This bug was fixed in the package linux - 5.15.0-125.135

---------------
linux (5.15.0-125.135) jammy; urgency=medium

  * jammy/linux: 5.15.0-125.135 -proposed tracker (LP: #2083001)

  * CVE-2024-26800
    - tls: rx: coalesce exit paths in tls_decrypt_sg()
    - tls: separate no-async decryption request handling from async
    - tls: fix use-after-free on failed backlog decryption

  * Please backport the more restrictive XSAVES deactivation for  Zen1/2 arch
    (LP: #2077321)
    - x86/CPU/AMD: Improve the erratum 1386 workaround

  * Jammy update: v5.15.167 upstream stable release (LP: #2081279)
    - drm: panel-orientation-quirks: Add quirk for OrangePi Neo
    - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown
    - ALSA: hda/conexant: Mute speakers at suspend / shutdown
    - i2c: Fix conditional for substituting empty ACPI functions
    - dma-debug: avoid deadlock between dma debug vs printk and netconsole
    - net: usb: qmi_wwan: add MeiG Smart SRM825L
    - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
    - drm/amd/display: Assign linear_pitch_alignment even for VM
    - drm/amdgpu: fix overflowed array index read warning
    - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc
    - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr
    - drm/amd/pm: fix warning using uninitialized value of max_vid_step
    - drm/amd/pm: fix the Out-of-bounds read warning
    - drm/amdgpu: fix uninitialized scalar variable warning
    - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr
    - drm/amdgpu: avoid reading vf2pf info size from FB
    - drm/amd/display: Check gpio_id before used as array index
    - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6
    - drm/amd/display: Add array index check for hdcp ddc access
    - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]
    - drm/amd/display: Check msg_id before processing transcation
    - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within
      dal_gpio_service_create
    - drm/amd/amdgpu: Check tbo resource pointer
    - drm/amdgpu/pm: Fix uninitialized variable warning for smu10
    - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response
    - drm/amdgpu: Fix out-of-bounds write warning
    - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
    - drm/amdgpu: fix ucode out-of-bounds read warning
    - drm/amdgpu: fix mc_data out-of-bounds read warning
    - drm/amdkfd: Reconcile the definition and use of oem_id in struct
      kfd_topology_device
    - apparmor: fix possible NULL pointer dereference
    - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy
      SOCs
    - drm/amdgpu: fix the waring dereferencing hive
    - drm/amd/pm: check specific index for aldebaran
    - drm/amdgpu: the warning dereferencing obj for nbio_v7_4
    - drm/amd/pm: check negtive return for table entries
    - drm/amdgpu: update type of buf size to u32 for eeprom functions
    - wifi: iwlwifi: remove fw_running op
    - cpufreq: scmi: Avoid overflow of target_freq in fast switch
    - PCI: al: Check IORESOURCE_BUS existence during probe
    - hwspinlock: Introduce hwspin_lock_bust()
    - RDMA/efa: Properly handle unexpected AQ completions
    - ionic: fix potential irq name truncation
    - rcu/nocb: Remove buggy bypass lock contention mitigation
    - usbip: Don't submit special requests twice
    - usb: typec: ucsi: Fix null pointer dereference in trace
    - fsnotify: clear PARENT_WATCHED flags lazily
    - smack: tcp: ipv4, fix incorrect labeling
    - drm/meson: plane: Add error handling
    - drm/bridge: tc358767: Check if fully initialized before signalling HPD 
event
      via IRQ
    - wifi: cfg80211: make hash table duplicates more survivable
    - block: remove the blk_flush_integrity call in blk_integrity_unregister
    - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
    - media: uvcvideo: Enforce alignment of frame and interval
    - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
    - virtio_net: Fix napi_skb_cache_put warning
    - rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow
    - ext4: reject casefold inode flag without casefold feature
    - udf: Limit file size to 4TB
    - ext4: handle redirtying in ext4_bio_write_page()
    - i2c: Use IS_REACHABLE() for substituting empty ACPI functions
    - sch/netem: fix use after free in netem_dequeue
    - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
    - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE
    - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is 
missing
    - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius
      devices
    - ALSA: hda/realtek: add patch for internal mic in Lenovo V145
    - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx
    - ata: libata: Fix memory leak for error path in ata_host_alloc()
    - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
    - rtmutex: Drop rt_mutex::wait_lock before scheduling
    - nvme-pci: Add sleep quirk for Samsung 990 Evo
    - Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over 
BREDR/LE"
    - Bluetooth: MGMT: Ignore keys being loaded with invalid type
    - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
    - mmc: sdhci-of-aspeed: fix module autoloading
    - mmc: cqhci: Fix checking of CQHCI_HALT state
    - fuse: update stats for pages in dropped aux writeback list
    - fuse: use unsigned type for getxattr/listxattr size truncation
    - clk: qcom: clk-alpha-pll: Fix the pll post div mask
    - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API
    - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open
    - tracing: Avoid possible softlockup in tracing_iter_reset()
    - ila: call nf_unregister_net_hooks() sooner
    - sched: sch_cake: fix bulk flow accounting logic for host fairness
    - nilfs2: fix missing cleanup on rollforward recovery error
    - nilfs2: fix state management in error path of log writing function
    - mptcp: pm: re-using ID of unused flushed subflows
    - mptcp: pm: only decrement add_addr_accepted for MPJ req
    - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR
    - mptcp: pm: fullmesh: select the right ID later
    - mptcp: constify a bunch of of helpers
    - mptcp: pm: avoid possible UaF when selecting endp
    - mptcp: avoid duplicated SUB_CLOSED events
    - mptcp: close subflow when receiving TCP+FIN
    - mptcp: pm: ADD_ADDR 0 is not a new address
    - mptcp: pm: do not remove already closed subflows
    - mptcp: pm: skip connecting to already established sf
    - mptcp: pr_debug: add missing \n at the end
    - mptcp: pm: send ACK on an active subflow
    - ALSA: hda: Add input value sanity checks to HDMI channel map controls
    - smack: unix sockets: fix accept()ed socket label
    - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
    - af_unix: Remove put_pid()/put_cred() in copy_peercred().
    - iommu: sun50i: clear bypass register
    - netfilter: nf_conncount: fix wrong variable type
    - udf: Avoid excessive partition lengths
    - media: vivid: fix wrong sizeimage value for mplane
    - leds: spi-byte: Call of_node_put() on error path
    - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
    - usb: uas: set host status byte on data completion error
    - drm/amd/display: Check HDCP returned status
    - media: vivid: don't set HDMI TX controls if there are no HDMI outputs
    - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)
    - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
    - pcmcia: Use resource_size function on resource object
    - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6
    - can: bcm: Remove proc entry when dev is unregistered.
    - can: m_can: Release irq on error in m_can_open
    - igb: Fix not clearing TimeSync interrupts for 82580
    - platform/x86: dell-smbios: Fix error path in dell_smbios_init()
    - tcp_bpf: fix return value of tcp_bpf_sendmsg()
    - igc: Unlock on error in igc_io_resume()
    - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset
    - net: usb: don't write directly to netdev->dev_addr
    - usbnet: modern method to get random MAC
    - bareudp: Fix device stats updates.
    - gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers
    - gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers
    - fou: Fix null-ptr-deref in GRO.
    - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
    - net: dsa: vsc73xx: fix possible subblocks range of CAPT block
    - ASoC: topology: Properly initialize soc_enum values
    - dm init: Handle minors larger than 255
    - iommu/vt-d: Handle volatile descriptor status read
    - cgroup: Protect css->cgroup write under css_set_lock
    - um: line: always fill *error_out in setup_one_line()
    - devres: Initialize an uninitialized struct member
    - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
    - hwmon: (adc128d818) Fix underflows seen when writing limit attributes
    - hwmon: (lm95234) Fix underflows seen when writing limit attributes
    - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
    - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
    - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
    - drm/amdgpu: Set no_hw_access when VF request full GPU fails
    - ext4: fix possible tid_t sequence overflows
    - dma-mapping: benchmark: Don't starve others when doing the test
    - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
    - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
    - fs/ntfs3: Check more cases when directory is corrupted
    - btrfs: replace BUG_ON with ASSERT in walk_down_proc()
    - btrfs: clean up our handling of refs == 0 in snapshot delete
    - btrfs: replace BUG_ON() with error handling at update_ref_for_cow()
    - riscv: set trap vector earlier
    - PCI: Add missing bridge lock to pci_bus_lock()
    - net: dpaa: avoid on-stack arrays of NR_CPUS elements
    - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup
    - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated
    - btrfs: initialize location to fix -Wmaybe-uninitialized in
      btrfs_lookup_dentry()
    - s390/vmlinux.lds.S: Move ro_after_init section behind rodata section
    - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
    - HID: amd_sfh: free driver_data after destroying hid device
    - Input: uinput - reject requests with unreasonable number of slots
    - usbnet: ipheth: race between ipheth_close and error handling
    - Squashfs: sanity check symbolic link size
    - of/irq: Prevent device address out-of-bounds read in interrupt map walk
    - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
    - MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed
    - ata: pata_macio: Use WARN instead of BUG
    - NFSv4: Add missing rescheduling points in
      nfs_client_return_marked_delegations
    - cifs: Check the lease context if we actually got a lease
    - staging: iio: frequency: ad9834: Validate frequency parameter value
    - iio: buffer-dmaengine: fix releasing dma channel on error
    - iio: fix scale application in iio_convert_raw_to_processed_unlocked
    - iio: adc: ad7124: fix config comparison
    - iio: adc: ad7124: fix chip ID mismatch
    - usb: dwc3: core: update LC timer as per USB Spec V3.2
    - binder: fix UAF caused by offsets overwrite
    - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
    - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
    - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
    - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
    - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX
    - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime
    - clocksource/drivers/timer-of: Remove percpu irq related code
    - uprobes: Use kzalloc to allocate xol area
    - perf/aux: Fix AUX buffer serialization
    - ksmbd: unset the binding mark of a reused connection
    - ksmbd: Unlock on in ksmbd_tcp_set_interfaces()
    - nilfs2: replace snprintf in show functions with sysfs_emit
    - nilfs2: protect references to superblock parameters exposed in sysfs
    - workqueue: wq_watchdog_touch is always called with valid CPU
    - workqueue: Improve scalability of workqueue watchdog touch
    - ACPI: processor: Return an error if acpi_processor_get_info() fails in
      processor_add()
    - ACPI: processor: Fix memory leaks in error paths of processor_add()
    - arm64: acpi: Move get_cpu_for_acpi_id() to a header
    - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
    - nvmet-tcp: fix kernel crash if commands allocation fails
    - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode
    - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused
    - drm/i915/fence: Mark debug_fence_free() with __maybe_unused
    - gpio: rockchip: fix OF node leak in probe()
    - net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation
    - net: change maximum number of UDP segments to 128
    - gso: fix dodgy bit handling for GSO_UDP_L4
    - net: drop bad gso csum_start and offset in virtio_net_hdr
    - x86/mm: Fix PTI for i386 some more
    - net, sunrpc: Remap EPERM in case of connection failure in
      xs_tcp_setup_socket
    - btrfs: fix race between direct IO write and fsync when using same fd
    - memcg: protect concurrent access to mem_cgroup_idr
    - udp: fix receiving fraglist GSO packets
    - Linux 5.15.167

