Ubuntu
linux package

Jammy update: v5.15.166 upstream stable release

Bug #2080594 reported by Koichiro Den on 2024-09-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Jammy	Fix Released	Medium	Koichiro Den

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

v5.15.166 upstream stable release
from git://git.kernel.org/

fuse: Initialize beyond-EOF page contents before setting uptodate
char: xillybus: Don't destroy workqueue from work item running on it
char: xillybus: Refine workqueue handling
char: xillybus: Check USB endpoints when probing device
ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET
ALSA: usb-audio: Support Yamaha P-125 quirk entry
xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
thunderbolt: Mark XDomain as unplugged when router is removed
s390/dasd: fix error recovery leading to data corruption on ESE devices
arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE
dm resume: don't return EINVAL when signalled
dm persistent data: fix memory allocation failure
vfs: Don't evict inode under the inode lru traversing context
fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()
s390/cio: rename bitmap_size() -> idset_bitmap_size()
btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
bitmap: introduce generic optimized bitmap_size()
fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
selinux: fix potential counting error in avc_add_xperms_decision()
btrfs: tree-checker: add dev extent item checks
drm/amdgpu: Actually check flags for all context ops.
memcg_write_event_control(): fix a user-triggerable oops
drm/amdgpu/jpeg2: properly set atomics vmid field
s390/uv: Panic for set and remove shared access UVC errors
igc: Correct the launchtime offset
igc: remove I226 Qbv BaseTime restriction
igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer
net/mlx5e: Correctly report errors for ethtool rx flows
atm: idt77252: prevent use after free in dequeue_rx()
net: axienet: Fix register defines comment description
net: dsa: vsc73xx: pass value in phy_write operation
net: dsa: vsc73xx: use read_poll_timeout instead delay loop
net: dsa: vsc73xx: check busy flag in MDIO operations
mlxbf_gige: Remove two unused function declarations
mlxbf_gige: disable RX filters until RX path initialized
mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size
netfilter: allow ipv6 fragments to arrive on different devices
netfilter: flowtable: initialise extack before use
netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
net: hns3: fix wrong use of semaphore up
net: hns3: fix a deadlock problem when config TC during resetting
ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7
ssb: Fix division by zero issue in ssb_calc_clock_rate
wifi: cfg80211: check wiphy mutex is held for wdev mutex
wifi: mac80211: fix BA session teardown race
wifi: cw1200: Avoid processing an invalid TIM IE
i2c: riic: avoid potential division by zero
RDMA/rtrs: Fix the problem of variable not initialized fully
s390/smp,mcck: fix early IPI handling
i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out
i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer
media: radio-isa: use dev_name to fill in bus_info
staging: iio: resolver: ad2s1210: fix use before initialization
drm/amd/display: Validate hw_points_num before using it
staging: ks7010: disable bh on tx_dev_lock
binfmt_misc: cleanup on filesystem umount
media: qcom: venus: fix incorrect return value
scsi: spi: Fix sshdr use
gfs2: setattr_chown: Add missing initialization
wifi: iwlwifi: abort scan when rfkill on but device enabled
wifi: iwlwifi: fw: Fix debugfs command sending
IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock
hwmon: (ltc2992) Avoid division by zero
arm64: Fix KASAN random tag seed initialization
memory: tegra: Skip SID programming if SID registers aren't set
powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu
nvmet-trace: avoid dereferencing pointer too early
ext4: do not trim the group with corrupted block bitmap
afs: fix __afs_break_callback() / afs_drop_open_mmap() race
fuse: fix UAF in rcu pathwalks
quota: Remove BUG_ON from dqget()
media: pci: cx23885: check cx23885_vdev_init() return
fs: binfmt_elf_efpic: don't use missing interpreter's properties
scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()
media: drivers/media/dvb-core: copy user arrays safely
net/sun3_82586: Avoid reading past buffer in debug output
drm/lima: set gp bus_stop bit before hard reset
virtiofs: forbid newlines in tags
clocksource/drivers/arm_global_timer: Guard against division by zero
netlink: hold nlk->cb_mutex longer in __netlink_dump_start()
md: clean up invalid BUG_ON in md_ioctl
x86: Increase brk randomness entropy for 64-bit systems
memory: stm32-fmc2-ebi: check regmap_read return value
parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367
powerpc/boot: Handle allocation failure in simple_realloc()
powerpc/boot: Only free if realloc() succeeds
btrfs: change BUG_ON to assertion when checking for delayed_node root
btrfs: handle invalid root reference found in may_destroy_subvol()
btrfs: send: handle unexpected data in header buffer in begin_cmd()
btrfs: change BUG_ON to assertion in tree_move_down()
btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent()
f2fs: fix to do sanity check in update_sit_entry
usb: gadget: fsl: Increase size of name buffer for endpoints
Bluetooth: bnep: Fix out-of-bound access
net: hns3: add checking for vf id of mailbox
nvmet-tcp: do not continue for invalid icreq
NFS: avoid infinite loop in pnfs_update_layout.
openrisc: Call setup_memory() earlier in the init sequence
s390/iucv: fix receive buffer virtual vs physical address confusion
clocksource: Make watchdog and suspend-timing multiplication overflow safe
platform/x86: lg-laptop: fix %s null argument warning
usb: dwc3: core: Skip setting event buffers for host only controllers
irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
ext4: set the type of max_zeroout to unsigned int to avoid overflow
nvmet-rdma: fix possible bad dereference when freeing rsps
hrtimer: Prevent queuing of hrtimer without a function callback
gtp: pull network headers in gtp_dev_xmit()
block: use "unsigned long" for blk_validate_block_size().
nfsd: move reply cache initialization into nfsd startup
nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net
NFSD: Refactor nfsd_reply_cache_free_locked()
NFSD: Rename nfsd_reply_cache_alloc()
NFSD: Replace nfsd_prune_bucket()
NFSD: Refactor the duplicate reply cache shrinker
NFSD: Rewrite synopsis of nfsd_percpu_counters_init()
NFSD: Fix frame size warning in svc_export_parse()
sunrpc: don't change ->sv_stats if it doesn't exist
nfsd: stop setting ->pg_stats for unused stats
sunrpc: pass in the sv_stats struct through svc_create_pooled
sunrpc: remove ->pg_stats from svc_program
sunrpc: use the struct net as the svc proc private
nfsd: rename NFSD_NET_* to NFSD_STATS_*
nfsd: expose /proc/net/sunrpc/nfsd in net namespaces
nfsd: make all of the nfsd stats per-network namespace
nfsd: remove nfsd_stats, make th_cnt a global counter
nfsd: make svc_stat per-network namespace instead of global
media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
dm suspend: return -ERESTARTSYS instead of -EINTR
net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings
platform/surface: aggregator: Fix warning when controller is destroyed in probe
Bluetooth: hci_core: Fix LE quote calculation
Bluetooth: SMP: Fix assumption of Central always being Initiator
tc-testing: don't access non-existent variable on exception
kcm: Serialise kcm_sendmsg() for the same socket.
netfilter: nft_counter: Disable BH in nft_counter_offload_stats().
netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
ip6_tunnel: Fix broken GRO
bonding: fix bond_ipsec_offload_ok return type
bonding: fix null pointer deref in bond_ipsec_offload_ok
bonding: fix xfrm real_dev null pointer dereference
bonding: fix xfrm state handling when clearing active slave
ice: fix ICE_LAST_OFFSET formula
dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()
net: dsa: mv88e6xxx: read FID when handling ATU violations
net: dsa: mv88e6xxx: replace ATU violation prints with trace points
net: dsa: mv88e6xxx: Fix out-of-bound access
netem: fix return value if duplicate enqueue fails
ipv6: prevent UAF in ip6_send_skb()
ipv6: fix possible UAF in ip6_finish_output2()
ipv6: prevent possible UAF in ip6_xmit()
netfilter: flowtable: validate vlan header
net: xilinx: axienet: Always disable promiscuous mode
net: xilinx: axienet: Fix dangling multicast addresses
drm/msm/dpu: don't play tricks with debug macros
drm/msm/dp: reset the link phy params before link training
drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails
mmc: mmc_test: Fix NULL dereference on allocation failure
Bluetooth: MGMT: Add error handling to pair_device()
scsi: core: Fix the return value of scsi_logical_block_count()
MIPS: Loongson64: Set timer mode in cpu-probe
HID: wacom: Defer calculation of resolution until resolution_code is known
HID: microsoft: Add rumble support to latest xbox controllers
cxgb4: add forgotten u64 ivlan cast before shift
KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
mmc: dw_mmc: allow biu and ciu clocks to defer
Revert "drm/amd/display: Validate hw_points_num before using it"
hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()
ALSA: timer: Relax start tick time check for slave timer elements
mm/numa: no task_numa_fault() call if PMD is changed
mm/numa: no task_numa_fault() call if PTE is changed
Input: MT - limit max slots
tools: move alignment-related macros to new <linux/align.h>
btrfs: run delayed iputs when flushing delalloc
pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins
pinctrl: single: fix potential NULL dereference in pcs_get_function()
wifi: mwifiex: duplicate static structs used in driver instances
net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response
mptcp: sched: check both backup in retrans
Revert "MIPS: Loongson64: reset: Prioritise firmware service"
drm/amdkfd: don't allow mapping the MMIO HDP page with large pages
ata: libata-core: Fix null pointer dereference on error
cgroup/cpuset: Prevent UAF in proc_cpuset_show()
net:rds: Fix possible deadlock in rds_message_put
soundwire: stream: fix programming slave ports for non-continous port maps
PM: core: Remove DEFINE_UNIVERSAL_DEV_PM_OPS() macro
PM: core: Add EXPORT[_GPL]_SIMPLE_DEV_PM_OPS macros
PM: runtime: Add DEFINE_RUNTIME_DEV_PM_OPS() macro
phy: xilinx: add runtime PM support
phy: xilinx: phy-zynqmp: dynamic clock support for power-save
phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume
dmaengine: dw: Add peripheral bus width verification
dmaengine: dw: Add memory bus width verification
ethtool: check device is present when getting link settings
gtp: fix a potential NULL pointer dereference
net: busy-poll: use ktime_get_ns() instead of local_clock()
nfc: pn533: Add poll mod list filling check
soc: qcom: cmd-db: Map shared memory as WC, not WB
cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller
USB: serial: option: add MeiG Smart SRM825L
usb: dwc3: omap: add missing depopulate in probe error path
usb: dwc3: core: Prevent USB core invalid event buffer address access
usb: dwc3: st: fix probed platform device ref count on probe error path
usb: dwc3: st: add missing depopulate in probe error path
usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes()
usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function
usb: cdnsp: fix for Link TRB with TC
phy: zynqmp: Enable reference clock correctly
igc: Fix reset adapter logics when tx mode change
igc: Fix qbv tx latency by setting gtxoffset
scsi: aacraid: Fix double-free on probe failure
apparmor: fix policy_unpack_test on big endian systems
Linux 5.15.166
UBUNTU: Upstream stable to v5.15.166

