Jammy update: v5.15.34 upstream stable release

Bug #1969107 reported by Paolo Pisati
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Invalid
Undecided
Unassigned
Jammy
Fix Released
Medium
Unassigned

Bug Description

    SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

       v5.15.34 upstream stable release
       from git://git.kernel.org/

Linux 5.15.34
stacktrace: move filter_irq_stacks() to kernel/stacktrace.c
powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit
static_call: Don't make __static_call_return0 static
mm/sparsemem: fix 'mem_section' will never be NULL gcc 12 warning
irqchip/gic, gic-v3: Prevent GSI to SGI translations
powerpc/64: Fix build failure with allyesconfig in book3s_64_entry.S
irqchip/gic-v4: Wait for GICR_VPENDBASER.Dirty to clear before descheduling
x86,static_call: Fix __static_call_return0 for i386
sched: Teach the forced-newidle balancer about CPU affinity limitation.
x86/bug: Prevent shadowing in __WARN_FLAGS
Drivers: hv: vmbus: Replace smp_store_mb() with virt_store_mb()
mm: don't skip swap entry even if zap_details specified
selftests: cgroup: Test open-time cgroup namespace usage for migration checks
selftests: cgroup: Test open-time credential usage for migration checks
selftests: cgroup: Make cg_create() use 0755 for permission instead of 0644
ubsan: remove CONFIG_UBSAN_OBJECT_SIZE
Revert "net/mlx5: Accept devlink user input after driver initialization complete"
KVM: avoid NULL pointer dereference in kvm_dirty_ring_push
dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on error"
tools build: Use $(shell ) instead of `` to get embedded libperl's ccopts
tools build: Filter out options and warnings not supported by clang
perf python: Fix probing for some clang command line options
perf build: Don't use -ffat-lto-objects in the python feature test when building with clang-13
Revert "nbd: fix possible overflow on 'first_minor' in nbd_dev_add()"
SUNRPC: Don't call connect() more than once on a TCP socket
rtc: mc146818-lib: fix signedness bug in mc146818_get_time()
selftests/bpf: Fix u8 narrow load checks for bpf_sk_lookup remote_port
bpf: Make remote_port field in struct bpf_sk_lookup 16-bit wide
Revert "selftests: net: Add tls config dependency for tls selftests"
net/smc: send directly on setting TCP_NODELAY
KVM: SVM: Allow AVIC support on system w/ physical APIC ID > 255
drm/amdgpu: don't use BACO for reset in S3
drm/amdkfd: Create file descriptor after client is added to smi_clients list
drm/nouveau/pmu: Add missing callbacks for Tegra devices
drm/amdgpu/vcn: Fix the register setting for vcn1
drm/amdgpu/smu10: fix SoC/fclk units in auto mode
drm/amdgpu/display: change pipe policy for DCN 2.1
drm/panel: ili9341: fix optional regulator handling
SUNRPC: Prevent immediate close+reconnect
amd/display: set backlight only if required
fbdev: Fix unregistering of framebuffers without device
irqchip/gic-v3: Fix GICR_CTLR.RWP polling
perf/core: Inherit event_caps
perf: qcom_l2_pmu: fix an incorrect NULL check on list iterator
ata: sata_dwc_460ex: Fix crash due to OOB write
perf/x86/intel: Don't extend the pseudo-encoding to GP counters
x86/mm/tlb: Revert retpoline avoidance approach
x86/msi: Fix msi message data shadow struct
gpio: Restrict usage of GPIO chip irq members before initialization
RDMA/hfi1: Fix use-after-free bug for mm struct
arm64: patch_text: Fixup last cpu should be master
spi: core: add dma_map_dev for __spi_unmap_msg()
btrfs: prevent subvol with swapfile from being deleted
btrfs: fix qgroup reserve overflow the qgroup limit
perf/x86/intel: Update the FRONTEND MSR mask on Sapphire Rapids
x86/speculation: Restore speculation related MSRs during S3 resume
x86/pm: Save the MSR validity status at context setup
io_uring: fix race between timeout flush and removal
io_uring: implement compat handling for IORING_REGISTER_IOWQ_AFF
io_uring: defer splice/tee file validity check until command issue
io_uring: don't check req->file in io_fsync_prep()
