Ubuntu
linux package

net/sched: Fix conntrack use-after-free

Noble (24.04)
Bug #2073092

Bug #2073092 reported by gerald.yang on 2024-07-15

This bug affects 1 person

	Status	Importance	Assigned to
linux (Ubuntu)	Status tracked in Oracular
Jammy	Fix Committed	High	gerald.yang
Noble	Fix Committed	High	gerald.yang
Oracular	Invalid	Undecided	gerald.yang
linux-hwe-6.8 (Ubuntu)	Status tracked in Oracular
Jammy	Fix Released	High	gerald.yang
Noble	Invalid	Undecided	Unassigned
Oracular	Invalid	Undecided	Unassigned

Bug Description

BugLink: https://bugs.launchpad.net/bugs/2073092

[Impact]

Hit conntrack refcount use-after-free issue:
refcount_t: addition on 0; use-after-free.

Call Trace:
<IRQ>
? show_regs+0x6d/0x80
? __warn+0x89/0x160
? refcount_warn_saturate+0x12e/0x150
? report_bug+0x17e/0x1b0
? handle_bug+0x46/0x90
? exc_invalid_op+0x18/0x80
? asm_exc_invalid_op+0x1b/0x20
? refcount_warn_saturate+0x12e/0x150
flow_offload_alloc+0xe5/0xf0 [nf_flow_table]
tcf_ct_flow_table_process_conn+0xc2/0x1e0 [act_ct]
tcf_ct_act+0x6c8/0xaa0 [act_ct]
tcf_action_exec+0xbc/0x1a0
fl_classify+0x1f8/0x200 [cls_flower]
__tcf_classify+0x169/0x200
tcf_classify+0xff/0x250
sch_handle_ingress.constprop.0+0x11f/0x290
? srso_alias_return_thunk+0x5/0x7f
__netif_receive_skb_core.constprop.0+0x60b/0xd70
? __udp4_lib_lookup+0x25f/0x2a0
__netif_receive_skb_list_core+0xfd/0x250
netif_receive_skb_list_internal+0x1a3/0x2d0
? srso_alias_return_thunk+0x5/0x7f
? dev_gro_receive+0x196/0x350
napi_complete_done+0x74/0x1c0
gro_cell_poll+0x7c/0xb0
__napi_poll+0x33/0x1f0
net_rx_action+0x181/0x2e0
__do_softirq+0xdc/0x349
? srso_alias_return_thunk+0x5/0x7f
? handle_irq_event+0x52/0x80
? handle_edge_irq+0xda/0x250
__irq_exit_rcu+0x75/0xa0
irq_exit_rcu+0xe/0x20
common_interrupt+0xa4/0xb0
</IRQ>
<TASK>

[Fix]
I enabled kasan and get:
BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
Read of size 1 at addr ffff888c07603600 by task handler130/6469

Call Trace:
<IRQ>
dump_stack_lvl+0x48/0x70
print_address_description.constprop.0+0x33/0x3d0
print_report+0xc0/0x2b0
kasan_report+0xd0/0x120
__asan_load1+0x6c/0x80
tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
tcf_ct_act+0x886/0x1350 [act_ct]
tcf_action_exec+0xf8/0x1f0
fl_classify+0x355/0x360 [cls_flower]
__tcf_classify+0x1fd/0x330
tcf_classify+0x21c/0x3c0
sch_handle_ingress.constprop.0+0x2c5/0x500
__netif_receive_skb_core.constprop.0+0xb25/0x1510
__netif_receive_skb_list_core+0x220/0x4c0
netif_receive_skb_list_internal+0x446/0x620
napi_complete_done+0x157/0x3d0
gro_cell_poll+0xcf/0x100
__napi_poll+0x65/0x310
net_rx_action+0x30c/0x5c0
__do_softirq+0x14f/0x491
__irq_exit_rcu+0x82/0xc0
irq_exit_rcu+0xe/0x20
common_interrupt+0xa1/0xb0
</IRQ>

Allocated by task 6469:
kasan_save_stack+0x38/0x70
kasan_set_track+0x25/0x40
kasan_save_alloc_info+0x1e/0x40
__kasan_krealloc+0x133/0x190
krealloc+0xaa/0x130
nf_ct_ext_add+0xed/0x230 [nf_conntrack]
tcf_ct_act+0x1095/0x1350 [act_ct]
tcf_action_exec+0xf8/0x1f0
fl_classify+0x355/0x360 [cls_flower]
__tcf_classify+0x1fd/0x330
tcf_classify+0x21c/0x3c0
sch_handle_ingress.constprop.0+0x2c5/0x500
__netif_receive_skb_core.constprop.0+0xb25/0x1510
__netif_receive_skb_list_core+0x220/0x4c0
netif_receive_skb_list_internal+0x446/0x620
napi_complete_done+0x157/0x3d0
gro_cell_poll+0xcf/0x100
__napi_poll+0x65/0x310
net_rx_action+0x30c/0x5c0
__do_softirq+0x14f/0x491

Freed by task 6469:
kasan_save_stack+0x38/0x70
kasan_set_track+0x25/0x40
kasan_save_free_info+0x2b/0x60
____kasan_slab_free+0x180/0x1f0
__kasan_slab_free+0x12/0x30
slab_free_freelist_hook+0xd2/0x1a0
__kmem_cache_free+0x1a2/0x2f0
kfree+0x78/0x120
nf_conntrack_free+0x74/0x130 [nf_conntrack]
nf_ct_destroy+0xb2/0x140 [nf_conntrack]
__nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]
nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]
__nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]
tcf_ct_act+0x12ad/0x1350 [act_ct]
tcf_action_exec+0xf8/0x1f0
fl_classify+0x355/0x360 [cls_flower]
__tcf_classify+0x1fd/0x330
tcf_classify+0x21c/0x3c0
sch_handle_ingress.constprop.0+0x2c5/0x500
__netif_receive_skb_core.constprop.0+0xb25/0x1510
__netif_receive_skb_list_core+0x220/0x4c0
netif_receive_skb_list_internal+0x446/0x620
napi_complete_done+0x157/0x3d0
gro_cell_poll+0xcf/0x100
__napi_poll+0x65/0x310
net_rx_action+0x30c/0x5c0
__do_softirq+0x14f/0x491

When resolving a clash, a duplicate conntrack will be freed,
but in tcf_ct_act, it still uses the freed conntrack instead of the correct conntrack.

We sent a patch to upstream to fix it and got merged:
commit 26488172b0292bed837b95a006a3f3431d1898c3
Author: Chengen Du <email address hidden>
Date: Wed Jul 10 13:37:47 2024 +0800

net/sched: Fix UAF when resolving a clash

Cherry-pick this comment to fix the conntrack slab use-after-free issue.

[Testcase]
Built a test kernel and verified on our environment which is constantly hitting this issue.

[Where problems could occur]
This patch ensure when a clash happens and the duplicated conntrack is freed,
call nf_ct_get to get the correct conntrack,
the freed conntrack won't be used and the rest of code path will follow the original path.
This won't cause other issues.

See original description

Tags:

CVE References

gerald.yang (gerald-yang-tw) on 2024-07-15

Changed in linux (Ubuntu):
status:	New → In Progress
assignee:	nobody → gerald.yang (gerald-yang-tw)
summary:	- [SRU] Fix conntrack use-after-free + net/sched: Fix conntrack use-after-free
description:	updated
Changed in linux (Ubuntu Jammy):
status:	New → In Progress
Changed in linux (Ubuntu Noble):
status:	New → In Progress
assignee:	nobody → gerald.yang (gerald-yang-tw)
Changed in linux (Ubuntu Jammy):
assignee:	nobody → gerald.yang (gerald-yang-tw)

gerald.yang (gerald-yang-tw) on 2024-07-15

description:	updated
description:	updated

gerald.yang (gerald-yang-tw) on 2024-07-15

description:	updated
description:	updated

gerald.yang (gerald-yang-tw) on 2024-07-15

Changed in linux (Ubuntu Oracular):
status:	In Progress → Invalid

gerald.yang (gerald-yang-tw) on 2024-07-16

description:	updated
description:	updated

Stefan Bader (smb) on 2024-07-18

Changed in linux-hwe-6.8 (Ubuntu Noble):
status:	New → Invalid
Changed in linux-hwe-6.8 (Ubuntu Oracular):
status:	New → Invalid
Changed in linux-hwe-6.8 (Ubuntu Jammy):
importance:	Undecided → High
status:	New → Triaged
Changed in linux (Ubuntu Noble):
importance:	Undecided → High
Changed in linux (Ubuntu Jammy):
importance:	Undecided → High

Stefan Bader (smb) on 2024-07-18

Changed in linux-hwe-6.8 (Ubuntu Jammy):
status:	Triaged → Fix Committed

Stefan Bader (smb) on 2024-07-19

Changed in linux (Ubuntu Noble):
status:	In Progress → Fix Committed
Changed in linux (Ubuntu Jammy):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-07-22:

This bug is awaiting verification that the linux-hwe-6.8/6.8.0-40.40~22.04.2 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-hwe-6.8' to 'verification-done-jammy-linux-hwe-6.8'. If the problem still exists, change the tag 'verification-needed-jammy-linux-hwe-6.8' to 'verification-failed-jammy-linux-hwe-6.8'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-hwe-6.8-v2 verification-needed-jammy-linux-hwe-6.8

gerald.yang (gerald-yang-tw) on 2024-07-27

tags:

added: verification-done-jammy-linux-hwe-6.8
removed: verification-needed-jammy-linux-hwe-6.8

gerald.yang (gerald-yang-tw) on 2024-07-29

Changed in linux-hwe-6.8 (Ubuntu Jammy):
assignee:	nobody → gerald.yang (gerald-yang-tw)

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-08-08:

This bug is awaiting verification that the linux/6.8.0-43.43 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux' to 'verification-done-noble-linux'. If the problem still exists, change the tag 'verification-needed-noble-linux' to 'verification-failed-noble-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-noble-linux-v2 verification-needed-noble-linux

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-08-09:

This bug is awaiting verification that the linux/5.15.0-120.130 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux' to 'verification-done-jammy-linux'. If the problem still exists, change the tag 'verification-needed-jammy-linux' to 'verification-failed-jammy-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-v2 verification-needed-jammy-linux

Revision history for this message

gerald.yang (gerald-yang-tw) wrote on 2024-08-09:

This patch has been verified on PS6 for few weeks

tags:

added: verification-done-jammy-linux verification-done-noble-linux
removed: verification-needed-jammy-linux verification-needed-noble-linux

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-08-13:

Download full text (73.3 KiB)

This bug was fixed in the package linux-hwe-6.8 - 6.8.0-40.40~22.04.3

---------------
linux-hwe-6.8 (6.8.0-40.40~22.04.3) jammy; urgency=medium

* jammy/linux-hwe-6.8: 6.8.0-40.40~22.04.3 -proposed tracker (LP: #2075181)

  * Packaging resync (LP: #1786013)
    - [Packaging] debian.hwe-6.8/dkms-versions -- update from kernel-versions
      (main/2024.07.08)

  * Linux 6.8 fails to boot on ARM64 if any param is more than 146 chars
    (LP: #2069534)
    - SAUCE: arm64: v6.8: cmdline param >= 146 chars kills kernel

