SRU Justification Impact: The upstream process for stable tree updates is quite similar in scope to the Ubuntu SRU process, e.g., each patch has to demonstrably fix a bug, and each patch is vetted by upstream by originating either directly from a mainline/stable Linux tree or a minimally backported form of that patch. The following upstream stable patches should be included in the Ubuntu kernel: v6.8.5 upstream stable release from git://git.kernel.org/ Linux 6.8.5 x86: set SPECTRE_BHI_ON as default KVM: x86: Add BHI_NO x86/bhi: Mitigate KVM by default x86/bhi: Add BHI mitigation knob x86/bhi: Enumerate Branch History Injection (BHI) bug x86/bhi: Define SPEC_CTRL_BHI_DIS_S x86/bhi: Add support for clearing branch history at syscall entry x86/syscall: Don't force use of indirect calls for system calls x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file x86/efistub: Remap kernel text read-only before dropping NX attribute x86/sev: Move early startup code into .head.text section x86/sme: Move early SME kernel encryption handling into .head.text x86/boot: Move mem_encrypt= parsing to the decompressor efi/libstub: Add generic support for parsing mem_encrypt= bpf: support deferring bpf_link dealloc to after RCU grace period bpf: put uprobe link's path and task in release callback Revert "x86/mpparse: Register APIC address only once" drm/xe: Rework rebinding drm/xe: Use ring ops TLB invalidation for rebinds drm/i915/gt: Enable only one CCS for compute workload drm/i915/gt: Do not generate the command streamer for all the CCS drm/i915/gt: Disable HW load balancing for CCS drm/i915/dp: Fix the computation for compressed_bpp for DISPLAY < 13 drm/i915/mst: Reject FEC+MST on ICL drm/i915/mst: Limit MST+DSC to TGL+ smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect() smb: client: fix potential UAF in smb2_is_network_name_deleted() smb: client: fix potential UAF in is_valid_oplock_break() smb: client: fix potential UAF in smb2_is_valid_lease_break() smb: client: fix potential UAF in smb2_is_valid_oplock_break() smb: client: fix potential UAF in cifs_dump_full_key() smb: client: fix potential UAF in cifs_stats_proc_show() smb: client: fix potential UAF in cifs_stats_proc_write() smb: client: fix potential UAF in cifs_debug_files_proc_show() smb3: retrying on failed server close smb: client: serialise cifs_construct_tcon() with cifs_mount_mutex smb: client: handle DFS tcons in cifs_construct_tcon() smb: client: refresh referral without acquiring refpath_lock smb: client: guarantee refcounted children from parent session smb: client: fix UAF in smb2_reconnect_server() riscv: process: Fix kernel gp leakage riscv: Fix spurious errors from __get/put_kernel_nofault s390/entry: align system call table on 8 bytes selftests/mm: include strings.h for ffsl mm/secretmem: fix GUP-fast succeeding on secretmem folios arm64/ptrace: Use saved floating point state type to determine SVE layout riscv: Fix vector state restore in rt_sigreturn() aio: Fix null ptr deref in aio_complete() wakeup perf/x86/intel/ds: Don't clear ->pebs_data_cfg for the last PEBS event x86/coco: Require seeding RNG with RDRAND on CoCo systems x86/mce: Make sure to grab mce_sysfs_mutex in set_bank() x86/mm/pat: fix VM_PAT handling in COW mappings of: module: prevent NULL pointer dereference in vsnprintf() of: dynamic: Synchronize of_changeset_destroy() with the devlink removals driver core: Introduce device_link_wait_removal() ASoC: SOF: Intel: hda: Compensate LLP in case it is not reset ASoC: SOF: ipc4-pcm: Correct the delay calculation ASoC: SOF: sof-pcm: Add pointer callback to sof_ipc_pcm_ops ASoC: SOF: ipc4-pcm: Invalidate the stream_start_offset in PAUSED state ASoC: SOF: ipc4-pcm: Combine the SOF_IPC4_PIPE_PAUSED cases in pcm_trigger ASoC: SOF: ipc4-pcm: Move struct sof_ipc4_timestamp_info definition locally ASoC: SOF: Remove the get_stream_position callback ASoC: SOF: ipc4-pcm: Use the snd_sof_pcm_get_dai_frame_counter() for pcm_delay ASoC: SOF: Intel: hda-common-ops: Do not set the get_stream_position callback ASoC: SOF: Intel: Set the dai/host get frame/byte counter callbacks ASoC: SOF: Introduce a new callback pair to be used for PCM delay reporting ASoC: SOF: Intel: mtl/lnl: Use the generic get_stream_position callback ASoC: SOF: Intel: hda: Implement get_stream_position (Linear Link Position) ASoC: SOF: Intel: hda-pcm: Use dsp_max_burst_size_in_ms to place constraint ASoC: SOF: ipc4-topology: Save the DMA maximum burst size for PCMs ASoC: SOF: Add dsp_max_burst_size_in_ms member to snd_sof_pcm_stream io_uring/kbuf: hold io_buffer_list reference over mmap io_uring: use private workqueue for exit work io_uring/rw: don't allow multishot reads without NOWAIT support io_uring/kbuf: protect io_buffer_list teardown with a reference io_uring/kbuf: get rid of bl->is_ready io_uring/kbuf: get rid of lower BGID lists ALSA: hda/realtek: Update Panasonic CF-SZ6 quirk to support headset with microphone ALSA: hda/realtek: cs35l41: Support ASUS ROG G634JYR ALSA: hda/realtek: Add sound quirks for Lenovo Legion slim 7 16ARHA7 models ALSA: hda/realtek - Fix inactive headset mic jack ALSA: hda: Add pplcllpl/u members to hdac_ext_stream ksmbd: do not set SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1 ksmbd: validate payload size in ipc response ksmbd: don't send oplock break if rename fails gpio: cdev: fix missed label sanitizing in debounce_setup() gpio: cdev: check for NULL labels when sanitizing them for irqs Revert "drm/amd/display: Send DTBCLK disable message on first commit" x86/retpoline: Add NOENDBR annotation to the SRSO dummy return thunk stackdepot: rename pool_index to pool_index_plus_1 lib/stackdepot: move stack_record struct definition into the header nfsd: hold a lighter-weight client reference over CB_RECALL_ANY riscv: Disable preemption when using patch_map() riscv: Fix warning by declaring arch_cpu_idle() as noinstr riscv: use KERN_INFO in do_trap SUNRPC: Fix a slow server-side memory leak with RPC-over-TCP ASoC: SOF: amd: fix for false dsp interrupts ata: sata_mv: Fix PCI device ID table declaration compilation warning drm/i915/gt: Limit the reserved VM space to only the platforms that need it thermal: gov_power_allocator: Allow binding without trip points thermal: gov_power_allocator: Allow binding without cooling devices s390/pai: fix sampling event removal for PMU device driver spi: mchp-pci1xxx: Fix a possible null pointer dereference in pci1xxx_spi_probe cifs: Fix caching to try to do open O_WRONLY as rdwr on server drm/i915/dp: Fix DSC state HW readout for SST connectors Revert "ALSA: emu10k1: fix synthesizer sample playback position and caching" scsi: sd: Unregister device if device_add_disk() failed in sd_probe() scsi: mylex: Fix sysfs buffer lengths ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit regmap: maple: Fix uninitialized symbol 'ret' warnings ASoC: amd: acp: fix for acp_init function error handling spi: s3c64xx: Use DMA mode from fifo size spi: s3c64xx: determine the fifo depth only once spi: s3c64xx: allow full FIFO masks spi: s3c64xx: define a magic value spi: s3c64xx: remove else after return spi: s3c64xx: explicitly include spi: s3c64xx: sort headers alphabetically spi: s3c64xx: Extract FIFO depth calculation to a dedicated macro ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw ASoC: rt722-sdca-sdw: fix locking sequence ASoC: rt712-sdca-sdw: fix locking sequence ASoC: rt711-sdw: fix locking sequence ASoC: rt711-sdca: fix locking sequence ASoC: rt5682-sdw: fix locking sequence drm/prime: Unbreak virtgpu dma-buf export nouveau/uvmm: fix addr/range calcs for remap operations drm/panfrost: fix power transition timeout warnings ALSA: hda: cs35l56: Add ACPI device match tables regmap: maple: Fix cache corruption in regcache_maple_drop() ASoC: amd: acp: fix for acp pdm configuration check RISC-V: Update AT_VECTOR_SIZE_ARCH for new AT_MINSIGSTKSZ block: count BLK_OPEN_RESTRICT_WRITES openers drivers/perf: riscv: Disable PERF_SAMPLE_BRANCH_* while not supported riscv: hwprobe: do not produce frtace relocation riscv: mm: Fix prototype to avoid discarding const ASoC: cs42l43: Correct extraction of data pointer in suspend/resume ASoC: wm_adsp: Fix missing mutex_lock in wm_adsp_write_ctl() 9p: Fix read/write debug statements to report server reply mptcp: don't account accept() of non-MPC client as fallback to TCP selftests: mptcp: use += operator to append strings selftests: mptcp: connect: fix shellcheck warnings KVM: SVM: Add support for allowing zero SEV ASIDs KVM: SVM: Use unsigned integers when dealing with ASIDs net: ravb: Always update error counters net: ravb: Always process TX descriptor ring net: ravb: Let IP-specific receive function to interrogate descriptors mean_and_variance: Drop always failing tests e1000e: move force SMBUS from enable ulp function to avoid PHY loss issue e1000e: Minor flow correction in e1000_shutdown function drm/amd: Flush GFXOFF requests in prepare stage i40e: Enforce software interrupt during busy-poll exit i40e: fix vf may be used uninitialized in this function warning i40e: fix i40e_count_filters() to count only active/new filters octeontx2-af: Add array index check octeontx2-pf: check negative error code in otx2_open() octeontx2-af: Fix issue with loading coalesced KPU profiles udp: prevent local UDP tunnel packets from being GROed udp: do not transition UDP GRO fraglist partial checksums to unnecessary udp: do not accept non-tunnel GSO skbs landing in a tunnel r8169: skip DASH fw status checks when DASH is disabled mlxbf_gige: stop interface during shutdown ipv6: Fix infinite recursion in fib6_dump_done(). e1000e: Workaround for sporadic MDI error on Meteor Lake systems ax25: fix use-after-free bugs caused by ax25_ds_del_timer tcp: Fix bind() regression for v6-only wildcard and v4(-mapped-v6) non-wildcard addresses. selftests: reuseaddr_conflict: add missing new line at the end of the output erspan: make sure erspan_base_hdr is present in skb->head tcp: Fix bind() regression for v6-only wildcard and v4-mapped-v6 non-wildcard addresses. i40e: Fix VF MAC filter removal ice: fix enabling RX VLAN filtering idpf: fix kernel panic on unknown packet types gro: fix ownership transfer selftests: net: gro fwd: update vxlan GRO test expectations net: dsa: mv88e6xxx: fix usable ports on 88e6020 net: phy: micrel: Fix potential null pointer dereference net: fec: Set mac_managed_pm during probe net: txgbe: fix i2c dev name cannot match clkdev net: phy: micrel: lan8814: Fix when enabling/disabling 1-step timestamping net: stmmac: fix rx queue priority assignment net/sched: fix lockdep splat in qdisc_tree_reduce_backlog() net: dsa: sja1105: Fix parameters order in sja1110_pcs_mdio_write_c45() net/sched: act_skbmod: prevent kernel-infoleak KVM: arm64: Ensure target address is granule-aligned for range TLBI KVM: arm64: Use TLBI_TTL_UNKNOWN in __kvm_tlb_flush_vmid_range() x86/retpoline: Do the necessary fixup to the Zen3/4 srso return thunk for !SRSO mptcp: prevent BPF accessing lowat from a subflow socket. bpf, sockmap: Prevent lock inversion deadlock in map delete elem vboxsf: Avoid an spurious warning if load_nls_xxx() fails netfilter: validate user input for expected length netfilter: nf_tables: discard table flag update with pending basechain deletion netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() netfilter: nf_tables: flush pending destroy work before exit_net release netfilter: nf_tables: reject new basechain after table flag update vsock/virtio: fix packet delivery to tap device net: mana: Fix Rx DMA datasize and skb_over_panic net: usb: ax88179_178a: avoid the interface always configured as random address net/rds: fix possible cp null dereference xen-netfront: Add missing skb_mark_for_recycle selftests: mptcp: join: fix dev in check_endpoint netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path netfilter: nf_tables: release batch on table validation from abort path Bluetooth: Fix TOCTOU in HCI debugfs implementation Bluetooth: hci_event: set the conn encrypted before conn establishes Bluetooth: add quirk for broken address properties Bluetooth: qca: fix device-address endianness arm64: dts: qcom: sc7180-trogdor: mark bluetooth address as broken Revert "Bluetooth: hci_qca: Set BDA quirk bit if fwnode exists in DT" x86/bpf: Fix IP after emitting call depth accounting x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word x86/cpufeatures: Add new word for scattered features r8169: fix issue caused by buggy BIOS on certain boards with RTL8168d selinux: avoid dereference of garbage after mount failure KVM: arm64: Fix out-of-IPA space translation fault handling KVM: arm64: Fix host-programmed guest events in nVHE RISC-V: KVM: Fix APLIC in_clrip[x] read emulation RISC-V: KVM: Fix APLIC setipnum_le/be write emulation gpio: cdev: sanitize the label before requesting the interrupt Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped." mm/treewide: replace pud_large() with pud_leaf() kbuild: make -Woverride-init warnings more consistent modpost: do not make find_tosym() return NULL dm integrity: fix out-of-range warning drm/i915: Do not print 'pxp init failed with 0' when it succeed drm/i915/mtl: Update workaround 14018575942 drm/i915/xelpg: Extend some workarounds/tuning to gfx version 12.74 drm/i915/display: Disable AuxCCS framebuffers if built for Xe drm/i915: Stop doing double audio enable/disable on SDVO and g4x+ DP inet: inet_defrag: prevent sk release while still in use Octeontx2-af: fix pause frame configuration in GMP mode net: lan743x: Add set RFE read fifo threshold for PCI1x1x chips net: bcmasp: Bring up unimac after PHY link up iommu: Validate the PASID in iommu_attach_device_pasid() netfilter: nf_tables: skip netdev hook unregistration if table is dormant netfilter: nf_tables: reject table flag and netdev basechain updates netfilter: nf_tables: reject destroy command to remove basechain hooks cifs: Fix duplicate fscache cookie warnings bpf: Protect against int overflow for stack access size drm/amd/display: Send DTBCLK disable message on first commit drm/amd/display: Update P010 scaling cap mlxbf_gige: call request_irq() after NAPI initialized tls: get psock ref after taking rxlock to avoid leak tls: adjust recv return with async crypto and failed copy to userspace tls: recv: process_rx_list shouldn't use an offset with kvec net: hns3: mark unexcuted loopback test result as UNEXECUTED net: hns3: fix kernel crash when devlink reload during pf initialization net: hns3: fix index limit to support all queue stats ACPICA: debugger: check status of acpi_evaluate_object() in acpi_db_walk_for_fields() gpiolib: Fix debug messaging in gpiod_find_and_request() selftests: vxlan_mdb: Fix failures with old libnet drm/rockchip: vop2: Remove AR30 and AB30 format support net: wwan: t7xx: Split 64bit accesses to fix alignment issues tcp: properly terminate timers for kernel sockets net: hsr: hsr_slave: Fix the promiscuous mode in offload mode s390/qeth: handle deferred cc1 dpll: indent DPLL option type by a tab drm/xe/device: fix XE_MAX_TILES_PER_DEVICE check drm/xe/device: fix XE_MAX_GT_PER_TILE check drm/xe/queue: fix engine_class bounds check drm/xe/guc_submit: use jiffies for job timeout drm/xe: Add exec_queue.sched_props.job_timeout_ms drm/xe: Remove unused xe_bo->props struct igc: Remove stale comment about Tx timestamping ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa() ice: fix memory corruption bug with suspend and rebuild ice: Refactor FW data type and fix bitmap casting issue ALSA: hda: cs35l56: Set the init_done flag before component_add() wifi: iwlwifi: mvm: include link ID when releasing frames wifi: iwlwifi: mvm: rfi: fix potential response leaks wifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF mlxbf_gige: stop PHY during open() error paths tools: ynl: fix setting presence bits in simple nests nfsd: Fix error cleanup path in nfsd_rename() nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet arm64: bpf: fix 32bit unconditional bswap dma-buf: Fix NULL pointer dereference in sanitycheck() bpf, arm64: fix bug in BPF_LDX_MEMSX s390/bpf: Fix bpf_plt pointer arithmetic xsk: Don't assume metadata is always requested in TX completion scripts/bpf_doc: Use silent mode when exec make cmd