regular files
    - wifi: airo: avoid uninitialized warning in airo_get_rate()
    - bpf: cpumap: Fix memory leak in cpu_map_update_elem
    - net/sched: flower: Ensure both minimum and maximum ports are specified
    - riscv: mm: fix truncation warning on RV32
    - netdevsim: fix uninitialized data in nsim_dev_trap_fa_cookie_write()
    - net/sched: make psched_mtu() RTNL-less safe
    - nvme-pci: remove nvme_queue from nvme_iod
    - nvme-pci: fix DMA direction of unmapping integrity data
    - pinctrl: amd: Fix mistake in handling clearing pins at startup
    - pinctrl: amd: Detect internal GPIO0 debounce handling
    - pinctrl: amd: Detect and mask spurious interrupts
    - pinctrl: amd: Only use special debounce behavior for GPIO 0
    - tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
    - mtd: rawnand: meson: fix unaligned DMA buffers handling
    - net: bcmgenet: Ensure MDIO unregistration has clocks enabled
    - mm/damon/ops-common: atomically test and clear young on ptes and pmds
    - powerpc: Fail build if using recordmcount with binutils v2.37
    - misc: fastrpc: Create fastrpc scalar with correct buffer count
    - powerpc/security: Fix Speculation_Store_Bypass reporting on Power10
    - arm64: errata: Add detection for TRBE overwrite in FILL mode
    - erofs: fix compact 4B support for 16k block size
    - MIPS: Loongson: Fix cpu_probe_loongson() again
    - MIPS: KVM: Fix NULL pointer dereference
    - ext4: Fix reusing stale buffer heads from last failed mounting
    - ext4: fix wrong unit use in ext4_mb_clear_bb
    - ext4: get block from bh in ext4_free_blocks for fast commit replay
    - ext4: fix wrong unit use in ext4_mb_new_blocks
    - ext4: fix to check return value of freeze_bdev() in ext4_shutdown()
    - ext4: turn quotas off if mount failed after enabling quotas
    - ext4: only update i_reserved_data_blocks on successful block allocation
    - jfs: jfs_dmap: Validate db_l2nbperpage while mounting
    - hwrng: imx-rngc - fix the timeout for init and self check
    - dm integrity: reduce vmalloc space footprint on 32-bit architectures
    - PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold
    - PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
    - PCI: qcom: Disable write access to read only registers for IP v2.3.3
    - PCI: rockchip: Assert PCI Configuration Enable bit after probe
    - PCI: rockchip: Write PCI Device ID to correct register
    - PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked
    - PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core
    - PCI: rockchip: Use u32 variable to access 32-bit registers
    - PCI: rockchip: Set address alignment for endpoint mode
    - misc: pci_endpoint_test: Free IRQs before removing the device
    - misc: pci_endpoint_test: Re-init completion for every test
    - mfd: pm8008: Fix module autoloading
    - md/raid0: add discard support for the 'original' layout
    - dm init: add dm-mod.waitfor to wait for asynchronously probed block devices
    - fs: dlm: return positive pid value for F_GETLK
    - drm/atomic: Allow vblank-enabled + self-refresh "disable"
    - drm/rockchip: vop: Leave vblank enabled in self-refresh
    - drm/amdgpu: fix clearing mappings for BOs that are always valid in VM
    - drm/amd/display: Correct `DMUB_FW_VERSION` macro
    - drm/amdgpu: avoid restore process run into dead loop.