  * revert support for arbitrary symbol length in modversion in hwe kernels
    (LP: #2039010)
    - Revert "UBUNTU: SAUCE: modpost: Replace 0-length array with flex-array
      member"
    - Revert "UBUNTU: SAUCE: allows to enable Rust with modversions"
    - Revert "UBUNTU: SAUCE: modpost: support arbitrary symbol length in
      modversion"

linux-hwe-6.8 (6.8.0-40.40~22.04.2) jammy; urgency=medium

* jammy/linux-hwe-6.8: 6.8.0-40.40~22.04.2 -proposed tracker (LP: #2073455)

* net/sched: Fix conntrack use-after-free (LP: #2073092)
- net/sched: Fix UAF when resolving a clash

linux-hwe-6.8 (6.8.0-40.40~22.04.1) jammy; urgency=medium

* jammy/linux-hwe-6.8: 6.8.0-40.40~22.04.1 -proposed tracker (LP: #2072200)

  * Packaging resync (LP: #1786013)
    - [Packaging] Include parent config for HWE-6.5
    - [Packaging] update variants

[ Ubuntu: 6.8.0-40.40 ]

This bug was fixed in the package linux-hwe-6.8 - 6.8.0-40.40~22.04.3

---------------
linux-hwe-6.8 (6.8.0-40.40~22.04.3) jammy; urgency=medium

* jammy/linux-hwe-6.8: 6.8.0-40.40~22.04.3 -proposed tracker (LP: #2075181)

* Packaging resync (LP: #1786013)
    - [Packaging] debian.hwe-6.8/dkms-versions -- update from kernel-versions
      (main/2024.07.08)

* Linux 6.8 fails to boot on ARM64 if any param is more than 146 chars
    (LP: #2069534)
    - SAUCE: arm64: v6.8: cmdline param >= 146 chars kills kernel

linux-hwe-6.8 (6.8.0-40.40~22.04.2) jammy; urgency=medium

* jammy/linux-hwe-6.8: 6.8.0-40.40~22.04.2 -proposed tracker (LP: #2073455)

* net/sched: Fix conntrack use-after-free (LP: #2073092)
    - net/sched: Fix UAF when resolving a clash

linux-hwe-6.8 (6.8.0-40.40~22.04.1) jammy; urgency=medium

* jammy/linux-hwe-6.8: 6.8.0-40.40~22.04.1 -proposed tracker (LP: #2072200)

* Packaging resync (LP: #1786013)
    - [Packaging] Include parent config for HWE-6.5
    - [Packaging] update variants

[ Ubuntu: 6.8.0-40.40 ]

