This bug was fixed in the package linux - 5.15.0-91.101 --------------- linux (5.15.0-91.101) jammy; urgency=medium * jammy/linux: 5.15.0-91.101 -proposed tracker (LP: #2043452) * USB bus error after upgrading to proposed kernel on lunar and jammy (LP: #2043197) - USB: core: Fix oversight in SuperSpeed initialization linux (5.15.0-90.100) jammy; urgency=medium * jammy/linux: 5.15.0-90.100 -proposed tracker (LP: #2041603) * CVE-2023-25775 - RDMA/irdma: Remove irdma_uk_mw_bind() - RDMA/irdma: Remove irdma_sc_send_lsmm_nostag() - RDMA/irdma: Remove irdma_cqp_up_map_cmd() - RDMA/irdma: Remove irdma_get_hw_addr() - RDMA/irdma: Make irdma_uk_cq_init() return a void - RDMA/irdma: optimize rx path by removing unnecessary copy - RDMA/irdma: Remove enum irdma_status_code - RDMA/irdma: Remove excess error variables - RDMA/irdma: Prevent zero-length STAG registration * CVE-2023-39189 - netfilter: nfnetlink_osf: avoid OOB read * SMC stats: Wrong bucket calculation for payload of exactly 4096 bytes (LP: #2039575) - net/smc: Fix pos miscalculation in statistics * CVE-2023-45871 - igb: set max size RX buffer when store bad packet is enabled * CVE-2023-39193 - netfilter: xt_sctp: validate the flag_info count * CVE-2023-39192 - netfilter: xt_u32: validate user space input * CVE-2023-31085 - ubi: Refuse attaching if mtd's erasesize is 0 * CVE-2023-5717 - perf: Disallow mis-matched inherited group reads * CVE-2023-5178 - nvmet-tcp: Fix a possible UAF in queue intialization setup * CVE-2023-5158 - vringh: don't use vringh_kiov_advance() in vringh_iov_xfer() * [SRU][J/L/M] UBUNTU: [Packaging] Make WWAN driver a loadable module (LP: #2033406) - [Packaging] Make WWAN driver loadable modules * HP ProBook 450 G8 Notebook fail to wifi test (LP: #2037513) - iwlwifi: mvm: Don't fail if PPAG isn't supported - wifi: iwlwifi: fw: skip PPAG for JF * usbip: error: failed to open /usr/share/hwdata//usb.ids (LP: #2039439) - [Packaging] Make linux-tools-common depend on hwdata * scripts/pahole-flags.sh change return to exit 0 (LP: #2035123) - SAUCE: scripts/pahole-flags.sh change return to exit 0 * Unable to use nvme drive to install Ubuntu 23.10 (LP: #2040157) - misc: rtsx: Fix some platforms can not boot and move the l1ss judgment to probe * Jammy update: v5.15.131 upstream stable release (LP: #2039610) - erofs: ensure that the post-EOF tails are all zeroed - ksmbd: fix wrong DataOffset validation of create context - ksmbd: replace one-element array with flex-array member in struct smb2_ea_info - ARM: pxa: remove use of symbol_get() - mmc: au1xmmc: force non-modular build and remove symbol_get usage - net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index - rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff - modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules - USB: serial: option: add Quectel EM05G variant (0x030e) - USB: serial: option: add FOXCONN T99W368/T99W373 product - ALSA: usb-audio: Fix init call orders for UAC1 - usb: dwc3: meson-g12a: do post init to fix broken usb after resumption - usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0 - HID: wacom: remove the battery when the EKR is off - staging: rtl8712: fix race condition - Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition - wifi: mt76: mt7921: do not support one stream on secondary antenna only - serial: qcom-geni: fix opp vote on shutdown - serial: sc16is7xx: fix broken port 0 uart init - serial: sc16is7xx: fix bug when first setting GPIO direction - firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe - fsi: master-ast-cf: Add MODULE_FIRMWARE macro - tcpm: Avoid soft reset when partner does not support get_status - nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() - nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse - pinctrl: amd: Don't show `Invalid config param` errors - usb: typec: tcpci: move tcpci.h to include/linux/usb/ - usb: typec: tcpci: clear the fault status bit - Linux 5.15.131 * Jammy update: v5.15.130 upstream stable release (LP: #2039608) - ACPI: thermal: Drop nocrt parameter - module: Expose module_init_layout_section() - arm64: module-plts: inline linux/moduleloader.h - arm64: module: Use module_init_layout_section() to spot init sections - ARM: module: Use module_init_layout_section() to spot init sections - rcu: Prevent expedited