Jammy update: v5.15.35 upstream stable release

Bug #1969857 reported by Kamal Mostafa
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Invalid
Medium
Kamal Mostafa
Jammy
Fix Released
Medium
Kamal Mostafa

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

       v5.15.35 upstream stable release
       from git://git.kernel.org/

drm/amd/display: Add pstate verification and recovery for DCN31
drm/amd/display: Fix p-state allow debug index on dcn31
hamradio: defer 6pack kfree after unregister_netdev
hamradio: remove needs_free_netdev to avoid UAF
cpuidle: PSCI: Move the `has_lpi` check to the beginning of the function
ACPI: processor idle: Check for architectural support for LPI
ACPI: processor: idle: fix lockup regression on 32-bit ThinkPad T40
btrfs: remove unused parameter nr_pages in add_ra_bio_pages()
btrfs: remove no longer used counter when reading data page
btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups()
soc: qcom: aoss: Expose send for generic usecase
dt-bindings: net: qcom,ipa: add optional qcom,qmp property
net: ipa: request IPA register values be retained
btrfs: release correct delalloc amount in direct IO write path
ALSA: core: Add snd_card_free_on_error() helper
ALSA: sis7019: Fix the missing error handling
ALSA: ali5451: Fix the missing snd_card_free() call at probe error
ALSA: als300: Fix the missing snd_card_free() call at probe error
ALSA: als4000: Fix the missing snd_card_free() call at probe error
ALSA: atiixp: Fix the missing snd_card_free() call at probe error
ALSA: au88x0: Fix the missing snd_card_free() call at probe error
ALSA: aw2: Fix the missing snd_card_free() call at probe error
ALSA: azt3328: Fix the missing snd_card_free() call at probe error
ALSA: bt87x: Fix the missing snd_card_free() call at probe error
ALSA: ca0106: Fix the missing snd_card_free() call at probe error
ALSA: cmipci: Fix the missing snd_card_free() call at probe error
ALSA: cs4281: Fix the missing snd_card_free() call at probe error
ALSA: cs5535audio: Fix the missing snd_card_free() call at probe error
ALSA: echoaudio: Fix the missing snd_card_free() call at probe error
ALSA: emu10k1x: Fix the missing snd_card_free() call at probe error
ALSA: ens137x: Fix the missing snd_card_free() call at probe error
ALSA: es1938: Fix the missing snd_card_free() call at probe error
ALSA: es1968: Fix the missing snd_card_free() call at probe error
ALSA: fm801: Fix the missing snd_card_free() call at probe error
ALSA: galaxy: Fix the missing snd_card_free() call at probe error
ALSA: hdsp: Fix the missing snd_card_free() call at probe error
ALSA: hdspm: Fix the missing snd_card_free() call at probe error
ALSA: ice1724: Fix the missing snd_card_free() call at probe error
ALSA: intel8x0: Fix the missing snd_card_free() call at probe error
ALSA: intel_hdmi: Fix the missing snd_card_free() call at probe error
ALSA: korg1212: Fix the missing snd_card_free() call at probe error
ALSA: lola: Fix the missing snd_card_free() call at probe error
ALSA: lx6464es: Fix the missing snd_card_free() call at probe error
ALSA: maestro3: Fix the missing snd_card_free() call at probe error
ALSA: oxygen: Fix the missing snd_card_free() call at probe error
ALSA: riptide: Fix the missing snd_card_free() call at probe error
ALSA: rme32: Fix the missing snd_card_free() call at probe error
ALSA: rme9652: Fix the missing snd_card_free() call at probe error
ALSA: rme96: Fix the missing snd_card_free() call at probe error
ALSA: sc6000: Fix the missing snd_card_free() call at probe error
ALSA: sonicvibes: Fix the missing snd_card_free() call at probe error
ALSA: via82xx: Fix the missing snd_card_free() call at probe error
ALSA: usb-audio: Cap upper limits of buffer/period bytes for implicit fb
ALSA: nm256: Don't call card private_free at probe error path
drm/msm: Add missing put_task_struct() in debugfs path
firmware: arm_scmi: Remove clear channel call on the TX channel
memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
Revert "ath11k: mesh: add support for 256 bitmap in blockack frames in 11ax"
firmware: arm_scmi: Fix sorting of retrieved clock rates
media: rockchip/rga: do proper error checking in probe
SUNRPC: Fix the svc_deferred_event trace class
net/sched: flower: fix parsing of ethertype following VLAN header
veth: Ensure eth header is in skb's linear part
gpiolib: acpi: use correct format characters
cifs: release cached dentries only if mount is complete
net: mdio: don't defer probe forever if PHY IRQ provider is missing
mlxsw: i2c: Fix initialization error flow
net/sched: fix initialization order when updating chain 0 head
net: dsa: felix: suppress -EPROBE_DEFER errors
net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
net/sched: taprio: Check if socket flags are valid
cfg80211: hold bss_lock while updating nontrans_list
netfilter: nft_socket: make cgroup match work in input too
drm/msm: Fix range size vs end confusion
drm/msm/dsi: Use connector directly in msm_dsi_manager_connector_init()
drm/msm/dp: add fail safe mode outside of event_mutex context
net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
scsi: pm80xx: Mask and unmask upper interrupt vectors 32-63
scsi: pm80xx: Enable upper inbound, outbound queues
scsi: iscsi: Move iscsi_ep_disconnect()
scsi: iscsi: Fix offload conn cleanup when iscsid restarts
scsi: iscsi: Fix endpoint reuse regression
scsi: iscsi: Fix conn cleanup and stop race during iscsid restart
scsi: iscsi: Fix unbound endpoint error handling
sctp: Initialize daddr on peeled off socket
netfilter: nf_tables: nft_parse_register can return a negative value
ALSA: ad1889: Fix the missing snd_card_free() call at probe error
ALSA: mtpav: Don't call card private_free at probe error path
io_uring: move io_uring_rsrc_update2 validation
io_uring: verify that resv2 is 0 in io_uring_rsrc_update2
io_uring: verify pad field is 0 in io_get_ext_arg
testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu set
ALSA: usb-audio: Increase max buffer size
ALSA: usb-audio: Limit max buffer and period sizes per time
perf tools: Fix misleading add event PMU debug message
macvlan: Fix leaking skb in source mode with nodst option
net: ftgmac100: access hardware register after clock ready
nfc: nci: add flush_workqueue to prevent uaf
cifs: potential buffer overflow in handling symlinks
dm mpath: only use ktime_get_ns() in historical selector
vfio/pci: Fix vf_token mechanism when device-specific VF drivers are used
net: bcmgenet: Revert "Use stronger register read/writes to assure ordering"
block: fix offset/size check in bio_trim()
drm/amd: Add USBC connector ID
btrfs: fix fallocate to use file_modified to update permissions consistently
btrfs: do not warn for free space inode in cow_file_range
drm/amdgpu: conduct a proper cleanup of PDB bo
drm/amdgpu/gmc: use PCI BARs for APUs in passthrough
drm/amd/display: fix audio format not updated after edid updated
drm/amd/display: FEC check in timing validation
drm/amd/display: Update VTEM Infopacket definition
drm/amdkfd: Fix Incorrect VMIDs passed to HWS
drm/amdgpu/vcn: improve vcn dpg stop procedure
drm/amdkfd: Check for potential null return of kmalloc_array()
Drivers: hv: vmbus: Deactivate sysctl_record_panic_msg by default in isolated guests
PCI: hv: Propagate coherence from VMbus device to PCI device
Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
scsi: target: tcmu: Fix possible page UAF
scsi: lpfc: Fix queue failures when recovering from PCI parity error
scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
net: micrel: fix KS8851_MLL Kconfig
ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
gpu: ipu-v3: Fix dev_dbg frequency output
regulator: wm8994: Add an off-on delay for WM8994 variant
arm64: alternatives: mark patch_alternative() as `noinstr`
tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry
net: axienet: setup mdio unconditionally
Drivers: hv: balloon: Disable balloon and hot-add accordingly
net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
myri10ge: fix an incorrect free for skb in myri10ge_sw_tso
spi: cadence-quadspi: fix protocol setup for non-1-1-X operations
drm/amd/display: Enable power gating before init_pipes
drm/amd/display: Revert FEC check in validation
drm/amd/display: Fix allocate_mst_payload assert on resume
drbd: set QUEUE_FLAG_STABLE_WRITES
scsi: mpt3sas: Fail reset operation if config request timed out
scsi: mvsas: Add PCI ID of RocketRaid 2640
scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan
drivers: net: slip: fix NPD bug in sl_tx_timeout()
io_uring: zero tag on rsrc removal
io_uring: use nospec annotation for more indexes
perf/imx_ddr: Fix undefined behavior due to shift overflowing the constant
mm/secretmem: fix panic when growing a memfd_secret
mm, page_alloc: fix build_zonerefs_node()
mm: fix unexpected zeroed page mapping with zram swap
mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
KVM: x86/mmu: Resolve nx_huge_pages when kvm.ko is loaded
SUNRPC: Fix NFSD's request deferral on RDMA transports
memory: renesas-rpc-if: fix platform-device leak in error path
gcc-plugins: latent_entropy: use /dev/urandom
cifs: verify that tcon is valid before dereference in cifs_kill_sb
ath9k: Properly clear TX status area before reporting to mac80211
ath9k: Fix usage of driver-private space in tx_info
btrfs: fix root ref counts in error handling in btrfs_get_root_ref
btrfs: mark resumed async balance as writing
ALSA: hda/realtek: Add quirk for Clevo PD50PNT
ALSA: hda/realtek: add quirk for Lenovo Thinkpad X12 speakers
ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
nl80211: correctly check NL80211_ATTR_REG_ALPHA2 size
ipv6: fix panic when forwarding a pkt with no in6 dev
drm/amd/display: don't ignore alpha property on pre-multiplied mode
drm/amdgpu: Enable gfxoff quirk on MacBook Pro
x86/tsx: Use MSR_TSX_CTRL to clear CPUID bits
x86/tsx: Disable TSX development mode at boot
genirq/affinity: Consider that CPUs on nodes can be unbalanced
tick/nohz: Use WARN_ON_ONCE() to prevent console saturation
ARM: davinci: da850-evm: Avoid NULL pointer dereference
dm integrity: fix memory corruption when tag_size is less than digest size
i2c: dev: check return value when calling dev_set_name()
smp: Fix offline cpu check in flush_smp_call_function_queue()
i2c: pasemi: Wait for write xfers to finish
dt-bindings: net: snps: remove duplicate name
timers: Fix warning condition in __run_timers()
dma-direct: avoid redundant memory sync for swiotlb
drm/i915: Sunset igpu legacy mmap support based on GRAPHICS_VER_FULL
cpu/hotplug: Remove the 'cpu' member of cpuhp_cpu_state
soc: qcom: aoss: Fix missing put_device call in qmp_get
net: ipa: fix a build dependency
cpufreq: intel_pstate: ITMT support for overclocked system
ax25: add refcount in ax25_dev to avoid UAF bugs
ax25: fix reference count leaks of ax25_dev
ax25: fix UAF bugs of net_device caused by rebinding operation
ax25: Fix refcount leaks caused by ax25_cb_del()
ax25: fix UAF bug in ax25_send_control()
ax25: fix NPD bug in ax25_disconnect
ax25: Fix NULL pointer dereferences in ax25 timers
ax25: Fix UAF bugs in ax25 timers
Linux 5.15.35
UBUNTU: upstream stable to v5.15.35

CVE References

Changed in linux (Ubuntu):
status: New → Confirmed
tags: added: kernel-stable-tracking-bug
Changed in linux (Ubuntu Jammy):
status: Confirmed → In Progress
importance: Undecided → Medium
assignee: nobody → Kamal Mostafa (kamalmostafa)
description: updated
Stefan Bader (smb)
Changed in linux (Ubuntu):
status: In Progress → Invalid
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (101.7 KiB)

This bug was fixed in the package linux - 5.15.0-35.36

---------------
linux (5.15.0-35.36) jammy; urgency=medium

  * CVE-2022-21499
    - SAUCE: debug: Lock down kgdb

linux (5.15.0-34.35) jammy; urgency=medium

  * jammy/linux: 5.15.0-34.35 -proposed tracker (LP: #1974322)

  * AMD APU s2idle is broken after the ASIC reset fix (LP: #1972134)
    - drm/amdgpu: unify BO evicting method in amdgpu_ttm
    - drm/amdgpu: explicitly check for s0ix when evicting resources

  * amd_gpio AMDI0030:00: Failed to translate GPIO pin 0x0000 to IRQ, err -517
    (LP: #1971597)
    - gpio: Request interrupts after IRQ is initialized

  * config CONFIG_HISI_PMU for kunpeng920 (LP: #1956086)
    - [Config] CONFIG_HISI_PMU=m

  * Mute/mic LEDs no function on EliteBook G9 platfroms (LP: #1970552)
    - ALSA: hda/realtek: Enable mute/micmute LEDs support for HP Laptops

  * network-manager/1.36.4-2ubuntu1 ADT test failure with linux/5.15.0-28.29
    (LP: #1971418)
    - Revert "rfkill: make new event layout opt-in"

  * PCIE LnkCtl ASPM not enabled under VMD mode for Alder Lake platforms
    (LP: #1942160)
    - SAUCE: vmd: fixup bridge ASPM by driver name instead

  * Mute/mic LEDs no function on HP EliteBook 845/865 G9 (LP: #1970178)
    - ALSA: hda/realtek: Enable mute/micmute LEDs and limit mic boost on EliteBook
      845/865 G9

  * Enable headset mic on Lenovo P360 (LP: #1967069)
    - ALSA: hda/realtek: Enable headset mic on Lenovo P360

  * WCN6856 BT keep in OFF state after coldboot system (LP: #1967067)
    - Bluetooth: btusb: Improve stability for QCA devices

  * Screen sometimes can't update [Failed to post KMS update: CRTC property
    (GAMMA_LUT) not found] (LP: #1967274)
    - drm/i915/xelpd: Enable Pipe color support for D13 platform
    - drm/i915: Use unlocked register accesses for LUT loads
    - drm/i915/xelpd: Enable Pipe Degamma
    - drm/i915/xelpd: Add Pipe Color Lut caps to platform config

  * Jammy update: v5.15.35 upstream stable release (LP: #1969857)
    - drm/amd/display: Add pstate verification and recovery for DCN31
    - drm/amd/display: Fix p-state allow debug index on dcn31
    - hamradio: defer 6pack kfree after unregister_netdev
    - hamradio: remove needs_free_netdev to avoid UAF
    - cpuidle: PSCI: Move the `has_lpi` check to the beginning of the function
    - ACPI: processor idle: Check for architectural support for LPI
    - ACPI: processor: idle: fix lockup regression on 32-bit ThinkPad T40
    - btrfs: remove unused parameter nr_pages in add_ra_bio_pages()
    - btrfs: remove no longer used counter when reading data page
    - btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups()
    - soc: qcom: aoss: Expose send for generic usecase
    - dt-bindings: net: qcom,ipa: add optional qcom,qmp property
    - net: ipa: request IPA register values be retained
    - btrfs: release correct delalloc amount in direct IO write path
    - ALSA: core: Add snd_card_free_on_error() helper
    - ALSA: sis7019: Fix the missing error handling
    - ALSA: ali5451: Fix the missing snd_card_free() call at probe error
    - ALSA: als300: Fix the missing snd_card_free() call at probe error
    - ALSA: als4000: Fix ...

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers