Ubuntu
linux package

kvm: Running perf against qemu processes results in page fault inside guest

Bug #2054218 reported by Matthew Ruffell on 2024-02-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Unassigned
	Mantic	Fix Released	Medium	Matthew Ruffell

Bug Description

BugLink: https://bugs.launchpad.net/bugs/2054218

[Impact]

Running perf against a QEMU/kvm process results in the guest suffering a page fault in trying to store Precise Event Based Sampling (PEBS) records for the host. This affects both using perf against a single process, in which it crashes the targeted guest, or using perf system wide, in which it crashes all running guests on the system.

The issue was introduced in 6.0 by:

commit c59a1f106f5cd4843c097069ff1bb2ad72103a67
Author: Like Xu <email address hidden>
Date: Mon Apr 11 18:19:36 2022 +0800
Subject: KVM: x86/pmu: Add IA32_PEBS_ENABLE MSR emulation for extended PEBS
Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c59a1f106f5cd4843c097069ff1bb2ad72103a67

This affects all 6.2 and 6.5 kernels. There is no known workaround, apart from not using perf on affected systems.

[Fix]

The issue was fixed in 6.7 by:

commit 971079464001c6856186ca137778e534d983174a
Author: Paolo Bonzini <email address hidden>
Date: Thu Jan 4 16:15:17 2024 +0100
Subject: KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL
Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=971079464001c6856186ca137778e534d983174a

This reinstates the logic for setting MSR_CORE_PERF_GLOBAL_CTRL to what it was before "KVM: x86/pmu: Add IA32_PEBS_ENABLE MSR emulation for extended PEBS".

- .guest = intel_ctrl & (~cpuc->intel_ctrl_host_mask | ~pebs_mask),
+ .guest = intel_ctrl & ~cpuc->intel_ctrl_host_mask & ~pebs_mask,

The faulty logic includes any bit that isn't both marked as exclude_guest and using PEBS, while it should really be excluding PEBS from the host.

[Testcase]

Start a bare metal server. Enable KVM, start a few VMs. The VMs can be idle, they don't require any workload.

$ sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils uvtool
$ sudo reboot
$ ssh-keygen
$ uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily release=jammy arch=amd64
$ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-a release=jammy arch=amd64
$ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-b release=jammy arch=amd64
$ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-c release=jammy arch=amd64
$ virsh list
Id Name State
-------------------------
2 jammy-a running
3 jammy-b running
4 jammy-c running
$ uvt-kvm ssh jammy-a
Check it works.
$ ps aux | grep qemu
Find the pid of jammy-a
$ perf top -p $PID
$ virsh console jammy-a
Escape character is ^] (Ctrl + ])
[ 357.793039] BUG: unable to handle page fault for address: fffffe49178c6028
$ uvt-kvm ssh jammy-a
(no response)

Test packages are available in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf379502-test

If you install it, then running perf against the PID of qemu processes will no longer crash the guest, and they will be accessible by SSH afterward.

[Where problems could occur]

We are rearranging the logic of setting the PEBS MSRs, which affects processor sampling of events. This will affect any profiling tools running against KVM based virtual machines, namely perf against QEMU.

If a regression were to occur, running perf against a VM could cause it to page fault and subsequently crash, resulting in downtime.

The only workaround will be to disable all profiling tools until a fix is available.

See original description

Tags:

CVE References

Matthew Ruffell (mruffell) on 2024-02-18

Changed in linux (Ubuntu Mantic):
status:	New → In Progress
Changed in linux (Ubuntu):
status:	New → Fix Released
Changed in linux (Ubuntu Mantic):
importance:	Undecided → Medium
assignee:	nobody → Matthew Ruffell (mruffell)
description:	updated
tags:	added: mantic sts

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2024-02-18:

Cover letter:
https://lists.ubuntu.com/archives/kernel-team/2024-February/148896.html
Patch:
https://lists.ubuntu.com/archives/kernel-team/2024-February/148897.html

Stefan Bader (smb) on 2024-02-29

Changed in linux (Ubuntu Mantic):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-03-11:

This bug is awaiting verification that the linux/6.5.0-27.28 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux' to 'verification-done-mantic-linux'. If the problem still exists, change the tag 'verification-needed-mantic-linux' to 'verification-failed-mantic-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-mantic-linux-v2 verification-needed-mantic-linux

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2024-03-20:

Performing verification for mantic.

I deployed mantic onto a bare metal server, with kernel 6.5.0-26-generic from
-updates.

I installed a KVM stack, synced a cloud image, and tested VM creation.

$ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-a release=jammy arch=amd64
$ uvt-kvm ssh jammy-a
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)

From there, I found the PID of the VM:

$ ps aux | grep qemu
libvirt+ 1799 107 1.5 9642380 1044752 ? Sl 03:21 0:38 /usr/bin/qemu-system-x86_64 -name guest=jammy-a,debug-threads=on -S -object {"qom-ty

We run perf:

$ sudo perf top -p 1799

$ virsh console jammy-a
Connected to domain 'jammy-a'
Escape character is ^] (Ctrl + ])
[ 161.413890] BUG: unable to handle page fault for address: fffffe18cdb1c028
[ 161.419474] #PF: supervisor read access in kernel mode
[ 161.423707] #PF: error_code(0x0000) - not-present page
[ 161.427949] PGD 17ffca0[ 161.429508] BUG: unable to handle page fault for address: fffffe18cdb1c028
[ 161.429513] #PF: supervisor read access in kernel mode
[ 161.429516] #PF: error_code(0x0000) - n

The VM suffers a page fault and crashes, and is not accessible over ssh.

$ uvt-kvm ssh jammy-a
(no response).

I then enabled -proposed, and installed 6.5.0-27-generic:

$ uname -rv
6.5.0-27-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar 7 18:21:00 UTC 2024

$ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-a release=jammy arch=amd64
$ uvt-kvm ssh jammy-a
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)

We get the pid of the VM:

$ ps aux | grep qemu
libvirt+ 1786 42.5 1.5 7960876 1022308 ? Sl 03:37 0:40 /usr/bin/qemu-system-x86_64 -name guest=jammy-a,debug-threads=on -S -object {"qom-ty

We run perf:

$ sudo perf top -p 1786

This time, the VM does not crash, and stays running:

$ virsh console jammy-a
Connected to domain 'jammy-a'
Escape character is ^] (Ctrl + ])

jammy-a login:
jammy-a login:

We can also ssh to the VM just fine:

$ uvt-kvm ssh jammy-a
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)

This is much better. The kernel in -proposed fixes the issue, happy to mark verified for mantic.

Performing verification for mantic.

I deployed mantic onto a bare metal server, with kernel 6.5.0-26-generic from
-updates.

I installed a KVM stack, synced a cloud image, and tested VM creation.

$ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-a release=jammy arch=amd64
$ uvt-kvm ssh jammy-a
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)

From there, I found the PID of the VM:

$ ps aux | grep qemu
libvirt+    1799  107  1.5 9642380 1044752 ?     Sl   03:21   0:38 /usr/bin/qemu-system-x86_64 -name guest=jammy-a,debug-threads=on -S -object {"qom-ty

We run perf:

$ sudo perf top -p 1799

$ virsh console jammy-a
Connected to domain 'jammy-a'
Escape character is ^] (Ctrl + ])
[  161.413890] BUG: unable to handle page fault for address: fffffe18cdb1c028
[  161.419474] #PF: supervisor read access in kernel mode
[  161.423707] #PF: error_code(0x0000) - not-present page
[  161.427949] PGD 17ffca0[  161.429508] BUG: unable to handle page fault for address: fffffe18cdb1c028
[  161.429513] #PF: supervisor read access in kernel mode
[  161.429516] #PF: error_code(0x0000) - n

The VM suffers a page fault and crashes, and is not accessible over ssh.

$ uvt-kvm ssh jammy-a
(no response).

I then enabled -proposed, and installed 6.5.0-27-generic:

$ uname -rv
6.5.0-27-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar  7 18:21:00 UTC 2024

$ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-a release=jammy arch=amd64
$ uvt-kvm ssh jammy-a
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)

We get the pid of the VM:

$ ps aux | grep qemu
libvirt+    1786 42.5  1.5 7960876 1022308 ?     Sl   03:37   0:40 /usr/bin/qemu-system-x86_64 -name guest=jammy-a,debug-threads=on -S -object {"qom-ty

We run perf:

$ sudo perf top -p 1786

This time, the VM does not crash, and stays running:

$ virsh console jammy-a
Connected to domain 'jammy-a'
Escape character is ^] (Ctrl + ])

jammy-a login: 
jammy-a login:

We can also ssh to the VM just fine:

$ uvt-kvm ssh jammy-a
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)

This is much better. The kernel in -proposed fixes the issue, happy to mark verified for mantic.

tags:

added: verification-done-mantic-linux
removed: verification-needed-mantic-linux

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-04-08:

Download full text (41.0 KiB)

This bug was fixed in the package linux - 6.5.0-27.28

---------------
linux (6.5.0-27.28) mantic; urgency=medium

* mantic/linux: 6.5.0-27.28 -proposed tracker (LP: #2055584)

  * Packaging resync (LP: #1786013)
    - [Packaging] drop ABI data
    - [Packaging] update annotations scripts
    - debian.master/dkms-versions -- update from kernel-versions (main/2024.03.04)

* CVE-2024-26597
- net: qualcomm: rmnet: fix global oob in rmnet_policy

* CVE-2024-26599
- pwm: Fix out-of-bounds access in of_pwm_single_xlate()

* Drop ABI checks from kernel build (LP: #2055686)
- [Packaging] Remove in-tree abi checks

  * Cranky update-dkms-versions rollout (LP: #2055685)
    - [Packaging] remove update-dkms-versions
    - Move debian/dkms-versions to debian.master/dkms-versions
    - [Packaging] Replace debian/dkms-versions with $(DEBIAN)/dkms-versions

  * linux: please move erofs.ko (CONFIG_EROFS for EROFS support) from linux-
    modules-extra to linux-modules (LP: #2054809)
    - UBUNTU [Packaging]: Include erofs in linux-modules instead of linux-modules-
      extra

* performance: Scheduler: ratelimit updating of load_avg (LP: #2053251)
- sched/fair: Ratelimit update to tg->load_avg

* IB peer memory feature regressed in 6.5 (LP: #2055082)
- SAUCE: RDMA/core: Introduce peer memory interface

* linux-tools-common: man page of usbip[d] is misplaced (LP: #2054094)
- [Packaging] rules: Put usbip manpages in the correct directory

* CVE-2024-23851
- dm: limit the number of targets and parameter size area

* CVE-2024-23850
- btrfs: do not ASSERT() if the newly created subvolume already got read

  * x86: performance: tsc: Extend watchdog check exemption to 4-Sockets platform
    (LP: #2054699)
    - x86/tsc: Extend watchdog check exemption to 4-Sockets platform

  * linux: please move dmi-sysfs.ko (CONFIG_DMI_SYSFS for SMBIOS support) from
    linux-modules-extra to linux-modules (LP: #2045561)
    - [Packaging] Move dmi-sysfs.ko into linux-modules

* Fix AMD brightness issue on AUO panel (LP: #2054773)
- drm/amdgpu: make damage clips support configurable

This bug was fixed in the package linux - 6.5.0-27.28

---------------
linux (6.5.0-27.28) mantic; urgency=medium

* mantic/linux: 6.5.0-27.28 -proposed tracker (LP: #2055584)

* Packaging resync (LP: #1786013)
    - [Packaging] drop ABI data
    - [Packaging] update annotations scripts
    - debian.master/dkms-versions -- update from kernel-versions (main/2024.03.04)

* CVE-2024-26597
    - net: qualcomm: rmnet: fix global oob in rmnet_policy

* CVE-2024-26599
    - pwm: Fix out-of-bounds access in of_pwm_single_xlate()

* Drop ABI checks from kernel build (LP: #2055686)
    - [Packaging] Remove in-tree abi checks

* performance: Scheduler: ratelimit updating of load_avg (LP: #2053251)
    - sched/fair: Ratelimit update to tg->load_avg

* IB peer memory feature regressed in 6.5 (LP: #2055082)
    - SAUCE: RDMA/core: Introduce peer memory interface

* linux-tools-common: man page of usbip[d] is misplaced (LP: #2054094)
    - [Packaging] rules: Put usbip manpages in the correct directory

* CVE-2024-23851
    - dm: limit the number of targets and parameter size area

* CVE-2024-23850
    - btrfs: do not ASSERT() if the newly created subvolume already got read

* x86: performance: tsc: Extend watchdog check exemption to 4-Sockets platform
    (LP: #2054699)
    - x86/tsc: Extend watchdog check exemption to 4-Sockets platform

* linux: please move dmi-sysfs.ko (CONFIG_DMI_SYSFS for SMBIOS support) from
    linux-modules-extra to linux-modules (LP: #2045561)
    - [Packaging] Move dmi-sysfs.ko into linux-modules

* Fix AMD brightness issue on AUO panel (LP: #2054773)
    - drm/amdgpu: make damage clips support configurable

* Mantic update: upstream stable patchset 2024-02-28 (LP: #2055199)
    - f2fs: explicitly null-terminate the xattr list
    - pinctrl: lochnagar: Don't build on MIPS
    - ALSA: hda - Fix speaker and headset mic pin config for CHUWI CoreBook XPro
    - mptcp: fix uninit-value in mptcp_incoming_options
    - wifi: cfg80211: lock wiphy mutex for rfkill poll
    - wifi: avoid offset calculation on NULL pointer
    - wifi: mac80211: handle 320 MHz in ieee80211_ht_cap_ie_to_sta_ht_cap
    - debugfs: fix automount d_fsdata usage
    - nvme-core: fix a memory leak in nvme_ns_info_from_identify()
    - drm/amd/display: update dcn315 lpddr pstate latency
    - drm/amdgpu: Fix cat debugfs amdgpu_regs_didt causes kernel null pointer
    - smb: client, common: fix fortify warnings
    - blk-mq: don't count completed flush data request as inflight in case of
      quiesce
    - nvme-core: check for too small lba shift
    - hwtracing: hisi_ptt: Handle the interrupt in hardirq context
    - hwtracing: hisi_ptt: Don't try to attach a task
    - ASoC: wm8974: Correct boost mixer inputs
    - arm64: dts: rockchip: fix rk356x pcie msg interrupt name
    - ASoC: Intel: Skylake: Fix mem leak in few functions
    - ASoC: nau8822: Fix incorrect type in assignment and cast to restricted
      __be16
    - ASoC: Intel: Skylake: mem leak in skl register function
    - ASoC: cs43130: Fix the position of const qualifier
    - ASoC: cs43130: Fix incorrect frame delay configuration
    - ASoC: rt5650: add mutex to avoid the jack detection failure
    - ASoC: Intel: skl_hda_dsp_generic: Drop HDMI routes when HDMI is not
      available
    - nouveau/tu102: flush all pdbs on vmm flush
    - ASoC: amd: yc: Add DMI entry to support System76 Pangolin 13
    - ASoC: hdac_hda: Conditionally register dais for HDMI and Analog
    - net/tg3: fix race condition in tg3_reset_task()
    - ASoC: da7219: Support low DC impedance headset
    - nvme: introduce helper function to get ctrl state
    - nvme: prevent potential spectre v1 gadget
    - arm64: dts: rockchip: Fix PCI node addresses on rk3399-gru
    - drm/amdgpu: Add NULL checks for function pointers
    - drm/exynos: fix a potential error pointer dereference
    - drm/exynos: fix a wrong error checking
    - hwmon: (corsair-psu) Fix probe when built-in
    - LoongArch: Preserve syscall nr across execve()
    - clk: rockchip: rk3568: Add PLL rate for 292.5MHz
    - clk: rockchip: rk3128: Fix HCLK_OTG gate register
    - jbd2: correct the printing of write_flags in jbd2_write_superblock()
    - jbd2: increase the journal IO's priority
    - drm/crtc: Fix uninit-value bug in drm_mode_setcrtc
    - neighbour: Don't let neigh_forced_gc() disable preemption for long
    - platform/x86: intel-vbtn: Fix missing tablet-mode-switch events
    - jbd2: fix soft lockup in journal_finish_inode_data_buffers()
    - tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing
    - tracing: Add size check when printing trace_marker output
    - stmmac: dwmac-loongson: drop useless check for compatible fallback
    - MIPS: dts: loongson: drop incorrect dwmac fallback compatible
    - tracing: Fix uaf issue when open the hist or hist_debug file
    - ring-buffer: Do not record in NMI if the arch does not support cmpxchg in
      NMI
    - Input: psmouse - enable Synaptics InterTouch for ThinkPad L14 G1
    - reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning
    - Input: atkbd - skip ATKBD_CMD_GETID in translated mode
    - Input: i8042 - add nomux quirk for Acer P459-G2-M
    - s390/scm: fix virtual vs physical address confusion
    - ARC: fix spare error
    - wifi: iwlwifi: pcie: avoid a NULL pointer dereference
    - Input: xpad - add Razer Wolverine V2 support
    - kselftest: alsa: fixed a print formatting warning
    - HID: nintendo: fix initializer element is not constant error
    - platform/x86: thinkpad_acpi: fix for incorrect fan reporting on some
      ThinkPad systems
    - ASoC: Intel: bytcr_rt5640: Add quirk for the Medion Lifetab S10346
    - ASoC: Intel: bytcr_rt5640: Add new swapped-speakers quirk
    - ALSA: hda/realtek: Add quirks for ASUS Zenbook 2022 Models
    - dm audit: fix Kconfig so DM_AUDIT depends on BLK_DEV_DM
    - HID: nintendo: Prevent divide-by-zero on code
    - smb: client: fix potential OOB in smb2_dump_detail()
    - i2c: rk3x: fix potential spinlock recursion on poll
    - drm/amd/display: get dprefclk ss info from integration info table
    - pinctrl: cy8c95x0: Fix typo
    - pinctrl: cy8c95x0: Fix get_pincfg
    - virtio_blk: fix snprintf truncation compiler warning
    - net: qrtr: ns: Return 0 if server port is not present
    - ARM: sun9i: smp: fix return code check of of_property_match_string
    - drm/crtc: fix uninitialized variable use
    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 13-ay0xxx
    - ACPI: resource: Add another DMI match for the TongFang GMxXGxx
    - ASoC: SOF: Intel: hda-codec: Delay the codec device registration
    - ksmbd: don't allow O_TRUNC open on read-only share
    - ksmbd: free ppace array on error in parse_dacl
    - binder: use EPOLLERR from eventpoll.h
    - binder: fix use-after-free in shinker's callback
    - binder: fix trivial typo of binder_free_buf_locked()
    - binder: fix comment on binder_alloc_new_buf() return value
    - uio: Fix use-after-free in uio_open
    - parport: parport_serial: Add Brainboxes BAR details
    - parport: parport_serial: Add Brainboxes device IDs and geometry
    - leds: ledtrig-tty: Free allocated ttyname buffer on deactivate
    - PCI: Add ACS quirk for more Zhaoxin Root Ports
    - coresight: etm4x: Fix width of CCITMIN field
    - scripts/decode_stacktrace.sh: optionally use LLVM utilities
    - pinctrl: s32cc: Avoid possible string truncation
    - kunit: Warn if tests are slow
    - kunit: Reset suite counter right before running tests
    - io_uring: use fget/fput consistently
    - block: warn once for each partition in bio_check_ro()
    - drm/amdkfd: Use common function for IP version check
    - drm/amdkfd: Free gang_ctx_bo and wptr_bo in pqm_uninit
    - drm/amdgpu: Use another offset for GC 9.4.3 remap
    - ASoC: amd: yc: Add HP 255 G10 into quirk table
    - ASoC: SOF: topology: Fix mem leak in sof_dai_load()
    - ASoC: fsl_xcvr: Enable 2 * TX bit clock for spdif only case
    - ASoC: fsl_xcvr: refine the requested phy clock frequency
    - ASoC: SOF: ipc4-topology: Add core_mask in struct snd_sof_pipeline
    - ASoC: SOF: sof-audio: Modify logic for enabling/disabling topology cores
    - ASoC: SOF: ipc4-topology: Correct data structures for the SRC module
    - ASoC: SOF: ipc4-topology: Correct data structures for the GAIN module
    - pds_vdpa: fix up format-truncation complaint
    - pds_vdpa: clear config callback when status goes to 0
    - pds_vdpa: set features order
    - nvme: ensure reset state check ordering
    - nvme-ioctl: move capable() admin check to the end
    - nvme: fix deadlock between reset and scan
    - LoongArch: Apply dynamic relocations for LLD
    - LoongArch: Set unwind stack type to unknown rather than set error flag
    - soundwire: intel_ace2x: fix AC timing setting for ACE2.x
    - efi/loongarch: Use load address to calculate kernel entry address
    - pinctrl: amd: Mask non-wake source pins with interrupt enabled at suspend
    - ASoC: cs35l45: Use modern pm_ops
    - ASoC: cs35l45: Prevent IRQ handling when suspending/resuming
    - ASoC: cs35l45: Prevents spinning during runtime suspend
    - driver core: Add a guard() definition for the device_lock()
    - platform/x86/amd/pmc: Move platform defines to header
    - platform/x86/amd/pmc: Only run IRQ1 firmware version check on Cezanne
    - platform/x86/amd/pmc: Move keyboard wakeup disablement detection to pmc-
      quirks
    - platform/x86/amd/pmc: Disable keyboard wakeup on AMD Framework 13
    - drm/amdkfd: svm range always mapped flag not working on APU
    - drm/amd/display: Add case for dcn35 to support usb4 dmub hpd event
    - pinctrl: cy8c95x0: Fix regression
    - posix-timers: Get rid of [COMPAT_]SYS_NI() uses
    - nfc: Do not send datagram if socket state isn't LLCP_BOUND
    - x86/csum: Remove unnecessary odd handling
    - x86/csum: clean up `csum_partial' further
    - x86/microcode: do not cache microcode if it will not be used
    - bus: moxtet: Mark the irq as shared
    - bus: moxtet: Add spi device table
    - drm/amd/display: Pass pwrseq inst for backlight and ABM
    - Upstream stable to v6.1.74, v6.6.13

* Mantic update: upstream stable patchset 2024-02-27 (LP: #2055002)
    - Revert "nfsd: call nfsd_last_thread() before final nfsd_put()"
    - cifs: fix flushing folio regression for 6.1 backport
    - Upstream stable to v6.1.73, v6.6.12

* Mantic update: upstream stable patchset 2024-02-26 (LP: #2054779)
    - keys, dns: Fix missing size check of V1 server-list header
    - ALSA: hda/realtek: enable SND_PCI_QUIRK for hp pavilion 14-ec1xxx series
    - ALSA: hda/realtek: fix mute/micmute LEDs for a HP ZBook
    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP ProBook 440 G6
    - mptcp: prevent tcp diag from closing listener subflows
    - Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()"
    - drm/mgag200: Fix gamma lut not initialized for G200ER, G200EV, G200SE
    - cifs: cifs_chan_is_iface_active should be called with chan_lock held
    - cifs: do not depend on release_iface for maintaining iface_list
    - wifi: iwlwifi: pcie: don't synchronize IRQs from IRQ
    - drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX xfer
    - netfilter: nf_tables: set transport offset from mac header for netdev/egress
    - nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to
      llcp_local
    - octeontx2-af: Fix marking couple of structure as __packed
    - drm/i915/dp: Fix passing the correct DPCD_REV for
      drm_dp_set_phy_test_pattern
    - ice: Fix link_down_on_close message
    - ice: Shut down VSI with "link-down-on-close" enabled
    - i40e: Fix filter input checks to prevent config with invalid values
    - igc: Report VLAN EtherType matching back to user
    - igc: Check VLAN TCI mask
    - igc: Check VLAN EtherType mask
    - ASoC: fsl_rpmsg: Fix error handler with pm_runtime_enable
    - ASoC: mediatek: mt8186: fix AUD_PAD_TOP register and offset
    - mlxbf_gige: fix receive packet race condition
    - net: sched: em_text: fix possible memory leak in em_text_destroy()
    - r8169: Fix PCI error on system resume
    - net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)
    - selftests: bonding: do not set port down when adding to bond
    - ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init
    - sfc: fix a double-free bug in efx_probe_filters
    - net: bcmgenet: Fix FCS generation for fragmented skbuffs
    - netfilter: nft_immediate: drop chain reference counter on error
    - net: Save and restore msg_namelen in sock_sendmsg
    - i40e: fix use-after-free in i40e_aqc_add_filters()
    - ASoC: meson: g12a-toacodec: Validate written enum values
    - ASoC: meson: g12a-tohdmitx: Validate written enum values
    - ASoC: meson: g12a-toacodec: Fix event generation
    - ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux
    - i40e: Restore VF MSI-X state during PCI reset
    - igc: Fix hicredit calculation
    - net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues
    - net/smc: fix invalid link access in dumping SMC-R connections
    - octeontx2-af: Always configure NIX TX link credits based on max frame size
    - octeontx2-af: Re-enable MAC TX in otx2_stop processing
    - asix: Add check for usbnet_get_endpoints
    - net: ravb: Wait for operating mode to be applied
    - bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters()
    - net: Implement missing SO_TIMESTAMPING_NEW cmsg support
    - bpf: Support new 32bit offset jmp instruction
    - mm: merge folio_has_private()/filemap_release_folio() call pairs
    - mm, netfs, fscache: stop read optimisation when folio removed from pagecache
    - smb: client: fix missing mode bits for SMB symlinks
    - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7
    - firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and
      ASM108x/VT630x PCIe cards
    - x86/kprobes: fix incorrect return address calculation in
      kprobe_emulate_call_indirect
    - i2c: core: Fix atomic xfer check for non-preempt config
    - mm: fix unmap_mapping_range high bits shift bug
    - drm/amdgpu: skip gpu_info fw loading on navi12
    - drm/amd/display: add nv12 bounding box
    - mmc: meson-mx-sdhc: Fix initialization frozen issue
    - mmc: rpmb: fixes pause retune on all RPMB partitions.
    - mmc: core: Cancel delayed work before releasing host
    - mmc: sdhci-sprd: Fix eMMC init failure after hw reset
    - bpf: Fix a verifier bug due to incorrect branch offset comparison with
      cpu=v4
    - media: qcom: camss: Comment CSID dt_id field
    - Revert "interconnect: qcom: sm8250: Enable sync_state"
    - drm/amd/display: pbn_div need be updated for hotplug event
    - accel/qaic: Fix GEM import path code
    - accel/qaic: Implement quirk for SOC_HW_VERSION
    - drm/bridge: parade-ps8640: Never store more than msg->size bytes in AUX xfer
    - drm/bridge: ps8640: Fix size mismatch warning w/ len
    - drm/i915/perf: Update handling of MMIO triggered reports
    - igc: Check VLAN EtherType mask
    - netfilter: nf_nat: fix action not being set for all ct states
    - virtio_net: avoid data-races on dev->stats fields
    - mm: convert DAX lock/unlock page to lock/unlock folio
    - mm/memory-failure: pass the folio and the page to collect_procs()
    - tcp: derive delack_max from rto_min
    - bpftool: Fix -Wcast-qual warning
    - bpftool: Align output skeleton ELF code
    - crypto: xts - use 'spawn' for underlying single-block cipher
    - crypto: qat - fix double free during reset
    - crypto: hisilicon/qm - fix EQ/AEQ interrupt issue
    - vfio/mtty: Overhaul mtty interrupt handling
    - clk: si521xx: Increase stack based print buffer size in probe
    - RDMA/mlx5: Fix mkey cache WQ flush
    - rcu: Break rcu_node_0 --> &rq->__lock order
    - rcu: Introduce rcu_cpu_online()
    - rcu/tasks: Handle new PF_IDLE semantics
    - rcu/tasks-trace: Handle new PF_IDLE semantics
    - KVM: s390: vsie: fix wrong VIR 37 when MSO is used
    - dmaengine: ti: k3-psil-am62: Fix SPI PDMA data
    - dmaengine: ti: k3-psil-am62a: Fix SPI PDMA data
    - iio: imu: adis16475: use bit numbers in assign_bit()
    - iommu/vt-d: Support enforce_cache_coherency only for empty domains
    - phy: mediatek: mipi: mt8183: fix minimal supported frequency
    - phy: sunplus: return negative error code in sp_usb_phy_probe
    - clk: rockchip: rk3128: Fix aclk_peri_src's parent
    - clk: rockchip: rk3128: Fix SCLK_SDMMC's clock name
    - drm/i915: Call intel_pre_plane_updates() also for pipes getting enabled
    - drm/amd/display: Increase num voltage states to 40
    - cxl: Add cxl_decoders_committed() helper
    - cxl/core: Always hold region_rwsem while reading poison lists
    - kernel/resource: Increment by align value in get_free_mem_region()
    - drm/amd/display: Increase frame warning limit with KASAN or KCSAN in dml
    - dmaengine: idxd: Protect int_handle field in hw descriptor
    - RISCV: KVM: update external interrupt atomically for IMSIC swfile
    - powerpc/pseries/vas: Migration suspend waits for no in-progress open windows
    - net: prevent mss overflow in skb_segment()
    - cxl/pmu: Ensure put_device on pmu devices
    - net: libwx: fix memory leak on free page
    - net: constify sk_dst_get() and __sk_dst_get() argument
    - mm/mglru: skip special VMAs in lru_gen_look_around()
    - cxl: Add cxl_num_decoders_committed() usage to cxl_test
    - cxl/hdm: Fix a benign lockdep splat
    - cxl/memdev: Hold region_rwsem during inject and clear poison ops