mm/mempolicy: fix mpol_new leak in shared_policy_replace
mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0)
highmem: fix checks in __kmap_local_sched_{in,out}
lz4: fix LZ4_decompress_safe_partial read out of bound
mmc: core: Fixup support for writeback-cache for eMMC and SD
mmc: renesas_sdhi: don't overwrite TAP settings when HS400 tuning is complete
mmc: mmci: stm32: correctly check all elements of sg list
mmc: block: Check for errors after write on SPI
Revert "mmc: sdhci-xenon: fix annoying 1.8V regulator warning"
scsi: ufs: ufs-pci: Add support for Intel MTL
scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()
arm64: Add part number for Arm Cortex-A78AE
perf session: Remap buf if there is no space for event
perf tools: Fix perf's libperf_print callback
perf: arm-spe: Fix perf report --mem-mode
iommu/omap: Fix regression in probe for NULL pointer dereference
SUNRPC: svc_tcp_sendmsg() should handle errors from xdr_alloc_bvec()
SUNRPC: Handle low memory situations in call_status()
SUNRPC: Handle ENOMEM in call_transmit_status()
io_uring: don't touch scm_fp_list after queueing skb
io_uring: nospec index for tags on files update
scsi: ufs: ufshpb: Fix a NULL check on list iterator
drbd: Fix five use after free bugs in get_initial_state
bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
spi: bcm-qspi: fix MSPI only access with bcm_qspi_exec_mem_op()
qede: confirm skb is allocated before using
net: phy: mscc-miim: reject clause 45 register accesses
net: sfc: fix using uninitialized xdp tx_queue
rxrpc: fix a race in rxrpc_exit_net()
net: openvswitch: fix leak of nested actions
net: ethernet: mv643xx: Fix over zealous checking of_get_mac_address()
net: openvswitch: don't send internal clone attribute to the userspace.
ice: xsk: fix VSI state check in ice_xsk_wakeup()
ice: synchronize_rcu() when terminating rings
ipv6: Fix stats accounting in ip6_pkt_drop
ice: Do not skip not enabled queues in ice_vc_dis_qs_msg
ice: Set txq_teid to ICE_INVAL_TEID on ring creation
dpaa2-ptp: Fix refcount leak in dpaa2_ptp_probe
sctp: count singleton chunks in assoc user stats
IB/rdmavt: add lock to call to rvt_error_qp to prevent a race condition
IB/cm: Cancel mad on the DREQ event when the state is MRA_REP_RCVD
RDMA/mlx5: Add a missing update of cache->last_add
RDMA/mlx5: Don't remove cache MRs when a delay is needed
sfc: Do not free an empty page_ring
bnxt_en: Prevent XDP redirect from running when stopping TX queue
bnxt_en: reserve space inside receive page for skb_shared_info
bnxt_en: Synchronize tx when xdp redirects happen on same ring
arch/arm64: Fix topology initialization for core scheduling
regulator: atc260x: Fix missing active_discharge_on setting
regulator: rtq2134: Fix missing active_discharge_on setting
drm/imx: dw_hdmi-imx: Fix bailout in error cases of probe
drm/imx: Fix memory leak in imx_pd_connector_get_modes
drm/imx: imx-ldb: Check for null pointer after calling kmemdup
net: stmmac: Fix unset max_speed difference between DT and non-DT platforms
net: ipv4: fix route with nexthop object delete warning
mctp: Fix check for dev_hard_header() result
ice: Clear default forwarding VSI during VSI release
skbuff: fix coalescing for page_pool fragment recycling
vrf: fix packet sniffing for traffic originating from ip tunnels
net/tls: fix slab-out-of-bounds bug in decrypt_internal
net: sfc: add missing xdp queue reinitialization
vdpa: mlx5: prevent cvq work from hogging CPU
vdpa/mlx5: Propagate link status from device to vdpa driver
vdpa/mlx5: Rename control VQ workqueue to vdpa wq
scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()
scsi: core: Fix sbitmap depth in scsi_realloc_sdev_budget_map()
scsi: sr: Fix typo in CDROM(CLOSETRAY|EJECT) handling
NFSv4: fix open failure with O_ACCMODE flag
Revert "NFSv4: Handle the special Linux file open access mode"
Drivers: hv: vmbus: Fix potential crash on module unload
drm/amdgpu: fix off by one in amdgpu_gfx_kiq_acquire()
rtc: mc146818-lib: fix RTC presence check
rtc: Check return value from mc146818_get_time()
rtc: mc146818-lib: change return values of mc146818_get_time()
mm: fix race between MADV_FREE reclaim and blkdev direct IO read
parisc: Fix patch code locking and flushing
parisc: Fix CPU affinity for Lasi, WAX and Dino chips
selftests: net: Add tls config dependency for tls selftests
NFS: Avoid writeback threads getting stuck in mempool_alloc()
NFS: nfsiod should not block forever in mempool_alloc()
SUNRPC: Fix socket waits for write buffer space
jfs: prevent NULL deref in diFree
virtio_console: eliminate anonymous module_init & module_exit
serial: samsung_tty: do not unlock port->lock for uart_write_wakeup()
x86/Kconfig: Do not allow CONFIG_X86_X32_ABI=y with llvm-objcopy
x86: Annotate call_on_stack()
NFS: swap-out must always use STABLE writes.
NFS: swap IO handling is slightly different for O_DIRECT IO
SUNRPC: remove scheduling boost for "SWAPPER" tasks.
SUNRPC/xprt: async tasks mustn't block waiting for memory
SUNRPC/call_alloc: async tasks mustn't block waiting for memory
clk: Enforce that disjoints limits are invalid
clk: ti: Preserve node in ti_dt_clocks_register()
xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu>=32
habanalabs: fix possible memory leak in MMU DR fini
NFSv4: Protect the state recovery thread against direct reclaim
NFSv4.2: fix reference count leaks in _nfs42_proc_copy_notify()
w1: w1_therm: fixes w1_seq for ds28ea00 sensors
staging: wfx: fix an error handling in wfx_init_common()
opp: Expose of-node's name in debugfs
cpufreq: CPPC: Fix performance/frequency conversion
clk: rockchip: drop CLK_SET_RATE_PARENT from dclk_vop* on rk3568
phy: amlogic: meson8b-usb2: fix shared reset control use
phy: amlogic: meson8b-usb2: Use dev_err_probe()
phy: amlogic: phy-meson-gxl-usb2: fix shared reset controller use
staging: vchiq_core: handle NULL result of find_service_by_handle
staging: vchiq_arm: Avoid NULL ptr deref in vchiq_dump_platform_instances
clk: si5341: fix reported clk_rate when output divider is 2
minix: fix bug when opening a file with O_DIRECT
init/main.c: return 1 from handled __setup() functions
lib/Kconfig.debug: add ARCH dependency for FUNCTION_ALIGN option
ceph: fix memory leak in ceph_readdir when note_last_dentry returns error
ceph: fix inode reference leakage in ceph_get_snapdir()
netlabel: fix out-of-bounds memory accesses
netfilter: conntrack: revisit gc autotuning
Bluetooth: Fix use after free in hci_send_acl
MIPS: ingenic: correct unit node address
xtensa: fix DTC warning unit_address_format
mt76: fix monitor mode crash with sdio driver
usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm
net: sfp: add 2500base-X quirk for Lantech SFP module
net/mlx5e: Remove overzealous validations in netlink EEPROM query
net: limit altnames to 64k total
net: account alternate interface name memory
riscv: Fixed misaligned memory access. Fixed pointer comparison.
can: etas_es58x: es58x_fd_rx_event_msg(): initialize rx_event_msg before calling es58x_check_msg_len()
can: isotp: set default value for N_As to 50 micro seconds
scsi: libfc: Fix use after free in fc_exch_abts_resp()
powerpc/secvar: fix refcount leak in format_show()
powerpc/64e: Tie PPC_BOOK3E_64 to PPC_FSL_BOOK3E
MIPS: fix fortify panic when copying asm exception handlers
PCI: endpoint: Fix misused goto label
bnxt_en: Eliminate unintended link toggle during FW reset
Bluetooth: use memset avoid memory leaks
Bluetooth: Fix not checking for valid hdev on bt_dev_{info,warn,err,dbg}
tuntap: add sanity checks about msg_controllen in sendmsg
macvtap: advertise link netns via netlink
mips: ralink: fix a refcount leak in ill_acc_of_setup()
net/smc: correct settings of RMB window update limit
scsi: hisi_sas: Limit users changing debugfs BIST count value
scsi: hisi_sas: Free irq vectors in order for v3 HW
scsi: aha152x: Fix aha152x_setup() __setup handler return value
mt76: mt7615: Fix assigning negative values to unsigned variable
powerpc/64s/hash: Make hash faults work in NMI context
mt76: mt7915: fix injected MPDU transmission to not use HW A-MSDU
scsi: pm8001: Fix memory leak in pm8001_chip_fw_flash_update_req()
scsi: pm8001: Fix tag leaks on error
scsi: pm8001: Fix task leak in pm8001_send_abort_all()
scsi: pm8001: Fix pm8001_mpi_task_abort_resp()
scsi: pm8001: Fix pm80xx_pci_mem_copy() interface
vfio/pci: Stub vfio_pci_vga_rw when !CONFIG_VFIO_PCI_VGA
drm/amdkfd: make CRAT table missing message informational only
dm: requeue IO if mapping table not yet available
dm ioctl: prevent potential spectre v1 gadget
ipv4: Invalidate neighbour for broadcast address upon address addition
drm/msm/dsi: Remove spurious IRQF_ONESHOT flag
iwlwifi: mvm: move only to an enabled channel
iwlwifi: mvm: Correctly set fragmented EBS
usb: dwc3: pci: Set the swnode from inside dwc3_pci_quirks()
net/mlx5e: Disable TX queues before registering the netdev
power: supply: axp288-charger: Set Vhold to 4.4V
powerpc/set_memory: Avoid spinlock recursion in change_page_attr()
scsi: mpi3mr: Fix memory leaks
scsi: mpi3mr: Fix reporting of actual data transfer size
PCI: pciehp: Add Qualcomm quirk for Command Completed erratum
tcp: Don't acquire inet_listen_hashbucket::lock with disabled BH.
PCI: endpoint: Fix alignment fault error in copy tests
usb: ehci: add pci device support for Aspeed platforms
iommu/arm-smmu-v3: fix event handling soft lockup
PCI: aardvark: Fix support for MSI interrupts
scsi: smartpqi: Fix kdump issue when controller is locked up
drm/amdgpu: Fix recursive locking warning
powerpc: Set crashkernel offset to mid of RMA region
net: initialize init_net earlier
ipv6: make mc_forwarding atomic
libbpf: Fix build issue with llvm-readelf
cfg80211: don't add non transmitted BSS to 6GHz scanned channels
mt76: dma: initialize skip_unmap in mt76_dma_rx_fill
mt76: mt7921: fix crash when startup fails.
power: supply: axp20x_battery: properly report current when discharging
drm/v3d: fix missing unlock
scsi: bfa: Replace snprintf() with sysfs_emit()
scsi: mvsas: Replace snprintf() with sysfs_emit()
bpf: Make dst_port field in struct bpf_sock 16-bit wide
drm/bridge: Add missing pm_runtime_put_sync
net/smc: Send directly when TCP_CORK is cleared
ath11k: mhi: use mhi_sync_power_up()
ath11k: pci: fix crash on suspend if board file is not found
ath11k: fix kernel panic during unload/load ath11k modules
powerpc: dts: t104xrdb: fix phy type for FMAN 4/5
drm/amdkfd: Don't take process mutex for svm ioctls
ptp: replace snprintf with sysfs_emit
usb: cdnsp: fix cdnsp_decode_trb function to properly handle ret value
usb: gadget: tegra-xudc: Fix control endpoint's definitions
usb: gadget: tegra-xudc: Do not program SPARAM
drm/amd/display: Use PSR version selected during set_psr_caps
drm/amd/display: Fix memory leak
drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj
drm/amd/display: Add signal type check when verify stream backends same
ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
drm: Add orientation quirk for GPD Win Max
KVM: x86/emulator: Emulate RDPID only if it is enabled in guest
KVM: x86/pmu: Fix and isolate TSX-specific performance event logic
KVM: x86/svm: Clear reserved bits written to PerfEvtSeln MSRs
KVM: SVM: Fix kvm_cache_regs.h inclusions for is_guest_mode()
KVM: x86/pmu: Use different raw event masks for AMD and Intel
kfence: limit currently covered allocations when pool nearly full
kfence: move saving stack trace of allocations into __kfence_alloc()
kfence: count unexpectedly skipped allocations
nbd: fix possible overflow on 'first_minor' in nbd_dev_add()
nbd: Fix hungtask when nbd_config_put
nbd: Fix incorrect error handle when first_minor is illegal in nbd_dev_add
nbd: add error handling support for add_disk()
rtc: wm8350: Handle error for wm8350_register_irq
um: fix and optimize xor select template for CONFIG64 and timetravel mode
lib/logic_iomem: correct fallback config references