    - drm/ttm: Don't leak a resource on swapout move error
    - serial: atmel: don't enable IRQs prematurely
    - tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in
      case of error
    - tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when
      iterating clk
    - tty: serial: imx: fix rs485 rx after tx
    - firmware: stratix10-svc: Fix a potential resource leak in
      svc_create_memory_pool()
    - libceph: harden msgr2.1 frame segment length checks
    - ceph: don't let check_caps skip sending responses for revoke msgs
    - xhci: Fix resume issue of some ZHAOXIN hosts
    - xhci: Fix TRB prefetch issue of ZHAOXIN hosts
    - xhci: Show ZHAOXIN xHCI root hub speed correctly
    - meson saradc: fix clock divider mask length
    - opp: Fix use-after-free in lazy_opp_tables after probe deferral
    - soundwire: qcom: fix storing port config out-of-bounds
    - Revert "8250: add support for ASIX devices with a FIFO bug"
    - bus: ixp4xx: fix IXP4XX_EXP_T1_MASK
    - s390/decompressor: fix misaligned symbol build error
    - tracing/histograms: Add histograms to hist_vars if they have referenced
      variables
    - tracing: Fix memory leak of iter->temp when reading trace_pipe
    - samples: ftrace: Save required argument registers in sample trampolines
    - net: ena: fix shift-out-of-bounds in exponential backoff
    - ring-buffer: Fix deadloop issue on reading trace_pipe
    - ftrace: Fix possible warning on checking all pages used in
      ftrace_process_locs()
    - xtensa: ISS: fix call to split_if_spec
    - tracing: Fix null pointer dereference in tracing_err_log_open()
    - selftests: mptcp: sockopt: return error if wrong mark
    - selftests: mptcp: depend on SYN_COOKIES
    - tracing/probes: Fix not to count error code to total length
    - tracing/probes: Fix to update dynamic data counter if fetcharg uses it
    - scsi: qla2xxx: Wait for io return on terminate rport
    - scsi: qla2xxx: Array index may go out of bound
    - scsi: qla2xxx: Avoid fcport pointer dereference
    - scsi: qla2xxx: Fix buffer overrun
    - scsi: qla2xxx: Fix potential NULL pointer dereference
    - scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
    - scsi: qla2xxx: Correct the index of array
    - scsi: qla2xxx: Pointer may be dereferenced
    - scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
    - MIPS: kvm: Fix build error with KVM_MIPS_DEBUG_COP0_COUNTERS enabled
    - net/sched: sch_qfq: reintroduce lmax bound check for MTU
    - drm/atomic: Fix potential use-after-free in nonblocking commits
    - Linux 5.15.121

* Jammy update: v5.15.120 upstream stable release (LP: #2032688)
    - mptcp: fix possible divide by zero in recvmsg()
    - mptcp: consolidate fallback and non fallback state machine
    - mm, hwpoison: try to recover from copy-on write faults
    - mm, hwpoison: when copy-on-write hits poison, take page offline
    - drm/amdgpu: Set vmbo destroy after pt bo is created
    - x86/microcode/AMD: Load late on both threads too
    - x86/smp: Use dedicated cache-line for mwait_play_dead()
    - can: isotp: isotp_sendmsg(): fix return error fix on TX path
    - bpf: ensure main program has an extable
    - HID: wacom: Use ktime_t rather than int when dealing with timestamps
    - HID: logitech-hidpp: add HIDPP_QUIRK_DELAYED_INIT for the T651.
    - Revert "thermal/drivers/mediatek: Use devm_of_iomap to avoid resource leak
      in mtk_thermal_probe"
    - perf symbols: Symbol lookup with kcore can fail if multiple segments match
      stext
    - scripts/tags.sh: Resolve gtags empty index generation
    - drm/amdgpu: Validate VM ioctl flags.
    - parisc: Delete redundant register definitions in <asm/assembly.h>
    - nubus: Partially revert proc_create_single_data() conversion
    - Linux 5.15.120

* Jammy update: v5.15.119 upstream stable release (LP: #2032683)
    - drm/amd/display: fix the system hang while disable PSR
    - tracing: Add tracing_reset_all_online_cpus_unlocked() function
    - tpm, tpm_tis: Claim locality in interrupt handler
    - drm/amd/display: Add minimal pipe split transition state
    - drm/amd/display: Use dc_update_planes_and_stream
    - drm/amd/display: Add wrapper to call planes and stream update
    - tick/common: Align tick period during sched_timer setup
    - selftests: mptcp: lib: skip if missing symbol
    - selftests: mptcp: lib: skip if not below kernel version
    - selftests/mount_setattr: fix redefine struct mount_attr build error
    - selftests: mptcp: pm nl: remove hardcoded default limits
