Ubuntu
linux package

Jammy update: v5.15.140 upstream stable release

Bug #2050038 reported by Portia Stephens on 2024-01-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Jammy	Fix Released	Medium	Portia Stephens

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

v5.15.140 upstream stable release
from git://git.kernel.org/

locking/ww_mutex/test: Fix potential workqueue corruption
perf/core: Bail out early if the request AUX area is out of bound
clocksource/drivers/timer-imx-gpt: Fix potential memory leak
clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
workqueue: Provide one lock class key per work_on_cpu() callsite
x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
wifi: mac80211_hwsim: fix clang-specific fortify warning
wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
atl1c: Work around the DMA RX overflow issue
bpf: Detect IP == ksym.end as part of BPF program
wifi: ath9k: fix clang-specific fortify warnings
wifi: ath10k: fix clang-specific fortify warning
net: annotate data-races around sk->sk_tx_queue_mapping
net: annotate data-races around sk->sk_dst_pending_confirm
wifi: ath10k: Don't touch the CE interrupt registers after power up
Bluetooth: btusb: Add date->evt_skb is NULL check
Bluetooth: Fix double free in hci_conn_cleanup
platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
drm/komeda: drop all currently held locks if deadlock happens
drm/amdkfd: Fix a race condition of vram buffer unref in svm code
drm/amd/display: use full update for clip size increase of large plane source
string.h: add array-wrappers for (v)memdup_user()
kernel: kexec: copy user-array safely
kernel: watch_queue: copy user-array safely
drm: vmwgfx_surface.c: copy user-array safely
drm/msm/dp: skip validity check for DP CTS EDID checksum
drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
drm/amdgpu: Fix potential null pointer derefernce
drm/panel: fix a possible null pointer dereference
drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference
drm/amdgpu/vkms: fix a possible null pointer dereference
drm/panel: st7703: Pick different reset sequence
drm/amdkfd: Fix shift out-of-bounds issue
drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
arm64: dts: ls208xa: use a pseudo-bus to constrain usb dma size
selftests/efivarfs: create-read: fix a resource leak
ASoC: soc-card: Add storage for PCI SSID
crypto: pcrypt - Fix hungtask for PADATA_RESET
RDMA/hfi1: Use FIELD_GET() to extract Link Width
scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs
scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool
fs/jfs: Add check for negative db_l2nbperpage
fs/jfs: Add validity check for db_maxag and db_agpref
jfs: fix array-index-out-of-bounds in dbFindLeaf
jfs: fix array-index-out-of-bounds in diAlloc
HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround
ARM: 9320/1: fix stack depot IRQ stack filter
ALSA: hda: Fix possible null-ptr-deref when assigning a stream
PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields
atm: iphase: Do PCI error checks on own line
scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()
PCI: Use FIELD_GET() to extract Link Width
PCI: Extract ATS disabling to a helper function
PCI: Disable ATS for specific Intel IPU E2000 devices
misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller
PCI: Use FIELD_GET() in Sapphire RX 5600 XT Pulse quirk
HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
exfat: support handle zero-size directory
tty: vcc: Add check for kstrdup() in vcc_probe()
usb: gadget: f_ncm: Always set current gadget in ncm_bind()
9p/trans_fd: Annotate data-racy writes to file::f_flags
9p: v9fs_listxattr: fix %s null argument warning
i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler
i2c: sun6i-p2wi: Prevent potential division by zero
virtio-blk: fix implicit overflow on virtio_max_dma_size
i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.
media: gspca: cpia1: shift-out-of-bounds in set_flicker
media: vivid: avoid integer overflow
gfs2: ignore negated quota changes
gfs2: fix an oops in gfs2_permission
media: cobalt: Use FIELD_GET() to extract Link Width
media: ccs: Fix driver quirk struct documentation
media: imon: fix access to invalid resource for the second interface
drm/amd/display: Avoid NULL dereference of timing generator
kgdb: Flush console before entering kgdb on panic
i2c: dev: copy userspace array safely
ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings
drm/qxl: prevent memory leak
drm/amdgpu: fix software pci_unplug on some chips
pwm: Fix double shift bug
wifi: iwlwifi: Use FW rate for non-data frames
tracing: Reuse logic from perf's get_recursion_context()
tracing/perf: Add interrupt_context_level() helper
sched/core: Optimize in_task() and in_interrupt() a bit
media: cadence: csi2rx: Unregister v4l2 async notifier
media: cec: meson: always include meson sub-directory in Makefile
SUNRPC: ECONNRESET might require a rebind
SUNRPC: Add an IS_ERR() check back to where it was
NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
gfs2: Silence "suspicious RCU usage in gfs2_permission" warning
mptcp: diag: switch to context structure
mptcp: listen diag dump support
net: inet: Remove count from inet_listen_hashbucket
net: inet: Open code inet_hash2 and inet_unhash2
net: inet: Retire port only listening_hash
net: set SOCK_RCU_FREE before inserting socket into hashtable
ipvlan: add ipvlan_route_v6_outbound() helper
tty: Fix uninit-value access in ppp_sync_receive()
net: hns3: fix add VLAN fail issue
net: hns3: refine the definition for struct hclge_pf_to_vf_msg
net: hns3: add byte order conversion for PF to VF mailbox message
net: hns3: add barrier in vf mailbox reply process
net: hns3: fix incorrect capability bit display for copper port
net: hns3: fix variable may not initialized problem in hns3_init_mac_addr()
net: hns3: fix VF reset fail issue
net: hns3: fix VF wrong speed and duplex issue
tipc: Fix kernel-infoleak due to uninitialized TLV value
ppp: limit MRU to 64K
xen/events: fix delayed eoi list handling
ptp: annotate data-race around q->head and q->tail
bonding: stop the device in bond_setup_by_slave()
net: ethernet: cortina: Fix max RX frame define
net: ethernet: cortina: Handle large frames
net: ethernet: cortina: Fix MTU max setting
af_unix: fix use-after-free in unix_stream_read_actor()
netfilter: nf_conntrack_bridge: initialize err to 0
netfilter: nf_tables: use the correct get/put helpers
netfilter: nf_tables: add and use BE register load-store helpers
netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
net: stmmac: fix rx budget limit check
net/mlx5e: Remove incorrect addition of action fwd flag
net/mlx5e: Move mod hdr allocation to a single place
net/mlx5e: Refactor mod header management API
net/mlx5e: Fix pedit endianness
net/mlx5e: Reduce the size of icosq_str
net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors
macvlan: Don't propagate promisc change to lower dev in passthru
tools/power/turbostat: Fix a knl bug
tools/power/turbostat: Enable the C-state Pre-wake printing
cifs: spnego: add ';' in HOST_KEY_LEN
cifs: fix check of rc in function generate_smb3signingkey
xfs: refactor buffer cancellation table allocation
xfs: don't leak xfs_buf_cancel structures when recovery fails
xfs: convert buf_cancel_table allocation to kmalloc_array
xfs: use invalidate_lock to check the state of mmap_lock
xfs: prevent a UAF when log IO errors race with unmount
xfs: flush inode gc workqueue before clearing agi bucket
xfs: fix use-after-free in xattr node block inactivation
xfs: don't leak memory when attr fork loading fails
xfs: fix intermittent hang during quotacheck
xfs: add missing cmap->br_state = XFS_EXT_NORM update
xfs: Fix false ENOSPC when performing direct write on a delalloc extent in cow fork
xfs: fix inode reservation space for removing transaction
xfs: avoid a UAF when log intent item recovery fails
xfs: fix exception caused by unexpected illegal bestcount in leaf dir
xfs: fix memory leak in xfs_errortag_init
xfs: Fix unreferenced object reported by kmemleak in xfs_sysfs_init()
i915/perf: Fix NULL deref bugs with drm_dbg() calls
media: venus: hfi: add checks to perform sanity on queue pointers
powerpc/perf: Fix disabling BHRB and instruction sampling
randstruct: Fix gcc-plugin performance mode to stay in group
bpf: Fix check_stack_write_fixed_off() to correctly spill imm
bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
scsi: mpt3sas: Fix loop logic
scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers
scsi: qla2xxx: Fix system crash due to bad pointer access
crypto: x86/sha - load modules based on CPU features
x86/cpu/hygon: Fix the CPU topology evaluation for real
KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space
KVM: x86: Ignore MSR_AMD64_TW_CFG access
audit: don't take task_lock() in audit_exe_compare() code path
audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
tty/sysrq: replace smp_processor_id() with get_cpu()
hvc/xen: fix console unplug
hvc/xen: fix error path in xen_hvc_init() to always register frontend driver
hvc/xen: fix event channel handling for secondary consoles
PCI/sysfs: Protect driver's D3cold preference from user space
watchdog: move softlockup_panic back to early_param
ACPI: resource: Do IRQ override on TongFang GMxXGxx
arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer
parisc/pdc: Add width field to struct pdc_model
clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data
clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks
clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks
mmc: vub300: fix an error code
mmc: sdhci_am654: fix start loop index for TAP value parsing
PCI/ASPM: Fix L1 substate handling in aspm_attr_store_common()
PCI: exynos: Don't discard .remove() callback
wifi: wilc1000: use vmm_table as array in wilc struct
svcrdma: Drop connection after an RDMA Read error
rcu/tree: Defer setting of jiffies during stall reset
arm64: dts: qcom: ipq6018: Fix hwlock index for SMEM
PM: hibernate: Use __get_safe_page() rather than touching the list
PM: hibernate: Clean up sync_read handling in snapshot_write_next()
rcu: kmemleak: Ignore kmemleak false positives when RCU-freeing objects
btrfs: don't arbitrarily slow down delalloc if we're committing
firmware: qcom_scm: use 64-bit calling convention only when client is 64-bit
ACPI: FPDT: properly handle invalid FPDT subtables
ima: annotate iint mutex to avoid lockdep false positive warnings
ima: detect changes to the backing overlay file
wifi: ath11k: fix temperature event locking
wifi: ath11k: fix dfs radar event locking
wifi: ath11k: fix htt pktlog locking
mmc: meson-gx: Remove setting of CMD_CFG_ERROR
genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
KEYS: trusted: Rollback init_trusted() consistently
PCI: keystone: Don't discard .remove() callback
PCI: keystone: Don't discard .probe() callback
netfilter: nf_tables: split async and sync catchall in two functions
selftests/resctrl: Remove duplicate feature check from CMT test
selftests/resctrl: Reduce failures due to outliers in MBA/MBM tests
ASoC: codecs: wsa-macro: fix uninitialized stack variables with name prefix
jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev
quota: explicitly forbid quota files from being encrypted
kernel/reboot: emergency_restart: Set correct system_state
i2c: core: Run atomic i2c xfer when !preemptible
tracing: Have the user copy of synthetic event address use correct context
mcb: fix error handling for different scenarios when parsing
dmaengine: stm32-mdma: correct desc prep when channel running
s390/cmma: fix detection of DAT pages
mm/cma: use nth_page() in place of direct struct page manipulation
mm/memory_hotplug: use pfn math in place of direct struct page manipulation
mtd: cfi_cmdset_0001: Byte swap OTP info
i3c: master: cdns: Fix reading status register
i3c: master: svc: fix race condition in ibi work thread
i3c: master: svc: fix wrong data return when IBI happen during start frame
i3c: master: svc: fix ibi may not return mandatory data byte
i3c: master: svc: fix check wrong status register in irq handler
i3c: master: svc: fix SDA keep low when polling IBIWON timeout happen
parisc: Prevent booting 64-bit kernels on PA1.x machines
parisc/pgtable: Do not drop upper 5 address bits of physical address
xhci: Enable RPM on controllers that support low-power states
ALSA: info: Fix potential deadlock at disconnection
ALSA: hda/realtek - Add Dell ALC295 to pin fall back table
ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC
serial: meson: Use platform_get_irq() to get the interrupt
tty: serial: meson: fix hard LOCKUP on crtscts mode
regmap: Ensure range selector registers are updated after cache sync
cpufreq: stats: Fix buffer overflow detection in trans_stats()
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559
bluetooth: Add device 0bda:887b to device tables
bluetooth: Add device 13d3:3571 to device tables
Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables
Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE
ksmbd: fix slab out of bounds write in smb_inherit_dacl()
arm64: dts: qcom: ipq6018: switch TCSR mutex to MMIO
arm64: dts: qcom: ipq6018: Fix tcsr_mutex register size
powerpc/pseries/ddw: simplify enable_ddw()
Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
Revert "i2c: pxa: move to generic GPIO recovery"
lsm: fix default return value for vm_enough_memory
lsm: fix default return value for inode_getsecctx
sbsa_gwdt: Calculate timeout with 64-bit math
i2c: designware: Disable TX_EMPTY irq while waiting for block length byte
s390/ap: fix AP bus crash on early config change callback invocation
net: ethtool: Fix documentation of ethtool_sprintf()
net: dsa: lan9303: consequently nested-lock physical MDIO
net: phylink: initialize carrier state at creation
i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
f2fs: avoid format-overflow warning
media: lirc: drop trailing space from scancode transmit
media: sharp: fix sharp encoding
media: venus: hfi_parser: Add check to keep the number of codecs within range
media: venus: hfi: fix the check to handle session buffer requirement
media: venus: hfi: add checks to handle capabilities from firmware
media: ccs: Correctly initialise try compose rectangle
nfsd: fix file memleak on client_opens_release
riscv: kprobes: allow writing to x0
mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2
mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors
r8169: fix network lost after resume on DASH systems
mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of AER
media: qcom: camss: Fix pm_domain_on sequence in probe
media: qcom: camss: Fix vfe_get() error jump
media: qcom: camss: Fix VFE-17x vfe_disable_output()
media: qcom: camss: Fix missing vfe_lite clocks check
Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E"
ext4: apply umask if ACL support is disabled
ext4: correct offset of gdb backup in non meta_bg group to update_backups
ext4: correct return value of ext4_convert_meta_bg
ext4: correct the start block of counting reserved clusters
ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
ext4: add missed brelse in update_backups
drm/amd/pm: Handle non-terminated overdrive commands.
drm/i915: Fix potential spectre vulnerability
drm/amdgpu: don't use ATRM for external devices
drm/amdgpu: fix error handling in amdgpu_bo_list_get()
drm/amd/display: Change the DMCUB mailbox memory location from FB to inbox
io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid
powerpc/powernv: Fix fortify source warnings in opal-prd.c
tracing: Have trace_event_file have ref counters
Input: xpad - add VID for Turtle Beach controllers
driver core: Release all resources during unbind before updating device links
Linux 5.15.140
UBUNTU: Upstream stable to v5.15.140