See original description

Tags:

CVE References

Koichiro Den (koichiroden) on 2024-09-13

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug
Changed in linux (Ubuntu):
status:	Confirmed → Invalid
Changed in linux (Ubuntu Jammy):
assignee:	nobody → Koichiro Den (koichiroden)
importance:	Undecided → Medium
status:	New → In Progress
description:	updated

Stefan Bader (smb) on 2024-09-13

Changed in linux (Ubuntu Jammy):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-11-07:

Download full text (63.4 KiB)

This bug was fixed in the package linux - 5.15.0-125.135

---------------
linux (5.15.0-125.135) jammy; urgency=medium

* jammy/linux: 5.15.0-125.135 -proposed tracker (LP: #2083001)

  * CVE-2024-26800
    - tls: rx: coalesce exit paths in tls_decrypt_sg()
    - tls: separate no-async decryption request handling from async
    - tls: fix use-after-free on failed backlog decryption

  * Please backport the more restrictive XSAVES deactivation for Zen1/2 arch
    (LP: #2077321)
    - x86/CPU/AMD: Improve the erratum 1386 workaround

This bug was fixed in the package linux - 5.15.0-125.135

---------------
linux (5.15.0-125.135) jammy; urgency=medium

* jammy/linux: 5.15.0-125.135 -proposed tracker (LP: #2083001)

* CVE-2024-26800
    - tls: rx: coalesce exit paths in tls_decrypt_sg()
    - tls: separate no-async decryption request handling from async
    - tls: fix use-after-free on failed backlog decryption

* Please backport the more restrictive XSAVES deactivation for  Zen1/2 arch
    (LP: #2077321)
    - x86/CPU/AMD: Improve the erratum 1386 workaround