* noble/linux: 6.8.0-40.40 -proposed tracker (LP: #2072201)
  * FPS of glxgear with fullscreen is too low on MTL platform (LP: #2069380)
    - drm/i915: Bypass LMEMBAR/GTTMMADR for MTL stolen memory access
  * a critical typo in the code managing the ASPM  settings for PCI Express
    devices (LP: #2071889)
    - PCI/ASPM: Restore parent state to parent, child state to child
  * [UBUNTU 24.04] IOMMU DMA mode changed in kernel config causes massive
    throughput degradation for PCI-related network workloads (LP: #2071471)
    - [Config] Set IOMMU_DEFAULT_DMA_STRICT=n and IOMMU_DEFAULT_DMA_LAZY=yes for
      s390x
  * UBSAN: array-index-out-of-bounds in
    /build/linux-D15vQj/linux-6.5.0/drivers/md/bcache/bset.c:1098:3
    (LP: #2039368)
    - bcache: fix variable length array abuse in btree_iter
  * Mute/mic LEDs and speaker no function on EliteBook 645/665 G11
    (LP: #2071296)
    - ALSA: hda/realtek: fix mute/micmute LEDs don't work for EliteBook 645/665
      G11.
  * failed to enable IPU6 camera sensor on kernel >= 6.8: ivsc_ace
    intel_vsc-5db76cf6-0a68-4ed6-9b78-0361635e2447: switch camera to host
    failed: -110 (LP: #2067364)
    - mei: vsc: Don't stop/restart mei device during system suspend/resume
    - SAUCE: media: ivsc: csi: don't count privacy on as error
    - SAUCE: media: ivsc: csi: add separate lock for v4l2 control handler
    - SAUCE: media: ivsc: csi: remove privacy status in struct mei_csi
    - SAUCE: mei: vsc: Enhance IVSC chipset stability during warm reboot
    - SAUCE: mei: vsc: Enhance SPI transfer of IVSC rom
    - SAUCE: mei: vsc: Utilize the appropriate byte order swap function
    - SAUCE: mei: vsc: Prevent timeout error with added delay post-firmware
      download
  * failed to probe camera sensor on Dell XPS 9315: ov01a10 i2c-OVTI01A0:00:
    failed to check hwcfg: -22 (LP: #2070251)
    - ACPI: utils: Make acpi_handle_path() not static
    - ACPI: property: Ignore bad graph port nodes on Dell XPS 9315
    - ACPI: property: Polish ignoring bad data nodes
    - ACPI: scan: Ignore camera graph port nodes on all Dell Tiger, Alder and
      Raptor Lake models
  * Update amd_sfh for AMD strix series (LP: #2058331)
    - HID: amd_sfh: Increase sensor command timeout
    - HID: amd_sfh: Improve boot time when SFH is available
    - HID: amd_sfh: Extend MP2 register access to SFH
    - HID: amd_sfh: Set the AMD SFH driver to depend on x86
  * RFIM and SAGV Linux Support for G10 models (LP: #2070158)
    - drm/i915/display: Add meaningful traces for QGV point info error handling
    - drm/i915/display: Extract code required to calculate max qgv/psf gv point
    - drm/i915/display: extract code to prepare qgv points mask
    - drm/i915/display: Disable SAGV on bw init, to force QGV point recalculation
    - drm/i915/display: handle systems with duplicate psf gv points
    - drm/i915/display: force qgv check after the hw state readout
  * Update amd-pmf for AMD strix series (LP: #2058330)
    - platform/x86/amd/pmf: Differentiate PMF ACPI versions
    - platform/x86/amd/pmf: Disable debugfs support for querying power thermals
    - platform/x86/amd/pmf: Add support to get sbios requests in PMF driver
    - platform/x86/amd/pmf: Add support to notify sbios heart beat event
    - platform/x86/amd/pmf: Add support to get APTS index numbers for static
      slider
    - platform/x86/amd/pmf: Add support to get sps default APTS index values
    - platform/x86/amd/pmf: Update sps power thermals according to the platform-
      profiles
  * noble:linux: ADT ubuntu-regression-suite misses fakeroot dependency
    (LP: #2070042)
    - [DEP-8] Add missing fakeroot dependency
  * Noble update: v6.8.12 upstream stable release (LP: #2071621)
    - sunrpc: use the struct net as the svc proc private
    - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
    - selftests/ftrace: Fix BTFARG testcase to check fprobe is enabled correctly
    - ftrace: Fix possible use-after-free issue in ftrace_location()
    - Revert "arm64: fpsimd: Implement lazy restore for kernel mode FPSIMD"
    - arm64/fpsimd: Avoid erroneous elide of user state reload
    - Reapply "arm64: fpsimd: Implement lazy restore for kernel mode FPSIMD"
    - tty: n_gsm: fix missing receive state reset after mode switch
    - speakup: Fix sizeof() vs ARRAY_SIZE() bug
    - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler
    - serial: 8250_bcm7271: use default_mux_rate if possible
    - serial: 8520_mtk: Set RTS on shutdown for Rx in-band wakeup
    - Input: try trimming too long modalias strings
    - io_uring: fail NOP if non-zero op flags is passed in
    - Revert "r8169: don't try to disable interrupts if NAPI is, scheduled
      already"
    - r8169: Fix possible ring buffer corruption on fragmented Tx packets.
    - ring-buffer: Fix a race between readers and resize checks
    - net: mana: Fix the extra HZ in mana_hwc_send_request
    - tools/latency-collector: Fix -Wformat-security compile warns
    - tools/nolibc/stdlib: fix memory error in realloc()
    - net: ti: icssg_prueth: Fix NULL pointer dereference in prueth_probe()
    - net: lan966x: remove debugfs directory in probe() error path
    - net: smc91x: Fix m68k kernel compilation for ColdFire CPU
    - nilfs2: fix use-after-free of timer for log writer thread
    - nilfs2: fix unexpected freezing of nilfs_segctor_sync()
    - nilfs2: fix potential hang in nilfs_detach_log_writer()
    - fs/ntfs3: Remove max link count info display during driver init
    - fs/ntfs3: Taking DOS names into account during link counting
    - fs/ntfs3: Fix case when index is reused during tree transformation
    - fs/ntfs3: Break dir enumeration if directory contents error
    - ksmbd: avoid to send duplicate oplock break notifications
    - ksmbd: ignore trailing slashes in share paths
    - ALSA: core: Fix NULL module pointer assignment at card init
    - ALSA: Fix deadlocks with kctl removals at disconnection
    - KEYS: asymmetric: Add missing dependency on CRYPTO_SIG
    - [Config] updateconfigs for CRYPTO_SIG
    - KEYS: asymmetric: Add missing dependencies of FIPS_SIGNATURE_SELFTEST
    - HID: nintendo: Fix N64 controller being identified as mouse
    - dmaengine: xilinx: xdma: Clarify kdoc in XDMA driver
    - wifi: mac80211: don't use rate mask for scanning
    - wifi: mac80211: ensure beacon is non-S1G prior to extracting the beacon
      timestamp field
    - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt
      class
    - dt-bindings: rockchip: grf: Add missing type to 'pcie-phy' node
    - HID: mcp-2221: cancel delayed_work only when CONFIG_IIO is enabled
    - net: usb: qmi_wwan: add Telit FN920C04 compositions
    - drm/amd/display: Set color_mgmt_changed to true on unsuspend
    - drm/amdgpu: Update BO eviction priorities
    - drm/amd/pm: Restore config space after reset
    - drm/amdkfd: Add VRAM accounting for SVM migration
    - drm/amdgpu: Fix the ring buffer size for queue VM flush
    - Revert "net: txgbe: fix i2c dev name cannot match clkdev"
    - Revert "net: txgbe: fix clk_name exceed MAX_DEV_ID limits"
    - cpu: Ignore "mitigations" kernel parameter if CPU_MITIGATIONS=n
    - LoongArch: Lately init pmu after smp is online
    - drm/etnaviv: fix tx clock gating on some GC7000 variants
    - selftests: sud_test: return correct emulated syscall value on RISC-V
    - riscv: thead: Rename T-Head PBMT to MAE
    - [Config] updateconfigs for ERRATA_THEAD_MAE
    - riscv: T-Head: Test availability bit before enabling MAE errata
    - sched/isolation: Fix boot crash when maxcpus < first housekeeping CPU
    - ASoC: Intel: bytcr_rt5640: Apply Asus T100TA quirk to Asus T100TAM too
    - regulator: irq_helpers: duplicate IRQ name
    - ALSA: hda: cs35l56: Exit cache-only after cs35l56_wait_for_firmware_boot()
    - ASoC: SOF: ipc4-pcm: Use consistent name for snd_sof_pcm_stream pointer
    - ASoC: SOF: ipc4-pcm: Use consistent name for sof_ipc4_timestamp_info pointer
    - ASoC: SOF: ipc4-pcm: Introduce generic sof_ipc4_pcm_stream_priv
    - ASoC: SOF: pcm: Restrict DSP D0i3 during S0ix to IPC3
    - ASoC: acp: Support microphone from device Acer 315-24p
    - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
    - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
    - ASoC: rt722-sdca: modify channel number to support 4 channels
    - ASoC: rt722-sdca: add headset microphone vrefo setting
    - regulator: qcom-refgen: fix module autoloading
    - regulator: vqmmc-ipq4019: fix module autoloading
    - ASoC: cs35l41: Update DSP1RX5/6 Sources for DSP config
    - ASoC: rt715: add vendor clear control register
    - ASoC: rt715-sdca: volume step modification
    - KVM: selftests: Add test for uaccesses to non-existent vgic-v2 CPUIF
    - Input: xpad - add support for ASUS ROG RAIKIRI
    - btrfs: take the cleaner_mutex earlier in qgroup disable
    - EDAC/versal: Do not register for NOC errors
    - fpga: dfl-pci: add PCI subdevice ID for Intel D5005 card
    - bpf, x86: Fix PROBE_MEM runtime load check
    - ALSA: emu10k1: make E-MU FPGA writes potentially more reliable
    - softirq: Fix suspicious RCU usage in __do_softirq()
    - platform/x86: ISST: Add Grand Ridge to HPM CPU list
    - ASoC: da7219-aad: fix usage of device_get_named_child_node()
    - ASoC: cs35l56: fix usages of device_get_named_child_node()
    - ALSA: hda: intel-dsp-config: harden I2C/I2S codec detection
    - Input: amimouse - mark driver struct with __refdata to prevent section
      mismatch
    - drm/amdgpu: Fix VRAM memory accounting
    - drm/amd/display: Ensure that dmcub support flag is set for DCN20
    - drm/amd/display: Add dtbclk access to dcn315
    - drm/amd/display: Allocate zero bw after bw alloc enable
    - drm/amd/display: Add VCO speed parameter for DCN31 FPU
    - drm/amd/display: Fix DC mode screen flickering on DCN321
    - drm/amd/display: Disable seamless boot on 128b/132b encoding
    - drm/amdkfd: Flush the process wq before creating a kfd_process
    - x86/mm: Remove broken vsyscall emulation code from the page fault code
    - nvme: find numa distance only if controller has valid numa id
    - nvmet-auth: return the error code to the nvmet_auth_host_hash() callers
    - nvmet-auth: replace pr_debug() with pr_err() to report an error.
    - nvme: cancel pending I/O if nvme controller is in terminal state
    - nvmet-tcp: fix possible memory leak when tearing down a controller
    - nvmet: fix nvme status code when namespace is disabled
    - nvme-tcp: strict pdu pacing to avoid send stalls on TLS
    - epoll: be better about file lifetimes
    - nvmet: prevent sprintf() overflow in nvmet_subsys_nsid_exists()
    - openpromfs: finish conversion to the new mount API
    - crypto: bcm - Fix pointer arithmetic
    - firmware: qcom: qcm: fix unused qcom_scm_qseecom_allowlist
    - mm/slub, kunit: Use inverted data to corrupt kmem cache
    - firmware: raspberrypi: Use correct device for DMA mappings
    - ecryptfs: Fix buffer size for tag 66 packet
    - nilfs2: fix out-of-range warning
    - parisc: add missing export of __cmpxchg_u8()
    - crypto: ccp - drop platform ifdef checks
    - crypto: x86/nh-avx2 - add missing vzeroupper
    - crypto: x86/sha256-avx2 - add missing vzeroupper
    - crypto: x86/sha512-avx2 - add missing vzeroupper
    - s390/cio: fix tracepoint subchannel type field
    - io_uring: use the right type for work_llist empty check
    - rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow
    - rcu: Fix buffer overflow in print_cpu_stall_info()
    - ARM: configs: sunxi: Enable DRM_DW_HDMI
    - jffs2: prevent xattr node from overflowing the eraseblock
    - libfs: Re-arrange locking in offset_iterate_dir()
    - libfs: Define a minimum directory offset
    - libfs: Add simple_offset_empty()
    - maple_tree: Add mtree_alloc_cyclic()
    - libfs: Convert simple directory offsets to use a Maple Tree
    - libfs: Fix simple_offset_rename_exchange()
    - libfs: Add simple_offset_rename() API
    - shmem: Fix shmem_rename2()
    - io-wq: write next_work before dropping acct_lock
    - mm/userfaultfd: Do not place zeropages when zeropages are disallowed