  * CVE-2024-41071
    - wifi: mac80211: Avoid address calculations via out of bounds array 
indexing

  * CVE-2024-40915
    - riscv: rewrite __kernel_map_pages() to fix sleeping in invalid context

  * CVE-2024-38611
    - media: i2c: et8ek8: Don't strip remove function when driver is builtin

  * CVE-2024-38602
    - ax25: Fix reference count leak issues of ax25_dev

  * CVE-2024-26669
    - net/sched: flower: Fix chain template offload

  * CVE-2024-26607
    - drm/bridge: sii902x: Fix probing race issue

  * Jammy update: v5.15.166 upstream stable release (LP: #2080594)
    - fuse: Initialize beyond-EOF page contents before setting uptodate
    - char: xillybus: Don't destroy workqueue from work item running on it
    - char: xillybus: Refine workqueue handling
    - char: xillybus: Check USB endpoints when probing device
    - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET
    - ALSA: usb-audio: Support Yamaha P-125 quirk entry
    - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
    - thunderbolt: Mark XDomain as unplugged when router is removed
    - s390/dasd: fix error recovery leading to data corruption on ESE devices
    - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to
      NUMA_NO_NODE
    - dm resume: don't return EINVAL when signalled
    - dm persistent data: fix memory allocation failure
    - vfs: Don't evict inode under the inode lru traversing context
    - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()
    - s390/cio: rename bitmap_size() -> idset_bitmap_size()
    - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
    - bitmap: introduce generic optimized bitmap_size()
    - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
    - selinux: fix potential counting error in avc_add_xperms_decision()
    - btrfs: tree-checker: add dev extent item checks
    - drm/amdgpu: Actually check flags for all context ops.
    - memcg_write_event_control(): fix a user-triggerable oops
    - drm/amdgpu/jpeg2: properly set atomics vmid field
    - s390/uv: Panic for set and remove shared access UVC errors
    - igc: Correct the launchtime offset
    - igc: remove I226 Qbv BaseTime restriction
    - igc: Fix packet still tx after gate close by reducing i226 MAC retry 
buffer
    - net/mlx5e: Correctly report errors for ethtool rx flows
    - atm: idt77252: prevent use after free in dequeue_rx()
    - net: axienet: Fix register defines comment description
    - net: dsa: vsc73xx: pass value in phy_write operation
    - net: dsa: vsc73xx: use read_poll_timeout instead delay loop
    - net: dsa: vsc73xx: check busy flag in MDIO operations
    - mlxbf_gige: Remove two unused function declarations
    - mlxbf_gige: disable RX filters until RX path initialized
    - mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size
    - netfilter: allow ipv6 fragments to arrive on different devices
    - netfilter: flowtable: initialise extack before use
    - netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
    - net: hns3: fix wrong use of semaphore up
    - net: hns3: fix a deadlock problem when config TC during resetting
    - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7
    - ssb: Fix division by zero issue in ssb_calc_clock_rate
    - wifi: cfg80211: check wiphy mutex is held for wdev mutex
    - wifi: mac80211: fix BA session teardown race
    - wifi: cw1200: Avoid processing an invalid TIM IE
    - i2c: riic: avoid potential division by zero
    - RDMA/rtrs: Fix the problem of variable not initialized fully
    - s390/smp,mcck: fix early IPI handling
    - i3c: mipi-i3c-hci: Remove BUG() when Ring Abort request times out
    - i3c: mipi-i3c-hci: Do not unmap region not mapped for transfer
    - media: radio-isa: use dev_name to fill in bus_info
    - staging: iio: resolver: ad2s1210: fix use before initialization
    - drm/amd/display: Validate hw_points_num before using it
    - staging: ks7010: disable bh on tx_dev_lock
    - binfmt_misc: cleanup on filesystem umount
    - media: qcom: venus: fix incorrect return value
    - scsi: spi: Fix sshdr use
    - gfs2: setattr_chown: Add missing initialization
    - wifi: iwlwifi: abort scan when rfkill on but device enabled
    - wifi: iwlwifi: fw: Fix debugfs command sending
    - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock
    - hwmon: (ltc2992) Avoid division by zero
    - arm64: Fix KASAN random tag seed initialization
    - memory: tegra: Skip SID programming if SID registers aren't set
    - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu
    - nvmet-trace: avoid dereferencing pointer too early
    - ext4: do not trim the group with corrupted block bitmap
    - afs: fix __afs_break_callback() / afs_drop_open_mmap() race
    - fuse: fix UAF in rcu pathwalks
    - quota: Remove BUG_ON from dqget()
    - media: pci: cx23885: check cx23885_vdev_init() return
    - fs: binfmt_elf_efpic: don't use missing interpreter's properties
    - scsi: lpfc: Initialize status local variable in 
lpfc_sli4_repost_sgl_list()
    - media: drivers/media/dvb-core: copy user arrays safely
    - net/sun3_82586: Avoid reading past buffer in debug output
    - drm/lima: set gp bus_stop bit before hard reset
    - virtiofs: forbid newlines in tags
    - clocksource/drivers/arm_global_timer: Guard against division by zero
    - netlink: hold nlk->cb_mutex longer in __netlink_dump_start()
    - md: clean up invalid BUG_ON in md_ioctl
    - x86: Increase brk randomness entropy for 64-bit systems
    - memory: stm32-fmc2-ebi: check regmap_read return value
    - parisc: Use irq_enter_rcu() to fix warning at 
kernel/context_tracking.c:367
    - powerpc/boot: Handle allocation failure in simple_realloc()
    - powerpc/boot: Only free if realloc() succeeds
    - btrfs: change BUG_ON to assertion when checking for delayed_node root
    - btrfs: handle invalid root reference found in may_destroy_subvol()
    - btrfs: send: handle unexpected data in header buffer in begin_cmd()
    - btrfs: change BUG_ON to assertion in tree_move_down()
    - btrfs: delete pointless BUG_ON check on quota root in
      btrfs_qgroup_account_extent()
    - f2fs: fix to do sanity check in update_sit_entry
    - usb: gadget: fsl: Increase size of name buffer for endpoints
    - Bluetooth: bnep: Fix out-of-bound access
    - net: hns3: add checking for vf id of mailbox
    - nvmet-tcp: do not continue for invalid icreq
    - NFS: avoid infinite loop in pnfs_update_layout.
    - openrisc: Call setup_memory() earlier in the init sequence
    - s390/iucv: fix receive buffer virtual vs physical address confusion
    - clocksource: Make watchdog and suspend-timing multiplication overflow safe
    - platform/x86: lg-laptop: fix %s null argument warning
    - usb: dwc3: core: Skip setting event buffers for host only controllers
    - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
    - ext4: set the type of max_zeroout to unsigned int to avoid overflow
    - nvmet-rdma: fix possible bad dereference when freeing rsps
    - hrtimer: Prevent queuing of hrtimer without a function callback
    - gtp: pull network headers in gtp_dev_xmit()
    - block: use "unsigned long" for blk_validate_block_size().
    - nfsd: move reply cache initialization into nfsd startup
    - nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net
    - NFSD: Refactor nfsd_reply_cache_free_locked()
    - NFSD: Rename nfsd_reply_cache_alloc()
    - NFSD: Replace nfsd_prune_bucket()
    - NFSD: Refactor the duplicate reply cache shrinker
    - NFSD: Rewrite synopsis of nfsd_percpu_counters_init()
    - NFSD: Fix frame size warning in svc_export_parse()
    - sunrpc: don't change ->sv_stats if it doesn't exist
    - nfsd: stop setting ->pg_stats for unused stats
    - sunrpc: pass in the sv_stats struct through svc_create_pooled
    - sunrpc: remove ->pg_stats from svc_program
    - sunrpc: use the struct net as the svc proc private
    - nfsd: rename NFSD_NET_* to NFSD_STATS_*
    - nfsd: expose /proc/net/sunrpc/nfsd in net namespaces
    - nfsd: make all of the nfsd stats per-network namespace
    - nfsd: remove nfsd_stats, make th_cnt a global counter
    - nfsd: make svc_stat per-network namespace instead of global
    - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
    - dm suspend: return -ERESTARTSYS instead of -EINTR
    - net: mana: Fix doorbell out of order violation and avoid unnecessary
      doorbell rings
    - platform/surface: aggregator: Fix warning when controller is destroyed in
      probe
    - Bluetooth: hci_core: Fix LE quote calculation
    - Bluetooth: SMP: Fix assumption of Central always being Initiator
    - tc-testing: don't access non-existent variable on exception
    - kcm: Serialise kcm_sendmsg() for the same socket.
    - netfilter: nft_counter: Disable BH in nft_counter_offload_stats().
    - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
    - ip6_tunnel: Fix broken GRO
    - bonding: fix bond_ipsec_offload_ok return type
    - bonding: fix null pointer deref in bond_ipsec_offload_ok
    - bonding: fix xfrm real_dev null pointer dereference
    - bonding: fix xfrm state handling when clearing active slave
    - ice: fix ICE_LAST_OFFSET formula
    - dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()
    - net: dsa: mv88e6xxx: read FID when handling ATU violations
    - net: dsa: mv88e6xxx: replace ATU violation prints with trace points
    - net: dsa: mv88e6xxx: Fix out-of-bound access
    - ipv6: prevent UAF in ip6_send_skb()
    - ipv6: fix possible UAF in ip6_finish_output2()
    - ipv6: prevent possible UAF in ip6_xmit()
    - netfilter: flowtable: validate vlan header
    - net: xilinx: axienet: Always disable promiscuous mode
    - net: xilinx: axienet: Fix dangling multicast addresses
    - drm/msm/dpu: don't play tricks with debug macros
    - drm/msm/dp: reset the link phy params before link training
    - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails
    - mmc: mmc_test: Fix NULL dereference on allocation failure
    - Bluetooth: MGMT: Add error handling to pair_device()
    - scsi: core: Fix the return value of scsi_logical_block_count()
    - MIPS: Loongson64: Set timer mode in cpu-probe
    - HID: wacom: Defer calculation of resolution until resolution_code is known
    - HID: microsoft: Add rumble support to latest xbox controllers
    - cxgb4: add forgotten u64 ivlan cast before shift
    - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
    - mmc: dw_mmc: allow biu and ciu clocks to defer
    - Revert "drm/amd/display: Validate hw_points_num before using it"
    - hwmon: (ltc2992) Fix memory leak in ltc2992_parse_dt()
    - ALSA: timer: Relax start tick time check for slave timer elements
    - mm/numa: no task_numa_fault() call if PMD is changed
    - mm/numa: no task_numa_fault() call if PTE is changed
    - Input: MT - limit max slots
    - tools: move alignment-related macros to new <linux/align.h>
    - btrfs: run delayed iputs when flushing delalloc
    - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins
    - pinctrl: single: fix potential NULL dereference in pcs_get_function()
    - wifi: mwifiex: duplicate static structs used in driver instances
    - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response
    - mptcp: sched: check both backup in retrans
    - Revert "MIPS: Loongson64: reset: Prioritise firmware service"
    - drm/amdkfd: don't allow mapping the MMIO HDP page with large pages
    - ata: libata-core: Fix null pointer dereference on error
    - cgroup/cpuset: Prevent UAF in proc_cpuset_show()
    - net:rds: Fix possible deadlock in rds_message_put
    - soundwire: stream: fix programming slave ports for non-continous port maps
    - PM: core: Remove DEFINE_UNIVERSAL_DEV_PM_OPS() macro
    - PM: core: Add EXPORT[_GPL]_SIMPLE_DEV_PM_OPS macros
    - PM: runtime: Add DEFINE_RUNTIME_DEV_PM_OPS() macro
    - phy: xilinx: add runtime PM support
    - phy: xilinx: phy-zynqmp: dynamic clock support for power-save
    - phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume
    - dmaengine: dw: Add peripheral bus width verification
    - dmaengine: dw: Add memory bus width verification
    - ethtool: check device is present when getting link settings
    - gtp: fix a potential NULL pointer dereference
    - net: busy-poll: use ktime_get_ns() instead of local_clock()
    - nfc: pn533: Add poll mod list filling check
    - soc: qcom: cmd-db: Map shared memory as WC, not WB
    - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller
    - USB: serial: option: add MeiG Smart SRM825L
    - usb: dwc3: omap: add missing depopulate in probe error path
    - usb: dwc3: core: Prevent USB core invalid event buffer address access
    - usb: dwc3: st: fix probed platform device ref count on probe error path
    - usb: dwc3: st: add missing depopulate in probe error path
    - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in
      remove_power_attributes()
    - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function
    - usb: cdnsp: fix for Link TRB with TC
    - phy: zynqmp: Enable reference clock correctly
    - igc: Fix reset adapter logics when tx mode change
    - igc: Fix qbv tx latency by setting gtxoffset
    - scsi: aacraid: Fix double-free on probe failure
    - apparmor: fix policy_unpack_test on big endian systems
    - Linux 5.15.166

  * CVE-2024-26893
    - firmware: arm_scmi: Fix double free in SMC transport cleanup path

  * [22.10 FEAT] KVM: Secure Execution guest dump encryption with customer keys
    - kernel part (LP: #1959940)
    - s390: uv: Add offset comments to UV query struct and fix naming
    - s390/uv: Add SE hdr query information
    - s390/uv: Add dump fields to query
    - KVM: s390: pv: Add query interface
    - KVM: s390: pv: Add dump support definitions
    - KVM: s390: pv: Add query dump information
    - KVM: s390: Add configuration dump functionality
    - KVM: s390: Add CPU dump functionality
    - KVM: s390: Add KVM_CAP_S390_PROTECTED_DUMP
    - Documentation: KVM: add separate directories for architecture-specific
      documentation
    - Documentation: virt: Protected virtual machine dumps
    - Documentation/virt/kvm/api.rst: Add protvirt dump/info api descriptions
    - Documentation/virt/kvm/api.rst: Explain rc/rrc delivery

  * turbostat fails with too many open files on large systems (LP: #2069961)
    - tools/power turbostat: Increase the limit for fd opened

  * Jammy update: v5.15.165 upstream stable release (LP: #2078428)
    - f2fs: fix return value of f2fs_convert_inline_inode()
    - f2fs: fix to don't dirty inode for readonly filesystem
    - EDAC, i10nm: make skx_common.o a separate module
    - platform/chrome: cros_ec_debugfs: fix wrong EC message version
    - block: refactor to use helper
    - block: cleanup bio_integrity_prep
    - block: initialize integrity buffer to zero before writing it to media
    - hfsplus: fix to avoid false alarm of circular locking
    - x86/of: Return consistent error type from x86_of_pci_irq_enable()
    - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling
    - x86/pci/xen: Fix PCIBIOS_* return code handling
    - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
    - hwmon: (adt7475) Fix default duty on fan is disabled
    - pwm: stm32: Always do lazy disabling
    - drm/meson: fix canvas release in bind function
    - hwmon: (max6697) Fix underflow when writing limit attributes
    - hwmon: (max6697) Fix swapped temp{1,8} critical alarms
    - arm64: dts: qcom: sdm845: add power-domain to UFS PHY
    - arm64: dts: qcom: sm8250: switch UFS QMP PHY to new style of bindings
    - arm64: dts: qcom: sm8250: add power-domain to UFS PHY
    - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data()
      callers
    - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies
    - memory: fsl_ifc: Make FSL_IFC config visible and selectable
    - soc: qcom: pdr: protect locator_addr with the main mutex
    - soc: qcom: pdr: fix parsing of domains lists
    - arm64: dts: rockchip: Increase VOP clk rate on RK3328
    - ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node
    - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset
    - ARM: dts: imx6qdl-kontron-samx6i: fix board reset
    - ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects
    - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity
    - arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property
    - arm64: dts: mediatek: mt7622: fix "emmc" pinctrl mux
    - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625
    - arm64: dts: amlogic: gx: correct hdmi clocks
    - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages
    - x86/xen: Convert comma to semicolon
    - m68k: cmpxchg: Fix return value for default case in __arch_xchg()
    - ARM: pxa: spitz: use gpio descriptors for audio
    - ARM: spitz: fix GPIO assignment for backlight
    - vmlinux.lds.h: catch .bss..L* sections into BSS")
    - firmware: turris-mox-rwtm: Do not complete if there are no waiters
    - firmware: turris-mox-rwtm: Fix checking return value of
      wait_for_completion_timeout()
    - firmware: turris-mox-rwtm: Initialize completion before mailbox
    - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
    - selftests/bpf: Fix prog numbers in test_sockmap
    - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP
    - tcp: annotate lockless accesses to sk->sk_err_soft
    - tcp: annotate lockless access to sk->sk_err
    - tcp: add tcp_done_with_error() helper
    - tcp: fix race in tcp_write_err()
    - tcp: fix races in tcp_v[46]_err()
    - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when
      CONFIG_ARCH_NO_SG_CHAIN is defined
    - selftests/bpf: Check length of recv in test_sockmap
    - lib: objagg: Fix general protection fault
    - mlxsw: spectrum_acl_erp: Fix object nesting warning
    - mlxsw: spectrum_acl_bloom_filter: Make mlxsw_sp_acl_bf_key_encode() more
      flexible
    - mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors
    - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers
    - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
    - wifi: cfg80211: handle 2x996 RU allocation in
      cfg80211_calculate_bitrate_he()
    - net: fec: Refactor: #define magic constants
    - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
    - libbpf: Checking the btf_type kind when fixing variable offsets
    - ipvs: Avoid unnecessary calls to skb_is_gso_sctp
    - netfilter: nf_tables: rise cap on SELinux secmark context
    - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation
    - perf: Fix perf_aux_size() for greater-than 32-bit size
    - perf: Prevent passing zero nr_pages to rb_alloc_aux()
    - perf: Fix default aux_watermark calculation
    - wifi: virt_wifi: avoid reporting connection success with wrong SSID
    - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey
    - wifi: virt_wifi: don't use strlen() in const context
    - locking/rwsem: Add __always_inline annotation to __down_write_common() and
      inlined callers
    - selftests/bpf: Close fd in error path in drop_on_reuseport
    - bpf: annotate BTF show functions with __printf
    - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
    - bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o
    - selftests: forwarding: devlink_lib: Wait for udev events after reloading
    - xdp: fix invalid wait context of page_pool_destroy()
    - drm/amd/pm: Fix aldebaran pcie speed reporting
    - drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit
    - drm/panel: boe-tv101wum-nl6: If prepare fails, disable GPIO before
      regulators
    - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()
    - media: dvb-usb: Fix unexpected infinite loop in
      dvb_usb_read_remote_control()
    - media: imon: Fix race getting ictx->lock
    - media: i2c: Fix imx412 exposure control
    - saa7134: Unchecked i2c_transfer function result fixed
    - media: uvcvideo: Override default flags
    - media: renesas: vsp1: Fix _irqsave and _irq mix
    - media: renesas: vsp1: Store RPF partition configuration per RPF instance
    - drm/mediatek: Add missing plane settings when async update
    - drm/mediatek: Add DRM_MODE_ROTATE_0 to rotation property
    - leds: trigger: Unregister sysfs attributes before calling deactivate()
    - perf report: Fix condition in sort__sym_cmp()
    - drm/etnaviv: fix DMA direction handling for cached RW buffers
    - drm/qxl: Add check for drm_cvt_mode
    - Revert "leds: led-core: Fix refcount leak in of_led_get()"
    - ext4: fix infinite loop when replaying fast_commit
    - media: venus: flush all buffers in output plane streamoff
    - perf intel-pt: Fix aux_watermark calculation for 64-bit size
    - perf intel-pt: Fix exclude_guest setting
    - mfd: rsmu: Split core code into separate module
    - mfd: omap-usb-tll: Use struct_size to allocate tll
    - xprtrdma: Fix rpcrdma_reqs_reset()
    - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.
    - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server
    - ext4: return early for non-eligible fast_commit track events
    - ext4: don't track ranges in fast_commit if inode has inlined data
    - ext4: avoid writing unitialized memory to disk in EA inodes
    - sparc64: Fix incorrect function signature and add prototype for
      prom_cif_init
    - SUNRPC: Fixup gss_status tracepoint error output
    - PCI: Fix resource double counting on remove & rescan
    - clk: qcom: branch: Add helper functions for setting retain bits
    - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock
    - coresight: Fix ref leak when of_coresight_parse_endpoint() fails
    - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE
    - RDMA/cache: Release GID table even if leak is detected
    - Input: qt1050 - handle CHIP_ID reading error
    - RDMA/mlx4: Fix truncated output warning in mad.c
    - RDMA/mlx4: Fix truncated output warning in alias_GUID.c
    - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
    - ASoC: max98088: Check for clk_prepare_enable() error
    - mtd: make mtd_test.c a separate module
    - RDMA/device: Return error earlier if port in not valid
    - Input: elan_i2c - do not leave interrupt disabled on suspend failure
    - PCI: endpoint: Clean up error handling in vpci_scan_bus()
    - vhost/vsock: always initialize seqpacket_allow
    - net: missing check virtio
    - MIPS: Octeron: remove source file executable bit
    - powerpc/xmon: Fix disassembly CPU feature checks
    - macintosh/therm_windtunnel: fix module unload.
    - RDMA/hns: Fix missing pagesize and alignment check in FRMR
    - RDMA/hns: Fix undifined behavior caused by invalid max_sge
    - RDMA/hns: Fix insufficient extend DB for VFs.
    - bnxt_re: Fix imm_data endianness
    - netfilter: ctnetlink: use helper function to calculate expect ID
    - netfilter: nf_set_pipapo: fix initial map fill
    - net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports
    - net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports
    - fs/ntfs3: Use ALIGN kernel macro
    - fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT
    - fs/ntfs3: Fix transform resident to nonresident for compressed files
    - fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting
    - fs/ntfs3: Fix getting file type
    - pinctrl: rockchip: update rk3308 iomux routes
    - pinctrl: core: fix possible memory leak when pinctrl_enable() fails
    - pinctrl: single: fix possible memory leak when pinctrl_enable() fails
    - pinctrl: ti: ti-iodelay: Drop if block with always false condition
    - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()
      fails
    - pinctrl: freescale: mxs: Fix refcount of child
    - fs/ntfs3: Replace inode_trylock with inode_lock
    - fs/ntfs3: Fix field-spanning write in INDEX_HDR
    - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP
    - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
    - rtc: interface: Add RTC offset to alarm after fix-up
    - fs/ntfs3: Missed error return
    - landlock: Don't lose track of restrictions on cred_transfer
    - mm/hugetlb: fix possible recursive locking detected warning
    - mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer
    - dt-bindings: thermal: correct thermal zone node name limit
    - tick/broadcast: Make takeover of broadcast hrtimer reliable
    - net: netconsole: Disable target before netpoll cleanup
    - af_packet: Handle outgoing VLAN packets without hardware offloading
    - ipv6: take care of scope when choosing the src addr
    - sched/fair: set_load_weight() must also call reweight_task() for 
SCHED_IDLE
      tasks
    - fuse: verify {g,u}id mount options correctly
    - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
    - media: venus: fix use after free in vdec_close
    - ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no error
    - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
    - ext2: Verify bitmap and itable block numbers before using them
    - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
    - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
    - scsi: qla2xxx: Fix optrom version displayed in FDMI
    - drm/amd/display: Check for NULL pointer
    - sched/fair: Use all little CPUs for CPU-bound workloads
    - apparmor: use kvfree_sensitive to free data->data
    - task_work: s/task_work_cancel()/task_work_cancel_func()/
    - task_work: Introduce task_work_cancel() again
    - udf: Avoid using corrupted block bitmap buffer
    - m68k: amiga: Turn off Warp1260 interrupts during boot
    - ext4: check dot and dotdot of dx_root before making dir indexed
    - ext4: make sure the first directory block is not a hole
    - io_uring: tighten task exit cancellations
    - selftests/landlock: Add cred_transfer test
    - wifi: mwifiex: Fix interface type change
    - leds: ss4200: Convert PCIBIOS_* return codes to errnos
    - jbd2: make jbd2_journal_get_max_txn_bufs() internal
    - media: uvcvideo: Fix integer overflow calculating timestamp
    - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()
    - ALSA: usb-audio: Fix microphone sound on HD webcam.
    - ALSA: usb-audio: Move HD Webcam quirk to the right place
    - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera
    - tools/memory-model: Fix bug in lock.cat
    - hwrng: amd - Convert PCIBIOS_* return codes to errnos
    - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
    - PCI: dw-rockchip: Fix initial PERST# GPIO value
    - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
    - binder: fix hang of unregistered readers
    - dev/parport: fix the array out-of-bounds risk
    - fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed
    - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
    - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
    - ubi: eba: properly rollback inside self_check_eba
    - decompress_bunzip2: fix rare decompression failure
    - kbuild: Fix '-S -c' in x86 stack protector scripts
    - kobject_uevent: Fix OOB access within zap_modalias_env()
    - gve: Fix an edge case for TSO skb validity check
    - devres: Fix devm_krealloc() wasting memory
    - devres: Fix memory leakage caused by driver API devm_free_percpu()
    - mm/numa_balancing: teach mpol_to_str about the balancing mode
    - rtc: cmos: Fix return value of nvmem callbacks
    - scsi: qla2xxx: During vport delete send async logout explicitly
    - scsi: qla2xxx: Unable to act on RSCN for port online
    - scsi: qla2xxx: Fix for possible memory corruption
    - scsi: qla2xxx: Use QP lock to search for bsg
    - scsi: qla2xxx: Fix flash read failure
    - scsi: qla2xxx: Complete command early within lock
    - scsi: qla2xxx: validate nvme_local_port correctly
    - perf: Fix event leak upon exit
    - perf: Fix event leak upon exec and file release
    - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR
    - perf/x86/intel/pt: Fix topa_entry base length
    - perf/x86/intel/pt: Fix a topa_entry base address calculation
    - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8
    - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell
    - drm/i915/dp: Reset intel_dp->link_trained before retraining the link
    - rtc: isl1208: Fix return value of nvmem callbacks
    - watchdog/perf: properly initialize the turbo mode timestamp and rearm
      counter
    - platform: mips: cpu_hwmon: Disable driver on unsupported hardware
    - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
    - selftests/sigaltstack: Fix ppc64 GCC build
    - rbd: don't assume rbd_is_lock_owner() for exclusive mappings
    - remoteproc: stm32_rproc: Fix mailbox interrupts queuing
    - remoteproc: imx_rproc: Skip over memory region when node value is NULL
    - MIPS: ip30: ip30-console: Add missing include
    - MIPS: dts: loongson: Fix GMAC phy node
    - MIPS: Loongson64: env: Hook up Loongsson-2K
    - MIPS: Loongson64: Remove memory node for builtin-dtb
    - MIPS: Loongson64: reset: Prioritise firmware service
    - MIPS: Loongson64: Test register availability before use
    - drm/panfrost: Mark simple_ondemand governor as softdep
    - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait
    - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings
    - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
    - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
    - nilfs2: handle inconsistent state in nilfs_btnode_create_block()
    - io_uring/io-wq: limit retrying worker initialisation
    - kernel: rerun task_work while freezing in get_signal()
    - kdb: address -Wformat-security warnings
    - kdb: Use the passed prompt in kdb_position_cursor()
    - jfs: Fix array-index-out-of-bounds in diFree
    - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels
    - phy: cadence-torrent: Check return value on register read
    - um: time-travel: fix time-travel-start option
    - um: time-travel: fix signal blocking race/hang
    - libbpf: Fix no-args func prototype BTF dumping syntax
    - dma: fix call order in dmam_free_coherent
    - bpf, events: Use prog to emit ksymbol event for main program
    - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
    - ipv4: Fix incorrect source address in Record Route option
    - net: bonding: correctly annotate RCU in bond_should_notify_peers()
    - netfilter: nft_set_pipapo_avx2: disable softinterrupts
    - tipc: Return non-zero value from tipc_udp_addr2str() on error
    - net: stmmac: Correct byte order of perfect_match
    - net: nexthop: Initialize all fields in dumped nexthops
    - bpf: Fix a segment issue when downgrading gso_size
    - mISDN: Fix a use after free in hfcmulti_tx()
    - apparmor: Fix null pointer deref when receiving skb during sock creation
    - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()
    - lirc: rc_dev_get_from_fd(): fix file leak
    - spi: spidev: Make probe to fail early if a spidev compatible is used
    - spi: spidev: Replace ACPI specific code by device_get_match_data()
    - spi: spidev: Replace OF specific code by device property API
    - spidev: Add Silicon Labs EM3581 device compatible
    - spi: spidev: order compatibles alphabetically
    - spi: spidev: add correct compatible for Rohm BH2228FV
    - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable
    - ceph: fix incorrect kmalloc size of pagevec mempool
    - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en
    - nvme: split command copy into a helper
    - nvme: separate command prep and issue
    - nvme-pci: add missing condition check for existence of mapped data
    - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT
    - powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC
    - arm64: dts: qcom: msm8996: Move '#clock-cells' to QMP PHY child node
    - arm64: dts: qcom: msm8998: drop USB PHY clock index
    - arm64: dts: qcom: msm8998: switch USB QMP PHY to new style of bindings
    - arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB
    - arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB
    - sysctl: always initialize i_uid/i_gid
    - ext4: make ext4_es_insert_extent() return void
    - ext4: refactor ext4_da_map_blocks()
    - ext4: convert to exclusive lock while inserting delalloc extents
    - ext4: factor out a common helper to query extent map
    - ext4: check the extent status again before inserting delalloc block
    - soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver
    - drivers: soc: xilinx: check return status of get_api_version()
    - leds: trigger: use RCU to protect the led_cdevs list
    - leds: trigger: Remove unused function led_trigger_rename_static()
    - leds: trigger: Store brightness set by led_trigger_event()
    - leds: trigger: Call synchronize_rcu() before calling trig->activate()
    - leds: triggers: Flush pending brightness before activating trigger
    - irqdomain: Fixed unbalanced fwnode get and put
    - genirq: Allow the PM device to originate from irq domain
    - irqchip/imx-irqsteer: Constify irq_chip struct
    - irqchip/imx-irqsteer: Add runtime PM support
    - irqchip/imx-irqsteer: Handle runtime power management correctly
    - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume
    - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init
    - MIPS: Loongson64: DTS: Add RTC support to Loongson-2K1000
    - MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a
    - MIPS: dts: loongson: Fix liointc IRQ polarity
    - MIPS: dts: loongson: Fix ls2k1000-rtc interrupt
    - drm/nouveau: prime: fix refcount underflow
    - drm/vmwgfx: Fix overlay when using Screen Targets
    - sched: act_ct: take care of padding in struct zones_ht_key
    - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode
    - rtnetlink: enable alt_ifname for setlink/newlink
    - rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in
      rtnl_dellink().
    - net/iucv: fix use after free in iucv_sock_close()
    - net: mvpp2: Don't re-use loop iterator
    - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().
    - netfilter: iptables: Fix potential null-ptr-deref in
      ip6table_nat_table_init().
    - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
    - ipv6: fix ndisc_is_useropt() handling for PIO
    - riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()
    - power: supply: bq24190_charger: replace deprecated strncpy with strscpy
    - platform/chrome: cros_ec_proto: Lock device when updating MKBP version
    - HID: wacom: Modify pen IDs
    - protect the fetch of ->fd[fd] in do_dup2() from mispredictions
    - ALSA: usb-audio: Correct surround channels in UAC1 channel map
    - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G
    - Revert "ALSA: firewire-lib: obsolete workqueue for period update"
    - Revert "ALSA: firewire-lib: operate for period elapse event in process
      context"
    - drm/vmwgfx: Fix a deadlock in dma buf fence polling
    - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
    - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY
    - mptcp: fix duplicate data handling
    - netfilter: ipset: Add list flush to cancel_gc
    - genirq: Allow irq_chip registration functions to take a const irq_chip
    - irqchip/mbigen: Fix mbigen node address layout
    - x86/mm: Fix pti_clone_pgtable() alignment assumption
    - x86/mm: Fix pti_clone_entry_text() for i386
    - sctp: move hlist_node and hashent out of sctp_ep_common
    - sctp: Fix null-ptr-deref in reuseport_add_sock().
    - net: usb: qmi_wwan: fix memory leak for not ip packets
    - net: bridge: mcast: wait for previous gc cycles when removing port
    - net: linkwatch: use system_unbound_wq
    - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
    - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()
    - l2tp: fix lockdep splat
    - net: fec: Stop PPS on driver remove
    - rcutorture: Fix rcu_torture_fwd_cb_cr() data race
    - md: do not delete safemode_timer in mddev_suspend
    - md/raid5: avoid BUG_ON() while continue reshape after reassembling
    - clocksource/drivers/sh_cmt: Address race condition for clock events
    - ACPI: battery: create alarm sysfs attribute atomically
    - ACPI: SBS: manage alarm sysfs attribute through psy core
    - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT
    - PCI: Add Edimax Vendor ID to pci_ids.h
    - udf: prevent integer overflow in udf_bitmap_free_blocks()
    - wifi: nl80211: don't give key data to userspace
    - btrfs: fix bitmap leak when loading free space cache on duplicate entry
    - drm/amdgpu/pm: Fix the null pointer dereference for smu7
    - drm/amdgpu: Fix the null pointer dereference to ras_manager
    - drm/amdgpu/pm: Fix the null pointer dereference in 
apply_state_adjust_rules
    - drm/amd/display: Add null checker before passing variables
    - media: uvcvideo: Ignore empty TS packets
    - media: uvcvideo: Fix the bandwdith quirk on USB 3.x
    - ext4: fix uninitialized variable in ext4_inlinedir_to_tree
    - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
    - s390/sclp: Prevent release of buffer in I/O
    - SUNRPC: Fix a race to wake a sync task
    - profiling: remove profile=sleep support
    - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
    - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime
    - ext4: fix wrong unit use in ext4_mb_find_by_goal
    - arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-
      space
    - arm64: Add Neoverse-V2 part
    - arm64: barrier: Restore spec_bar() macro
    - arm64: cputype: Add Cortex-X4 definitions
    - arm64: cputype: Add Neoverse-V3 definitions
    - arm64: errata: Add workaround for Arm errata 3194386 and 3312417
    - [Config] Set ARM64_ERRATUM_3194386=y
    - arm64: cputype: Add Cortex-X3 definitions
    - arm64: cputype: Add Cortex-A720 definitions
    - arm64: cputype: Add Cortex-X925 definitions
    - arm64: errata: Unify speculative SSBS errata logic
    - arm64: errata: Expand speculative SSBS workaround
    - arm64: cputype: Add Cortex-X1C definitions
    - arm64: cputype: Add Cortex-A725 definitions
    - arm64: errata: Expand speculative SSBS workaround (again)
    - i2c: smbus: Improve handling of stuck alerts
    - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask
    - ASoC: codecs: wsa881x: Correct Soundwire ports mask
    - spi: spidev: Add missing spi_device_id for bh2228fv
    - i2c: smbus: Send alert notifications to all devices if source not found
    - bpf: kprobe: remove unused declaring of bpf_kprobe_override
    - kprobes: Fix to check symbol prefixes correctly
    - spi: spi-fsl-lpspi: Fix scldiv calculation
    - ALSA: usb-audio: Re-add ScratchAmp quirk entries
    - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT
    - drm/client: fix null pointer dereference in drm_client_modeset_probe
    - ALSA: line6: Fix racy access to midibuf
    - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
    - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
    - usb: vhci-hcd: Do not drop references before new references are gained
    - USB: serial: debug: do not echo input by default
    - usb: gadget: core: Check for unset descriptor
    - usb: gadget: u_serial: Set start_delayed during suspend
    - scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES
    - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
    - tick/broadcast: Move per CPU pointer access into the atomic section
    - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler
    - ntp: Clamp maxerror and esterror to operating range
    - clocksource: Reduce the default clocksource_watchdog() retries to 2
    - torture: Enable clocksource watchdog with "tsc=watchdog"
    - clocksource: Scale the watchdog read retries automatically
    - clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()
    - irqchip/meson-gpio: support more than 8 channels gpio irq
    - irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to
      'raw_spinlock_t'
    - driver core: Fix uevent_show() vs driver detach race
    - ntp: Safeguard against time_constant overflow
    - timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()
    - serial: core: check uartclk for zero to avoid divide by zero
    - kcov: properly check for softirq context
    - irqchip/xilinx: Fix shift out of bounds
    - genirq/irqdesc: Honor caller provided affinity in alloc_desc()
    - power: supply: axp288_charger: Fix constant_charge_voltage writes
    - power: supply: axp288_charger: Round constant_charge_voltage writes down
    - tracing: Fix overflow in get_free_elt()
    - padata: Fix possible divide-by-0 panic in padata_mt_helper()
    - x86/mtrr: Check if fixed MTRRs exist before saving them
    - sched/smt: Introduce sched_smt_present_inc/dec() helper
    - sched/smt: Fix unbalance sched_smt_present dec/inc
    - drm/bridge: analogix_dp: properly handle zero sized AUX transactions
    - drm/mgag200: Set DDC timeout in milliseconds
    - mptcp: sched: check both directions for backup
    - mptcp: distinguish rcv vs sent backup flag in requests
    - mptcp: fix NL PM announced address accounting
    - mptcp: mib: count MPJ with backup flag
    - mptcp: fix bad RCVPRUNED mib accounting
    - mptcp: pm: only set request_bkup flag when sending MP_PRIO
    - mptcp: export local_address
    - mptcp: pm: fix backup support in signal endpoints
    - selftests: mptcp: join: validate backup in MPJ
    - selftests: mptcp: join: check backup support in signal endp
    - btrfs: fix corruption after buffer fault in during direct IO append write
    - xfs: fix log recovery buffer allocation for the legacy h_size fixup
    - btrfs: fix double inode unlock for direct IO sync writes
    - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
    - netfilter: nf_tables: set element extended ACK reporting support
    - netfilter: nf_tables: bail out if stateful expression provides no .clone
    - netfilter: nf_tables: allow clone callbacks to sleep
    - netfilter: nf_tables: prefer nft_chain_validate
    - net: stmmac: Enable mac_managed_pm phylink config
    - PCI: dwc: Restore MSI Receiver mask during resume
    - wifi: mac80211: check basic rates validity
    - mptcp: fully established after ADD_ADDR echo on MPJ
    - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
    - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.
    - arm64: dts: qcom: msm8996: correct #clock-cells for QMP PHY nodes
    - arm64: cpufeature: Fix the visibility of compat hwcaps
    - exec: Fix ToCToU between perm check and set-uid/gid usage
    - nvme/pci: Add APST quirk for Lenovo N60z laptop
    - usb: gadget: u_audio: Check return codes from usb_ep_enable and
      config_ep_by_speed.
    - binfmt_flat: Fix corruption when not offsetting data start
    - wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values
    - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode
    - media: Revert "media: dvb-usb: Fix unexpected infinite loop in
      dvb_usb_read_remote_control()"
    - Revert "ata: libata-scsi: Honor the D_SENSE bit for CK_COND=1 and no 
error"
    - Linux 5.15.165

  * CVE-2024-26661
    - drm/amd/display: Add NULL test for 'timing generator' in 
'dcn21_set_pipe()'

  * CVE-2024-25744
    - x86: Fix misspelled Kconfig symbols
    - x86: Introduce ia32_enabled()
    - x86/sev: Rename mem_encrypt.c to mem_encrypt_amd.c
    - x86/coco: Disable 32-bit emulation by default on TDX and SEV
    - x86/entry: Convert INT 0x80 emulation to IDTENTRY
    - x86/entry: Do not allow external 0x80 interrupts
    - x86/entry: Add do_SYSENTER_32() prototype
    - x86/bhi: Add support for clearing branch history at syscall entry

  * [UBUNTU 22.04] s390/cpum_cf: make crypto counters upward compatible
    (LP: #2074380)
    - s390/cpum_cf: make crypto counters upward compatible across machine types

  * Jammy update: v5.15.164 upstream stable release (LP: #2076100)
    - gcc-plugins: Rename last_stmt() for GCC 14+
    - filelock: Remove locks reliably when fcntl/close race is detected
    - ARM: 9324/1: fix get_user() broken with veneer
    - ACPI: processor_idle: Fix invalid comparison with insertion sort for 
latency
    - scsi: core: Fix a use-after-free
    - scsi: core: alua: I/O errors for ALUA state transitions
    - scsi: qedf: Don't process stag work during unload and recovery
    - scsi: qedf: Wait for stag work during unload
    - scsi: qedf: Set qed_slowpath_params to zero before use
    - ACPI: EC: Abort address space access upon error
    - ACPI: EC: Avoid returning AE_OK on errors in address space handler
    - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah 
CPUs
    - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata
    - wifi: mac80211: handle tasklet frames before stopping
    - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup
    - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd
    - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option
    - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()
    - selftests/openat2: Fix build warnings on ppc64
    - Input: silead - Always support 10 fingers
    - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()
    - ila: block BH in ila_output()
    - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process
    - null_blk: fix validation of block size
    - kconfig: gconf: give a proper initial state to the Save button
    - kconfig: remove wrong expr_trans_bool()
    - fs/file: fix the check in find_next_fd()
    - mei: demote client disconnect warning on suspend to debug
    - nvme: avoid double free special payload
    - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check
    - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()
    - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency
    - ALSA: hda/realtek: Add more codec ID to no shutup pins list
    - mips: fix compat_sys_lseek syscall
    - Input: elantech - fix touchpad state on resume for Lenovo N24
    - Input: i8042 - add Ayaneo Kun to i8042 quirk table
    - bytcr_rt5640 : inverse jack detect for Archos 101 cesium
    - ALSA: dmaengine: Synchronize dma channel after drop()
    - ASoC: ti: davinci-mcasp: Set min period size using FIFO config
    - ASoC: ti: omap-hdmi: Fix too long driver name
    - can: kvaser_usb: fix return value for hif_usb_send_regout
    - s390/sclp: Fix sclp_init() cleanup on failure
    - platform/x86: wireless-hotkey: Add support for LG Airplane Button
    - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling
    - platform/x86: lg-laptop: Change ACPI device id
    - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB
    - btrfs: qgroup: fix quota root leak after quota disable failure
    - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx
    - ALSA: dmaengine_pcm: terminate dmaengine before synchronize
    - net: usb: qmi_wwan: add Telit FN912 compositions
    - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and
      DEV_STATS_ADD()
    - powerpc/pseries: Whitelist dtl slub object for copying to userspace
    - powerpc/eeh: avoid possible crash when edev->pdev changes
    - scsi: libsas: Fix exp-attached device scan after probe failure scanned in
      again after probe failed
    - Bluetooth: hci_core: cancel all works upon hci_unregister_dev()
    - drm/radeon: check bo_va->bo is non-NULL before using it
    - fs: better handle deep ancestor chains in is_subdir()
    - riscv: stacktrace: fix usage of ftrace_graph_ret_addr()
    - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices
    - selftests/vDSO: fix clang build errors and warnings
    - hfsplus: fix uninit-value in copy_name
    - spi: mux: set ctlr->bits_per_word_mask
    - tracing: Define the is_signed_type() macro once
    - minmax: sanity check constant bounds when clamping
    - minmax: clamp more efficiently by avoiding extra comparison
    - minmax: fix header inclusions
    - minmax: allow min()/max()/clamp() if the arguments have the same 
signedness.
    - minmax: allow comparisons of 'int' against 'unsigned char/short'
    - minmax: relax check to allow comparison between unsigned arguments and
      signed constants
    - mm/damon/core: merge regions aggressively when max_nr_regions is unmet
    - wifi: mac80211: disable softirqs for queued frame handling
    - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()
    - samples: Add fs error monitoring example
    - samples: Make fs-monitor depend on libc and headers
    - docs: Fix formatting of literal sections in fanotify docs
    - Add gitignore file for samples/fanotify/ subdirectory
    - net: relax socket state check at accept time.
    - ocfs2: add bounds checking to ocfs2_check_dir_entry()
    - jfs: don't walk off the end of ealist
    - fs/ntfs3: Validate ff offset
    - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400
    - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360
    - arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB
    - arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB
    - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused
    - filelock: Fix fcntl/close race recovery compat path
    - wifi: rt2x00: use explicitly signed or unsigned types
    - tun: add missing verification for short frame
    - tap: add missing verification for short frame
    - Linux 5.15.164

  * Jammy update: v5.15.166 upstream stable release (LP: #2080594) //
    CVE-2024-45016
    - netem: fix return value if duplicate enqueue fails

  * CVE-2024-38630
    - watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

  * CVE-2024-27397
    - netfilter: nf_tables: use timestamp to check for set element timeout

 -- Stefan Bader <stefan.ba...@canonical.com>  Fri, 27 Sep 2024 14:49:00
+0200

** Changed in: linux (Ubuntu Jammy)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-25744

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26607

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26661

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26669

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26800

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26893

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-27397

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38602

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38611

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38630

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-40915

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-41071

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-45016

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2080594

Title:
  Jammy update: v5.15.166 upstream stable release

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2080594/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to