See original description

Tags:

CVE References

Portia Stephens (portias) on 2024-01-22

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug
summary:	- Jammy update: upstream stable patchset 2024-01-22 + Jammy update: v5.15.140 upstream stable release
description:	updated

Portia Stephens (portias) on 2024-01-22

Changed in linux (Ubuntu Jammy):
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Portia Stephens (portias)
Changed in linux (Ubuntu):
status:	Confirmed → Invalid

Portia Stephens (portias) on 2024-01-22

description:

updated

Revision history for this message

Stefan Bader (smb) wrote on 2024-01-24:

Skipped "io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid" as it is already applied as CVE-2023-46862 (cross-checked both patches look identical).

Changed in linux (Ubuntu Jammy):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-03-07:

Download full text (65.6 KiB)

This bug was fixed in the package linux - 5.15.0-100.110

---------------
linux (5.15.0-100.110) jammy; urgency=medium

* jammy/linux: 5.15.0-100.110 -proposed tracker (LP: #2052616)

* i915 regression introduced with 5.5 kernel (LP: #2044131)
- drm/i915: Skip some timing checks on BXT/GLK DSI transcoders

* Audio balancing setting doesn't work with the cirrus codec (LP: #2051050)
- ALSA: hda/cs8409: Suppress vmaster control for Dolphin models

* partproke is broken on empty loopback device (LP: #2049689)
- block: Move checking GENHD_FL_NO_PART to bdev_add_partition()

* CVE-2023-0340
- vhost: use kzalloc() instead of kmalloc() followed by memset()

* CVE-2023-51780
- atm: Fix Use-After-Free in do_vcc_ioctl

* CVE-2023-6915
- ida: Fix crash in ida_free when the bitmap is empty

* CVE-2024-0646
- net: tls, update curr on splice as well

* CVE-2024-0565
- smb: client: fix OOB in receive_encrypted_standard()

* CVE-2023-51781
- appletalk: Fix Use-After-Free in atalk_ioctl

This bug was fixed in the package linux - 5.15.0-100.110

---------------
linux (5.15.0-100.110) jammy; urgency=medium

* jammy/linux: 5.15.0-100.110 -proposed tracker (LP: #2052616)

* i915 regression introduced with 5.5 kernel (LP: #2044131)
    - drm/i915: Skip some timing checks on BXT/GLK DSI transcoders

* Audio balancing setting doesn't work with the cirrus codec (LP: #2051050)
    - ALSA: hda/cs8409: Suppress vmaster control for Dolphin models

* partproke is broken on empty loopback device (LP: #2049689)
    - block: Move checking GENHD_FL_NO_PART to bdev_add_partition()

* CVE-2023-0340
    - vhost: use kzalloc() instead of kmalloc() followed by memset()

* CVE-2023-51780
    - atm: Fix Use-After-Free in do_vcc_ioctl

* CVE-2023-6915
    - ida: Fix crash in ida_free when the bitmap is empty

* CVE-2024-0646
    - net: tls, update curr on splice as well

* CVE-2024-0565
    - smb: client: fix OOB in receive_encrypted_standard()

