This bug was fixed in the package linux - 5.15.0-72.79 --------------- linux (5.15.0-72.79) jammy; urgency=medium * jammy/linux: 5.15.0-72.79 -proposed tracker (LP: #2016548) * Add split lock detection for EMR (LP: #2015855) - x86/split_lock: Enumerate architectural split lock disable bit * selftest: fib_tests: Always cleanup before exit (LP: #2015956) - selftest: fib_tests: Always cleanup before exit * Add support for intel EMR cpu (LP: #2015372) - platform/x86: intel-uncore-freq: add Emerald Rapids support - perf/x86/intel/cstate: Add Emerald Rapids - perf/x86/rapl: Add support for Intel Emerald Rapids - intel_idle: add Emerald Rapids Xeon support - tools/power/x86/intel-speed-select: Add Emerald Rapid quirk - tools/power turbostat: Introduce support for EMR - powercap: intel_rapl: add support for Emerald Rapids - EDAC/i10nm: Add Intel Emerald Rapids server support * Kernel livepatch ftrace graph fix (LP: #2013603) - kprobes: treewide: Remove trampoline_address from kretprobe_trampoline_handler() - kprobes: treewide: Make it harder to refer kretprobe_trampoline directly - kprobes: Add kretprobe_find_ret_addr() for searching return address - s390/unwind: recover kretprobe modified return address in stacktrace - s390/unwind: fix fgraph return address recovery * Jammy update: v5.15.98 upstream stable release (LP: #2015600) - Linux 5.15.98 * Jammy update: v5.15.97 upstream stable release (LP: #2015599) - ionic: refactor use of ionic_rx_fill() - Fix XFRM-I support for nested ESP tunnels - arm64: dts: rockchip: drop unused LED mode property from rk3328-roc-cc - ARM: dts: rockchip: add power-domains property to dp node on rk3288 - HID: elecom: add support for TrackBall 056E:011C - ACPI: NFIT: fix a potential deadlock during NFIT teardown - btrfs: send: limit number of clones and allocated memory size - ASoC: rt715-sdca: fix clock stop prepare timeout issue - IB/hfi1: Assign npages earlier - neigh: make sure used and confirmed times are valid - HID: core: Fix deadloop in hid_apply_multiplier. - x86/cpu: Add Lunar Lake M - staging: mt7621-dts: change palmbus address to lower case - bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state - net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues(). - vc_screen: don't clobber return value in vcs_read - scripts/tags.sh: Invoke 'realpath' via 'xargs' - scripts/tags.sh: fix incompatibility with PCRE2 - usb: dwc3: pci: add support for the Intel Meteor Lake-M - USB: serial: option: add support for VW/Skoda "Carstick LTE" - usb: gadget: u_serial: Add null pointer check in gserial_resume - USB: core: Don't hold device lock while reading the "descriptors" sysfs file - Linux 5.15.97 * Jammy update: v5.15.96 upstream stable release (LP: #2015595) - drm/etnaviv: don't truncate physical page address - wifi: rtl8xxxu: gen2: Turn on the rate control - drm/edid: Fix minimum bpc supported with DSC1.2 for HDMI sink - clk: mxl: Switch from direct readl/writel based IO to regmap based IO - clk: mxl: Remove redundant spinlocks - clk: mxl: Add option to override gate clks - clk: mxl: Fix a clk entry by adding relevant flags - powerpc: dts: t208x: Mark MAC1 and MAC2 as 10G - clk: mxl: syscon_node_to_regmap() returns error pointers - random: always mix cycle counter in add_latent_entropy() - KVM: x86: Fail emulation during EMULTYPE_SKIP on any exception - KVM: SVM: Skip WRMSR fastpath on VM-Exit if next RIP isn't valid - can: kvaser_usb: hydra: help gcc-13 to figure out cmd_len - powerpc: dts: t208x: Disable 10G on MAC1 and MAC2 - powerpc: use generic version of arch_is_kernel_initmem_freed() - powerpc/vmlinux.lds: Ensure STRICT_ALIGN_SIZE is at least page aligned - powerpc/vmlinux.lds: Add an explicit symbol for the SRWX boundary - powerpc/64s/radix: Fix crash with unaligned relocated kernel - powerpc/64s/radix: Fix RWX mapping with relocated kernel - drm/i915/gvt: fix double free bug in split_2MB_gtt_entry - uaccess: Add speculation barrier to copy_from_user() - binder: read pre-translated fds from sender buffer - binder: defer copies of pre-patched txn data - binder: fix pointer cast warning - binder: Address corner cases in deferred copy and fixup - binder: Gracefully handle BINDER_TYPE_FDA objects with num_fds=0 - nbd: fix possible overflow on 'first_minor' in nbd_dev_add() - wifi: mwifiex: Add missing compatible string for SD8787 - audit: update the mailing list in MAINTAINERS - ext4: Fix function prototype mismatch for