    - s390/mm: Re-enable the shared zeropage for !PV and !skeys KVM guests
    - crypto: octeontx2 - add missing check for dma_map_single
    - crypto: qat - improve error message in adf_get_arbiter_mapping()
    - crypto: qat - improve error logging to be consistent across features
    - soc: qcom: pmic_glink: don't traverse clients list without a lock
    - soc: qcom: pmic_glink: notify clients about the current state
    - firmware: qcom: scm: Fix __scm and waitq completion variable initialization
    - soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE
    - null_blk: Fix missing mutex_destroy() at module removal
    - crypto: qat - validate slices count returned by FW
    - hwrng: stm32 - use logical OR in conditional
    - hwrng: stm32 - put IP into RPM suspend on failure
    - hwrng: stm32 - repair clock handling
    - kunit/fortify: Fix mismatched kvalloc()/vfree() usage
    - io_uring/net: remove dependency on REQ_F_PARTIAL_IO for sr->done_io
    - io_uring/net: fix sendzc lazy wake polling
    - soc: qcom: pmic_glink: Make client-lock non-sleeping
    - lkdtm: Disable CFI checking for perms functions
    - md: fix resync softlockup when bitmap size is less than array size
    - crypto: qat - specify firmware files for 402xx
    - block: refine the EOF check in blkdev_iomap_begin
    - block: fix and simplify blkdevparts= cmdline parsing
    - block: support to account io_ticks precisely
    - wifi: ath10k: poll service ready message before failing
    - wifi: brcmfmac: pcie: handle randbuf allocation failure
    - wifi: ath11k: don't force enable power save on non-running vdevs
    - bpftool: Fix missing pids during link show
    - libbpf: Prevent null-pointer dereference when prog to load has no BTF
    - wifi: ath12k: use correct flag field for 320 MHz channels
    - wifi: mt76: mt7915: workaround too long expansion sparse warnings
    - x86/boot: Ignore relocations in .notes sections in walk_relocs() too
    - wifi: ieee80211: fix ieee80211_mle_basic_sta_prof_size_ok()
    - wifi: iwlwifi: mvm: Do not warn on invalid link on scan complete
    - wifi: iwlwifi: mvm: allocate STA links only for active links
    - wifi: mac80211: don't select link ID if not provided in scan request
    - wifi: iwlwifi: implement can_activate_links callback
    - wifi: iwlwifi: mvm: fix active link counting during recovery
    - wifi: iwlwifi: mvm: select STA mask only for active links
    - wifi: iwlwifi: reconfigure TLC during HW restart
    - wifi: iwlwifi: mvm: fix check in iwl_mvm_sta_fw_id_mask
    - sched/fair: Add EAS checks before updating root_domain::overutilized
    - ACPI: bus: Indicate support for _TFP thru _OSC
    - ACPI: bus: Indicate support for more than 16 p-states thru _OSC
    - ACPI: bus: Indicate support for the Generic Event Device thru _OSC
    - ACPI: Fix Generic Initiator Affinity _OSC bit
    - ACPI: bus: Indicate support for IRQ ResourceSource thru _OSC
    - enetc: avoid truncating error message
    - qed: avoid truncating work queue length
    - mlx5: avoid truncating error message
    - mlx5: stop warning for 64KB pages
    - bitops: add missing prototype check
    - dlm: fix user space lock decision to copy lvb
    - wifi: carl9170: re-fix fortified-memset warning
    - bpftool: Mount bpffs on provided dir instead of parent dir
    - bpf: Pack struct bpf_fib_lookup
    - bpf: prevent r10 register from being marked as precise
    - x86/microcode/AMD: Avoid -Wformat warning with clang-15
    - scsi: ufs: qcom: Perform read back after writing reset bit
    - scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US
    - scsi: ufs: qcom: Perform read back after writing unipro mode
    - scsi: ufs: qcom: Perform read back after writing CGC enable
    - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
    - scsi: ufs: core: Perform read back after writing UTP_TASK_REQ_LIST_BASE_H
    - scsi: ufs: core: Perform read back after disabling interrupts
    - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
    - ACPI: LPSS: Advertise number of chip selects via property
    - EDAC/skx_common: Allow decoding of SGX addresses
    - locking/atomic/x86: Correct the definition of __arch_try_cmpxchg128()
    - irqchip/alpine-msi: Fix off-by-one in allocation error path
    - irqchip/loongson-pch-msi: Fix off-by-one on allocation error path
    - ACPI: disable -Wstringop-truncation
    - gfs2: Don't forget to complete delayed withdraw
    - gfs2: Fix "ignore unlock failures after withdraw"
    - arm64: Remove unnecessary irqflags alternative.h include
    - x86/boot/64: Clear most of CR4 in startup_64(), except PAE, MCE and LA57
    - selftests/bpf: Fix umount cgroup2 error in test_sockmap
    - tcp: increase the default TCP scaling ratio
    - cpufreq: exit() callback is optional
    - x86/pat: Introduce lookup_address_in_pgd_attr()
    - x86/pat: Restructure _lookup_address_cpa()
    - x86/pat: Fix W^X violation false-positives when running as Xen PV guest
    - udp: Avoid call to compute_score on multiple sites
    - openrisc: traps: Don't send signals to kernel mode threads
    - cppc_cpufreq: Fix possible null pointer dereference
    - wifi: iwlwifi: mvm: init vif works only once
    - scsi: libsas: Fix the failure of adding phy with zero-address to port
    - scsi: hpsa: Fix allocation size for Scsi_Host private data
    - x86/purgatory: Switch to the position-independent small code model
    - wifi: ath12k: fix out-of-bound access of qmi_invoke_handler()
    - thermal/drivers/mediatek/lvts_thermal: Add coeff for mt8192
    - thermal/drivers/tsens: Fix null pointer dereference
    - dt-bindings: thermal: loongson,ls2k-thermal: Add Loongson-2K0500 compatible
    - dt-bindings: thermal: loongson,ls2k-thermal: Fix incorrect compatible
      definition
    - wifi: ath10k: Fix an error code problem in
      ath10k_dbg_sta_write_peer_debug_trigger()
    - gfs2: Remove ill-placed consistency check
    - gfs2: Fix potential glock use-after-free on unmount
    - gfs2: finish_xmote cleanup
    - gfs2: do_xmote fixes
    - thermal/debugfs: Avoid excessive updates of trip point statistics
    - selftests/bpf: Fix a fd leak in error paths in open_netns
    - scsi: ufs: core: mcq: Fix ufshcd_mcq_sqe_search()
    - cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations
    - wifi: ath10k: populate board data for WCN3990
    - net: dsa: mv88e6xxx: Add support for model-specific pre- and post-reset
      handlers
    - net: dsa: mv88e6xxx: Avoid EEPROM timeout without EEPROM on 88E6250-family
      switches
    - tcp: avoid premature drops in tcp_add_backlog()
    - thermal/debugfs: Create records for cdev states as they get used
    - thermal/debugfs: Pass cooling device state to thermal_debug_cdev_add()
    - pwm: sti: Prepare removing pwm_chip from driver data
    - pwm: sti: Simplify probe function using devm functions
    - drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group
    - drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group
    - drivers/perf: hisi: hns3: Actually use devm_add_action_or_reset()
    - net: give more chances to rcu in netdev_wait_allrefs_any()
    - macintosh/via-macii: Fix "BUG: sleeping function called from invalid
      context"
    - wifi: carl9170: add a proper sanity check for endpoints
    - bpf: Fix verifier assumptions about socket->sk
    - selftests/bpf: Run cgroup1_hierarchy test in own mount namespace
    - wifi: ar5523: enable proper endpoint verification
    - pwm: Drop useless member .of_pwm_n_cells of struct pwm_chip
    - pwm: Let the of_xlate callbacks accept references without period
    - pwm: Drop duplicate check against chip->npwm in of_pwm_xlate_with_flags()
    - pwm: Reorder symbols in core.c
    - pwm: Provide an inline function to get the parent device of a given chip
    - pwm: meson: Change prototype of a few helpers to prepare further changes
    - pwm: meson: Make use of pwmchip_parent() accessor
    - pwm: meson: Add check for error from clk_round_rate()
    - pwm: meson: Use mul_u64_u64_div_u64() for frequency calculating
    - bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE
    - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
    - Revert "sh: Handle calling csum_partial with misaligned data"
    - wifi: mt76: mt7603: fix tx queue of loopback packets
    - wifi: mt76: mt7603: add wpdma tx eof flag for PSE client reset
    - wifi: mt76: mt7996: fix size of txpower MCU command
    - wifi: mt76: mt7925: ensure 4-byte alignment for suspend & wow command
    - wifi: mt76: mt7996: fix uninitialized variable in mt7996_irq_tasklet()
    - wifi: mt76: mt7996: fix potential memory leakage when reading chip
      temperature
    - libbpf: Fix error message in attach_kprobe_multi
    - wifi: nl80211: Avoid address calculations via out of bounds array indexing
    - wifi: rtw89: wow: refine WoWLAN flows of HCI interrupts and low power mode
    - selftests/binderfs: use the Makefile's rules, not Make's implicit rules
    - selftests/resctrl: fix clang build failure: use LOCAL_HDRS
    - selftests: default to host arch for LLVM builds
    - kunit: Fix kthread reference
    - kunit: unregister the device on error
    - kunit: bail out early in __kunit_test_suites_init() if there are no suites
      to test
    - selftests/bpf: Fix pointer arithmetic in test_xdp_do_redirect
    - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
    - scsi: bfa: Ensure the copied buf is NUL terminated
    - scsi: qedf: Ensure the copied buf is NUL terminated
    - scsi: qla2xxx: Fix debugfs output for fw_resource_count
    - gpio: nuvoton: Fix sgpio irq handle error
    - x86/numa: Fix SRAT lookup of CFMWS ranges with numa_fill_memblks()
    - wifi: mwl8k: initialize cmd->addr[] properly
    - HID: amd_sfh: Handle "no sensors" in PM operations
    - usb: aqc111: stop lying about skb->truesize
    - net: usb: sr9700: stop lying about skb->truesize
    - m68k: Fix spinlock race in kernel thread creation
    - m68k: mac: Fix reboot hang on Mac IIci
    - dm-delay: fix workqueue delay_timer race
    - dm-delay: fix hung task introduced by kthread mode
    - dm-delay: fix max_delay calculations
    - ptp: ocp: fix DPLL functions
    - net: ipv6: fix wrong start position when receive hop-by-hop fragment
    - eth: sungem: remove .ndo_poll_controller to avoid deadlocks
    - selftests: net: add missing config for amt.sh
    - selftests: net: move amt to socat for better compatibility
    - net: ethernet: mediatek: split tx and rx fields in mtk_soc_data struct
    - net: ethernet: mediatek: use ADMAv1 instead of ADMAv2.0 on MT7981 and MT7986
    - ice: Fix package download algorithm
    - net: ethernet: cortina: Locking fixes
    - af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
    - net: usb: smsc95xx: stop lying about skb->truesize
    - net: openvswitch: fix overwriting ct original tuple for ICMPv6
    - ipv6: sr: add missing seg6_local_exit
    - ipv6: sr: fix incorrect unregister order
    - ipv6: sr: fix invalid unregister error path
    - net/mlx5: Fix peer devlink set for SF representor devlink port
    - net/mlx5: Reload only IB representors upon lag disable/enable
    - net/mlx5: Add a timeout to acquire the command queue semaphore
    - net/mlx5: Discard command completions in internal error
    - s390/bpf: Emit a barrier for BPF_FETCH instructions
    - riscv, bpf: make some atomic operations fully ordered
    - ax25: Use kernel universal linked list to implement ax25_dev_list
    - ax25: Fix reference count leak issues of ax25_dev
    - ax25: Fix reference count leak issue of net_device
    - dpll: fix return value check for kmemdup
    - net: fec: remove .ndo_poll_controller to avoid deadlocks
    - mptcp: SO_KEEPALIVE: fix getsockopt support
    - mptcp: cleanup writer wake-up
    - mptcp: avoid some duplicate code in socket option handling
    - mptcp: implement TCP_NOTSENT_LOWAT support
    - mptcp: cleanup SOL_TCP handling
    - mptcp: fix full TCP keep-alive support
    - net: stmmac: Offload queueMaxSDU from tc-taprio
    - net: stmmac: est: Per Tx-queue error count for HLBF
    - net: stmmac: Report taprio offload status
    - net: stmmac: move the EST lock to struct stmmac_priv