* CVE-2023-51781
    - appletalk: Fix Use-After-Free in atalk_ioctl

* Jammy update: v5.15.143 upstream stable release (LP: #2050858)
    - vdpa/mlx5: preserve CVQ vringh index
    - hrtimers: Push pending hrtimers away from outgoing CPU earlier
    - i2c: designware: Fix corrupted memory seen in the ISR
    - netfilter: ipset: fix race condition between swap/destroy and kernel side
      add/del/test
    - tg3: Move the [rt]x_dropped counters to tg3_napi
    - tg3: Increment tx_dropped in tg3_tso_bug()
    - kconfig: fix memory leak from range properties
    - drm/amdgpu: correct chunk_ptr to a pointer to chunk.
    - platform/x86: asus-wmi: Adjust tablet/lidflip handling to use enum
    - platform/x86: asus-wmi: Add support for ROG X13 tablet mode
    - platform/x86: asus-wmi: Simplify tablet-mode-switch probing
    - platform/x86: asus-wmi: Simplify tablet-mode-switch handling
    - platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi code
    - of: dynamic: Fix of_reconfig_get_state_change() return value documentation
    - platform/x86: wmi: Allow duplicate GUIDs for drivers that use struct
      wmi_driver
    - platform/x86: wmi: Skip blocks with zero instances
    - ipv6: fix potential NULL deref in fib6_add()
    - octeontx2-pf: Add missing mutex lock in otx2_get_pauseparam
    - octeontx2-af: Check return value of nix_get_nixlf before using nixlf
    - hv_netvsc: rndis_filter needs to select NLS
    - r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE
    - r8152: Add RTL8152_INACCESSIBLE checks to more loops
    - r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash()
    - r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1()
    - r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en()
    - mlxbf-bootctl: correctly identify secure boot with development keys
    - platform/mellanox: Add null pointer checks for devm_kasprintf()
    - platform/mellanox: Check devm_hwmon_device_register_with_groups() return
      value
    - arcnet: restoring support for multiple Sohard Arcnet cards
    - net: stmmac: fix FPE events losing
    - octeontx2-af: fix a use-after-free in rvu_npa_register_reporters
    - i40e: Fix unexpected MFS warning message
    - net: bnxt: fix a potential use-after-free in bnxt_init_tc
    - ionic: fix snprintf format length warning
    - ionic: Fix dim work handling in split interrupt mode
    - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
    - net: hns: fix fake link up on xge port
    - octeontx2-af: Update Tx link register range
    - netfilter: nf_tables: validate family when identifying table via handle
    - netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
    - tcp: do not accept ACK of bytes we never sent
    - bpf: sockmap, updating the sg structure should also update curr
    - psample: Require 'CAP_NET_ADMIN' when joining "packets" group
    - net: add missing kdoc for struct genl_multicast_group::flags
    - drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
    - tee: optee: Fix supplicant based device enumeration
    - RDMA/hns: Fix unnecessary err return when using invalid congest control
      algorithm
    - RDMA/irdma: Do not modify to SQD on error
    - RDMA/irdma: Add wait for suspend on SQD
    - arm64: dts: rockchip: Expand reg size of vdec node for RK3399
    - RDMA/rtrs-srv: Do not unconditionally enable irq
    - RDMA/rtrs-clt: Start hb after path_up
    - RDMA/rtrs-srv: Check return values while processing info request
    - RDMA/rtrs-srv: Free srv_mr iu only when always_invalidate is true
    - RDMA/rtrs-srv: Destroy path files after making sure no IOs in-flight
    - RDMA/rtrs-clt: Fix the max_send_wr setting
    - RDMA/rtrs-clt: Remove the warnings for req in_use check
    - RDMA/bnxt_re: Correct module description string
    - hwmon: (acpi_power_meter) Fix 4.29 MW bug
    - hwmon: (nzxt-kraken2) Fix error handling path in kraken2_probe()
    - ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
    - RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz
    - RDMA/irdma: Avoid free the non-cqp_request scratch
    - arm64: dts: imx8mq: drop usb3-resume-missing-cas from usb
    - arm64: dts: imx8mp: imx8mq: Add parkmode-disable-ss-quirk on DWC3
    - ARM: dts: imx6ul-pico: Describe the Ethernet PHY clock
    - tracing: Fix a warning when allocating buffered events fails
    - scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
    - ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
    - ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt
    - ARM: dts: imx28-xea: Pass the 'model' property
    - riscv: fix misaligned access handling of C.SWSP and C.SDSP
    - md: introduce md_ro_state
    - md: don't leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly()
    - kprobes: consistent rcu api usage for kretprobe holder
    - nvme-pci: Add sleep quirk for Kingston drives
    - io_uring: fix mutex_unlock with unreferenced ctx
    - ALSA: usb-audio: Add Pioneer DJM-450 mixer controls
    - ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
    - nilfs2: fix missing error check for sb_set_blocksize call
    - nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
    - checkstack: fix printed address
    - tracing: Always update snapshot buffer size
    - tracing: Disable snapshot buffer when stopping instance tracers
    - tracing: Fix incomplete locking when disabling buffered events
    - tracing: Fix a possible race when disabling buffered events
    - packet: Move reference count in packet_sock to atomic_long_t
    - regmap: fix bogus error on regcache_sync success
    - platform/surface: aggregator: fix recv_buf() return value
    - arm64: dts: mediatek: mt7622: fix memory node warning check
    - arm64: dts: mediatek: mt8183-kukui-jacuzzi: fix dsi unnecessary cells
      properties
    - arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names
    - arm64: dts: mediatek: mt8183: Fix unit address for scp reserved memory
    - binder: fix memory leaks of spam and pending work
    - kallsyms: Make kallsyms_on_each_symbol generally available
    - coresight: etm4x: Make etm4_remove_dev() return void
    - coresight: etm4x: Remove bogous __exit annotation for some functions
    - misc: mei: client.c: return negative error code in mei_cl_write
    - misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write
    - ring-buffer: Force absolute timestamp on discard of event
    - tracing: Set actual size after ring buffer resize
    - tracing: Stop current tracer when resizing buffer
    - r8169: fix rtl8125b PAUSE frames blasting when suspended
    - mm: fix oops when filemap_map_pmd() without prealloc_pte
    - io_uring/af_unix: disable sending io_uring over sockets
    - platform/x86: asus-wmi: Fix kbd_dock_devid tablet-switch reporting
    - docs/process/howto: Replace C89 with C11
    - tools headers UAPI: Sync linux/perf_event.h with the kernel sources
    - arm64: dts: mediatek: align thermal zone node names with dtschema
    - arm64: dts: mediatek: mt8183: Move thermal-zones to the root node
    - arm64: dts: mediatek: add missing space before {
    - arm64: dts: mt8183: kukui: Fix underscores in node names
    - gpiolib: sysfs: Fix error handling on failed export
    - drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c
    - drm/amdgpu: correct the amdgpu runtime dereference usage count
    - usb: gadget: f_hid: fix report descriptor allocation
    - parport: Add support for Brainboxes IX/UC/PX parallel cards
    - usb: typec: class: fix typec_altmode_put_partner to put plugs
    - ARM: PL011: Fix DMA support
    - serial: sc16is7xx: address RX timeout interrupt errata
    - serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit
    - serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt
    - serial: 8250_omap: Add earlycon support for the AM654 UART controller
    - x86/CPU/AMD: Check vendor in the AMD microcode callback
    - KVM: s390/mm: Properly reset no-dat
    - KVM: SVM: Update EFER software model on CR0 trap for SEV-ES
    - MIPS: Loongson64: Reserve vgabios memory on boot
    - MIPS: Loongson64: Enable DMA noncoherent support
    - cifs: Fix non-availability of dedup breaking generic/304
    - smb: client: fix potential NULL deref in parse_dfs_referrals()
    - devcoredump : Serialize devcd_del work
    - devcoredump: Send uevent once devcd is ready
    - Linux 5.15.143

* Intel E810-XXV - NETDEV WATCHDOG: (ice): transmit queue timed out
    (LP: #2036239)
    - ice: Add feature bitmap, helpers and a check for DSCP
    - ice: Add driver support for firmware changes for LAG
    - ice: alter feature support check for SRIOV and LAG

* Don't WARN_ON_ONCE() for a broken discovery table (LP: #2048404)
    - perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table

* Reject connection when malformed L2CAP signal packet is received
    (LP: #2047634)
    - Bluetooth: L2CAP: Send reject on command corrupted request

* Jammy update: v5.15.142 upstream stable release (LP: #2050849)
    - pinctrl: avoid reload of p state in list iteration
    - firewire: core: fix possible memory leak in create_units()
    - mmc: cqhci: Increase recovery halt timeout
    - mmc: cqhci: Warn of halt or task clear failure
    - mmc: cqhci: Fix task clearing in CQE error recovery
    - mmc: block: Retry commands in CQE error recovery
    - mmc: block: Do not lose cache flush during CQE error recovery
    - mmc: block: Be sure to wait while busy in CQE error recovery
    - ALSA: hda: Disable power-save on KONTRON SinglePC
    - ALSA: hda/realtek: Headset Mic VREF to 100%
    - ALSA: hda/realtek: Add supported ALC257 for ChromeOS
    - dm-verity: align struct dm_verity_fec_io properly
    - dm verity: don't perform FEC for failed readahead IO
    - bcache: revert replacing IS_ERR_OR_NULL with IS_ERR
    - iommu/vt-d: Add MTL to quirk list to skip TE disabling
    - powerpc: Don't clobber f0/vs0 during fp|altivec register save
    - parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes
    - btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod()
    - btrfs: fix off-by-one when checking chunk map includes logical address
    - btrfs: send: ensure send_fd is writable
    - btrfs: make error messages more clear when getting a chunk map
    - Input: xpad - add HyperX Clutch Gladiate Support
    - vlan: introduce vlan_dev_free_egress_priority
    - vlan: move dev_put into vlan_dev_uninit
    - rcu: Avoid tracing a few functions executed in stop machine
    - hv_netvsc: fix race of netvsc and VF register_netdevice
    - USB: core: Change configuration warnings to notices
    - usb: config: fix iteration issue in 'usb_get_bos_descriptor()'
    - dpaa2-eth: increase the needed headroom to account for alignment
    - uapi: propagate __struct_group() attributes to the container union
    - selftests/net: ipsec: fix constant out of range
    - octeontx2-af: Fix possible buffer overflow
    - net: stmmac: xgmac: Disable FPE MMC interrupts
    - octeontx2-pf: Fix adding mbox work queue entry when num_vfs > 64
    - Revert "workqueue: remove unused cancel_work()"
    - r8169: prevent potential deadlock in rtl8169_close
    - ravb: Fix races between ravb_tx_timeout_work() and net related ops
    - net: ravb: Check return value of reset_control_deassert()
    - net: ravb: Use pm_runtime_resume_and_get()
    - net: ravb: Start TX queues after HW initialization succeeded
    - net: ravb: Stop DMA in case of failures on ravb_open()
    - perf intel-pt: Fix async branch flags
    - selftests/resctrl: Add missing SPDX license to Makefile
    - selftests/resctrl: Move _GNU_SOURCE define into Makefile
    - smb3: fix touch -h of symlink
    - ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header
    - ASoC: SOF: sof-pci-dev: use community key on all Up boards
    - ASoC: SOF: sof-pci-dev: add parameter to override topology filename
    - ASoC: SOF: sof-pci-dev: don't use the community key on APL Chromebooks
    - ASoC: SOF: sof-pci-dev: Fix community key quirk detection
    - fbdev: stifb: Make the STI next font pointer a 32-bit signed offset
    - fs: add ctime accessors infrastructure
    - smb3: fix caching of ctime on setxattr
    - cpufreq: imx6q: don't warn for disabling a non-existing frequency
    - cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily
    - iommu/vt-d: Omit devTLB invalidation requests when TES=0
    - iommu/vt-d: Make context clearing consistent with context mapping
    - mmc: core: add helpers mmc_regulator_enable/disable_vqmmc
    - mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled
    - r8169: disable ASPM in case of tx timeout
    - r8169: fix deadlock on RTL8125 in jumbo mtu mode
    - iomap: update ki_pos a little later in iomap_dio_complete
    - Linux 5.15.142