ext4_feat_ktype - bpf: add missing header file include - Linux 5.15.96 * Debian autoreconstruct Fix restoration of execute permissions (LP: #2015498) - [Debian] autoreconstruct - fix restoration of execute permissions * kernel: fix __clear_user() inline assembly constraints (LP: #2013088) - s390/uaccess: add missing earlyclobber annotations to __clear_user() * Kernel crash during Mellanox performance testing (LP: #2015097) - net/mlx5: fs, refactor software deletion rule * expoline.o is packaged unconditionally for s390x (LP: #2013209) - [Packaging] Copy expoline.o only when produced by the build * Intel E810 NICs driver in causing hangs when booting and bonds configured (LP: #2004262) - ice: avoid bonding causing auxiliary plug/unplug under RTNL lock * Jammy update: v5.15.95 upstream stable release (LP: #2013118) - mptcp: fix locking for in-kernel listener creation - kprobes: treewide: Cleanup the error messages for kprobes - riscv: kprobe: Fixup misaligned load text - ACPI / x86: Add support for LPS0 callback handler - ASoC: Intel: sof_rt5682: always set dpcm_capture for amplifiers - ASoC: Intel: sof_cs42l42: always set dpcm_capture for amplifiers - selftests/bpf: Verify copy_register_state() preserves parent/live fields - ALSA: hda: Do not unset preset when cleaning up codec - bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself - ASoC: cs42l56: fix DT probe - tools/virtio: fix the vringh test for virtio ring changes - net/rose: Fix to not accept on connected socket - net: stmmac: do not stop RX_CLK in Rx LPI state for qcs404 SoC - drm/nouveau/devinit/tu102-: wait for GFW_BOOT_PROGRESS == COMPLETED - net: sched: sch: Bounds check priority - s390/decompressor: specify __decompress() buf len to avoid overflow - nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association - drm/amd/display: Properly handle additional cases where DCN is not supported - platform/x86: touchscreen_dmi: Add Chuwi Vi8 (CWI501) DMI match - nvmem: core: add error handling for dev_set_name - nvmem: core: fix cleanup after dev_set_name() - nvmem: core: fix registration vs use race - nvmem: core: fix return value - xfs: zero inode fork buffer at allocation - xfs: fix potential log item leak - xfs: detect self referencing btree sibling pointers - xfs: set XFS_FEAT_NLINK correctly - xfs: validate v5 feature fields - xfs: avoid unnecessary runtime sibling pointer endian conversions - xfs: don't assert fail on perag references on teardown - xfs: assert in xfs_btree_del_cursor should take into account error - xfs: purge dquots after inode walk fails during quotacheck - xfs: don't leak btree cursor when insrec fails after a split - mptcp: do not wait for bare sockets' timeout - aio: fix mremap after fork null-deref - drm/amd/display: Fail atomic_check early on normalize_zpos error - platform/x86: amd-pmc: Fix compilation when CONFIG_DEBUGFS is disabled - platform/x86: amd-pmc: Correct usage of SMU version - platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN - netfilter: nft_tproxy: restrict to prerouting hook - tcp: Fix listen() regression in 5.15.88. - mmc: jz4740: Work around bug on JZ4760(B) - mmc: sdio: fix possible resource leaks in some error paths - mmc: mmc_spi: fix error handling in mmc_spi_probe() - ALSA: hda/conexant: add a new hda codec SN6180 - ALSA: hda/realtek - fixed wrong gpio assigned - sched/psi: Fix use-after-free in ep_remove_wait_queue() - hugetlb: check for undefined shift on 32 bit architectures - of: reserved_mem: Have kmemleak ignore dynamically allocated reserved mem - selftest/lkdtm: Skip stack-entropy test if lkdtm is not available - net: Fix unwanted sign extension in netdev_stats_to_stats64() - revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" - ixgbe: allow to increase MTU to 3K with XDP enabled - i40e: add double of VLAN header when computing the max MTU - net: bgmac: fix BCM5358 support by setting correct flags - net: ethernet: ti: am65-cpsw: Add RX DMA Channel Teardown Quirk - sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list - dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions. - net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path - net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() - net: stmmac: fix order of dwmac5 FlexPPS parametrization sequence - bnxt_en: Fix mqprio and XDP ring checking logic - net: stmmac: Restrict warning on disabling DMA store and fwd mode - ixgbe: add double of VLAN