    - net: micrel: Fix receiving the timestamp in the frame for lan8841
    - Bluetooth: compute LE flow credits based on recvbuf space
    - Bluetooth: qca: Fix error code in qca_read_fw_build_info()
    - Bluetooth: ISO: Add hcon for listening bis sk
    - Bluetooth: ISO: Clean up returns values in iso_connect_ind()
    - Bluetooth: ISO: Make iso_get_sock_listen generic
    - Bluetooth: Remove usage of the deprecated ida_simple_xx() API
    - Bluetooth: hci_event: Remove code to removed CONFIG_BT_HS
    - Bluetooth: HCI: Remove HCI_AMP support
    - ice: make ice_vsi_cfg_rxq() static
    - ice: make ice_vsi_cfg_txq() static
    - overflow: Change DEFINE_FLEX to take __counted_by member
    - Bluetooth: hci_conn, hci_sync: Use __counted_by() to avoid -Wfamnae warnings
    - Bluetooth: hci_core: Fix not handling hdev->le_num_of_adv_sets=1
    - drm/bridge: Fix improper bridge init order with pre_enable_prev_first
    - drm/ci: update device type for volteer devices
    - drm/nouveau/dp: Fix incorrect return code in r535_dp_aux_xfer()
    - drm/omapdrm: Fix console by implementing fb_dirty
    - drm/omapdrm: Fix console with deferred ops
    - printk: Let no_printk() use _printk()
    - dev_printk: Add and use dev_no_printk()
    - drm/lcdif: Do not disable clocks on already suspended hardware
    - drm/dp: Don't attempt AUX transfers when eDP panels are not powered
    - drm/panel: atna33xc20: Fix unbalanced regulator in the case HPD doesn't
      assert
    - drm/amd/display: Fix potential index out of bounds in color transformation
      function
    - drm/amd/display: Remove redundant condition in dcn35_calc_blocks_to_gate()
    - ASoC: Intel: Disable route checks for Skylake boards
    - ASoC: Intel: avs: ssm4567: Do not ignore route checks
    - mtd: core: Report error if first mtd_otp_size() call fails in
      mtd_otp_nvmem_add()
    - mtd: rawnand: hynix: fixed typo
    - drm/imagination: avoid -Woverflow warning
    - ASoC: mediatek: Assign dummy when codec not specified for a DAI link
    - drm/panel: ltk050h3146w: add MIPI_DSI_MODE_VIDEO to LTK050H3148W flags
    - drm/panel: ltk050h3146w: drop duplicate commands from LTK050H3148W init
    - fbdev: shmobile: fix snprintf truncation
    - ASoC: kirkwood: Fix potential NULL dereference
    - drm/meson: vclk: fix calculation of 59.94 fractional rates
    - drm/mediatek: Add 0 size check to mtk_drm_gem_obj
    - drm/mediatek: Init `ddp_comp` with devm_kcalloc()
    - ASoC: SOF: Intel: hda-dai: fix channel map configuration for aggregated
      dailink
    - powerpc/fsl-soc: hide unused const variable
    - ASoC: SOF: Intel: mtl: Correct rom_status_reg
    - ASoC: SOF: Intel: lnl: Correct rom_status_reg
    - ASoC: SOF: Intel: mtl: Disable interrupts when firmware boot failed
    - ASoC: SOF: Intel: mtl: Implement firmware boot state check
    - fbdev: sisfb: hide unused variables
    - selftests: cgroup: skip test_cgcore_lesser_ns_open when cgroup2 mounted
      without nsdelegate
    - ASoC: Intel: avs: Restore stream decoupling on prepare
    - ASoC: Intel: avs: Fix ASRC module initialization
    - ASoC: Intel: avs: Fix potential integer overflow
    - ASoC: Intel: avs: Test result of avs_get_module_entry()
    - media: ngene: Add dvb_ca_en50221_init return value check
    - staging: media: starfive: Remove links when unregistering devices
    - media: rcar-vin: work around -Wenum-compare-conditional warning
    - media: radio-shark2: Avoid led_names truncations
    - drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference
    - platform/x86: xiaomi-wmi: Fix race condition when reporting key events
    - drm/msm/dp: allow voltage swing / pre emphasis of 3
    - drm/msm/dp: Avoid a long timeout for AUX transfer if nothing connected
    - media: ipu3-cio2: Request IRQ earlier
    - media: dt-bindings: ovti,ov2680: Fix the power supply names
    - media: i2c: et8ek8: Don't strip remove function when driver is builtin
    - media: v4l2-subdev: Fix stream handling for crop API
    - fbdev: sh7760fb: allow modular build
    - media: atomisp: ssh_css: Fix a null-pointer dereference in
      load_video_binaries
    - drm/arm/malidp: fix a possible null pointer dereference
    - drm: vc4: Fix possible null pointer dereference
    - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
    - drm/bridge: anx7625: Don't log an error when DSI host can't be found
    - drm/bridge: icn6211: Don't log an error when DSI host can't be found
    - drm/bridge: lt8912b: Don't log an error when DSI host can't be found
    - drm/bridge: lt9611: Don't log an error when DSI host can't be found
    - drm/bridge: lt9611uxc: Don't log an error when DSI host can't be found
    - drm/bridge: tc358775: Don't log an error when DSI host can't be found
    - drm/bridge: dpc3433: Don't log an error when DSI host can't be found
    - drm/panel: novatek-nt35950: Don't log an error when DSI host can't be found
    - drm/bridge: anx7625: Update audio status while detecting
    - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
    - ALSA: hda: cs35l41: Remove Speaker ID for Lenovo Legion slim 7 16ARHA7
    - drm/mipi-dsi: use correct return type for the DSC functions
    - media: uvcvideo: Add quirk for Logitech Rally Bar
    - drm/rockchip: vop2: Do not divide height twice for YUV
    - drm/edid: Parse topology block for all DispID structure v1.x
    - media: cadence: csi2rx: configure DPHY before starting source stream
    - clk: samsung: exynosautov9: fix wrong pll clock id value
    - RDMA/mlx5: Uncacheable mkey has neither rb_key or cache_ent
    - RDMA/mlx5: Change check for cacheable mkeys
    - RDMA/mlx5: Adding remote atomic access flag to updatable flags
    - clk: mediatek: pllfh: Don't log error for missing fhctl node
    - iommu: Undo pasid attachment only for the devices that have succeeded
    - RDMA/hns: Fix return value in hns_roce_map_mr_sg
    - RDMA/hns: Fix deadlock on SRQ async events.
    - RDMA/hns: Fix UAF for cq async event
    - RDMA/hns: Fix GMV table pagesize
    - RDMA/hns: Use complete parentheses in macros
    - RDMA/hns: Modify the print level of CQE error
    - clk: mediatek: mt8365-mm: fix DPI0 parent
    - clk: rs9: fix wrong default value for clock amplitude
    - clk: qcom: clk-alpha-pll: remove invalid Stromer register offset
    - RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt
    - RDMA/rxe: Allow good work requests to be executed
    - RDMA/rxe: Fix incorrect rxe_put in error path
    - IB/mlx5: Use __iowrite64_copy() for write combining stores
    - clk: renesas: r8a779a0: Fix CANFD parent clock
    - clk: renesas: r9a07g043: Add clock and reset entry for PLIC
    - lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure
    - mm/ksm: fix ksm exec support for prctl
    - clk: qcom: dispcc-sm8450: fix DisplayPort clocks
    - clk: qcom: dispcc-sm6350: fix DisplayPort clocks
    - clk: qcom: dispcc-sm8550: fix DisplayPort clocks
    - clk: qcom: dispcc-sm8650: fix DisplayPort clocks
    - clk: qcom: mmcc-msm8998: fix venus clock issue
    - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
    - x86/insn: Add VEX versions of VPDPBUSD, VPDPBUSDS, VPDPWSSD and VPDPWSSDS
    - ext4: avoid excessive credit estimate in ext4_tmpfile()
    - RDMA/mana_ib: Introduce helpers to create and destroy mana queues
    - RDMA/mana_ib: Use struct mana_ib_queue for CQs
    - RDMA/mana_ib: boundary check before installing cq callbacks
    - virt: acrn: stop using follow_pfn
    - drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()
    - sunrpc: removed redundant procp check
    - nfsd: don't create nfsv4recoverydir in nfsdfs when not used.
    - ext4: fix potential unnitialized variable
    - ext4: remove the redundant folio_wait_stable()
    - clk: qcom: Fix SC_CAMCC_8280XP dependencies
    - [Config] updateconfigs for SC_CAMCC_8280XP
    - clk: qcom: Fix SM_GPUCC_8650 dependencies
    - [Config] updateconfigs for SM_GPUCC_8650
    - clk: qcom: apss-ipq-pll: fix PLL rate for IPQ5018
    - of: module: add buffer overflow check in of_modalias()
    - bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
    - SUNRPC: Fix gss_free_in_token_pages()
    - selftests/damon/_damon_sysfs: check errors from nr_schemes file reads
    - selftests/kcmp: remove unused open mode
    - RDMA/IPoIB: Fix format truncation compilation errors
    - RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use
      siw
    - samples/landlock: Fix incorrect free in populate_ruleset_net
    - tracing/user_events: Prepare find/delete for same name events
    - tracing/user_events: Fix non-spaced field matching
    - modules: Drop the .export_symbol section from the final modules
    - net: bridge: xmit: make sure we have at least eth header len bytes
    - selftests: net: bridge: increase IGMP/MLD exclude timeout membership
      interval
    - net: bridge: mst: fix vlan use-after-free
    - net: qrtr: ns: Fix module refcnt
    - selftests/net/lib: no need to record ns name if it already exist
    - idpf: don't skip over ethtool tcp-data-split setting
    - netrom: fix possible dead-lock in nr_rt_ioctl()
    - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
    - sched/fair: Allow disabling sched_balance_newidle with
      sched_relax_domain_level
    - sched/core: Fix incorrect initialization of the 'burst' parameter in
      cpu_max_write()
    - net: wangxun: fix to change Rx features
    - net: wangxun: match VLAN CTAG and STAG features
    - net: txgbe: move interrupt codes to a separate file
    - net: txgbe: use irq_domain for interrupt controller
    - net: txgbe: fix to control VLAN strip
    - l2tp: fix ICMP error handling for UDP-encap sockets
    - io_uring/net: ensure async prep handlers always initialize ->done_io
    - pwm: Fix setting period with #pwm-cells = <1> and of_pwm_single_xlate()
    - net: txgbe: fix to clear interrupt status after handling IRQ
    - net: txgbe: fix GPIO interrupt blocking
    - Linux 6.8.12
  * Noble update: v6.8.11 upstream stable release (LP: #2070355)
    - drm/amd/display: Fix division by zero in setup_dsc_config
    - net: ks8851: Fix another TX stall caused by wrong ISR flag handling
    - ice: pass VSI pointer into ice_vc_isvalid_q_id
    - ice: remove unnecessary duplicate checks for VF VSI ID
    - Bluetooth: L2CAP: Fix slab-use-after-free in l2cap_connect()
    - Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()
    - KEYS: trusted: Fix memory leak in tpm2_key_encode()
    - erofs: get rid of erofs_fs_context
    - erofs: reliably distinguish block based and fscache mode
    - binder: fix max_thread type inconsistency
    - usb: dwc3: Wait unconditionally after issuing EndXfer command
    - net: usb: ax88179_178a: fix link status when link is set to down/up
    - usb: typec: ucsi: displayport: Fix potential deadlock
    - usb: typec: tipd: fix event checking for tps25750
    - usb: typec: tipd: fix event checking for tps6598x
    - serial: kgdboc: Fix NMI-safety problems from keyboard reset code
    - remoteproc: mediatek: Make sure IPI buffer fits in L2TCM
    - KEYS: trusted: Do not use WARN when encode fails
    - admin-guide/hw-vuln/core-scheduling: fix return type of PR_SCHED_CORE_GET
    - docs: kernel_include.py: Cope with docutils 0.21
    - Docs/admin-guide/mm/damon/usage: fix wrong example of DAMOS filter matching
      sysfs file
    - block: add a disk_has_partscan helper
    - block: add a partscan sysfs attribute for disks
    - Linux 6.8.11
  * Noble update: v6.8.10 upstream stable release (LP: #2070349)
    - rust: module: place generated init_module() function in .init.text
    - rust: macros: fix soundness issue in `module!` macro
    - wifi: nl80211: don't free NULL coalescing rule
    - pinctrl: pinctrl-aspeed-g6: Fix register offset for pinconf of GPIOR-T
    - pinctrl/meson: fix typo in PDM's pin name
    - pinctrl: core: delete incorrect free in pinctrl_enable()
    - pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback
    - pinctrl: mediatek: paris: Rework support for
      PIN_CONFIG_{INPUT,OUTPUT}_ENABLE
    - sunrpc: add a struct rpc_stats arg to rpc_create_args
    - nfs: expose /proc/net/sunrpc/nfs in net namespaces
    - nfs: make the rpc_stat per net namespace
    - nfs: Handle error of rpc_proc_register() in nfs_net_init().
    - pinctrl: baytrail: Fix selecting gpio pinctrl state
    - power: rt9455: hide unused rt9455_boost_voltage_values
    - power: supply: mt6360_charger: Fix of_match for usb-otg-vbus regulator
    - pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
    - nfsd: rename NFSD_NET_* to NFSD_STATS_*
    - nfsd: expose /proc/net/sunrpc/nfsd in net namespaces
    - nfsd: make all of the nfsd stats per-network namespace
    - NFSD: add support for CB_GETATTR callback
    - NFSD: Fix nfsd4_encode_fattr4() crasher
    - regulator: mt6360: De-capitalize devicetree regulator subnodes
    - regulator: change stubbed devm_regulator_get_enable to return Ok
    - regulator: change devm_regulator_get_enable_optional() stub to return Ok
    - bpf, kconfig: Fix DEBUG_INFO_BTF_MODULES Kconfig definition
    - bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
    - regmap: Add regmap_read_bypassed()
    - ASoC: SOF: Intel: add default firmware library path for LNL
    - nvme: fix warn output about shared namespaces without CONFIG_NVME_MULTIPATH
    - bpf: Fix a verifier verbose message
    - spi: axi-spi-engine: use common AXI macros
    - spi: axi-spi-engine: fix version format string
    - spi: hisi-kunpeng: Delete the dump interface of data registers in debugfs
    - bpf, arm64: Fix incorrect runtime stats
    - riscv, bpf: Fix incorrect runtime stats
    - ASoC: Intel: avs: Set name of control as in topology
    - ASoC: codecs: wsa881x: set clk_stop_mode1 flag
    - s390/mm: Fix storage key clearing for guest huge pages
    - s390/mm: Fix clearing storage keys for huge pages
    - arm32, bpf: Reimplement sign-extension mov instruction
    - xdp: use flags field to disambiguate broadcast redirect
    - efi/unaccepted: touch soft lockup during memory accept
    - ice: ensure the copied buf is NUL terminated
    - bna: ensure the copied buf is NUL terminated
    - octeontx2-af: avoid off-by-one read from userspace
    - thermal/debugfs: Free all thermal zone debug memory on zone removal
    - thermal/debugfs: Fix two locking issues with thermal zone debug
    - nsh: Restore skb->{protocol,data,mac_header} for outer header in
      nsh_gso_segment().
    - net l2tp: drop flow hash on forward
    - thermal/debugfs: Prevent use-after-free from occurring after cdev removal
    - s390/vdso: Add CFI for RA register to asm macro vdso_func
    - Fix a potential infinite loop in extract_user_to_sg()
    - ALSA: emu10k1: fix E-MU card dock presence monitoring
    - ALSA: emu10k1: factor out snd_emu1010_load_dock_firmware()
    - ALSA: emu10k1: move the whole GPIO event handling to the workqueue
    - ALSA: emu10k1: fix E-MU dock initialization
    - net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()
    - net: qede: use return from qede_parse_flow_attr() for flower
    - net: qede: use return from qede_parse_flow_attr() for flow_spec
    - net: qede: use return from qede_parse_actions()
    - vxlan: Fix racy device stats updates.
    - vxlan: Add missing VNI filter counter update in arp_reduce().
    - ASoC: meson: axg-fifo: use FIELD helpers
    - ASoC: meson: axg-fifo: use threaded irq to check periods
    - ASoC: meson: axg-card: make links nonatomic
    - ASoC: meson: axg-tdm-interface: manage formatters in trigger
    - ASoC: meson: cards: select SND_DYNAMIC_MINORS
    - ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()
    - s390/cio: Ensure the copied buf is NUL terminated
    - cxgb4: Properly lock TX queue for the selftest.
    - net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341
    - drm/amdgpu: fix doorbell regression
    - spi: fix null pointer dereference within spi_sync
    - net: bridge: fix multicast-to-unicast with fraglist GSO
    - net: core: reject skb_copy(_expand) for fraglist GSO skbs
    - rxrpc: Clients must accept conn from any address
    - tipc: fix a possible memleak in tipc_buf_append
    - vxlan: Pull inner IP header in vxlan_rcv().
    - s390/qeth: Fix kernel panic after setting hsuid
    - drm/panel: ili9341: Correct use of device property APIs
    - [Config] updateconfigs for DRM_PANEL_ILITEK_ILI9341
    - drm/panel: ili9341: Respect deferred probe
    - drm/panel: ili9341: Use predefined error codes
    - ipv4: Fix uninit-value access in __ip_make_skb()
    - net: gro: fix udp bad offset in socket lookup by adding
      {inner_}network_offset to napi_gro_cb
    - net: gro: add flush check in udp_gro_receive_segment
    - drm/xe/display: Fix ADL-N detection
    - clk: qcom: smd-rpm: Restore msm8976 num_clk
    - clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change
    - powerpc/pseries: make max polling consistent for longer H_CALLs
    - powerpc/pseries/iommu: LPAR panics during boot up with a frozen PE
    - EDAC/versal: Do not log total error counts
    - swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y
    - KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()
    - exfat: fix timing of synchronizing bitmap and inode
    - firmware: microchip: don't unconditionally print validation success
    - scsi: ufs: core: Fix MCQ MAC configuration
    - scsi: lpfc: Move NPIV's transport unregistration to after resource clean up
    - scsi: lpfc: Remove IRQF_ONESHOT flag from threaded IRQ handling
    - scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic
    - scsi: lpfc: Replace hbalock with ndlp lock in lpfc_nvme_unregister_port()
    - scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()
    - scsi: lpfc: Use a dedicated lock for ras_fwlog state
    - gfs2: Fix invalid metadata access in punch_hole
    - fs/9p: fix uninitialized values during inode evict
    - wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc
    - wifi: cfg80211: fix rdev_dump_mpp() arguments order
    - wifi: mac80211: fix prep_connection error path
    - wifi: iwlwifi: read txq->read_ptr under lock
    - wifi: iwlwifi: mvm: guard against invalid STA ID on removal
    - net: mark racy access on sk->sk_rcvbuf
    - drm/xe: Fix END redefinition
    - scsi: mpi3mr: Avoid memcpy field-spanning write WARNING
    - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload
    - btrfs: return accurate error code on open failure in open_fs_devices()
    - drm/amdkfd: Check cgroup when returning DMABuf info
    - drm/amdkfd: range check cp bad op exception interrupts
    - bpf: Check bloom filter map value size
    - selftests/ftrace: Fix event filter target_func selection
    - kbuild: Disable KCSAN for autogenerated *.mod.c intermediaries
    - ASoC: SOF: Intel: hda-dsp: Skip IMR boot on ACE platforms in case of S3
      suspend
    - regulator: tps65132: Add of_match table
    - OSS: dmasound/paula: Mark driver struct with __refdata to prevent section
      mismatch
    - scsi: ufs: core: WLUN suspend dev/link state error recovery
    - scsi: libsas: Align SMP request allocation to ARCH_DMA_MINALIGN
    - scsi: ufs: core: Fix MCQ mode dev command timeout
    - ALSA: line6: Zero-initialize message buffers
    - block: fix overflow in blk_ioctl_discard()
    - ASoC: codecs: ES8326: Solve error interruption issue
    - ASoC: codecs: ES8326: modify clock table
    - net: bcmgenet: Reset RBUF on first open
    - vboxsf: explicitly deny setlease attempts
    - ata: sata_gemini: Check clk_enable() result
    - firewire: ohci: mask bus reset interrupts between ISR and bottom half
    - tools/power turbostat: Fix added raw MSR output
    - tools/power turbostat: Increase the limit for fd opened
    - tools/power turbostat: Fix Bzy_MHz documentation typo
    - tools/power turbostat: Do not print negative LPI residency
    - tools/power turbostat: Expand probe_intel_uncore_frequency()
    - tools/power turbostat: Print ucode revision only if valid
    - tools/power turbostat: Fix warning upon failed /dev/cpu_dma_latency read
    - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve
    - btrfs: always clear PERTRANS metadata during commit
    - memblock tests: fix undefined reference to `early_pfn_to_nid'
    - memblock tests: fix undefined reference to `panic'
    - memblock tests: fix undefined reference to `BIT'
    - nouveau/gsp: Avoid addressing beyond end of rpc->entries
    - scsi: target: Fix SELinux error when systemd-modules loads the target module
    - scsi: hisi_sas: Handle the NCQ error returned by D2H frame
    - blk-iocost: avoid out of bounds shift
    - accel/ivpu: Remove d3hot_after_power_off WA
    - accel/ivpu: Improve clarity of MMU error messages
    - accel/ivpu: Fix missed error message after VPU rename
    - platform/x86: acer-wmi: Add support for Acer PH18-71
    - gpu: host1x: Do not setup DMA for virtual devices
    - MIPS: scall: Save thread_info.syscall unconditionally on entry
    - tools/power/turbostat: Fix uncore frequency file string
    - net: add copy_safe_from_sockptr() helper
    - nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies
    - drm/amdgpu: Refine IB schedule error logging
    - drm/amd/display: add DCN 351 version for microcode load
    - drm/amdgpu: add smu 14.0.1 discovery support
    - drm/amdgpu: implement IRQ_STATE_ENABLE for SDMA v4.4.2
    - drm/amd/display: Skip on writeback when it's not applicable
    - drm/amd/pm: fix the high voltage issue after unload
    - drm/amdgpu: Fix VCN allocation in CPX partition
    - amd/amdkfd: sync all devices to wait all processes being evicted
    - selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior
    - Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails
    - Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl
    - hv_netvsc: Don't free decrypted memory
    - uio_hv_generic: Don't free decrypted memory
    - Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted
    - drm/xe/xe_migrate: Cast to output precision before multiplying operands
    - drm/xe: Label RING_CONTEXT_CONTROL as masked
    - smb3: fix broken reconnect when password changing on the server by allowing
      password rotation
    - iommu: mtk: fix module autoloading
    - fs/9p: only translate RWX permissions for plain 9P2000
    - fs/9p: translate O_TRUNC into OTRUNC
    - fs/9p: fix the cache always being enabled on files with qid flags
    - 9p: explicitly deny setlease attempts
    - powerpc/crypto/chacha-p10: Fix failure on non Power10
    - gpio: wcove: Use -ENOTSUPP consistently
    - gpio: crystalcove: Use -ENOTSUPP consistently
    - clk: Don't hold prepare_lock when calling kref_put()
    - fs/9p: remove erroneous nlink init from legacy stat2inode
    - fs/9p: drop inodes immediately on non-.L too
    - gpio: lpc32xx: fix module autoloading
    - drm/nouveau/dp: Don't probe eDP ports twice harder
    - platform/x86/amd: pmf: Decrease error message to debug
    - platform/x86: ISST: Add Granite Rapids-D to HPM CPU list
    - drm/radeon: silence UBSAN warning (v3)
    - net:usb:qmi_wwan: support Rolling modules
    - blk-iocost: do not WARN if iocg was already offlined
    - SUNRPC: add a missing rpc_stat for TCP TLS
    - qibfs: fix dentry leak
    - xfrm: Preserve vlan tags for transport mode software GRO
    - ARM: 9381/1: kasan: clear stale stack poison
    - tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
    - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
    - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
    - Bluetooth: msft: fix slab-use-after-free in msft_do_close()
    - arm64: dts: mediatek: mt8183-pico6: Fix bluetooth node
    - Bluetooth: HCI: Fix potential null-ptr-deref
    - Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
    - net: ks8851: Queue RX packets in IRQ handler instead of disabling BHs
    - rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
    - hwmon: (corsair-cpro) Use a separate buffer for sending commands
    - hwmon: (corsair-cpro) Use complete_all() instead of complete() in
      ccp_raw_event()
    - hwmon: (corsair-cpro) Protect ccp->wait_input_report with a spinlock
    - phonet: fix rtm_phonet_notify() skb allocation
    - netlink: specs: Add missing bridge linkinfo attrs
    - nfc: nci: Fix kcov check in nci_rx_work()
    - net: bridge: fix corrupted ethernet header on multicast-to-unicast
    - ipv6: Fix potential uninit-value access in __ip6_make_skb()
    - selftests: test_bridge_neigh_suppress.sh: Fix failures due to duplicate MAC
    - rxrpc: Fix the names of the fields in the ACK trailer struct
    - rxrpc: Fix congestion control algorithm
    - rxrpc: Only transmit one ACK per jumbo packet received
    - dt-bindings: net: mediatek: remove wrongly added clocks and SerDes
    - ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
    - net-sysfs: convert dev->operstate reads to lockless ones
    - hsr: Simplify code for announcing HSR nodes timer setup
    - ipv6: annotate data-races around cnf.disable_ipv6
    - ipv6: prevent NULL dereference in ip6_output()
    - net/smc: fix neighbour and rtable leak in smc_ib_find_route()
    - net: hns3: using user configure after hardware reset
    - net: hns3: direct return when receive a unknown mailbox message
    - net: hns3: change type of numa_node_mask as nodemask_t
    - net: hns3: release PTP resources if pf initialization failed
    - net: hns3: use appropriate barrier function after setting a bit value
    - net: hns3: fix port vlan filter not disabled issue
    - net: hns3: fix kernel crash when devlink reload during initialization
    - net: dsa: mv88e6xxx: add phylink_get_caps for the mv88e6320/21 family
    - drm/meson: dw-hdmi: power up phy on device init
    - drm/meson: dw-hdmi: add bandgap setting for g12
    - drm/connector: Add \n to message about demoting connector force-probes
    - dm/amd/pm: Fix problems with reboot/shutdown for some SMU 13.0.4/13.0.11
      users
    - gpiolib: cdev: Fix use after free in lineinfo_changed_notify
    - gpiolib: cdev: fix uninitialised kfifo
    - drm/amdgpu: Fix comparison in amdgpu_res_cpu_visible
    - drm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2
    - firewire: nosy: ensure user_length is taken into account when fetching
      packet contents
    - Reapply "drm/qxl: simplify qxl_fence_wait"
    - usb: typec: ucsi: Check for notifications after init
    - usb: typec: ucsi: Fix connector check on init
    - usb: Fix regression caused by invalid ep0 maxpacket in virtual SuperSpeed
      device
    - usb: ohci: Prevent missed ohci interrupts
    - USB: core: Fix access violation during port device removal
    - usb: gadget: composite: fix OS descriptors w_value logic
    - usb: gadget: uvc: use correct buffer size when parsing configfs lists
    - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete
    - usb: gadget: f_fs: Fix a race condition when processing setup packets.
    - usb: xhci-plat: Don't include xhci.h
    - usb: dwc3: core: Prevent phy suspend during init
    - usb: typec: tcpm: clear pd_event queue in PORT_RESET
    - usb: typec: tcpm: unregister existing source caps before re-registration
    - usb: typec: tcpm: Check for port partner validity before consuming it
    - ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU
    - ALSA: hda/realtek: Fix conflicting PCI SSID 17aa:386f for Lenovo Legion
      models
    - firewire: ohci: fulfill timestamp for some local asynchronous transaction
    - mm/slub: avoid zeroing outside-object freepointer for single free
    - btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()
    - btrfs: set correct ram_bytes when splitting ordered extent
    - btrfs: qgroup: do not check qgroup inherit if qgroup is disabled
    - btrfs: make sure that WRITTEN is set on all metadata blocks
    - maple_tree: fix mas_empty_area_rev() null pointer dereference
    - mm/slab: make __free(kfree) accept error pointers
    - mptcp: ensure snd_nxt is properly initialized on connect
    - mptcp: only allow set existing scheduler for net.mptcp.scheduler
    - workqueue: Fix selection of wake_cpu in kick_pool()
    - dt-bindings: iio: health: maxim,max30102: fix compatible check
    - iio:imu: adis16475: Fix sync mode setting
    - iio: pressure: Fixes BME280 SPI driver data
    - iio: pressure: Fixes SPI support for BMP3xx devices
    - iio: accel: mxc4005: Interrupt handling fixes
    - iio: accel: mxc4005: Reset chip on probe() and resume()
    - kmsan: compiler_types: declare __no_sanitize_or_inline
    - e1000e: change usleep_range to udelay in PHY mdic access
    - tipc: fix UAF in error path
    - xtensa: fix MAKE_PC_FROM_RA second argument
    - net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access
    - net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()
    - net: bcmgenet: synchronize UMAC_CMD access
    - ASoC: tegra: Fix DSPK 16-bit playback
    - ASoC: ti: davinci-mcasp: Fix race condition during probe
    - dyndbg: fix old BUG_ON in >control parser
    - slimbus: qcom-ngd-ctrl: Add timeout for wait operation
    - clk: samsung: Revert "clk: Use device_get_match_data()"
    - clk: sunxi-ng: common: Support minimum and maximum rate
    - clk: sunxi-ng: a64: Set minimum and maximum rate for PLL-MIPI
    - mei: me: add lunar lake point M DID
    - drm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor()
    - Revert "drm/nouveau/firmware: Fix SG_DEBUG error with nvkm_firmware_ctor()"
    - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages
    - drm/ttm: Print the memory decryption status just once
    - drm/vmwgfx: Fix Legacy Display Unit
    - drm/vmwgfx: Fix invalid reads in fence signaled events
    - drm/imagination: Ensure PVR_MIPS_PT_PAGE_COUNT is never zero
    - drm/amd/display: Fix idle optimization checks for multi-display and dual eDP
    - drm/nouveau/gsp: Use the sg allocator for level 2 of radix3
    - drm/i915/gt: Automate CCS Mode setting during engine resets
    - drm/i915/bios: Fix parsing backlight BDB data
    - drm/amd/display: Handle Y carry-over in VCP X.Y calculation
    - drm/amd/display: Fix incorrect DSC instance for MST
    - arm64: dts: qcom: sa8155p-adp: fix SDHC2 CD pin configuration
    - iommu/arm-smmu: Use the correct type in nvidia_smmu_context_fault()
    - net: fix out-of-bounds access in ops_init
    - hwmon: (pmbus/ucd9000) Increase delay from 250 to 500us
    - misc/pvpanic-pci: register attributes via pci_driver
    - x86/apic: Don't access the APIC when disabling x2APIC
    - selftests/mm: fix powerpc ARCH check
    - mm: use memalloc_nofs_save() in page_cache_ra_order()
    - mm/userfaultfd: reset ptes when close() for wr-protected ones
    - iommu/amd: Enhance def_domain_type to handle untrusted device
    - fs/proc/task_mmu: fix loss of young/dirty bits during pagemap scan
    - fs/proc/task_mmu: fix uffd-wp confusion in pagemap_scan_pmd_entry()
    - nvme-pci: Add quirk for broken MSIs
    - regulator: core: fix debugfs creation regression
    - spi: microchip-core-qspi: fix setting spi bus clock rate
    - ksmbd: off ipv6only for both ipv4/ipv6 binding
    - ksmbd: avoid to send duplicate lease break notifications
    - ksmbd: do not grant v2 lease if parent lease key and epoch are not set
    - tracefs: Reset permissions on remount if permissions are options
    - tracefs: Still use mount point as default permissions for instances
    - eventfs: Do not treat events directory different than other directories
    - Bluetooth: qca: fix invalid device address check
    - Bluetooth: qca: fix wcn3991 device address check
    - Bluetooth: qca: add missing firmware sanity checks
    - Bluetooth: qca: fix NVM configuration parsing
    - Bluetooth: qca: generalise device address check
    - Bluetooth: qca: fix info leak when fetching board id
    - Bluetooth: qca: fix info leak when fetching fw build id
    - Bluetooth: qca: fix firmware check error path
    - keys: Fix overwrite of key expiration on instantiation
    - Linux 6.8.10
  * Noble update: v6.8.9 upstream stable release (LP: #2070337)
    - cifs: Fix reacquisition of volume cookie on still-live connection
    - smb: client: fix rename(2) regression against samba
    - cifs: reinstate original behavior again for forceuid/forcegid
    - HID: intel-ish-hid: ipc: Fix dev_err usage with uninitialized dev->devc
    - HID: logitech-dj: allow mice to use all types of reports
    - arm64: dts: rockchip: set PHY address of MT7531 switch to 0x1f
    - arm64: dts: rockchip: enable internal pull-up on Q7_USB_ID for RK3399 Puma
    - arm64: dts: rockchip: fix alphabetical ordering RK3399 puma
    - arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma
    - arm64: dts: rockchip: Fix the i2c address of es8316 on Cool Pi CM5
    - arm64: dts: rockchip: Remove unsupported node from the Pinebook Pro dts
    - arm64: dts: mediatek: mt8183: Add power-domains properity to mfgcfg
    - arm64: dts: mediatek: mt8192: Add missing gce-client-reg to mutex
    - arm64: dts: mediatek: mt8195: Add missing gce-client-reg to vpp/vdosys
    - arm64: dts: mediatek: mt8195: Add missing gce-client-reg to mutex
    - arm64: dts: mediatek: mt8195: Add missing gce-client-reg to mutex1
    - arm64: dts: mediatek: cherry: Describe CPU supplies
    - arm64: dts: mediatek: mt8192-asurada: Update min voltage constraint for
      MT6315
    - arm64: dts: mediatek: mt8195-cherry: Update min voltage constraint for
      MT6315
    - arm64: dts: mediatek: mt8183-kukui: Use default min voltage for MT6358
    - arm64: dts: mediatek: mt7622: fix clock controllers
    - arm64: dts: mediatek: mt7622: fix IR nodename
    - arm64: dts: mediatek: mt7622: fix ethernet controller "compatible"
    - arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block
    - arm64: dts: mediatek: mt7986: reorder properties
    - arm64: dts: mediatek: mt7986: drop invalid properties from ethsys
    - arm64: dts: mediatek: mt7986: drop "#reset-cells" from Ethernet controller
    - arm64: dts: mediatek: mt7986: reorder nodes
    - arm64: dts: mediatek: mt7986: drop invalid thermal block clock
    - arm64: dts: mediatek: mt7986: prefix BPI-R3 cooling maps with "map-"
    - arm64: dts: mediatek: mt2712: fix validation errors
    - arm64: dts: rockchip: mark system power controller and fix typo on
      orangepi-5-plus
    - arm64: dts: rockchip: regulator for sd needs to be always on for BPI-R2Pro
    - block: fix module reference leakage from bdev_open_by_dev error path
    - arm64: dts: qcom: Fix type of "wdog" IRQs for remoteprocs
    - arm64: dts: qcom: x1e80100: Fix the compatible for cluster idle states
    - arm64: dts: qcom: sc8180x: Fix ss_phy_irq for secondary USB controller
    - gpio: tangier: Use correct type for the IRQ chip data
    - ARC: [plat-hsdk]: Remove misplaced interrupt-cells property
    - wifi: mac80211: clean up assignments to pointer cache.
    - wifi: mac80211: split mesh fast tx cache into local/proxied/forwarded
    - wifi: iwlwifi: mvm: remove old PASN station when adding a new one
    - wifi: iwlwifi: mvm: return uid from iwl_mvm_build_scan_cmd
    - drm/gma500: Remove lid code
    - wifi: mac80211_hwsim: init peer measurement result
    - wifi: mac80211: remove link before AP
    - wifi: mac80211: fix unaligned le16 access
    - net: libwx: fix alloc msix vectors failed
    - vxlan: drop packets from invalid src-address
    - net: bcmasp: fix memory leak when bringing down interface
    - mlxsw: core: Unregister EMAD trap using FORWARD action
    - mlxsw: core_env: Fix driver initialization with old firmware
    - mlxsw: pci: Fix driver initialization with old firmware
    - ARM: dts: microchip: at91-sama7g5ek: Replace regulator-suspend-voltage with
      the valid property
    - icmp: prevent possible NULL dereferences from icmp_build_probe()
    - bridge/br_netlink.c: no need to return void function
    - bnxt_en: refactor reset close code
    - bnxt_en: Fix the PCI-AER routines
    - bnxt_en: Fix error recovery for 5760X (P7) chips
    - cxl/core: Fix potential payload size confusion in cxl_mem_get_poison()
    - net: dsa: mv88e6xx: fix supported_interfaces setup in
      mv88e6250_phylink_get_caps()
    - NFC: trf7970a: disable all regulators on removal
    - netfs: Fix writethrough-mode error handling
    - ax25: Fix netdev refcount issue
    - soc: mediatek: mtk-svs: Append "-thermal" to thermal zone names
    - tools: ynl: don't ignore errors in NLMSG_DONE messages
    - net: usb: ax88179_178a: stop lying about skb->truesize