GP from enabling tick on offline CPU - rcu-tasks: Fix IPI failure handling in trc_wait_for_one_reader - rcu-tasks: Wait for trc_read_check_handler() IPIs - rcu-tasks: Add trc_inspect_reader() checks for exiting critical section - Linux 5.15.130 * CVE-2023-42754 - ipv4: fix null-deref in ipv4_link_failure * Jammy update: v5.15.129 upstream stable release (LP: #2039227) - NFSv4.2: fix error handling in nfs42_proc_getxattr - NFSv4: fix out path in __nfs4_get_acl_uncached - xprtrdma: Remap Receive buffers after a reconnect - PCI: acpiphp: Reassign resources on bridge if necessary - dlm: improve plock logging if interrupted - dlm: replace usage of found with dedicated list iterator variable - fs: dlm: add pid to debug log - fs: dlm: change plock interrupted message to debug again - fs: dlm: use dlm_plock_info for do_unlock_close - fs: dlm: fix mismatch of plock results from userspace - MIPS: cpu-features: Enable octeon_cache by cpu_type - MIPS: cpu-features: Use boot_cpu_type for CPU type based features - fbdev: Improve performance of sys_imageblit() - fbdev: Fix sys_imageblit() for arbitrary image widths - fbdev: fix potential OOB read in fast_imageblit() - ALSA: pcm: Fix potential data race at PCM memory allocation helpers - jbd2: remove t_checkpoint_io_list - jbd2: remove journal_clean_one_cp_list() - jbd2: fix a race when checking checkpoint buffer busy - can: raw: fix receiver memory leak - drm/amd/display: do not wait for mpc idle if tg is disabled - drm/amd/display: check TG is non-null before checking if enabled - can: raw: fix lockdep issue in raw_release() - tracing: Fix cpu buffers unavailable due to 'record_disabled' missed - tracing: Fix memleak due to race between current_tracer and trace - octeontx2-af: SDP: fix receive link config - sock: annotate data-races around prot->memory_pressure - dccp: annotate data-races in dccp_poll() - ipvlan: Fix a reference count leak warning in ipvlan_ns_exit() - net: bgmac: Fix return value check for fixed_phy_register() - net: bcmgenet: Fix return value check for fixed_phy_register() - net: validate veth and vxcan peer ifindexes - ice: fix receive buffer size miscalculation - igb: Avoid starting unnecessary workqueues - igc: Fix the typo in the PTM Control macro - net/sched: fix a qdisc modification with ambiguous command request - netfilter: nf_tables: flush pending destroy work before netlink notifier - netfilter: nf_tables: fix out of memory error handling - rtnetlink: return ENODEV when ifname does not exist and group is given - rtnetlink: Reject negative ifindexes in RTM_NEWLINK - net: remove bond_slave_has_mac_rcu() - bonding: fix macvlan over alb bond support - net/ncsi: make one oem_gma function for all mfr id - net/ncsi: change from ndo_set_mac_address to dev_set_mac_address - ibmveth: Use dcbf rather than dcbfl - NFSv4: Fix dropped lock for racing OPEN and delegation return - clk: Fix slab-out-of-bounds error in devm_clk_release() - ALSA: ymfpci: Fix the missing snd_card_free() call at probe error - mm: add a call to flush_cache_vmap() in vmap_pfn() - NFS: Fix a use after free in nfs_direct_join_group() - nfsd: Fix race to FREE_STATEID and cl_revoked - selinux: set next pointer before attaching to list - batman-adv: Trigger events for auto adjusted MTU - batman-adv: Don't increase MTU when set by user - batman-adv: Do not get eth header before batadv_check_management_packet - batman-adv: Fix TT global entry leak when client roamed back - batman-adv: Fix batadv_v_ogm_aggr_send memory leak - batman-adv: Hold rtnl lock during MTU update via netlink - lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels - radix tree: remove unused variable - of: unittest: Fix EXPECT for parse_phandle_with_args_map() test - of: dynamic: Refactor action prints to not use "%pOF" inside devtree_lock - media: vcodec: Fix potential array out-of-bounds in encoder queue_setup - PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus - drm/vmwgfx: Fix shader stage validation - drm/display/dp: Fix the DP DSC Receiver cap size - x86/fpu: Invalidate FPU state correctly on exec() - nfs: use vfs setgid helper - nfsd: use vfs setgid helper - torture: Fix hang during kthread shutdown phase - cgroup/cpuset: Rename functions dealing with DEADLINE accounting - sched/cpuset: Bring back cpuset_mutex - sched/cpuset: Keep track of SCHED_DEADLINE task in cpusets - cgroup/cpuset: Iterate only if DEADLINE tasks are present - sched/deadline: Create DL BW alloc, free & check overflow interface - cgroup/cpuset: Free DL BW in case can_attach() fails - drm/i915: Fix premature release of request's reusable memory - can: raw: add missing refcount for memory leak fix - scsi: snic: Fix double free in snic_tgt_create() - scsi: core: raid_class: Remove raid_component_add() - clk: Fix undefined reference to `clk_rate_exclusive_{get,put}' - pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function} - dma-buf/sw_sync: Avoid recursive lock during fence signal - mm: memory-failure: kill soft_offline_free_page() - mm: memory-failure: fix unexpected return value in soft_offline_page() - mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer - Linux 5.15.129 * Jammy update: v5.15.128 upstream stable release (LP: #2038486) - mmc: sdhci-f-sdh30: Replace with sdhci_pltfm - selftests: forwarding: tc_actions: cleanup temporary files when test is aborted - selftests: forwarding: tc_actions: Use ncat instead of nc - macsec: Fix traffic counters/statistics - macsec: use DEV_STATS_INC() - net/tls: Perform immediate device ctx cleanup when possible - net/tls: Multi-threaded calls to TX tls_dev_del - net: tls: avoid discarding data on record close - PCI: tegra194: Fix possible array out of bounds access - ARM: dts: imx6dl: prtrvt, prtvt7, prti6q, prtwd2: fix USB related warnings - iopoll: Call cpu_relax() in busy loops - ASoC: SOF: Intel: fix SoundWire/HDaudio mutual exclusion - dma-remap: use kvmalloc_array/kvfree for larger dma memory remap - HID: logitech-hidpp: Add USB and Bluetooth IDs for the Logitech G915 TKL Keyboard - HID: add quirk for 03f0:464a HP Elite Presenter Mouse - RDMA/mlx5: Return the firmware result upon destroying QP/RQ - ovl: check type and offset of struct vfsmount in ovl_entry - smb: client: fix warning in cifs_smb3_do_mount() - media: v4l2-mem2mem: add lock to protect parameter num_rdy - usb: gadget: u_serial: Avoid spinlock recursion in __gs_console_push - media: platform: mediatek: vpu: fix NULL ptr dereference - thunderbolt: Read retimer NVM authentication status prior tb_retimer_set_inbound_sbtx() - usb: chipidea: imx: don't request QoS for imx8ulp - usb: chipidea: imx: add missing USB PHY DPDM wakeup setting - gfs2: Fix possible data races in gfs2_show_options() - pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() - firewire: net: fix use after free in fwnet_finish_incoming_packet() - watchdog: sp5100_tco: support Hygon FCH/SCH (Server Controller Hub) - Bluetooth: L2CAP: Fix use-after-free - Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally - drm/amdgpu: Fix potential fence use-after-free v2 - fs/ntfs3: Enhance sanity check while generating attr_list - fs: ntfs3: Fix possible null-pointer dereferences in mi_read() - fs/ntfs3: Mark ntfs dirty when on-disk struct is corrupted - ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760 - ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() - powerpc/kasan: Disable KCOV in KASAN code - ring-buffer: Do not swap cpu_buffer during resize process - iio: add addac subdirectory - iio: adc: stx104: Utilize iomap interface - iio: adc: stx104: Implement and utilize register structures - iio: stx104: Move to addac subdirectory - iio: addac: stx104: Fix race condition for stx104_write_raw() - iio: addac: stx104: Fix race condition when converting analog-to-digital - igc: read before write to SRRCTL register - ARM: dts: aspeed: asrock: Correct firmware flash SPI clocks - drm/amd/display: save restore hdcp state when display is unplugged from mst hub - drm/amd/display: phase3 mst hdcp for multiple displays - drm/amd/display: fix access hdcp_workqueue assert - usb: dwc3: gadget: Synchronize IRQ between soft connect/disconnect - usb: dwc3: Remove DWC3 locking during gadget suspend/resume - usb: dwc3: Fix typos in gadget.c - USB: dwc3: gadget: drop dead hibernation code - usb: dwc3: gadget: Improve dwc3_gadget_suspend() and dwc3_gadget_resume() - tty: serial: fsl_lpuart: Add i.MXRT1050 support - tty: serial: fsl_lpuart: make rx_watermark configurable for different platforms - tty: serial: fsl_lpuart: reduce RX watermark to 0 on LS1028A - USB: dwc3: qcom: fix NULL-deref on suspend - USB: dwc3: fix use-after-free on core driver unbind - mmc: bcm2835: fix deferred probing - mmc: sunxi: fix deferred probing - ARM: dts: imx6sll: fixup of operating points - ARM: dts: nxp/imx6sll: fix wrong property name in usbphy node - btrfs: move out now unused BG from the reclaim list - virtio-mmio: don't break lifecycle of vm_dev - vduse: Use proper spinlock for IRQ injection - cifs: fix potential oops in cifs_oplock_break - i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue - i2c: hisi: Only handle the interrupt of the driver's transfer - fbdev: mmp: fix value check in mmphw_probe() - powerpc/rtas_flash: allow user copy to flash block cache objects - tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux - tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms - btrfs: fix BUG_ON condition in btrfs_cancel_balance - i2c: designware: Correct length byte validation logic - i2c: designware: Handle invalid SMBus block data response length value - net: xfrm: Fix xfrm_address_filter OOB read - net: af_key: fix sadb_x_filter validation - net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure - xfrm: fix slab-use-after-free in decode_session6 - ip6_vti: fix slab-use-after-free in decode_session6 - ip_vti: fix potential slab-use-after-free in decode_session6 - xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH - net: phy: fix IRQ-based wake-on-lan over hibernate / power off - selftests: mirror_gre_changes: Tighten up the TTL test match - drm/panel: simple: Fix AUO G121EAN01 panel timings according to the docs - netfilter: nf_tables: fix false-positive lockdep splat - ipvs: fix racy memcpy in proc_do_sync_threshold - net: phy: broadcom: stub c45 read/write for 54810 - team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves - iavf: fix FDIR rule fields masks validation - i40e: fix misleading debug logs - net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset - sock: Fix misuse of sk_under_memory_pressure() - net: do not allow gso_size to be set to GSO_BY_FRAGS - bus: ti-sysc: Flush posted write on enable before reset - arm64: dts: qcom: qrb5165-rb5: fix thermal zone conflict - ARM: dts: imx: Set default tuning step for imx6sx usdhc - ASoC: rt5665: add missed regulator_bulk_disable - ASoC: meson: axg-tdm-formatter: fix channel slot allocation - soc: aspeed: socinfo: Add kfree for kstrdup - ALSA: hda/realtek - Remodified 3k pull low procedure - riscv: uaccess: Return the number of bytes effectively not copied - serial: 8250: Fix oops for port->pm on uart_change_pm() - ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces. - cifs: Release folio lock on fscache read hit. - mmc: wbsd: fix double mmc_free_host() in wbsd_init() - mmc: block: Fix in_flight[issue_type] value error - drm/qxl: fix UAF on handle creation - drm/amd: flush any delayed gfxoff on suspend entry - netfilter: set default timeout to 3 secs for sctp shutdown send and recv state - arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4 - virtio-net: set queues after driver_ok - net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled - mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove - Linux 5.15.128 * Jammy update: v5.15.127 upstream stable release (LP: #2038382) - ksmbd: validate command request size - ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea() - wireguard: allowedips: expand maximum node depth - mmc: moxart: read scr register without changing byte order - ipv6: adjust ndisc_is_useropt() to also return true for PIO - dmaengine: pl330: Return DMA_PAUSED when transaction is paused - riscv,mmio: Fix readX()-to-delay() ordering - drm/nouveau/gr: enable memory loads on helper invocation on all channels - drm/shmem-helper: Reset vma->vm_ops before calling dma_buf_mmap() - drm/amd/display: check attr flag before set cursor degamma on DCN3+ - hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100 - radix tree test suite: fix incorrect allocation size for pthreads - nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput - bpf: allow precision tracking for programs with subprogs - bpf: stop setting precise in current state - bpf: aggressively forget precise markings during state checkpointing - selftests/bpf: make test_align selftest more robust - selftests/bpf: Workaround verification failure for fexit_bpf2bpf/func_replace_return_code - selftests/bpf: Fix sk_assign on s390x - io_uring: correct check for O_TMPFILE - iio: cros_ec: Fix the allocation size for cros_ec_command - iio: adc: ina2xx: avoid NULL pointer dereference on OF device match - binder: fix memory leak in binder_init() - misc: rtsx: judge ASPM Mode to set PETXCFG Reg - usb-storage: alauda: Fix uninit-value in alauda_check_media() - usb: dwc3: Properly handle processing of pending events - usb: common: usb-conn-gpio: Prevent bailing out if initial role is none - usb: typec: tcpm: Fix response to vsafe0V event - x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405 - x86/mm: Fix VDSO and VVAR placement on 5-level paging machines - x86/speculation: Add cpu_show_gds() prototype - x86: Move gds_ucode_mitigated() declaration to header - drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes - selftests/rseq: Fix build with undefined __weak - selftests: forwarding: Add a helper to skip test when using veth pairs - selftests: forwarding: ethtool: Skip when using veth pairs - selftests: forwarding: ethtool_extended_state: Skip when using veth pairs - selftests: forwarding: Skip test when no interfaces are specified - selftests: forwarding: Switch off timeout - selftests: forwarding: tc_flower: Relax success criterion - net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() - bpf, sockmap: Fix map type error in sock_map_del_link - bpf, sockmap: Fix bug that strp_done cannot be called - mISDN: Update parameter type of dsp_cmx_send() - net/packet: annotate data-races around tp->status - tunnels: fix kasan splat when generating ipv4 pmtu error - xsk: fix refcount underflow in error path - bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves - dccp: fix data-race around dp->dccps_mss_cache - drivers: net: prevent tun_build_skb() to exceed the packet size limit - iavf: fix potential races for FDIR filters - IB/hfi1: Fix possible panic during hotplug remove - drm/rockchip: Don't spam logs in atomic check - wifi: cfg80211: fix sband iftype data lookup for AP_VLAN - RDMA/umem: Set iova in ODP flow - net: phy: at803x: remove set/get wol callbacks for AR8032 - net: hns3: refactor hclge_mac_link_status_wait for interface reuse - net: hns3: add wait until mac link down - nexthop: Fix infinite nexthop dump when using maximum nexthop ID - nexthop: Make nexthop bucket dump more efficient - nexthop: Fix infinite nexthop bucket dump when using maximum nexthop ID - dmaengine: mcf-edma: Fix a potential un-allocated memory access - net/mlx5: Allow 0 for total host VFs - net/mlx5: Skip clock update work when device is in error state - ibmvnic: Enforce stronger sanity checks on login response - ibmvnic: Unmap DMA login rsp buffer on send login fail - ibmvnic: Handle DMA unmapping of login buffs in release functions - btrfs: don't stop integrity writeback too early - btrfs: exit gracefully if reloc roots don't match - btrfs: reject invalid reloc tree root keys with stack dump - btrfs: set cache_block_group_error if we find an error - nvme-tcp: fix potential unbalanced freeze & unfreeze - nvme-rdma: fix potential unbalanced freeze & unfreeze - netfilter: nf_tables: report use refcount overflow - scsi: core: Fix legacy /proc parsing buffer overflow - scsi: storvsc: Fix handling of virtual Fibre Channel timeouts - scsi: 53c700: Check that command slot is not NULL - scsi: snic: Fix possible memory leak if device_add() fails - scsi: core: Fix possible memory leak if device_add() fails - scsi: fnic: Replace return codes in fnic_clean_pending_aborts() - scsi: qedi: Fix firmware halt over suspend and resume - scsi: qedf: Fix firmware halt over suspend and resume - alpha: remove __init annotation from exported page_is_ram() - sch_netem: fix issues in netem_change() vs get_dist_table() - tick: Detect and fix jiffies update stall - timers/nohz: Switch to ONESHOT_STOPPED in the low-res handler when the tick is stopped - timers/nohz: Last resort update jiffies on nohz_full IRQ entry - Linux 5.15.127 - Upstream stable to v5.15.127 * CVE-2023-37453 - USB: core: Unite old scheme and new scheme descriptor reads - USB: core: Change usb_get_device_descriptor() API - USB: core: Fix race by not overwriting udev->descriptor in hub_port_init() * Packaging resync (LP: #1786013) - [Packaging] update helper scripts -- Stefan Bader