* kvm: Running perf against qemu processes results in page fault inside guest
    (LP: #2054218) // Mantic update: upstream stable patchset 2024-02-26
    (LP: #2054779)
    - KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL

* smb: wsize blocks of bytes followed with binary zeros on copy, destroying
    data (LP: #2049634)
    - smb: Fix regression in writes when non-standard maximum write size
      negotiated

* CVE-2024-1085
    - netfilter: nf_tables: check if catch-all set element is active in next
      generation

* move_mount mediation does not detect if source is detached (LP: #2052662)
    - apparmor: Fix move_mount mediation by detecting if source is detached

* CVE-2023-46838
    - xen-netback: don't produce zero-size SKB frags

* CVE-2024-1086
    - netfilter: nf_tables: reject QUEUE/DROP verdict parameters

* Validate connection interval to pass Bluetooth Test Suite (LP: #2052005)
    - Bluetooth: Enforce validation on max value of connection interval

* Sound: Add rtl quirk of M70-Gen5 (LP: #2051947)
    - ALSA: hda/realtek: Enable headset mic on Lenovo M70 Gen5

* Fix spurious wakeup caused by Cirque touchpad (LP: #2051896)
    - HID: i2c-hid: Remove I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV quirk
    - HID: i2c-hid: Renumber I2C_HID_QUIRK_ defines
    - HID: i2c-hid: Skip SET_POWER SLEEP for Cirque touchpad on system suspend

* Mantic update: upstream stable patchset 2024-02-09 (LP: #2052792)
    - ksmbd: switch to use kmemdup_nul() helper
    - ksmbd: add support for read compound
    - ksmbd: fix wrong interim response on compound
    - ksmbd: fix `force create mode' and `force directory mode'
    - ksmbd: Fix one kernel-doc comment
    - ksmbd: add missing calling smb2_set_err_rsp() on error
    - ksmbd: remove experimental warning
    - ksmbd: remove unneeded mark_inode_dirty in set_info_sec()
    - ksmbd: fix passing freed memory 'aux_payload_buf'
    - ksmbd: return invalid parameter error response if smb2 request is invalid
    - ksmbd: check iov vector index in ksmbd_conn_write()
    - ksmbd: fix race condition with fp
    - ksmbd: fix race condition from parallel smb2 logoff requests
    - ksmbd: fix race condition between tree conn lookup and disconnect
    - ksmbd: fix wrong error response status by using set_smb2_rsp_status()
    - ksmbd: fix Null pointer dereferences in ksmbd_update_fstate()
    - ksmbd: fix potential double free on smb2_read_pipe() error path
    - ksmbd: Remove unused field in ksmbd_user struct
    - ksmbd: reorganize ksmbd_iov_pin_rsp()
    - ksmbd: fix kernel-doc comment of ksmbd_vfs_setxattr()
    - ksmbd: fix missing RDMA-capable flag for IPoIB device in
      ksmbd_rdma_capable_netdev()
    - ksmbd: add support for surrogate pair conversion
    - ksmbd: no need to wait for binded connection termination at logoff
    - ksmbd: fix kernel-doc comment of ksmbd_vfs_kern_path_locked()
    - ksmbd: prevent memory leak on error return
    - ksmbd: separately allocate ci per dentry
    - ksmbd: move oplock handling after unlock parent dir
    - ksmbd: release interim response after sending status pending response
    - ksmbd: move setting SMB2_FLAGS_ASYNC_COMMAND and AsyncId
    - ksmbd: don't update ->op_state as OPLOCK_STATE_NONE on error
    - ksmbd: set epoch in create context v2 lease
    - ksmbd: set v2 lease capability
    - ksmbd: downgrade RWH lease caching state to RH for directory
    - ksmbd: send v2 lease break notification for directory
    - ksmbd: lazy v2 lease break on smb2_write()
    - ksmbd: avoid duplicate opinfo_put() call on error of smb21_lease_break_ack()
    - ksmbd: fix wrong allocation size update in smb2_open()
    - linux/export: Ensure natural alignment of kcrctab array
    - block: renumber QUEUE_FLAG_HW_WC
    - platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe
    - mm/filemap: avoid buffered read/write race to read inconsistent data
    - mm: migrate high-order folios in swap cache correctly
    - mm/memory-failure: cast index to loff_t before shifting it
    - mm/memory-failure: check the mapcount of the precise page
    - ring-buffer: Fix wake ups when buffer_percent is set to 100
    - tracing: Fix blocked reader of snapshot buffer
    - NFSD: fix possible oops when nfsd/pool_stats is closed.
    - Revert "platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe"
    - fs: cifs: Fix atime update check
    - linux/export: Fix alignment for 64-bit ksymtab entries
    - mptcp: refactor sndbuf auto-tuning
    - mptcp: fix possible NULL pointer dereference on close
    - mptcp: fix inconsistent state on fastopen race
    - platform/x86/intel/pmc: Add suspend callback
    - platform/x86/intel/pmc: Allow reenabling LTRs
    - platform/x86/intel/pmc: Move GBE LTR ignore to suspend callback
    - selftests: secretmem: floor the memory size to the multiple of page_size
    - Revert "nvme-fc: fix race between error recovery and creating association"
    - ftrace: Fix modification of direct_function hash while in use
    - Upstream stable to v6.1.71, v6.6.10

* Mantic update: upstream stable patchset 2024-02-06 (LP: #2052499)
    - kasan: disable kasan_non_canonical_hook() for HW tags
    - bpf: Fix prog_array_map_poke_run map poke update
    - ARM: dts: dra7: Fix DRA7 L3 NoC node register size
    - ARM: OMAP2+: Fix null pointer dereference and memory leak in
      omap_soc_device_init
    - reset: Fix crash when freeing non-existent optional resets
    - s390/vx: fix save/restore of fpu kernel context
    - wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock
    - wifi: mac80211: check if the existing link config remains unchanged
    - wifi: mac80211: mesh: check element parsing succeeded
    - wifi: mac80211: mesh_plink: fix matches_local logic
    - Revert "net/mlx5e: fix double free of encap_header in update funcs"
    - Revert "net/mlx5e: fix double free of encap_header"
    - net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list()
    - net/mlx5: Re-organize mlx5_cmd struct
    - net/mlx5e: Fix a race in command alloc flow
    - net/mlx5e: fix a potential double-free in fs_udp_create_groups
    - net/mlx5: Fix fw tracer first block check
    - net/mlx5e: Correct snprintf truncation handling for fw_version buffer
    - net/mlx5e: Correct snprintf truncation handling for fw_version buffer used
      by representors
    - net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and above
    - octeontx2-pf: Fix graceful exit during PFC configuration failure
    - net: Return error from sk_stream_wait_connect() if sk_wait_event() fails
    - net: sched: ife: fix potential use-after-free
    - ethernet: atheros: fix a memleak in atl1e_setup_ring_resources
    - net/rose: fix races in rose_kill_by_device()
    - Bluetooth: Fix deadlock in vhci_send_frame
    - Bluetooth: hci_event: shut up a false-positive warning
    - net: mana: select PAGE_POOL
    - net: check vlan filter feature in vlan_vids_add_by_dev() and
      vlan_vids_del_by_dev()
    - afs: Fix the dynamic root's d_delete to always delete unused dentries
    - afs: Fix dynamic root lookup DNS check
    - net: check dev->gso_max_size in gso_features_check()
    - keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
    - afs: Fix overwriting of result of DNS query
    - afs: Fix use-after-free due to get/remove race in volume tree
    - ASoC: hdmi-codec: fix missing report for jack initial status
    - ASoC: fsl_sai: Fix channel swap issue on i.MX8MP
    - i2c: aspeed: Handle the coalesced stop conditions with the start conditions.
    - x86/xen: add CPU dependencies for 32-bit build
    - pinctrl: at91-pio4: use dedicated lock class for IRQ
    - gpiolib: cdev: add gpio_device locking wrapper around gpio_ioctl()
    - nvme-pci: fix sleeping function called from interrupt context
    - interconnect: Treat xlate() returning NULL node as an error
    - iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw
    - Input: ipaq-micro-keys - add error handling for devm_kmemdup
    - scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
    - iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table
    - iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma()
    - iio: triggered-buffer: prevent possible freeing of wrong buffer
    - ALSA: usb-audio: Increase delay in MOTU M quirk
    - usb-storage: Add quirk for incorrect WP on Kingston DT Ultimate 3.0 G3
    - wifi: cfg80211: Add my certificate
    - wifi: cfg80211: fix certs build to not depend on file order
    - USB: serial: ftdi_sio: update Actisense PIDs constant names
    - USB: serial: option: add Quectel EG912Y module support
    - USB: serial: option: add Foxconn T99W265 with new baseline
    - USB: serial: option: add Quectel RM500Q R13 firmware support
    - ALSA: hda/realtek: Add quirk for ASUS ROG GV302XA
    - Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent
    - Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE
    - Bluetooth: Add more enc key size check
    - net: usb: ax88179_178a: avoid failed operations when device is disconnected
    - Input: soc_button_array - add mapping for airplane mode button
    - net: 9p: avoid freeing uninit memory in p9pdu_vreadf
    - net: rfkill: gpio: set GPIO direction
    - net: ks8851: Fix TX stall caused by TX buffer overrun
    - dt-bindings: nvmem: mxs-ocotp: Document fsl,ocotp
    - smb: client: fix OOB in cifsd when receiving compounded resps
    - smb: client: fix potential OOB in cifs_dump_detail()
    - smb: client: fix OOB in SMB2_query_info_init()
    - drm/i915: Reject async flips with bigjoiner
    - 9p: prevent read overrun in protocol dump tracepoint
    - btrfs: zoned: no longer count fresh BG region as zone unusable
    - ubifs: fix possible dereference after free
    - ublk: move ublk_cancel_dev() out of ub->mutex
    - selftests: mptcp: join: fix subflow_send_ack lookup
    - Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity"
    - scsi: core: Always send batch on reset or error handling command
    - tracing / synthetic: Disable events after testing in
      synth_event_gen_test_init()
    - dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata()
    - pinctrl: starfive: jh7100: ignore disabled device tree nodes
    - bus: ti-sysc: Flush posted write only after srst_udelay
    - gpio: dwapb: mask/unmask IRQ when disable/enale it
    - lib/vsprintf: Fix %pfwf when current node refcount == 0
    - thunderbolt: Fix memory leak in margining_port_remove()
    - KVM: arm64: vgic: Simplify kvm_vgic_destroy()
    - KVM: arm64: vgic: Add a non-locking primitive for kvm_vgic_vcpu_destroy()
    - KVM: arm64: vgic: Force vcpu vgic teardown on vcpu destroy
    - x86/alternatives: Sync core before enabling interrupts
    - mm/damon/core: make damon_start() waits until kdamond_fn() starts
    - wifi: cfg80211: fix CQM for non-range use
    - wifi: nl80211: fix deadlock in nl80211_set_cqm_rssi (6.6.x)
    - mm/damon/core: use number of passed access sampling as a timer
    - btrfs: qgroup: iterate qgroups without memory allocation for
      qgroup_reserve()
    - btrfs: qgroup: use qgroup_iterator in qgroup_convert_meta()
    - btrfs: free qgroup pertrans reserve on transaction abort
    - drm/i915: Fix FEC state dump
    - drm/i915: Introduce crtc_state->enhanced_framing
    - drm/i915/edp: don't write to DP_LINK_BW_SET when using rate select
    - drm: Fix FD ownership check in drm_master_check_perm()
    - platform/x86/intel/pmc: Fix hang in pmc_core_send_ltr_ignore()
    - SUNRPC: Revert 5f7fc5d69f6e92ec0b38774c387f5cf7812c5806
    - wifi: ieee80211: don't require protected vendor action frames
    - wifi: mac80211: don't re-add debugfs during reconfig
    - wifi: mac80211: check defragmentation succeeded
    - ice: fix theoretical out-of-bounds access in ethtool link modes
    - bpf: syzkaller found null ptr deref in unix_bpf proto add
    - net/mlx5e: Fix overrun reported by coverity
    - net/mlx5e: XDP, Drop fragmented packets larger than MTU size
    - net/mlx5: Refactor mlx5_flow_destination->rep pointer to vport num
    - net/mlx5e: Fix error code in mlx5e_tc_action_miss_mapping_get()
    - net/mlx5e: Fix error codes in alloc_branch_attr()
    - net: mscc: ocelot: fix pMAC TX RMON stats for bucket 256-511 and above
    - Bluetooth: Fix not notifying when connection encryption changes
    - Bluetooth: hci_core: Fix hci_conn_hash_lookup_cis
    - bnxt_en: do not map packet buffers twice
    - net: phy: skip LED triggers on PHYs on SFP modules
    - ice: stop trashing VF VSI aggregator node ID information
    - ice: Fix PF with enabled XDP going no-carrier after reset
    - net: ethernet: mtk_wed: fix possible NULL pointer dereference in
      mtk_wed_wo_queue_tx_clean()
    - drm/i915/hwmon: Fix static analysis tool reported issues
    - drm/i915/mtl: Fix HDMI/DP PLL clock selection
    - i2c: qcom-geni: fix missing clk_disable_unprepare() and
      geni_se_resources_off()
    - drm/amdgpu: re-create idle bo's PTE during VM state machine reset
    - interconnect: qcom: sm8250: Enable sync_state
    - scsi: ufs: qcom: Return ufs_qcom_clk_scale_*() errors in
      ufs_qcom_clk_scale_notify()
    - scsi: ufs: core: Let the sq_lock protect sq_tail_slot access
    - iio: kx022a: Fix acceleration value scaling
    - iio: adc: imx93: add four channels for imx93 adc
    - iio: imu: adis16475: add spi_device_id table
    - iio: tmag5273: fix temperature offset
    - ARM: dts: Fix occasional boot hang for am3 usb
    - wifi: mt76: fix crash with WED rx support enabled
    - ASoC: tas2781: check the validity of prm_no/cfg_no
    - usb: typec: ucsi: fix gpio-based orientation detection
    - usb: fotg210-hcd: delete an incorrect bounds test
    - net: avoid build bug in skb extension length calculation
    - nfsd: call nfsd_last_thread() before final nfsd_put()
    - ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg()
    - ring-buffer: Remove useless update to write_stamp in rb_try_to_discard()
    - ring-buffer: Fix slowpath of interrupted event
    - spi: atmel: Do not cancel a transfer upon any signal
    - spi: atmel: Prevent spi transfers from being killed
    - spi: atmel: Fix clock issue when using devices with different polarities
    - nvmem: brcm_nvram: store a copy of NVRAM content
    - pinctrl: starfive: jh7110: ignore disabled device tree nodes
    - x86/alternatives: Disable interrupts and sync when optimizing NOPs in place
    - x86/smpboot/64: Handle X2APIC BIOS inconsistency gracefully
    - spi: cadence: revert "Add SPI transfer delays"
    - Upstream stable to v6.1.70, v6.6.9

