This bug was fixed in the package linux - 5.15.0-125.135 --------------- linux (5.15.0-125.135) jammy; urgency=medium
* jammy/linux: 5.15.0-125.135 -proposed tracker (LP: #2083001) * CVE-2024-26800 - tls: rx: coalesce exit paths in tls_decrypt_sg() - tls: separate no-async decryption request handling from async - tls: fix use-after-free on failed backlog decryption * Please backport the more restrictive XSAVES deactivation for Zen1/2 arch (LP: #2077321) - x86/CPU/AMD: Improve the erratum 1386 workaround * Jammy update: v5.15.167 upstream stable release (LP: #2081279) - drm: panel-orientation-quirks: Add quirk for OrangePi Neo - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown - ALSA: hda/conexant: Mute speakers at suspend / shutdown - i2c: Fix conditional for substituting empty ACPI functions - dma-debug: avoid deadlock between dma debug vs printk and netconsole - net: usb: qmi_wwan: add MeiG Smart SRM825L - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr - drm/amd/display: Assign linear_pitch_alignment even for VM - drm/amdgpu: fix overflowed array index read warning - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr - drm/amd/pm: fix warning using uninitialized value of max_vid_step - drm/amd/pm: fix the Out-of-bounds read warning - drm/amdgpu: fix uninitialized scalar variable warning - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr - drm/amdgpu: avoid reading vf2pf info size from FB - drm/amd/display: Check gpio_id before used as array index - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 - drm/amd/display: Add array index check for hdcp ddc access - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[] - drm/amd/display: Check msg_id before processing transcation - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within dal_gpio_service_create - drm/amd/amdgpu: Check tbo resource pointer - drm/amdgpu/pm: Fix uninitialized variable warning for smu10 - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response - drm/amdgpu: Fix out-of-bounds write warning - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number - drm/amdgpu: fix ucode out-of-bounds read warning - drm/amdgpu: fix mc_data out-of-bounds read warning - drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device - apparmor: fix possible NULL pointer dereference - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy SOCs - drm/amdgpu: fix the waring dereferencing hive - drm/amd/pm: check specific index for aldebaran - drm/amdgpu: the warning dereferencing obj for nbio_v7_4 - drm/amd/pm: check negtive return for table entries - drm/amdgpu: update type of buf size to u32 for eeprom functions - wifi: iwlwifi: remove fw_running op - cpufreq: scmi: Avoid overflow of target_freq in fast switch - PCI: al: Check IORESOURCE_BUS existence during probe - hwspinlock: Introduce hwspin_lock_bust() - RDMA/efa: Properly handle unexpected AQ completions - ionic: fix potential irq name truncation - rcu/nocb: Remove buggy bypass lock contention mitigation - usbip: Don't submit special requests twice - usb: typec: ucsi: Fix null pointer dereference in trace - fsnotify: clear PARENT_WATCHED flags lazily - smack: tcp: ipv4, fix incorrect labeling - drm/meson: plane: Add error handling - drm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ - wifi: cfg80211: make hash table duplicates more survivable - block: remove the blk_flush_integrity call in blk_integrity_unregister - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null - media: uvcvideo: Enforce alignment of frame and interval - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr - virtio_net: Fix napi_skb_cache_put warning - rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow - ext4: reject casefold inode flag without casefold feature - udf: Limit file size to 4TB - ext4: handle redirtying in ext4_bio_write_page() - i2c: Use IS_REACHABLE() for substituting empty ACPI functions - sch/netem: fix use after free in netem_dequeue - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices - ALSA: hda/realtek: add patch for internal mic in Lenovo V145 - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx - ata: libata: Fix memory leak for error path in ata_host_alloc() - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init() - rtmutex: Drop rt_mutex::wait_lock before scheduling - nvme-pci: Add sleep quirk for Samsung 990 Evo - Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE" - Bluetooth: MGMT: Ignore keys being loaded with invalid type - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K - mmc: sdhci-of-aspeed: fix module autoloading - mmc: cqhci: Fix checking of CQHCI_HALT state - fuse: update stats for pages in dropped aux writeback list - fuse: use unsigned type for getxattr/listxattr size truncation - clk: qcom: clk-alpha-pll: Fix the pll post div mask - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open - tracing: Avoid possible softlockup in tracing_iter_reset() - ila: call nf_unregister_net_hooks() sooner - sched: sch_cake: fix bulk flow accounting logic for host fairness - nilfs2: fix missing cleanup on rollforward recovery error - nilfs2: fix state management in error path of log writing function - mptcp: pm: re-using ID of unused flushed subflows - mptcp: pm: only decrement add_addr_accepted for MPJ req - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR - mptcp: pm: fullmesh: select the right ID later - mptcp: constify a bunch of of helpers - mptcp: pm: avoid possible UaF when selecting endp - mptcp: avoid duplicated SUB_CLOSED events - mptcp: close subflow when receiving TCP+FIN - mptcp: pm: ADD_ADDR 0 is not a new address - mptcp: pm: do not remove already closed subflows - mptcp: pm: skip connecting to already established sf - mptcp: pr_debug: add missing \n at the end - mptcp: pm: send ACK on an active subflow - ALSA: hda: Add input value sanity checks to HDMI channel map controls - smack: unix sockets: fix accept()ed socket label - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 - af_unix: Remove put_pid()/put_cred() in copy_peercred(). - iommu: sun50i: clear bypass register - netfilter: nf_conncount: fix wrong variable type - udf: Avoid excessive partition lengths - media: vivid: fix wrong sizeimage value for mplane - leds: spi-byte: Call of_node_put() on error path - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3 - usb: uas: set host status byte on data completion error - drm/amd/display: Check HDCP returned status - media: vivid: don't set HDMI TX controls if there are no HDMI outputs - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse - pcmcia: Use resource_size function on resource object - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6 - can: bcm: Remove proc entry when dev is unregistered. - can: m_can: Release irq on error in m_can_open - igb: Fix not clearing TimeSync interrupts for 82580 - platform/x86: dell-smbios: Fix error path in dell_smbios_init() - tcp_bpf: fix return value of tcp_bpf_sendmsg() - igc: Unlock on error in igc_io_resume() - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset - net: usb: don't write directly to netdev->dev_addr - usbnet: modern method to get random MAC - bareudp: Fix device stats updates. - gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers - gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers - fou: Fix null-ptr-deref in GRO. - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN - net: dsa: vsc73xx: fix possible subblocks range of CAPT block - ASoC: topology: Properly initialize soc_enum values - dm init: Handle minors larger than 255 - iommu/vt-d: Handle volatile descriptor status read - cgroup: Protect css->cgroup write under css_set_lock - um: line: always fill *error_out in setup_one_line() - devres: Initialize an uninitialized struct member - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv - hwmon: (adc128d818) Fix underflows seen when writing limit attributes - hwmon: (lm95234) Fix underflows seen when writing limit attributes - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes - libbpf: Add NULL checks to bpf_object__{prev_map,next_map} - drm/amdgpu: Set no_hw_access when VF request full GPU fails - ext4: fix possible tid_t sequence overflows - dma-mapping: benchmark: Don't starve others when doing the test - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu() - fs/ntfs3: Check more cases when directory is corrupted - btrfs: replace BUG_ON with ASSERT in walk_down_proc() - btrfs: clean up our handling of refs == 0 in snapshot delete - btrfs: replace BUG_ON() with error handling at update_ref_for_cow() - riscv: set trap vector earlier - PCI: Add missing bridge lock to pci_bus_lock() - net: dpaa: avoid on-stack arrays of NR_CPUS elements - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated - btrfs: initialize location to fix -Wmaybe-uninitialized in btrfs_lookup_dentry() - s390/vmlinux.lds.S: Move ro_after_init section behind rodata section - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup - HID: amd_sfh: free driver_data after destroying hid device - Input: uinput - reject requests with unreasonable number of slots - usbnet: ipheth: race between ipheth_close and error handling - Squashfs: sanity check symbolic link size - of/irq: Prevent device address out-of-bounds read in interrupt map walk - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() - MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed - ata: pata_macio: Use WARN instead of BUG - NFSv4: Add missing rescheduling points in nfs_client_return_marked_delegations - cifs: Check the lease context if we actually got a lease - staging: iio: frequency: ad9834: Validate frequency parameter value - iio: buffer-dmaengine: fix releasing dma channel on error - iio: fix scale application in iio_convert_raw_to_processed_unlocked - iio: adc: ad7124: fix config comparison - iio: adc: ad7124: fix chip ID mismatch - usb: dwc3: core: update LC timer as per USB Spec V3.2 - binder: fix UAF caused by offsets overwrite - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic - VMCI: Fix use-after-free when removing resource in vmci_resource_remove() - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime - clocksource/drivers/timer-of: Remove percpu irq related code - uprobes: Use kzalloc to allocate xol area - perf/aux: Fix AUX buffer serialization - ksmbd: unset the binding mark of a reused connection - ksmbd: Unlock on in ksmbd_tcp_set_interfaces() - nilfs2: replace snprintf in show functions with sysfs_emit - nilfs2: protect references to superblock parameters exposed in sysfs - workqueue: wq_watchdog_touch is always called with valid CPU - workqueue: Improve scalability of workqueue watchdog touch - ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add() - ACPI: processor: Fix memory leaks in error paths of processor_add() - arm64: acpi: Move get_cpu_for_acpi_id() to a header - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry - nvmet-tcp: fix kernel crash if commands allocation fails - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused - drm/i915/fence: Mark debug_fence_free() with __maybe_unused - gpio: rockchip: fix OF node leak in probe() - net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation - net: change maximum number of UDP segments to 128 - gso: fix dodgy bit handling for GSO_UDP_L4 - net: drop bad gso csum_start and offset in virtio_net_hdr - x86/mm: Fix PTI for i386 some more - net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket - btrfs: fix race between direct IO write and fsync when using same fd - memcg: protect concurrent access to mem_cgroup_idr - udp: fix receiving fraglist GSO packets - Linux 5.15.167 * CVE-2024-41071 - wifi: mac80211: Avoid address calculations via out of bounds array indexing * CVE-2024-40915 - riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context * CVE-2024-38611 - media: i2c: et8ek8: Don't strip remove function when driver is builtin * CVE-2024-38602 - ax25: Fix reference count leak issues of ax25_dev * CVE-2024-26669 - net/sched: flower: Fix chain template offload * CVE-2024-26607 - drm/bridge: sii902x: Fix probing race issue * Jammy update: v5.15.166 upstream stable release (LP: #2080594) - fuse: Initialize beyond-EOF page contents before setting uptodate - char: xillybus: Don't destroy workqueue from work item running on it - char: xillybus: Refine workqueue handling - char: xillybus: Check USB endpoints when probing device - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET - ALSA: usb-audio: Support Yamaha P-125 quirk entry - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration - thunderbolt: Mark XDomain as unplugged when router is removed - s390/dasd: fix error recovery leading to data corruption on ESE devices - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE - dm resume: don't return EINVAL when signalled - dm persistent data: fix memory allocation failure - vfs: Don't evict inode under the inode lru traversing context - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64() - s390/cio: rename bitmap_size() -> idset_bitmap_size() - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() - bitmap: introduce generic optimized bitmap_size() - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE - selinux: fix potential counting error in avc_add_xperms_decision() - btrfs: tree-checker: add dev extent item checks - drm/amdgpu: Actually check flags for all context ops. - memcg_write_event_control(): fix a user-triggerable oops - drm/amdgpu/jpeg2: properly set atomics vmid field - s390/uv: Panic for set and remove shared access UVC errors - igc: Correct the launchtime offset - igc: remove I226 Qbv BaseTime restriction - igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer - net/mlx5e: Correctly report errors for ethtool rx flows - atm: idt77252: prevent use after free in dequeue_rx() - net: axienet: Fix register defines comment description - net: dsa: vsc73xx: pass value in phy_write operation - net: dsa: vsc73xx: use read_poll_timeout instead delay loop - net: dsa: vsc73xx: check busy flag in MDIO operations - mlxbf_gige: Remove two unused function declarations - mlxbf_gige: disable RX filters until RX path initialized - mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size - netfilter: allow ipv6 fragments to arrive on different devices - netfilter: flowtable: initialise extack before use - netfilter: nf_queue: drop packets with cloned unconfirmed conntracks - net: hns3: fix wrong use of semaphore up - net: hns3: fix a deadlock problem when config TC during resetting - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 - ssb: Fix division by zero issue in ssb_calc_clock_rate - wifi: cfg80211: check wiphy mutex is held for wdev mutex - wifi: mac80211: fix BA session teardown race - wifi: cw1200: Avoid processing an invalid TIM IE - i2c: riic: avoid potential division by zero - RDMA/rtrs: Fix the problem of variable not initialized fully - s390/smp,mcck: fix early IPI handling - i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out - i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer - media: radio-isa: use dev_name to fill in bus_info - staging: iio: resolver: ad2s1210: fix use before initialization - drm/amd/display: Validate hw_points_num before using it - staging: ks7010: disable bh on tx_dev_lock - binfmt_misc: cleanup on filesystem umount - media: qcom: venus: fix incorrect return value - scsi: spi: Fix sshdr use - gfs2: setattr_chown: Add missing initialization - wifi: iwlwifi: abort scan when rfkill on but device enabled - wifi: iwlwifi: fw: Fix debugfs command sending - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock - hwmon: (ltc2992) Avoid division by zero - arm64: Fix KASAN random tag seed initialization - memory: tegra: Skip SID programming if SID registers aren't set - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu - nvmet-trace: avoid dereferencing pointer too early - ext4: do not trim the group with corrupted block bitmap - afs: fix __afs_break_callback() / afs_drop_open_mmap() race - fuse: fix UAF in rcu pathwalks - quota: Remove BUG_ON from dqget() - media: pci: cx23885: check cx23885_vdev_init() return - fs: binfmt_elf_efpic: don't use missing interpreter's properties - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() - media: drivers/media/dvb-core: copy user arrays safely - net/sun3_82586: Avoid reading past buffer in debug output - drm/lima: set gp bus_stop bit before hard reset - virtiofs: forbid newlines in tags - clocksource/drivers/arm_global_timer: Guard against division by zero - netlink: hold nlk->cb_mutex longer in __netlink_dump_start() - md: clean up invalid BUG_ON in md_ioctl - x86: Increase brk randomness entropy for 64-bit systems - memory: stm32-fmc2-ebi: check regmap_read return value - parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 - powerpc/boot: Handle allocation failure in simple_realloc() - powerpc/boot: Only free if realloc() succeeds - btrfs: change BUG_ON to assertion when checking for delayed_node root - btrfs: handle invalid root reference found in may_destroy_subvol() - btrfs: send: handle unexpected data in header buffer in begin_cmd() - btrfs: change BUG_ON to assertion in tree_move_down() - btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() - f2fs: fix to do sanity check in update_sit_entry - usb: gadget: fsl: Increase size of name buffer for endpoints - Bluetooth: bnep: Fix out-of-bound access - net: hns3: add checking for vf id of mailbox - nvmet-tcp: do not continue for invalid icreq - NFS: avoid infinite loop in pnfs_update_layout. - openrisc: Call setup_memory() earlier in the init sequence - s390/iucv: fix receive buffer virtual vs physical address confusion - clocksource: Make watchdog and suspend-timing multiplication overflow safe - platform/x86: lg-laptop: fix %s null argument warning - usb: dwc3: core: Skip setting event buffers for host only controllers - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc - ext4: set the type of max_zeroout to unsigned int to avoid overflow - nvmet-rdma: fix possible bad dereference when freeing rsps - hrtimer: Prevent queuing of hrtimer without a function callback - gtp: pull network headers in gtp_dev_xmit() - block: use "unsigned long" for blk_validate_block_size(). - nfsd: move reply cache initialization into nfsd startup - nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net - NFSD: Refactor nfsd_reply_cache_free_locked() - NFSD: Rename nfsd_reply_cache_alloc() - NFSD: Replace nfsd_prune_bucket() - NFSD: Refactor the duplicate reply cache shrinker - NFSD: Rewrite synopsis of nfsd_percpu_counters_init() - NFSD: Fix frame size warning in svc_export_parse() - sunrpc: don't change ->sv_stats if it doesn't exist - nfsd: stop setting ->pg_stats for unused stats - sunrpc: pass in the sv_stats struct through svc_create_pooled - sunrpc: remove ->pg_stats from svc_program - sunrpc: use the struct net as the svc proc private - nfsd: rename NFSD_NET_* to NFSD_STATS_* - nfsd: expose /proc/net/sunrpc/nfsd in net namespaces - nfsd: make all of the nfsd stats per-network namespace - nfsd: remove nfsd_stats, make th_cnt a global counter - nfsd: make svc_stat per-network namespace instead of global - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) - dm suspend: return -ERESTARTSYS instead of -EINTR - net: mana: Fix doorbell out of order violation and avoid unnecessary doorbell rings - platform/surface: aggregator: Fix warning when controller is destroyed in probe - Bluetooth: hci_core: Fix LE quote calculation - Bluetooth: SMP: Fix assumption of Central always being Initiator - tc-testing: don't access non-existent variable on exception - kcm: Serialise kcm_sendmsg() for the same socket. - netfilter: nft_counter: Disable BH in nft_counter_offload_stats(). - netfilter: nft_counter: Synchronize nft_counter_reset() against reader. - ip6_tunnel: Fix broken GRO - bonding: fix bond_ipsec_offload_ok return type - bonding: fix null pointer deref in bond_ipsec_offload_ok - bonding: fix xfrm real_dev null pointer dereference - bonding: fix xfrm state handling when clearing active slave - ice: fix ICE_LAST_OFFSET formula - dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp() - net: dsa: mv88e6xxx: read FID when handling ATU violations - net: dsa: mv88e6xxx: replace ATU violation prints with trace points - net: dsa: mv88e6xxx: Fix out-of-bound access - ipv6: prevent UAF in ip6_send_skb() - ipv6: fix possible UAF in ip6_finish_output2() - ipv6: prevent possible UAF in ip6_xmit() - netfilter: flowtable: validate vlan header - net: xilinx: axienet: Always disable promiscuous mode - net: xilinx: axienet: Fix dangling multicast addresses - drm/msm/dpu: don't play tricks with debug macros - drm/msm/dp: reset the link phy params before link training - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails - mmc: mmc_test: Fix NULL dereference on allocation failure - Bluetooth: MGMT: Add error handling to pair_device() - scsi: core: Fix the return value of scsi_logical_block_count() - MIPS: Loongson64: Set timer mode in cpu-probe - HID: wacom: Defer calculation of resolution until resolution_code is known - HID: microsoft: Add rumble support to latest xbox controllers - cxgb4: add forgotten u64 ivlan cast before shift - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 - mmc: dw_mmc: allow biu and ciu clocks to defer - Revert "drm/amd/display: Validate hw_points_num before using it" - hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt() - ALSA: timer: Relax start tick time check for slave timer elements - mm/numa: no task_numa_fault() call if PMD is changed - mm/numa: no task_numa_fault() call if PTE is changed - Input: MT - limit max slots - tools: move alignment-related macros to new <linux/align.h> - btrfs: run delayed iputs when flushing delalloc - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins - pinctrl: single: fix potential NULL dereference in pcs_get_function() - wifi: mwifiex: duplicate static structs used in driver instances - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response - mptcp: sched: check both backup in retrans - Revert "MIPS: Loongson64: reset: Prioritise firmware service" - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages - ata: libata-core: Fix null pointer dereference on error - cgroup/cpuset: Prevent UAF in proc_cpuset_show() - net:rds: Fix possible deadlock in rds_message_put - soundwire: stream: fix programming slave ports for non-continous port maps - PM: core: Remove DEFINE_UNIVERSAL_DEV_PM_OPS() macro - PM: core: Add EXPORT[_GPL]_SIMPLE_DEV_PM_OPS macros - PM: runtime: Add DEFINE_RUNTIME_DEV_PM_OPS() macro - phy: xilinx: add runtime PM support - phy: xilinx: phy-zynqmp: dynamic clock support for power-save - phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume - dmaengine: dw: Add peripheral bus width verification - dmaengine: dw: Add memory bus width verification - ethtool: check device is present when getting link settings - gtp: fix a potential NULL pointer dereference - net: busy-poll: use ktime_get_ns() instead of local_clock() - nfc: pn533: Add poll mod list filling check - soc: qcom: cmd-db: Map shared memory as WC, not WB - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller - USB: serial: option: add MeiG Smart SRM825L - usb: dwc3: omap: add missing depopulate in probe error path - usb: dwc3: core: Prevent USB core invalid event buffer address access - usb: dwc3: st: fix probed platform device ref count on probe error path - usb: dwc3: st: add missing depopulate in probe error path - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function - usb: cdnsp: fix for Link TRB with TC - phy: zynqmp: Enable reference clock correctly - igc: Fix reset adapter logics when tx mode change - igc: Fix qbv tx latency by setting gtxoffset - scsi: aacraid: Fix double-free on probe failure - apparmor: fix policy_unpack_test on big endian systems - Linux 5.15.166 * CVE-2024-26893 - firmware: arm_scmi: Fix double free in SMC transport cleanup path * [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer keys - kernel part (LP: #1959940) - s390: uv: Add offset comments to UV query struct and fix naming - s390/uv: Add SE hdr query information - s390/uv: Add dump fields to query - KVM: s390: pv: Add query interface - KVM: s390: pv: Add dump support definitions - KVM: s390: pv: Add query dump information - KVM: s390: Add configuration dump functionality - KVM: s390: Add CPU dump functionality - KVM: s390: Add KVM_CAP_S390_PROTECTED_DUMP - Documentation: KVM: add separate directories for architecture-specific documentation - Documentation: virt: Protected virtual machine dumps - Documentation/virt/kvm/api.rst: Add protvirt dump/info api descriptions - Documentation/virt/kvm/api.rst: Explain rc/rrc delivery * turbostat fails with too many open files on large systems (LP: #2069961) - tools/power turbostat: Increase the limit for fd opened * Jammy update: v5.15.165 upstream stable release (LP: #2078428) - f2fs: fix return value of f2fs_convert_inline_inode() - f2fs: fix to don't dirty inode for readonly filesystem - EDAC, i10nm: make skx_common.o a separate module - platform/chrome: cros_ec_debugfs: fix wrong EC message version - block: refactor to use helper - block: cleanup bio_integrity_prep - block: initialize integrity buffer to zero before writing it to media - hfsplus: fix to avoid false alarm of circular locking - x86/of: Return consistent error type from x86_of_pci_irq_enable() - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling - x86/pci/xen: Fix PCIBIOS_* return code handling - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos - hwmon: (adt7475) Fix default duty on fan is disabled - pwm: stm32: Always do lazy disabling - drm/meson: fix canvas release in bind function - hwmon: (max6697) Fix underflow when writing limit attributes - hwmon: (max6697) Fix swapped temp{1,8} critical alarms - arm64: dts: qcom: sdm845: add power-domain to UFS PHY - arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of bindings - arm64: dts: qcom: sm8250: add power-domain to UFS PHY - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data() callers - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies - memory: fsl_ifc: Make FSL_IFC config visible and selectable - soc: qcom: pdr: protect locator_addr with the main mutex - soc: qcom: pdr: fix parsing of domains lists - arm64: dts: rockchip: Increase VOP clk rate on RK3328 - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset - ARM: dts: imx6qdl-kontron-samx6i: fix board reset - ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity - arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property - arm64: dts: mediatek: mt7622: fix "emmc" pinctrl mux - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625 - arm64: dts: amlogic: gx: correct hdmi clocks - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages - x86/xen: Convert comma to semicolon - m68k: cmpxchg: Fix return value for default case in __arch_xchg() - ARM: pxa: spitz: use gpio descriptors for audio - ARM: spitz: fix GPIO assignment for backlight - vmlinux.lds.h: catch .bss..L* sections into BSS") - firmware: turris-mox-rwtm: Do not complete if there are no waiters - firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout() - firmware: turris-mox-rwtm: Initialize completion before mailbox - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device - selftests/bpf: Fix prog numbers in test_sockmap - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP - tcp: annotate lockless accesses to sk->sk_err_soft - tcp: annotate lockless access to sk->sk_err - tcp: add tcp_done_with_error() helper - tcp: fix race in tcp_write_err() - tcp: fix races in tcp_v[46]_err() - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined - selftests/bpf: Check length of recv in test_sockmap - lib: objagg: Fix general protection fault - mlxsw: spectrum_acl_erp: Fix object nesting warning - mlxsw: spectrum_acl_bloom_filter: Make mlxsw_sp_acl_bf_key_encode() more flexible - mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he() - wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() - net: fec: Refactor: #define magic constants - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down - libbpf: Checking the btf_type kind when fixing variable offsets - ipvs: Avoid unnecessary calls to skb_is_gso_sctp - netfilter: nf_tables: rise cap on SELinux secmark context - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation - perf: Fix perf_aux_size() for greater-than 32-bit size - perf: Prevent