* Jammy update: v5.15.167 upstream stable release (LP: #2081279)
    - drm: panel-orientation-quirks: Add quirk for OrangePi Neo
    - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown
    - ALSA: hda/conexant: Mute speakers at suspend / shutdown
    - i2c: Fix conditional for substituting empty ACPI functions
    - dma-debug: avoid deadlock between dma debug vs printk and netconsole
    - net: usb: qmi_wwan: add MeiG Smart SRM825L
    - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
    - drm/amd/display: Assign linear_pitch_alignment even for VM
    - drm/amdgpu: fix overflowed array index read warning
    - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc
    - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr
    - drm/amd/pm: fix warning using uninitialized value of max_vid_step
    - drm/amd/pm: fix the Out-of-bounds read warning
    - drm/amdgpu: fix uninitialized scalar variable warning
    - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr
    - drm/amdgpu: avoid reading vf2pf info size from FB
    - drm/amd/display: Check gpio_id before used as array index
    - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6
    - drm/amd/display: Add array index check for hdcp ddc access
    - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]
    - drm/amd/display: Check msg_id before processing transcation
    - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within
      dal_gpio_service_create
    - drm/amd/amdgpu: Check tbo resource pointer
    - drm/amdgpu/pm: Fix uninitialized variable warning for smu10
    - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response
    - drm/amdgpu: Fix out-of-bounds write warning
    - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
    - drm/amdgpu: fix ucode out-of-bounds read warning
    - drm/amdgpu: fix mc_data out-of-bounds read warning
    - drm/amdkfd: Reconcile the definition and use of oem_id in struct
      kfd_topology_device
    - apparmor: fix possible NULL pointer dereference
    - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy
      SOCs
    - drm/amdgpu: fix the waring dereferencing hive
    - drm/amd/pm: check specific index for aldebaran
    - drm/amdgpu: the warning dereferencing obj for nbio_v7_4
    - drm/amd/pm: check negtive return for table entries
    - drm/amdgpu: update type of buf size to u32 for eeprom functions
    - wifi: iwlwifi: remove fw_running op
    - cpufreq: scmi: Avoid overflow of target_freq in fast switch
    - PCI: al: Check IORESOURCE_BUS existence during probe
    - hwspinlock: Introduce hwspin_lock_bust()
    - RDMA/efa: Properly handle unexpected AQ completions
    - ionic: fix potential irq name truncation
    - rcu/nocb: Remove buggy bypass lock contention mitigation
    - usbip: Don't submit special requests twice
    - usb: typec: ucsi: Fix null pointer dereference in trace
    - fsnotify: clear PARENT_WATCHED flags lazily
    - smack: tcp: ipv4, fix incorrect labeling
    - drm/meson: plane: Add error handling
    - drm/bridge: tc358767: Check if fully initialized before signalling HPD event
      via IRQ
    - wifi: cfg80211: make hash table duplicates more survivable
    - block: remove the blk_flush_integrity call in blk_integrity_unregister
    - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
    - media: uvcvideo: Enforce alignment of frame and interval
    - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
    - virtio_net: Fix napi_skb_cache_put warning
    - rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow
    - ext4: reject casefold inode flag without casefold feature
    - udf: Limit file size to 4TB
    - ext4: handle redirtying in ext4_bio_write_page()
    - i2c: Use IS_REACHABLE() for substituting empty ACPI functions
    - sch/netem: fix use after free in netem_dequeue
    - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
    - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE
    - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing
    - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius
      devices
    - ALSA: hda/realtek: add patch for internal mic in Lenovo V145
    - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx
    - ata: libata: Fix memory leak for error path in ata_host_alloc()
    - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
    - rtmutex: Drop rt_mutex::wait_lock before scheduling
    - nvme-pci: Add sleep quirk for Samsung 990 Evo
    - Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE"
    - Bluetooth: MGMT: Ignore keys being loaded with invalid type
    - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
    - mmc: sdhci-of-aspeed: fix module autoloading
    - mmc: cqhci: Fix checking of CQHCI_HALT state
    - fuse: update stats for pages in dropped aux writeback list
    - fuse: use unsigned type for getxattr/listxattr size truncation
    - clk: qcom: clk-alpha-pll: Fix the pll post div mask
    - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API
    - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open
    - tracing: Avoid possible softlockup in tracing_iter_reset()
    - ila: call nf_unregister_net_hooks() sooner
    - sched: sch_cake: fix bulk flow accounting logic for host fairness
    - nilfs2: fix missing cleanup on rollforward recovery error
    - nilfs2: fix state management in error path of log writing function
    - mptcp: pm: re-using ID of unused flushed subflows
    - mptcp: pm: only decrement add_addr_accepted for MPJ req
    - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR
    - mptcp: pm: fullmesh: select the right ID later
    - mptcp: constify a bunch of of helpers
    - mptcp: pm: avoid possible UaF when selecting endp
    - mptcp: avoid duplicated SUB_CLOSED events
    - mptcp: close subflow when receiving TCP+FIN
    - mptcp: pm: ADD_ADDR 0 is not a new address
    - mptcp: pm: do not remove already closed subflows
    - mptcp: pm: skip connecting to already established sf
    - mptcp: pr_debug: add missing \n at the end
    - mptcp: pm: send ACK on an active subflow
    - ALSA: hda: Add input value sanity checks to HDMI channel map controls
    - smack: unix sockets: fix accept()ed socket label
    - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
    - af_unix: Remove put_pid()/put_cred() in copy_peercred().
    - iommu: sun50i: clear bypass register
    - netfilter: nf_conncount: fix wrong variable type
    - udf: Avoid excessive partition lengths
    - media: vivid: fix wrong sizeimage value for mplane
    - leds: spi-byte: Call of_node_put() on error path
    - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
    - usb: uas: set host status byte on data completion error
    - drm/amd/display: Check HDCP returned status
    - media: vivid: don't set HDMI TX controls if there are no HDMI outputs
    - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)
    - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
    - pcmcia: Use resource_size function on resource object
    - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6
    - can: bcm: Remove proc entry when dev is unregistered.
    - can: m_can: Release irq on error in m_can_open
    - igb: Fix not clearing TimeSync interrupts for 82580
    - platform/x86: dell-smbios: Fix error path in dell_smbios_init()
    - tcp_bpf: fix return value of tcp_bpf_sendmsg()
    - igc: Unlock on error in igc_io_resume()
    - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset
    - net: usb: don't write directly to netdev->dev_addr
    - usbnet: modern method to get random MAC
    - bareudp: Fix device stats updates.
    - gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers
    - gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers
    - fou: Fix null-ptr-deref in GRO.
    - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
    - net: dsa: vsc73xx: fix possible subblocks range of CAPT block
    - ASoC: topology: Properly initialize soc_enum values
    - dm init: Handle minors larger than 255
    - iommu/vt-d: Handle volatile descriptor status read
    - cgroup: Protect css->cgroup write under css_set_lock
    - um: line: always fill *error_out in setup_one_line()
    - devres: Initialize an uninitialized struct member
    - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
    - hwmon: (adc128d818) Fix underflows seen when writing limit attributes
    - hwmon: (lm95234) Fix underflows seen when writing limit attributes
    - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
    - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
    - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
    - drm/amdgpu: Set no_hw_access when VF request full GPU fails
    - ext4: fix possible tid_t sequence overflows
    - dma-mapping: benchmark: Don't starve others when doing the test
    - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
    - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
    - fs/ntfs3: Check more cases when directory is corrupted
    - btrfs: replace BUG_ON with ASSERT in walk_down_proc()
    - btrfs: clean up our handling of refs == 0 in snapshot delete
    - btrfs: replace BUG_ON() with error handling at update_ref_for_cow()
    - riscv: set trap vector earlier
    - PCI: Add missing bridge lock to pci_bus_lock()
    - net: dpaa: avoid on-stack arrays of NR_CPUS elements
    - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup
    - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated
    - btrfs: initialize location to fix -Wmaybe-uninitialized in
      btrfs_lookup_dentry()
    - s390/vmlinux.lds.S: Move ro_after_init section behind rodata section
    - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
    - HID: amd_sfh: free driver_data after destroying hid device
    - Input: uinput - reject requests with unreasonable number of slots
    - usbnet: ipheth: race between ipheth_close and error handling
    - Squashfs: sanity check symbolic link size
    - of/irq: Prevent device address out-of-bounds read in interrupt map walk
    - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
    - MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed
    - ata: pata_macio: Use WARN instead of BUG
    - NFSv4: Add missing rescheduling points in
      nfs_client_return_marked_delegations
    - cifs: Check the lease context if we actually got a lease
    - staging: iio: frequency: ad9834: Validate frequency parameter value
    - iio: buffer-dmaengine: fix releasing dma channel on error
    - iio: fix scale application in iio_convert_raw_to_processed_unlocked
    - iio: adc: ad7124: fix config comparison
    - iio: adc: ad7124: fix chip ID mismatch
    - usb: dwc3: core: update LC timer as per USB Spec V3.2
    - binder: fix UAF caused by offsets overwrite
    - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
    - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
    - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
    - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
    - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX
    - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime
    - clocksource/drivers/timer-of: Remove percpu irq related code
    - uprobes: Use kzalloc to allocate xol area
    - perf/aux: Fix AUX buffer serialization
    - ksmbd: unset the binding mark of a reused connection
    - ksmbd: Unlock on in ksmbd_tcp_set_interfaces()
    - nilfs2: replace snprintf in show functions with sysfs_emit
    - nilfs2: protect references to superblock parameters exposed in sysfs
    - workqueue: wq_watchdog_touch is always called with valid CPU
    - workqueue: Improve scalability of workqueue watchdog touch
    - ACPI: processor: Return an error if acpi_processor_get_info() fails in
      processor_add()
    - ACPI: processor: Fix memory leaks in error paths of processor_add()
    - arm64: acpi: Move get_cpu_for_acpi_id() to a header
    - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
    - nvmet-tcp: fix kernel crash if commands allocation fails
    - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode
    - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused
    - drm/i915/fence: Mark debug_fence_free() with __maybe_unused
    - gpio: rockchip: fix OF node leak in probe()
    - net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation
    - net: change maximum number of UDP segments to 128
    - gso: fix dodgy bit handling for GSO_UDP_L4
    - net: drop bad gso csum_start and offset in virtio_net_hdr
    - x86/mm: Fix PTI for i386 some more
    - net, sunrpc: Remap EPERM in case of connection failure in
      xs_tcp_setup_socket
    - btrfs: fix race between direct IO write and fsync when using same fd
    - memcg: protect concurrent access to mem_cgroup_idr
    - udp: fix receiving fraglist GSO packets
    - Linux 5.15.167

* CVE-2024-41071
    - wifi: mac80211: Avoid address calculations via out of bounds array indexing

* CVE-2024-40915
    - riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context

* CVE-2024-38611
    - media: i2c: et8ek8: Don't strip remove function when driver is builtin