* Mantic update: upstream stable patchset 2024-02-01 (LP: #2051924)
    - r8152: add vendor/device ID pair for D-Link DUB-E250
    - r8152: add vendor/device ID pair for ASUS USB-C2500
    - ext4: fix warning in ext4_dio_write_end_io()
    - ksmbd: fix memory leak in smb2_lock()
    - afs: Fix refcount underflow from error handling race
    - HID: lenovo: Restrict detection of patched firmware only to USB cptkbd
    - net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work
    - net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX
    - qca_debug: Prevent crash on TX ring changes
    - qca_debug: Fix ethtool -G iface tx behavior
    - qca_spi: Fix reset behavior
    - bnxt_en: Fix wrong return value check in bnxt_close_nic()
    - bnxt_en: Fix HWTSTAMP_FILTER_ALL packet timestamp logic
    - atm: solos-pci: Fix potential deadlock on &cli_queue_lock
    - atm: solos-pci: Fix potential deadlock on &tx_queue_lock
    - net: fec: correct queue selection
    - octeontx2-af: fix a use-after-free in rvu_nix_register_reporters
    - octeontx2-pf: Fix promisc mcam entry action
    - octeontx2-af: Update RSS algorithm index
    - iavf: Introduce new state machines for flow director
    - iavf: Handle ntuple on/off based on new state machines for flow director
    - qed: Fix a potential use-after-free in qed_cxt_tables_alloc
    - net: Remove acked SYN flag from packet in the transmit queue correctly
    - net: ena: Destroy correct number of xdp queues upon failure
    - net: ena: Fix xdp drops handling due to multibuf packets
    - net: ena: Fix XDP redirection error
    - stmmac: dwmac-loongson: Make sure MDIO is initialized before use
    - sign-file: Fix incorrect return values check
    - vsock/virtio: Fix unsigned integer wrap around in
      virtio_transport_has_space()
    - dpaa2-switch: fix size of the dma_unmap
    - dpaa2-switch: do not ask for MDB, VLAN and FDB replay
    - net: stmmac: Handle disabled MDIO busses from devicetree
    - net: atlantic: fix double free in ring reinit logic
    - cred: switch to using atomic_long_t
    - fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
    - ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB
    - ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
    - ALSA: hda/realtek: Apply mute LED quirk for HP15-db
    - PCI: loongson: Limit MRRS to 256
    - ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
    - drm/mediatek: Add spinlock for setting vblank event in atomic_begin
    - x86/hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM
    - usb: aqc111: check packet for fixup for true limit
    - stmmac: dwmac-loongson: Add architecture dependency
    - [Config] updateconfigs for DWMAC_LOONGSON
    - blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock
      required!"
    - blk-cgroup: bypass blkcg_deactivate_policy after destroying
    - bcache: avoid oversize memory allocation by small stripe_size
    - bcache: remove redundant assignment to variable cur_idx
    - bcache: add code comments for bch_btree_node_get() and
      __bch_btree_node_alloc()
    - bcache: avoid NULL checking to c->root in run_cache_set()
    - nbd: fold nbd config initialization into nbd_alloc_config()
    - nvme-auth: set explanation code for failure2 msgs
    - nvme: catch errors from nvme_configure_metadata()
    - selftests/bpf: fix bpf_loop_bench for new callback verification scheme
    - LoongArch: Add dependency between vmlinuz.efi and vmlinux.efi
    - LoongArch: Implement constant timer shutdown interface
    - platform/x86: intel_telemetry: Fix kernel doc descriptions
    - HID: glorious: fix Glorious Model I HID report
    - HID: add ALWAYS_POLL quirk for Apple kb
    - nbd: pass nbd_sock to nbd_read_reply() instead of index
    - HID: hid-asus: reset the backlight brightness level on resume
    - HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
    - asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation
    - net: usb: qmi_wwan: claim interface 4 for ZTE MF290
    - arm64: add dependency between vmlinuz.efi and Image
    - HID: hid-asus: add const to read-only outgoing usb buffer
    - btrfs: do not allow non subvolume root targets for snapshot
    - soundwire: stream: fix NULL pointer dereference for multi_link
    - ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
    - arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify
    - team: Fix use-after-free when an option instance allocation fails
    - drm/amdgpu/sdma5.2: add begin/end_use ring callbacks
    - dmaengine: stm32-dma: avoid bitfield overflow assertion
    - mm/mglru: fix underprotected page cache
    - mm/shmem: fix race in shmem_undo_range w/THP
    - btrfs: free qgroup reserve when ORDERED_IOERR is set
    - btrfs: don't clear qgroup reserved bit in release_folio
    - drm/amdgpu: fix tear down order in amdgpu_vm_pt_free
    - drm/amd/display: Disable PSR-SU on Parade 0803 TCON again
    - drm/i915: Fix remapped stride with CCS on ADL+
    - smb: client: fix NULL deref in asn1_ber_decoder()
    - smb: client: fix OOB in smb2_query_reparse_point()
    - ring-buffer: Fix memory leak of free page
    - tracing: Update snapshot buffer on resize if it is allocated
    - ring-buffer: Do not update before stamp when switching sub-buffers
    - ring-buffer: Have saved event hold the entire event
    - ring-buffer: Fix writing to the buffer with max_data_size
    - ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs
    - ring-buffer: Do not try to put back write_stamp
    - ring-buffer: Have rb_time_cmpxchg() set the msb counter too
    - net/mlx5e: Honor user choice of IPsec replay window size
    - net/mlx5e: Ensure that IPsec sequence packet number starts from 1
    - RDMA/mlx5: Send events from IB driver about device affiliation state
    - net/mlx5e: Disable IPsec offload support if not FW steering
    - net/mlx5e: TC, Don't offload post action rule if not supported
    - net/mlx5: Nack sync reset request when HotPlug is enabled
    - net/mlx5e: Check netdev pointer before checking its net ns
    - net/mlx5: Fix a NULL vs IS_ERR() check
    - bnxt_en: Fix skb recycling logic in bnxt_deliver_skb()
    - net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table
    - octeon_ep: explicitly test for firmware ready value
    - octeontx2-af: Fix pause frame configuration
    - iavf: Fix iavf_shutdown to call iavf_remove instead iavf_close
    - net: ena: Fix DMA syncing in XDP path when SWIOTLB is on
    - net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX
    - cred: get rid of CONFIG_DEBUG_CREDENTIALS
    - [Config] updateconfigs for DEBUG_CREDENTIALS
    - HID: i2c-hid: Add IDEA5002 to i2c_hid_acpi_blacklist[]
    - HID: Add quirk for Labtec/ODDOR/aikeec handbrake
    - fuse: share lookup state between submount and its parent
    - io_uring/cmd: fix breakage in SOCKET_URING_OP_SIOC* implementation
    - PCI/ASPM: Add pci_enable_link_state_locked()
    - PCI: vmd: Fix potential deadlock when enabling ASPM
    - drm/mediatek: fix kernel oops if no crtc is found
    - drm/i915/selftests: Fix engine reset count storage for multi-tile
    - drm/i915: Use internal class when counting engine resets
    - selftests/mm: cow: print ksft header before printing anything else
    - rxrpc: Fix some minor issues with bundle tracing
    - nbd: factor out a helper to get nbd_config without holding 'config_lock'
    - nbd: fix null-ptr-dereference while accessing 'nbd->config'
    - LoongArch: Record pc instead of offset in la_abs relocation
    - LoongArch: Silence the boot warning about 'nokaslr'
    - HID: mcp2221: Set driver data before I2C adapter add
    - HID: mcp2221: Allow IO to start during probe
    - HID: apple: add Jamesdonkey and A3R to non-apple keyboards list
    - nfc: virtual_ncidev: Add variable to check if ndev is running
    - scripts/checkstack.pl: match all stack sizes for s390
    - cxl/hdm: Fix dpa translation locking
    - Revert "selftests: error out if kernel header files are not yet built"
    - drm/mediatek: Fix access violation in mtk_drm_crtc_dma_dev_get
    - mm/mglru: try to stop at high watermarks
    - mm/mglru: respect min_ttl_ms with memcgs
    - mm/mglru: reclaim offlined memcgs harder
    - btrfs: fix qgroup_free_reserved_data int overflow
    - drm/edid: also call add modes in EDID connector update fallback
    - drm/i915: Fix ADL+ tiled plane stride when the POT stride is smaller than
      the original
    - drm/i915: Fix intel_atomic_setup_scalers() plane_state handling
    - smb: client: fix potential OOBs in smb2_parse_contexts()
    - x86/speculation, objtool: Use absolute relocations for annotations
    - RDMA/mlx5: Change the key being sent for MPV device affiliation
    - Upstream stable to v6.1.69, v6.6.8

* CVE-2023-50431
    - accel/habanalabs: fix information leak in sec_attest_info()

* CVE-2024-22705
    - ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()

-- Roxana Nicolescu <roxana.nicolescu@canonical.com>  Thu, 07 Mar 2024 17:27:48 +0100

Changed in linux (Ubuntu Mantic):
status:	Fix Committed → Fix Released

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-04-08:

This bug is awaiting verification that the linux-raspi/6.5.0-1014.17 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux-raspi' to 'verification-done-mantic-linux-raspi'. If the problem still exists, change the tag 'verification-needed-mantic-linux-raspi' to 'verification-failed-mantic-linux-raspi'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-mantic-linux-raspi-v2 verification-needed-mantic-linux-raspi

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

kvm: Running perf against qemu processes results in page fault inside guest

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package