header when computing the max MTU - ipv6: Fix datagram socket connection with DSCP. - ipv6: Fix tcp socket connection with DSCP. - nilfs2: fix underflow in second superblock position calculations - mm/filemap: fix page end in filemap_get_read_batch - drm/i915/gen11: Moving WAs to icl_gt_workarounds_init() - drm/i915/gen11: Wa_1408615072/Wa_1407596294 should be on GT list - flow_offload: fill flags to action structure - net/sched: act_ctinfo: use percpu stats - i40e: Add checking for null for nlmsg_find_attr() - kvm: initialize all of the kvm_debugregs structure before sending it to userspace - alarmtimer: Prevent starvation by small intervals and SIG_IGN - ASoC: SOF: Intel: hda-dai: fix possible stream_tag leak - net: sched: sch: Fix off by one in htb_activate_prios() - platform/x86/amd: pmc: add CONFIG_SERIO dependency - Linux 5.15.95 * CVE-2023-1075 - net/tls: tls_is_tx_ready() checked list_entry * devlink_port_split from ubuntu_kernel_selftests.net fails on hirsute (KeyError: 'flavour') (LP: #1937133) - selftests: net: devlink_port_split.py: skip test if no suitable device available * Connection timeout due to conntrack limits (LP: #2011616) - netfilter: conntrack: adopt safer max chain length * Jammy update: v5.15.94 upstream stable release (LP: #2012673) - mm/migration: return errno when isolate_huge_page failed - migrate: hugetlb: check for hugetlb shared PMD in node migration - btrfs: limit device extents to the device size - btrfs: zlib: zero-initialize zlib workspace - ALSA: hda/realtek: Add Positivo N14KP6-TG - ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book2 Pro 360 - ALSA: hda/realtek: Enable mute/micmute LEDs on HP Elitebook, 645 G9 - tracing: Fix poll() and select() do not work on per_cpu trace_pipe and trace_pipe_raw - of/address: Return an error when no valid dma-ranges are found - can: j1939: do not wait 250 ms if the same addr was already claimed - xfrm: compat: change expression for switch in xfrm_xlate64 - IB/hfi1: Restore allocated resources on failed copyout - xfrm/compat: prevent potential spectre v1 gadget in xfrm_xlate32_attr() - IB/IPoIB: Fix legacy IPoIB due to wrong number of queues - RDMA/irdma: Fix potential NULL-ptr-dereference - RDMA/usnic: use iommu_map_atomic() under spin_lock() - xfrm: fix bug with DSCP copy to v6 from v4 tunnel - net: phylink: move phy_device_free() to correctly release phy device - bonding: fix error checking in bond_debug_reregister() - net: phy: meson-gxl: use MMD access dummy stubs for GXL, internal PHY - ionic: clean interrupt before enabling queue to avoid credit race - uapi: add missing ip/ipv6 header dependencies for linux/stddef.h - ice: Do not use WQ_MEM_RECLAIM flag for workqueue - net: dsa: mt7530: don't change PVC_EG_TAG when CPU port becomes VLAN-aware - net: mscc: ocelot: fix VCAP filters not matching on MAC with "protocol 802.1Q" - net/mlx5e: Move repeating clear_bit in mlx5e_rx_reporter_err_rq_cqe_recover - net/mlx5e: Introduce the mlx5e_flush_rq function - net/mlx5e: Update rx ring hw mtu upon each rx-fcs flag change - net/mlx5: Bridge, fix ageing of peer FDB entries - net/mlx5e: IPoIB, Show unknown speed instead of error - net/mlx5: fw_tracer, Clear load bit when freeing string DBs buffers - net/mlx5: fw_tracer, Zero consumer index when reloading the tracer - net/mlx5: Serialize module cleanup with reload and remove - igc: Add ndo_tx_timeout support - rds: rds_rm_zerocopy_callback() use list_first_entry() - selftests: forwarding: lib: quote the sysctl values - ALSA: pci: lx6464es: fix a debug loop - riscv: stacktrace: Fix missing the first frame - ASoC: topology: Return -ENOMEM on memory allocation failure - pinctrl: mediatek: Fix the drive register definition of some Pins - pinctrl: aspeed: Fix confusing types in return value - pinctrl: single: fix potential NULL dereference - spi: dw: Fix wrong FIFO level setting for long xfers - pinctrl: intel: Restore the pins that used to be in Direct IRQ mode - cifs: Fix use-after-free in rdata->read_into_pages() - net: USB: Fix wrong-direction WARNING in plusb.c - mptcp: be careful on subflow status propagation on errors - btrfs: free device in btrfs_close_devices for a single device filesystem - usb: core: add quirk for Alcor Link AK9563 smartcard reader - usb: typec: altmodes/displayport: Fix probe pin assign check - clk: ingenic: jz4760: Update M/N/OD calculation algorithm - ceph: flush cap releases when the session is flushed - riscv: Fixup race condition on PG_dcache_clean in flush_icache_pte - powerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch - rtmutex: Ensure that the top waiter is always woken up - arm64: dts: meson-gx: Make mmc host controller interrupts level-sensitive - arm64: dts: meson-g12-common: Make mmc host controller interrupts level- sensitive - arm64: dts: meson-axg: Make mmc host controller interrupts level-sensitive - Fix page corruption caused by racy check in __free_pages - drm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini - drm/i915: Initialize the obj flags for shmem objects - drm/i915: Fix VBT DSI DVO port handling - x86/speculation: Identify processors vulnerable to SMT RSB predictions - KVM: x86: Mitigate the cross-thread return address predictions bug - Documentation/hw-vuln: Add documentation for Cross-Thread Return Predictions - Linux 5.15.94 * Jammy update: v5.15.93 upstream stable release (LP: #2012665) - firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region - bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() - ASoC: Intel: boards: fix spelling in comments - ASoC: Intel: bytcht_es8316: move comment to the right place - ASoC: Intel: bytcht_es8316: Drop reference count of ACPI device after use - ASoC: Intel: bytcr_rt5651: Drop reference count of ACPI device after use - ASoC: Intel: bytcr_rt5640: Drop reference count of ACPI device after use - ASoC: Intel: bytcr_wm5102: Drop reference count of ACPI device after use - bpf: Fix a possible task gone issue with bpf_send_signal[_thread]() helpers - ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() - bpf: Support <8-byte scalar spill and refill - bpf: Fix to preserve reg parent/live fields when copying range info - bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener - arm64: dts: imx8mm: Fix pad control for UART1_DTE_RX - drm/vc4: hdmi: make CEC adapter name unique - scsi: Revert "scsi: core: map PQ=1, PDT=other values to SCSI_SCAN_TARGET_PRESENT" - vhost/net: Clear the pending messages when the backend is removed - WRITE is "data source", not destination... - READ is "data destination", not source... - fix iov_iter_bvec() "direction" argument - fix "direction" argument of iov_iter_kvec() - ice: Prevent set_channel from changing queues while RDMA active - qede: execute xdp_do_flush() before napi_complete_done() - virtio-net: execute xdp_do_flush() before napi_complete_done() - dpaa_eth: execute xdp_do_flush() before napi_complete_done() - dpaa2-eth: execute xdp_do_flush() before napi_complete_done() - sfc: correctly advertise tunneled IPv6 segmentation - net: phy: dp83822: Fix null pointer access on DP83825/DP83826 devices - block/bfq-iosched.c: use "false" rather than "BLK_RW_ASYNC" - block, bfq: replace 0/1 with false/true in bic apis - block, bfq: fix uaf for bfqq in bic_set_bfqq() - netrom: Fix use-after-free caused by accept on already connected socket - drm/i915/guc: Fix locking when searching for a hung request - drm/i915/adlp: Fix typo for reference clock - netfilter: br_netfilter: disable sabotage_in hook after first suppression - squashfs: harden sanity check in squashfs_read_xattr_id_table - net: phy: meson-gxl: Add generic dummy stubs for MMD register access - ip/ip6_gre: Fix changing addr gen mode not generating IPv6 link local address - ip/ip6_gre: Fix non-point-to-point tunnel not generating IPv6 link local address - riscv: kprobe: Fixup kernel panic when probing an illegal position - igc: return an error if the mac type is unknown in igc_ptp_systim_to_hwtstamp() - can: j1939: fix errant WARN_ON_ONCE in j1939_session_deactivate - ata: libata: Fix sata_down_spd_limit() when no link speed is reported - selftests: net: udpgso_bench_rx: Fix 'used uninitialized' compiler warning - selftests: net: udpgso_bench_rx/tx: Stop when wrong CLI args are provided - selftests: net: udpgso_bench_tx: Cater for pending datagrams zerocopy benchmarking - virtio-net: Keep stop() to follow mirror sequence of open() - net: openvswitch: fix flow memory leak in ovs_flow_cmd_new - efi: fix potential NULL deref in efi_mem_reserve_persistent - i2c: designware-pci: Add new PCI IDs for AMD NAVI GPU - i2c: mxs: suppress probe-deferral error message - scsi: target: core: Fix warning on RT kernels - perf/x86/intel: Add Emerald Rapids - scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress - scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress - i2c: rk3x: fix a bunch of kernel-doc warnings - platform/x86: gigabyte-wmi: add support for B450M DS3H WIFI-CF - net/x25: Fix to not accept on connected socket - drm/amd/display: Fix timing not changning when freesync video is enabled - iio: adc: stm32-dfsdm: fill module aliases - usb: dwc3: qcom: enable vbus override when in OTG dr-mode - usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait - vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF - Input: i8042 - add Clevo PCX0DX to i8042 quirk table - fbcon: Check font dimension limits - net: qrtr: free memory on error path in radix_tree_insert() - watchdog: diag288_wdt: do not use stack buffers for hardware data - watchdog: diag288_wdt: fix __diag288() inline assembly - ALSA: hda/realtek: Add Acer Predator PH315-54 - efi: Accept version 2 of memory attributes table - iio: hid: fix the retval in accel_3d_capture_sample - iio: hid: fix the retval in gyro_3d_capture_sample - iio: adc: berlin2-adc: Add missing of_node_put() in error path - iio:adc:twl6030: Enable measurements of VUSB, VBAT and others - iio: imu: fxos8700: fix ACCEL measurement range selection - iio: imu: fxos8700: fix incomplete ACCEL and MAGN channels readback - iio: imu: fxos8700: fix IMU data bits returned to user space - iio: imu: fxos8700: fix map label of channel type to MAGN sensor - iio: imu: fxos8700: fix swapped ACCEL and MAGN channels readback - iio: imu: fxos8700: fix incorrect ODR mode readback - iio: imu: fxos8700: fix failed initialization ODR mode assignment - iio: imu: fxos8700: remove definition FXOS8700_CTRL_ODR_MIN - iio: imu: fxos8700: fix MAGN sensor scale and unit - nvmem: qcom-spmi-sdam: fix module autoloading - parisc: Fix return code of pdc_iodc_print() - parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case - riscv: disable generation of unwind tables - mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps - usb: gadget: f_uac2: Fix incorrect increment of bNumEndpoints - kernel/irq/irqdomain.c: fix memory leak with using debugfs_lookup() - x86/debug: Fix stack recursion caused by wrongly ordered DR7 accesses - fpga: stratix10-soc: Fix return value check in s10_ops_write_init() - mm/swapfile: add cond_resched() in get_swap_pages() - highmem: round down the address passed to kunmap_flush_on_unmap() - Squashfs: fix handling and sanity checking of xattr_ids count - drm/i915: Fix potential bit_17 double-free - nvmem: core: initialise nvmem->id early - nvmem: core: remove nvmem_config wp_gpio - nvmem: core: fix cell removal on error - serial: 8250_dma: Fix DMA Rx completion race - serial: 8250_dma: Fix DMA Rx rearm race - phy: qcom-qmp-combo: disable runtime PM on unbind - phy: qcom-qmp-combo: fix memleak on probe deferral - phy: qcom-qmp-usb: fix memleak on probe deferral - phy: qcom-qmp-combo: fix broken power on - phy: qcom-qmp-combo: fix runtime suspend - bpf: Fix incorrect state pruning for <8B spill/fill - bpf: Do not reject when the stack read size is different from the tracked scalar size - iio:adc:twl6030: Enable measurement of VAC - powerpc/imc-pmu: Revert nest_init_lock to being a mutex - fs/ntfs3: Validate attribute data and valid sizes - ovl: Use "buf" flexible array for memcpy() destination - fbdev: smscufx: fix error handling code in ufx_usb_probe - f2fs: fix to do sanity check on i_extra_isize in is_alive() - wifi: brcmfmac: Check the count value of channel spec to prevent out-of- bounds reads - gfs2: Cosmetic gfs2_dinode_{in,out} cleanup - gfs2: Always check inode size of inline inodes - bpf: Skip invalid kfunc call in backtrack_insn - Linux 5.15.93 * CVE-2023-1118 - media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() * [SRU][Ubuntu 22.04.1]: Observed "Array Index out of bounds" Call Trace multiple times on Ubuntu 22.04.1 OS during boot (LP: #2008157) - scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_FW_RAID_MAP - scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_FW_RAID_MAP_DYNAMIC - scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_DRV_RAID_MAP - scsi: megaraid_sas: Replace one-element array with flexible-array member in MR_PD_CFG_SEQ_NUM_SYNC - scsi: megaraid_sas: Use struct_size() in code related to struct MR_FW_RAID_MAP - scsi: megaraid_sas: Use struct_size() in code related to struct MR_PD_CFG_SEQ_NUM_SYNC * Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs" (LP: #2011926) - Revert "net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child qdiscs" -- Stefan Bader