* CVE-2024-38602
    - ax25: Fix reference count leak issues of ax25_dev

* CVE-2024-26669
    - net/sched: flower: Fix chain template offload

* CVE-2024-26607
    - drm/bridge: sii902x: Fix probing race issue

* Jammy update: v5.15.166 upstream stable release (LP: #2080594)
    - fuse: Initialize beyond-EOF page contents before setting uptodate
    - char: xillybus: Don't destroy workqueue from work item running on it
    - char: xillybus: Refine workqueue handling
    - char: xillybus: Check USB endpoints when probing device
    - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET
    - ALSA: usb-audio: Support Yamaha P-125 quirk entry
    - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
    - thunderbolt: Mark XDomain as unplugged when router is removed
    - s390/dasd: fix error recovery leading to data corruption on ESE devices
    - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to
      NUMA_NO_NODE
    - dm resume: don't return EINVAL when signalled
    - dm persistent data: fix memory allocation failure
    - vfs: Don't evict inode under the inode lru traversing context
    - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()
    - s390/cio: rename bitmap_size() -> idset_bitmap_size()
    - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
    - bitmap: introduce generic optimized bitmap_size()
    - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
    - selinux: fix potential counting error in avc_add_xperms_decision()
    - btrfs: tree-checker: add dev extent item checks
    - drm/amdgpu: Actually check flags for all context ops.
    - memcg_write_event_control(): fix a user-triggerable oops
    - drm/amdgpu/jpeg2: properly set atomics vmid field
    - s390/uv: Panic for set and remove shared access UVC errors
    - igc: Correct the launchtime offset
    - igc: remove I226 Qbv BaseTime restriction
    - igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer
    - net/mlx5e: Correctly report errors for ethtool rx flows
    - atm: idt77252: prevent use after free in dequeue_rx()
    - net: axienet: Fix register defines comment description
    - net: dsa: vsc73xx: pass value in phy_write operation
    - net: dsa: vsc73xx: use read_poll_timeout instead delay loop
    - net: dsa: vsc73xx: check busy flag in MDIO operations
    - mlxbf_gige: Remove two unused function declarations
    - mlxbf_gige: disable RX filters until RX path initialized
    - mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size
    - netfilter: allow ipv6 fragments to arrive on different devices
    - netfilter: flowtable: initialise extack before use
    - netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
    - net: hns3: fix wrong use of semaphore up
    - net: hns3: fix a deadlock problem when config TC during resetting
    - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7
    - ssb: Fix division by zero issue in ssb_calc_clock_rate
    - wifi: cfg80211: check wiphy mutex is held for wdev mutex
    - wifi: mac80211: fix BA session teardown race
    - wifi: cw1200: Avoid processing an invalid TIM IE
    - i2c: riic: avoid potential division by zero
    - RDMA/rtrs: Fix the problem of variable not initialized fully
    - s390/smp,mcck: fix early IPI handling
    - i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out
    - i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer
    - media: radio-isa: use dev_name to fill in bus_info
    - staging: iio: resolver: ad2s1210: fix use before initialization
    - drm/amd/display: Validate hw_points_num before using it
    - staging: ks7010: disable bh on tx_dev_lock
    - binfmt_misc: cleanup on filesystem umount
    - media: qcom: venus: fix incorrect return value
    - scsi: spi: Fix sshdr use
    - gfs2: setattr_chown: Add missing initialization
    - wifi: iwlwifi: abort scan when rfkill on but device enabled
    - wifi: iwlwifi: fw: Fix debugfs command sending
    - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock
    - hwmon: (ltc2992) Avoid division by zero
    - arm64: Fix KASAN random tag seed initialization
    - memory: tegra: Skip SID programming if SID registers aren't set
    - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu
    - nvmet-trace: avoid dereferencing pointer too early
    - ext4: do not trim the group with corrupted block bitmap
    - afs: fix __afs_break_callback() / afs_drop_open_mmap() race
    - fuse: fix UAF in rcu pathwalks
    - quota: Remove BUG_ON from dqget()
    - media: pci: cx23885: check cx23885_vdev_init() return
    - fs: binfmt_elf_efpic: don't use missing interpreter's properties
    - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()
    - media: drivers/media/dvb-core: copy user arrays safely
    - net/sun3_82586: Avoid reading past buffer in debug output
    - drm/lima: set gp bus_stop bit before hard reset
    - virtiofs: forbid newlines in tags
    - clocksource/drivers/arm_global_timer: Guard against division by zero
    - netlink: hold nlk->cb_mutex longer in __netlink_dump_start()
    - md: clean up invalid BUG_ON in md_ioctl
    - x86: Increase brk randomness entropy for 64-bit systems
    - memory: stm32-fmc2-ebi: check regmap_read return value
    - parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367
    - powerpc/boot: Handle allocation failure in simple_realloc()
    - powerpc/boot: Only free if realloc() succeeds
    - btrfs: change BUG_ON to assertion when checking for delayed_node root
    - btrfs: handle invalid root reference found in may_destroy_subvol()
    - btrfs: send: handle unexpected data in header buffer in begin_cmd()
    - btrfs: change BUG_ON to assertion in tree_move_down()
    - btrfs: delete pointless BUG_ON check on quota root in
      btrfs_qgroup_account_extent()
    - f2fs: fix to do sanity check in update_sit_entry
    - usb: gadget: fsl: Increase size of name buffer for endpoints
    - Bluetooth: bnep: Fix out-of-bound access
    - net: hns3: add checking for vf id of mailbox
    - nvmet-tcp: do not continue for invalid icreq
    - NFS: avoid infinite loop in pnfs_update_layout.
    - openrisc: Call setup_memory() earlier in the init sequence
    - s390/iucv: fix receive buffer virtual vs physical address confusion
    - clocksource: Make watchdog and suspend-timing multiplication overflow safe
    - platform/x86: lg-laptop: fix %s null argument warning
    - usb: dwc3: core: Skip setting event buffers for host only controllers
    - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
    - ext4: set the type of max_zeroout to unsigned int to avoid overflow
    - nvmet-rdma: fix possible bad dereference when freeing rsps
    - hrtimer: Prevent queuing of hrtimer without a function callback
    - gtp: pull network headers in gtp_dev_xmit()
    - block: use "unsigned long" for blk_validate_block_size().
    - nfsd: move reply cache initialization into nfsd startup
    - nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net
    - NFSD: Refactor nfsd_reply_cache_free_locked()
    - NFSD: Rename nfsd_reply_cache_alloc()
    - NFSD: Replace nfsd_prune_bucket()
    - NFSD: Refactor the duplicate reply cache shrinker
    - NFSD: Rewrite synopsis of nfsd_percpu_counters_init()
    - NFSD: Fix frame size warning in svc_export_parse()
    - sunrpc: don't change ->sv_stats if it doesn't exist
    - nfsd: stop setting ->pg_stats for unused stats
    - sunrpc: pass in the sv_stats struct through svc_create_pooled
    - sunrpc: remove ->pg_stats from svc_program
    - sunrpc: use the struct net as the svc proc private
    - nfsd: rename NFSD_NET_* to NFSD_STATS_*
    - nfsd: expose /proc/net/sunrpc/nfsd in net namespaces
    - nfsd: make all of the nfsd stats per-network namespace
    - nfsd: remove nfsd_stats, make th_cnt a global counter
    - nfsd: make svc_stat per-network namespace instead of global
    - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
    - dm suspend: return -ERESTARTSYS instead of -EINTR
    - net: mana: Fix doorbell out of order violation and avoid unnecessary
      doorbell rings
    - platform/surface: aggregator: Fix warning when controller is destroyed in
      probe
    - Bluetooth: hci_core: Fix LE quote calculation
    - Bluetooth: SMP: Fix assumption of Central always being Initiator
    - tc-testing: don't access non-existent variable on exception
    - kcm: Serialise kcm_sendmsg() for the same socket.
    - netfilter: nft_counter: Disable BH in nft_counter_offload_stats().
    - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
    - ip6_tunnel: Fix broken GRO
    - bonding: fix bond_ipsec_offload_ok return type
    - bonding: fix null pointer deref in bond_ipsec_offload_ok
    - bonding: fix xfrm real_dev null pointer dereference
    - bonding: fix xfrm state handling when clearing active slave
    - ice: fix ICE_LAST_OFFSET formula
    - dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()
    - net: dsa: mv88e6xxx: read FID when handling ATU violations
    - net: dsa: mv88e6xxx: replace ATU violation prints with trace points
    - net: dsa: mv88e6xxx: Fix out-of-bound access
    - ipv6: prevent UAF in ip6_send_skb()
    - ipv6: fix possible UAF in ip6_finish_output2()
    - ipv6: prevent possible UAF in ip6_xmit()
    - netfilter: flowtable: validate vlan header
    - net: xilinx: axienet: Always disable promiscuous mode
    - net: xilinx: axienet: Fix dangling multicast addresses
    - drm/msm/dpu: don't play tricks with debug macros
    - drm/msm/dp: reset the link phy params before link training
    - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails
    - mmc: mmc_test: Fix NULL dereference on allocation failure
    - Bluetooth: MGMT: Add error handling to pair_device()
    - scsi: core: Fix the return value of scsi_logical_block_count()
    - MIPS: Loongson64: Set timer mode in cpu-probe
    - HID: wacom: Defer calculation of resolution until resolution_code is known
    - HID: microsoft: Add rumble support to latest xbox controllers
    - cxgb4: add forgotten u64 ivlan cast before shift
    - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
    - mmc: dw_mmc: allow biu and ciu clocks to defer
    - Revert "drm/amd/display: Validate hw_points_num before using it"
    - hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()
    - ALSA: timer: Relax start tick time check for slave timer elements
    - mm/numa: no task_numa_fault() call if PMD is changed
    - mm/numa: no task_numa_fault() call if PTE is changed
    - Input: MT - limit max slots
    - tools: move alignment-related macros to new <linux/align.h>
    - btrfs: run delayed iputs when flushing delalloc
    - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins
    - pinctrl: single: fix potential NULL dereference in pcs_get_function()
    - wifi: mwifiex: duplicate static structs used in driver instances
    - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response
    - mptcp: sched: check both backup in retrans
    - Revert "MIPS: Loongson64: reset: Prioritise firmware service"
    - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages
    - ata: libata-core: Fix null pointer dereference on error
    - cgroup/cpuset: Prevent UAF in proc_cpuset_show()
    - net:rds: Fix possible deadlock in rds_message_put
    - soundwire: stream: fix programming slave ports for non-continous port maps
    - PM: core: Remove DEFINE_UNIVERSAL_DEV_PM_OPS() macro
    - PM: core: Add EXPORT[_GPL]_SIMPLE_DEV_PM_OPS macros
    - PM: runtime: Add DEFINE_RUNTIME_DEV_PM_OPS() macro
    - phy: xilinx: add runtime PM support
    - phy: xilinx: phy-zynqmp: dynamic clock support for power-save
    - phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume
    - dmaengine: dw: Add peripheral bus width verification
    - dmaengine: dw: Add memory bus width verification
    - ethtool: check device is present when getting link settings
    - gtp: fix a potential NULL pointer dereference
    - net: busy-poll: use ktime_get_ns() instead of local_clock()
    - nfc: pn533: Add poll mod list filling check
    - soc: qcom: cmd-db: Map shared memory as WC, not WB
    - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller
    - USB: serial: option: add MeiG Smart SRM825L
    - usb: dwc3: omap: add missing depopulate in probe error path
    - usb: dwc3: core: Prevent USB core invalid event buffer address access
    - usb: dwc3: st: fix probed platform device ref count on probe error path
    - usb: dwc3: st: add missing depopulate in probe error path
    - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in
      remove_power_attributes()
    - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function
    - usb: cdnsp: fix for Link TRB with TC
    - phy: zynqmp: Enable reference clock correctly
    - igc: Fix reset adapter logics when tx mode change
    - igc: Fix qbv tx latency by setting gtxoffset
    - scsi: aacraid: Fix double-free on probe failure
    - apparmor: fix policy_unpack_test on big endian systems
    - Linux 5.15.166