* Jammy update: v5.15.141 upstream stable release (LP: #2050044)
    - afs: Fix afs_server_list to be cleaned up with RCU
    - afs: Make error on cell lookup failure consistent with OpenAFS
    - drm/panel: boe-tv101wum-nl6: Fine tune the panel power sequence
    - drm/panel: auo,b101uan08.3: Fine tune the panel power sequence
    - drm/panel: simple: Fix Innolux G101ICE-L01 bus flags
    - drm/panel: simple: Fix Innolux G101ICE-L01 timings
    - wireguard: use DEV_STATS_INC()
    - octeontx2-pf: Fix memory leak during interface down
    - ata: pata_isapnp: Add missing error check for devm_ioport_map()
    - drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full
    - HID: core: store the unique system identifier in hid_device
    - HID: fix HID device resource race between HID core and debugging support
    - ipv4: Correct/silence an endian warning in __ip_do_redirect
    - net: usb: ax88179_178a: fix failed operations during ax88179_reset
    - net/smc: avoid data corruption caused by decline
    - arm/xen: fix xen_vcpu_info allocation alignment
    - octeontx2-pf: Fix ntuple rule creation to direct packet to VF with higher Rx
      queue than its PF
    - amd-xgbe: handle corner-case during sfp hotplug
    - amd-xgbe: handle the corner-case during tx completion
    - amd-xgbe: propagate the correct speed and duplex status
    - net: axienet: Fix check for partial TX checksum
    - afs: Return ENOENT if no cell DNS record can be found
    - afs: Fix file locking on R/O volumes to operate in local mode
    - nvmet: nul-terminate the NQNs passed in the connect command
    - USB: dwc3: qcom: fix resource leaks on probe deferral
    - USB: dwc3: qcom: fix ACPI platform device leak
    - lockdep: Fix block chain corruption
    - MIPS: KVM: Fix a build warning about variable set but not used
    - media: camss: Replace hard coded value with parameter
    - media: camss: sm8250: Virtual channels for CSID
    - media: qcom: camss: Fix set CSI2_RX_CFG1_VC_MODE when VC is greater than 3
    - media: qcom: camss: Fix csid-gen2 for test pattern generator
    - ext4: add a new helper to check if es must be kept
    - ext4: factor out __es_alloc_extent() and __es_free_extent()
    - ext4: use pre-allocated es in __es_insert_extent()
    - ext4: use pre-allocated es in __es_remove_extent()
    - ext4: using nofail preallocation in ext4_es_remove_extent()
    - ext4: using nofail preallocation in ext4_es_insert_delayed_block()
    - ext4: using nofail preallocation in ext4_es_insert_extent()
    - ext4: fix slab-use-after-free in ext4_es_insert_extent()
    - ext4: make sure allocate pending entry not fail
    - proc: sysctl: prevent aliased sysctls from getting passed to init
    - ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA
    - swiotlb-xen: provide the "max_mapping_size" method
    - bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in
      btree_gc_coalesce()
    - md: fix bi_status reporting in md_end_clone_io
    - bcache: fixup multi-threaded bch_sectors_dirty_init() wake-up race
    - io_uring/fs: consider link->flags when getting path for LINKAT
    - s390/dasd: protect device queue against concurrent access
    - USB: serial: option: add Luat Air72*U series products
    - hv_netvsc: Fix race of register_netdevice_notifier and VF register
    - hv_netvsc: Mark VF as slave before exposing it to user-mode
    - dm-delay: fix a race between delay_presuspend and delay_bio
    - bcache: check return value from btree_node_alloc_replacement()
    - bcache: prevent potential division by zero error
    - bcache: fixup init dirty data errors
    - bcache: fixup lock c->root error
    - usb: cdnsp: Fix deadlock issue during using NCM gadget
    - USB: serial: option: add Fibocom L7xx modules
    - USB: serial: option: fix FM101R-GL defines
    - USB: serial: option: don't claim interface 4 for ZTE MF290
    - usb: typec: tcpm: Skip hard reset when in error recovery
    - USB: dwc2: write HCINT with INTMASK applied
    - usb: dwc3: Fix default mode initialization
    - usb: dwc3: set the dma max_seg_size
    - USB: dwc3: qcom: fix software node leak on probe errors
    - USB: dwc3: qcom: fix wakeup after probe deferral
    - io_uring: fix off-by one bvec index
    - Linux 5.15.141

* Jammy update: v5.15.140 upstream stable release (LP: #2050038)
    - locking/ww_mutex/test: Fix potential workqueue corruption
    - perf/core: Bail out early if the request AUX area is out of bound
    - clocksource/drivers/timer-imx-gpt: Fix potential memory leak
    - clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
    - workqueue: Provide one lock class key per work_on_cpu() callsite
    - x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
    - wifi: mac80211_hwsim: fix clang-specific fortify warning
    - wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
    - atl1c: Work around the DMA RX overflow issue
    - bpf: Detect IP == ksym.end as part of BPF program
    - wifi: ath9k: fix clang-specific fortify warnings
    - wifi: ath10k: fix clang-specific fortify warning
    - net: annotate data-races around sk->sk_tx_queue_mapping
    - net: annotate data-races around sk->sk_dst_pending_confirm
    - wifi: ath10k: Don't touch the CE interrupt registers after power up
    - Bluetooth: btusb: Add date->evt_skb is NULL check
    - Bluetooth: Fix double free in hci_conn_cleanup
    - platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
    - drm/komeda: drop all currently held locks if deadlock happens
    - drm/amdkfd: Fix a race condition of vram buffer unref in svm code
    - drm/amd/display: use full update for clip size increase of large plane
      source
    - string.h: add array-wrappers for (v)memdup_user()
    - kernel: kexec: copy user-array safely
    - kernel: watch_queue: copy user-array safely
    - drm: vmwgfx_surface.c: copy user-array safely
    - drm/msm/dp: skip validity check for DP CTS EDID checksum
    - drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
    - drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
    - drm/amdgpu: Fix potential null pointer derefernce
    - drm/panel: fix a possible null pointer dereference
    - drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference
    - drm/amdgpu/vkms: fix a possible null pointer dereference
    - drm/panel: st7703: Pick different reset sequence
    - drm/amdkfd: Fix shift out-of-bounds issue
    - drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
    - arm64: dts: ls208xa: use a pseudo-bus to constrain usb dma size
    - selftests/efivarfs: create-read: fix a resource leak
    - ASoC: soc-card: Add storage for PCI SSID
    - crypto: pcrypt - Fix hungtask for PADATA_RESET
    - RDMA/hfi1: Use FIELD_GET() to extract Link Width
    - scsi: hisi_sas: Set debugfs_dir pointer to NULL after removing debugfs
    - scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool
    - fs/jfs: Add check for negative db_l2nbperpage
    - fs/jfs: Add validity check for db_maxag and db_agpref
    - jfs: fix array-index-out-of-bounds in dbFindLeaf
    - jfs: fix array-index-out-of-bounds in diAlloc
    - HID: lenovo: Detect quirk-free fw on cptkbd and stop applying workaround
    - ARM: 9320/1: fix stack depot IRQ stack filter
    - ALSA: hda: Fix possible null-ptr-deref when assigning a stream
    - PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields
    - atm: iphase: Do PCI error checks on own line
    - scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()
    - PCI: Use FIELD_GET() to extract Link Width
    - PCI: Extract ATS disabling to a helper function
    - PCI: Disable ATS for specific Intel IPU E2000 devices
    - misc: pci_endpoint_test: Add Device ID for R-Car S4-8 PCIe controller
    - PCI: Use FIELD_GET() in Sapphire RX 5600 XT Pulse quirk
    - HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
    - exfat: support handle zero-size directory
    - tty: vcc: Add check for kstrdup() in vcc_probe()
    - usb: gadget: f_ncm: Always set current gadget in ncm_bind()
    - 9p/trans_fd: Annotate data-racy writes to file::f_flags
    - 9p: v9fs_listxattr: fix %s null argument warning
    - i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler
    - i2c: sun6i-p2wi: Prevent potential division by zero
    - virtio-blk: fix implicit overflow on virtio_max_dma_size
    - i3c: master: mipi-i3c-hci: Fix a kernel panic for accessing DAT_data.
    - media: gspca: cpia1: shift-out-of-bounds in set_flicker
    - media: vivid: avoid integer overflow
    - gfs2: ignore negated quota changes
    - gfs2: fix an oops in gfs2_permission
    - media: cobalt: Use FIELD_GET() to extract Link Width
    - media: ccs: Fix driver quirk struct documentation
    - media: imon: fix access to invalid resource for the second interface
    - drm/amd/display: Avoid NULL dereference of timing generator
    - kgdb: Flush console before entering kgdb on panic
    - i2c: dev: copy userspace array safely
    - ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings
    - drm/qxl: prevent memory leak
    - drm/amdgpu: fix software pci_unplug on some chips
    - pwm: Fix double shift bug
    - wifi: iwlwifi: Use FW rate for non-data frames
    - tracing: Reuse logic from perf's get_recursion_context()
    - tracing/perf: Add interrupt_context_level() helper
    - sched/core: Optimize in_task() and in_interrupt() a bit
    - media: cadence: csi2rx: Unregister v4l2 async notifier
    - media: cec: meson: always include meson sub-directory in Makefile
    - SUNRPC: ECONNRESET might require a rebind
    - SUNRPC: Add an IS_ERR() check back to where it was
    - NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
    - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
    - gfs2: Silence "suspicious RCU usage in gfs2_permission" warning
    - mptcp: diag: switch to context structure
    - mptcp: listen diag dump support
    - net: inet: Remove count from inet_listen_hashbucket
    - net: inet: Open code inet_hash2 and inet_unhash2
    - net: inet: Retire port only listening_hash
    - net: set SOCK_RCU_FREE before inserting socket into hashtable
    - ipvlan: add ipvlan_route_v6_outbound() helper
    - tty: Fix uninit-value access in ppp_sync_receive()
    - net: hns3: fix add VLAN fail issue
    - net: hns3: refine the definition for struct hclge_pf_to_vf_msg
    - net: hns3: add byte order conversion for PF to VF mailbox message
    - net: hns3: add barrier in vf mailbox reply process
    - net: hns3: fix incorrect capability bit display for copper port
    - net: hns3: fix variable may not initialized problem in hns3_init_mac_addr()
    - net: hns3: fix VF reset fail issue
    - net: hns3: fix VF wrong speed and duplex issue
    - tipc: Fix kernel-infoleak due to uninitialized TLV value
    - ppp: limit MRU to 64K
    - xen/events: fix delayed eoi list handling
    - ptp: annotate data-race around q->head and q->tail
    - bonding: stop the device in bond_setup_by_slave()
    - net: ethernet: cortina: Fix max RX frame define
    - net: ethernet: cortina: Handle large frames
    - net: ethernet: cortina: Fix MTU max setting
    - af_unix: fix use-after-free in unix_stream_read_actor()
    - netfilter: nf_conntrack_bridge: initialize err to 0
    - netfilter: nf_tables: use the correct get/put helpers
    - netfilter: nf_tables: add and use BE register load-store helpers
    - netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
    - net: stmmac: fix rx budget limit check
    - net/mlx5e: Remove incorrect addition of action fwd flag
    - net/mlx5e: Move mod hdr allocation to a single place
    - net/mlx5e: Refactor mod header management API
    - net/mlx5e: Fix pedit endianness
    - net/mlx5e: Reduce the size of icosq_str
    - net/mlx5e: Check return value of snprintf writing to fw_version buffer for
      representors
    - macvlan: Don't propagate promisc change to lower dev in passthru
    - tools/power/turbostat: Fix a knl bug
    - tools/power/turbostat: Enable the C-state Pre-wake printing
    - cifs: spnego: add ';' in HOST_KEY_LEN
    - cifs: fix check of rc in function generate_smb3signingkey
    - xfs: refactor buffer cancellation table allocation
    - xfs: don't leak xfs_buf_cancel structures when recovery fails
    - xfs: convert buf_cancel_table allocation to kmalloc_array
    - xfs: use invalidate_lock to check the state of mmap_lock
    - xfs: prevent a UAF when log IO errors race with unmount
    - xfs: flush inode gc workqueue before clearing agi bucket
    - xfs: fix use-after-free in xattr node block inactivation
    - xfs: don't leak memory when attr fork loading fails
    - xfs: fix intermittent hang during quotacheck
    - xfs: add missing cmap->br_state = XFS_EXT_NORM update
    - xfs: Fix false ENOSPC when performing direct write on a delalloc extent in
      cow fork
    - xfs: fix inode reservation space for removing transaction
    - xfs: avoid a UAF when log intent item recovery fails
    - xfs: fix exception caused by unexpected illegal bestcount in leaf dir
    - xfs: fix memory leak in xfs_errortag_init
    - xfs: Fix unreferenced object reported by kmemleak in xfs_sysfs_init()
    - i915/perf: Fix NULL deref bugs with drm_dbg() calls
    - media: venus: hfi: add checks to perform sanity on queue pointers
    - powerpc/perf: Fix disabling BHRB and instruction sampling
    - randstruct: Fix gcc-plugin performance mode to stay in group
    - bpf: Fix check_stack_write_fixed_off() to correctly spill imm
    - bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
    - scsi: mpt3sas: Fix loop logic
    - scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for
      selected registers
    - scsi: qla2xxx: Fix system crash due to bad pointer access
    - crypto: x86/sha - load modules based on CPU features
    - x86/cpu/hygon: Fix the CPU topology evaluation for real
    - KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space
    - KVM: x86: Ignore MSR_AMD64_TW_CFG access
    - audit: don't take task_lock() in audit_exe_compare() code path
    - audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
    - tty/sysrq: replace smp_processor_id() with get_cpu()
    - hvc/xen: fix console unplug
    - hvc/xen: fix error path in xen_hvc_init() to always register frontend driver
    - hvc/xen: fix event channel handling for secondary consoles
    - PCI/sysfs: Protect driver's D3cold preference from user space
    - watchdog: move softlockup_panic back to early_param
    - ACPI: resource: Do IRQ override on TongFang GMxXGxx
    - arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer
    - parisc/pdc: Add width field to struct pdc_model
    - clk: socfpga: Fix undefined behavior bug in struct stratix10_clock_data
    - clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks
    - clk: qcom: ipq6018: drop the CLK_SET_RATE_PARENT flag from PLL clocks
    - mmc: vub300: fix an error code
    - mmc: sdhci_am654: fix start loop index for TAP value parsing
    - PCI/ASPM: Fix L1 substate handling in aspm_attr_store_common()
    - PCI: exynos: Don't discard .remove() callback
    - wifi: wilc1000: use vmm_table as array in wilc struct
    - svcrdma: Drop connection after an RDMA Read error
    - rcu/tree: Defer setting of jiffies during stall reset
    - arm64: dts: qcom: ipq6018: Fix hwlock index for SMEM
    - PM: hibernate: Use __get_safe_page() rather than touching the list
    - PM: hibernate: Clean up sync_read handling in snapshot_write_next()
    - rcu: kmemleak: Ignore kmemleak false positives when RCU-freeing objects
    - btrfs: don't arbitrarily slow down delalloc if we're committing
    - firmware: qcom_scm: use 64-bit calling convention only when client is 64-bit
    - ACPI: FPDT: properly handle invalid FPDT subtables
    - ima: annotate iint mutex to avoid lockdep false positive warnings
    - ima: detect changes to the backing overlay file
    - wifi: ath11k: fix temperature event locking
    - wifi: ath11k: fix dfs radar event locking
    - wifi: ath11k: fix htt pktlog locking
    - mmc: meson-gx: Remove setting of CMD_CFG_ERROR
    - genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
    - KEYS: trusted: Rollback init_trusted() consistently
    - PCI: keystone: Don't discard .remove() callback
    - PCI: keystone: Don't discard .probe() callback
    - netfilter: nf_tables: split async and sync catchall in two functions
    - selftests/resctrl: Remove duplicate feature check from CMT test
    - selftests/resctrl: Reduce failures due to outliers in MBA/MBM tests
    - ASoC: codecs: wsa-macro: fix uninitialized stack variables with name prefix
    - jbd2: fix potential data lost in recovering journal raced with synchronizing
      fs bdev
    - quota: explicitly forbid quota files from being encrypted
    - kernel/reboot: emergency_restart: Set correct system_state
    - i2c: core: Run atomic i2c xfer when !preemptible
    - tracing: Have the user copy of synthetic event address use correct context
    - mcb: fix error handling for different scenarios when parsing
    - dmaengine: stm32-mdma: correct desc prep when channel running
    - s390/cmma: fix detection of DAT pages
    - mm/cma: use nth_page() in place of direct struct page manipulation
    - mm/memory_hotplug: use pfn math in place of direct struct page manipulation
    - mtd: cfi_cmdset_0001: Byte swap OTP info
    - i3c: master: cdns: Fix reading status register
    - i3c: master: svc: fix race condition in ibi work thread
    - i3c: master: svc: fix wrong data return when IBI happen during start frame
    - i3c: master: svc: fix ibi may not return mandatory data byte
    - i3c: master: svc: fix check wrong status register in irq handler
    - i3c: master: svc: fix SDA keep low when polling IBIWON timeout happen
    - parisc: Prevent booting 64-bit kernels on PA1.x machines
    - parisc/pgtable: Do not drop upper 5 address bits of physical address
    - xhci: Enable RPM on controllers that support low-power states
    - ALSA: info: Fix potential deadlock at disconnection
    - ALSA: hda/realtek - Add Dell ALC295 to pin fall back table
    - ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC
    - serial: meson: Use platform_get_irq() to get the interrupt
    - tty: serial: meson: fix hard LOCKUP on crtscts mode
    - regmap: Ensure range selector registers are updated after cache sync
    - cpufreq: stats: Fix buffer overflow detection in trans_stats()
    - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559
    - bluetooth: Add device 0bda:887b to device tables
    - bluetooth: Add device 13d3:3571 to device tables
    - Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables
    - Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE
    - ksmbd: fix slab out of bounds write in smb_inherit_dacl()
    - arm64: dts: qcom: ipq6018: switch TCSR mutex to MMIO
    - arm64: dts: qcom: ipq6018: Fix tcsr_mutex register size
    - powerpc/pseries/ddw: simplify enable_ddw()
    - Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
    - Revert "i2c: pxa: move to generic GPIO recovery"
    - lsm: fix default return value for vm_enough_memory
    - lsm: fix default return value for inode_getsecctx
    - sbsa_gwdt: Calculate timeout with 64-bit math
    - i2c: designware: Disable TX_EMPTY irq while waiting for block length byte
    - s390/ap: fix AP bus crash on early config change callback invocation
    - net: ethtool: Fix documentation of ethtool_sprintf()
    - net: dsa: lan9303: consequently nested-lock physical MDIO
    - net: phylink: initialize carrier state at creation
    - i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
    - f2fs: avoid format-overflow warning
    - media: lirc: drop trailing space from scancode transmit
    - media: sharp: fix sharp encoding
    - media: venus: hfi_parser: Add check to keep the number of codecs within
      range
    - media: venus: hfi: fix the check to handle session buffer requirement
    - media: venus: hfi: add checks to handle capabilities from firmware
    - media: ccs: Correctly initialise try compose rectangle
    - nfsd: fix file memleak on client_opens_release
    - riscv: kprobes: allow writing to x0
    - mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2
    - mm: kmem: drop __GFP_NOFAIL when allocating objcg vectors
    - r8169: fix network lost after resume on DASH systems
    - mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of AER
    - media: qcom: camss: Fix pm_domain_on sequence in probe
    - media: qcom: camss: Fix vfe_get() error jump
    - media: qcom: camss: Fix VFE-17x vfe_disable_output()
    - media: qcom: camss: Fix missing vfe_lite clocks check
    - ext4: apply umask if ACL support is disabled
    - ext4: correct offset of gdb backup in non meta_bg group to update_backups
    - ext4: correct return value of ext4_convert_meta_bg
    - ext4: correct the start block of counting reserved clusters
    - ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
    - ext4: add missed brelse in update_backups
    - drm/amd/pm: Handle non-terminated overdrive commands.
    - drm/i915: Fix potential spectre vulnerability
    - drm/amdgpu: don't use ATRM for external devices
    - drm/amdgpu: fix error handling in amdgpu_bo_list_get()
    - drm/amd/display: Change the DMCUB mailbox memory location from FB to inbox
    - powerpc/powernv: Fix fortify source warnings in opal-prd.c
    - tracing: Have trace_event_file have ref counters
    - Input: xpad - add VID for Turtle Beach controllers
    - driver core: Release all resources during unbind before updating device
      links
    - Linux 5.15.140

