Ubuntu
linux package

amdgpu module crash after 5.15 kernel update

Bug #1981883 reported by Henry Goffin on 2022-07-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Jammy	Fix Released	High	Unassigned

Bug Description

[SRU Justification]

Impact: The 5.15 kernel series introduced a regression compared to 5.13 related to virtual display code on AMD GPUs. This causes crashes for cloud/VM users back to Focal (using rolling cloud or HWE kernels).

Fix: Upstream stable 5.15.61 contains a fix for this which is only needed there since later kernel version have that code rewritten again. This change would get picked up normally in the next stable cycle after 2022.09.19. But given the impact we would apply the following patch from 5.15.61 ahead of time:

commit 27f8f5219fe4658537ba28fd01657e1062ac3960 linux-5.15.y
"drm/amdgpu: fix check in fbdev init"

Test case: Booting the affected kernel on a VM which passes through AMD GPU hardware.

Regression potential: Worst case some driver functions will not get disabled where they did before.

--- original description ---

The kernel 5.15 amdgpu module crashes on load with a “BUG: kernel NULL pointer dereference” on Amazon EC2 G4ad hardware (custom AMD Radeon V520 Pro datacenter GPU) on focal (HWE) and jammy with kernel 5.15.0-1011 and possibly earlier, up through latest (revision 1015.19). This crash bug did not exist in any of the focal HWE 5.13 kernels.

This is probably an upstream kernel bug, but I am also filing it here because existing focal users on EC2 will suddenly stop having access to their AMD GPUs after a reboot once the new 5.15 HWE kernel is installed.

The full backtrace from dmesg is below. The offending function call which crashes in the 5.15 kernel corresponds to this source (sorry, not the right source tree, but the same driver) https://github.com/torvalds/linux/blob/8bb7eca972ad531c9b149c0a51ab43a417385813/drivers/gpu/drm/amd/amdgpu/amdgpu_fb.c#L345

A workaround that I have discovered is adding “options amdgpu virtual_display=;” to a new modprobe.d configuration file - something which shouldn’t be required, but is at least harmless.

Here is the relevant BUG message and backtrace from dmesg:

[ 318.111721] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 318.115443] #PF: supervisor instruction fetch in kernel mode
[ 318.118443] #PF: error_code(0x0010) - not-present page
[ 318.121177] PGD 0 P4D 0
[ 318.122688] Oops: 0010 [#1] SMP NOPTI
[ 318.124592] CPU: 6 PID: 13667 Comm: modprobe Tainted: G W 5.15.0-1015-aws #19~20.04.1-Ubuntu
[ 318.129711] Hardware name: Amazon EC2 g4ad.2xlarge/, BIOS 1.0 10/16/2017
[ 318.133167] RIP: 0010:0x0
[ 318.134704] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[ 318.138291] RSP: 0018:ffff9841828d78e0 EFLAGS: 00010246
[ 318.140938] RAX: 0000000000000000 RBX: ffff8a4f16ae8000 RCX: 0000000000000001
[ 318.144604] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffff8a4f16ae8000
[ 318.148319] RBP: ffff9841828d7908 R08: ffff8a4f02460278 R09: ffff8a4f06422c40
[ 318.152151] R10: c01c42494f8affff R11: ffff8a4f01dcb5b8 R12: ffff8a4f024602e8
[ 318.155929] R13: ffffffffc107e4a0 R14: 0000000000000000 R15: ffff8a4f02460010
[ 318.159685] FS: 00007f8afdc1c740(0000) GS:ffff8a55f0980000(0000) knlGS:0000000000000000
[ 318.163897] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 318.167038] CR2: ffffffffffffffd6 CR3: 000000011817e000 CR4: 00000000003506e0
[ 318.170758] Call Trace:
[ 318.173964] <TASK>
[ 318.176822] __drm_helper_disable_unused_functions+0xe7/0x100 [drm_kms_helper]
[ 318.184230] drm_helper_disable_unused_functions+0x44/0x50 [drm_kms_helper]
[ 318.189761] amdgpu_fbdev_init+0x104/0x110 [amdgpu]
[ 318.194264] amdgpu_device_init.cold+0x7cc/0xc48 [amdgpu]
[ 318.199061] ? pci_read_config_byte+0x27/0x40
[ 318.203206] amdgpu_driver_load_kms+0x1e/0x270 [amdgpu]
[ 318.207901] amdgpu_pci_probe+0x1ea/0x290 [amdgpu]
[ 318.212445] local_pci_probe+0x4b/0x90
[ 318.216386] pci_device_probe+0x182/0x1f0
[ 318.220407] really_probe.part.0+0xcb/0x370
[ 318.224460] really_probe+0x40/0x80
[ 318.228232] __driver_probe_device+0x115/0x190
[ 318.232412] driver_probe_device+0x23/0xa0
[ 318.236436] __driver_attach+0xbd/0x160
[ 318.240348] ? __device_attach_driver+0x110/0x110
[ 318.244637] bus_for_each_dev+0x7e/0xc0
[ 318.248570] driver_attach+0x1e/0x20
[ 318.252474] bus_add_driver+0x161/0x200
[ 318.256412] driver_register+0x74/0xd0
[ 318.260332] __pci_register_driver+0x68/0x70
[ 318.264496] amdgpu_init+0x7c/0x1000 [amdgpu]
[ 318.268841] ? 0xffffffffc146e000
[ 318.272521] do_one_initcall+0x48/0x1d0
[ 318.276446] ? __cond_resched+0x19/0x30
[ 318.280378] ? kmem_cache_alloc_trace+0x15a/0x420
[ 318.284736] do_init_module+0x52/0x230
[ 318.288644] load_module+0x1372/0x1600
[ 318.292529] __do_sys_finit_module+0xbf/0x120
[ 318.296706] ? __do_sys_finit_module+0xbf/0x120
[ 318.300947] __x64_sys_finit_module+0x1a/0x20
[ 318.305265] do_syscall_64+0x5c/0xc0
[ 318.308984] ? do_syscall_64+0x69/0xc0
[ 318.312841] ? do_syscall_64+0x69/0xc0
[ 318.316693] ? do_syscall_64+0x69/0xc0
[ 318.320545] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 318.324975] RIP: 0033:0x7f8afdd6273d
[ 318.328700] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 23 37 0d 00 f7 d8 64 89 01 48
[ 318.343601] RSP: 002b:00007ffe48e5c8c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 318.351197] RAX: ffffffffffffffda RBX: 0000560c79e39260 RCX: 00007f8afdd6273d
[ 318.356678] RDX: 0000000000000000 RSI: 0000560c78e96358 RDI: 000000000000000f
[ 318.362340] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000
[ 318.367743] R10: 000000000000000f R11: 0000000000000246 R12: 0000560c78e96358
[ 318.373241] R13: 0000000000000000 R14: 0000560c79e39390 R15: 0000560c79e39260
[ 318.378699] </TASK>
[ 318.381783] Modules linked in: amdgpu(+) iommu_v2 gpu_sched drm_ttm_helper ttm drm_kms_helper cec rc_core i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt btrfs blake2b_generic xor zstd_compress raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c nls_iso8859_1 dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua ppdev crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel psmouse crypto_simd parport_pc input_leds parport cryptd ena serio_raw sch_fq_codel ipmi_devintf ipmi_msghandler msr drm ip_tables x_tables autofs4
[ 318.418449] CR2: 0000000000000000
[ 318.422130] ---[ end trace d6b9efffe55f5322 ]---
[ 318.426391] RIP: 0010:0x0
[ 318.429681] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
[ 318.434994] RSP: 0018:ffff9841828d78e0 EFLAGS: 00010246
[ 318.439489] RAX: 0000000000000000 RBX: ffff8a4f16ae8000 RCX: 0000000000000001
[ 318.444896] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffff8a4f16ae8000
[ 318.450518] RBP: ffff9841828d7908 R08: ffff8a4f02460278 R09: ffff8a4f06422c40
[ 318.455937] R10: c01c42494f8affff R11: ffff8a4f01dcb5b8 R12: ffff8a4f024602e8
[ 318.461581] R13: ffffffffc107e4a0 R14: 0000000000000000 R15: ffff8a4f02460010
[ 318.466999] FS: 00007f8afdc1c740(0000) GS:ffff8a55f0980000(0000) knlGS:0000000000000000
[ 318.474744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 318.479525] CR2: ffffffffffffffd6 CR3: 000000011817e000 CR4: 00000000003506e0

See original description

Tags:

CVE References

2022-3176

Revision history for this message

Henry Goffin (amzn-hgoffin) wrote on 2022-07-16:

This crash occurs after also firing several warnings with backtraces -

[ 318.108644] WARNING: CPU: 6 PID: 13667 at drivers/gpu/drm/drm_crtc_helper.c:221 drm_helper_disable_unused_functions+0x32/0x50 [drm_kms_helper]

[ 318.109727] WARNING: CPU: 6 PID: 13667 at drivers/gpu/drm/drm_crtc_helper.c:101 drm_helper_encoder_in_use+0x4d/0xe0 [drm_kms_helper]

[ 318.110742] WARNING: CPU: 6 PID: 13667 at drivers/gpu/drm/drm_crtc_helper.c:141 drm_helper_crtc_in_use+0x3c/0xb0 [drm_kms_helper]

All of these warnings are the same code check, which warns when the driver reports atomic modesetting but calls legacy modesetting functions. Beyond that summary, I am way out of my depth, and someone from AMD will probably have to untangle this for 5.15 (later in 5.17 this entire custom fbdev implementation was removed and replaced with common code).

Henry Goffin (amzn-hgoffin) on 2022-07-18

affects:

linux-meta-aws-5.15 (Ubuntu) → linux-aws-5.15 (Ubuntu)

Revision history for this message

Henry Goffin (amzn-hgoffin) wrote on 2022-07-19 (last edit on 2022-07-19):

Alexander Deucher at AMD came up with a quick fix for the 5.15 branch, which I was able to test and verify - amdgpu_fb.c, line 344:

- if (!amdgpu_device_has_dc_support(adev) && !amdgpu_virtual_display)
+ if (!amdgpu_device_has_dc_support(adev) && !amdgpu_virtual_display && !amdgpu_sriov_vf(adev))

With this change, the amdgpu module loads and runs correctly on AWS EC2 G4ad instances. The change only affects datacenter cards with SRIO-V support and not consumer cards.

Revision history for this message

Henry Goffin (amzn-hgoffin) wrote on 2022-07-20:

Patch now posted upstream for linux stable kernel 5.15

https://lore<email address hidden>/T/#u

Stefan Bader (smb) on 2022-09-15

affects:	linux-aws-5.15 (Ubuntu) → linux (Ubuntu)
Changed in linux (Ubuntu):
status:	New → Confirmed
Changed in linux (Ubuntu Jammy):
importance:	Undecided → High
status:	New → Confirmed
Changed in linux (Ubuntu):
status:	Confirmed → Invalid

Stefan Bader (smb) on 2022-09-15

description:	updated
Changed in linux (Ubuntu Jammy):
status:	Confirmed → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-09-21:

This bug is awaiting verification that the linux/5.15.0-50.56 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Revision history for this message

Henry Goffin (amzn-hgoffin) wrote on 2022-10-06:

Sorry I am late to the party on confirming the fix, was traveling. Confirming that everything is working properly with the latest jammy-proposed kernel.

tested package: linux-image-5.15.0-1021-aws 5.15.0-1021.25

ubuntu@ip-172-31-31-116:~$ sudo dmesg | grep 5.15.60
[ 0.000000] Linux version 5.15.0-1021-aws (buildd@lcy02-amd64-074) (gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #25-Ubuntu SMP Fri Sep 23 12:20:42 UTC 2022 (Ubuntu 5.15.0-1021.25-aws 5.15.60)
ubuntu@ip-172-31-31-116:~$ sudo dmesg | grep "zed amd"
[ 5.170324] [drm] Initialized amdgpu 3.42.0 20150101 for 0000:00:1e.0 on minor 0
ubuntu@ip-172-31-31-116:~$ uname -a
Linux ip-172-31-31-116 5.15.0-1021-aws #25-Ubuntu SMP Fri Sep 23 12:20:42 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ip-172-31-31-116:~$ ls /dev/dri
by-path card0 renderD128
ubuntu@ip-172-31-31-116:~$ apt list | grep linux- | grep installed | grep proposed

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

binutils-x86-64-linux-gnu/jammy-proposed,now 2.38-4ubuntu2 amd64 [installed,automatic]
linux-aws-headers-5.15.0-1021/jammy-proposed,now 5.15.0-1021.25 all [installed,automatic]
linux-aws/jammy-proposed,now 5.15.0.1021.21 amd64 [installed]
linux-firmware/jammy-proposed,now 20220329.git681281e4-0ubuntu3.6 all [installed]
linux-headers-5.15.0-1021-aws/jammy-proposed,now 5.15.0-1021.25 amd64 [installed,automatic]
linux-headers-aws/jammy-proposed,now 5.15.0.1021.21 amd64 [installed]
linux-image-5.15.0-1021-aws/jammy-proposed,now 5.15.0-1021.25 amd64 [installed,automatic]
linux-image-aws/jammy-proposed,now 5.15.0.1021.21 amd64 [installed]
linux-modules-5.15.0-1021-aws/jammy-proposed,now 5.15.0-1021.25 amd64 [installed,automatic]
linux-modules-extra-5.15.0-1021-aws/jammy-proposed,now 5.15.0-1021.25 amd64 [installed,automatic]
linux-modules-extra-aws/jammy-proposed,now 5.15.0.1021.21 amd64 [installed]

tags:

added: verification-done-jammy

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-10-10:

Download full text (42.9 KiB)

This bug was fixed in the package linux - 5.15.0-50.56

---------------
linux (5.15.0-50.56) jammy; urgency=medium

* jammy/linux: 5.15.0-50.56 -proposed tracker (LP: #1990148)

  * CVE-2022-3176
    - io_uring: refactor poll update
    - io_uring: move common poll bits
    - io_uring: kill poll linking optimisation
    - io_uring: inline io_poll_complete
    - io_uring: correct fill events helpers types
    - io_uring: clean cqe filling functions
    - io_uring: poll rework
    - io_uring: remove poll entry from list when canceling all
    - io_uring: bump poll refs to full 31-bits
    - io_uring: fail links when poll fails
    - io_uring: fix wrong arm_poll error handling
    - io_uring: fix UAF due to missing POLLFREE handling

  * ip/nexthop: fix default address selection for connected nexthop
    (LP: #1988809)
    - selftests/net: test nexthop without gw

  * ip/nexthop: fix default address selection for connected nexthop
    (LP: #1988809) // icmp_redirect.sh in ubuntu_kernel_selftests failed on
    Jammy 5.15.0-49.55 (LP: #1990124)
    - ip: fix triggering of 'icmp redirect'

linux (5.15.0-49.55) jammy; urgency=medium

* jammy/linux: 5.15.0-49.55 -proposed tracker (LP: #1989785)

* amdgpu module crash after 5.15 kernel update (LP: #1981883)
- drm/amdgpu: fix check in fbdev init

  * scsi: hisi_sas: Increase debugfs_dump_index after dump is completed
    (LP: #1982070)
    - scsi: hisi_sas: Increase debugfs_dump_index after dump is completed

* [UBUNTU 22.04] s390/qeth: cache link_info for ethtool (LP: #1984103)
- s390/qeth: cache link_info for ethtool

* WARN in trace_event_dyn_put_ref (LP: #1987232)
- tracing/perf: Fix double put of trace event when init fails

  * Jammy update: v5.15.60 upstream stable release (LP: #1989221)
    - x86/speculation: Make all RETbleed mitigations 64-bit only
    - selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads
    - selftests/bpf: Check dst_port only on the client socket
    - block: fix default IO priority handling again
    - tools/vm/slabinfo: Handle files in debugfs
    - ACPI: video: Force backlight native for some TongFang devices
    - ACPI: video: Shortening quirk list by identifying Clevo by board_name only
    - ACPI: APEI: Better fix to avoid spamming the console with old error logs
    - crypto: arm64/poly1305 - fix a read out-of-bound
    - KVM: x86: do not report a vCPU as preempted outside instruction boundaries
    - KVM: x86: do not set st->preempted when going back to user space
    - KVM: selftests: Make hyperv_clock selftest more stable
    - tools/kvm_stat: fix display of error when multiple processes are found
    - selftests: KVM: Handle compiler optimizations in ucall
    - KVM: x86/svm: add __GFP_ACCOUNT to __sev_dbg_{en,de}crypt_user()
    - arm64: set UXN on swapper page tables
    - btrfs: zoned: prevent allocation from previous data relocation BG
    - btrfs: zoned: fix critical section of relocation inode writeback
    - Bluetooth: hci_bcm: Add BCM4349B1 variant
    - Bluetooth: hci_bcm: Add DT compatible for CYW55572
    - dt-bindings: bluetooth: broadcom: Add BCM4349B1 DT binding
    - Bluetooth: btusb: Add support of IMC Netw...

This bug was fixed in the package linux - 5.15.0-50.56

---------------
linux (5.15.0-50.56) jammy; urgency=medium

* jammy/linux: 5.15.0-50.56 -proposed tracker (LP: #1990148)

* ip/nexthop: fix default address selection for connected nexthop
    (LP: #1988809)
    - selftests/net: test nexthop without gw

linux (5.15.0-49.55) jammy; urgency=medium

* jammy/linux: 5.15.0-49.55 -proposed tracker (LP: #1989785)

* amdgpu module crash after 5.15 kernel update (LP: #1981883)
    - drm/amdgpu: fix check in fbdev init

* scsi: hisi_sas: Increase debugfs_dump_index after dump is  completed
    (LP: #1982070)
    - scsi: hisi_sas: Increase debugfs_dump_index after dump is completed

* [UBUNTU 22.04] s390/qeth: cache link_info for ethtool (LP: #1984103)
    - s390/qeth: cache link_info for ethtool

* WARN in trace_event_dyn_put_ref (LP: #1987232)
    - tracing/perf: Fix double put of trace event when init fails

* Jammy update: v5.15.59 upstream stable release (LP: #1989218)
    - Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
    - Revert "ocfs2: mount shared volume without ha stack"
    - ntfs: fix use-after-free in ntfs_ucsncmp()
    - fs: sendfile handles O_NONBLOCK of out_fd
    - secretmem: fix unhandled fault in truncate
    - mm: fix page leak with multiple threads mapping the same page
    - hugetlb: fix memoryleak in hugetlb_mcopy_atomic_pte
    - asm-generic: remove a broken and needless ifdef conditional
    - s390/archrandom: prevent CPACF trng invocations in interrupt context
    - nouveau/svm: Fix to migrate all requested pages
    - drm/simpledrm: Fix return type of simpledrm_simple_display_pipe_mode_valid()
    - watch_queue: Fix missing rcu annotation
    - watch_queue: Fix missing locking in add_watch_to_object()
    - tcp: Fix data-races around sysctl_tcp_dsack.
    - tcp: Fix a data-race around sysctl_tcp_app_win.
    - tcp: Fix a data-race around sysctl_tcp_adv_win_scale.
    - tcp: Fix a data-race around sysctl_tcp_frto.
    - tcp: Fix a data-race around sysctl_tcp_nometrics_save.
    - tcp: Fix data-races around sysctl_tcp_no_ssthresh_metrics_save.
    - ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS)
    - ice: do not setup vlan for loopback VSI
    - scsi: ufs: host: Hold reference returned by of_parse_phandle()
    - Revert "tcp: change pingpong threshold to 3"
    - octeontx2-pf: Fix UDP/TCP src and dst port tc filters
    - tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf.
    - tcp: Fix a data-race around sysctl_tcp_limit_output_bytes.
    - tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
    - scsi: core: Fix warning in scsi_alloc_sgtables()
    - scsi: mpt3sas: Stop fw fault watchdog work item during system shutdown
    - net: ping6: Fix memleak in ipv6_renew_options().
    - ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
    - net/tls: Remove the context from the list in tls_device_down
    - igmp: Fix data-races around sysctl_igmp_qrv.
    - net: pcs: xpcs: propagate xpcs_read error to xpcs_get_state_c37_sgmii
    - net: sungem_phy: Add of_node_put() for reference returned by of_get_parent()
    - tcp: Fix a data-race around sysctl_tcp_min_tso_segs.
    - tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen.
    - tcp: Fix a data-race around sysctl_tcp_autocorking.
    - tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit.
    - Documentation: fix sctp_wmem in ip-sysctl.rst
    - macsec: fix NULL deref in macsec_add_rxsa
    - macsec: fix error message in macsec_add_rxsa and _txsa
    - macsec: limit replay window size with XPN
    - macsec: always read MACSEC_SA_ATTR_PN as a u64
    - net: macsec: fix potential resource leak in macsec_add_rxsa() and
      macsec_add_txsa()
    - net: mld: fix reference count leak in mld_{query | report}_work()
    - tcp: Fix data-races around sk_pacing_rate.
    - net: Fix data-races around sysctl_[rw]mem(_offset)?.
    - tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns.
    - tcp: Fix a data-race around sysctl_tcp_comp_sack_slack_ns.
    - tcp: Fix a data-race around sysctl_tcp_comp_sack_nr.
    - tcp: Fix data-races around sysctl_tcp_reflect_tos.
    - ipv4: Fix data-races around sysctl_fib_notify_on_flag_change.
    - i40e: Fix interface init with MSI interrupts (no MSI-X)
    - sctp: fix sleep in atomic context bug in timer handlers
    - octeontx2-pf: cn10k: Fix egress ratelimit configuration
    - virtio-net: fix the race between refill work and close
    - perf symbol: Correct address for bss symbols
    - sfc: disable softirqs for ptp TX
    - sctp: leave the err path free in sctp_stream_init to sctp_stream_free
    - ARM: crypto: comment out gcc warning that breaks clang builds
    - mm/hmm: fault non-owner device private entries
    - page_alloc: fix invalid watermark check on a negative value
    - ARM: 9216/1: Fix MAX_DMA_ADDRESS overflow
    - EDAC/ghes: Set the DIMM label unconditionally
    - docs/kernel-parameters: Update descriptions for "mitigations=" param with
      retbleed
    - locking/rwsem: Allow slowpath writer to ignore handoff bit if not set by
      first waiter
    - x86/bugs: Do not enable IBPB at firmware entry when IBPB is not available
    - Linux 5.15.59

* Jammy update: v5.15.58 upstream stable release (LP: #1988479)
    - pinctrl: stm32: fix optional IRQ support to gpios
    - riscv: add as-options for modules with assembly compontents
    - mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication
    - lockdown: Fix kexec lockdown bypass with ima policy
    - drm/ttm: fix locking in vmap/vunmap TTM GEM helpers
    - bus: mhi: host: pci_generic: add Telit FN980 v1 hardware revision
    - bus: mhi: host: pci_generic: add Telit FN990
    - Revert "selftest/vm: verify remap destination address in mremap_test"
    - Revert "selftest/vm: verify mmap addr in mremap_test"
    - PCI: hv: Fix multi-MSI to allow more than one MSI vector
    - PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI
    - PCI: hv: Reuse existing IRTE allocation in compose_msi_msg()
    - PCI: hv: Fix interrupt mapping for multi-MSI
    - serial: mvebu-uart: correctly report configured baudrate value
    - batman-adv: Use netif_rx_any_context() any.
    - xfs: fix maxlevels comparisons in the btree staging code
    - xfs: fold perag loop iteration logic into helper function
    - xfs: rename the next_agno perag iteration variable
    - xfs: terminate perag iteration reliably on agcount
    - xfs: fix perag reference leak on iteration race with growfs
    - xfs: prevent a WARN_ONCE() in xfs_ioc_attr_list()
    - r8152: fix a WOL issue
    - ip: Fix data-races around sysctl_ip_default_ttl.
    - xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in
      xfrm_bundle_lookup()
    - power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe
    - RDMA/irdma: Do not advertise 1GB page size for x722
    - RDMA/irdma: Fix sleep from invalid context BUG
    - pinctrl: ralink: rename MT7628(an) functions to MT76X8
    - pinctrl: ralink: rename pinctrl-rt2880 to pinctrl-ralink
    - pinctrl: ralink: Check for null return of devm_kcalloc
    - perf/core: Fix data race between perf_event_set_output() and
      perf_mmap_close()
    - ipv4/tcp: do not use per netns ctl sockets
    - net: tun: split run_ebpf_filter() and pskb_trim() into different "if
      statement"
    - mm/pagealloc: sysctl: change watermark_scale_factor max limit to 30%
    - sysctl: move some boundary constants from sysctl.c to sysctl_vals
    - tcp: Fix data-races around sysctl_tcp_ecn.
    - drm/amd/display: Add option to defer works of hpd_rx_irq
    - drm/amd/display: Fork thread to offload work of hpd_rx_irq
    - drm/amdgpu/display: add quirk handling for stutter mode
    - drm/amd/display: Ignore First MST Sideband Message Return Error
    - scsi: megaraid: Clear READ queue map's nr_queues
    - scsi: ufs: core: Drop loglevel of WriteBoost message
    - nvme: check for duplicate identifiers earlier
    - nvme: fix block device naming collision
    - igc: Reinstate IGC_REMOVED logic and implement it properly
    - ip: Fix data-races around sysctl_ip_no_pmtu_disc.
    - ip: Fix data-races around sysctl_ip_fwd_use_pmtu.
    - ip: Fix data-races around sysctl_ip_fwd_update_priority.
    - ip: Fix data-races around sysctl_ip_nonlocal_bind.
    - ip: Fix a data-race around sysctl_ip_autobind_reuse.
    - ip: Fix a data-race around sysctl_fwmark_reflect.
    - tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept.
    - tcp: sk->sk_bound_dev_if once in inet_request_bound_dev_if()
    - tcp: Fix data-races around sysctl_tcp_l3mdev_accept.
    - tcp: Fix data-races around sysctl_tcp_mtu_probing.
    - tcp: Fix data-races around sysctl_tcp_base_mss.
    - tcp: Fix data-races around sysctl_tcp_min_snd_mss.
    - tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor.
    - tcp: Fix a data-race around sysctl_tcp_probe_threshold.
    - tcp: Fix a data-race around sysctl_tcp_probe_interval.
    - net: stmmac: fix pm runtime issue in stmmac_dvr_remove()
    - net: stmmac: fix unbalanced ptp clock issue in suspend/resume flow
    - mtd: rawnand: gpmi: validate controller clock rate
    - mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times
    - net: dsa: microchip: ksz_common: Fix refcount leak bug
    - net: skb: introduce kfree_skb_reason()
    - net: skb: use kfree_skb_reason() in tcp_v4_rcv()
    - net: skb: use kfree_skb_reason() in __udp4_lib_rcv()
    - net: socket: rename SKB_DROP_REASON_SOCKET_FILTER
    - net: skb_drop_reason: add document for drop reasons
    - net: netfilter: use kfree_drop_reason() for NF_DROP
    - net: ipv4: use kfree_skb_reason() in ip_rcv_core()
    - net: ipv4: use kfree_skb_reason() in ip_rcv_finish_core()
    - i2c: mlxcpld: Fix register setting for 400KHz frequency
    - i2c: cadence: Change large transfer count reset logic to be unconditional
    - perf tests: Fix Convert perf time to TSC test for hybrid
    - net: stmmac: fix dma queue left shift overflow issue
    - net/tls: Fix race in TLS device down flow
    - igmp: Fix data-races around sysctl_igmp_llm_reports.
    - igmp: Fix a data-race around sysctl_igmp_max_memberships.
    - igmp: Fix data-races around sysctl_igmp_max_msf.
    - tcp: Fix data-races around keepalive sysctl knobs.
    - tcp: Fix data-races around sysctl_tcp_syn(ack)?_retries.
    - tcp: Fix data-races around sysctl_tcp_syncookies.
    - tcp: Fix data-races around sysctl_tcp_migrate_req.
    - tcp: Fix data-races around sysctl_tcp_reordering.
    - tcp: Fix data-races around some timeout sysctl knobs.
    - tcp: Fix a data-race around sysctl_tcp_notsent_lowat.
    - tcp: Fix a data-race around sysctl_tcp_tw_reuse.
    - tcp: Fix data-races around sysctl_max_syn_backlog.
    - tcp: Fix data-races around sysctl_tcp_fastopen.
    - tcp: Fix data-races around sysctl_tcp_fastopen_blackhole_timeout.
    - iavf: Fix handling of dummy receive descriptors
    - pinctrl: armada-37xx: Use temporary variable for struct device
    - pinctrl: armada-37xx: Make use of the devm_platform_ioremap_resource()
    - pinctrl: armada-37xx: Convert to use dev_err_probe()
    - pinctrl: armada-37xx: use raw spinlocks for regmap to avoid invalid wait
      context
    - i40e: Fix erroneous adapter reinitialization during recovery process
    - ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero
    - net: stmmac: remove redunctant disable xPCS EEE call
    - gpio: pca953x: only use single read/write for No AI mode
    - gpio: pca953x: use the correct range when do regmap sync
    - gpio: pca953x: use the correct register address when regcache sync during
      init
    - be2net: Fix buffer overflow in be_get_module_eeprom
    - net: dsa: sja1105: silent spi_device_id warnings
    - net: dsa: vitesse-vsc73xx: silent spi_device_id warnings
    - drm/imx/dcss: Add missing of_node_put() in fail path
    - ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh.
    - ipv4: Fix data-races around sysctl_fib_multipath_hash_policy.
    - ipv4: Fix data-races around sysctl_fib_multipath_hash_fields.
    - ip: Fix data-races around sysctl_ip_prot_sock.
    - udp: Fix a data-race around sysctl_udp_l3mdev_accept.
    - tcp: Fix data-races around sysctl knobs related to SYN option.
    - tcp: Fix a data-race around sysctl_tcp_early_retrans.
    - tcp: Fix data-races around sysctl_tcp_recovery.
    - tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts.
    - tcp: Fix data-races around sysctl_tcp_slow_start_after_idle.
    - tcp: Fix a data-race around sysctl_tcp_retrans_collapse.
    - tcp: Fix a data-race around sysctl_tcp_stdurg.
    - tcp: Fix a data-race around sysctl_tcp_rfc1337.
    - tcp: Fix a data-race around sysctl_tcp_abort_on_overflow.
    - tcp: Fix data-races around sysctl_tcp_max_reordering.
    - gpio: gpio-xilinx: Fix integer overflow
    - KVM: selftests: Fix target thread to be migrated in rseq_test
    - spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA
      transfers
    - KVM: Don't null dereference ops->destroy
    - mm/mempolicy: fix uninit-value in mpol_rebind_policy()
    - bpf: Make sure mac_header was set before using it
    - sched/deadline: Fix BUG_ON condition for deboosted tasks
    - x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS parts
    - dlm: fix pending remove if msg allocation fails
    - x86/uaccess: Implement macros for CMPXCHG on user addresses
    - bitfield.h: Fix "type of reg too small for mask" test
    - x86/entry_32: Remove .fixup usage
    - x86/extable: Extend extable functionality
    - x86/msr: Remove .fixup usage
    - x86/futex: Remove .fixup usage
    - KVM: x86: Use __try_cmpxchg_user() to emulate atomic accesses
    - xhci: dbc: refactor xhci_dbc_init()
    - xhci: dbc: create and remove dbc structure in dbgtty driver.
    - xhci: dbc: Rename xhci_dbc_init and xhci_dbc_exit
    - xhci: Set HCD flag to defer primary roothub registration
    - mt76: fix use-after-free by removing a non-RCU wcid pointer
    - iwlwifi: fw: uefi: add missing include guards
    - crypto: qat - set to zero DH parameters before free
    - crypto: qat - use pre-allocated buffers in datapath
    - crypto: qat - refactor submission logic
    - crypto: qat - add backlog mechanism
    - crypto: qat - fix memory leak in RSA
    - crypto: qat - remove dma_free_coherent() for RSA
    - crypto: qat - remove dma_free_coherent() for DH
    - crypto: qat - add param check for RSA
    - crypto: qat - add param check for DH
    - crypto: qat - re-enable registration of algorithms
    - exfat: fix referencing wrong parent directory information after renaming
    - tracing: Have event format check not flag %p* on __get_dynamic_array()
    - tracing: Place trace_pid_list logic into abstract functions
    - tracing: Fix return value of trace_pid_write()
    - um: virtio_uml: Allow probing from devicetree
    - um: virtio_uml: Fix broken device handling in time-travel
    - Bluetooth: Add bt_skb_sendmsg helper
    - Bluetooth: Add bt_skb_sendmmsg helper
    - Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg
    - Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg
    - Bluetooth: Fix passing NULL to PTR_ERR
    - Bluetooth: SCO: Fix sco_send_frame returning skb->len
    - Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks
    - exfat: use updated exfat_chain directly during renaming
    - x86/amd: Use IBPB for firmware calls
    - x86/alternative: Report missing return thunk details
    - watchqueue: make sure to serialize 'wqueue->defunct' properly
    - tty: drivers/tty/, stop using tty_schedule_flip()
    - tty: the rest, stop using tty_schedule_flip()
    - tty: drop tty_schedule_flip()
    - tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push()
    - tty: use new tty_insert_flip_string_and_push_buffer() in pty_write()
    - watch-queue: remove spurious double semicolon
    - drm/amd/display: invalid parameter check in dmub_hpd_callback
    - x86/extable: Prefer local labels in .set directives
    - KVM: x86: fix typo in __try_cmpxchg_user causing non-atomicness
    - x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm()
    - drm/amdgpu: Off by one in dm_dmub_outbox1_low_irq()
    - x86/entry_32: Fix segment exceptions
    - Linux 5.15.58

* Jammy update: v5.15.57 upstream stable release (LP: #1988353)
    - x86/xen: Fix initialisation in hypercall_page after rethunk
    - tools arch x86: Sync the msr-index.h copy with the kernel sources
    - tools headers cpufeatures: Sync with the kernel sources
    - um: Add missing apply_returns()
    - x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
    - Linux 5.15.57

* Jammy update: v5.15.56 upstream stable release (LP: #1988351)
    - ALSA: hda - Add fixup for Dell Latitidue E5430
    - ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model
    - ALSA: hda/realtek: Fix headset mic for Acer SF313-51
    - ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671
    - ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221
    - ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
    - xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue
    - fix race between exit_itimers() and /proc/pid/timers
    - mm: userfaultfd: fix UFFDIO_CONTINUE on fallocated shmem pages
    - mm: split huge PUD on wp_huge_pud fallback
    - tracing/histograms: Fix memory leak problem
    - net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale
      pointer
    - ip: fix dflt addr selection for connected nexthop
    - ARM: 9213/1: Print message about disabled Spectre workarounds only once
    - ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction
    - wifi: mac80211: fix queue selection for mesh/OCB interfaces
    - cgroup: Use separate src/dst nodes when preloading css_sets for migration
    - btrfs: return -EAGAIN for NOWAIT dio reads/writes on compressed and inline
      extents
    - drm/panfrost: Put mapping instead of shmem obj on
      panfrost_mmu_map_fault_addr() error
    - drm/panfrost: Fix shrinker list corruption by madvise IOCTL
    - fs/remap: constrain dedupe of EOF blocks
    - nilfs2: fix incorrect masking of permission flags for symlinks
    - sh: convert nommu io{re,un}map() to static inline functions
    - Revert "evm: Fix memleak in init_desc"
    - xfs: only run COW extent recovery when there are no live extents
    - xfs: don't include bnobt blocks when reserving free block pool
    - xfs: run callbacks before waking waiters in xlog_state_shutdown_callbacks
    - xfs: drop async cache flushes from CIL commits.
    - reset: Fix devm bulk optional exclusive control getter
    - ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count
    - spi: amd: Limit max transfer and message size
    - ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle
    - ARM: 9210/1: Mark the FDT_FIXED sections as shareable
    - net/mlx5e: kTLS, Fix build time constant test in TX
    - net/mlx5e: kTLS, Fix build time constant test in RX
    - net/mlx5e: Fix enabling sriov while tc nic rules are offloaded
    - net/mlx5e: Fix capability check for updating vnic env counters
    - net/mlx5e: Ring the TX doorbell on DMA errors
    - drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector()
    - ima: Fix a potential integer overflow in ima_appraise_measurement
    - ASoC: sgtl5000: Fix noise on shutdown/remove
    - ASoC: tas2764: Add post reset delays
    - ASoC: tas2764: Fix and extend FSYNC polarity handling
    - ASoC: tas2764: Correct playback volume range
    - ASoC: tas2764: Fix amp gain register offset & default
    - ASoC: Intel: Skylake: Correct the ssp rate discovery in skl_get_ssp_clks()
    - ASoC: Intel: Skylake: Correct the handling of fmt_config flexible array
    - net: stmmac: dwc-qos: Disable split header for Tegra194
    - net: ethernet: ti: am65-cpsw: Fix devlink port register sequence
    - sysctl: Fix data races in proc_dointvec().
    - sysctl: Fix data races in proc_douintvec().
    - sysctl: Fix data races in proc_dointvec_minmax().
    - sysctl: Fix data races in proc_douintvec_minmax().
    - sysctl: Fix data races in proc_doulongvec_minmax().
    - sysctl: Fix data races in proc_dointvec_jiffies().
    - tcp: Fix a data-race around sysctl_tcp_max_orphans.
    - inetpeer: Fix data-races around sysctl.
    - net: Fix data-races around sysctl_mem.
    - cipso: Fix data-races around sysctl.
    - icmp: Fix data-races around sysctl.
    - ipv4: Fix a data-race around sysctl_fib_sync_mem.
    - ARM: dts: at91: sama5d2: Fix typo in i2s1 node
    - ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero
    - arm64: dts: broadcom: bcm4908: Fix timer node for BCM4906 SoC
    - arm64: dts: broadcom: bcm4908: Fix cpu node for smp boot
    - netfilter: nf_log: incorrect offset to network header
    - netfilter: nf_tables: replace BUG_ON by element length check
    - drm/i915/gvt: IS_ERR() vs NULL bug in intel_gvt_update_reg_whitelist()
    - xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE
    - lockd: set fl_owner when unlocking files
    - lockd: fix nlm_close_files
    - tracing: Fix sleeping while atomic in kdb ftdump
    - drm/i915/selftests: fix a couple IS_ERR() vs NULL tests
    - drm/i915/dg2: Add Wa_22011100796
    - drm/i915/gt: Serialize GRDOM access between multiple engine resets
    - drm/i915/gt: Serialize TLB invalidates with GT resets
    - drm/i915/uc: correctly track uc_fw init failure
    - drm/i915: Require the vm mutex for i915_vma_bind()
    - bnxt_en: Fix bnxt_reinit_after_abort() code path
    - bnxt_en: Fix bnxt_refclk_read()
    - sysctl: Fix data-races in proc_dou8vec_minmax().
    - sysctl: Fix data-races in proc_dointvec_ms_jiffies().
    - icmp: Fix data-races around sysctl_icmp_echo_enable_probe.
    - icmp: Fix a data-race around sysctl_icmp_ignore_bogus_error_responses.
    - icmp: Fix a data-race around sysctl_icmp_errors_use_inbound_ifaddr.
    - icmp: Fix a data-race around sysctl_icmp_ratelimit.
    - icmp: Fix a data-race around sysctl_icmp_ratemask.
    - raw: Fix a data-race around sysctl_raw_l3mdev_accept.
    - tcp: Fix a data-race around sysctl_tcp_ecn_fallback.
    - ipv4: Fix data-races around sysctl_ip_dynaddr.
    - nexthop: Fix data-races around nexthop_compat_mode.
    - net: ftgmac100: Hold reference returned by of_get_child_by_name()
    - net: stmmac: fix leaks in probe
    - ima: force signature verification when CONFIG_KEXEC_SIG is configured
    - ima: Fix potential memory leak in ima_init_crypto()
    - drm/amd/display: Only use depth 36 bpp linebuffers on DCN display engines.
    - drm/amd/pm: Prevent divide by zero
    - sfc: fix use after free when disabling sriov
    - ceph: switch netfs read ops to use rreq->inode instead of
      rreq->mapping->host
    - seg6: fix skb checksum evaluation in SRH encapsulation/insertion
    - seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors
    - seg6: bpf: fix skb checksum in bpf_push_seg6_encap()
    - sfc: fix kernel panic when creating VF
    - KVM: x86: Fully initialize 'struct kvm_lapic_irq' in kvm_pv_kick_cpu_op()
    - net/tls: Check for errors in tls_device_init
    - ACPI: video: Fix acpi_video_handles_brightness_key_presses()
    - mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE
    - btrfs: rename btrfs_bio to btrfs_io_context
    - btrfs: zoned: fix a leaked bioc in read_zone_info
    - ksmbd: use SOCK_NONBLOCK type for kernel_accept()
    - powerpc/xive/spapr: correct bitmap allocation size
    - vdpa/mlx5: Initialize CVQ vringh only once
    - vduse: Tie vduse mgmtdev and its device
    - virtio_mmio: Add missing PM calls to freeze/restore
    - virtio_mmio: Restore guest page size on resume
    - netfilter: br_netfilter: do not skip all hooks with 0 priority
    - scsi: hisi_sas: Limit max hw sectors for v3 HW
    - cpufreq: pmac32-cpufreq: Fix refcount leak bug
    - firmware: sysfb: Make sysfb_create_simplefb() return a pdev pointer
    - firmware: sysfb: Add sysfb_disable() helper function
    - fbdev: Disable sysfb device registration when removing conflicting FBs
    - net: tipc: fix possible refcount leak in tipc_sk_create()
    - NFC: nxp-nci: don't print header length mismatch on i2c error
    - nvme-tcp: always fail a request when sending it failed
    - nvme: fix regression when disconnect a recovering ctrl
    - net: sfp: fix memory leak in sfp_probe()
    - ASoC: ops: Fix off by one in range control validation
    - pinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux()
    - ASoC: Realtek/Maxim SoundWire codecs: disable pm_runtime on remove
    - ASoC: rt711-sdca-sdw: fix calibrate mutex initialization
    - ASoC: Intel: sof_sdw: handle errors on card registration
    - ASoC: rt711: fix calibrate mutex initialization
    - ASoC: rt7*-sdw: harden jack_detect_handler
    - ASoC: codecs: rt700/rt711/rt711-sdca: initialize workqueues in probe
    - ASoC: SOF: Intel: hda-loader: Clarify the cl_dsp_init() flow
    - ASoC: wcd938x: Fix event generation for some controls
    - ASoC: Intel: bytcr_wm5102: Fix GPIO related probe-ordering problem
    - ASoC: wm5110: Fix DRE control
    - ASoC: rt711-sdca: fix kernel NULL pointer dereference when IO error
    - ASoC: dapm: Initialise kcontrol data for mux/demux controls
    - ASoC: cs47l15: Fix event generation for low power mux control
    - ASoC: madera: Fix event generation for OUT1 demux
    - ASoC: madera: Fix event generation for rate controls
    - irqchip: or1k-pic: Undefine mask_ack for level triggered hardware
    - x86: Clear .brk area at early boot
    - soc: ixp4xx/npe: Fix unused match warning
    - ARM: dts: stm32: use the correct clock source for CEC on stm32mp151
    - Revert "can: xilinx_can: Limit CANFD brp to 2"
    - ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices
    - ALSA: usb-audio: Add quirk for Fiero SC-01
    - ALSA: usb-audio: Add quirk for Fiero SC-01 (fw v1.0.0)
    - nvme-pci: phison e16 has bogus namespace ids
    - signal handling: don't use BUG_ON() for debugging
    - USB: serial: ftdi_sio: add Belimo device ids
    - usb: typec: add missing uevent when partner support PD
    - usb: dwc3: gadget: Fix event pending check
    - tty: serial: samsung_tty: set dma burst_size to 1
    - vt: fix memory overlapping when deleting chars in the buffer
    - serial: 8250: fix return error code in serial8250_request_std_resource()
    - serial: stm32: Clear prev values before setting RTS delays
    - serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle
    - serial: 8250: Fix PM usage_count for console handover
    - x86/pat: Fix x86_has_pat_wp()
    - drm/aperture: Run fbdev removal before internal helpers
    - Linux 5.15.56

* Jammy update: v5.15.55 upstream stable release (LP: #1988338)
    - Linux 5.15.55

* Jammy update: v5.15.54 upstream stable release (LP: #1987451)
    - mm/slub: add missing TID updates on slab deactivation
    - mm/filemap: fix UAF in find_lock_entries
    - Revert "selftests/bpf: Add test for bpf_timer overwriting crash"
    - ALSA: usb-audio: Workarounds for Behringer UMC 204/404 HD
    - ALSA: hda/realtek: Add quirk for Clevo L140PU
    - ALSA: cs46xx: Fix missing snd_card_free() call at probe error
    - can: bcm: use call_rcu() instead of costly synchronize_rcu()
    - can: grcan: grcan_probe(): remove extra of_node_get()
    - can: gs_usb: gs_usb_open/close(): fix memory leak
    - can: m_can: m_can_chip_config(): actually enable internal timestamping
    - can: m_can: m_can_{read_fifo,echo_tx_event}(): shift timestamp to full 32
      bits
    - can: mcp251xfd: mcp251xfd_regmap_crc_read(): improve workaround handling for
      mcp2517fd
    - can: mcp251xfd: mcp251xfd_regmap_crc_read(): update workaround broken CRC on
      TBC register
    - bpf: Fix incorrect verifier simulation around jmp32's jeq/jne
    - bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals
    - usbnet: fix memory leak in error case
    - net: rose: fix UAF bug caused by rose_t0timer_expiry
    - netfilter: nft_set_pipapo: release elements in clone from abort path
    - btrfs: rename btrfs_alloc_chunk to btrfs_create_chunk
    - btrfs: add additional parameters to btrfs_init_tree_ref/btrfs_init_data_ref
    - btrfs: fix invalid delayed ref after subvolume creation failure
    - btrfs: fix warning when freeing leaf after subvolume creation failure
    - Input: cpcap-pwrbutton - handle errors from platform_get_irq()
    - Input: goodix - change goodix_i2c_write() len parameter type to int
    - Input: goodix - add a goodix.h header file
    - Input: goodix - refactor reset handling
    - Input: goodix - try not to touch the reset-pin on x86/ACPI devices
    - dma-buf/poll: Get a file reference for outstanding fence callbacks
    - btrfs: fix deadlock between chunk allocation and chunk btree modifications
    - drm/i915: Disable bonding on gen12+ platforms
    - drm/i915/gt: Register the migrate contexts with their engines
    - drm/i915: Replace the unconditional clflush with drm_clflush_virt_range()
    - media: ir_toy: prevent device from hanging during transmit
    - memory: renesas-rpc-if: Avoid unaligned bus access for HyperFlash
    - ath11k: add hw_param for wakeup_mhi
    - qed: Improve the stack space of filter_config()
    - platform/x86: wmi: introduce helper to convert driver to WMI driver
    - platform/x86: wmi: Replace read_takes_no_args with a flags field
    - platform/x86: wmi: Fix driver->notify() vs ->probe() race
    - mt76: mt7921: get rid of mt7921_mac_set_beacon_filter
    - mt76: mt7921: introduce mt7921_mcu_set_beacon_filter utility routine
    - mt76: mt7921: fix a possible race enabling/disabling runtime-pm
    - bpf: Stop caching subprog index in the bpf_pseudo_func insn
    - bpf, arm64: Use emit_addr_mov_i64() for BPF_PSEUDO_FUNC
    - riscv: defconfig: enable DRM_NOUVEAU
    - RISC-V: defconfigs: Set CONFIG_FB=y, for FB console
    - net/mlx5e: Check action fwd/drop flag exists also for nic flows
    - net/mlx5e: Split actions_match_supported() into a sub function
    - net/mlx5e: TC, Reject rules with drop and modify hdr action
    - net/mlx5e: TC, Reject rules with forward and drop actions
    - ASoC: rt5682: Avoid the unexpected IRQ event during going to suspend
    - ASoC: rt5682: Re-detect the combo jack after resuming
    - ASoC: rt5682: Fix deadlock on resume
    - netfilter: nf_tables: convert pktinfo->tprot_set to flags field
    - netfilter: nft_payload: support for inner header matching / mangling
    - netfilter: nft_payload: don't allow th access for fragments
    - s390/boot: allocate amode31 section in decompressor
    - s390/setup: use physical pointers for memblock_reserve()
    - s390/setup: preserve memory at OLDMEM_BASE and OLDMEM_SIZE
    - ibmvnic: init init_done_rc earlier
    - ibmvnic: clear fop when retrying probe
    - ibmvnic: Allow queueing resets during probe
    - virtio-blk: avoid preallocating big SGL for data
    - io_uring: ensure that fsnotify is always called
    - block: use bdev_get_queue() in bio.c
    - block: only mark bio as tracked if it really is tracked
    - block: fix rq-qos breakage from skipping rq_qos_done_bio()
    - stddef: Introduce struct_group() helper macro
    - media: omap3isp: Use struct_group() for memcpy() region
    - media: davinci: vpif: fix use-after-free on driver unbind
    - mt76: mt76_connac: fix MCU_CE_CMD_SET_ROC definition error
    - mt76: mt7921: do not always disable fw runtime-pm
    - cxl/port: Hold port reference until decoder release
    - clk: renesas: r9a07g044: Update multiplier and divider values for PLL2/3
    - KVM: x86/mmu: Use yield-safe TDP MMU root iter in MMU notifier unmapping
    - KVM: x86/mmu: Use common TDP MMU zap helper for MMU notifier unmap hook
    - scsi: qla2xxx: Move heartbeat handling from DPC thread to workqueue
    - scsi: qla2xxx: Fix laggy FC remote port session recovery
    - scsi: qla2xxx: edif: Replace list_for_each_safe with
      list_for_each_entry_safe
    - scsi: qla2xxx: Fix crash during module load unload test
    - gfs2: Fix gfs2_file_buffered_write endless loop workaround
    - vdpa/mlx5: Avoid processing works if workqueue was destroyed
    - btrfs: handle device lookup with btrfs_dev_lookup_args
    - btrfs: add a btrfs_get_dev_args_from_path helper
    - btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls
    - btrfs: remove device item and update super block in the same transaction
    - drbd: add error handling support for add_disk()
    - drbd: Fix double free problem in drbd_create_device
    - drbd: fix an invalid memory access caused by incorrect use of list iterator
    - drm/amd/display: Set min dcfclk if pipe count is 0
    - drm/amd/display: Fix by adding FPU protection for dcn30_internal_validate_bw
    - NFSD: De-duplicate net_generic(nf->nf_net, nfsd_net_id)
    - NFSD: COMMIT operations must not return NFS?ERR_INVAL
    - riscv/mm: Add XIP_FIXUP for riscv_pfn_base
    - iio: accel: mma8452: use the correct logic to get mma8452_data
    - batman-adv: Use netif_rx().
    - mtd: spi-nor: Skip erase logic when SPI_NOR_NO_ERASE is set
    - Compiler Attributes: add __alloc_size() for better bounds checking
    - mm: vmalloc: introduce array allocation functions
    - KVM: use __vcalloc for very large allocations
    - btrfs: don't access possibly stale fs_info data in device_list_add
    - KVM: s390x: fix SCK locking
    - scsi: qla2xxx: Fix loss of NVMe namespaces after driver reload test
    - powerpc/32: Don't use lmw/stmw for saving/restoring non volatile regs
    - powerpc: flexible GPR range save/restore macros
    - powerpc/tm: Fix more userspace r13 corruption
    - serial: sc16is7xx: Clear RS485 bits in the shutdown
    - bus: mhi: core: Use correctly sized arguments for bit field
    - bus: mhi: Fix pm_state conversion to string
    - stddef: Introduce DECLARE_FLEX_ARRAY() helper
    - uapi/linux/stddef.h: Add include guards
    - ASoC: rt5682: move clk related code to rt5682_i2c_probe
    - ASoC: rt5682: fix an incorrect NULL check on list iterator
    - drm/amd/vcn: fix an error msg on vcn 3.0
    - KVM: Don't create VM debugfs files outside of the VM directory
    - tty: n_gsm: Modify CR,PF bit when config requester
    - tty: n_gsm: Save dlci address open status when config requester
    - tty: n_gsm: fix frame reception handling
    - ALSA: usb-audio: add mapping for MSI MPG X570S Carbon Max Wifi.
    - ALSA: usb-audio: add mapping for MSI MAG X570S Torpedo MAX.
    - tty: n_gsm: fix missing update of modem controls after DLCI open
    - btrfs: zoned: encapsulate inode locking for zoned relocation
    - btrfs: zoned: use dedicated lock for data relocation
    - KVM: Initialize debugfs_dentry when a VM is created to avoid NULL deref
    - mm/hwpoison: mf_mutex for soft offline and unpoison
    - mm/hwpoison: avoid the impact of hwpoison_filter() return value on mce
      handler
    - mm/memory-failure.c: fix race with changing page compound again
    - mm/hwpoison: fix race between hugetlb free/demotion and
      memory_failure_hugetlb()
    - tty: n_gsm: fix invalid use of MSC in advanced option
    - tty: n_gsm: fix sometimes uninitialized warning in gsm_dlci_modem_output()
    - serial: 8250_mtk: Make sure to select the right FEATURE_SEL
    - tty: n_gsm: fix invalid gsmtty_write_room() result
    - drm/i915: Fix a race between vma / object destruction and unbinding
    - drm/mediatek: Use mailbox rx_callback instead of cmdq_task_cb
    - drm/mediatek: Remove the pointer of struct cmdq_client
    - drm/mediatek: Detect CMDQ execution timeout
    - drm/mediatek: Add cmdq_handle in mtk_crtc
    - drm/mediatek: Add vblank register/unregister callback functions
    - Bluetooth: protect le accept and resolv lists with hdev->lock
    - Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event
    - io_uring: avoid io-wq -EAGAIN looping for !IOPOLL
    - irqchip/gic-v3: Ensure pseudo-NMIs have an ISB between ack and handling
    - irqchip/gic-v3: Refactor ISB + EOIR at ack time
    - rxrpc: Fix locking issue
    - dt-bindings: soc: qcom: smd-rpm: Add compatible for MSM8953 SoC
    - dt-bindings: soc: qcom: smd-rpm: Fix missing MSM8936 compatible
    - module: change to print useful messages from elf_validity_check()
    - module: fix [e_shstrndx].sh_size=0 OOB access
    - iommu/vt-d: Fix PCI bus rescan device hot add
    - fbdev: fbmem: Fix logo center image dx issue
    - PM: runtime: Redefine pm_runtime_release_supplier()
    - memregion: Fix memregion_free() fallback definition
    - video: of_display_timing.h: include errno.h
    - powerpc/powernv: delay rng platform device creation until later in boot
    - net: dsa: qca8k: reset cpu port on MTU change
    - can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info
    - can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression
    - can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits
    - xfs: remove incorrect ASSERT in xfs_rename
    - Revert "serial: sc16is7xx: Clear RS485 bits in the shutdown"
    - btrfs: fix error pointer dereference in btrfs_ioctl_rm_dev_v2()
    - virtio-blk: modify the value type of num in virtio_queue_rq()
    - btrfs: fix use of uninitialized variable at rm device ioctl
    - tty: n_gsm: fix encoding of command/response bit
    - ARM: meson: Fix refcount leak in meson_smp_prepare_cpus
    - pinctrl: sunxi: a83t: Fix NAND function name for some pins
    - ASoC: rt711: Add endianness flag in snd_soc_component_driver
    - ASoC: rt711-sdca: Add endianness flag in snd_soc_component_driver
    - ASoC: codecs: rt700/rt711/rt711-sdca: resume bus/codec in .set_jack_detect
    - arm64: dts: qcom: msm8994: Fix CPU6/7 reg values
    - arm64: dts: qcom: sdm845: use dispcc AHB clock for mdss node
    - ARM: mxs_defconfig: Enable the framebuffer
    - arm64: dts: imx8mp-evk: correct mmc pad settings
    - arm64: dts: imx8mp-evk: correct the uart2 pinctl value
    - arm64: dts: imx8mp-evk: correct gpio-led pad settings
    - arm64: dts: imx8mp-evk: correct vbus pad settings
    - arm64: dts: imx8mp-evk: correct eqos pad settings
    - arm64: dts: imx8mp-evk: correct I2C1 pad settings
    - arm64: dts: imx8mp-evk: correct I2C3 pad settings
    - arm64: dts: imx8mp-phyboard-pollux-rdk: correct uart pad settings
    - arm64: dts: imx8mp-phyboard-pollux-rdk: correct eqos pad settings
    - arm64: dts: imx8mp-phyboard-pollux-rdk: correct i2c2 & mmc settings
    - pinctrl: sunxi: sunxi_pconf_set: use correct offset
    - arm64: dts: qcom: msm8992-*: Fix vdd_lvs1_2-supply typo
    - ARM: at91: pm: use proper compatible for sama5d2's rtc
    - ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt
    - ARM: at91: pm: use proper compatibles for sama7g5's rtc and rtt
    - ARM: dts: at91: sam9x60ek: fix eeprom compatible and size
    - ARM: dts: at91: sama5d2_icp: fix eeprom compatibles
    - ARM: at91: fix soc detection for SAM9X60 SiPs
    - xsk: Clear page contiguity bit when unmapping pool
    - i2c: piix4: Fix a memory leak in the EFCH MMIO support
    - i40e: Fix dropped jumbo frames statistics
    - i40e: Fix VF's MAC Address change on VM
    - ARM: dts: stm32: use usbphyc ck_usbo_48m as USBH OHCI clock on stm32mp151
    - ARM: dts: stm32: add missing usbh clock and fix clk order on stm32mp15
    - ibmvnic: Properly dispose of all skbs during a failover.
    - selftests: forwarding: fix flood_unicast_test when h2 supports
      IFF_UNICAST_FLT
    - selftests: forwarding: fix learning_test when h1 supports IFF_UNICAST_FLT
    - selftests: forwarding: fix error message in learning_test
    - r8169: fix accessing unset transport header
    - i2c: cadence: Unregister the clk notifier in error path
    - dmaengine: imx-sdma: Allow imx8m for imx7 FW revs
    - misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer
    - misc: rtsx_usb: use separate command and response buffers
    - misc: rtsx_usb: set return value in rsp_buf alloc err path
    - Revert "mm/memory-failure.c: fix race with changing page compound again"
    - Revert "serial: 8250_mtk: Make sure to select the right FEATURE_SEL"
    - dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo
    - ida: don't use BUG_ON() for debugging
    - dmaengine: pl330: Fix lockdep warning about non-static key
    - dmaengine: lgm: Fix an error handling path in intel_ldma_probe()
    - dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly
    - dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate
    - dmaengine: qcom: bam_dma: fix runtime PM underflow
    - dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate
    - dmaengine: idxd: force wq context cleanup on device disable path
    - selftests/net: fix section name when using xdp_dummy.o
    - Linux 5.15.54

-- Stefan Bader <stefan.bader@canonical.com>  Tue, 20 Sep 2022 11:17:11 +0200

Changed in linux (Ubuntu Jammy):
status:	Fix Committed → Fix Released

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-10-14:

This bug is awaiting verification that the linux-gkeop-5.15/5.15.0-1005.7~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-12-07:

This bug is awaiting verification that the linux-bluefield/5.15.0-1010.12 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-bluefield verification-needed-jammy
removed: verification-done-jammy

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-12-12:

#10

This bug is awaiting verification that the linux-nvidia/5.15.0-1011.11 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-nvidia

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-03-01:

#11

This bug is awaiting verification that the linux-mtk/5.15.0-1030.34 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-mtk' to 'verification-done-jammy-linux-mtk'. If the problem still exists, change the tag 'verification-needed-jammy-linux-mtk' to 'verification-failed-jammy-linux-mtk'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-mtk-v2 verification-needed-jammy-linux-mtk

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

amdgpu module crash after 5.15 kernel update

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package