* CVE-2024-26893
    - firmware: arm_scmi: Fix double free in SMC transport cleanup path

* [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer keys
    - kernel part (LP: #1959940)
    - s390: uv: Add offset comments to UV query struct and fix naming
    - s390/uv: Add SE hdr query information
    - s390/uv: Add dump fields to query
    - KVM: s390: pv: Add query interface
    - KVM: s390: pv: Add dump support definitions
    - KVM: s390: pv: Add query dump information
    - KVM: s390: Add configuration dump functionality
    - KVM: s390: Add CPU dump functionality
    - KVM: s390: Add KVM_CAP_S390_PROTECTED_DUMP
    - Documentation: KVM: add separate directories for architecture-specific
      documentation
    - Documentation: virt: Protected virtual machine dumps
    - Documentation/virt/kvm/api.rst: Add protvirt dump/info api descriptions
    - Documentation/virt/kvm/api.rst: Explain rc/rrc delivery

* turbostat fails with too many open files on large systems (LP: #2069961)
    - tools/power turbostat: Increase the limit for fd opened

* Jammy update: v5.15.165 upstream stable release (LP: #2078428)
    - f2fs: fix return value of f2fs_convert_inline_inode()
    - f2fs: fix to don't dirty inode for readonly filesystem
    - EDAC, i10nm: make skx_common.o a separate module
    - platform/chrome: cros_ec_debugfs: fix wrong EC message version
    - block: refactor to use helper
    - block: cleanup bio_integrity_prep
    - block: initialize integrity buffer to zero before writing it to media
    - hfsplus: fix to avoid false alarm of circular locking
    - x86/of: Return consistent error type from x86_of_pci_irq_enable()
    - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling
    - x86/pci/xen: Fix PCIBIOS_* return code handling
    - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
    - hwmon: (adt7475) Fix default duty on fan is disabled
    - pwm: stm32: Always do lazy disabling
    - drm/meson: fix canvas release in bind function
    - hwmon: (max6697) Fix underflow when writing limit attributes
    - hwmon: (max6697) Fix swapped temp{1,8} critical alarms
    - arm64: dts: qcom: sdm845: add power-domain to UFS PHY
    - arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of bindings
    - arm64: dts: qcom: sm8250: add power-domain to UFS PHY
    - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data()
      callers
    - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies
    - memory: fsl_ifc: Make FSL_IFC config visible and selectable
    - soc: qcom: pdr: protect locator_addr with the main mutex
    - soc: qcom: pdr: fix parsing of domains lists
    - arm64: dts: rockchip: Increase VOP clk rate on RK3328
    - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node
    - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset
    - ARM: dts: imx6qdl-kontron-samx6i: fix board reset
    - ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects
    - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity
    - arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property
    - arm64: dts: mediatek: mt7622: fix "emmc" pinctrl mux
    - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625
    - arm64: dts: amlogic: gx: correct hdmi clocks
    - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages
    - x86/xen: Convert comma to semicolon
    - m68k: cmpxchg: Fix return value for default case in __arch_xchg()
    - ARM: pxa: spitz: use gpio descriptors for audio
    - ARM: spitz: fix GPIO assignment for backlight
    - vmlinux.lds.h: catch .bss..L* sections into BSS")
    - firmware: turris-mox-rwtm: Do not complete if there are no waiters
    - firmware: turris-mox-rwtm: Fix checking return value of
      wait_for_completion_timeout()
    - firmware: turris-mox-rwtm: Initialize completion before mailbox
    - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
    - selftests/bpf: Fix prog numbers in test_sockmap
    - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP
    - tcp: annotate lockless accesses to sk->sk_err_soft
    - tcp: annotate lockless access to sk->sk_err
    - tcp: add tcp_done_with_error() helper
    - tcp: fix race in tcp_write_err()
    - tcp: fix races in tcp_v[46]_err()
    - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when
      CONFIG_ARCH_NO_SG_CHAIN is defined
    - selftests/bpf: Check length of recv in test_sockmap
    - lib: objagg: Fix general protection fault
    - mlxsw: spectrum_acl_erp: Fix object nesting warning
    - mlxsw: spectrum_acl_bloom_filter: Make mlxsw_sp_acl_bf_key_encode() more
      flexible
    - mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors
    - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers
    - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
    - wifi: cfg80211: handle 2x996 RU allocation in
      cfg80211_calculate_bitrate_he()
    - net: fec: Refactor: #define magic constants
    - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
    - libbpf: Checking the btf_type kind when fixing variable offsets
    - ipvs: Avoid unnecessary calls to skb_is_gso_sctp
    - netfilter: nf_tables: rise cap on SELinux secmark context
    - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation
    - perf: Fix perf_aux_size() for greater-than 32-bit size
    - perf: Prevent passing zero nr_pages to rb_alloc_aux()
    - perf: Fix default aux_watermark calculation
    - wifi: virt_wifi: avoid reporting connection success with wrong SSID
    - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey
    - wifi: virt_wifi: don't use strlen() in const context
    - locking/rwsem: Add __always_inline annotation to __down_write_common() and
      inlined callers
    - selftests/bpf: Close fd in error path in drop_on_reuseport
    - bpf: annotate BTF show functions with __printf
    - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
    - bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o
    - selftests: forwarding: devlink_lib: Wait for udev events after reloading
    - xdp: fix invalid wait context of page_pool_destroy()
    - drm/amd/pm: Fix aldebaran pcie speed reporting
    - drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit
    - drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before
      regulators
    - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()
    - media: dvb-usb: Fix unexpected infinite loop in
      dvb_usb_read_remote_control()
    - media: imon: Fix race getting ictx->lock
    - media: i2c: Fix imx412 exposure control
    - saa7134: Unchecked i2c_transfer function result fixed
    - media: uvcvideo: Override default flags
    - media: renesas: vsp1: Fix _irqsave and _irq mix
    - media: renesas: vsp1: Store RPF partition configuration per RPF instance
    - drm/mediatek: Add missing plane settings when async update
    - drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property
    - leds: trigger: Unregister sysfs attributes before calling deactivate()
    - perf report: Fix condition in sort__sym_cmp()
    - drm/etnaviv: fix DMA direction handling for cached RW buffers
    - drm/qxl: Add check for drm_cvt_mode
    - Revert "leds: led-core: Fix refcount leak in of_led_get()"
    - ext4: fix infinite loop when replaying fast_commit
    - media: venus: flush all buffers in output plane streamoff
    - perf intel-pt: Fix aux_watermark calculation for 64-bit size
    - perf intel-pt: Fix exclude_guest setting
    - mfd: rsmu: Split core code into separate module
    - mfd: omap-usb-tll: Use struct_size to allocate tll
    - xprtrdma: Fix rpcrdma_reqs_reset()
    - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.
    - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server
    - ext4: return early for non-eligible fast_commit track events
    - ext4: don't track ranges in fast_commit if inode has inlined data
    - ext4: avoid writing unitialized memory to disk in EA inodes
    - sparc64: Fix incorrect function signature and add prototype for
      prom_cif_init
    - SUNRPC: Fixup gss_status tracepoint error output
    - PCI: Fix resource double counting on remove & rescan
    - clk: qcom: branch: Add helper functions for setting retain bits
    - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock
    - coresight: Fix ref leak when of_coresight_parse_endpoint() fails
    - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE
    - RDMA/cache: Release GID table even if leak is detected
    - Input: qt1050 - handle CHIP_ID reading error
    - RDMA/mlx4: Fix truncated output warning in mad.c
    - RDMA/mlx4: Fix truncated output warning in alias_GUID.c
    - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
    - ASoC: max98088: Check for clk_prepare_enable() error
    - mtd: make mtd_test.c a separate module
    - RDMA/device: Return error earlier if port in not valid
    - Input: elan_i2c - do not leave interrupt disabled on suspend failure
    - PCI: endpoint: Clean up error handling in vpci_scan_bus()
    - vhost/vsock: always initialize seqpacket_allow
    - net: missing check virtio
    - MIPS: Octeron: remove source file executable bit
    - powerpc/xmon: Fix disassembly CPU feature checks
    - macintosh/therm_windtunnel: fix module unload.
    - RDMA/hns: Fix missing pagesize and alignment check in FRMR
    - RDMA/hns: Fix undifined behavior caused by invalid max_sge
    - RDMA/hns: Fix insufficient extend DB for VFs.
    - bnxt_re: Fix imm_data endianness
    - netfilter: ctnetlink: use helper function to calculate expect ID
    - netfilter: nf_set_pipapo: fix initial map fill
    - net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports
    - net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports
    - fs/ntfs3: Use ALIGN kernel macro
    - fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT
    - fs/ntfs3: Fix transform resident to nonresident for compressed files
    - fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting
    - fs/ntfs3: Fix getting file type
    - pinctrl: rockchip: update rk3308 iomux routes
    - pinctrl: core: fix possible memory leak when pinctrl_enable() fails
    - pinctrl: single: fix possible memory leak when pinctrl_enable() fails
    - pinctrl: ti: ti-iodelay: Drop if block with always false condition
    - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()
      fails
    - pinctrl: freescale: mxs: Fix refcount of child
    - fs/ntfs3: Replace inode_trylock with inode_lock
    - fs/ntfs3: Fix field-spanning write in INDEX_HDR
    - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP
    - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
    - rtc: interface: Add RTC offset to alarm after fix-up
    - fs/ntfs3: Missed error return
    - landlock: Don't lose track of restrictions on cred_transfer
    - mm/hugetlb: fix possible recursive locking detected warning
    - mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer
    - dt-bindings: thermal: correct thermal zone node name limit
    - tick/broadcast: Make takeover of broadcast hrtimer reliable
    - net: netconsole: Disable target before netpoll cleanup
    - af_packet: Handle outgoing VLAN packets without hardware offloading
    - ipv6: take care of scope when choosing the src addr
    - sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE
      tasks
    - fuse: verify {g,u}id mount options correctly
    - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
    - media: venus: fix use after free in vdec_close
    - ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error
    - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
    - ext2: Verify bitmap and itable block numbers before using them
    - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
    - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
    - scsi: qla2xxx: Fix optrom version displayed in FDMI
    - drm/amd/display: Check for NULL pointer
    - sched/fair: Use all little CPUs for CPU-bound workloads
    - apparmor: use kvfree_sensitive to free data->data
    - task_work: s/task_work_cancel()/task_work_cancel_func()/
    - task_work: Introduce task_work_cancel() again
    - udf: Avoid using corrupted block bitmap buffer
    - m68k: amiga: Turn off Warp1260 interrupts during boot
    - ext4: check dot and dotdot of dx_root before making dir indexed
    - ext4: make sure the first directory block is not a hole
    - io_uring: tighten task exit cancellations
    - selftests/landlock: Add cred_transfer test
    - wifi: mwifiex: Fix interface type change
    - leds: ss4200: Convert PCIBIOS_* return codes to errnos
    - jbd2: make jbd2_journal_get_max_txn_bufs() internal
    - media: uvcvideo: Fix integer overflow calculating timestamp
    - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()
    - ALSA: usb-audio: Fix microphone sound on HD webcam.
    - ALSA: usb-audio: Move HD Webcam quirk to the right place
    - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera
    - tools/memory-model: Fix bug in lock.cat
    - hwrng: amd - Convert PCIBIOS_* return codes to errnos
    - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
    - PCI: dw-rockchip: Fix initial PERST# GPIO value
    - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
    - binder: fix hang of unregistered readers
    - dev/parport: fix the array out-of-bounds risk
    - fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed
    - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
    - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
    - ubi: eba: properly rollback inside self_check_eba
    - decompress_bunzip2: fix rare decompression failure
    - kbuild: Fix '-S -c' in x86 stack protector scripts
    - kobject_uevent: Fix OOB access within zap_modalias_env()
    - gve: Fix an edge case for TSO skb validity check
    - devres: Fix devm_krealloc() wasting memory
    - devres: Fix memory leakage caused by driver API devm_free_percpu()
    - mm/numa_balancing: teach mpol_to_str about the balancing mode
    - rtc: cmos: Fix return value of nvmem callbacks
    - scsi: qla2xxx: During vport delete send async logout explicitly
    - scsi: qla2xxx: Unable to act on RSCN for port online
    - scsi: qla2xxx: Fix for possible memory corruption
    - scsi: qla2xxx: Use QP lock to search for bsg
    - scsi: qla2xxx: Fix flash read failure
    - scsi: qla2xxx: Complete command early within lock
    - scsi: qla2xxx: validate nvme_local_port correctly
    - perf: Fix event leak upon exit
    - perf: Fix event leak upon exec and file release
    - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR
    - perf/x86/intel/pt: Fix topa_entry base length
    - perf/x86/intel/pt: Fix a topa_entry base address calculation
    - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8
    - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell
    - drm/i915/dp: Reset intel_dp->link_trained before retraining the link
    - rtc: isl1208: Fix return value of nvmem callbacks
    - watchdog/perf: properly initialize the turbo mode timestamp and rearm
      counter
    - platform: mips: cpu_hwmon: Disable driver on unsupported hardware
    - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
    - selftests/sigaltstack: Fix ppc64 GCC build
    - rbd: don't assume rbd_is_lock_owner() for exclusive mappings
    - remoteproc: stm32_rproc: Fix mailbox interrupts queuing
    - remoteproc: imx_rproc: Skip over memory region when node value is NULL
    - MIPS: ip30: ip30-console: Add missing include
    - MIPS: dts: loongson: Fix GMAC phy node
    - MIPS: Loongson64: env: Hook up Loongsson-2K
    - MIPS: Loongson64: Remove memory node for builtin-dtb
    - MIPS: Loongson64: reset: Prioritise firmware service
    - MIPS: Loongson64: Test register availability before use
    - drm/panfrost: Mark simple_ondemand governor as softdep
    - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait
    - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings
    - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
    - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
    - nilfs2: handle inconsistent state in nilfs_btnode_create_block()
    - io_uring/io-wq: limit retrying worker initialisation
    - kernel: rerun task_work while freezing in get_signal()
    - kdb: address -Wformat-security warnings
    - kdb: Use the passed prompt in kdb_position_cursor()
    - jfs: Fix array-index-out-of-bounds in diFree
    - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels
    - phy: cadence-torrent: Check return value on register read
    - um: time-travel: fix time-travel-start option
    - um: time-travel: fix signal blocking race/hang
    - libbpf: Fix no-args func prototype BTF dumping syntax
    - dma: fix call order in dmam_free_coherent
    - bpf, events: Use prog to emit ksymbol event for main program
    - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
    - ipv4: Fix incorrect source address in Record Route option
    - net: bonding: correctly annotate RCU in bond_should_notify_peers()
    - netfilter: nft_set_pipapo_avx2: disable softinterrupts
    - tipc: Return non-zero value from tipc_udp_addr2str() on error
    - net: stmmac: Correct byte order of perfect_match
    - net: nexthop: Initialize all fields in dumped nexthops
    - bpf: Fix a segment issue when downgrading gso_size
    - mISDN: Fix a use after free in hfcmulti_tx()
    - apparmor: Fix null pointer deref when receiving skb during sock creation
    - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()
    - lirc: rc_dev_get_from_fd(): fix file leak
    - spi: spidev: Make probe to fail early if a spidev compatible is used
    - spi: spidev: Replace ACPI specific code by device_get_match_data()
    - spi: spidev: Replace OF specific code by device property API
    - spidev: Add Silicon Labs EM3581 device compatible
    - spi: spidev: order compatibles alphabetically
    - spi: spidev: add correct compatible for Rohm BH2228FV
    - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable
    - ceph: fix incorrect kmalloc size of pagevec mempool
    - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en
    - nvme: split command copy into a helper
    - nvme: separate command prep and issue
    - nvme-pci: add missing condition check for existence of mapped data
    - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT
    - powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC
    - arm64: dts: qcom: msm8996: Move '#clock-cells' to QMP PHY child node
    - arm64: dts: qcom: msm8998: drop USB PHY clock index
    - arm64: dts: qcom: msm8998: switch USB QMP PHY to new style of bindings
    - arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB
    - arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB
    - sysctl: always initialize i_uid/i_gid
    - ext4: make ext4_es_insert_extent() return void
    - ext4: refactor ext4_da_map_blocks()
    - ext4: convert to exclusive lock while inserting delalloc extents
    - ext4: factor out a common helper to query extent map
    - ext4: check the extent status again before inserting delalloc block
    - soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver
    - drivers: soc: xilinx: check return status of get_api_version()
    - leds: trigger: use RCU to protect the led_cdevs list
    - leds: trigger: Remove unused function led_trigger_rename_static()
    - leds: trigger: Store brightness set by led_trigger_event()
    - leds: trigger: Call synchronize_rcu() before calling trig->activate()
    - leds: triggers: Flush pending brightness before activating trigger
    - irqdomain: Fixed unbalanced fwnode get and put
    - genirq: Allow the PM device to originate from irq domain
    - irqchip/imx-irqsteer: Constify irq_chip struct
    - irqchip/imx-irqsteer: Add runtime PM support
    - irqchip/imx-irqsteer: Handle runtime power management correctly
    - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume
    - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init
    - MIPS: Loongson64: DTS: Add RTC support to Loongson-2K1000
    - MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a
    - MIPS: dts: loongson: Fix liointc IRQ polarity
    - MIPS: dts: loongson: Fix ls2k1000-rtc interrupt
    - drm/nouveau: prime: fix refcount underflow
    - drm/vmwgfx: Fix overlay when using Screen Targets
    - sched: act_ct: take care of padding in struct zones_ht_key
    - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode
    - rtnetlink: enable alt_ifname for setlink/newlink
    - rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in
      rtnl_dellink().
    - net/iucv: fix use after free in iucv_sock_close()
    - net: mvpp2: Don't re-use loop iterator
    - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().
    - netfilter: iptables: Fix potential null-ptr-deref in
      ip6table_nat_table_init().
    - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
    - ipv6: fix ndisc_is_useropt() handling for PIO
    - riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()
    - power: supply: bq24190_charger: replace deprecated strncpy with strscpy
    - platform/chrome: cros_ec_proto: Lock device when updating MKBP version
    - HID: wacom: Modify pen IDs
    - protect the fetch of ->fd[fd] in do_dup2() from mispredictions
    - ALSA: usb-audio: Correct surround channels in UAC1 channel map
    - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G
    - Revert "ALSA: firewire-lib: obsolete workqueue for period update"
    - Revert "ALSA: firewire-lib: operate for period elapse event in process
      context"
    - drm/vmwgfx: Fix a deadlock in dma buf fence polling
    - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
    - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY
    - mptcp: fix duplicate data handling
    - netfilter: ipset: Add list flush to cancel_gc
    - genirq: Allow irq_chip registration functions to take a const irq_chip
    - irqchip/mbigen: Fix mbigen node address layout
    - x86/mm: Fix pti_clone_pgtable() alignment assumption
    - x86/mm: Fix pti_clone_entry_text() for i386
    - sctp: move hlist_node and hashent out of sctp_ep_common
    - sctp: Fix null-ptr-deref in reuseport_add_sock().
    - net: usb: qmi_wwan: fix memory leak for not ip packets
    - net: bridge: mcast: wait for previous gc cycles when removing port
    - net: linkwatch: use system_unbound_wq
    - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
    - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
    - l2tp: fix lockdep splat
    - net: fec: Stop PPS on driver remove
    - rcutorture: Fix rcu_torture_fwd_cb_cr() data race
    - md: do not delete safemode_timer in mddev_suspend
    - md/raid5: avoid BUG_ON() while continue reshape after reassembling
    - clocksource/drivers/sh_cmt: Address race condition for clock events
    - ACPI: battery: create alarm sysfs attribute atomically
    - ACPI: SBS: manage alarm sysfs attribute through psy core
    - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT
    - PCI: Add Edimax Vendor ID to pci_ids.h
    - udf: prevent integer overflow in udf_bitmap_free_blocks()
    - wifi: nl80211: don't give key data to userspace
    - btrfs: fix bitmap leak when loading free space cache on duplicate entry
    - drm/amdgpu/pm: Fix the null pointer dereference for smu7
    - drm/amdgpu: Fix the null pointer dereference to ras_manager
    - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules
    - drm/amd/display: Add null checker before passing variables
    - media: uvcvideo: Ignore empty TS packets
    - media: uvcvideo: Fix the bandwdith quirk on USB 3.x
    - ext4: fix uninitialized variable in ext4_inlinedir_to_tree
    - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
    - s390/sclp: Prevent release of buffer in I/O
    - SUNRPC: Fix a race to wake a sync task
    - profiling: remove profile=sleep support
    - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
    - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime
    - ext4: fix wrong unit use in ext4_mb_find_by_goal
    - arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-
      space
    - arm64: Add Neoverse-V2 part
    - arm64: barrier: Restore spec_bar() macro
    - arm64: cputype: Add Cortex-X4 definitions
    - arm64: cputype: Add Neoverse-V3 definitions
    - arm64: errata: Add workaround for Arm errata 3194386 and 3312417
    - [Config] Set ARM64_ERRATUM_3194386=y
    - arm64: cputype: Add Cortex-X3 definitions
    - arm64: cputype: Add Cortex-A720 definitions
    - arm64: cputype: Add Cortex-X925 definitions
    - arm64: errata: Unify speculative SSBS errata logic
    - arm64: errata: Expand speculative SSBS workaround
    - arm64: cputype: Add Cortex-X1C definitions
    - arm64: cputype: Add Cortex-A725 definitions
    - arm64: errata: Expand speculative SSBS workaround (again)
    - i2c: smbus: Improve handling of stuck alerts
    - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask
    - ASoC: codecs: wsa881x: Correct Soundwire ports mask
    - spi: spidev: Add missing spi_device_id for bh2228fv
    - i2c: smbus: Send alert notifications to all devices if source not found
    - bpf: kprobe: remove unused declaring of bpf_kprobe_override
    - kprobes: Fix to check symbol prefixes correctly
    - spi: spi-fsl-lpspi: Fix scldiv calculation
    - ALSA: usb-audio: Re-add ScratchAmp quirk entries
    - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT
    - drm/client: fix null pointer dereference in drm_client_modeset_probe
    - ALSA: line6: Fix racy access to midibuf
    - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
    - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
    - usb: vhci-hcd: Do not drop references before new references are gained
    - USB: serial: debug: do not echo input by default
    - usb: gadget: core: Check for unset descriptor
    - usb: gadget: u_serial: Set start_delayed during suspend
    - scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES
    - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
    - tick/broadcast: Move per CPU pointer access into the atomic section
    - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler
    - ntp: Clamp maxerror and esterror to operating range
    - clocksource: Reduce the default clocksource_watchdog() retries to 2
    - torture: Enable clocksource watchdog with "tsc=watchdog"
    - clocksource: Scale the watchdog read retries automatically
    - clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()
    - irqchip/meson-gpio: support more than 8 channels gpio irq
    - irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to
      'raw_spinlock_t'
    - driver core: Fix uevent_show() vs driver detach race
    - ntp: Safeguard against time_constant overflow
    - timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()
    - serial: core: check uartclk for zero to avoid divide by zero
    - kcov: properly check for softirq context
    - irqchip/xilinx: Fix shift out of bounds
    - genirq/irqdesc: Honor caller provided affinity in alloc_desc()
    - power: supply: axp288_charger: Fix constant_charge_voltage writes
    - power: supply: axp288_charger: Round constant_charge_voltage writes down
    - tracing: Fix overflow in get_free_elt()
    - padata: Fix possible divide-by-0 panic in padata_mt_helper()
    - x86/mtrr: Check if fixed MTRRs exist before saving them
    - sched/smt: Introduce sched_smt_present_inc/dec() helper
    - sched/smt: Fix unbalance sched_smt_present dec/inc
    - drm/bridge: analogix_dp: properly handle zero sized AUX transactions
    - drm/mgag200: Set DDC timeout in milliseconds
    - mptcp: sched: check both directions for backup
    - mptcp: distinguish rcv vs sent backup flag in requests
    - mptcp: fix NL PM announced address accounting
    - mptcp: mib: count MPJ with backup flag
    - mptcp: fix bad RCVPRUNED mib accounting
    - mptcp: pm: only set request_bkup flag when sending MP_PRIO
    - mptcp: export local_address
    - mptcp: pm: fix backup support in signal endpoints
    - selftests: mptcp: join: validate backup in MPJ
    - selftests: mptcp: join: check backup support in signal endp
    - btrfs: fix corruption after buffer fault in during direct IO append write
    - xfs: fix log recovery buffer allocation for the legacy h_size fixup
    - btrfs: fix double inode unlock for direct IO sync writes
    - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
    - netfilter: nf_tables: set element extended ACK reporting support
    - netfilter: nf_tables: bail out if stateful expression provides no .clone
    - netfilter: nf_tables: allow clone callbacks to sleep
    - netfilter: nf_tables: prefer nft_chain_validate
    - net: stmmac: Enable mac_managed_pm phylink config
    - PCI: dwc: Restore MSI Receiver mask during resume
    - wifi: mac80211: check basic rates validity
    - mptcp: fully established after ADD_ADDR echo on MPJ
    - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
    - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.
    - arm64: dts: qcom: msm8996: correct #clock-cells for QMP PHY nodes
    - arm64: cpufeature: Fix the visibility of compat hwcaps
    - exec: Fix ToCToU between perm check and set-uid/gid usage
    - nvme/pci: Add APST quirk for Lenovo N60z laptop
    - usb: gadget: u_audio: Check return codes from usb_ep_enable and
      config_ep_by_speed.
    - binfmt_flat: Fix corruption when not offsetting data start
    - wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values
    - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode
    - media: Revert "media: dvb-usb: Fix unexpected infinite loop in
      dvb_usb_read_remote_control()"
    - Revert "ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error"
    - Linux 5.15.165

* CVE-2024-26661
    - drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'

* CVE-2024-25744
    - x86: Fix misspelled Kconfig symbols
    - x86: Introduce ia32_enabled()
    - x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c
    - x86/coco: Disable 32-bit emulation by default on TDX and SEV
    - x86/entry: Convert INT 0x80 emulation to IDTENTRY
    - x86/entry: Do not allow external 0x80 interrupts
    - x86/entry: Add do_SYSENTER_32() prototype
    - x86/bhi: Add support for clearing branch history at syscall entry

* [UBUNTU 22.04] s390/cpum_cf: make crypto counters upward compatible
    (LP: #2074380)
    - s390/cpum_cf: make crypto counters upward compatible across machine types

* Jammy update: v5.15.164 upstream stable release (LP: #2076100)
    - gcc-plugins: Rename last_stmt() for GCC 14+
    - filelock: Remove locks reliably when fcntl/close race is detected
    - ARM: 9324/1: fix get_user() broken with veneer
    - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency
    - scsi: core: Fix a use-after-free
    - scsi: core: alua: I/O errors for ALUA state transitions
    - scsi: qedf: Don't process stag work during unload and recovery
    - scsi: qedf: Wait for stag work during unload
    - scsi: qedf: Set qed_slowpath_params to zero before use
    - ACPI: EC: Abort address space access upon error
    - ACPI: EC: Avoid returning AE_OK on errors in address space handler
    - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs
    - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata
    - wifi: mac80211: handle tasklet frames before stopping
    - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup
    - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd
    - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option
    - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()
    - selftests/openat2: Fix build warnings on ppc64
    - Input: silead - Always support 10 fingers
    - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()
    - ila: block BH in ila_output()
    - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process
    - null_blk: fix validation of block size
    - kconfig: gconf: give a proper initial state to the Save button
    - kconfig: remove wrong expr_trans_bool()
    - fs/file: fix the check in find_next_fd()
    - mei: demote client disconnect warning on suspend to debug
    - nvme: avoid double free special payload
    - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check
    - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()
    - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency
    - ALSA: hda/realtek: Add more codec ID to no shutup pins list
    - mips: fix compat_sys_lseek syscall
    - Input: elantech - fix touchpad state on resume for Lenovo N24
    - Input: i8042 - add Ayaneo Kun to i8042 quirk table
    - bytcr_rt5640 : inverse jack detect for Archos 101 cesium
    - ALSA: dmaengine: Synchronize dma channel after drop()
    - ASoC: ti: davinci-mcasp: Set min period size using FIFO config
    - ASoC: ti: omap-hdmi: Fix too long driver name
    - can: kvaser_usb: fix return value for hif_usb_send_regout
    - s390/sclp: Fix sclp_init() cleanup on failure
    - platform/x86: wireless-hotkey: Add support for LG Airplane Button
    - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling
    - platform/x86: lg-laptop: Change ACPI device id
    - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB
    - btrfs: qgroup: fix quota root leak after quota disable failure
    - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx
    - ALSA: dmaengine_pcm: terminate dmaengine before synchronize
    - net: usb: qmi_wwan: add Telit FN912 compositions
    - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and
      DEV_STATS_ADD()
    - powerpc/pseries: Whitelist dtl slub object for copying to userspace
    - powerpc/eeh: avoid possible crash when edev->pdev changes
    - scsi: libsas: Fix exp-attached device scan after probe failure scanned in
      again after probe failed
    - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()
    - drm/radeon: check bo_va->bo is non-NULL before using it
    - fs: better handle deep ancestor chains in is_subdir()
    - riscv: stacktrace: fix usage of ftrace_graph_ret_addr()
    - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices
    - selftests/vDSO: fix clang build errors and warnings
    - hfsplus: fix uninit-value in copy_name
    - spi: mux: set ctlr->bits_per_word_mask
    - tracing: Define the is_signed_type() macro once
    - minmax: sanity check constant bounds when clamping
    - minmax: clamp more efficiently by avoiding extra comparison
    - minmax: fix header inclusions
    - minmax: allow min()/max()/clamp() if the arguments have the same signedness.
    - minmax: allow comparisons of 'int' against 'unsigned char/short'
    - minmax: relax check to allow comparison between unsigned arguments and
      signed constants
    - mm/damon/core: merge regions aggressively when max_nr_regions is unmet
    - wifi: mac80211: disable softirqs for queued frame handling
    - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()
    - samples: Add fs error monitoring example
    - samples: Make fs-monitor depend on libc and headers
    - docs: Fix formatting of literal sections in fanotify docs
    - Add gitignore file for samples/fanotify/ subdirectory
    - net: relax socket state check at accept time.
    - ocfs2: add bounds checking to ocfs2_check_dir_entry()
    - jfs: don't walk off the end of ealist
    - fs/ntfs3: Validate ff offset
    - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400
    - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360
    - arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB
    - arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB
    - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused
    - filelock: Fix fcntl/close race recovery compat path
    - wifi: rt2x00: use explicitly signed or unsigned types
    - tun: add missing verification for short frame
    - tap: add missing verification for short frame
    - Linux 5.15.164

* Jammy update: v5.15.166 upstream stable release (LP: #2080594) //
    CVE-2024-45016
    - netem: fix return value if duplicate enqueue fails

* CVE-2024-38630
    - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

* CVE-2024-27397
    - netfilter: nf_tables: use timestamp to check for set element timeout

-- Stefan Bader <stefan.bader@canonical.com>  Fri, 27 Sep 2024 14:49:00 +0200

Changed in linux (Ubuntu Jammy):
status:	Fix Committed → Fix Released

Juerg Haefliger (juergh) on 2025-04-18

tags:

added: kernel-daily-bug

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package