diff -u linux-oem-6.0-6.0.0/arch/x86/kvm/vmx/nested.c linux-oem-6.0-6.0.0/arch/x86/kvm/vmx/nested.c --- linux-oem-6.0-6.0.0/arch/x86/kvm/vmx/nested.c +++ linux-oem-6.0-6.0.0/arch/x86/kvm/vmx/nested.c @@ -3007,7 +3007,7 @@ struct vmcs12 *vmcs12, enum vm_entry_failure_code *entry_failure_code) { - bool ia32e; + bool ia32e = !!(vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE); *entry_failure_code = ENTRY_FAIL_DEFAULT; @@ -3033,6 +3033,13 @@ vmcs12->guest_ia32_perf_global_ctrl))) return -EINVAL; + if (CC((vmcs12->guest_cr0 & (X86_CR0_PG | X86_CR0_PE)) == X86_CR0_PG)) + return -EINVAL; + + if (CC(ia32e && !(vmcs12->guest_cr4 & X86_CR4_PAE)) || + CC(ia32e && !(vmcs12->guest_cr0 & X86_CR0_PG))) + return -EINVAL; + /* * If the load IA32_EFER VM-entry control is 1, the following checks * are performed on the field for the IA32_EFER MSR: @@ -3044,7 +3051,6 @@ */ if (to_vmx(vcpu)->nested.nested_run_pending && (vmcs12->vm_entry_controls & VM_ENTRY_LOAD_IA32_EFER)) { - ia32e = (vmcs12->vm_entry_controls & VM_ENTRY_IA32E_MODE) != 0; if (CC(!kvm_valid_efer(vcpu, vmcs12->guest_ia32_efer)) || CC(ia32e != !!(vmcs12->guest_ia32_efer & EFER_LMA)) || CC(((vmcs12->guest_cr0 & X86_CR0_PG) && diff -u linux-oem-6.0-6.0.0/debian.oem/abi/abiname linux-oem-6.0-6.0.0/debian.oem/abi/abiname --- linux-oem-6.0-6.0.0/debian.oem/abi/abiname +++ linux-oem-6.0-6.0.0/debian.oem/abi/abiname @@ -1 +1 @@ -1015 +1016 diff -u linux-oem-6.0-6.0.0/debian.oem/abi/amd64/oem linux-oem-6.0-6.0.0/debian.oem/abi/amd64/oem --- linux-oem-6.0-6.0.0/debian.oem/abi/amd64/oem +++ linux-oem-6.0-6.0.0/debian.oem/abi/amd64/oem 
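Review bot: The guest-state checks added in the second nested.c hunk (`CR0.PG` set without `CR0.PE`, and IA-32e mode entry without `CR4.PAE` or `CR0.PG`) carry no comment, while the IA32_EFER checks directly below them have a block comment stating the rule they enforce. A short comment above the first `if`, such as `/* CR0.PG requires CR0.PE; an IA-32e mode guest additionally requires CR0.PG and CR4.PAE. */`, would let a reader match the masks to the VM-entry guest-state rules. Note also that `ia32e` is now derived from `vm_entry_controls` unconditionally, whereas the cross-check against `EFER_LMA` still runs only when `nested_run_pending` and `VM_ENTRY_LOAD_IA32_EFER` are set, so the new checks rely on the control bit alone. The function body starts before and continues past these hunks.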
@@ -140,6 +140,7 @@ EXPORT_SYMBOL drivers/acpi/video 0x7a45377b acpi_video_unregister EXPORT_SYMBOL drivers/acpi/video 0x7cc484a5 acpi_video_handles_brightness_key_presses EXPORT_SYMBOL drivers/acpi/video 0x8826c13b acpi_video_register +EXPORT_SYMBOL drivers/acpi/video 0xab17113b acpi_video_backlight_use_native EXPORT_SYMBOL drivers/acpi/video 0xe92ca535 acpi_video_set_dmi_backlight_type EXPORT_SYMBOL drivers/acpi/video 0xedcb3068 acpi_video_get_levels EXPORT_SYMBOL drivers/atm/suni 0x09e4543a suni_init diff -u linux-oem-6.0-6.0.0/debian.oem/abi/version linux-oem-6.0-6.0.0/debian.oem/abi/version --- linux-oem-6.0-6.0.0/debian.oem/abi/version +++ linux-oem-6.0-6.0.0/debian.oem/abi/version @@ -1 +1 @@ -6.0.0-1015.15 +6.0.0-1016.16 diff -u linux-oem-6.0-6.0.0/debian.oem/changelog linux-oem-6.0-6.0.0/debian.oem/changelog --- linux-oem-6.0-6.0.0/debian.oem/changelog +++ linux-oem-6.0-6.0.0/debian.oem/changelog @@ -1,3 +1,24 @@ +linux-oem-6.0 (6.0.0-1017.17) jammy; urgency=medium + + * jammy/linux-oem-6.0: 6.0.0-1017.17 -proposed tracker (LP: #2019649) + + * CVE-2023-26606 + - fs/ntfs3: Fix slab-out-of-bounds read in ntfs_trim_fs + + * CVE-2023-32233 + - netfilter: nf_tables: deactivate anonymous set from preparation phase + + * CVE-2023-2612 + - SAUCE: shiftfs: prevent lock unbalance in shiftfs_create_object() + + * CVE-2023-1670 + - xirc2ps_cs: Fix use after free bug in xirc2ps_detach + + * CVE-2023-30456 + - KVM: nVMX: add missing consistency checks for CR0 and CR4 + + -- Timo Aaltonen Thu, 18 May 2023 15:32:19 +0300 + linux-oem-6.0 (6.0.0-1016.16) jammy; urgency=medium * jammy/linux-oem-6.0: 6.0.0-1016.16 -proposed tracker (LP: #2016550) diff -u linux-oem-6.0-6.0.0/debian.oem/tracking-bug linux-oem-6.0-6.0.0/debian.oem/tracking-bug --- linux-oem-6.0-6.0.0/debian.oem/tracking-bug +++ linux-oem-6.0-6.0.0/debian.oem/tracking-bug 
@@ -1 +1 @@ -2016550 2023.04.17-1 +2019649 2023.04.17-4 diff -u linux-oem-6.0-6.0.0/debian/changelog linux-oem-6.0-6.0.0/debian/changelog --- linux-oem-6.0-6.0.0/debian/changelog +++ linux-oem-6.0-6.0.0/debian/changelog @@ -1,3 +1,24 @@ +linux-oem-6.0 (6.0.0-1017.17) jammy; urgency=medium + + * jammy/linux-oem-6.0: 6.0.0-1017.17 -proposed tracker (LP: #2019649) + + * CVE-2023-26606 + - fs/ntfs3: Fix slab-out-of-bounds read in ntfs_trim_fs + + * CVE-2023-32233 + - netfilter: nf_tables: deactivate anonymous set from preparation phase + + * CVE-2023-2612 + - SAUCE: shiftfs: prevent lock unbalance in shiftfs_create_object() + + * CVE-2023-1670 + - xirc2ps_cs: Fix use after free bug in xirc2ps_detach + + * CVE-2023-30456 + - KVM: nVMX: add missing consistency checks for CR0 and CR4 + + -- Timo Aaltonen Thu, 18 May 2023 15:32:19 +0300 + linux-oem-6.0 (6.0.0-1016.16) jammy; urgency=medium * jammy/linux-oem-6.0: 6.0.0-1016.16 -proposed tracker (LP: #2016550) diff -u linux-oem-6.0-6.0.0/debian/control linux-oem-6.0-6.0.0/debian/control --- linux-oem-6.0-6.0.0/debian/control +++ linux-oem-6.0-6.0.0/debian/control @@ -62,7 +62,7 @@ XS-Testsuite: autopkgtest #XS-Testsuite-Depends: gcc-4.7 binutils -Package: linux-oem-6.0-headers-6.0.0-1016 +Package: linux-oem-6.0-headers-6.0.0-1017 Build-Profiles: Architecture: all Multi-Arch: foreign 
@@ -72,20 +72,20 @@ Description: Header files related to Linux kernel version 6.0.0 This package provides kernel header files for version 6.0.0, for sites that want the latest kernel headers. Please read - /usr/share/doc/linux-oem-6.0-headers-6.0.0-1016/debian.README.gz for details + /usr/share/doc/linux-oem-6.0-headers-6.0.0-1017/debian.README.gz for details -Package: linux-oem-6.0-tools-6.0.0-1016 +Package: linux-oem-6.0-tools-6.0.0-1017 Build-Profiles: Architecture: amd64 Section: devel Priority: optional Depends: ${misc:Depends}, ${shlibs:Depends}, linux-tools-common -Description: Linux kernel version specific tools for version 6.0.0-1016 +Description: Linux kernel version specific tools for version 6.0.0-1017 This package provides the architecture dependant parts for kernel version locked tools (such as perf and x86_energy_perf_policy) for - version 6.0.0-1016 on + version 6.0.0-1017 on 64 bit x86. - You probably want to install linux-tools-6.0.0-1016-. + You probably want to install linux-tools-6.0.0-1017-. Package: linux-oem-6.0-tools-host Build-Profiles: 
@@ -99,17 +99,17 @@ -Package: linux-image-unsigned-6.0.0-1016-oem +Package: linux-image-unsigned-6.0.0-1017-oem Build-Profiles: Architecture: amd64 Section: kernel Priority: optional Provides: linux-image, fuse-module, kvm-api-4, redhat-cluster-modules, ivtv-modules, virtualbox-guest-modules [amd64], ${linux:rprovides} -Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.0.0-1016-oem +Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-6.0.0-1017-oem Recommends: grub-pc [amd64] | grub-efi-amd64 [amd64] | grub-efi-ia32 [amd64] | grub [amd64] | lilo [amd64] | flash-kernel [armhf arm64] | grub-efi-arm64 [arm64] | grub-efi-arm [armhf] | grub-ieee1275 [ppc64el], initramfs-tools | linux-initramfs-tool Breaks: flash-kernel (<< 3.90ubuntu2) [arm64 armhf], s390-tools (<< 2.3.0-0ubuntu3) [s390x] -Conflicts: linux-image-6.0.0-1016-oem -Suggests: fdutils, linux-oem-6.0-tools, linux-headers-6.0.0-1016-oem +Conflicts: linux-image-6.0.0-1017-oem +Suggests: fdutils, linux-oem-6.0-tools, linux-headers-6.0.0-1017-oem Description: Linux kernel image for version 6.0.0 on 64 bit x86 SMP This package contains the unsigned Linux kernel image for version 6.0.0 on 64 bit x86 SMP. @@ -122,12 +122,12 @@ the linux-oem meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-modules-6.0.0-1016-oem +Package: linux-modules-6.0.0-1017-oem Build-Profiles: Architecture: amd64 Section: kernel Priority: optional -Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-6.0.0-1016-oem | linux-image-unsigned-6.0.0-1016-oem +Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-6.0.0-1017-oem | linux-image-unsigned-6.0.0-1017-oem Built-Using: ${linux:BuiltUsing} Description: Linux kernel extra modules for version 6.0.0 on 64 bit x86 SMP Contains the corresponding System.map file, the modules built by the 
@@ -142,12 +142,12 @@ the linux-oem meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-modules-extra-6.0.0-1016-oem +Package: linux-modules-extra-6.0.0-1017-oem Build-Profiles: Architecture: amd64 Section: kernel Priority: optional -Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-6.0.0-1016-oem | linux-image-unsigned-6.0.0-1016-oem, wireless-regdb +Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-6.0.0-1017-oem | linux-image-unsigned-6.0.0-1017-oem, wireless-regdb Description: Linux kernel extra modules for version 6.0.0 on 64 bit x86 SMP This package contains the Linux kernel extra modules for version 6.0.0 on 64 bit x86 SMP. @@ -164,21 +164,21 @@ the linux-oem meta-package, which will ensure that upgrades work correctly, and that supporting packages are also installed. -Package: linux-headers-6.0.0-1016-oem +Package: linux-headers-6.0.0-1017-oem Build-Profiles: Architecture: amd64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-oem-6.0-headers-6.0.0-1016, ${shlibs:Depends} +Depends: ${misc:Depends}, linux-oem-6.0-headers-6.0.0-1017, ${shlibs:Depends} Provides: linux-headers, linux-headers-3.0 Description: Linux kernel headers for version 6.0.0 on 64 bit x86 SMP This package provides kernel header files for version 6.0.0 on 64 bit x86 SMP. . This is for sites that want the latest kernel headers. Please read - /usr/share/doc/linux-headers-6.0.0-1016/debian.README.gz for details. + /usr/share/doc/linux-headers-6.0.0-1017/debian.README.gz for details. -Package: linux-image-unsigned-6.0.0-1016-oem-dbgsym +Package: linux-image-unsigned-6.0.0-1017-oem-dbgsym Build-Profiles: Architecture: amd64 Section: devel 
@@ -195,31 +195,31 @@ is uncompressed, and unstripped. This package also includes the unstripped modules. -Package: linux-tools-6.0.0-1016-oem +Package: linux-tools-6.0.0-1017-oem Build-Profiles: Architecture: amd64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-oem-6.0-tools-6.0.0-1016 -Description: Linux kernel version specific tools for version 6.0.0-1016 +Depends: ${misc:Depends}, linux-oem-6.0-tools-6.0.0-1017 +Description: Linux kernel version specific tools for version 6.0.0-1017 This package provides the architecture dependant parts for kernel version locked tools (such as perf and x86_energy_perf_policy) for - version 6.0.0-1016 on + version 6.0.0-1017 on 64 bit x86. -Package: linux-cloud-tools-6.0.0-1016-oem +Package: linux-cloud-tools-6.0.0-1017-oem Build-Profiles: Architecture: amd64 Section: devel Priority: optional -Depends: ${misc:Depends}, linux-oem-6.0-cloud-tools-6.0.0-1016 -Description: Linux kernel version specific cloud tools for version 6.0.0-1016 +Depends: ${misc:Depends}, linux-oem-6.0-cloud-tools-6.0.0-1017 +Description: Linux kernel version specific cloud tools for version 6.0.0-1017 This package provides the architecture dependant parts for kernel - version locked tools for cloud for version 6.0.0-1016 on + version locked tools for cloud for version 6.0.0-1017 on 64 bit x86. -Package: linux-buildinfo-6.0.0-1016-oem +Package: linux-buildinfo-6.0.0-1017-oem Build-Profiles: Architecture: amd64 Section: kernel 
@@ -233,18 +233,18 @@ You likely do not want to install this package. -Package: linux-modules-ipu6-6.0.0-1016-oem +Package: linux-modules-ipu6-6.0.0-1017-oem Build-Profiles: Architecture: amd64 Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.0.0-1016-oem | linux-image-unsigned-6.0.0-1016-oem, + linux-image-6.0.0-1017-oem | linux-image-unsigned-6.0.0-1017-oem, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel ipu6 modules for version 6.0.0-1016 +Description: Linux kernel ipu6 modules for version 6.0.0-1017 This package provides the Linux kernel ipu6 modules for version - 6.0.0-1016. + 6.0.0-1017. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-ipu6-oem* meta-packages, @@ -252,18 +252,18 @@ also installed. -Package: linux-modules-ivsc-6.0.0-1016-oem +Package: linux-modules-ivsc-6.0.0-1017-oem Build-Profiles: Architecture: amd64 Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.0.0-1016-oem | linux-image-unsigned-6.0.0-1016-oem, + linux-image-6.0.0-1017-oem | linux-image-unsigned-6.0.0-1017-oem, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel ivsc modules for version 6.0.0-1016 +Description: Linux kernel ivsc modules for version 6.0.0-1017 This package provides the Linux kernel ivsc modules for version - 6.0.0-1016. + 6.0.0-1017. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-ivsc-oem* meta-packages, 
@@ -271,18 +271,18 @@ also installed. -Package: linux-modules-iwlwifi-6.0.0-1016-oem +Package: linux-modules-iwlwifi-6.0.0-1017-oem Build-Profiles: Architecture: amd64 Section: kernel Priority: optional Depends: ${misc:Depends}, - linux-image-6.0.0-1016-oem | linux-image-unsigned-6.0.0-1016-oem, + linux-image-6.0.0-1017-oem | linux-image-unsigned-6.0.0-1017-oem, Built-Using: ${linux:BuiltUsing} -Description: Linux kernel iwlwifi modules for version 6.0.0-1016 +Description: Linux kernel iwlwifi modules for version 6.0.0-1017 This package provides the Linux kernel iwlwifi modules for version - 6.0.0-1016. + 6.0.0-1017. . You likely do not want to install this package directly. Instead, install the one of the linux-modules-iwlwifi-oem* meta-packages, diff -u linux-oem-6.0-6.0.0/fs/shiftfs.c linux-oem-6.0-6.0.0/fs/shiftfs.c --- linux-oem-6.0-6.0.0/fs/shiftfs.c +++ linux-oem-6.0-6.0.0/fs/shiftfs.c @@ -409,6 +409,8 @@ const struct inode_operations *loweri_dir_iop = loweri_dir->i_op; struct dentry *lowerd_link = NULL; + inode_lock_nested(loweri_dir, I_MUTEX_PARENT); + if (hardlink) { loweri_iop_ptr = loweri_dir_iop->link; } else { @@ -434,8 +436,6 @@ goto out_iput; } - inode_lock_nested(loweri_dir, I_MUTEX_PARENT); - if (!hardlink) { inode = new_inode(dir_sb); if (!inode) { diff -u linux-oem-6.0-6.0.0/net/netfilter/nf_tables_api.c linux-oem-6.0-6.0.0/net/netfilter/nf_tables_api.c --- linux-oem-6.0-6.0.0/net/netfilter/nf_tables_api.c +++ linux-oem-6.0-6.0.0/net/netfilter/nf_tables_api.c 
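Review bot: With `inode_lock_nested(loweri_dir, I_MUTEX_PARENT)` moved to the top of the function in fs/shiftfs.c, the `goto out_iput` exit in the second hunk is now reached with the parent lock held, but neither hunk shows the `out_iput` label, so it cannot be confirmed from here that every exit releases the lock exactly once. Presumably the cleanup path unlocks unconditionally and the old placement left an early exit that unlocked a lock it never took. A comment at the new call site would pin that invariant, e.g. `/* Taken before any path that can jump to the cleanup labels, which unlock loweri_dir. */`. The function starts before and continues past both hunks.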
@@ -4805,12 +4805,24 @@ } } +void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) +{ + if (nft_set_is_anonymous(set)) + nft_clear(ctx->net, set); + + set->use++; +} +EXPORT_SYMBOL_GPL(nf_tables_activate_set); + void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, struct nft_set_binding *binding, enum nft_trans_phase phase) { switch (phase) { case NFT_TRANS_PREPARE: + if (nft_set_is_anonymous(set)) + nft_deactivate_next(ctx->net, set); + set->use--; return; case NFT_TRANS_ABORT: only in patch2: unchanged: --- linux-oem-6.0-6.0.0.orig/drivers/net/ethernet/xircom/xirc2ps_cs.c +++ linux-oem-6.0-6.0.0/drivers/net/ethernet/xircom/xirc2ps_cs.c @@ -503,6 +503,11 @@ xirc2ps_detach(struct pcmcia_device *link) { struct net_device *dev = link->priv; + struct local_info *local = netdev_priv(dev); + + netif_carrier_off(dev); + netif_tx_disable(dev); + cancel_work_sync(&local->tx_timeout_task); dev_dbg(&link->dev, "detach\n"); only in patch2: unchanged: --- linux-oem-6.0-6.0.0.orig/fs/ntfs3/bitmap.c +++ linux-oem-6.0-6.0.0/fs/ntfs3/bitmap.c @@ -1424,7 +1424,7 @@ down_read_nested(&wnd->rw_lock, BITMAP_MUTEX_CLUSTERS); - for (; iw < wnd->nbits; iw++, wbit = 0) { + for (; iw < wnd->nwnd; iw++, wbit = 0) { CLST lcn_wnd = iw * wbits; struct buffer_head *bh; only in patch2: unchanged: --- linux-oem-6.0-6.0.0.orig/include/net/netfilter/nf_tables.h +++ linux-oem-6.0-6.0.0/include/net/netfilter/nf_tables.h @@ -600,6 +600,7 @@ }; enum nft_trans_phase; +void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set); void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, struct nft_set_binding *binding, enum nft_trans_phase phase); only in patch2: unchanged: --- linux-oem-6.0-6.0.0.orig/net/netfilter/nft_dynset.c +++ linux-oem-6.0-6.0.0/net/netfilter/nft_dynset.c 
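Review bot: `nf_tables_activate_set()` is exported with `EXPORT_SYMBOL_GPL` but has no comment stating that it is the inverse of the `NFT_TRANS_PREPARE` branch of `nf_tables_deactivate_set()`, which is the pairing every expression's activate callback now has to preserve. A kernel-doc header should say that it clears the next-generation inactive mark on an anonymous set and takes back the `use` reference dropped in the prepare phase. Separately, `set->use++` and `set->use--` are plain arithmetic with no bound check visible in the hunk, so it is worth confirming elsewhere that the counter cannot wrap and drift from the real number of references. The `switch` in `nf_tables_deactivate_set()` continues outside the hunk.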
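Review bot: The three calls added to `xirc2ps_detach()` depend on their order, and nothing at the call site says so. `netif_carrier_off()` and `netif_tx_disable()` run before `cancel_work_sync(&local->tx_timeout_task)`, presumably so the TX timeout work cannot be queued again once it has been cancelled. A comment such as `/* Quiesce TX first so tx_timeout_task cannot be rescheduled, then wait for it before the device is torn down. */` would keep a later reorder from reopening that window. The rest of the detach body is outside the hunk, so whether anything else can still schedule the work is not visible here.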
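Review bot: The loop in fs/ntfs3/bitmap.c now bounds `iw` by `wnd->nwnd` instead of `wnd->nbits`, but nothing in the hunk states which unit each field counts, and `CLST lcn_wnd = iw * wbits` on the next line converts between them again. Assuming `nwnd` is the number of bitmap windows and `nbits` the total bit count (to be confirmed against the struct definition), a one-line comment above the loop such as `/* iw indexes windows (nwnd), not bits (nbits) */` would make the bound self-explanatory. It would also guard against the same index/bit mix-up being reintroduced. The enclosing function begins and ends outside the hunk.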
@@ -342,7 +342,7 @@ { struct nft_dynset *priv = nft_expr_priv(expr); - priv->set->use++; + nf_tables_activate_set(ctx, priv->set); } static void nft_dynset_destroy(const struct nft_ctx *ctx, only in patch2: unchanged: --- linux-oem-6.0-6.0.0.orig/net/netfilter/nft_lookup.c +++ linux-oem-6.0-6.0.0/net/netfilter/nft_lookup.c @@ -167,7 +167,7 @@ { struct nft_lookup *priv = nft_expr_priv(expr); - priv->set->use++; + nf_tables_activate_set(ctx, priv->set); } static void nft_lookup_destroy(const struct nft_ctx *ctx, only in patch2: unchanged: --- linux-oem-6.0-6.0.0.orig/net/netfilter/nft_objref.c +++ linux-oem-6.0-6.0.0/net/netfilter/nft_objref.c @@ -184,7 +184,7 @@ { struct nft_objref_map *priv = nft_expr_priv(expr); - priv->set->use++; + nf_tables_activate_set(ctx, priv->set); } static void nft_objref_map_destroy(const struct nft_ctx *ctx,