    - selftests: mptcp: join: use 'iptables-legacy' if available
    - selftests: mptcp: join: skip check if MIB counter not supported
    - nilfs2: fix buffer corruption due to concurrent device reads
    - ACPI: sleep: Avoid breaking S3 wakeup due to might_sleep()
    - KVM: Avoid illegal stage2 mapping on invalid memory slot
    - Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails
    - Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs
    - PCI: hv: Fix a race condition bug in hv_pci_query_relations()
    - Revert "PCI: hv: Fix a timing issue which causes kdump to fail occasionally"
    - PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev
    - PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic
    - PCI: hv: Add a per-bus mutex state_lock
    - cgroup: Do not corrupt task iteration when rebinding subsystem
    - mmc: sdhci-msm: Disable broken 64-bit DMA on MSM8916
    - mmc: meson-gx: remove redundant mmc_request_done() call from irq context
    - mmc: mmci: stm32: fix max busy timeout calculation
    - ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN
    - regulator: pca9450: Fix LDO3OUT and LDO4OUT MASK
    - regmap: spi-avmm: Fix regmap_bus max_raw_write
    - writeback: fix dereferencing NULL mapping->host on writeback_page_template
    - io_uring/net: save msghdr->msg_control for retries
    - io_uring/net: clear msg_controllen on partial sendmsg retry
    - io_uring/net: disable partial retries for recvmsg with cmsg
    - nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
    - x86/mm: Avoid using set_pgd() outside of real PGD pages
    - memfd: check for non-NULL file_seals in memfd_create() syscall
    - mmc: meson-gx: fix deferred probing
    - ieee802154: hwsim: Fix possible memory leaks
    - xfrm: Treat already-verified secpath entries as optional
    - xfrm: interface: rename xfrm_interface.c to xfrm_interface_core.c
    - xfrm: Ensure policies always checked on XFRM-I input path
    - bpf: track immediate values written to stack by BPF_ST instruction
    - bpf: Fix verifier id tracking of scalars on spill
    - xfrm: fix inbound ipv4/udp/esp packets to UDPv6 dualstack sockets
    - selftests: net: fcnal-test: check if FIPS mode is enabled
    - xfrm: Linearize the skb after offloading if needed.
    - net: qca_spi: Avoid high load if QCA7000 is not available
    - mmc: mtk-sd: fix deferred probing
    - mmc: mvsdio: fix deferred probing
    - mmc: omap: fix deferred probing
    - mmc: omap_hsmmc: fix deferred probing
    - mmc: owl: fix deferred probing
    - mmc: sdhci-acpi: fix deferred probing
    - mmc: sh_mmcif: fix deferred probing
    - mmc: usdhi60rol0: fix deferred probing
    - ipvs: align inner_mac_header for encapsulation
    - net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch
    - net: dsa: mt7530: fix handling of BPDUs on MT7530 switch
    - be2net: Extend xmit workaround to BE3 chip
    - netfilter: nft_set_pipapo: .walk does not deal with generations
    - netfilter: nf_tables: disallow element updates of bound anonymous sets
    - netfilter: nf_tables: reject unbound anonymous set before commit phase
    - netfilter: nf_tables: reject unbound chain set before commit phase
    - netfilter: nf_tables: disallow updates of anonymous sets
    - netfilter: nfnetlink_osf: fix module autoload
    - Revert "net: phy: dp83867: perform soft reset and retain established link"
    - bpf/btf: Accept function names that contain dots
    - selftests: forwarding: Fix race condition in mirror installation
    - sch_netem: acquire qdisc lock in netem_change()
    - gpio: Allow per-parent interrupt data
    - gpiolib: Fix GPIO chip IRQ initialization restriction
    - gpio: sifive: add missing check for platform_get_irq
    - scsi: target: iscsi: Prevent login threads from racing between each other
    - HID: wacom: Add error check to wacom_parse_and_register()
    - arm64: Add missing Set/Way CMO encodings
    - media: cec: core: don't set last_initiator if tx in progress
    - nfcsim.c: Fix error checking for debugfs_create_dir
    - usb: gadget: udc: fix NULL dereference in remove()
    - nvme: double KA polling frequency to avoid KATO with TBKAS on
    - Input: soc_button_array - add invalid acpi_index DMI quirk handling
    - s390/cio: unregister device when the only path is gone
    - spi: lpspi: disable lpspi module irq in DMA mode
    - ASoC: simple-card: Add missing of_node_put() in case of error
    - soundwire: dmi-quirks: add new mapping for HP Spectre x360
    - ASoC: nau8824: Add quirk to active-high jack-detect
    - s390/purgatory: disable branch profiling
    - ARM: dts: Fix erroneous ADS touchscreen polarities
    - drm/exynos: vidi: fix a wrong error return
    - drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
    - drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
    - vhost_net: revert upend_idx only on retriable error
    - x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys
    - i2c: imx-lpi2c: fix type char overflow issue when calculating the clock
      cycle
    - act_mirred: remove unneded merge conflict markers
    - Linux 5.15.119

* Jammy update: v5.15.118 upstream stable release (LP: #2030239)
    - test_firmware: Use kstrtobool() instead of strtobool()
    - test_firmware: prevent race conditions by a correct implementation of
      locking
    - test_firmware: fix a memory leak with reqs buffer
    - ksmbd: fix slab-out-of-bounds read in smb2_handle_negotiate
    - drm/amdgpu: fix Null pointer dereference error in amdgpu_device_recover_vram
    - of: overlay: rename variables to be consistent
    - of: overlay: rework overlay apply and remove kfree()s
    - of: overlay: Fix missing of_node_put() in error case of
      init_overlay_changeset()
    - power: supply: ab8500: Fix external_power_changed race
    - power: supply: sc27xx: Fix external_power_changed race
    - power: supply: bq27xxx: Use mod_delayed_work() instead of cancel() +
      schedule()
    - ARM: dts: vexpress: add missing cache properties
    - tools: gpio: fix debounce_period_us output of lsgpio
    - power: supply: Ratelimit no data debug output
    - platform/x86: asus-wmi: Ignore WMI events with codes 0x7B, 0xC0
    - regulator: Fix error checking for debugfs_create_dir
    - irqchip/gic-v3: Disable pseudo NMIs on Mediatek devices w/ firmware issues
    - power: supply: Fix logic checking if system is running from battery
    - btrfs: scrub: try harder to mark RAID56 block groups read-only
    - btrfs: handle memory allocation failure in btrfs_csum_one_bio
    - ASoC: soc-pcm: test if a BE can be prepared
    - parisc: Improve cache flushing for PCXL in arch_sync_dma_for_cpu()
    - parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory()
    - MIPS: unhide PATA_PLATFORM
    - MIPS: Alchemy: fix dbdma2
    - mips: Move initrd_start check after initrd address sanitisation.
    - ASoC: dwc: move DMA init to snd_soc_dai_driver probe()
    - xen/blkfront: Only check REQ_FUA for writes
    - drm:amd:amdgpu: Fix missing buffer object unlock in failure path
    - NVMe: Add MAXIO 1602 to bogus nid list.
    - irqchip/gic: Correctly validate OF quirk descriptors
    - wifi: cfg80211: fix locking in regulatory disconnect
    - wifi: cfg80211: fix double lock bug in reg_wdev_chan_valid()
    - epoll: ep_autoremove_wake_function should use list_del_init_careful
    - ocfs2: fix use-after-free when unmounting read-only filesystem
    - ocfs2: check new file size on fallocate call
    - nios2: dts: Fix tse_mac "max-frame-size" property
    - nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key()
    - nilfs2: fix possible out-of-bounds segment allocation in resize ioctl
    - kexec: support purgatories with .text.hot sections
    - x86/purgatory: remove PGO flags
    - powerpc/purgatory: remove PGO flags
    - ALSA: usb-audio: Add quirk flag for HEM devices to enable native DSD
      playback
    - dm thin metadata: check fail_io before using data_sm
    - nouveau: fix client work fence deletion race
    - RDMA/uverbs: Restrict usage of privileged QKEYs
    - net: usb: qmi_wwan: add support for Compal RXM-G1
    - drm/amdgpu: add missing radeon secondary PCI ID
    - ALSA: hda/realtek: Add a quirk for Compaq N14JP6
    - Remove DECnet support from kernel
    - [Config] updateconfigs for DECNET
    - thunderbolt: dma_test: Use correct value for absent rings when creating
      paths
    - thunderbolt: Mask ring interrupt on Intel hardware as well
    - USB: serial: option: add Quectel EM061KGL series
    - serial: lantiq: add missing interrupt ack
    - usb: dwc3: gadget: Reset num TRBs before giving back the request
    - RDMA/rtrs: Fix the last iu->buf leak in err path
    - RDMA/rtrs: Fix rxe_dealloc_pd warning
    - RDMA/rxe: Fix packet length checks
    - spi: fsl-dspi: avoid SCK glitches with continuous transfers
    - netfilter: nf_tables: integrate pipapo into commit protocol
    - netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM
    - net: enetc: correct the indexes of highest and 2nd highest TCs
    - ping6: Fix send to link-local addresses with VRF.
    - net/sched: simplify tcf_pedit_act
    - net/sched: act_pedit: remove extra check for key type
    - net/sched: act_pedit: Parse L3 Header for L4 offset
    - RDMA/rxe: Remove the unused variable obj
    - RDMA/rxe: Removed unused name from rxe_task struct
    - RDMA/rxe: Fix the use-before-initialization error of resp_pkts
    - iavf: remove mask from iavf_irq_enable_queues()
    - octeontx2-af: fixed resource availability check
    - octeontx2-af: fix lbk link credits on cn10k
    - RDMA/mlx5: Initiate dropless RQ for RAW Ethernet functions
    - RDMA/cma: Always set static rate to 0 for RoCE
    - IB/uverbs: Fix to consider event queue closing also upon non-blocking mode
    - IB/isert: Fix dead lock in ib_isert
    - IB/isert: Fix possible list corruption in CMA handler
    - IB/isert: Fix incorrect release of isert connection
    - net: ethtool: correct MAX attribute value for stats
    - ipvlan: fix bound dev checking for IPv6 l3s mode
    - sctp: fix an error code in sctp_sf_eat_auth()
    - igc: Clean the TX buffer and TX descriptor ring
    - igb: fix nvm.ops.read() error handling
    - drm/nouveau: don't detect DSM for non-NVIDIA device
    - drm/nouveau/dp: check for NULL nv_connector->native_mode
    - drm/nouveau: add nv_encoder pointer check for NULL
    - cifs: fix lease break oops in xfstest generic/098
    - ext4: drop the call to ext4_error() from ext4_get_group_info()
    - net/sched: cls_api: Fix lockup on flushing explicitly created chain
    - net: lapbether: only support ethernet devices
    - dm: don't lock fs when the map is NULL during suspend or resume
    - net: tipc: resize nlattr array to correct size
    - selftests/ptp: Fix timestamp printf format for PTP_SYS_OFFSET
    - afs: Fix vlserver probe RTT handling
    - cgroup: always put cset in cgroup_css_set_put_fork
    - rcu/kvfree: Avoid freeing new kfree_rcu() memory after old grace period
    - neighbour: Remove unused inline function neigh_key_eq16()
    - net: Remove unused inline function dst_hold_and_use()
    - net: Remove DECnet leftovers from flow.h.
    - neighbour: delete neigh_lookup_nodev as not used
    - of: overlay: add entry to of_overlay_action_name[]
    - mmc: block: ensure error propagation for non-blk
    - nilfs2: reject devices with insufficient block count
    - Linux 5.15.118

* Jammy update: v5.15.117 upstream stable release (LP: #2030107)
    - ata: ahci: fix enum constants for gcc-13
    - gcc-plugins: Reorganize gimple includes for GCC 13
    - remove the sx8 block driver
    - [Config] updateconfigs for BLK_DEV_SX8
    - sfc (gcc13): synchronize ef100_enqueue_skb()'s return type
    - i40e: Remove string printing for i40e_status
    - i40e: use int for i40e_status
    - i40e: fix build warning in ice_fltr_add_mac_to_list()
    - bonding (gcc13): synchronize bond_{a,t}lb_xmit() types
    - f2fs: fix iostat lock protection
    - blk-iocost: avoid 64-bit division in ioc_timer_fn
    - platform/surface: aggregator: Allow completion work-items to be executed in
      parallel
    - spi: qup: Request DMA before enabling clocks
    - afs: Fix setting of mtime when creating a file/dir/symlink
    - wifi: mt76: mt7615: fix possible race in mt7615_mac_sta_poll
    - neighbour: fix unaligned access to pneigh_entry
    - net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods
    - bpf: Fix UAF in task local storage
    - net/ipv6: fix bool/int mismatch for skip_notify_on_dev_down
    - net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT
    - net: enetc: correct the statistics of rx bytes
    - net/sched: fq_pie: ensure reasonable TCA_FQ_PIE_QUANTUM values
    - drm/i915: Explain the magic numbers for AUX SYNC/precharge length
    - drm/i915: Use 18 fast wake AUX sync len
    - Bluetooth: Fix l2cap_disconnect_req deadlock
    - Bluetooth: L2CAP: Add missing checks for invalid DCID
    - qed/qede: Fix scheduling while atomic
    - wifi: cfg80211: fix locking in sched scan stop work
    - selftests/bpf: Verify optval=NULL case
    - selftests/bpf: Fix sockopt_sk selftest
    - netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
    - netfilter: ipset: Add schedule point in call_ad().
    - ipv6: rpl: Fix Route of Death.
    - rfs: annotate lockless accesses to sk->sk_rxhash
    - rfs: annotate lockless accesses to RFS sock flow table
    - drm/i915/selftests: Increase timeout for live_parallel_switch
    - drm/i915/selftests: Stop using kthread_stop()
    - drm/i915/selftests: Add some missing error propagation
    - net: sched: move rtm_tca_policy declaration to include file
    - net: sched: act_police: fix sparse errors in tcf_police_dump()
    - net: sched: fix possible refcount leak in tc_chain_tmplt_add()
    - bpf: Add extra path pointer check to d_path helper
    - lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release()
    - bnxt_en: Don't issue AP reset during ethtool's reset operation
    - bnxt_en: Query default VLAN before VNIC setup on a VF
    - bnxt_en: Implement .set_port / .unset_port UDP tunnel callbacks
    - batman-adv: Broken sync while rescheduling delayed work
    - Input: xpad - delete a Razer DeathAdder mouse VID/PID entry
    - Input: psmouse - fix OOB access in Elantech protocol
    - Input: fix open count when closing inhibited device
    - ALSA: hda/realtek: Add quirk for Clevo NS50AU
    - ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01
    - drm/i915/gt: Use the correct error value when kernel_context() fails
    - drm/amd/pm: conditionally disable pcie lane switching for some
      sienna_cichlid SKUs
    - drm/amdgpu: fix xclk freq on CHIP_STONEY
    - drm/amd/pm: Fix power context allocation in SMU13
    - can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in
      J1939 Socket
    - can: j1939: change j1939_netdev_lock type to mutex
    - can: j1939: avoid possible use-after-free when j1939_can_rx_register fails
    - ceph: fix use-after-free bug for inodes when flushing capsnaps
    - s390/dasd: Use correct lock while counting channel queue length
    - Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
    - Bluetooth: hci_qca: fix debugfs registration
    - tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta'
    - rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting
    - rbd: get snapshot context after exclusive lock is ensured to be held
    - pinctrl: meson-axg: add missing GPIOA_18 gpio group
    - usb: usbfs: Enforce page requirements for mmap
    - usb: usbfs: Use consistent mmap functions
    - ARM: dts: at91: sama7g5ek: fix debounce delay property for shdwc
    - ASoC: codecs: wsa881x: do not set can_multi_write flag
    - arm64: dts: qcom: sc7180-lite: Fix SDRAM freq for misidentified sc7180-lite
      boards
    - arm64: dts: imx8qm-mek: correct GPIOs for USDHC2 CD and WP signals
    - arm64: dts: imx8-ss-dma: assign default clock rate for lpuarts
    - ASoC: mediatek: mt8195-afe-pcm: Convert to platform remove callback
      returning void
    - ASoC: mediatek: mt8195: fix use-after-free in driver remove path
    - arm64: dts: imx8mn-beacon: Fix SPI CS pinmux
    - i2c: mv64xxx: Fix reading invalid status value in atomic mode
    - firmware: arm_ffa: Set handle field to zero in memory descriptor
    - i2c: sprd: Delete i2c adapter in .remove's error path
    - eeprom: at24: also select REGMAP
    - riscv: fix kprobe __user string arg print fault issue
    - vduse: avoid empty string for dev name
    - vhost: support PACKED when setting-getting vring_base
    - vhost_vdpa: support PACKED when setting-getting vring_base
    - ext4: only check dquot_initialize_needed() when debugging
    - Linux 5.15.117

* CVE-2023-4273
    - exfat: check if filename entries exceeds max filename length

* CVE-2023-4128
    - net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-
      free
    - net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-
      free
    - net/sched: cls_route: No longer copy tcf_result on update to avoid use-
      after-free

* CVE-2023-3863
    - nfc: llcp: simplify llcp_sock_connect() error paths
    - net: nfc: Fix use-after-free caused by nfc_llcp_find_local

-- Stefan Bader <stefan.bader@canonical.com>  Wed, 20 Sep 2023 09:32:27 +0200

Changed in linux (Ubuntu Jammy):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Jammy update: v5.15.117 upstream stable release

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package