This bug was fixed in the package linux-gcp - 5.15.0-1041.49 --------------- linux-gcp (5.15.0-1041.49) jammy; urgency=medium * jammy/linux-gcp: 5.15.0-1041.49 -proposed tracker (LP: #2030391) [ Ubuntu: 5.15.0-83.92 ] * jammy/linux: 5.15.0-83.92 -proposed tracker (LP: #2031132) * libgnutls report "trap invalid opcode" when trying to install packages over https (LP: #2031093) - [Config]: disable CONFIG_GDS_FORCE_MITIGATION [ Ubuntu: 5.15.0-81.90 ] * jammy/linux: 5.15.0-81.90 -proposed tracker (LP: #2030422) * Packaging resync (LP: #1786013) - [Packaging] resync update-dkms-versions helper - [Packaging] resync getabis - debian/dkms-versions -- update from kernel-versions (main/2023.08.07) * CVE-2022-40982 - x86/mm: Initialize text poking earlier - x86/mm: fix poking_init() for Xen PV guests - x86/mm: Use mm_alloc() in poking_init() - mm: Move mm_cachep initialization to mm_init() - init: Provide arch_cpu_finalize_init() - x86/cpu: Switch to arch_cpu_finalize_init() - ARM: cpu: Switch to arch_cpu_finalize_init() - sparc/cpu: Switch to arch_cpu_finalize_init() - um/cpu: Switch to arch_cpu_finalize_init() - init: Remove check_bugs() leftovers - init: Invoke arch_cpu_finalize_init() earlier - init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init() - x86/init: Initialize signal frame size late - x86/fpu: Remove cpuinfo argument from init functions - x86/fpu: Mark init functions __init - x86/fpu: Move FPU initialization into arch_cpu_finalize_init() - x86/xen: Fix secondary processors' FPU initialization - x86/speculation: Add Gather Data Sampling mitigation - x86/speculation: Add force option to GDS mitigation - x86/speculation: Add Kconfig option for GDS - KVM: Add GDS_NO support to KVM - Documentation/x86: Fix backwards on/off logic about YMM support - [Config]: Enable CONFIG_ARCH_HAS_CPU_FINALIZE_INIT and CONFIG_GDS_FORCE_MITIGATION * CVE-2023-3609 - net/sched: cls_u32: Fix reference counter leak leading to overflow * CVE-2023-21400 - io_uring: ensure IOPOLL locks around deferred work * CVE-2023-4015 - netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain - netfilter: nf_tables: unbind non-anonymous set if rule construction fails - netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR * CVE-2023-3995 - netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID * CVE-2023-3777 - netfilter: nf_tables: skip bound chain on rule flush * losetup with mknod fails on jammy with kernel 5.15.0-69-generic (LP: #2015400) - loop: do not enforce max_loop hard limit by (new) default * Include the MAC address pass through function on RTL8153DD-CG (LP: #2020295) - r8152: add USB device driver for config selection * Jammy update: v5.15.116 upstream stable release (LP: #2029401) - RDMA/bnxt_re: Fix the page_size used during the MR creation - RDMA/efa: Fix unsupported page sizes in device - RDMA/hns: Fix base address table allocation - RDMA/hns: Modify the value of long message loopback slice - dmaengine: at_xdmac: Move the free desc to the tail of the desc list - dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved() - RDMA/bnxt_re: Fix a possible memory leak - RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx - iommu/rockchip: Fix unwind goto issue - iommu/amd: Don't block updates to GATag if guest mode is on - dmaengine: pl330: rename _start to prevent build error - riscv: Fix unused variable warning when BUILTIN_DTB is set - net/mlx5: fw_tracer, Fix event handling - net/mlx5e: Don't attach netdev profile while handling internal error - net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure - netrom: fix info-leak in nr_write_internal() - af_packet: Fix data-races of pkt_sk(sk)->num. - amd-xgbe: fix the false linkup in xgbe_phy_status - mtd: rawnand: ingenic: fix empty stub helper definitions - RDMA/irdma: Add SW mechanism to generate completions on error - RDMA/irdma: Prevent QP use after free - RDMA/irdma: Fix Local Invalidate fencing - af_packet: do not use READ_ONCE() in packet_bind() - tcp: deny tcp_disconnect() when threads are waiting - tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set - net/sched: sch_ingress: Only create under TC_H_INGRESS - net/sched: sch_clsact: Only create under TC_H_CLSACT - net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs - net/sched: Prohibit regrafting ingress or clsact Qdiscs - net: sched: fix NULL pointer dereference in mq_attach - net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report - udp6: Fix race condition in udp6_sendmsg & connect - net/mlx5e: Fix error handling in mlx5e_refresh_tirs - net/mlx5: Read embedded cpu after init bit cleared - net: dsa: mv88e6xxx: Increase wait after reset deactivation - mtd: rawnand: marvell: ensure timing values are written - mtd: rawnand: marvell: don't set the NAND frequency select - rtnetlink: call validate_linkmsg in rtnl_create_link - drm/amdgpu: release gpu full access after "amdgpu_device_ip_late_init" - watchdog: menz069_wdt: fix watchdog initialisation - ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs. - drm/amdgpu: Use the default reset when loading or reloading the driver - mailbox: mailbox-test: Fix potential double-free in mbox_test_message_write() - drm/ast: Fix ARM compatibility - btrfs: abort transaction when sibling keys check fails for leaves - ARM: 9295/1: unwind:fix unwind abort for uleb128 case - media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE - platform/x86: intel_scu_pcidrv: Add back PCI ID for Medfield - gfs2: Don't deref jdesc in evict - fbdev: imsttfb: Fix use after free bug in imsttfb_probe - fbdev: modedb: Add 1920x1080 at 60 Hz video mode - fbdev: stifb: Fix info entry in sti_struct on error path - nbd: Fix debugfs_create_dir error checking - block/rnbd: replace REQ_OP_FLUSH with REQ_OP_WRITE - nvme-pci: add NVME_QUIRK_BOGUS_NID for HS-SSD-FUTURE 2048G - nvme-pci: add quirk for missing secondary temperature thresholds - ASoC: dwc: limit the number of overrun messages - um: harddog: fix modular build - xfrm: Check if_id in inbound policy/secpath match - ASoC: dt-bindings: Adjust #sound-dai-cells on TI's single-DAI codecs - ASoC: ssm2602: Add workaround for playback distortions - media: dvb_demux: fix a bug for the continuity counter - media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer() - media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer() - media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer() - media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer - media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer() - media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address - media: netup_unidvb: fix irq init by register it at the end of probe - media: dvb_ca_en50221: fix a size write bug - media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb() - media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table - media: dvb-core: Fix use-after-free due on race condition at dvb_net - media: dvb-core: Fix use-after-free due to race at dvb_register_device() - media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221 - s390/pkey: zeroize key blobs - s390/topology: honour nr_cpu_ids when adding CPUs - ACPI: resource: Add IRQ override quirk for LG UltraPC 17U70P - wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value - ARM: dts: stm32: add pin map for CAN controller on stm32f7 - arm64/mm: mark private VM_FAULT_X defines as vm_fault_t - arm64: vdso: Pass (void *) to virt_to_page() - wifi: mac80211: simplify chanctx allocation - scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed - wifi: b43: fix incorrect __packed annotation - netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT - nvme-multipath: don't call blk_mark_disk_dead in nvme_mpath_remove_disk - ALSA: oss: avoid missing-prototype warnings - drm/msm: Be more shouty if per-process pgtables aren't working - atm: hide unused procfs functions - drm/amdgpu: skip disabling fence driver src_irqs when device is unplugged - nvme-pci: Add quirk for Teamgroup MP33 SSD - mailbox: mailbox-test: fix a locking issue in mbox_test_message_write() - media: uvcvideo: Don't expose unsupported formats to userspace - iio: accel: st_accel: Fix invalid mount_matrix on devices without ACPI _ONT method - iio: adc: mxs-lradc: fix the order of two cleanup operations - HID: google: add jewel USB id - HID: wacom: avoid integer overflow in wacom_intuos_inout() - iio: imu: inv_icm42600: fix timestamp reset - dt-bindings: iio: adc: renesas,rcar-gyroadc: Fix adi,ad7476 compatible value - iio: light: vcnl4035: fixed chip ID check - iio: adc: ad_sigma_delta: Fix IRQ issue by setting IRQ_DISABLE_UNLAZY flag - iio: dac: mcp4725: Fix i2c_master_send() return value handling - iio: adc: ad7192: Change "shorted" channels to differential - iio: dac: build ad5758 driver when AD5758 is selected - net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818 - dt-bindings: usb: snps,dwc3: Fix "snps,hsphy_interface" type - usb: gadget: f_fs: Add unbind event before functionfs_unbind - md/raid5: fix miscalculation of 'end_sector' in raid5_read_one_chunk() - misc: fastrpc: return -EPIPE to invocations on device removal - misc: fastrpc: reject new invocations during device removal - scsi: stex: Fix gcc 13 warnings - ata: libata-scsi: Use correct device no in ata_find_dev() - drm/amd/pm: reverse mclk and fclk clocks levels for vangogh - drm/amd/pm: reverse mclk and fclk clocks levels for yellow carp - drm/amd/pm: reverse mclk and fclk clocks levels for renoir - x86/boot: Wrap literal addresses in absolute_pointer() - ath6kl: Use struct_group() to avoid size-mismatched casting - block/blk-iocost (gcc13): keep large values in a new enum - mmc: vub300: fix invalid response handling - mmc: pwrseq: sd8787: Fix WILC CHIP_EN and RESETN toggling order - tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of UARTCTRL_SBK - btrfs: fix csum_tree_block page iteration to avoid tripping on -Werror=array-bounds - powerpc/iommu: Limit number of TCEs to 512 for H_STUFF_TCE hcall - iommu/amd: Fix domain flush size when syncing iotlb - usb: cdns3: allocate TX FIFO size according to composite EP number - usb: cdns3: fix NCM gadget RX speed 20x slow than expection at iMX8QM - block: fix revalidate performance regression - selinux: don't use make's grouped targets feature yet - tracing/probe: trace_probe_primary_from_call(): checked list_first_entry - selftests: mptcp: connect: skip if MPTCP is not supported - selftests: mptcp: pm nl: skip if MPTCP is not supported - selftests: mptcp: sockopt: skip if MPTCP is not supported - ext4: add EA_INODE checking to ext4_iget() - ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find() - ext4: disallow ea_inodes with extended attributes - ext4: add lockdep annotations for i_data_sem for ea_inode's - fbcon: Fix null-ptr-deref in soft_cursor - serial: 8250_tegra: Fix an error handling path in tegra_uart_probe() - test_firmware: fix the memory leak of the allocated firmware buffer - KVM: x86: Account fastpath-only VM-Exits in vCPU stats - ksmbd: fix credit count leakage - ksmbd: fix incorrect AllocationSize set in smb2_get_info - KEYS: asymmetric: Copy sig and digest in public_key_verify_signature() - regmap: Account for register length when chunking - tpm, tpm_tis: Request threaded interrupt handler - drm/rcar: stop using 'imply' for dependencies - [Config] updateconfigs for DRM_RCAR_LVDS - scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD) - scsi: dpt_i2o: Do not process completions with invalid addresses - [Config] updateconfigs for SCSI_DPT_I2O - drm/amdgpu/gfx10: Disable gfxoff before disabling powergating. - selftests: mptcp: diag: skip if MPTCP is not supported - selftests: mptcp: simult flows: skip if MPTCP is not supported - selftests: mptcp: join: skip if MPTCP is not supported - ext4: enable the lazy init thread when remounting read/write - ARM: defconfig: drop CONFIG_DRM_RCAR_LVDS - RDMA/irdma: Fix drain SQ hang with no completion - RDMA/irdma: Do not generate SW completions for NOPs - Linux 5.15.116 * CVE-2023-20593 - x86/cpu/amd: Move the errata checking functionality up - x86/cpu/amd: Add a Zenbleed fix * CVE-2023-4004 - netfilter: nft_set_pipapo: fix improper element removal * CVE-2023-3611 - net/sched: sch_qfq: refactor parsing of netlink parameters - net/sched: sch_qfq: account for stab overhead in qfq_enqueue * CVE-2023-3610 - netfilter: nf_tables: fix chain binding transaction logic * CVE-2023-2898 - f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io() * Backport support to tolerate ZSTD compressed firmware files (LP: #2028550) - firmware_loader: EXTRA_FIRMWARE does not support compressed files - firmware: Add the support for ZSTD-compressed firmware files - [Config] Enable FW_LOADER_COMPRESS_ZSTD by default * stacked overlay file system mounts that have chroot() called against them appear to be getting locked (by the kernel most likely?) (LP: #2016398) - SAUCE: overlayfs: fix reference count mismatch * kdump fails on big arm64 systems when offset is not specified (LP: #2024479) - arm64: mm: use IS_ENABLED(CONFIG_KEXEC_CORE) instead of #ifdef - arm64: kdump: Reimplement crashkernel=X - docs: kdump: Update the crashkernel description for arm64 - arm64: kdump: Do not allocate crash low memory if not needed - arm64/mm: Define defer_reserve_crashkernel() - arm64: kdump: Provide default size when crashkernel=Y, low is not specified - arm64: kdump: Support crashkernel=X fall back to reserve region above DMA zones * usbrtl sometimes doesn't reload firmware (LP: #2026028) - Bluetooth: btrtl: Ask ic_info to drop firmware * cifs: fix mid leak during reconnection after timeout threshold (LP: #2029138) - cifs: fix mid leak during reconnection after timeout threshold * Jammy update: v5.15.115 upstream stable release (LP: #2028799) - power: supply: bq27xxx: expose battery data when CI=1 - power: supply: bq27xxx: Move bq27xxx_battery_update() down - power: supply: bq27xxx: Ensure power_supply_changed() is called on current sign changes - power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize - power: supply: core: Refactor power_supply_set_input_current_limit_from_supplier() - power: supply: bq24190: Call power_supply_changed() after updating input current - bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps - net/mlx5: devcom only supports 2 ports - net/mlx5e: Fix deadlock in tc route query code - net/mlx5: Devcom, serialize devcom registration - platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering - platform/x86: ISST: Remove 8 socket limit - net: phy: mscc: enable VSC8501/2 RGMII RX clock - net: dsa: introduce helpers for iterating through ports using dp - net: dsa: mt7530: rework mt753[01]_setup - net: dsa: mt7530: split-off common parts from mt7531_setup - net: dsa: mt7530: fix network connectivity with multiple CPU ports - Bonding: add arp_missed_max option - bonding: fix send_peer_notif overflow - binder: fix UAF caused by faulty buffer cleanup - irqchip/mips-gic: Get rid of the reliance on irq_cpu_online() - irqchip/mips-gic: Use raw spinlock for gic_lock - net/mlx5e: Fix SQ wake logic in ptp napi_poll context - xdp: Allow registering memory model without rxq reference - net: page_pool: use in_softirq() instead - page_pool: fix inconsistency for page_pool_ring_[un]lock() - irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable - xdp: xdp_mem_allocator can be NULL in trace_mem_connect(). - bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() - Revert "binder_alloc: add missing mmap_lock calls when using the VMA" - Revert "android: binder: stop saving a pointer to the VMA" - binder: add lockless binder_alloc_(set|get)_vma() - binder: fix UAF of alloc->vma in race with munmap() - ipv{4,6}/raw: fix output xfrm lookup wrt protocol - netfilter: ctnetlink: Support offloaded conntrack entry deletion - Linux 5.15.115 * Jammy update: v5.15.114 upstream stable release (LP: #2028701) - usb: gadget: Properly configure the device for remote wakeup - usb: dwc3: fix gadget mode suspend interrupt handler issue - dt-bindings: ata: ahci-ceva: convert to yaml - dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries - watchdog: sp5100_tco: Immediately trigger upon starting. - ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15 - spi: fsl-spi: Re-organise transfer bits_per_word adaptation - spi: fsl-cpm: Use 16 bit mode for large transfers with even size - ocfs2: Switch to security_inode_init_security() - arm64: Also reset KASAN tag if page is not PG_mte_tagged - ALSA: hda/ca0132: add quirk for EVGA X299 DARK - ALSA: hda: Fix unhandled register update during auto-suspend period - ALSA: hda/realtek: Enable headset onLenovo M70/M90 - mmc: sdhci-esdhc-imx: make "no-mmc-hs400" works - ASoC: rt5682: Disable jack detection interrupt during suspend - net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize - m68k: Move signal frame following exception on 68020/030 - parisc: Handle kgdb breakpoints only in kernel context - parisc: Allow to reboot machine after system halt - gpio: mockup: Fix mode of debugfs files - btrfs: use nofs when cleaning up aborted transactions - dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type - selftests/memfd: Fix unknown type name build failure - parisc: Fix flush_dcache_page() for usage from irq context - perf/x86/uncore: Correct the number of CHAs on SPR - x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms - debugobjects: Don't wake up kswapd from fill_pool() - fbdev: udlfb: Fix endpoint check - net: fix stack overflow when LRO is disabled for virtual interfaces - udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). - USB: core: Add routines for endpoint checks in old drivers - USB: sisusbvga: Add endpoint checks - media: radio-shark: Add endpoint checks - ASoC: lpass: Fix for KASAN use_after_free out of bounds - net: fix skb leak in __skb_tstamp_tx() - selftests: fib_tests: mute cleanup error message - octeontx2-pf: Fix TSOv6 offload - bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields - ipv6: Fix out-of-bounds access in ipv6_find_tlv() - cifs: mapchars mount option ignored - power: supply: leds: Fix blink to LED on transition - power: supply: mt6360: add a check of devm_work_autocancel in mt6360_charger_probe - power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition - power: supply: bq27xxx: Fix I2C IRQ race on remove - power: supply: bq27xxx: Fix poll_interval handling and races on remove - power: supply: bq27xxx: Add cache parameter to bq27xxx_battery_current_and_status() - power: supply: sbs-charger: Fix INHIBITED bit for Status reg - firmware: arm_ffa: Check if ffa_driver remove is present before executing - firmware: arm_ffa: Fix FFA device names for logical partitions - fs: fix undefined behavior in bit shift for SB_NOUSER - regulator: pca9450: Fix BUCK2 enable_mask - coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet() - xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() - x86/show_trace_log_lvl: Ensure stack pointer is aligned, again - ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg - sctp: fix an issue that plpmtu can never go to complete state - forcedeth: Fix an error handling path in nv_probe() - platform/mellanox: mlxbf-pmc: fix sscanf() error checking - net/mlx5e: do as little as possible in napi poll when budget is 0 - net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs - net/mlx5: DR, Check force-loopback RC QP capability independently from RoCE - net/mlx5: Fix error message when failing to allocate device memory - net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device - arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay - firmware: arm_ffa: Set reserved/MBZ fields to zero in the memory descriptors - regulator: mt6359: add read check for PMIC MT6359 - 3c589_cs: Fix an error handling path in tc589_probe() - net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE - Linux 5.15.114 * Jammy update: v5.15.113 upstream stable release (LP: #2028408) - drm/mipi-dsi: Set the fwnode for mipi_dsi_device - ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings - net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe() - scsi: ufs: core: Fix I/O hang that occurs when BKOPS fails in W-LUN suspend - tick/broadcast: Make broadcast device replacement work correctly - linux/dim: Do nothing if no time delta between samples - net: stmmac: switch to use interrupt for hw crosstimestamping - net: stmmac: Initialize MAC_ONEUS_TIC_COUNTER register - net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs(). - netfilter: nf_tables: always release netdev hooks from notifier - netfilter: conntrack: fix possible bug_on with enable_hooks=1 - netlink: annotate accesses to nlk->cb_running - net: annotate sk->sk_err write from do_recvmmsg() - net: deal with most data-races in sk_wait_event() - net: add vlan_get_protocol_and_depth() helper - tcp: add annotations around sk->sk_shutdown accesses - gve: Remove the code of clearing PBA bit - net: datagram: fix data-races in datagram_poll() - af_unix: Fix a data race of sk->sk_receive_queue->qlen. - af_unix: Fix data races around sk->sk_shutdown. - drm/i915/dp: prevent potential div-by-zero - fbdev: arcfb: Fix error handling in arcfb_probe() - ext4: remove an unused variable warning with CONFIG_QUOTA=n - ext4: reflect error codes from ext4_multi_mount_protect() to its callers - ext4: fix lockdep warning when enabling MMP - ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set - ext4: allow ext4_get_group_info() to fail - refscale: Move shutdown from wait_event() to wait_event_idle() - rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access - fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() - drm/displayid: add displayid_get_header() and check bounds better - drm/amd/display: Use DC_LOG_DC in the trasform pixel function - regmap: cache: Return error in cache sync operations for REGCACHE_NONE - arm64: dts: qcom: msm8996: Add missing DWC3 quirks - media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and buffer_finish() - media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish - firmware: arm_sdei: Fix sleep from invalid context BUG - ACPI: EC: Fix oops when removing custom query handlers - remoteproc: stm32_rproc: Add mutex protection for workqueue - drm/tegra: Avoid potential 32-bit integer overflow - drm/msm/dp: Clean up handling of DP AUX interrupts - ACPICA: Avoid undefined behavior: applying zero offset to null pointer - ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects - drm/amd: Fix an out of bounds error in BIOS parser - media: Prefer designated initializers over memset for subdev pad ops - wifi: ath: Silence memcpy run-time false positive warning - bpf: Annotate data races in bpf_local_storage - wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex - ext2: Check block size validity during mount - scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow - bnxt: avoid overflow in bnxt_get_nvram_directory() - net: pasemi: Fix return type of pasemi_mac_start_tx() - net: Catch invalid index in XPS mapping - scsi: target: iscsit: Free cmds before session free - lib: cpu_rmap: Avoid use after free on rmap->obj array entries - scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition - gfs2: Fix inode height consistency check - scsi: ufs: ufs-pci: Add support for Intel Lunar Lake - ext4: set goal start correctly in ext4_mb_normalize_request - ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() - f2fs: fix to drop all dirty pages during umount() if cp_error is set - f2fs: fix to check readonly condition correctly - samples/bpf: Fix fout leak in hbm's run_bpf_prog - bpf: Add preempt_count_{sub,add} into btf id deny list - wifi: iwlwifi: pcie: fix possible NULL pointer dereference - wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf - null_blk: Always check queue mode setting from configfs - wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace - wifi: ath11k: Fix SKB corruption in REO destination ring - nbd: fix incomplete validation of ioctl arg - ipvs: Update width of source for ip_vs_sync_conn_options - Bluetooth: btintel: Add LE States quirk support - Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set - Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp - HID: logitech-hidpp: Don't use the USB serial for USB devices - HID: logitech-hidpp: Reconcile USB and Unifying serials - spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 - HID: wacom: generic: Set battery quirk only when we see battery data - usb: typec: tcpm: fix multiple times discover svids error - serial: 8250: Reinit port->pm on port specific driver unbind - mcb-pci: Reallocate memory region to avoid memory overlapping - sched: Fix KCSAN noinstr violation - recordmcount: Fix memory leaks in the uwrite function - RDMA/core: Fix multiple -Warray-bounds warnings - iommu/arm-smmu-qcom: Limit the SMR groups to 128 - fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode' - fs/ntfs3: Enhance the attribute size check - fs/ntfs3: Fix NULL dereference in ni_write_inode - fs/ntfs3: Validate MFT flags before replaying logs - fs/ntfs3: Add length check in indx_get_root - fs/ntfs3: Fix a possible null-pointer dereference in ni_clear() - clk: tegra20: fix gcc-7 constant overflow warning - iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any - iommu/sprd: Release dma buffer to avoid memory leak - Input: xpad - add constants for GIP interface numbers - phy: st: miphy28lp: use _poll_timeout functions for waits - soundwire: qcom: gracefully handle too many ports in DT - mfd: dln2: Fix memory leak in dln2_probe() - parisc: Replace regular spinlock with spin_trylock on panic path - platform/x86: hp-wmi: Support touchpad on/off - [Config] updateconfigs for X86_PLATFORM_DRIVERS_HP - platform/x86: Move existing HP drivers to a new hp subdir - platform/x86: hp-wmi: add micmute to hp_wmi_keymap struct - xfrm: don't check the default policy if the policy allows the packet - Revert "Fix XFRM-I support for nested ESP tunnels" - drm/msm/dp: unregister audio driver during unbind - drm/msm/dpu: Add INTF_5 interrupts - drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header - drm/msm/dpu: Remove duplicate register defines from INTF - dt-bindings: display/msm: dsi-controller-main: Document qcom, master-dsi and qcom, sync-dual-dsi - ASoC: fsl_micfil: Fix error handler with pm_runtime_enable - cpupower: Make TSC read per CPU for Mperf monitor - af_key: Reject optional tunnel/BEET mode templates in outbound policies - selftests: seg6: disable DAD on IPv6 router cfg for srv6_end_dt4_l3vpn_test - selftets: seg6: disable rp_filter by default in srv6_end_dt4_l3vpn_test - net: fec: Better handle pm_runtime_get() failing in .remove() - net: phy: dp83867: add w/a for packet errors seen with short cables - ALSA: firewire-digi00x: prevent potential use after free - ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15 - vsock: avoid to close connected socket after the timeout - tcp: fix possible sk_priority leak in tcp_v4_send_reset() - serial: arc_uart: fix of_iomap leak in `arc_serial_probe` - serial: 8250_bcm7271: balance clk_enable calls - serial: 8250_bcm7271: fix leak in `brcmuart_probe` - erspan: get the proto with the md version for collect_md - net: hns3: fix output information incomplete for dumping tx queue info with debugfs - net: hns3: fix sending pfc frames after reset issue - net: hns3: fix reset delay time to avoid configuration timeout - media: netup_unidvb: fix use-after-free at del_timer() - SUNRPC: double free xprt_ctxt while still in use - tracing: Introduce helpers to safely handle dynamic-sized sockaddrs - SUNRPC: Clean up svc_deferred_class trace events - SUNRPC: Remove dead code in svc_tcp_release_rqst() - SUNRPC: Remove svc_rqst::rq_xprt_hlen - SUNRPC: always free ctxt when freeing deferred request - SUNRPC: Fix trace_svc_register() call site - drm/exynos: fix g2d_open/close helper function definitions - net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() - virtio-net: Maintain reverse cleanup order - virtio_net: Fix error unwinding of XDP initialization - tipc: add tipc_bearer_min_mtu to calculate min mtu - tipc: do not update mtu if msg_max is too small in mtu negotiation - tipc: check the bearer min mtu properly when setting it by netlink - s390/cio: include subchannels without devices also for evaluation - net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop() - net: bcmgenet: Restore phy_stop() depending upon suspend/close - wifi: mac80211: fix min center freq offset tracing - wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock - wifi: iwlwifi: mvm: don't trust firmware n_channels - scsi: storvsc: Don't pass unused PFNs to Hyper-V host - cassini: Fix a memory leak in the error handling path of cas_init_one() - net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset - igb: fix bit_shift to be in [1..8] range - vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() - netfilter: nf_tables: fix nft_trans type confusion - netfilter: nft_set_rbtree: fix null deref on element insertion - bridge: always declare tunnel functions - ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go - USB: usbtmc: Fix direction for 0-length ioctl control messages - usb-storage: fix deadlock when a scsi command timeouts more than once - USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value - usb: dwc3: debugfs: Resume dwc3 before accessing registers - usb: gadget: u_ether: Fix host MAC address case - usb: typec: altmodes/displayport: fix pin_assignment_show - xhci-pci: Only run d3cold avoidance quirk for s2idle - xhci: Fix incorrect tracking of free space on transfer rings - ALSA: hda: Fix Oops by 9.1 surround channel names - ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table - ALSA: hda/realtek: Add quirk for Clevo L140AU - ALSA: hda/realtek: Add a quirk for HP EliteDesk 805 - ALSA: hda/realtek: Add quirk for 2nd ASUS GU603 - can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag - can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag - can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop() - can: kvaser_pciefd: Call request_irq() before enabling interrupts - can: kvaser_pciefd: Empty SRB buffer in probe - can: kvaser_pciefd: Clear listen-only bit if not explicitly requested - can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt - can: kvaser_pciefd: Disable interrupts in probe error path - SMB3: Close all deferred handles of inode in case of handle lease break - SMB3: drop reference to cfile before sending oplock break - ksmbd: smb2: Allow messages padded to 8byte boundary - ksmbd: allocate one more byte for implied bcc[0] - ksmbd: fix wrong UserName check in session_user - ksmbd: fix global-out-of-bounds in smb2_find_context_vals - statfs: enforce statfs[64] structure initialization - serial: Add support for Advantech PCI-1611U card - serial: 8250_exar: Add support for USR298x PCI Modems - serial: qcom-geni: fix enabling deactivated interrupt - thunderbolt: Clear registers properly when auto clear isn't in use - vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF - ceph: force updating the msg pointer in non-split case - powerpc/iommu: Incorrect DDW Table is referenced for SR-IOV device - tpm/tpm_tis: Disable interrupts for more Lenovo devices - powerpc/64s/radix: Fix soft dirty tracking - nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() - s390/qdio: fix do_sqbs() inline assembly constraint - HID: wacom: Force pen out of prox if no events have been received in a while - HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs - HID: wacom: add three styli to wacom_intuos_get_tool_type - Linux 5.15.113 * Jammy update: v5.15.112 upstream stable release (LP: #2026607) - ring-buffer: Ensure proper resetting of atomic variables in ring_buffer_reset_online_cpus - crypto: ccp - Clear PSP interrupt status register before calling handler - ubifs: Fix AA deadlock when setting xattr for encrypted file - ubifs: Fix memory leak in do_rename - bus: mhi: Move host MHI code to "host" directory - bus: mhi: host: Remove duplicate ee check for syserr - bus: mhi: host: Use mhi_tryset_pm_state() for setting fw error state - bus: mhi: host: Range check CHDBOFF and ERDBOFF - mailbox: zynq: Switch to flexible array to simplify code - mailbox: zynqmp: Fix counts of child nodes - ASoC: soc-pcm: use GFP_ATOMIC for dpcm structure - ASoC: soc-pcm: align BE 'atomicity' with that of the FE - ASoC: soc-pcm: Fix and cleanup DPCM locking - ASoC: soc-pcm: serialize BE triggers - ASoC: soc-pcm: test refcount before triggering - ASoC: soc-pcm: fix BE handling of PAUSE_RELEASE - fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup() - drm/hyperv: Don't overwrite dirt_needed value set by host - scsi: qedi: Fix use after free bug in qedi_remove() - net/ncsi: clear Tx enable mode when handling a Config required AEN - net/sched: cls_api: remove block_cb from driver_list before freeing - sit: update dev->needed_headroom in ipip6_tunnel_bind_dev() - selftests: srv6: make srv6_end_dt46_l3vpn_test more robust - net: dsa: mv88e6xxx: add mv88e6321 rsvd2cpu - writeback: fix call of incorrect macro - watchdog: dw_wdt: Fix the error handling path of dw_wdt_drv_probe() - RISC-V: mm: Enable huge page support to kernel_page_present() function - net/sched: act_mirred: Add carrier check - r8152: fix flow control issue of RTL8156A - r8152: fix the poor throughput for 2.5G devices - r8152: move setting r8153b_rx_agg_chg_indicate() - sfc: Fix module EEPROM reporting for QSFP modules - rxrpc: Fix hard call timeout units - octeontx2-af: Secure APR table update with the lock - octeontx2-af: Skip PFs if not enabled - octeontx2-pf: Disable packet I/O for graceful exit - octeontx2-vf: Detach LF resources on probe cleanup - ionic: remove noise from ethtool rxnfc error msg - ethtool: Fix uninitialized number of lanes - ionic: catch failure from devlink_alloc - af_packet: Don't send zero-byte data in packet_sendmsg_spkt(). - drm/amdgpu: add a missing lock for AMDGPU_SCHED - ALSA: caiaq: input: Add error handling for unsupported input methods in `snd_usb_caiaq_input_init` - net: dsa: mt7530: fix corrupt frames using trgmii on 40 MHz XTAL MT7621 - virtio_net: split free_unused_bufs() - virtio_net: suppress cpu stall when free_unused_bufs - net: enetc: check the index of the SFI rather than the handle - perf scripts intel-pt-events.py: Fix IPC output for Python 2 - perf vendor events power9: Remove UTF-8 characters from JSON files - perf pmu: zfree() expects a pointer to a pointer to zero it after freeing its contents - perf map: Delete two variable initialisations before null pointer checks in sort__sym_from_cmp() - crypto: sun8i-ss - Fix a test in sun8i_ss_setup_ivs() - crypto: engine - check if BH is disabled during completion - crypto: api - Add scaffolding to change completion function signature - crypto: engine - Use crypto_request_complete - crypto: engine - fix crypto_queue backlog handling - perf symbols: Fix return incorrect build_id size in elf_read_build_id() - perf evlist: Refactor evlist__for_each_cpu() - perf stat: Separate bperf from bpf_profiler - btrfs: fix btrfs_prev_leaf() to not return the same key twice - btrfs: zoned: fix wrong use of bitops API in btrfs_ensure_empty_zones - btrfs: fix encoded write i_size corruption with no-holes - btrfs: don't free qgroup space unless specified - btrfs: zero the buffer before marking it dirty in btrfs_redirty_list_add - btrfs: print-tree: parent bytenr must be aligned to sector size - btrfs: fix space cache inconsistency after error loading it from disk - cifs: fix pcchunk length type in smb2_copychunk_range - cifs: release leases for deferred close handles when freezing - platform/x86: touchscreen_dmi: Add upside-down quirk for GDIX1002 ts on the Juno Tablet - platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i - inotify: Avoid reporting event with invalid wd - smb3: fix problem remounting a share after shutdown - SMB3: force unmount was failing to close deferred close files - sh: math-emu: fix macro redefined warning - sh: mcount.S: fix build error when PRINTK is not enabled - sh: init: use OF_EARLY_FLATTREE for early init - sh: nmi_debug: fix return value of __setup handler - remoteproc: stm32: Call of_node_put() on iteration error - remoteproc: st: Call of_node_put() on iteration error - remoteproc: imx_rproc: Call of_node_put() on iteration error - ARM: dts: exynos: fix WM8960 clock name in Itop Elite - ARM: dts: s5pv210: correct MIPI CSIS clock name - drm/bridge: lt8912b: Fix DSI Video Mode - drm/msm: fix NULL-deref on snapshot tear down - drm/msm: fix NULL-deref on irq uninstall - f2fs: fix potential corruption when moving a directory - drm/panel: otm8009a: Set backlight parent to panel device - drm/amd/display: fix flickering caused by S/G mode - drm/amdgpu: fix an amdgpu_irq_put() issue in gmc_v9_0_hw_fini() - drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx ras - drm/amdgpu: Fix vram recover doesn't work after whole GPU reset (v2) - drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend - HID: wacom: Set a default resolution for older tablets - HID: wacom: insert timestamp to packed Bluetooth (BT) events - fs/ntfs3: Refactoring of various minor issues - ASoC: soc-pcm: Fix DPCM lockdep warning due to nested stream locks - ASoC: soc-compress: Inherit atomicity from DAI link for Compress FE - ASoC: soc-pcm: Move debugfs removal out of spinlock - ASoC: DPCM: Don't pick up BE without substream - ASoC: soc-pcm.c: call __soc_pcm_close() in soc_pcm_close() - drm/i915/dg2: Support 4k@30 on HDMI - drm/i915/dg2: Add additional HDMI pixel clock frequencies - drm/i915/dg2: Add HDMI pixel clock frequencies 267.30 and 319.89 MHz - drm/msm: Remove struct_mutex usage - drm/msm/adreno: fix runtime PM imbalance at gpu load - drm/amd/display: Refine condition of cursor visibility for pipe-split - drm/amd/display: Add NULL plane_state check for cursor disable logic - wifi: rtw88: rtw8821c: Fix rfe_option field width - ksmbd: set RSS capable in FSCTL_QUERY_NETWORK_INTERFACE_INFO - ksmbd: fix multi session connection failure - ksmbd: replace sessions list in connection with xarray - ksmbd: add channel rwlock - ksmbd: fix kernel oops from idr_remove() - ksmbd: fix racy issue while destroying session on multichannel - ksmbd: fix deadlock in ksmbd_find_crypto_ctx() - ksmbd: not allow guest user on multichannel - locking/rwsem: Add __always_inline annotation to __down_read_common() and inlined callers - ext4: fix WARNING in mb_find_extent - ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum - ext4: fix data races when using cached status extents - ext4: check iomap type only if ext4_iomap_begin() does not fail - ext4: improve error recovery code paths in __ext4_remount() - ext4: improve error handling from ext4_dirhash() - ext4: fix deadlock when converting an inline directory in nojournal mode - ext4: add bounds checking in get_max_inline_xattr_value_size() - ext4: bail out of ext4_xattr_ibody_get() fails for any reason - ext4: remove a BUG_ON in ext4_mb_release_group_pa() - ext4: fix invalid free tracking in ext4_xattr_move_to_block() - drm/msm/adreno: adreno_gpu: Use suspend() instead of idle() on load error - serial: 8250: Fix serial8250_tx_empty() race with DMA Tx - drbd: correctly submit flush bio on barrier - RISC-V: Fix up a cherry-pick warning in setup_vm_final() - drm/amd/display: Fix hang when skipping modeset - Linux 5.15.112 * CVE-2023-31084 // CVE-2023-31084 was assigned to this bug. - media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*() * CVE-2023-3776 - net/sched: cls_fw: Fix improper refcount update leads to use-after-free -- Thadeu Lima de Souza Cascardo