passing zero nr_pages to rb_alloc_aux() - perf: Fix default aux_watermark calculation - wifi: virt_wifi: avoid reporting connection success with wrong SSID - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey - wifi: virt_wifi: don't use strlen() in const context - locking/rwsem: Add __always_inline annotation to __down_write_common() and inlined callers - selftests/bpf: Close fd in error path in drop_on_reuseport - bpf: annotate BTF show functions with __printf - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures - bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o - selftests: forwarding: devlink_lib: Wait for udev events after reloading - xdp: fix invalid wait context of page_pool_destroy() - drm/amd/pm: Fix aldebaran pcie speed reporting - drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit - drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before regulators - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare() - media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control() - media: imon: Fix race getting ictx->lock - media: i2c: Fix imx412 exposure control - saa7134: Unchecked i2c_transfer function result fixed - media: uvcvideo: Override default flags - media: renesas: vsp1: Fix _irqsave and _irq mix - media: renesas: vsp1: Store RPF partition configuration per RPF instance - drm/mediatek: Add missing plane settings when async update - drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property - leds: trigger: Unregister sysfs attributes before calling deactivate() - perf report: Fix condition in sort__sym_cmp() - drm/etnaviv: fix DMA direction handling for cached RW buffers - drm/qxl: Add check for drm_cvt_mode - Revert "leds: led-core: Fix refcount leak in of_led_get()" - ext4: fix infinite loop when replaying fast_commit - media: venus: flush all buffers in output plane streamoff - perf intel-pt: Fix aux_watermark calculation for 64-bit size - perf intel-pt: Fix exclude_guest setting - mfd: rsmu: Split core code into separate module - mfd: omap-usb-tll: Use struct_size to allocate tll - xprtrdma: Fix rpcrdma_reqs_reset() - SUNRPC: avoid soft lockup when transmitting UDP to reachable server. - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server - ext4: return early for non-eligible fast_commit track events - ext4: don't track ranges in fast_commit if inode has inlined data - ext4: avoid writing unitialized memory to disk in EA inodes - sparc64: Fix incorrect function signature and add prototype for prom_cif_init - SUNRPC: Fixup gss_status tracepoint error output - PCI: Fix resource double counting on remove & rescan - clk: qcom: branch: Add helper functions for setting retain bits - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock - coresight: Fix ref leak when of_coresight_parse_endpoint() fails - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE - RDMA/cache: Release GID table even if leak is detected - Input: qt1050 - handle CHIP_ID reading error - RDMA/mlx4: Fix truncated output warning in mad.c - RDMA/mlx4: Fix truncated output warning in alias_GUID.c - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs - ASoC: max98088: Check for clk_prepare_enable() error - mtd: make mtd_test.c a separate module - RDMA/device: Return error earlier if port in not valid - Input: elan_i2c - do not leave interrupt disabled on suspend failure - PCI: endpoint: Clean up error handling in vpci_scan_bus() - vhost/vsock: always initialize seqpacket_allow - net: missing check virtio - MIPS: Octeron: remove source file executable bit - powerpc/xmon: Fix disassembly CPU feature checks - macintosh/therm_windtunnel: fix module unload. - RDMA/hns: Fix missing pagesize and alignment check in FRMR - RDMA/hns: Fix undifined behavior caused by invalid max_sge - RDMA/hns: Fix insufficient extend DB for VFs. - bnxt_re: Fix imm_data endianness - netfilter: ctnetlink: use helper function to calculate expect ID - netfilter: nf_set_pipapo: fix initial map fill - net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports - net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports - fs/ntfs3: Use ALIGN kernel macro - fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT - fs/ntfs3: Fix transform resident to nonresident for compressed files - fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting - fs/ntfs3: Fix getting file type - pinctrl: rockchip: update rk3308 iomux routes - pinctrl: core: fix possible memory leak when pinctrl_enable() fails - pinctrl: single: fix possible memory leak when pinctrl_enable() fails - pinctrl: ti: ti-iodelay: Drop if block with always false condition - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails - pinctrl: freescale: mxs: Fix refcount of child - fs/ntfs3: Replace inode_trylock with inode_lock - fs/ntfs3: Fix field-spanning write in INDEX_HDR - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro - rtc: interface: Add RTC offset to alarm after fix-up - fs/ntfs3: Missed error return - landlock: Don't lose track of restrictions on cred_transfer - mm/hugetlb: fix possible recursive locking detected warning - mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer - dt-bindings: thermal: correct thermal zone node name limit - tick/broadcast: Make takeover of broadcast hrtimer reliable - net: netconsole: Disable target before netpoll cleanup - af_packet: Handle outgoing VLAN packets without hardware offloading - ipv6: take care of scope when choosing the src addr - sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE tasks - fuse: verify {g,u}id mount options correctly - char: tpm: Fix possible memory leak in tpm_bios_measurements_open() - media: venus: fix use after free in vdec_close - ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() - ext2: Verify bitmap and itable block numbers before using them - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes - scsi: qla2xxx: Fix optrom version displayed in FDMI - drm/amd/display: Check for NULL pointer - sched/fair: Use all little CPUs for CPU-bound workloads - apparmor: use kvfree_sensitive to free data->data - task_work: s/task_work_cancel()/task_work_cancel_func()/ - task_work: Introduce task_work_cancel() again - udf: Avoid using corrupted block bitmap buffer - m68k: amiga: Turn off Warp1260 interrupts during boot - ext4: check dot and dotdot of dx_root before making dir indexed - ext4: make sure the first directory block is not a hole - io_uring: tighten task exit cancellations - selftests/landlock: Add cred_transfer test - wifi: mwifiex: Fix interface type change - leds: ss4200: Convert PCIBIOS_* return codes to errnos - jbd2: make jbd2_journal_get_max_txn_bufs() internal - media: uvcvideo: Fix integer overflow calculating timestamp - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked() - ALSA: usb-audio: Fix microphone sound on HD webcam. - ALSA: usb-audio: Move HD Webcam quirk to the right place - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera - tools/memory-model: Fix bug in lock.cat - hwrng: amd - Convert PCIBIOS_* return codes to errnos - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN - PCI: dw-rockchip: Fix initial PERST# GPIO value - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio - binder: fix hang of unregistered readers - dev/parport: fix the array out-of-bounds risk - fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use - ubi: eba: properly rollback inside self_check_eba - decompress_bunzip2: fix rare decompression failure - kbuild: Fix '-S -c' in x86 stack protector scripts - kobject_uevent: Fix OOB access within zap_modalias_env() - gve: Fix an edge case for TSO skb validity check - devres: Fix devm_krealloc() wasting memory - devres: Fix memory leakage caused by driver API devm_free_percpu() - mm/numa_balancing: teach mpol_to_str about the balancing mode - rtc: cmos: Fix return value of nvmem callbacks - scsi: qla2xxx: During vport delete send async logout explicitly - scsi: qla2xxx: Unable to act on RSCN for port online - scsi: qla2xxx: Fix for possible memory corruption - scsi: qla2xxx: Use QP lock to search for bsg - scsi: qla2xxx: Fix flash read failure - scsi: qla2xxx: Complete command early within lock - scsi: qla2xxx: validate nvme_local_port correctly - perf: Fix event leak upon exit - perf: Fix event leak upon exec and file release - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR - perf/x86/intel/pt: Fix topa_entry base length - perf/x86/intel/pt: Fix a topa_entry base address calculation - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8 - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell - drm/i915/dp: Reset intel_dp->link_trained before retraining the link - rtc: isl1208: Fix return value of nvmem callbacks - watchdog/perf: properly initialize the turbo mode timestamp and rearm counter - platform: mips: cpu_hwmon: Disable driver on unsupported hardware - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs - selftests/sigaltstack: Fix ppc64 GCC build - rbd: don't assume rbd_is_lock_owner() for exclusive mappings - remoteproc: stm32_rproc: Fix mailbox interrupts queuing - remoteproc: imx_rproc: Skip over memory region when node value is NULL - MIPS: ip30: ip30-console: Add missing include - MIPS: dts: loongson: Fix GMAC phy node - MIPS: Loongson64: env: Hook up Loongsson-2K - MIPS: Loongson64: Remove memory node for builtin-dtb - MIPS: Loongson64: reset: Prioritise firmware service - MIPS: Loongson64: Test register availability before use - drm/panfrost: Mark simple_ondemand governor as softdep - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591 - nilfs2: handle inconsistent state in nilfs_btnode_create_block() - io_uring/io-wq: limit retrying worker initialisation - kernel: rerun task_work while freezing in get_signal() - kdb: address -Wformat-security warnings - kdb: Use the passed prompt in kdb_position_cursor() - jfs: Fix array-index-out-of-bounds in diFree - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels - phy: cadence-torrent: Check return value on register read - um: time-travel: fix time-travel-start option - um: time-travel: fix signal blocking race/hang - libbpf: Fix no-args func prototype BTF dumping syntax - dma: fix call order in dmam_free_coherent - bpf, events: Use prog to emit ksymbol event for main program - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later - ipv4: Fix incorrect source address in Record Route option - net: bonding: correctly annotate RCU in bond_should_notify_peers() - netfilter: nft_set_pipapo_avx2: disable softinterrupts - tipc: Return non-zero value from tipc_udp_addr2str() on error - net: stmmac: Correct byte order of perfect_match - net: nexthop: Initialize all fields in dumped nexthops - bpf: Fix a segment issue when downgrading gso_size - mISDN: Fix a use after free in hfcmulti_tx() - apparmor: Fix null pointer deref when receiving skb during sock creation - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap() - lirc: rc_dev_get_from_fd(): fix file leak - spi: spidev: Make probe to fail early if a spidev compatible is used - spi: spidev: Replace ACPI specific code by device_get_match_data() - spi: spidev: Replace OF specific code by device property API - spidev: Add Silicon Labs EM3581 device compatible - spi: spidev: order compatibles alphabetically - spi: spidev: add correct compatible for Rohm BH2228FV - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable - ceph: fix incorrect kmalloc size of pagevec mempool - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en - nvme: split command copy into a helper - nvme: separate command prep and issue - nvme-pci: add missing condition check for existence of mapped data - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT - powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC - arm64: dts: qcom: msm8996: Move '#clock-cells' to QMP PHY child node - arm64: dts: qcom: msm8998: drop USB PHY clock index - arm64: dts: qcom: msm8998: switch USB QMP PHY to new style of bindings - arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB - arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB - sysctl: always initialize i_uid/i_gid - ext4: make ext4_es_insert_extent() return void - ext4: refactor ext4_da_map_blocks() - ext4: convert to exclusive lock while inserting delalloc extents - ext4: factor out a common helper to query extent map - ext4: check the extent status again before inserting delalloc block - soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver - drivers: soc: xilinx: check return status of get_api_version() - leds: trigger: use RCU to protect the led_cdevs list - leds: trigger: Remove unused function led_trigger_rename_static() - leds: trigger: Store brightness set by led_trigger_event() - leds: trigger: Call synchronize_rcu() before calling trig->activate() - leds: triggers: Flush pending brightness before activating trigger - irqdomain: Fixed unbalanced fwnode get and put - genirq: Allow the PM device to originate from irq domain - irqchip/imx-irqsteer: Constify irq_chip struct - irqchip/imx-irqsteer: Add runtime PM support - irqchip/imx-irqsteer: Handle runtime power management correctly - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init - MIPS: Loongson64: DTS: Add RTC support to Loongson-2K1000 - MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a - MIPS: dts: loongson: Fix liointc IRQ polarity - MIPS: dts: loongson: Fix ls2k1000-rtc interrupt - drm/nouveau: prime: fix refcount underflow - drm/vmwgfx: Fix overlay when using Screen Targets - sched: act_ct: take care of padding in struct zones_ht_key - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode - rtnetlink: enable alt_ifname for setlink/newlink - rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in rtnl_dellink(). - net/iucv: fix use after free in iucv_sock_close() - net: mvpp2: Don't re-use loop iterator - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). - netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init(). - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys - ipv6: fix ndisc_is_useropt() handling for PIO - riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error() - power: supply: bq24190_charger: replace deprecated strncpy with strscpy - platform/chrome: cros_ec_proto: Lock device when updating MKBP version - HID: wacom: Modify pen IDs - protect the fetch of ->fd[fd] in do_dup2() from mispredictions - ALSA: usb-audio: Correct surround channels in UAC1 channel map - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G - Revert "ALSA: firewire-lib: obsolete workqueue for period update" - Revert "ALSA: firewire-lib: operate for period elapse event in process context" - drm/vmwgfx: Fix a deadlock in dma buf fence polling - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY - mptcp: fix duplicate data handling - netfilter: ipset: Add list flush to cancel_gc - genirq: Allow irq_chip registration functions to take a const irq_chip - irqchip/mbigen: Fix mbigen node address layout - x86/mm: Fix pti_clone_pgtable() alignment assumption - x86/mm: Fix pti_clone_entry_text() for i386 - sctp: move hlist_node and hashent out of sctp_ep_common - sctp: Fix null-ptr-deref in reuseport_add_sock(). - net: usb: qmi_wwan: fix memory leak for not ip packets - net: bridge: mcast: wait for previous gc cycles when removing port - net: linkwatch: use system_unbound_wq - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register() - l2tp: fix lockdep splat - net: fec: Stop PPS on driver remove - rcutorture: Fix rcu_torture_fwd_cb_cr() data race - md: do not delete safemode_timer in mddev_suspend - md/raid5: avoid BUG_ON() while continue reshape after reassembling - clocksource/drivers/sh_cmt: Address race condition for clock events - ACPI: battery: create alarm sysfs attribute atomically - ACPI: SBS: manage alarm sysfs attribute through psy core - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT - PCI: Add Edimax Vendor ID to pci_ids.h - udf: prevent integer overflow in udf_bitmap_free_blocks() - wifi: nl80211: don't give key data to userspace - btrfs: fix bitmap leak when loading free space cache on duplicate entry - drm/amdgpu/pm: Fix the null pointer dereference for smu7 - drm/amdgpu: Fix the null pointer dereference to ras_manager - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules - drm/amd/display: Add null checker before passing variables - media: uvcvideo: Ignore empty TS packets - media: uvcvideo: Fix the bandwdith quirk on USB 3.x - ext4: fix uninitialized variable in ext4_inlinedir_to_tree - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer - s390/sclp: Prevent release of buffer in I/O - SUNRPC: Fix a race to wake a sync task - profiling: remove profile=sleep support - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime - ext4: fix wrong unit use in ext4_mb_find_by_goal - arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user- space - arm64: Add Neoverse-V2 part - arm64: barrier: Restore spec_bar() macro - arm64: cputype: Add Cortex-X4 definitions - arm64: cputype: Add Neoverse-V3 definitions - arm64: errata: Add workaround for Arm errata 3194386 and 3312417 - [Config] Set ARM64_ERRATUM_3194386=y - arm64: cputype: Add Cortex-X3 definitions - arm64: cputype: Add Cortex-A720 definitions - arm64: cputype: Add Cortex-X925 definitions - arm64: errata: Unify speculative SSBS errata logic - arm64: errata: Expand speculative SSBS workaround - arm64: cputype: Add Cortex-X1C definitions - arm64: cputype: Add Cortex-A725 definitions - arm64: errata: Expand speculative SSBS workaround (again) - i2c: smbus: Improve handling of stuck alerts - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask - ASoC: codecs: wsa881x: Correct Soundwire ports mask - spi: spidev: Add missing spi_device_id for bh2228fv - i2c: smbus: Send alert notifications to all devices if source not found - bpf: kprobe: remove unused declaring of bpf_kprobe_override - kprobes: Fix to check symbol prefixes correctly - spi: spi-fsl-lpspi: Fix scldiv calculation - ALSA: usb-audio: Re-add ScratchAmp quirk entries - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT - drm/client: fix null pointer dereference in drm_client_modeset_probe - ALSA: line6: Fix racy access to midibuf - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 - usb: vhci-hcd: Do not drop references before new references are gained - USB: serial: debug: do not echo input by default - usb: gadget: core: Check for unset descriptor - usb: gadget: u_serial: Set start_delayed during suspend - scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic - tick/broadcast: Move per CPU pointer access into the atomic section - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler - ntp: Clamp maxerror and esterror to operating range - clocksource: Reduce the default clocksource_watchdog() retries to 2 - torture: Enable clocksource watchdog with "tsc=watchdog" - clocksource: Scale the watchdog read retries automatically - clocksource: Fix brown-bag boolean thinko in cs_watchdog_read() - irqchip/meson-gpio: support more than 8 channels gpio irq - irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to 'raw_spinlock_t' - driver core: Fix uevent_show() vs driver detach race - ntp: Safeguard against time_constant overflow - timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex() - serial: core: check uartclk for zero to avoid divide by zero - kcov: properly check for softirq context - irqchip/xilinx: Fix shift out of bounds - genirq/irqdesc: Honor caller provided affinity in alloc_desc() - power: supply: axp288_charger: Fix constant_charge_voltage writes - power: supply: axp288_charger: Round constant_charge_voltage writes down - tracing: Fix overflow in get_free_elt() - padata: Fix possible divide-by-0 panic in padata_mt_helper() - x86/mtrr: Check if fixed MTRRs exist before saving them - sched/smt: Introduce sched_smt_present_inc/dec() helper - sched/smt: Fix unbalance sched_smt_present dec/inc - drm/bridge: analogix_dp: properly handle zero sized AUX transactions - drm/mgag200: Set DDC timeout in milliseconds - mptcp: sched: check both directions for backup - mptcp: distinguish rcv vs sent backup flag in requests - mptcp: fix NL PM announced address accounting - mptcp: mib: count MPJ with backup flag - mptcp: fix bad RCVPRUNED mib accounting - mptcp: pm: only set request_bkup flag when sending MP_PRIO - mptcp: export local_address - mptcp: pm: fix backup support in signal endpoints - selftests: mptcp: join: validate backup in MPJ - selftests: mptcp: join: check backup support in signal endp - btrfs: fix corruption after buffer fault in during direct IO append write - xfs: fix log recovery buffer allocation for the legacy h_size fixup - btrfs: fix double inode unlock for direct IO sync writes - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal - netfilter: nf_tables: set element extended ACK reporting support - netfilter: nf_tables: bail out if stateful expression provides no .clone - netfilter: nf_tables: allow clone callbacks to sleep - netfilter: nf_tables: prefer nft_chain_validate - net: stmmac: Enable mac_managed_pm phylink config - PCI: dwc: Restore MSI Receiver mask during resume - wifi: mac80211: check basic rates validity - mptcp: fully established after ADD_ADDR echo on MPJ - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. - arm64: dts: qcom: msm8996: correct #clock-cells for QMP PHY nodes - arm64: cpufeature: Fix the visibility of compat hwcaps - exec: Fix ToCToU between perm check and set-uid/gid usage - nvme/pci: Add APST quirk for Lenovo N60z laptop - usb: gadget: u_audio: Check return codes from usb_ep_enable and config_ep_by_speed. - binfmt_flat: Fix corruption when not offsetting data start - wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode - media: Revert "media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()" - Revert "ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error" - Linux 5.15.165 * CVE-2024-26661 - drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' * CVE-2024-25744 - x86: Fix misspelled Kconfig symbols - x86: Introduce ia32_enabled() - x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c - x86/coco: Disable 32-bit emulation by default on TDX and SEV - x86/entry: Convert INT 0x80 emulation to IDTENTRY - x86/entry: Do not allow external 0x80 interrupts - x86/entry: Add do_SYSENTER_32() prototype - x86/bhi: Add support for clearing branch history at syscall entry * [UBUNTU 22.04] s390/cpum_cf: make crypto counters upward compatible (LP: #2074380) - s390/cpum_cf: make crypto counters upward compatible across machine types * Jammy update: v5.15.164 upstream stable release (LP: #2076100) - gcc-plugins: Rename last_stmt() for GCC 14+ - filelock: Remove locks reliably when fcntl/close race is detected - ARM: 9324/1: fix get_user() broken with veneer - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency - scsi: core: Fix a use-after-free - scsi: core: alua: I/O errors for ALUA state transitions - scsi: qedf: Don't process stag work during unload and recovery - scsi: qedf: Wait for stag work during unload - scsi: qedf: Set qed_slowpath_params to zero before use - ACPI: EC: Abort address space access upon error - ACPI: EC: Avoid returning AE_OK on errors in address space handler - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata - wifi: mac80211: handle tasklet frames before stopping - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() - selftests/openat2: Fix build warnings on ppc64 - Input: silead - Always support 10 fingers - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input() - ila: block BH in ila_output() - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process - null_blk: fix validation of block size - kconfig: gconf: give a proper initial state to the Save button - kconfig: remove wrong expr_trans_bool() - fs/file: fix the check in find_next_fd() - mei: demote client disconnect warning on suspend to debug - nvme: avoid double free special payload - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency - ALSA: hda/realtek: Add more codec ID to no shutup pins list - mips: fix compat_sys_lseek syscall - Input: elantech - fix touchpad state on resume for Lenovo N24 - Input: i8042 - add Ayaneo Kun to i8042 quirk table - bytcr_rt5640 : inverse jack detect for Archos 101 cesium - ALSA: dmaengine: Synchronize dma channel after drop() - ASoC: ti: davinci-mcasp: Set min period size using FIFO config - ASoC: ti: omap-hdmi: Fix too long driver name - can: kvaser_usb: fix return value for hif_usb_send_regout - s390/sclp: Fix sclp_init() cleanup on failure - platform/x86: wireless-hotkey: Add support for LG Airplane Button - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling - platform/x86: lg-laptop: Change ACPI device id - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB - btrfs: qgroup: fix quota root leak after quota disable failure - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx - ALSA: dmaengine_pcm: terminate dmaengine before synchronize - net: usb: qmi_wwan: add Telit FN912 compositions - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() - powerpc/pseries: Whitelist dtl slub object for copying to userspace - powerpc/eeh: avoid possible crash when edev->pdev changes - scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed - Bluetooth: hci_core: cancel all works upon hci_unregister_dev() - drm/radeon: check bo_va->bo is non-NULL before using it - fs: better handle deep ancestor chains in is_subdir() - riscv: stacktrace: fix usage of ftrace_graph_ret_addr() - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices - selftests/vDSO: fix clang build errors and warnings - hfsplus: fix uninit-value in copy_name - spi: mux: set ctlr->bits_per_word_mask - tracing: Define the is_signed_type() macro once - minmax: sanity check constant bounds when clamping - minmax: clamp more efficiently by avoiding extra comparison - minmax: fix header inclusions - minmax: allow min()/max()/clamp() if the arguments have the same signedness. - minmax: allow comparisons of 'int' against 'unsigned char/short' - minmax: relax check to allow comparison between unsigned arguments and signed constants - mm/damon/core: merge regions aggressively when max_nr_regions is unmet - wifi: mac80211: disable softirqs for queued frame handling - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() - samples: Add fs error monitoring example - samples: Make fs-monitor depend on libc and headers - docs: Fix formatting of literal sections in fanotify docs - Add gitignore file for samples/fanotify/ subdirectory - net: relax socket state check at accept time. - ocfs2: add bounds checking to ocfs2_check_dir_entry() - jfs: don't walk off the end of ealist - fs/ntfs3: Validate ff offset - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 - arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB - arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused - filelock: Fix fcntl/close race recovery compat path - wifi: rt2x00: use explicitly signed or unsigned types - tun: add missing verification for short frame - tap: add missing verification for short frame - Linux 5.15.164 * Jammy update: v5.15.166 upstream stable release (LP: #2080594) // CVE-2024-45016 - netem: fix return value if duplicate enqueue fails * CVE-2024-38630 - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger * CVE-2024-27397 - netfilter: nf_tables: use timestamp to check for set element timeout -- Stefan Bader <stefan.ba...@canonical.com> Fri, 27 Sep 2024 14:49:00 +0200 ** Changed in: linux (Ubuntu Jammy) Status: Fix Committed => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-25744 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26607 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26661 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26669 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26800 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26893 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-27397 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38602 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38611 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38630 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-40915 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-41071 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-45016 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2080594 Title: Jammy update: v5.15.166 upstream stable release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2080594/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs