Public bug reported:

    SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

       v5.15.203 upstream stable release
       from git://git.kernel.org/

ARM: clean up the memset64() C wrapper
Revert "UBUNTU: SAUCE: Fix skb_vlan_inet_prepare() usage"
ip6_tunnel: Fix usage of skb_vlan_inet_prepare()
scsi: lpfc: Properly set WC for DPP mapping
scsi: ufs: core: Always initialize the UIC done completion
scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume
ALSA: usb-audio: Cap the packet size pre-calculations
ALSA: usb-audio: Use inclusive terms
btrfs: fix incorrect key offset in error message in check_dev_extent_item()
bpf: Fix stack-out-of-bounds write in devmap
memory: mtk-smi: Convert to platform remove callback returning void
memory: mtk-smi: fix device leak on larb probe
ARM: OMAP2+: add missing of_node_put before break and return
ARM: omap2: Fix reference count leaks in omap_control_init()
scsi: ata: Call scsi_done() directly
ata: libata-scsi: drop DPRINTK calls for cdb translation
ata: libata: remove pointless VPRINTK() calls
ata: libata-scsi: refactor ata_scsi_translate()
drm/tegra: dsi: fix device leak on probe
mfd: qcom-pm8xxx: switch away from using chained IRQ handlers
mfd: qcom-pm8xxx: Convert to platform remove callback returning void
mfd: qcom-pm8xxx: Fix OF populate on driver rebind
mfd: omap-usb-host: Convert to platform remove callback returning void
mfd: omap-usb-host: Fix OF populate on driver rebind
clk: tegra: tegra124-emc: fix device leak on set_rate()
usb: cdns3: remove redundant if branch
usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
usb: cdns3: fix role switching during resume
ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race
ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths
fbcon: Use delayed work for cursor
fbcon: Extract fbcon_open/release helpers
fbcon: move more common code into fb_open()
fbcon: check return value of con2fb_acquire_newinfo()
ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
net: arcnet: com20020-pci: fix support for 2.5Mbit cards
eventpoll: Fix integer overflow in ep_loop_check_proc()
media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
nfc: pn533: properly drop the usb interface reference on disconnect
net: usb: kaweth: validate USB endpoints
net: usb: kalmia: validate USB endpoints
net: usb: pegasus: validate USB endpoints
can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
can: ucan: Fix infinite loop from zero-length messages
can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
x86/efi: defer freeing of boot services memory
platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
platform/x86: dell-wmi: Add audio/mic mute key codes
ALSA: usb-audio: Use correct version for UAC3 header validation
wifi: radiotap: reject radiotap with unknown bits
wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
net/sched: ets: fix divide by zero in the offload path
Squashfs: check metadata block offset is within range
drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
scsi: core: Fix refcount leak for tagset_refcnt
selftests: mptcp: more stable simult_flows tests
platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table
net: dpaa2: replace dpaa2_mac_is_type_fixed() with dpaa2_mac_is_type_phy()
net: dpaa2-switch: assign port_priv->mac after dpaa2_mac_connect() call
net: dpaa2-switch replace direct MAC access with dpaa2_switch_port_has_mac()
net: dpaa2-switch: serialize changes to priv->mac with a mutex
dpaa2-switch: do not clear any interrupts automatically
dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
can: bcm: fix locking for bcm_op runtime updates
can: mcp251x: fix deadlock in error path of mcp251x_open
wifi: wlcore: Fix a locking bug
indirect_call_wrapper: do not reevaluate function pointer
xen/acpi-processor: fix _CST detection using undersized evaluation buffer
ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
amd-xgbe: fix sleep while atomic on suspend/resume
net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
net: nfc: nci: Fix zero-length proprietary notifications
nfc: nci: free skb on nci_transceive early error paths
nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
nfc: rawsock: cancel tx_work before socket teardown
net: stmmac: Fix error handling in VLAN add and delete paths
net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
ACPI: PM: Save NVS memory on Lenovo G70-35
scsi: mpi3mr: Add NULL checks when resetting request and reply queues
unshare: fix unshare_fs() handling
ACPI: OSI: Add DMI quirk for Acer Aspire One D255
scsi: ses: Fix devices attaching to different hosts
ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
x86/CPU: Fix FPDSS on Zen1
ALSA: usb-audio: Check max frame size for implicit feedback mode, too
powerpc/uaccess: Fix inline assembly for clang build on PPC32
remoteproc: sysmon: Correct subsys_name_len type in QMI request
remoteproc: mediatek: Unprepare SCP clock during system suspend
powerpc: 83xx: km83xx: Fix keymile vendor prefix
xprtrdma: Decrement re_receiving on the early exit paths
bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave xmit
ASoC: soc-core: drop delayed_work_pending() check before flush
ASoC: soc-core: accept zero format at snd_soc_runtime_set_dai_fmt()
ASoC: core: Exit all links before removing their components
ASoC: core: Do not call link_exit() on uninitialized rtd objects
ASoC: soc-core: flush delayed work before removing DAIs and widgets
serial: caif: hold tty->link reference in ldisc_open and ser_release
can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
netfilter: x_tables: guard option walkers against 1-byte tail reads
netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
regulator: pca9450: Make IRQ optional
regulator: pca9450: Correct interrupt type
sched: idle: Make skipping governor callbacks more consistent
nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
i40e: fix src IP mask checks and memcpy argument names in cloud filter
e1000/e1000e: Fix leak in DMA error cleanup
ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
ASoC: detect empty DMI strings
octeontx2-af: devlink: fix NIX RAS reporter recovery condition
cgroup: fix race between task migration and iteration
net: usb: lan78xx: fix silent drop of packets with checksum errors
net: usb: lan78xx: skip LTM configuration for LAN7850
usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
usb: xhci: Fix memory leak in xhci_disable_slot()
usb: yurex: fix race in probe
usb: misc: uss720: properly clean up reference in uss720_probe()
usb: core: don't power off roothub PHYs if phy_set_mode() fails
usb: cdc-acm: Restore CAP_BRK functionnality to CH343
USB: usbcore: Introduce usb_bulk_msg_killable()
USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
USB: core: Limit the length of unkillable synchronous timeouts
usb: class: cdc-wdm: fix reordering issue in read code path
usb: renesas_usbhs: fix use-after-free in ISR during device removal
usb: mdc800: handle signal and read racing
usb: image: mdc800: kill download URB on timeout
mm/tracing: rss_stat: ensure curr is false from kthread context
mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
mmc: core: Avoid bitfield RMW for claim/retune flags
tipc: fix divide-by-zero in tipc_sk_filter_connect()
libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
libceph: reject preamble if control segment is empty
libceph: prevent potential out-of-bounds reads in process_message_header()
libceph: Use u32 for non-negative values in ceph_monmap_decode()
libceph: admit message frames only in CEPH_CON_S_OPEN state
ceph: fix i_nlink underrun during async unlink
time: add kernel-doc in time.c
time/jiffies: Mark jiffies_64_to_clock_t() notrace
device property: Allow secondary lookup in fwnode_get_next_child_node()
irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
media: dvb-net: fix OOB access in ULE extension header tables
net: mana: Ring doorbell at 4 CQ wraparounds
ice: fix retry for AQ command 0x06EE
batman-adv: Avoid double-rtnl_lock ELP metric worker
parisc: Increase initial mapping to 64 MB with KALLSYMS
nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
parisc: Fix initial page table creation for boot
net: ncsi: fix skb leak in error paths
net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
drm/amdgpu: Fix use-after-free race in VM acquire
tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
xfs: fix undersized l_iclog_roundoff values
lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
x86/apic: Disable x2apic on resume if the kernel expects so
lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
lib/bootconfig: check bounds before writing in __xbc_open_brace()
btrfs: abort transaction on failure to update root in the received subvol ioctl
iio: dac: ds4424: reject -128 RAW value
iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
iio: potentiometer: mcp4131: fix double application of wiper shift
iio: chemical: bme680: Fix measurement wait duration calculation
iio: gyro: mpu3050-core: fix pm_runtime error handling
iio: gyro: mpu3050-i2c: fix pm_runtime error handling
iio: imu: inv_icm42600: fix odr switch to the same value
i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
bpf: Forget ranges when refining tnum after JSET
l2tp: do not use sock_hold() in pppol2tp_session_get_sock()
io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
driver: iio: add missing checks on iio_info's callback access
sunrpc: fix cache_request leak in cache_release
nvdimm/bus: Fix potential use after free in asynchronous initialization
NFC: nxp-nci: allow GPIOs to sleep
net: macb: fix use-after-free access to PTP clock
Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
mmc: sdhci: fix timing selection for 1-bit bus width
mtd: rawnand: pl353: make sure optimal timings are applied
mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in cadence_nand_init()
mtd: Avoid boot crash in RedBoot partition table parser
iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
serial: 8250_pci: add support for the AX99100
serial: 8250: Fix TX deadlock when using DMA
serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY
serial: uartlite: fix PM runtime usage count underflow on probe
drm/radeon: apply state adjust rules to some additional HAINAN vairants
mm/hugetlb: make detecting shared pte more reliable
mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count
mm/hugetlb: fix hugetlb_pmd_shared()
mm/hugetlb: fix two comments related to huge_pmd_unshare()
mm/rmap: fix two comments related to huge_pmd_unshare()
mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather
net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz
net: Handle napi_schedule() calls from non-interrupt
drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
drm/exynos: vidi: fix to avoid directly dereferencing user pointer
drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free
ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O
ext4: drop extent cache when splitting extent fails
ext4: fix dirtyclusters double decrement on fs shutdown
ksmbd: fix null pointer dereference error in generate_encryptionkey
ext4: always allocate blocks only from groups inode can use
wifi: libertas: fix use-after-free in lbs_free_adapter()
wifi: cfg80211: move scan done work to wiphy work
wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
smb: client: Don't log plaintext credentials in cifs_set_cifscreds
net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
mptcp: pm: avoid sending RM_ADDR over same subflow
pmdomain: bcm: bcm2835-power: Increase ASB control timeout
batman-adv: avoid OGM aggregation when skb tailroom is insufficient
btrfs: tree-checker: fix misleading root drop_level error message
soc: fsl: qbman: fix race condition in qman_destroy_fq
wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
of: Add cleanup.h based auto release via __free(device_node) markings
firmware: arm_scpi: Fix device_node reference leak in probe path
Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
Bluetooth: HIDP: Fix possible UAF
Bluetooth: qca: fix ROM version reading on WCN3998 chips
net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
netfilter: ctnetlink: remove refcounting in expectation dumpers
netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in sip_help_tcp()
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
netfilter: nft_ct: add seqadj extension for natted connections
netfilter: nft_ct: drop pending enqueued packets on removal
netfilter: xt_CT: drop pending enqueued packets on template removal
netfilter: xt_time: use unsigned int for monthday bit shift
netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
net: bcmgenet: increase WoL poll timeout
net: mana: Improve the HWC error handling
net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering teardown
sched: idle: Consolidate the handling of two special cases
PM: runtime: Fix a race condition related to device removal
net/smc: Only save the original clcsock callback functions
net/smc: Fix slab-out-of-bounds issue in fallback
net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
net: usb: aqc111: Do not perform PM inside suspend callback
igc: fix missing update of skb->tail in igc_xmit_frame()
wifi: mac80211: fix NULL deref in mesh_matches_local()
wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom
ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
net: macb: fix uninitialized rx_fs_lock
udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
net: bonding: fix NULL deref in bond_debug_rlb_hash_show
nfnetlink_osf: validate individual option lengths in fingerprints
net: mvpp2: guard flow control update with global_tx_fc in buffer switching
net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
icmp: fix NULL pointer dereference in icmp_tag_validation()
hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit()
i2c: fsi: Fix a potential leak in fsi_i2c_probe()
mtd: rawnand: serialize lock/unlock against other NAND operations
mtd: rawnand: brcmnand: skip DMA during panic write
ksmbd: fix use-after-free of share_conf in compound request
drm/i915/gt: Check set_default_submission() before deferencing
lib/bootconfig: check xbc_init_node() return in override path
tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
xen/privcmd: restrict usage in unprivileged domU
xen/privcmd: add boot control for restricted usage in domU
sh: platform_early: remove pdev->driver_override check
bpf: Release module BTF IDR before module unload
HID: asus: avoid memory leak in asus_report_fixup()
platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list
nvme-pci: cap queue creation to used queues
platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1
platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on SUPI S10
nvme-pci: ensure we're polling a polled queue
HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2
HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
net: usb: r8152: add TRENDnet TUC-ET2G
HID: mcp2221: cancel last I2C command on read error
module: Fix kernel panic when a symbol st_shndx is out of bounds
ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg()
ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits()
dma-buf: Include ioctl.h in UAPI header
ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
xfrm: call xdo_dev_state_delete during state update
xfrm: Fix the usage of skb->sk
esp: fix skb leak with espintcp and async crypto
af_key: validate families in pfkey_send_migrate()
can: statistics: add missing atomic access in hot path
Bluetooth: L2CAP: Validate PDU length before reading SDU length in l2cap_ecred_data_rcv()
Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold
Bluetooth: hci_ll: Fix firmware leak on error path
Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
pinctrl: mediatek: common: Fix probe failure for devices without EINT
ionic: fix persistent MAC address override on PF
nfc: nci: fix circular locking dependency in nci_close_device
net: openvswitch: Avoid releasing netdev before teardown completes
openvswitch: validate MPLS set/set_masked payload length
net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe buffer
rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size
platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen
net: enetc: fix the output issue of 'ethtool --show-ring'
dma-mapping: add missing `inline` for `dma_free_attrs`
Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
Bluetooth: btusb: clamp SCO altsetting table indices
netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
netlink: introduce NLA_POLICY_MAX_BE
netfilter: nft_payload: reject out-of-range attributes via policy
netlink: hide validation union fields from kdoc
netlink: introduce bigendian integer types
netlink: allow be16 and be32 types in all uint policy checks
netfilter: ctnetlink: use netlink policy range checks
net: macb: use the current queue number for stats
regmap: Synchronize cache for the page selector
RDMA/rw: Fall back to direct SGE on MR pool exhaustion
RDMA/irdma: Update ibqp state to error if QP is already in error state
RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce()
RDMA/irdma: Clean up unnecessary dereference of event->cm_node
RDMA/irdma: Remove reset check from irdma_modify_qp_to_err()
RDMA/irdma: Fix deadlock during netdev reset with active connections
RDMA/irdma: Return EINVAL for invalid arp index error
scsi: scsi_transport_sas: Fix the maximum channel scanning issue
x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size
drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
ASoC: Intel: catpt: Fix the device initialization
ACPICA: include/acpi/acpixf.h: Fix indentation
ACPICA: Allow address_space_handler Install and _REG execution as 2 separate steps
ACPI: EC: Fix EC address space handler unregistration
ACPI: EC: Fix ECDT probe ordering issues
hwmon: (adm1177) fix sysfs ABI violation and current unit conversion
sysctl: fix uninitialized variable in proc_do_large_bitmap
ASoC: adau1372: Fix unchecked clk_prepare_enable() return value
ASoC: adau1372: Fix clock leak on PLL lock failure
spi: spi-fsl-lpspi: fix teardown order issue (UAF)
s390/syscalls: Add spectre boundary for syscall dispatch table
s390/barrier: Make array_index_mask_nospec() __always_inline
can: gw: fix OOB heap access in cgw_csum_crc8_rel()
cpufreq: conservative: Reset requested_freq on limits change
media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and napi_tx is false
erofs: add GFP_NOIO in the bio completion if needed
alarmtimer: Fix argument order in alarm_timer_forward()
scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
scsi: ses: Handle positive SCSI error from ses_recv_diag()
jbd2: gracefully abort on checkpointing state corruptions
xfs: stop reclaim before pushing AIL during unmount
ext4: convert inline data to extents when truncate exceeds inline size
ext4: make recently_deleted() properly work with lazy itable initialization
ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
ext4: reject mount if bigalloc with s_first_data_block != 0
ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
ext4: always drain queued discard work in ext4_mb_release()
phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types()
dmaengine: xilinx: xilinx_dma: Fix dma_device directions
dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA
dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction
btrfs: fix super block offset in error message in btrfs_validate_super()
btrfs: fix lost error when running device stats on multiple devices fs
dmaengine: idxd: Remove usage of the deprecated ida_simple_xx() API
dmaengine: idxd: Fix freeing the allocated ida too late
dmaengine: xilinx_dma: Program interrupt delay timeout
dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA
futex: Clear stale exiting pointer in futex_lock_pi() retry path
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
atm: lec: fix use-after-free in sock_def_readable()
btrfs: don't take device_list_mutex when querying zone info
objtool: Fix Clang jump table detection
HID: multitouch: Check to ensure report responses match the request
btrfs: reject root items with drop_progress and zero drop_level
dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix common property warning
crypto: af-alg - fix NULL pointer dereference in scatterwalk
net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak
tg3: Fix race for querying speed/duplex
ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
bridge: br_nd_send: linearize skb before parsing ND options
net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
ipv6: prevent possible UaF in addrconf_permanent_addr()
net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak
NFC: pn533: bound the UART receive buffer
net: xilinx: axienet: Correct BD length masks to match AXIDMA IP spec
bpf: Fix regsafe() for pointers to packet
net: ipv6: flowlabel: defer exclusive option free until RCU teardown
netfilter: flowtable: strictly check for maximum number of actions
netfilter: nfnetlink_log: account for netlink header size
netfilter: x_tables: ensure names are nul-terminated
netfilter: ipset: use nla_strcmp for IPSET_ATTR_NAME attr
netfilter: nf_conntrack_helper: pass helper to expect cleanup
netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
netfilter: nf_tables: reject immediate NF_QUEUE verdict
Bluetooth: MGMT: validate LTK enc_size on load
rds: ib: reject FRMR registration before IB connection is established
net: macb: fix clk handling on PCI glue driver removal
net: macb: properly unregister fixed rate clocks
net/mlx5: Avoid "No data available" when FW version queries fail
net/x25: Fix potential double free of skb
net/x25: Fix overflow when accumulating packets
net/sched: cls_fw: fix NULL pointer dereference on shared blocks
net/sched: cls_flow: fix NULL pointer dereference on shared blocks
net: hsr: fix VLAN add unwind on slave errors
ipv6: avoid overflows in ip6_datagram_send_ctl()
bpf: reject direct access to nullable PTR_TO_BUF pointers
hwmon: (pxe1610) Check return value of page-select write in probe
hwmon: (tps53679) Fix device ID comparison and printing in tps53676_identify()
hwmon: (occ) Fix missing newline in occ_show_extended()
riscv: kgdb: fix several debug register assignment bugs
drm/ioc32: stop speculation on the drm_compat_ioctl path
wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
USB: serial: option: add MeiG Smart SRM825WN
ALSA: caiaq: fix stack out-of-bounds read in init_card
ALSA: ctxfi: Fix missing SPDIFI1 index handling
Bluetooth: SMP: derive legacy responder STK authentication from MITM state
Bluetooth: SMP: force responder MITM requirements before building the pairing response
MIPS: Fix the GCC version check for `__multi3' workaround
hwmon: (occ) Fix division by zero in occ_show_power_1()
drm/ast: dp501: Fix initialization of SCU2C
USB: serial: io_edgeport: add support for Blackbox IC135A
USB: serial: option: add support for Rolling Wireless RW135R-GL
USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam
Input: synaptics-rmi4 - fix a locking bug in an error path
Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042 quirk table
Input: xpad - add support for Razer Wolverine V3 Pro
iio: dac: ad5770r: fix error return in ad5770r_read_raw()
iio: light: vcnl4035: fix scan buffer on big-endian
iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only
iio: gyro: mpu3050: Fix incorrect free_irq() variable
iio: gyro: mpu3050: Fix irq resource leak
iio: gyro: mpu3050: Move iio_device_register() to correct location
iio: gyro: mpu3050: Fix out-of-sequence free_irq()
usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive
usb: ulpi: fix double free in ulpi_register_interface() error path
usb: usbtmc: Flush anchored URBs in usbtmc_release
usb: ehci-brcm: fix sleep during atomic
usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
usb: cdns3: gadget: fix state inconsistency on gadget init failure
nvmet-tcp: fix use-before-check of sg in bounds validation
phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind
phy: renesas: rcar-gen3-usb2: Move IRQ request in probe
phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data
phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off
bridge: br_nd_send: validate ND option lengths
cdc-acm: new quirk for EPSON HMD
comedi: dt2815: add hardware detection to prevent crash
comedi: Reinit dev->spinlock between attachments to low-level drivers
comedi: ni_atmio16d: Fix invalid clean-up after failed attach
comedi: me_daq: Fix potential overrun of firmware buffer
comedi: me4000: Fix potential overrun of firmware buffer
vxlan: validate ND option lengths in vxlan_na_create
net: ftgmac100: fix ring allocation unwind on open failure
thunderbolt: Fix property read in nhi_wake_supported()
USB: dummy-hcd: Fix locking/synchronization error
USB: dummy-hcd: Fix interrupt synchronization error
usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows partial transfer
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error
can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
fbcon: Set fb_display[i]->mode to NULL when the mode is released
net: mctp: Don't access ifa_index when missing
smb: client: Fix refcount leak for cifs_sb_tlink
staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
usb: gadget: f_rndis: Protect RNDIS options with mutex
usb: gadget: f_uac1_legacy: validate control request size
io_uring/tctx: work around xa_store() allocation error issue
wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
lib/crypto: chacha: Zeroize permuted_state before it leaves scope
wifi: rt2x00usb: fix devres lifetime
xfrm_user: fix info leak in build_report()
mptcp: fix slab-use-after-free in __inet_lookup_established
Input: uinput - fix circular locking dependency with ff-core
Input: uinput - take event lock when submitting FF request "event"
media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
media: uvcvideo: Use heuristic to find stream entity
gpiolib: cdev: fix uninitialised kfifo
iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer
netfilter: nft_ct: fix use-after-free in timeout object destroy
tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
wifi: brcmsmac: Fix dma_free_coherent() size
arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity
arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges
nfc: pn533: allocate rx skb before consuming bytes
batman-adv: reject oversized global TT response buffers
net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
mmc: vub300: fix NULL-deref on disconnect
net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure
net: stmmac: fix integer underflow in chain mode
rxrpc: fix reference count leak in rxrpc_server_keyring()
rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
netlink: add nla be16/32 types to minlen array
xen/privcmd: unregister xenstore notifier on module exit
Revert "mptcp: add needs_id for netlink appending addr"
seg6: separate dst_cache for input and output paths in seg6 lwtunnel
net: rfkill: prevent unlimited numbers of rfkill events from being created
usb: gadget: f_hid: move list and spinlock inits from bind to alloc
usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
usb: gadget: uvc: fix NULL pointer dereference during unbind race
ext4: publish jinode after initialization
ext4: fix the might_sleep() warnings in kvfree()
ext4: fix use-after-free in update_super_work when racing with umount
xfs: save ailp before dropping the AIL lock in push callbacks
dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock
dmaengine: sh: rz-dmac: Protect the driver specific lists
KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
net: macb: Move devm_{free,request}_irq() out of spin lock area
scsi: target: tcm_loop: Drain commands in target_reset handler
mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling()
tracing: Fix potential deadlock in cpu hotplug with osnoise
ksmbd: fix potencial OOB in get_file_all_info() for compound requests
ksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
i2c: cp2615: replace deprecated strncpy with strscpy
i2c: cp2615: fix serial string NULL-deref at probe
Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
ksmbd: Fix refcount leak when invalid session is found on session lookup
ksmbd: Fix dangling pointer in krb_authenticate
io_uring/poll: correctly handle io_poll_add() return value on update
Linux 5.15.203
UBUNTU: Upstream stable to v5.15.203

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Affects: linux (Ubuntu Jammy)
     Importance: Medium
     Assignee: Noah Wager (nwager)
         Status: In Progress


** Tags: kernel-stable-tracking-bug

** Changed in: linux (Ubuntu)
       Status: New => Confirmed

** Also affects: linux (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
       Status: Confirmed => Invalid

** Changed in: linux (Ubuntu Jammy)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: linux (Ubuntu Jammy)
     Assignee: (unassigned) => Noah Wager (nwager)

** Description changed:

  
      SRU Justification
  
      Impact:
         The upstream process for stable tree updates is quite similar
         in scope to the Ubuntu SRU process, e.g., each patch has to
         demonstrably fix a bug, and each patch is vetted by upstream
         by originating either directly from a mainline/stable Linux tree or
         a minimally backported form of that patch. The following upstream
         stable patches should be included in the Ubuntu kernel:
  
         v5.15.203 upstream stable release
         from git://git.kernel.org/
  
-             
+ ARM: clean up the memset64() C wrapper
+ Revert "UBUNTU: SAUCE: Fix skb_vlan_inet_prepare() usage"
+ ip6_tunnel: Fix usage of skb_vlan_inet_prepare()
+ scsi: lpfc: Properly set WC for DPP mapping
+ scsi: ufs: core: Always initialize the UIC done completion
+ scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume
+ ALSA: usb-audio: Cap the packet size pre-calculations
+ ALSA: usb-audio: Use inclusive terms
+ btrfs: fix incorrect key offset in error message in check_dev_extent_item()
+ bpf: Fix stack-out-of-bounds write in devmap
+ memory: mtk-smi: Convert to platform remove callback returning void
+ memory: mtk-smi: fix device leak on larb probe
+ ARM: OMAP2+: add missing of_node_put before break and return
+ ARM: omap2: Fix reference count leaks in omap_control_init()
+ scsi: ata: Call scsi_done() directly
+ ata: libata-scsi: drop DPRINTK calls for cdb translation
+ ata: libata: remove pointless VPRINTK() calls
+ ata: libata-scsi: refactor ata_scsi_translate()
+ drm/tegra: dsi: fix device leak on probe
+ mfd: qcom-pm8xxx: switch away from using chained IRQ handlers
+ mfd: qcom-pm8xxx: Convert to platform remove callback returning void
+ mfd: qcom-pm8xxx: Fix OF populate on driver rebind
+ mfd: omap-usb-host: Convert to platform remove callback returning void
+ mfd: omap-usb-host: Fix OF populate on driver rebind
+ clk: tegra: tegra124-emc: fix device leak on set_rate()
+ usb: cdns3: remove redundant if branch
+ usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
+ usb: cdns3: fix role switching during resume
+ ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
+ hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced 
race
+ ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths
+ fbcon: Use delayed work for cursor
+ fbcon: Extract fbcon_open/release helpers
+ fbcon: move more common code into fb_open()
+ fbcon: check return value of con2fb_acquire_newinfo()
+ ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
+ net: arcnet: com20020-pci: fix support for 2.5Mbit cards
+ eventpoll: Fix integer overflow in ep_loop_check_proc()
+ media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
+ nfc: pn533: properly drop the usb interface reference on disconnect
+ net: usb: kaweth: validate USB endpoints
+ net: usb: kalmia: validate USB endpoints
+ net: usb: pegasus: validate USB endpoints
+ can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a 
message
+ can: ucan: Fix infinite loop from zero-length messages
+ can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
+ HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
+ x86/efi: defer freeing of boot services memory
+ platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
+ platform/x86: dell-wmi: Add audio/mic mute key codes
+ ALSA: usb-audio: Use correct version for UAC3 header validation
+ wifi: radiotap: reject radiotap with unknown bits
+ wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
+ IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
+ net/sched: ets: fix divide by zero in the offload path
+ Squashfs: check metadata block offset is within range
+ drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
+ scsi: core: Fix refcount leak for tagset_refcnt
+ selftests: mptcp: more stable simult_flows tests
+ platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
+ net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in 
ALE table
+ net: dpaa2: replace dpaa2_mac_is_type_fixed() with dpaa2_mac_is_type_phy()
+ net: dpaa2-switch: assign port_priv->mac after dpaa2_mac_connect() call
+ net: dpaa2-switch replace direct MAC access with dpaa2_switch_port_has_mac()
+ net: dpaa2-switch: serialize changes to priv->mac with a mutex
+ dpaa2-switch: do not clear any interrupts automatically
+ dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
+ atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
+ can: bcm: fix locking for bcm_op runtime updates
+ can: mcp251x: fix deadlock in error path of mcp251x_open
+ wifi: wlcore: Fix a locking bug
+ indirect_call_wrapper: do not reevaluate function pointer
+ xen/acpi-processor: fix _CST detection using undersized evaluation buffer
+ ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
+ amd-xgbe: fix sleep while atomic on suspend/resume
+ net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
+ net: nfc: nci: Fix zero-length proprietary notifications
+ nfc: nci: free skb on nci_transceive early error paths
+ nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
+ nfc: rawsock: cancel tx_work before socket teardown
+ net: stmmac: Fix error handling in VLAN add and delete paths
+ net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
+ net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
+ net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
+ net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared 
blocks
+ scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
+ ACPI: PM: Save NVS memory on Lenovo G70-35
+ scsi: mpi3mr: Add NULL checks when resetting request and reply queues
+ unshare: fix unshare_fs() handling
+ ACPI: OSI: Add DMI quirk for Acer Aspire One D255
+ scsi: ses: Fix devices attaching to different hosts
+ ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
+ x86/CPU: Fix FPDSS on Zen1
+ ALSA: usb-audio: Check max frame size for implicit feedback mode, too
+ powerpc/uaccess: Fix inline assembly for clang build on PPC32
+ remoteproc: sysmon: Correct subsys_name_len type in QMI request
+ remoteproc: mediatek: Unprepare SCP clock during system suspend
+ powerpc: 83xx: km83xx: Fix keymile vendor prefix
+ xprtrdma: Decrement re_receiving on the early exit paths
+ bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
+ net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
+ net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave 
xmit
+ ASoC: soc-core: drop delayed_work_pending() check before flush
+ ASoC: soc-core: accept zero format at snd_soc_runtime_set_dai_fmt()
+ ASoC: core: Exit all links before removing their components
+ ASoC: core: Do not call link_exit() on uninitialized rtd objects
+ ASoC: soc-core: flush delayed work before removing DAIs and widgets
+ serial: caif: hold tty->link reference in ldisc_open and ser_release
+ can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
+ netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
+ netfilter: x_tables: guard option walkers against 1-byte tail reads
+ netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
+ netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
+ regulator: pca9450: Make IRQ optional
+ regulator: pca9450: Correct interrupt type
+ sched: idle: Make skipping governor callbacks more consistent
+ nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
+ i40e: fix src IP mask checks and memcpy argument names in cloud filter
+ e1000/e1000e: Fix leak in DMA error cleanup
+ ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
+ ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
+ ASoC: detect empty DMI strings
+ octeontx2-af: devlink: fix NIX RAS reporter recovery condition
+ cgroup: fix race between task migration and iteration
+ net: usb: lan78xx: fix silent drop of packets with checksum errors
+ net: usb: lan78xx: skip LTM configuration for LAN7850
+ usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
+ usb: xhci: Fix memory leak in xhci_disable_slot()
+ usb: yurex: fix race in probe
+ usb: misc: uss720: properly clean up reference in uss720_probe()
+ usb: core: don't power off roothub PHYs if phy_set_mode() fails
+ usb: cdc-acm: Restore CAP_BRK functionnality to CH343
+ USB: usbcore: Introduce usb_bulk_msg_killable()
+ USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
+ USB: core: Limit the length of unkillable synchronous timeouts
+ usb: class: cdc-wdm: fix reordering issue in read code path
+ usb: renesas_usbhs: fix use-after-free in ISR during device removal
+ usb: mdc800: handle signal and read racing
+ usb: image: mdc800: kill download URB on timeout
+ mm/tracing: rss_stat: ensure curr is false from kthread context
+ mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
+ mmc: core: Avoid bitfield RMW for claim/retune flags
+ tipc: fix divide-by-zero in tipc_sk_filter_connect()
+ libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
+ libceph: reject preamble if control segment is empty
+ libceph: prevent potential out-of-bounds reads in process_message_header()
+ libceph: Use u32 for non-negative values in ceph_monmap_decode()
+ libceph: admit message frames only in CEPH_CON_S_OPEN state
+ ceph: fix i_nlink underrun during async unlink
+ time: add kernel-doc in time.c
+ time/jiffies: Mark jiffies_64_to_clock_t() notrace
+ device property: Allow secondary lookup in fwnode_get_next_child_node()
+ irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS 
supports
+ staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
+ staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
+ media: dvb-net: fix OOB access in ULE extension header tables
+ net: mana: Ring doorbell at 4 CQ wraparounds
+ ice: fix retry for AQ command 0x06EE
+ batman-adv: Avoid double-rtnl_lock ELP metric worker
+ parisc: Increase initial mapping to 64 MB with KALLSYMS
+ nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
+ hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
+ parisc: Fix initial page table creation for boot
+ net: ncsi: fix skb leak in error paths
+ net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
+ drm/amdgpu: Fix use-after-free race in VM acquire
+ tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
+ xfs: fix undersized l_iclog_roundoff values
+ lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
+ x86/apic: Disable x2apic on resume if the kernel expects so
+ lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
+ lib/bootconfig: check bounds before writing in __xbc_open_brace()
+ btrfs: abort transaction on failure to update root in the received subvol 
ioctl
+ iio: dac: ds4424: reject -128 RAW value
+ iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
+ iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
+ iio: potentiometer: mcp4131: fix double application of wiper shift
+ iio: chemical: bme680: Fix measurement wait duration calculation
+ iio: gyro: mpu3050-core: fix pm_runtime error handling
+ iio: gyro: mpu3050-i2c: fix pm_runtime error handling
+ iio: imu: inv_icm42600: fix odr switch to the same value
+ i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
+ i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
+ i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
+ bpf: Forget ranges when refining tnum after JSET
+ l2tp: do not use sock_hold() in pppol2tp_session_get_sock()
+ io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
+ driver: iio: add missing checks on iio_info's callback access
+ sunrpc: fix cache_request leak in cache_release
+ nvdimm/bus: Fix potential use after free in asynchronous initialization
+ NFC: nxp-nci: allow GPIOs to sleep
+ net: macb: fix use-after-free access to PTP clock
+ Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
+ Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
+ mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
+ mmc: sdhci: fix timing selection for 1-bit bus width
+ mtd: rawnand: pl353: make sure optimal timings are applied
+ mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in 
cadence_nand_init()
+ mtd: Avoid boot crash in RedBoot partition table parser
+ iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
+ serial: 8250_pci: add support for the AX99100
+ serial: 8250: Fix TX deadlock when using DMA
+ serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY
+ serial: uartlite: fix PM runtime usage count underflow on probe
+ drm/radeon: apply state adjust rules to some additional HAINAN vairants
+ mm/hugetlb: make detecting shared pte more reliable
+ mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count
+ mm/hugetlb: fix hugetlb_pmd_shared()
+ mm/hugetlb: fix two comments related to huge_pmd_unshare()
+ mm/rmap: fix two comments related to huge_pmd_unshare()
+ mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using 
mmu_gather
+ net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz
+ net: Handle napi_schedule() calls from non-interrupt
+ drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
+ drm/exynos: vidi: fix to avoid directly dereferencing user pointer
+ drm/exynos: vidi: use ctx->lock to protect struct vidi_context member 
variables related to memory alloc/free
+ ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
+ ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O
+ ext4: drop extent cache when splitting extent fails
+ ext4: fix dirtyclusters double decrement on fs shutdown
+ ksmbd: fix null pointer dereference error in generate_encryptionkey
+ ext4: always allocate blocks only from groups inode can use
+ wifi: libertas: fix use-after-free in lbs_free_adapter()
+ wifi: cfg80211: move scan done work to wiphy work
+ wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
+ RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
+ smb: client: Don't log plaintext credentials in cifs_set_cifscreds
+ net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
+ drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
+ mptcp: pm: avoid sending RM_ADDR over same subflow
+ pmdomain: bcm: bcm2835-power: Increase ASB control timeout
+ batman-adv: avoid OGM aggregation when skb tailroom is insufficient
+ btrfs: tree-checker: fix misleading root drop_level error message
+ soc: fsl: qbman: fix race condition in qman_destroy_fq
+ wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
+ of: Add cleanup.h based auto release via __free(device_node) markings
+ firmware: arm_scpi: Fix device_node reference leak in probe path
+ Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
+ Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
+ Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
+ Bluetooth: HIDP: Fix possible UAF
+ Bluetooth: qca: fix ROM version reading on WCN3998 chips
+ net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
+ netfilter: ctnetlink: remove refcounting in expectation dumpers
+ netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
+ netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in 
sip_help_tcp()
+ netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
+ netfilter: nft_ct: add seqadj extension for natted connections
+ netfilter: nft_ct: drop pending enqueued packets on removal
+ netfilter: xt_CT: drop pending enqueued packets on template removal
+ netfilter: xt_time: use unsigned int for monthday bit shift
+ netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
+ net: bcmgenet: increase WoL poll timeout
+ net: mana: Improve the HWC error handling
+ net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering 
teardown
+ sched: idle: Consolidate the handling of two special cases
+ PM: runtime: Fix a race condition related to device removal
+ net/smc: Only save the original clcsock callback functions
+ net/smc: Fix slab-out-of-bounds issue in fallback
+ net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
+ net: usb: aqc111: Do not perform PM inside suspend callback
+ igc: fix missing update of skb->tail in igc_xmit_frame()
+ wifi: mac80211: fix NULL deref in mesh_matches_local()
+ wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough 
headroom
+ ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
+ net: macb: fix uninitialized rx_fs_lock
+ udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
+ net: bonding: fix NULL deref in bond_debug_rlb_hash_show
+ nfnetlink_osf: validate individual option lengths in fingerprints
+ net: mvpp2: guard flow control update with global_tx_fc in buffer switching
+ net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
+ icmp: fix NULL pointer dereference in icmp_tag_validation()
+ hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit()
+ i2c: fsi: Fix a potential leak in fsi_i2c_probe()
+ mtd: rawnand: serialize lock/unlock against other NAND operations
+ mtd: rawnand: brcmnand: skip DMA during panic write
+ ksmbd: fix use-after-free of share_conf in compound request
+ drm/i915/gt: Check set_default_submission() before deferencing
+ lib/bootconfig: check xbc_init_node() return in override path
+ tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
+ xen/privcmd: restrict usage in unprivileged domU
+ xen/privcmd: add boot control for restricted usage in domU
+ sh: platform_early: remove pdev->driver_override check
+ bpf: Release module BTF IDR before module unload
+ HID: asus: avoid memory leak in asus_report_fixup()
+ platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list
+ nvme-pci: cap queue creation to used queues
+ platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1
+ platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on 
SUPI S10
+ nvme-pci: ensure we're polling a polled queue
+ HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2
+ HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
+ net: usb: r8152: add TRENDnet TUC-ET2G
+ HID: mcp2221: cancel last I2C command on read error
+ module: Fix kernel panic when a symbol st_shndx is out of bounds
+ ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg()
+ ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits()
+ dma-buf: Include ioctl.h in UAPI header
+ ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
+ xfrm: call xdo_dev_state_delete during state update
+ xfrm: Fix the usage of skb->sk
+ esp: fix skb leak with espintcp and async crypto
+ af_key: validate families in pfkey_send_migrate()
+ can: statistics: add missing atomic access in hot path
+ Bluetooth: L2CAP: Validate PDU length before reading SDU length in 
l2cap_ecred_data_rcv()
+ Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing 
sock_hold
+ Bluetooth: hci_ll: Fix firmware leak on error path
+ Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
+ pinctrl: mediatek: common: Fix probe failure for devices without EINT
+ ionic: fix persistent MAC address override on PF
+ nfc: nci: fix circular locking dependency in nci_close_device
+ net: openvswitch: Avoid releasing netdev before teardown completes
+ openvswitch: validate MPLS set/set_masked payload length
+ net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe 
buffer
+ rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size
+ platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen
+ net: enetc: fix the output issue of 'ethtool --show-ring'
+ dma-mapping: add missing `inline` for `dma_free_attrs`
+ Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
+ Bluetooth: btusb: clamp SCO altsetting table indices
+ netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
+ netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
+ netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
+ netlink: introduce NLA_POLICY_MAX_BE
+ netfilter: nft_payload: reject out-of-range attributes via policy
+ netlink: hide validation union fields from kdoc
+ netlink: introduce bigendian integer types
+ netlink: allow be16 and be32 types in all uint policy checks
+ netfilter: ctnetlink: use netlink policy range checks
+ net: macb: use the current queue number for stats
+ regmap: Synchronize cache for the page selector
+ RDMA/rw: Fall back to direct SGE on MR pool exhaustion
+ RDMA/irdma: Update ibqp state to error if QP is already in error state
+ RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce()
+ RDMA/irdma: Clean up unnecessary dereference of event->cm_node
+ RDMA/irdma: Remove reset check from irdma_modify_qp_to_err()
+ RDMA/irdma: Fix deadlock during netdev reset with active connections
+ RDMA/irdma: Return EINVAL for invalid arp index error
+ scsi: scsi_transport_sas: Fix the maximum channel scanning issue
+ x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size
+ drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
+ ASoC: Intel: catpt: Fix the device initialization
+ ACPICA: include/acpi/acpixf.h: Fix indentation
+ ACPICA: Allow address_space_handler Install and _REG execution as 2 separate 
steps
+ ACPI: EC: Fix EC address space handler unregistration
+ ACPI: EC: Fix ECDT probe ordering issues
+ hwmon: (adm1177) fix sysfs ABI violation and current unit conversion
+ sysctl: fix uninitialized variable in proc_do_large_bitmap
+ ASoC: adau1372: Fix unchecked clk_prepare_enable() return value
+ ASoC: adau1372: Fix clock leak on PLL lock failure
+ spi: spi-fsl-lpspi: fix teardown order issue (UAF)
+ s390/syscalls: Add spectre boundary for syscall dispatch table
+ s390/barrier: Make array_index_mask_nospec() __always_inline
+ can: gw: fix OOB heap access in cgw_csum_crc8_rel()
+ cpufreq: conservative: Reset requested_freq on limits change
+ media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
+ virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and 
napi_tx is false
+ erofs: add GFP_NOIO in the bio completion if needed
+ alarmtimer: Fix argument order in alarm_timer_forward()
+ scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
+ scsi: ses: Handle positive SCSI error from ses_recv_diag()
+ jbd2: gracefully abort on checkpointing state corruptions
+ xfs: stop reclaim before pushing AIL during unmount
+ ext4: convert inline data to extents when truncate exceeds inline size
+ ext4: make recently_deleted() properly work with lazy itable initialization
+ ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
+ ext4: reject mount if bigalloc with s_first_data_block != 0
+ ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
+ ext4: always drain queued discard work in ext4_mb_release()
+ phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types()
+ dmaengine: xilinx: xilinx_dma: Fix dma_device directions
+ dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA
+ dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction
+ btrfs: fix super block offset in error message in btrfs_validate_super()
+ btrfs: fix lost error when running device stats on multiple devices fs
+ dmaengine: idxd: Remove usage of the deprecated ida_simple_xx() API
+ dmaengine: idxd: Fix freeing the allocated ida too late
+ dmaengine: xilinx_dma: Program interrupt delay timeout
+ dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA
+ futex: Clear stale exiting pointer in futex_lock_pi() retry path
+ HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
+ atm: lec: fix use-after-free in sock_def_readable()
+ btrfs: don't take device_list_mutex when querying zone info
+ objtool: Fix Clang jump table detection
+ HID: multitouch: Check to ensure report responses match the request
+ btrfs: reject root items with drop_progress and zero drop_level
+ dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix common 
property warning
+ crypto: af-alg - fix NULL pointer dereference in scatterwalk
+ net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
+ net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to 
zero to prevent an info-leak
+ tg3: Fix race for querying speed/duplex
+ ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
+ ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
+ bridge: br_nd_send: linearize skb before parsing ND options
+ net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
+ ipv6: prevent possible UaF in addrconf_permanent_addr()
+ net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to 
prevent an info-leak
+ NFC: pn533: bound the UART receive buffer
+ net: xilinx: axienet: Correct BD length masks to match AXIDMA IP spec
+ bpf: Fix regsafe() for pointers to packet
+ net: ipv6: flowlabel: defer exclusive option free until RCU teardown
+ netfilter: flowtable: strictly check for maximum number of actions
+ netfilter: nfnetlink_log: account for netlink header size
+ netfilter: x_tables: ensure names are nul-terminated
+ netfilter: ipset: use nla_strcmp for IPSET_ATTR_NAME attr
+ netfilter: nf_conntrack_helper: pass helper to expect cleanup
+ netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
+ netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for 
NFPROTO_ARP
+ netfilter: nf_tables: reject immediate NF_QUEUE verdict
+ Bluetooth: MGMT: validate LTK enc_size on load
+ rds: ib: reject FRMR registration before IB connection is established
+ net: macb: fix clk handling on PCI glue driver removal
+ net: macb: properly unregister fixed rate clocks
+ net/mlx5: Avoid "No data available" when FW version queries fail
+ net/x25: Fix potential double free of skb
+ net/x25: Fix overflow when accumulating packets
+ net/sched: cls_fw: fix NULL pointer dereference on shared blocks
+ net/sched: cls_flow: fix NULL pointer dereference on shared blocks
+ net: hsr: fix VLAN add unwind on slave errors
+ ipv6: avoid overflows in ip6_datagram_send_ctl()
+ bpf: reject direct access to nullable PTR_TO_BUF pointers
+ hwmon: (pxe1610) Check return value of page-select write in probe
+ hwmon: (tps53679) Fix device ID comparison and printing in tps53676_identify()
+ hwmon: (occ) Fix missing newline in occ_show_extended()
+ riscv: kgdb: fix several debug register assignment bugs
+ drm/ioc32: stop speculation on the drm_compat_ioctl path
+ wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
+ USB: serial: option: add MeiG Smart SRM825WN
+ ALSA: caiaq: fix stack out-of-bounds read in init_card
+ ALSA: ctxfi: Fix missing SPDIFI1 index handling
+ Bluetooth: SMP: derive legacy responder STK authentication from MITM state
+ Bluetooth: SMP: force responder MITM requirements before building the pairing 
response
+ MIPS: Fix the GCC version check for `__multi3' workaround
+ hwmon: (occ) Fix division by zero in occ_show_power_1()
+ drm/ast: dp501: Fix initialization of SCU2C
+ USB: serial: io_edgeport: add support for Blackbox IC135A
+ USB: serial: option: add support for Rolling Wireless RW135R-GL
+ USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam
+ Input: synaptics-rmi4 - fix a locking bug in an error path
+ Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042 quirk table
+ Input: xpad - add support for Razer Wolverine V3 Pro
+ iio: dac: ad5770r: fix error return in ad5770r_read_raw()
+ iio: light: vcnl4035: fix scan buffer on big-endian
+ iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only
+ iio: gyro: mpu3050: Fix incorrect free_irq() variable
+ iio: gyro: mpu3050: Fix irq resource leak
+ iio: gyro: mpu3050: Move iio_device_register() to correct location
+ iio: gyro: mpu3050: Fix out-of-sequence free_irq()
+ usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive
+ usb: ulpi: fix double free in ulpi_register_interface() error path
+ usb: usbtmc: Flush anchored URBs in usbtmc_release
+ usb: ehci-brcm: fix sleep during atomic
+ usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
+ usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
+ usb: cdns3: gadget: fix state inconsistency on gadget init failure
+ nvmet-tcp: fix use-before-check of sg in bounds validation
+ phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind
+ phy: renesas: rcar-gen3-usb2: Move IRQ request in probe
+ phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data
+ phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off
+ bridge: br_nd_send: validate ND option lengths
+ cdc-acm: new quirk for EPSON HMD
+ comedi: dt2815: add hardware detection to prevent crash
+ comedi: Reinit dev->spinlock between attachments to low-level drivers
+ comedi: ni_atmio16d: Fix invalid clean-up after failed attach
+ comedi: me_daq: Fix potential overrun of firmware buffer
+ comedi: me4000: Fix potential overrun of firmware buffer
+ vxlan: validate ND option lengths in vxlan_na_create
+ net: ftgmac100: fix ring allocation unwind on open failure
+ thunderbolt: Fix property read in nhi_wake_supported()
+ USB: dummy-hcd: Fix locking/synchronization error
+ USB: dummy-hcd: Fix interrupt synchronization error
+ usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows partial 
transfer
+ can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
+ can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() 
error
+ can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
+ fbcon: Set fb_display[i]->mode to NULL when the mode is released
+ net: mctp: Don't access ifa_index when missing
+ smb: client: Fix refcount leak for cifs_sb_tlink
+ staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
+ usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
+ usb: gadget: f_rndis: Protect RNDIS options with mutex
+ usb: gadget: f_uac1_legacy: validate control request size
+ io_uring/tctx: work around xa_store() allocation error issue
+ wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
+ lib/crypto: chacha: Zeroize permuted_state before it leaves scope
+ wifi: rt2x00usb: fix devres lifetime
+ xfrm_user: fix info leak in build_report()
+ mptcp: fix slab-use-after-free in __inet_lookup_established
+ Input: uinput - fix circular locking dependency with ff-core
+ Input: uinput - take event lock when submitting FF request "event"
+ media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
+ media: uvcvideo: Use heuristic to find stream entity
+ gpiolib: cdev: fix uninitialised kfifo
+ iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer
+ netfilter: nft_ct: fix use-after-free in timeout object destroy
+ tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
+ wifi: brcmsmac: Fix dma_free_coherent() size
+ arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity
+ arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges
+ nfc: pn533: allocate rx skb before consuming bytes
+ batman-adv: reject oversized global TT response buffers
+ net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
+ drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
+ mmc: vub300: fix NULL-deref on disconnect
+ net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure
+ net: stmmac: fix integer underflow in chain mode
+ rxrpc: fix reference count leak in rxrpc_server_keyring()
+ rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
+ netlink: add nla be16/32 types to minlen array
+ xen/privcmd: unregister xenstore notifier on module exit
+ Revert "mptcp: add needs_id for netlink appending addr"
+ seg6: separate dst_cache for input and output paths in seg6 lwtunnel
+ net: rfkill: prevent unlimited numbers of rfkill events from being created
+ usb: gadget: f_hid: move list and spinlock inits from bind to alloc
+ usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
+ usb: gadget: uvc: fix NULL pointer dereference during unbind race
+ ext4: publish jinode after initialization
+ ext4: fix the might_sleep() warnings in kvfree()
+ ext4: fix use-after-free in update_super_work when racing with umount
+ xfs: save ailp before dropping the AIL lock in push callbacks
+ dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock
+ dmaengine: sh: rz-dmac: Protect the driver specific lists
+ KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
+ net: macb: Move devm_{free,request}_irq() out of spin lock area
+ scsi: target: tcm_loop: Drain commands in target_reset handler
+ mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
+ x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling()
+ tracing: Fix potential deadlock in cpu hotplug with osnoise
+ ksmbd: fix potencial OOB in get_file_all_info() for compound requests
+ ksmbd: replace hardcoded hdr2_len with offsetof() in 
smb2_calc_max_out_buf_len()
+ i2c: cp2615: replace deprecated strncpy with strscpy
+ i2c: cp2615: fix serial string NULL-deref at probe
+ Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
+ ksmbd: Fix refcount leak when invalid session is found on session lookup
+ ksmbd: Fix dangling pointer in krb_authenticate
+ io_uring/poll: correctly handle io_poll_add() return value on update
  Linux 5.15.203
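Review bot: the re-sorted + list silently drops entries that the - list below still carries, and the description gives no reason. Between "netfilter: nft_ct: fix use-after-free in timeout object destroy" and "iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer" the eleven apparmor fixes are gone. Also missing from their corresponding positions are "net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption", "netfilter: ipset: drop logically empty buckets in mtype_del" and the Revert "PCI: Enable ACS after configuring IOMMU for OF platforms". Several of these are memory-safety or privilege-boundary fixes by their own subject lines, so the description should state for each whether it was already applied to the Ubuntu tree or deliberately skipped. That lets someone auditing this SRU distinguish an intentional omission from a lost patch.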
- io_uring/poll: correctly handle io_poll_add() return value on update
- Revert "PCI: Enable ACS after configuring IOMMU for OF platforms"
- ksmbd: Fix dangling pointer in krb_authenticate
- ksmbd: Fix refcount leak when invalid session is found on session lookup
- Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
- i2c: cp2615: fix serial string NULL-deref at probe
- i2c: cp2615: replace deprecated strncpy with strscpy
- ksmbd: replace hardcoded hdr2_len with offsetof() in 
smb2_calc_max_out_buf_len()
- ksmbd: fix potencial OOB in get_file_all_info() for compound requests
- tracing: Fix potential deadlock in cpu hotplug with osnoise
- x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling()
- mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
- scsi: target: tcm_loop: Drain commands in target_reset handler
- net: macb: Move devm_{free,request}_irq() out of spin lock area
- KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE
- dmaengine: sh: rz-dmac: Protect the driver specific lists
- dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock
- xfs: save ailp before dropping the AIL lock in push callbacks
- ext4: fix use-after-free in update_super_work when racing with umount
- ext4: fix the might_sleep() warnings in kvfree()
- ext4: publish jinode after initialization
- usb: gadget: uvc: fix NULL pointer dereference during unbind race
- usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
- usb: gadget: f_hid: move list and spinlock inits from bind to alloc
- net: rfkill: prevent unlimited numbers of rfkill events from being created
- seg6: separate dst_cache for input and output paths in seg6 lwtunnel
- Revert "mptcp: add needs_id for netlink appending addr"
- xen/privcmd: unregister xenstore notifier on module exit
- netlink: add nla be16/32 types to minlen array
- rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
- rxrpc: fix reference count leak in rxrpc_server_keyring()
- net: stmmac: fix integer underflow in chain mode
- net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure
- mmc: vub300: fix NULL-deref on disconnect
- drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
- net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
- net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
- batman-adv: reject oversized global TT response buffers
- nfc: pn533: allocate rx skb before consuming bytes
- arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges
- arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity
- wifi: brcmsmac: Fix dma_free_coherent() size
- tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
- netfilter: nft_ct: fix use-after-free in timeout object destroy
- apparmor: fix race between freeing data and fs accessing it
- apparmor: fix race on rawdata dereference
- apparmor: fix differential encoding verification
- apparmor: fix unprivileged local user can do privileged policy management
- apparmor: Fix double free of ns_name in aa_replace_profiles()
- apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
- apparmor: fix side-effect bug in match_char() macro usage
- apparmor: fix: limit the number of levels of policy namespaces
- apparmor: replace recursive profile removal with iterative approach
- apparmor: fix memory leak in verify_header
- apparmor: validate DFA start states are in bounds in unpack_pdb
- iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer
- gpiolib: cdev: fix uninitialised kfifo
- media: uvcvideo: Use heuristic to find stream entity
- media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID
- Input: uinput - take event lock when submitting FF request "event"
- Input: uinput - fix circular locking dependency with ff-core
- mptcp: fix slab-use-after-free in __inet_lookup_established
- xfrm_user: fix info leak in build_report()
- wifi: rt2x00usb: fix devres lifetime
- lib/crypto: chacha: Zeroize permuted_state before it leaves scope
- wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
- io_uring/tctx: work around xa_store() allocation error issue
- usb: gadget: f_uac1_legacy: validate control request size
- usb: gadget: f_rndis: Protect RNDIS options with mutex
- usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
- staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
- smb: client: Fix refcount leak for cifs_sb_tlink
- net: mctp: Don't access ifa_index when missing
- fbcon: Set fb_display[i]->mode to NULL when the mode is released
- can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
- can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() 
error
- can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
- usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows partial 
transfer
- USB: dummy-hcd: Fix interrupt synchronization error
- USB: dummy-hcd: Fix locking/synchronization error
- thunderbolt: Fix property read in nhi_wake_supported()
- net: ftgmac100: fix ring allocation unwind on open failure
- vxlan: validate ND option lengths in vxlan_na_create
- netfilter: ipset: drop logically empty buckets in mtype_del
- comedi: me4000: Fix potential overrun of firmware buffer
- comedi: me_daq: Fix potential overrun of firmware buffer
- comedi: ni_atmio16d: Fix invalid clean-up after failed attach
- comedi: Reinit dev->spinlock between attachments to low-level drivers
- comedi: dt2815: add hardware detection to prevent crash
- cdc-acm: new quirk for EPSON HMD
- bridge: br_nd_send: validate ND option lengths
- phy: renesas: rcar-gen3-usb2: Assert PLL reset on PHY power off
- phy: renesas: rcar-gen3-usb2: Lock around hardware registers and driver data
- phy: renesas: rcar-gen3-usb2: Move IRQ request in probe
- phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind
- nvmet-tcp: fix use-before-check of sg in bounds validation
- usb: cdns3: gadget: fix state inconsistency on gadget init failure
- usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
- usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
- usb: ehci-brcm: fix sleep during atomic
- usb: usbtmc: Flush anchored URBs in usbtmc_release
- usb: ulpi: fix double free in ulpi_register_interface() error path
- usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive
- iio: gyro: mpu3050: Fix out-of-sequence free_irq()
- iio: gyro: mpu3050: Move iio_device_register() to correct location
- iio: gyro: mpu3050: Fix irq resource leak
- iio: gyro: mpu3050: Fix incorrect free_irq() variable
- iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only
- iio: light: vcnl4035: fix scan buffer on big-endian
- iio: dac: ad5770r: fix error return in ad5770r_read_raw()
- Input: xpad - add support for Razer Wolverine V3 Pro
- Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042 quirk table
- Input: synaptics-rmi4 - fix a locking bug in an error path
- USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam
- USB: serial: option: add support for Rolling Wireless RW135R-GL
- USB: serial: io_edgeport: add support for Blackbox IC135A
- drm/ast: dp501: Fix initialization of SCU2C
- hwmon: (occ) Fix division by zero in occ_show_power_1()
- MIPS: Fix the GCC version check for `__multi3' workaround
- Bluetooth: SMP: force responder MITM requirements before building the pairing 
response
- Bluetooth: SMP: derive legacy responder STK authentication from MITM state
- ALSA: ctxfi: Fix missing SPDIFI1 index handling
- ALSA: caiaq: fix stack out-of-bounds read in init_card
- USB: serial: option: add MeiG Smart SRM825WN
- wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
- drm/ioc32: stop speculation on the drm_compat_ioctl path
- riscv: kgdb: fix several debug register assignment bugs
- hwmon: (occ) Fix missing newline in occ_show_extended()
- hwmon: (tps53679) Fix device ID comparison and printing in tps53676_identify()
- hwmon: (pxe1610) Check return value of page-select write in probe
- bpf: reject direct access to nullable PTR_TO_BUF pointers
- ipv6: avoid overflows in ip6_datagram_send_ctl()
- net: hsr: fix VLAN add unwind on slave errors
- net/sched: cls_flow: fix NULL pointer dereference on shared blocks
- net/sched: cls_fw: fix NULL pointer dereference on shared blocks
- net/x25: Fix overflow when accumulating packets
- net/x25: Fix potential double free of skb
- net/mlx5: Avoid "No data available" when FW version queries fail
- net: macb: properly unregister fixed rate clocks
- net: macb: fix clk handling on PCI glue driver removal
- rds: ib: reject FRMR registration before IB connection is established
- Bluetooth: MGMT: validate LTK enc_size on load
- netfilter: nf_tables: reject immediate NF_QUEUE verdict
- netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for 
NFPROTO_ARP
- netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
- netfilter: nf_conntrack_helper: pass helper to expect cleanup
- netfilter: ipset: use nla_strcmp for IPSET_ATTR_NAME attr
- netfilter: x_tables: ensure names are nul-terminated
- netfilter: nfnetlink_log: account for netlink header size
- netfilter: flowtable: strictly check for maximum number of actions
- net: ipv6: flowlabel: defer exclusive option free until RCU teardown
- bpf: Fix regsafe() for pointers to packet
- net: xilinx: axienet: Correct BD length masks to match AXIDMA IP spec
- NFC: pn533: bound the UART receive buffer
- net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to 
prevent an info-leak
- ipv6: prevent possible UaF in addrconf_permanent_addr()
- net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
- bridge: br_nd_send: linearize skb before parsing ND options
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
- ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
- tg3: Fix race for querying speed/duplex
- net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to 
zero to prevent an info-leak
- net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
- crypto: af-alg - fix NULL pointer dereference in scatterwalk
- dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix common 
property warning
- btrfs: reject root items with drop_progress and zero drop_level
- HID: multitouch: Check to ensure report responses match the request
- objtool: Fix Clang jump table detection
- btrfs: don't take device_list_mutex when querying zone info
- atm: lec: fix use-after-free in sock_def_readable()
- HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
- futex: Clear stale exiting pointer in futex_lock_pi() retry path
- dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA
- dmaengine: xilinx_dma: Program interrupt delay timeout
- dmaengine: idxd: Fix freeing the allocated ida too late
- dmaengine: idxd: Remove usage of the deprecated ida_simple_xx() API
- btrfs: fix lost error when running device stats on multiple devices fs
- btrfs: fix super block offset in error message in btrfs_validate_super()
- dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction
- dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA
- dmaengine: xilinx: xilinx_dma: Fix dma_device directions
- phy: ti: j721e-wiz: Fix device node reference leak in wiz_get_lane_phy_types()
- ext4: always drain queued discard work in ext4_mb_release()
- ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
- ext4: reject mount if bigalloc with s_first_data_block != 0
- ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
- ext4: make recently_deleted() properly work with lazy itable initialization
- ext4: convert inline data to extents when truncate exceeds inline size
- xfs: stop reclaim before pushing AIL during unmount
- jbd2: gracefully abort on checkpointing state corruptions
- scsi: ses: Handle positive SCSI error from ses_recv_diag()
- scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
- alarmtimer: Fix argument order in alarm_timer_forward()
- erofs: add GFP_NOIO in the bio completion if needed
- virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and 
napi_tx is false
- media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
- cpufreq: conservative: Reset requested_freq on limits change
- can: gw: fix OOB heap access in cgw_csum_crc8_rel()
- s390/barrier: Make array_index_mask_nospec() __always_inline
- s390/syscalls: Add spectre boundary for syscall dispatch table
- spi: spi-fsl-lpspi: fix teardown order issue (UAF)
- ASoC: adau1372: Fix clock leak on PLL lock failure
- ASoC: adau1372: Fix unchecked clk_prepare_enable() return value
- sysctl: fix uninitialized variable in proc_do_large_bitmap
- hwmon: (adm1177) fix sysfs ABI violation and current unit conversion
- ACPI: EC: Fix ECDT probe ordering issues
- ACPI: EC: Fix EC address space handler unregistration
- ACPICA: Allow address_space_handler Install and _REG execution as 2 separate 
steps
- ACPICA: include/acpi/acpixf.h: Fix indentation
- ASoC: Intel: catpt: Fix the device initialization
- drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
- x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size
- scsi: scsi_transport_sas: Fix the maximum channel scanning issue
- RDMA/irdma: Return EINVAL for invalid arp index error
- RDMA/irdma: Fix deadlock during netdev reset with active connections
- RDMA/irdma: Remove reset check from irdma_modify_qp_to_err()
- RDMA/irdma: Clean up unnecessary dereference of event->cm_node
- RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce()
- RDMA/irdma: Update ibqp state to error if QP is already in error state
- RDMA/rw: Fall back to direct SGE on MR pool exhaustion
- regmap: Synchronize cache for the page selector
- net: macb: use the current queue number for stats
- netfilter: ctnetlink: use netlink policy range checks
- netlink: allow be16 and be32 types in all uint policy checks
- netlink: introduce bigendian integer types
- netlink: hide validation union fields from kdoc
- netfilter: nft_payload: reject out-of-range attributes via policy
- netlink: introduce NLA_POLICY_MAX_BE
- netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp
- netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
- netfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD
- Bluetooth: btusb: clamp SCO altsetting table indices
- Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
- dma-mapping: add missing `inline` for `dma_free_attrs`
- net: enetc: fix the output issue of 'ethtool --show-ring'
- net: fix fanout UAF in packet_release() via NETDEV_UP race
- platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen
- rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size
- net/smc: fix double-free of smc_spd_priv when tee() duplicates splice pipe 
buffer
- openvswitch: validate MPLS set/set_masked payload length
- net: openvswitch: Avoid releasing netdev before teardown completes
- nfc: nci: fix circular locking dependency in nci_close_device
- ionic: fix persistent MAC address override on PF
- pinctrl: mediatek: common: Fix probe failure for devices without EINT
- Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
- Bluetooth: hci_ll: Fix firmware leak on error path
- Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing 
sock_hold
- Bluetooth: L2CAP: Validate PDU length before reading SDU length in 
l2cap_ecred_data_rcv()
- can: statistics: add missing atomic access in hot path
- af_key: validate families in pfkey_send_migrate()
- esp: fix skb leak with espintcp and async crypto
- xfrm: Fix the usage of skb->sk
- xfrm: call xdo_dev_state_delete during state update
- ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
- dma-buf: Include ioctl.h in UAPI header
- ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits()
- ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg()
- module: Fix kernel panic when a symbol st_shndx is out of bounds
- HID: mcp2221: cancel last I2C command on read error
- net: usb: r8152: add TRENDnet TUC-ET2G
- HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
- HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2
- nvme-pci: ensure we're polling a polled queue
- platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix touchscreen on 
SUPI S10
- platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16 Gen 1
- nvme-pci: cap queue creation to used queues
- platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list
- HID: asus: avoid memory leak in asus_report_fixup()
- bpf: Release module BTF IDR before module unload
- sh: platform_early: remove pdev->driver_override check
- xen/privcmd: add boot control for restricted usage in domU
- xen/privcmd: restrict usage in unprivileged domU
- netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
- netfilter: nf_tables: de-constify set commit ops function argument
- tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
- lib/bootconfig: check xbc_init_node() return in override path
- drm/i915/gt: Check set_default_submission() before deferencing
- ksmbd: fix use-after-free of share_conf in compound request
- mtd: rawnand: brcmnand: skip DMA during panic write
- mtd: rawnand: serialize lock/unlock against other NAND operations
- i2c: fsi: Fix a potential leak in fsi_i2c_probe()
- hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit()
- icmp: fix NULL pointer dereference in icmp_tag_validation()
- net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
- net: mvpp2: guard flow control update with global_tx_fc in buffer switching
- nfnetlink_osf: validate individual option lengths in fingerprints
- net: bonding: fix NULL deref in bond_debug_rlb_hash_show
- udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
- net: macb: fix uninitialized rx_fs_lock
- ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
- wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough 
headroom
- wifi: mac80211: fix NULL deref in mesh_matches_local()
- igc: fix missing update of skb->tail in igc_xmit_frame()
- net: usb: aqc111: Do not perform PM inside suspend callback
- net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
- net/smc: Fix slab-out-of-bounds issue in fallback
- net/smc: Only save the original clcsock callback functions
- PM: runtime: Fix a race condition related to device removal
- sched: idle: Consolidate the handling of two special cases
- net: mana: fix use-after-free in mana_hwc_destroy_channel() by reordering 
teardown
- net: mana: Improve the HWC error handling
- net: bcmgenet: increase WoL poll timeout
- netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
- netfilter: xt_time: use unsigned int for monthday bit shift
- netfilter: xt_CT: drop pending enqueued packets on template removal
- netfilter: nft_ct: drop pending enqueued packets on removal
- netfilter: nft_ct: add seqadj extension for natted connections
- netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
- netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in 
sip_help_tcp()
- netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
- netfilter: ctnetlink: remove refcounting in expectation dumpers
- net/rose: fix NULL pointer dereference in rose_transmit_link on reconnect
- Bluetooth: qca: fix ROM version reading on WCN3998 chips
- Bluetooth: HIDP: Fix possible UAF
- Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
- Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
- Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
- firmware: arm_scpi: Fix device_node reference leak in probe path
- of: Add cleanup.h based auto release via __free(device_node) markings
- wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
- soc: fsl: qbman: fix race condition in qman_destroy_fq
- btrfs: tree-checker: fix misleading root drop_level error message
- batman-adv: avoid OGM aggregation when skb tailroom is insufficient
- pmdomain: bcm: bcm2835-power: Increase ASB control timeout
- mptcp: pm: avoid sending RM_ADDR over same subflow
- drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
- net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
- smb: client: Don't log plaintext credentials in cifs_set_cifscreds
- RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
- wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
- wifi: cfg80211: move scan done work to wiphy work
- wifi: libertas: fix use-after-free in lbs_free_adapter()
- ext4: always allocate blocks only from groups inode can use
- ksmbd: fix null pointer dereference error in generate_encryptionkey
- ext4: fix dirtyclusters double decrement on fs shutdown
- ext4: drop extent cache when splitting extent fails
- ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O
- ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
- drm/exynos: vidi: use ctx->lock to protect struct vidi_context member 
variables related to memory alloc/free
- drm/exynos: vidi: fix to avoid directly dereferencing user pointer
- drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl()
- net: Handle napi_schedule() calls from non-interrupt
- net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz
- mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using 
mmu_gather
- mm/rmap: fix two comments related to huge_pmd_unshare()
- mm/hugetlb: fix two comments related to huge_pmd_unshare()
- mm/hugetlb: fix hugetlb_pmd_shared()
- mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count
- mm/hugetlb: make detecting shared pte more reliable
- drm/radeon: apply state adjust rules to some additional HAINAN vairants
- serial: uartlite: fix PM runtime usage count underflow on probe
- serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART BUSY
- serial: 8250: Fix TX deadlock when using DMA
- serial: 8250_pci: add support for the AX99100
- iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
- mtd: Avoid boot crash in RedBoot partition table parser
- mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in 
cadence_nand_init()
- mtd: rawnand: pl353: make sure optimal timings are applied
- mmc: sdhci: fix timing selection for 1-bit bus width
- mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
- Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
- Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
- net: macb: fix use-after-free access to PTP clock
- NFC: nxp-nci: allow GPIOs to sleep
- nvdimm/bus: Fix potential use after free in asynchronous initialization
- sunrpc: fix cache_request leak in cache_release
- driver: iio: add missing checks on iio_info's callback access
- io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
- l2tp: do not use sock_hold() in pppol2tp_session_get_sock()
- bpf: Forget ranges when refining tnum after JSET
- i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
- i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
- i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
- iio: imu: inv_icm42600: fix odr switch to the same value
- iio: gyro: mpu3050-i2c: fix pm_runtime error handling
- iio: gyro: mpu3050-core: fix pm_runtime error handling
- iio: chemical: bme680: Fix measurement wait duration calculation
- iio: potentiometer: mcp4131: fix double application of wiper shift
- iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
- iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
- iio: dac: ds4424: reject -128 RAW value
- btrfs: abort transaction on failure to update root in the received subvol 
ioctl
- lib/bootconfig: check bounds before writing in __xbc_open_brace()
- lib/bootconfig: fix snprintf truncation check in xbc_node_compose_key_after()
- x86/apic: Disable x2apic on resume if the kernel expects so
- lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
- xfs: fix undersized l_iclog_roundoff values
- tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
- drm/amdgpu: Fix use-after-free race in VM acquire
- net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
- net: ncsi: fix skb leak in error paths
- parisc: Fix initial page table creation for boot
- hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
- nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
- parisc: Increase initial mapping to 64 MB with KALLSYMS
- batman-adv: Avoid double-rtnl_lock ELP metric worker
- ice: fix retry for AQ command 0x06EE
- net: mana: Ring doorbell at 4 CQ wraparounds
- media: dvb-net: fix OOB access in ULE extension header tables
- staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
- staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
- irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS 
supports
- device property: Allow secondary lookup in fwnode_get_next_child_node()
- time/jiffies: Mark jiffies_64_to_clock_t() notrace
- time: add kernel-doc in time.c
- ceph: fix i_nlink underrun during async unlink
- libceph: admit message frames only in CEPH_CON_S_OPEN state
- libceph: Use u32 for non-negative values in ceph_monmap_decode()
- libceph: prevent potential out-of-bounds reads in process_message_header()
- libceph: reject preamble if control segment is empty
- libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
- tipc: fix divide-by-zero in tipc_sk_filter_connect()
- mmc: core: Avoid bitfield RMW for claim/retune flags
- mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
- mm/tracing: rss_stat: ensure curr is false from kthread context
- usb: image: mdc800: kill download URB on timeout
- usb: mdc800: handle signal and read racing
- usb: renesas_usbhs: fix use-after-free in ISR during device removal
- usb: class: cdc-wdm: fix reordering issue in read code path
- USB: core: Limit the length of unkillable synchronous timeouts
- USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
- USB: usbcore: Introduce usb_bulk_msg_killable()
- usb: cdc-acm: Restore CAP_BRK functionnality to CH343
- usb: core: don't power off roothub PHYs if phy_set_mode() fails
- usb: misc: uss720: properly clean up reference in uss720_probe()
- usb: yurex: fix race in probe
- usb: xhci: Fix memory leak in xhci_disable_slot()
- usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
- net: usb: lan78xx: skip LTM configuration for LAN7850
- net: usb: lan78xx: fix silent drop of packets with checksum errors
- cgroup: fix race between task migration and iteration
- Revert "arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on"
- octeontx2-af: devlink: fix NIX RAS reporter recovery condition
- ASoC: detect empty DMI strings
- ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition
- ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
- e1000/e1000e: Fix leak in DMA error cleanup
- i40e: fix src IP mask checks and memcpy argument names in cloud filter
- nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
- sched: idle: Make skipping governor callbacks more consistent
- regulator: pca9450: Correct interrupt type
- regulator: pca9450: Make IRQ optional
- netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels
- netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table()
- netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
- netfilter: x_tables: guard option walkers against 1-byte tail reads
- netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
- can: hi311x: hi3110_open(): add check for hi3110_power_enable() return value
- serial: caif: hold tty->link reference in ldisc_open and ser_release
- ASoC: soc-core: flush delayed work before removing DAIs and widgets
- ASoC: core: Do not call link_exit() on uninitialized rtd objects
- ASoC: core: Exit all links before removing their components
- ASoC: soc-core: accept zero format at snd_soc_runtime_set_dai_fmt()
- ASoC: soc-core: drop delayed_work_pending() check before flush
- net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL slave 
xmit
- net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
- bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
- xprtrdma: Decrement re_receiving on the early exit paths
- powerpc: 83xx: km83xx: Fix keymile vendor prefix
- remoteproc: mediatek: Unprepare SCP clock during system suspend
- remoteproc: sysmon: Correct subsys_name_len type in QMI request
- powerpc/uaccess: Fix inline assembly for clang build on PPC32
- ALSA: usb-audio: Check max frame size for implicit feedback mode, too
- x86/CPU: Fix FPDSS on Zen1
- ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
- scsi: ses: Fix devices attaching to different hosts
- ACPI: OSI: Add DMI quirk for Acer Aspire One D255
- unshare: fix unshare_fs() handling
- scsi: mpi3mr: Add NULL checks when resetting request and reply queues
- ACPI: PM: Save NVS memory on Lenovo G70-35
- scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
- net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared 
blocks
- net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
- net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
- net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
- net: stmmac: Fix error handling in VLAN add and delete paths
- nfc: rawsock: cancel tx_work before socket teardown
- nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
- nfc: nci: free skb on nci_transceive early error paths
- net: nfc: nci: Fix zero-length proprietary notifications
- net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
- amd-xgbe: fix sleep while atomic on suspend/resume
- ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
- xen/acpi-processor: fix _CST detection using undersized evaluation buffer
- indirect_call_wrapper: do not reevaluate function pointer
- wifi: wlcore: Fix a locking bug
- can: mcp251x: fix deadlock in error path of mcp251x_open
- can: bcm: fix locking for bcm_op runtime updates
- atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
- dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
- dpaa2-switch: do not clear any interrupts automatically
- net: dpaa2-switch: serialize changes to priv->mac with a mutex
- net: dpaa2-switch replace direct MAC access with dpaa2_switch_port_has_mac()
- net: dpaa2-switch: assign port_priv->mac after dpaa2_mac_connect() call
- net: dpaa2: replace dpaa2_mac_is_type_fixed() with dpaa2_mac_is_type_phy()
- net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in 
ALE table
- platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
- selftests: mptcp: more stable simult_flows tests
- scsi: core: Fix refcount leak for tagset_refcnt
- drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
- Squashfs: check metadata block offset is within range
- net/sched: ets: fix divide by zero in the offload path
- IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
- wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
- wifi: radiotap: reject radiotap with unknown bits
- ALSA: usb-audio: Use correct version for UAC3 header validation
- platform/x86: dell-wmi: Add audio/mic mute key codes
- platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
- x86/efi: defer freeing of boot services memory
- HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
- can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
- can: ucan: Fix infinite loop from zero-length messages
- can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a 
message
- net: usb: pegasus: validate USB endpoints
- net: usb: kalmia: validate USB endpoints
- net: usb: kaweth: validate USB endpoints
- nfc: pn533: properly drop the usb interface reference on disconnect
- media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
- eventpoll: Fix integer overflow in ep_loop_check_proc()
- net: arcnet: com20020-pci: fix support for 2.5Mbit cards
- ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
- fbcon: check return value of con2fb_acquire_newinfo()
- fbcon: move more common code into fb_open()
- fbcon: Extract fbcon_open/release helpers
- fbcon: Use delayed work for cursor
- ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths
- hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced 
race
- ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
- usb: cdns3: fix role switching during resume
- usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
- usb: cdns3: remove redundant if branch
- clk: tegra: tegra124-emc: fix device leak on set_rate()
- mfd: omap-usb-host: Fix OF populate on driver rebind
- mfd: omap-usb-host: Convert to platform remove callback returning void
- mfd: qcom-pm8xxx: Fix OF populate on driver rebind
- mfd: qcom-pm8xxx: Convert to platform remove callback returning void
- mfd: qcom-pm8xxx: switch away from using chained IRQ handlers
- drm/tegra: dsi: fix device leak on probe
- ata: libata-scsi: refactor ata_scsi_translate()
- ata: libata: remove pointless VPRINTK() calls
- ata: libata-scsi: drop DPRINTK calls for cdb translation
- scsi: ata: Call scsi_done() directly
- ARM: omap2: Fix reference count leaks in omap_control_init()
- ARM: OMAP2+: add missing of_node_put before break and return
- memory: mtk-smi: fix device leak on larb probe
- memory: mtk-smi: Convert to platform remove callback returning void
- bpf: Fix stack-out-of-bounds write in devmap
- btrfs: fix incorrect key offset in error message in check_dev_extent_item()
- ALSA: usb-audio: Use inclusive terms
- ALSA: usb-audio: Cap the packet size pre-calculations
- scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume
- scsi: ufs: core: Always initialize the UIC done completion
- scsi: lpfc: Properly set WC for DPP mapping
- ip6_tunnel: Fix usage of skb_vlan_inet_prepare()
- ARM: clean up the memset64() C wrapper
+ UBUNTU: Upstream stable to v5.15.203

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2156550

Title:
  Jammy update: v5.15.203 upstream stable release

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2156550/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