* CVE-2023-46862
    - io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid

* Jammy update: v5.15.139 upstream stable release (LP: #2049432)
    - iov_iter, x86: Be consistent about the __user tag on copy_mc_to_user()
    - sched/uclamp: Ignore (util == 0) optimization in feec() when p_util_max = 0
    - sched: Fix stop_one_cpu_nowait() vs hotplug
    - vfs: fix readahead(2) on block devices
    - writeback, cgroup: switch inodes with dirty timestamps to release dying
      cgwbs
    - x86/srso: Fix SBPB enablement for (possible) future fixed HW
    - futex: Don't include process MM in futex key on no-MMU
    - x86: Share definition of __is_canonical_address()
    - x86/sev-es: Allow copy_from_kernel_nofault() in earlier boot
    - x86/boot: Fix incorrect startup_gdt_descr.size
    - pstore/platform: Add check for kstrdup
    - genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
    - i40e: fix potential memory leaks in i40e_remove()
    - selftests/bpf: Test tail call counting with bpf2bpf and data on stack
    - selftests/bpf: Correct map_fd to data_fd in tailcalls
    - udp: add missing WRITE_ONCE() around up->encap_rcv
    - tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed
    - gve: Use size_add() in call to struct_size()
    - mlxsw: Use size_mul() in call to struct_size()
    - tipc: Use size_add() in calls to struct_size()
    - net: spider_net: Use size_add() in call to struct_size()
    - wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
    - wifi: mt76: mt7603: rework/fix rx pse hang check
    - mt76: dma: use kzalloc instead of devm_kzalloc for txwi
    - mt76: add support for overriding the device used for DMA mapping
    - mt76: pass original queue id from __mt76_tx_queue_skb to the driver
    - wifi: mt76: mt7603: improve stuck beacon handling
    - tcp_metrics: add missing barriers on delete
    - tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
    - tcp_metrics: do not create an entry from tcp_init_metrics()
    - wifi: rtlwifi: fix EDCA limit set by BT coexistence
    - can: dev: can_restart(): don't crash kernel if carrier is OK
    - can: dev: can_restart(): fix race condition between controller restart and
      netif_carrier_on()
    - can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is
      accessed out of bounds
    - PM / devfreq: rockchip-dfi: Make pmu regmap mandatory
    - netfilter: nf_tables: Drop pointless memset when dumping rules
    - thermal: core: prevent potential string overflow
    - r8169: use tp_to_dev instead of open code
    - r8169: fix rare issue with broken rx after link-down on RTL8125
    - chtls: fix tp->rcv_tstamp initialization
    - tcp: fix cookie_init_timestamp() overflows
    - iwlwifi: pcie: adjust to Bz completion descriptor
    - wifi: iwlwifi: call napi_synchronize() before freeing rx/tx queues
    - wifi: iwlwifi: pcie: synchronize IRQs before NAPI
    - wifi: iwlwifi: empty overflow queue during flush
    - ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
    - ipv6: avoid atomic fragment on GSO packets
    - net: add DEV_STATS_READ() helper
    - ipvlan: properly track tx_errors
    - regmap: debugfs: Fix a erroneous check after snprintf()
    - spi: tegra: Fix missing IRQ check in tegra_slink_probe()
    - clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
    - clk: qcom: mmcc-msm8998: Don't check halt bit on some branch clks
    - clk: qcom: mmcc-msm8998: Fix the SMMU GDSC
    - clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src
    - clk: imx: Select MXC_CLK for CLK_IMX8QXP
    - clk: imx: imx8mq: correct error handling path
    - clk: imx: imx8qxp: Fix elcdif_pll clock
    - clk: renesas: rzg2l: Simplify multiplication/shift logic
    - clk: renesas: rzg2l: Use FIELD_GET() for PLL register fields
    - clk: renesas: rzg2l: Fix computation formula
    - spi: nxp-fspi: use the correct ioremap function
    - clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
    - clk: ti: Add ti_dt_clk_name() helper to use clock-output-names
    - clk: ti: Update pll and clockdomain clocks to use ti_dt_clk_name()
    - clk: ti: Update component clocks to use ti_dt_clk_name()
    - clk: ti: change ti_clk_register[_omap_hw]() API
    - clk: ti: fix double free in of_ti_divider_clk_setup()
    - clk: npcm7xx: Fix incorrect kfree
    - clk: mediatek: clk-mt6765: Add check for mtk_alloc_clk_data
    - clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data
    - clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
    - clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data
    - clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data
    - clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
    - clk: qcom: config IPQ_APSS_6018 should depend on QCOM_SMEM
    - platform/x86: wmi: Fix probe failure when failing to register WMI devices
    - platform/x86: wmi: remove unnecessary initializations
    - platform/x86: wmi: Fix opening of char device
    - hwmon: (axi-fan-control) Fix possible NULL pointer dereference
    - hwmon: (coretemp) Fix potentially truncated sysfs attribute name
    - drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
    - drm/rockchip: vop: Fix call to crtc reset helper
    - drm/radeon: possible buffer overflow
    - drm/mipi-dsi: Create devm device registration
    - drm/mipi-dsi: Create devm device attachment
    - drm/bridge: lt8912b: Switch to devm MIPI-DSI helpers
    - drm/bridge: lt8912b: Register and attach our DSI device at probe
    - drm/bridge: lt8912b: Add hot plug detection
    - drm/bridge: lt8912b: Fix bridge_detach
    - drm/bridge: lt8912b: Fix crash on bridge detach
    - drm/bridge: lt8912b: Manually disable HPD only if it was enabled
    - drm/bridge: lt8912b: Add missing drm_bridge_attach call
    - drm/bridge: tc358768: Fix use of uninitialized variable
    - drm/bridge: tc358768: Disable non-continuous clock mode
    - drm/bridge: tc358768: Fix bit updates
    - drm/amdkfd: fix some race conditions in vram buffer alloc/free of svm code
    - drm/mediatek: Fix iommu fault by swapping FBs after updating plane state
    - drm/mediatek: Fix iommu fault during crtc enabling
    - drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
    - arm64/arm: xen: enlighten: Fix KPTI checks
    - drm/rockchip: Fix type promotion bug in rockchip_gem_iommu_map()
    - xen-pciback: Consider INTx disabled when MSI/MSI-X is enabled
    - drm/msm/dsi: use msm_gem_kernel_put to free TX buffer
    - drm: mediatek: mtk_dsi: Fix NO_EOT_PACKET settings/handling
    - perf: hisi: Fix use-after-free when register pmu fails
    - ARM: dts: renesas: blanche: Fix typo in GP_11_2 pin name
    - arm64: dts: qcom: msm8916: Fix iommu local address range
    - arm64: dts: qcom: msm8992-libra: drop duplicated reserved memory
    - arm64: dts: qcom: sc7280: Add missing LMH interrupts
    - arm64: dts: qcom: sdm845-mtp: fix WiFi configuration
    - ARM64: dts: marvell: cn9310: Use appropriate label for spi1 pins
    - arm64: dts: qcom: apq8016-sbc: Add missing ADV7533 regulators
    - ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
    - soc: qcom: llcc: Handle a second device without data corruption
    - firmware: ti_sci: Mark driver as non removable
    - firmware: arm_ffa: Assign the missing IDR allocation ID to the FFA device
    - clk: scmi: Free scmi_clk allocated when the clocks with invalid info are
      skipped
    - arm64: dts: imx8qm-ss-img: Fix jpegenc compatible entry
    - arm64: dts: imx8mm: Add sound-dai-cells to micfil node
    - arm64: dts: imx8mn: Add sound-dai-cells to micfil node
    - selftests/pidfd: Fix ksft print formats
    - selftests/resctrl: Ensure the benchmark commands fits to its array
    - crypto: hisilicon/hpre - Fix a erroneous check after snprintf()
    - hwrng: geode - fix accessing registers
    - RDMA/core: Use size_{add,sub,mul}() in calls to struct_size()
    - scsi: ibmvfc: Fix erroneous use of rtas_busy_delay with hcall return code
    - libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return
      value
    - nd_btt: Make BTT lanes preemptible
    - crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure
    - crypto: caam/jr - fix Chacha20 + Poly1305 self test failure
    - crypto: qat - increase size of buffers
    - hid: cp2112: Fix duplicate workqueue initialization
    - ARM: 9321/1: memset: cast the constant byte to unsigned char
    - ext4: move 'ix' sanity check to corrent position
    - ASoC: fsl: mpc5200_dma.c: Fix warning of Function parameter or member not
      described
    - IB/mlx5: Fix rdma counter binding for RAW QP
    - RDMA/hns: Fix uninitialized ucmd in hns_roce_create_qp_common()
    - RDMA/hns: Fix signed-unsigned mixed comparisons
    - RDMA/hns: The UD mode can only be configured with DCQCN
    - ASoC: fsl: Fix PM disable depth imbalance in fsl_easrc_probe
    - scsi: ufs: core: Leave space for '\0' in utf8 desc string
    - RDMA/hfi1: Workaround truncation compilation error
    - hid: cp2112: Fix IRQ shutdown stopping polling for all IRQs on chip
    - sh: bios: Revive earlyprintk support
    - Revert "HID: logitech-hidpp: add a module parameter to keep firmware
      gestures"
    - HID: logitech-hidpp: Remove HIDPP_QUIRK_NO_HIDINPUT quirk
    - HID: logitech-hidpp: Don't restart IO, instead defer hid_connect() only
    - HID: logitech-hidpp: Revert "Don't restart communication if not necessary"
    - HID: logitech-hidpp: Move get_wireless_feature_index() check to
      hidpp_connect_event()
    - ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
    - padata: Fix refcnt handling in padata_free_shell()
    - crypto: qat - fix deadlock in backlog processing
    - ASoC: ams-delta.c: use component after check
    - mfd: core: Un-constify mfd_cell.of_reg
    - mfd: core: Ensure disabled devices are skipped without aborting
    - mfd: dln2: Fix double put in dln2_probe
    - mfd: arizona-spi: Set pdata.hpdet_channel for ACPI enumerated devs
    - leds: turris-omnia: Drop unnecessary mutex locking
    - leds: turris-omnia: Do not use SMBUS calls
    - leds: pwm: Don't disable the PWM when the LED should be off
    - leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
    - f2fs: compress: fix to avoid use-after-free on dic
    - f2fs: compress: fix to avoid redundant compress extension
    - tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
    - livepatch: Fix missing newline character in klp_resolve_symbols()
    - dmaengine: idxd: Register dsa_bus_type before registering idxd sub-drivers
    - usb: dwc2: fix possible NULL pointer dereference caused by driver
      concurrency
    - usb: chipidea: Fix DMA overwrite for Tegra
    - usb: chipidea: Simplify Tegra DMA alignment code
    - dmaengine: ti: edma: handle irq_of_parse_and_map() errors
    - misc: st_core: Do not call kfree_skb() under spin_lock_irqsave()
    - tools: iio: iio_generic_buffer ensure alignment
    - USB: usbip: fix stub_dev hub disconnect
    - dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
    - f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
    - powerpc: Only define __parse_fpscr() when required
    - modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host
    - powerpc/40x: Remove stale PTE_ATOMIC_UPDATES macro
    - powerpc/xive: Fix endian conversion size
    - powerpc/imc-pmu: Use the correct spinlock initializer.
    - powerpc/pseries: fix potential memory leak in init_cpu_associativity()
    - usb: host: xhci-plat: fix possible kernel oops while resuming
    - perf machine: Avoid out of bounds LBR memory read
    - perf hist: Add missing puts to hist__account_cycles
    - 9p/net: fix possible memory leak in p9_check_errors()
    - i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs
    - cxl/mem: Fix shutdown order
    - rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call
    - pcmcia: cs: fix possible hung task and memory leak pccardd()
    - pcmcia: ds: fix refcount leak in pcmcia_device_add()
    - pcmcia: ds: fix possible name leak in error path in pcmcia_device_add()
    - media: i2c: max9286: Fix some redundant of_node_put() calls
    - media: bttv: fix use after free error due to btv->timeout timer
    - media: s3c-camif: Avoid inappropriate kfree()
    - media: vidtv: psi: Add check for kstrdup
    - media: vidtv: mux: Add check and kfree for kstrdup
    - media: cedrus: Fix clock/reset sequence
    - media: dvb-usb-v2: af9035: fix missing unlock
    - regmap: prevent noinc writes from clobbering cache
    - pwm: sti: Reduce number of allocations and drop usage of chip_data
    - pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
    - Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
    - llc: verify mac len before reading mac header
    - hsr: Prevent use after free in prp_create_tagged_frame()
    - tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
    - bpf: Check map->usercnt after timer->timer is assigned
    - inet: shrink struct flowi_common
    - octeontx2-pf: Fix error codes
    - octeontx2-pf: Fix holes in error code
    - dccp: Call security_inet_conn_request() after setting IPv4 addresses.
    - dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
    - Fix termination state for idr_for_each_entry_ul()
    - net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs
    - selftests: pmtu.sh: fix result checking
    - net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
    - net/smc: allow cdc msg send rather than drop it with NULL sndbuf_desc
    - net/smc: put sk reference if close work was canceled
    - tg3: power down device only on SYSTEM_POWER_OFF
    - block: remove unneeded return value of bio_check_ro()
    - blk-core: use pr_warn_ratelimited() in bio_check_ro()
    - r8169: respect userspace disabling IFF_MULTICAST
    - i2c: iproc: handle invalid slave state
    - netfilter: xt_recent: fix (increase) ipv6 literal buffer length
    - netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate
      eval call-backs
    - netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
    - drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE
    - ASoC: hdmi-codec: register hpd callback on component probe
    - spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies
    - fbdev: imsttfb: Fix error path of imsttfb_probe()
    - fbdev: imsttfb: fix a resource leak in probe
    - fbdev: fsl-diu-fb: mark wr_reg_wa() static
    - tracing/kprobes: Fix the order of argument descriptions
    - btrfs: use u64 for buffer sizes in the tree search ioctls
    - Linux 5.15.139

* Jammy update: v5.15.138 upstream stable release (LP: #2049417)
    - ASoC: codecs: wcd938x: fix resource leaks on bind errors
    - ASoC: codecs: wcd938x: fix runtime PM imbalance on remove
    - pinctrl: qcom: lpass-lpi: fix concurrent register updates
    - tcp: remove dead code from tcp_sendmsg_locked()
    - tcp: cleanup tcp_remove_empty_skb() use
    - mptcp: more conservative check for zero probes
    - mcb: Return actual parsed size when reading chameleon table
    - mcb-lpc: Reallocate memory region to avoid memory overlapping
    - virtio_balloon: Fix endless deflation and inflation on arm64
    - virtio-mmio: fix memory leak of vm_dev
    - vhost: Allow null msg.size on VHOST_IOTLB_INVALIDATE
    - mm/page_alloc: correct start page when guard page debug is enabled
    - mm/migrate: fix do_pages_move for compat pointers
    - nfsd: lock_rename() needs both directories to live on the same fs
    - drm/i915/pmu: Check if pmu is closed before stopping event
    - vsock/virtio: factor our the code to initialize and delete VQs
    - vsock/virtio: add support for device suspend/resume
    - vsock/virtio: initialize the_virtio_vsock before using VQs
    - drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
    - firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels()
    - r8169: fix the KCSAN reported data-race in rtl_tx() while reading tp->cur_tx
    - r8169: fix the KCSAN reported data-race in rtl_tx while reading
      TxDescArray[entry].opts1
    - r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1
    - i40e: Fix I40E_FLAG_VF_VLAN_PRUNING value
    - treewide: Spelling fix in comment
    - igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
    - neighbour: fix various data-races
    - igc: Fix ambiguity in the ethtool advertising
    - net: ieee802154: adf7242: Fix some potential buffer overflow in
      adf7242_stats_show()
    - net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg
    - r8152: Increase USB control msg timeout to 5000ms as per spec
    - r8152: Run the unload routine if we have errors during probe
    - r8152: Cancel hw_phy_work if we have an error in probe
    - r8152: Release firmware if we have an error in probe
    - tcp: fix wrong RTO timeout when received SACK reneging
    - gtp: uapi: fix GTPA_MAX
    - gtp: fix fragmentation needed check with gso
    - i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
    - kasan: print the original fault addr when access invalid shadow
    - iio: exynos-adc: request second interupt only when touchscreen mode is used
    - iio: adc: xilinx-xadc: Don't clobber preset voltage/temperature thresholds
    - iio: adc: xilinx-xadc: Correct temperature offset/scale for UltraScale
    - i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()
    - i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()
    - i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()
    - i2c: stm32f7: Fix PEC handling in case of SMBUS transfers
    - i2c: aspeed: Fix i2c bus hang in slave read
    - tracing/kprobes: Fix the description of variable length arguments
    - misc: fastrpc: Clean buffers on remote invocation failures
    - nvmem: imx: correct nregs for i.MX6ULL
    - nvmem: imx: correct nregs for i.MX6SLL
    - nvmem: imx: correct nregs for i.MX6UL
    - perf/core: Fix potential NULL deref
    - sparc32: fix a braino in fault handling in csum_and_copy_..._user()
    - clk: Sanitize possible_parent_show to Handle Return Value of
      of_clk_get_parent_name
    - iio: afe: rescale: reorder includes
    - iio: afe: rescale: expose scale processing function
    - iio: afe: rescale: add offset support
    - iio: afe: rescale: Accept only offset channels
    - gve: Fix GFP flags when allocing pages
    - x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility
    - x86/mm: Simplify RESERVE_BRK()
    - x86/mm: Fix RESERVE_BRK() for older binutils
    - ext4: add two helper functions extent_logical_end() and pa_logical_end()
    - ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
    - ext4: avoid overlapping preallocations due to overflow
    - objtool/x86: add missing embedded_insn check
    - driver: platform: Add helper for safer setting of driver_override
    - rpmsg: Constify local variable in field store macro
    - rpmsg: Fix kfree() of static memory on setting driver_override
    - rpmsg: Fix calling device_lock() on non-initialized device
    - rpmsg: glink: Release driver_override
    - rpmsg: Fix possible refcount leak in rpmsg_register_device_override()
    - x86: Fix .brk attribute in linker script
    - ASoC: simple-card: fixup asoc_simple_probe() error handling
    - net: sched: cls_u32: Fix allocation size in u32_init()
    - irqchip/riscv-intc: Mark all INTC nodes as initialized
    - irqchip/stm32-exti: add missing DT IRQ flag translation
    - dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
    - powerpc/85xx: Fix math emulation exception
    - Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
    - fbdev: atyfb: only use ioremap_uc() on i386 and ia64
    - fs/ntfs3: Add ckeck in ni_update_parent()
    - fs/ntfs3: Write immediately updated ntfs state
    - fs/ntfs3: Use kvmalloc instead of kmalloc(... __GFP_NOWARN)
    - fs/ntfs3: Fix possible NULL-ptr-deref in ni_readpage_cmpr()
    - fs/ntfs3: Fix NULL pointer dereference on error in attr_allocate_frame()
    - fs/ntfs3: Fix directory element type detection
    - fs/ntfs3: Avoid possible memory leak
    - spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0
    - netfilter: nfnetlink_log: silence bogus compiler warning
    - ASoC: rt5650: fix the wrong result of key button
    - drm/ttm: Reorder sys manager cleanup step
    - fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
    - scsi: mpt3sas: Fix in error path
    - platform/mellanox: mlxbf-tmfifo: Fix a warning message
    - net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
    - r8152: Check for unplug in rtl_phy_patch_request()
    - r8152: Check for unplug in r8153b_ups_en() / r8153c_ups_en()
    - powerpc/mm: Fix boot crash with FLATMEM
    - can: isotp: set max PDU size to 64 kByte
    - can: isotp: isotp_bind(): return -EINVAL on incorrect CAN ID formatting
    - can: isotp: check CAN address family in isotp_bind()
    - can: isotp: handle wait_event_interruptible() return values
    - can: isotp: add local echo tx processing and tx without FC
    - can: isotp: isotp_bind(): do not validate unused address information
    - can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior
    - drm/amd: Move helper for dynamic speed switch check out of smu13
    - drm/amd: Disable ASPM for VI w/ all Intel systems
    - PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
    - usb: storage: set 1.50 as the lower bcdDevice for older "Super Top"
      compatibility
    - usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()
    - usb: raw-gadget: properly handle interrupted requests
    - tty: n_gsm: fix race condition in status line change on dead connections
    - tty: 8250: Remove UC-257 and UC-431
    - tty: 8250: Add support for additional Brainboxes UC cards
    - tty: 8250: Add support for Brainboxes UP cards
    - tty: 8250: Add support for Intashield IS-100
    - tty: 8250: Fix port count of PX-257
    - tty: 8250: Fix up PX-803/PX-857
    - tty: 8250: Add support for additional Brainboxes PX cards
    - tty: 8250: Add support for Intashield IX cards
    - tty: 8250: Add Brainboxes Oxford Semiconductor-based quirks
    - misc: pci_endpoint_test: Add deviceID for J721S2 PCIe EP device support
    - ALSA: hda: intel-dsp-config: Fix JSL Chromebook quirk detection
    - Linux 5.15.138

* Jammy update: v5.15.137 upstream stable release (LP: #2049350)
    - lib/Kconfig.debug: do not enable DEBUG_PREEMPT by default
    - Documentation: sysctl: align cells in second content column
    - xfs: don't expose internal symlink metadata buffers to the vfs
    - Bluetooth: hci_event: Ignore NULL link key
    - Bluetooth: Reject connection with the device which has same BD_ADDR
    - Bluetooth: Fix a refcnt underflow problem for hci_conn
    - Bluetooth: vhci: Fix race when opening vhci device
    - Bluetooth: hci_event: Fix coding style
    - Bluetooth: avoid memcmp() out of bounds warning
    - ice: fix over-shifted variable
    - ice: reset first in crash dump kernels
    - nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
    - regmap: fix NULL deref on lookup
    - KVM: x86: Mask LVTPC when handling a PMI
    - tcp: check mptcp-level constraints for backlog coalescing
    - fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e()
    - fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea()
    - fs/ntfs3: fix deadlock in mark_as_free_ex
    - netfilter: nft_payload: fix wrong mac header matching
    - drm/i915: Retry gtt fault when out of fence registers
    - ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
    - ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors
    - ASoC: codecs: wcd938x: drop bogus bind error handling
    - ASoC: codecs: wcd938x: fix unbind tear down order
    - qed: fix LL2 RX buffer allocation
    - xfrm: fix a data-race in xfrm_gen_index()
    - xfrm: interface: use DEV_STATS_INC()
    - net: ipv4: fix return value check in esp_remove_trailer
    - net: ipv6: fix return value check in esp_remove_trailer
    - net: rfkill: gpio: prevent value glitch during probe
    - tcp: fix excessive TLP and RACK timeouts from HZ rounding
    - tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
    - tun: prevent negative ifindex
    - ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr
    - net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
    - i40e: prevent crash on probe if hw registers have invalid values
    - net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register()
    - bonding: Return pointer to data after pull on skb
    - net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
    - neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section
    - netfilter: nft_set_rbtree: .deactivate fails if element has expired
    - netfilter: nf_tables: do not remove elements if set backend implements
      .abort
    - netfilter: nf_tables: revert do not remove elements if set backend
      implements .abort
    - net: pktgen: Fix interface flags printing
    - selftests/mm: fix awk usage in charge_reserved_hugetlb.sh and
      hugetlb_reparenting_test.sh that may cause error
    - serial: 8250: omap: Fix imprecise external abort for omap_8250_pm()
    - serial: 8250_omap: Fix errors with no_console_suspend
    - iio: Un-inline iio_buffer_enabled()
    - iio: core: Hide read accesses to iio_dev->currentmode
    - iio: core: introduce iio_device_{claim|release}_buffer_mode() APIs
    - iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data()
    - iio: adc: ad7192: Correct reference voltage
    - perf: Add irq and exception return branch types
    - perf/x86: Move branch classifier
    - perf/x86/lbr: Filter vsyscall addresses
    - drm/atomic-helper: relax unregistered connector check
    - powerpc/32s: Remove capability to disable KUEP at boottime
    - powerpc/32s: Do kuep_lock() and kuep_unlock() in assembly
    - powerpc/47x: Fix 47x syscall return crash
    - mctp: Allow local delivery to the null EID
    - mctp: perform route lookups under a RCU read-side lock
    - nfp: flower: avoid rmmod nfp crash issues
    - ksmbd: not allow to open file if delelete on close bit is set
    - ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
    - fs-writeback: do not requeue a clean inode having skipped pages
    - btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
    - btrfs: initialize start_slot in btrfs_log_prealloc_extents
    - i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
    - overlayfs: set ctime when setting mtime and atime
    - gpio: timberdale: Fix potential deadlock on &tgpio->lock
    - ata: libata-core: Fix compilation warning in ata_dev_config_ncq()
    - ata: libata-eh: Fix compilation warning in ata_eh_link_report()
    - tracing: relax trace_event_eval_update() execution with cond_resched()
    - wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
    - wifi: iwlwifi: Ensure ack flag is properly cleared.
    - HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
    - Bluetooth: btusb: add shutdown function for QCA6174
    - Bluetooth: Avoid redundant authentication
    - Bluetooth: hci_core: Fix build warnings
    - wifi: cfg80211: Fix 6GHz scan configuration
    - wifi: mac80211: allow transmitting EAPOL frames with tainted key
    - wifi: cfg80211: avoid leaking stack data into trace
    - regulator/core: Revert "fix kobject release warning and memory leak in
      regulator_register()"
    - sky2: Make sure there is at least one frag_addr available
    - ipv4/fib: send notify when delete source address routes
    - drm: panel-orientation-quirks: Add quirk for One Mix 2S
    - btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
    - btrfs: error out when COWing block using a stale transaction
    - btrfs: error when COWing block from a root that is being deleted
    - btrfs: error out when reallocating block for defrag using a stale
      transaction
    - HID: multitouch: Add required quirk for Synaptics 0xcd7e device
    - platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
    - net/mlx5: Handle fw tracer change ownership event based on MTRC
    - Bluetooth: hci_event: Fix using memcmp when comparing keys
    - net: introduce a function to check if a netdev name is in use
    - net: move from strlcpy with unused retval to strscpy
    - net: fix ifname in netlink ntf during netns move
    - mtd: rawnand: qcom: Unmap the right resource upon probe failure
    - mtd: rawnand: pl353: Ensure program page operations are successful
    - mtd: rawnand: marvell: Ensure program page operations are successful
    - mtd: rawnand: arasan: Ensure program page operations are successful
    - mtd: spinand: micron: correct bitmask for ecc status
    - mtd: physmap-core: Restore map_rom fallback
    - mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
    - mmc: core: sdio: hold retuning if sdio in 1-bit mode
    - pNFS: Fix a hang in nfs4_evict_inode()
    - NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server
    - ACPI: irq: Fix incorrect return value in acpi_register_gsi()
    - nvme-pci: add BOGUS_NID for Intel 0a54 device
    - nvme-rdma: do not try to stop unallocated queues
    - USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
    - USB: serial: option: add entry for Sierra EM9191 with new firmware
    - USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
    - s390/pci: fix iommu bitmap allocation
    - selftests/ftrace: Add new test case which checks non unique symbol
    - s390/cio: fix a memleak in css_alloc_subchannel
    - platform/surface: platform_profile: Propagate error if profile registration
      fails
    - platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
    - platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events
    - gpio: vf610: set value before the direction to avoid a glitch
    - ASoC: pxa: fix a memory leak in probe()
    - serial: 8250: omap: Move uart_write() inside PM section
    - phy: mapphone-mdm6600: Fix runtime disable on probe
    - phy: mapphone-mdm6600: Fix runtime PM for remove
    - phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
    - Bluetooth: hci_sock: fix slab oob read in create_monitor_event
    - Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
    - xfrm6: fix inet6_dev refcount underflow problem
    - Linux 5.15.137

* CVE-2023-51782
    - net/rose: Fix Use-After-Free in rose_ioctl

* CVE-2023-51779
    - Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg

* CVE-2023-22995
    - usb: dwc3: dwc3-qcom: Add missing platform_device_put() in
      dwc3_qcom_acpi_register_core

* CVE-2023-4134
    - Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync()

* Packaging resync (LP: #1786013)
    - [Packaging] update annotations scripts

-- Stefan Bader <stefan.bader@canonical.com>  Fri, 02 Feb 2024 14:05:20 +0100

Changed in linux (Ubuntu Jammy):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Jammy update: v5.15.140 upstream stable release

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package