    - tcp: Fix Use-After-Free in tcp_ao_connect_init
    - net: gtp: Fix Use-After-Free in gtp_dellink
    - net: phy: mediatek-ge-soc: follow netdev LED trigger semantics
    - gpio: tegra186: Fix tegra186_gpio_is_accessible() check
    - drm/xe: Remove sysfs only once on action add failure
    - drm/xe: call free_gsc_pkt only once on action add failure
    - Bluetooth: hci_event: Use HCI error defines instead of magic values
    - Bluetooth: hci_conn: Only do ACL connections sequentially
    - Bluetooth: Remove pending ACL connection attempts
    - Bluetooth: hci_conn: Always use sk_timeo as conn_timeout
    - Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync
    - Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue
    - Bluetooth: hci_sync: Attempt to dequeue connection attempt
    - Bluetooth: ISO: Reassemble PA data for bcast sink
    - Bluetooth: hci_sync: Use advertised PHYs on hci_le_ext_create_conn_sync
    - Bluetooth: btusb: Fix triggering coredump implementation for QCA
    - Bluetooth: hci_event: Fix sending HCI_OP_READ_ENC_KEY_SIZE
    - Bluetooth: MGMT: Fix failing to MGMT_OP_ADD_UUID/MGMT_OP_REMOVE_UUID
    - Bluetooth: btusb: mediatek: Fix double free of skb in coredump
    - Bluetooth: hci_sync: Using hci_cmd_sync_submit when removing Adv Monitor
    - Bluetooth: qca: set power_ctrl_enabled on NULL returned by
      gpiod_get_optional()
    - ipvs: Fix checksumming on GSO of SCTP packets
    - net: openvswitch: Fix Use-After-Free in ovs_ct_exit
    - mlxsw: Use refcount_t for reference counting
    - mlxsw: spectrum_acl_tcam: Fix race in region ID allocation
    - mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work
    - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
    - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
    - mlxsw: spectrum_acl_tcam: Rate limit error message
    - mlxsw: spectrum_acl_tcam: Fix memory leak during rehash
    - mlxsw: spectrum_acl_tcam: Fix warning during rehash
    - mlxsw: spectrum_acl_tcam: Fix incorrect list API usage
    - mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work
    - eth: bnxt: fix counting packets discarded due to OOM and netpoll
    - ARM: dts: imx6ull-tarragon: fix USB over-current polarity
    - netfilter: nf_tables: honor table dormant flag from netdev release event
      path
    - net: phy: dp83869: Fix MII mode failure
    - net: ti: icssg-prueth: Fix signedness bug in prueth_init_rx_chns()
    - i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
    - i40e: Report MFS in decimal base instead of hex
    - iavf: Fix TC config comparison with existing adapter TC config
    - ice: fix LAG and VF lock dependency in ice_reset_vf()
    - net: ethernet: ti: am65-cpts: Fix PTPv1 message type on TX packets
    - octeontx2-af: fix the double free in rvu_npc_freemem()
    - dpll: check that pin is registered in __dpll_pin_unregister()
    - dpll: fix dpll_pin_on_pin_register() for multiple parent pins
    - tls: fix lockless read of strp->msg_ready in ->poll
    - af_unix: Suppress false-positive lockdep splat for spin_lock() in
      __unix_gc().
    - netfs: Fix the pre-flush when appending to a file in writethrough mode
    - drm/amd/display: Check DP Alt mode DPCS state via DMUB
    - Revert "drm/amd/display: fix USB-C flag update after enc10 feature init"
    - xhci: move event processing for one interrupter to a separate function
    - usb: xhci: correct return value in case of STS_HCE
    - KVM: x86/pmu: Zero out PMU metadata on AMD if PMU is disabled
    - KVM: x86/pmu: Set enable bits for GP counters in PERF_GLOBAL_CTRL at "RESET"
    - drm: add drm_gem_object_is_shared_for_memory_stats() helper
    - drm/amdgpu: add shared fdinfo stats
    - drm/amdgpu: fix visible VRAM handling during faults
    - Revert "UBUNTU: SAUCE: selftests/seccomp: fix check of fds being assigned"
    - selftests/seccomp: user_notification_addfd check nextfd is available
    - selftests/seccomp: Change the syscall used in KILL_THREAD test
    - selftests/seccomp: Handle EINVAL on unshare(CLONE_NEWPID)
    - x86/CPU/AMD: Add models 0x10-0x1f to the Zen5 range
    - x86/cpu: Fix check for RDPKRU in __show_regs()
    - rust: phy: implement `Send` for `Registration`
    - rust: kernel: require `Send` for `Module` implementations
    - rust: don't select CONSTRUCTORS
    - [Config] updateconfigs to drop CONSTRUCTORS for rust
    - rust: init: remove impl Zeroable for Infallible
    - rust: make mutually exclusive with CFI_CLANG
    - kbuild: rust: remove unneeded `@rustc_cfg` to avoid ICE
    - kbuild: rust: force `alloc` extern to allow "empty" Rust files
    - rust: remove `params` from `module` macro example
    - Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
    - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853
    - Bluetooth: qca: fix NULL-deref on non-serdev suspend
    - Bluetooth: qca: fix NULL-deref on non-serdev setup
    - mtd: rawnand: qcom: Fix broken OP_RESET_DEVICE command in
      qcom_misc_cmd_type_exec()
    - mm/hugetlb: fix missing hugetlb_lock for resv uncharge
    - mmc: sdhci-msm: pervent access to suspended controller
    - mmc: sdhci-of-dwcmshc: th1520: Increase tuning loop count to 128
    - mm: create FOLIO_FLAG_FALSE and FOLIO_TYPE_OPS macros
    - mm: support page_mapcount() on page_has_type() pages
    - mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio()
    - smb: client: Fix struct_group() usage in __packed structs
    - smb3: missing lock when picking channel
    - smb3: fix lock ordering potential deadlock in cifs_sync_mid_result
    - btrfs: fallback if compressed IO fails for ENOSPC
    - btrfs: fix wrong block_start calculation for btrfs_drop_extent_map_range()
    - btrfs: scrub: run relocation repair when/only needed
    - btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
    - x86/tdx: Preserve shared bit on mprotect()
    - cpu: Re-enable CPU mitigations by default for !X86 architectures
    - [Config] updateconfigs for CPU_MITIGATIONS
    - eeprom: at24: fix memory corruption race condition
    - LoongArch: Fix callchain parse error with kernel tracepoint events
    - LoongArch: Fix access error when read fault on a write-only VMA
    - arm64: dts: qcom: sc8280xp: add missing PCIe minimum OPP
    - arm64: dts: qcom: sm8450: Fix the msi-map entries
    - arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
    - dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state"
    - dmaengine: xilinx: xdma: Fix wrong offsets in the buffers addresses in dma
      descriptor
    - dmaengine: xilinx: xdma: Fix synchronization issue
    - drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3
    - drm/amdgpu: Assign correct bits for SDMA HDP flush
    - drm/atomic-helper: fix parameter order in drm_format_conv_state_copy() call
    - drm/amdgpu/pm: Remove gpu_od if it's an empty directory
    - drm/amdgpu/umsch: don't execute umsch test when GPU is in reset/suspend
    - drm/amdgpu: Fix leak when GPU memory allocation fails
    - drm/amdkfd: Fix rescheduling of restore worker
    - drm/amdkfd: Fix eviction fence handling
    - irqchip/gic-v3-its: Prevent double free on error
    - ACPI: CPPC: Use access_width over bit_width for system memory accesses
    - ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro
    - ACPI: CPPC: Fix access width used for PCC registers
    - net/mlx5e: Advertise mlx5 ethernet driver updates sk_buff md_dst for MACsec
    - ethernet: Add helper for assigning packet type when dest address does not
      match device address
    - net: b44: set pause params only when interface is up
    - macsec: Enable devices to advertise whether they update sk_buff md_dst
      during offloads
    - macsec: Detect if Rx skb is macsec-related for offloading devices that
      update md_dst
    - stackdepot: respect __GFP_NOLOCKDEP allocation flag
    - fbdev: fix incorrect address computation in deferred IO
    - udp: preserve the connected status if only UDP cmsg
    - mtd: limit OTP NVMEM cell parse to non-NAND devices
    - mtd: diskonchip: work around ubsan link failure
    - firmware: qcom: uefisecapp: Fix memory related IO errors and crashes
    - phy: qcom: qmp-combo: Fix register base for QSERDES_DP_PHY_MODE
    - phy: qcom: qmp-combo: Fix VCO div offset on v3
    - mm: turn folio_test_hugetlb into a PageType
    - mm: zswap: fix shrinker NULL crash with cgroup_disable=memory
    - dmaengine: owl: fix register access functions
    - dmaengine: tegra186: Fix residual calculation
    - idma64: Don't try to serve interrupts when device is powered off
    - soundwire: amd: fix for wake interrupt handling for clockstop mode
    - phy: marvell: a3700-comphy: Fix hardcoded array size
    - phy: freescale: imx8m-pcie: fix pcie link-up instability
    - phy: rockchip-snps-pcie3: fix bifurcation on rk3588
    - phy: rockchip-snps-pcie3: fix clearing PHP_GRF_PCIESEL_CON bits
    - phy: rockchip: naneng-combphy: Fix mux on rk3588
    - phy: qcom: m31: match requested regulator name with dt schema
    - dmaengine: idxd: Convert spinlock to mutex to lock evl workqueue
    - dmaengine: idxd: Fix oops during rmmod on single-CPU platforms
    - riscv: Fix TASK_SIZE on 64-bit NOMMU
    - riscv: Fix loading 64-bit NOMMU kernels past the start of RAM
    - phy: ti: tusb1210: Resolve charger-det crash if charger psy is unregistered
    - dt-bindings: eeprom: at24: Fix ST M24C64-D compatible schema
    - sched/eevdf: Always update V if se->on_rq when reweighting
    - sched/eevdf: Fix miscalculation in reweight_entity() when se is not curr
    - riscv: hwprobe: fix invalid sign extension for RISCV_HWPROBE_EXT_ZVFHMIN
    - RISC-V: selftests: cbo: Ensure asm operands match constraints, take 2
    - phy: qcom: qmp-combo: fix VCO div offset on v5_5nm and v6
    - bounds: Use the right number of bits for power-of-two CONFIG_NR_CPUS
    - Bluetooth: hci_sync: Fix UAF in hci_acl_create_conn_sync
    - Bluetooth: hci_sync: Fix UAF on create_le_conn_complete
    - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
    - Linux 6.8.9
  * amdgpu hangs on DCN 3.5 at bootup: RIP:
    0010:dcn35_clk_mgr_construct+0x183/0x2210 [amdgpu] (LP: #2066233)
    - drm/amd/display: Atom Integrated System Info v2_2 for DCN35
  * [MTL] ACPI: PM: s2idle: Backport Linux ACPI s2idle patches to fix
    suspend/resume issue (LP: #2069231)
    - ACPI: PM: s2idle: Enable Low-Power S0 Idle MSFT UUID for non-AMD systems
    - ACPI: PM: s2idle: Evaluate all Low-Power S0 Idle _DSM functions
  * Removing legacy virtio-pci devices causes kernel panic (LP: #2067862)
    - virtio-pci: Check if is_avq is NULL
  * Mute/mic LEDs no function on ProBook 445/465 G11 (LP: #2069664)
    - ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 445/465 G11.
  * Mute/mic LEDs no function on  ProBook 440/460 G11 (LP: #2067669)
    - ALSA: hda/realtek: fix mute/micmute LEDs don't work for ProBook 440/460 G11.
  * rtw89_8852ce - Lost WIFI connection after suspend  (LP: #2065128)
    - wifi: rtw89: reset AFEDIG register in power off sequence
    - wifi: rtw89: 8852c: refine power sequence to imporve power consumption
  * CVE-2024-25742
    - x86/sev: Harden #VC instruction emulation somewhat
    - x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler
  * Noble update: v6.8.9 upstream stable release (LP: #2070337) //
    CVE-2024-35984
    - i2c: smbus: fix NULL function pointer dereference
  * Noble update: v6.8.9 upstream stable release (LP: #2070337) //
    CVE-2024-35990
    - dma: xilinx_dpdma: Fix locking
  * Noble update: v6.8.9 upstream stable release (LP: #2070337) //
    CVE-2024-35997
    - HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
  * CVE-2024-36016
    - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
  * CVE-2024-36008
    - ipv4: check for NULL idev in ip_route_use_hint()
  * CVE-2024-35992
    - phy: marvell: a3700-comphy: Fix out of bounds read

-- Stefan Bader <stefan.bader@canonical.com>  Tue, 30 Jul 2024 16:33:58 +0200

Changed in linux-hwe-6.8 (Ubuntu Jammy):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

net/sched: Fix conntrack use-after-free

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package