CVE References

Paolo Pisati (p-pisati)
Changed in linux (Ubuntu):
status: New → Confirmed
tags: added: kernel-stable-tracking-bug
Stefan Bader (smb)
Changed in linux (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu Jammy):
importance: Undecided → Medium
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (101.7 KiB)

This bug was fixed in the package linux - 5.15.0-35.36

---------------
linux (5.15.0-35.36) jammy; urgency=medium

  * CVE-2022-21499
    - SAUCE: debug: Lock down kgdb

linux (5.15.0-34.35) jammy; urgency=medium

  * jammy/linux: 5.15.0-34.35 -proposed tracker (LP: #1974322)

  * AMD APU s2idle is broken after the ASIC reset fix (LP: #1972134)
    - drm/amdgpu: unify BO evicting method in amdgpu_ttm
    - drm/amdgpu: explicitly check for s0ix when evicting resources

  * amd_gpio AMDI0030:00: Failed to translate GPIO pin 0x0000 to IRQ, err -517
    (LP: #1971597)
    - gpio: Request interrupts after IRQ is initialized

  * config CONFIG_HISI_PMU for kunpeng920 (LP: #1956086)
    - [Config] CONFIG_HISI_PMU=m

  * Mute/mic LEDs no function on EliteBook G9 platfroms (LP: #1970552)
    - ALSA: hda/realtek: Enable mute/micmute LEDs support for HP Laptops

  * network-manager/1.36.4-2ubuntu1 ADT test failure with linux/5.15.0-28.29
    (LP: #1971418)
    - Revert "rfkill: make new event layout opt-in"

  * PCIE LnkCtl ASPM not enabled under VMD mode for Alder Lake platforms
    (LP: #1942160)
    - SAUCE: vmd: fixup bridge ASPM by driver name instead

  * Mute/mic LEDs no function on HP EliteBook 845/865 G9 (LP: #1970178)
    - ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook
      845/865 G9

  * Enable headset mic on Lenovo P360 (LP: #1967069)
    - ALSA: hda/realtek: Enable headset mic on Lenovo P360

  * WCN6856 BT keep in OFF state after coldboot system (LP: #1967067)
    - Bluetooth: btusb: Improve stability for QCA devices

  * Screen sometimes can't update [Failed to post KMS update: CRTC property
    (GAMMA_LUT) not found] (LP: #1967274)
    - drm/i915/xelpd: Enable Pipe color support for D13 platform
    - drm/i915: Use unlocked register accesses for LUT loads
    - drm/i915/xelpd: Enable Pipe Degamma
    - drm/i915/xelpd: Add Pipe Color Lut caps to platform config

  * Jammy update: v5.15.35 upstream stable release (LP: #1969857)
    - drm/amd/display: Add pstate verification and recovery for DCN31
    - drm/amd/display: Fix p-state allow debug index on dcn31
    - hamradio: defer 6pack kfree after unregister_netdev
    - hamradio: remove needs_free_netdev to avoid UAF
    - cpuidle: PSCI: Move the `has_lpi` check to the beginning of the function
    - ACPI: processor idle: Check for architectural support for LPI
    - ACPI: processor: idle: fix lockup regression on 32-bit ThinkPad T40
    - btrfs: remove unused parameter nr_pages in add_ra_bio_pages()
    - btrfs: remove no longer used counter when reading data page
    - btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups()
    - soc: qcom: aoss: Expose send for generic usecase
    - dt-bindings: net: qcom,ipa: add optional qcom,qmp property
    - net: ipa: request IPA register values be retained
    - btrfs: release correct delalloc amount in direct IO write path
    - ALSA: core: Add snd_card_free_on_error() helper
    - ALSA: sis7019: Fix the missing error handling
    - ALSA: ali5451: Fix the missing snd_card_free() call at probe error
    - ALSA: als300: Fix the missing snd_card_free() call at probe error
    - ALSA: als4000: Fix ...

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers