Ubuntu
linux package

Jammy update: v5.15.127 upstream stable release

Bug #2038382 reported by Kamal Mostafa on 2023-10-03

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Jammy	Fix Released	Medium	Kamal Mostafa

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

v5.15.127 upstream stable release
from git://git.kernel.org/

ksmbd: validate command request size
ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()
wireguard: allowedips: expand maximum node depth
mmc: moxart: read scr register without changing byte order
ipv6: adjust ndisc_is_useropt() to also return true for PIO
dmaengine: pl330: Return DMA_PAUSED when transaction is paused
riscv,mmio: Fix readX()-to-delay() ordering
drm/nouveau/gr: enable memory loads on helper invocation on all channels
drm/shmem-helper: Reset vma->vm_ops before calling dma_buf_mmap()
drm/amd/display: check attr flag before set cursor degamma on DCN3+
hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100
radix tree test suite: fix incorrect allocation size for pthreads
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
bpf: allow precision tracking for programs with subprogs
bpf: stop setting precise in current state
bpf: aggressively forget precise markings during state checkpointing
selftests/bpf: make test_align selftest more robust
selftests/bpf: Workaround verification failure for fexit_bpf2bpf/func_replace_return_code
selftests/bpf: Fix sk_assign on s390x
io_uring: correct check for O_TMPFILE
iio: cros_ec: Fix the allocation size for cros_ec_command
iio: adc: ina2xx: avoid NULL pointer dereference on OF device match
binder: fix memory leak in binder_init()
misc: rtsx: judge ASPM Mode to set PETXCFG Reg
usb-storage: alauda: Fix uninit-value in alauda_check_media()
usb: dwc3: Properly handle processing of pending events
usb: common: usb-conn-gpio: Prevent bailing out if initial role is none
usb: typec: tcpm: Fix response to vsafe0V event
x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405
x86/mm: Fix VDSO and VVAR placement on 5-level paging machines
x86/speculation: Add cpu_show_gds() prototype
x86: Move gds_ucode_mitigated() declaration to header
drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes
selftests/rseq: Fix build with undefined __weak
selftests: forwarding: Add a helper to skip test when using veth pairs
selftests: forwarding: ethtool: Skip when using veth pairs
selftests: forwarding: ethtool_extended_state: Skip when using veth pairs
selftests: forwarding: Skip test when no interfaces are specified
selftests: forwarding: Switch off timeout
selftests: forwarding: tc_flower: Relax success criterion
net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()
bpf, sockmap: Fix map type error in sock_map_del_link
bpf, sockmap: Fix bug that strp_done cannot be called
mISDN: Update parameter type of dsp_cmx_send()
net/packet: annotate data-races around tp->status
tunnels: fix kasan splat when generating ipv4 pmtu error
xsk: fix refcount underflow in error path
bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
dccp: fix data-race around dp->dccps_mss_cache
drivers: net: prevent tun_build_skb() to exceed the packet size limit
iavf: fix potential races for FDIR filters
IB/hfi1: Fix possible panic during hotplug remove
drm/rockchip: Don't spam logs in atomic check
wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
RDMA/umem: Set iova in ODP flow
net: phy: at803x: remove set/get wol callbacks for AR8032
net: hns3: refactor hclge_mac_link_status_wait for interface reuse
net: hns3: add wait until mac link down
nexthop: Fix infinite nexthop dump when using maximum nexthop ID
nexthop: Make nexthop bucket dump more efficient
nexthop: Fix infinite nexthop bucket dump when using maximum nexthop ID
dmaengine: mcf-edma: Fix a potential un-allocated memory access
net/mlx5: Allow 0 for total host VFs
net/mlx5: Skip clock update work when device is in error state
ibmvnic: Enforce stronger sanity checks on login response
ibmvnic: Unmap DMA login rsp buffer on send login fail
ibmvnic: Handle DMA unmapping of login buffs in release functions
btrfs: don't stop integrity writeback too early
btrfs: exit gracefully if reloc roots don't match
btrfs: reject invalid reloc tree root keys with stack dump
btrfs: set cache_block_group_error if we find an error
nvme-tcp: fix potential unbalanced freeze & unfreeze
nvme-rdma: fix potential unbalanced freeze & unfreeze
netfilter: nf_tables: report use refcount overflow
scsi: core: Fix legacy /proc parsing buffer overflow
scsi: storvsc: Fix handling of virtual Fibre Channel timeouts
scsi: 53c700: Check that command slot is not NULL
scsi: snic: Fix possible memory leak if device_add() fails
scsi: core: Fix possible memory leak if device_add() fails
scsi: fnic: Replace return codes in fnic_clean_pending_aborts()
scsi: qedi: Fix firmware halt over suspend and resume
scsi: qedf: Fix firmware halt over suspend and resume
alpha: remove __init annotation from exported page_is_ram()
sch_netem: fix issues in netem_change() vs get_dist_table()
tick: Detect and fix jiffies update stall
timers/nohz: Switch to ONESHOT_STOPPED in the low-res handler when the tick is stopped
timers/nohz: Last resort update jiffies on nohz_full IRQ entry
Linux 5.15.127
UBUNTU: Upstream stable to v5.15.127

See original description

Tags:

CVE References

Kamal Mostafa (kamalmostafa) on 2023-10-03

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug

Kamal Mostafa (kamalmostafa) on 2023-10-03

Changed in linux (Ubuntu):
status:	Confirmed → Invalid
Changed in linux (Ubuntu Jammy):
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Kamal Mostafa (kamalmostafa)
description:	updated

Stefan Bader (smb) on 2023-10-16

Changed in linux (Ubuntu Jammy):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-12-07:

Download full text (23.1 KiB)

This bug was fixed in the package linux - 5.15.0-91.101

---------------
linux (5.15.0-91.101) jammy; urgency=medium

* jammy/linux: 5.15.0-91.101 -proposed tracker (LP: #2043452)

  * USB bus error after upgrading to proposed kernel on lunar and jammy
    (LP: #2043197)
    - USB: core: Fix oversight in SuperSpeed initialization

linux (5.15.0-90.100) jammy; urgency=medium

* jammy/linux: 5.15.0-90.100 -proposed tracker (LP: #2041603)

  * CVE-2023-25775
    - RDMA/irdma: Remove irdma_uk_mw_bind()
    - RDMA/irdma: Remove irdma_sc_send_lsmm_nostag()
    - RDMA/irdma: Remove irdma_cqp_up_map_cmd()
    - RDMA/irdma: Remove irdma_get_hw_addr()
    - RDMA/irdma: Make irdma_uk_cq_init() return a void
    - RDMA/irdma: optimize rx path by removing unnecessary copy
    - RDMA/irdma: Remove enum irdma_status_code
    - RDMA/irdma: Remove excess error variables
    - RDMA/irdma: Prevent zero-length STAG registration

* CVE-2023-39189
- netfilter: nfnetlink_osf: avoid OOB read

  * SMC stats: Wrong bucket calculation for payload of exactly 4096 bytes
    (LP: #2039575)
    - net/smc: Fix pos miscalculation in statistics

* CVE-2023-45871
- igb: set max size RX buffer when store bad packet is enabled

* CVE-2023-39193
- netfilter: xt_sctp: validate the flag_info count

* CVE-2023-39192
- netfilter: xt_u32: validate user space input

* CVE-2023-31085
- ubi: Refuse attaching if mtd's erasesize is 0

* CVE-2023-5717
- perf: Disallow mis-matched inherited group reads

* CVE-2023-5178
- nvmet-tcp: Fix a possible UAF in queue intialization setup

* CVE-2023-5158
- vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()

  * [SRU][J/L/M] UBUNTU: [Packaging] Make WWAN driver a loadable module
    (LP: #2033406)
    - [Packaging] Make WWAN driver loadable modules

  * HP ProBook 450 G8 Notebook fail to wifi test (LP: #2037513)
    - iwlwifi: mvm: Don't fail if PPAG isn't supported
    - wifi: iwlwifi: fw: skip PPAG for JF

* usbip: error: failed to open /usr/share/hwdata//usb.ids (LP: #2039439)
- [Packaging] Make linux-tools-common depend on hwdata

* scripts/pahole-flags.sh change return to exit 0 (LP: #2035123)
- SAUCE: scripts/pahole-flags.sh change return to exit 0

  * Unable to use nvme drive to install Ubuntu 23.10 (LP: #2040157)
    - misc: rtsx: Fix some platforms can not boot and move the l1ss judgment to
      probe

This bug was fixed in the package linux - 5.15.0-91.101

---------------
linux (5.15.0-91.101) jammy; urgency=medium

* jammy/linux: 5.15.0-91.101 -proposed tracker (LP: #2043452)

* USB bus error after upgrading to proposed kernel on lunar and jammy
    (LP: #2043197)
    - USB: core: Fix oversight in SuperSpeed initialization

linux (5.15.0-90.100) jammy; urgency=medium

* jammy/linux: 5.15.0-90.100 -proposed tracker (LP: #2041603)

* CVE-2023-39189
    - netfilter: nfnetlink_osf: avoid OOB read

* SMC stats: Wrong bucket calculation for payload of exactly 4096 bytes
    (LP: #2039575)
    - net/smc: Fix pos miscalculation in statistics

* CVE-2023-45871
    - igb: set max size RX buffer when store bad packet is enabled

* CVE-2023-39193
    - netfilter: xt_sctp: validate the flag_info count

* CVE-2023-39192
    - netfilter: xt_u32: validate user space input

* CVE-2023-31085
    - ubi: Refuse attaching if mtd's erasesize is 0

* CVE-2023-5717
    - perf: Disallow mis-matched inherited group reads

* CVE-2023-5178
    - nvmet-tcp: Fix a possible UAF in queue intialization setup

* CVE-2023-5158
    - vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()

* [SRU][J/L/M] UBUNTU: [Packaging] Make WWAN driver a loadable module
    (LP: #2033406)
    - [Packaging] Make WWAN driver loadable modules

* HP ProBook 450 G8 Notebook fail to wifi test (LP: #2037513)
    - iwlwifi: mvm: Don't fail if PPAG isn't supported
    - wifi: iwlwifi: fw: skip PPAG for JF

* usbip: error: failed to open /usr/share/hwdata//usb.ids (LP: #2039439)
    - [Packaging] Make linux-tools-common depend on hwdata

* scripts/pahole-flags.sh change return to exit 0 (LP: #2035123)
    - SAUCE: scripts/pahole-flags.sh change return to exit 0

* Unable to use nvme drive to install Ubuntu 23.10 (LP: #2040157)
    - misc: rtsx: Fix some platforms can not boot and move the l1ss judgment to
      probe

* Jammy update: v5.15.131 upstream stable release (LP: #2039610)
    - erofs: ensure that the post-EOF tails are all zeroed
    - ksmbd: fix wrong DataOffset validation of create context
    - ksmbd: replace one-element array with flex-array member in struct
      smb2_ea_info
    - ARM: pxa: remove use of symbol_get()
    - mmc: au1xmmc: force non-modular build and remove symbol_get usage
    - net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index
    - rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff
    - modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules
    - USB: serial: option: add Quectel EM05G variant (0x030e)
    - USB: serial: option: add FOXCONN T99W368/T99W373 product
    - ALSA: usb-audio: Fix init call orders for UAC1
    - usb: dwc3: meson-g12a: do post init to fix broken usb after resumption
    - usb: chipidea: imx: improve logic if samsung,picophy-* parameter is 0
    - HID: wacom: remove the battery when the EKR is off
    - staging: rtl8712: fix race condition
    - Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race
      condition
    - wifi: mt76: mt7921: do not support one stream on secondary antenna only
    - serial: qcom-geni: fix opp vote on shutdown
    - serial: sc16is7xx: fix broken port 0 uart init
    - serial: sc16is7xx: fix bug when first setting GPIO direction
    - firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe
    - fsi: master-ast-cf: Add MODULE_FIRMWARE macro
    - tcpm: Avoid soft reset when partner does not support get_status
    - nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
    - nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
    - pinctrl: amd: Don't show `Invalid config param` errors
    - usb: typec: tcpci: move tcpci.h to include/linux/usb/
    - usb: typec: tcpci: clear the fault status bit
    - Linux 5.15.131

* Jammy update: v5.15.130 upstream stable release (LP: #2039608)
    - ACPI: thermal: Drop nocrt parameter
    - module: Expose module_init_layout_section()
    - arm64: module-plts: inline linux/moduleloader.h
    - arm64: module: Use module_init_layout_section() to spot init sections
    - ARM: module: Use module_init_layout_section() to spot init sections
    - rcu: Prevent expedited GP from enabling tick on offline CPU
    - rcu-tasks: Fix IPI failure handling in trc_wait_for_one_reader
    - rcu-tasks: Wait for trc_read_check_handler() IPIs
    - rcu-tasks: Add trc_inspect_reader() checks for exiting critical section
    - Linux 5.15.130

* CVE-2023-42754
    - ipv4: fix null-deref in ipv4_link_failure

* Jammy update: v5.15.129 upstream stable release (LP: #2039227)
    - NFSv4.2: fix error handling in nfs42_proc_getxattr
    - NFSv4: fix out path in __nfs4_get_acl_uncached
    - xprtrdma: Remap Receive buffers after a reconnect
    - PCI: acpiphp: Reassign resources on bridge if necessary
    - dlm: improve plock logging if interrupted
    - dlm: replace usage of found with dedicated list iterator variable
    - fs: dlm: add pid to debug log
    - fs: dlm: change plock interrupted message to debug again
    - fs: dlm: use dlm_plock_info for do_unlock_close
    - fs: dlm: fix mismatch of plock results from userspace
    - MIPS: cpu-features: Enable octeon_cache by cpu_type
    - MIPS: cpu-features: Use boot_cpu_type for CPU type based features
    - fbdev: Improve performance of sys_imageblit()
    - fbdev: Fix sys_imageblit() for arbitrary image widths
    - fbdev: fix potential OOB read in fast_imageblit()
    - ALSA: pcm: Fix potential data race at PCM memory allocation helpers
    - jbd2: remove t_checkpoint_io_list
    - jbd2: remove journal_clean_one_cp_list()
    - jbd2: fix a race when checking checkpoint buffer busy
    - can: raw: fix receiver memory leak
    - drm/amd/display: do not wait for mpc idle if tg is disabled
    - drm/amd/display: check TG is non-null before checking if enabled
    - can: raw: fix lockdep issue in raw_release()
    - tracing: Fix cpu buffers unavailable due to 'record_disabled' missed
    - tracing: Fix memleak due to race between current_tracer and trace
    - octeontx2-af: SDP: fix receive link config
    - sock: annotate data-races around prot->memory_pressure
    - dccp: annotate data-races in dccp_poll()
    - ipvlan: Fix a reference count leak warning in ipvlan_ns_exit()
    - net: bgmac: Fix return value check for fixed_phy_register()
    - net: bcmgenet: Fix return value check for fixed_phy_register()
    - net: validate veth and vxcan peer ifindexes
    - ice: fix receive buffer size miscalculation
    - igb: Avoid starting unnecessary workqueues
    - igc: Fix the typo in the PTM Control macro
    - net/sched: fix a qdisc modification with ambiguous command request
    - netfilter: nf_tables: flush pending destroy work before netlink notifier
    - netfilter: nf_tables: fix out of memory error handling
    - rtnetlink: return ENODEV when ifname does not exist and group is given
    - rtnetlink: Reject negative ifindexes in RTM_NEWLINK
    - net: remove bond_slave_has_mac_rcu()
    - bonding: fix macvlan over alb bond support
    - net/ncsi: make one oem_gma function for all mfr id
    - net/ncsi: change from ndo_set_mac_address to dev_set_mac_address
    - ibmveth: Use dcbf rather than dcbfl
    - NFSv4: Fix dropped lock for racing OPEN and delegation return
    - clk: Fix slab-out-of-bounds error in devm_clk_release()
    - ALSA: ymfpci: Fix the missing snd_card_free() call at probe error
    - mm: add a call to flush_cache_vmap() in vmap_pfn()
    - NFS: Fix a use after free in nfs_direct_join_group()
    - nfsd: Fix race to FREE_STATEID and cl_revoked
    - selinux: set next pointer before attaching to list
    - batman-adv: Trigger events for auto adjusted MTU
    - batman-adv: Don't increase MTU when set by user
    - batman-adv: Do not get eth header before batadv_check_management_packet
    - batman-adv: Fix TT global entry leak when client roamed back
    - batman-adv: Fix batadv_v_ogm_aggr_send memory leak
    - batman-adv: Hold rtnl lock during MTU update via netlink
    - lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels
    - radix tree: remove unused variable
    - of: unittest: Fix EXPECT for parse_phandle_with_args_map() test
    - of: dynamic: Refactor action prints to not use "%pOF" inside devtree_lock
    - media: vcodec: Fix potential array out-of-bounds in encoder queue_setup
    - PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root
      bus
    - drm/vmwgfx: Fix shader stage validation
    - drm/display/dp: Fix the DP DSC Receiver cap size
    - x86/fpu: Invalidate FPU state correctly on exec()
    - nfs: use vfs setgid helper
    - nfsd: use vfs setgid helper
    - torture: Fix hang during kthread shutdown phase
    - cgroup/cpuset: Rename functions dealing with DEADLINE accounting
    - sched/cpuset: Bring back cpuset_mutex
    - sched/cpuset: Keep track of SCHED_DEADLINE task in cpusets
    - cgroup/cpuset: Iterate only if DEADLINE tasks are present
    - sched/deadline: Create DL BW alloc, free & check overflow interface
    - cgroup/cpuset: Free DL BW in case can_attach() fails
    - drm/i915: Fix premature release of request's reusable memory
    - can: raw: add missing refcount for memory leak fix
    - scsi: snic: Fix double free in snic_tgt_create()
    - scsi: core: raid_class: Remove raid_component_add()
    - clk: Fix undefined reference to `clk_rate_exclusive_{get,put}'
    - pinctrl: renesas: rza2: Add lock around
      pinctrl_generic{{add,remove}_group,{add,remove}_function}
    - dma-buf/sw_sync: Avoid recursive lock during fence signal
    - mm: memory-failure: kill soft_offline_free_page()
    - mm: memory-failure: fix unexpected return value in soft_offline_page()
    - mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer
    - Linux 5.15.129

* Jammy update: v5.15.128 upstream stable release (LP: #2038486)
    - mmc: sdhci-f-sdh30: Replace with sdhci_pltfm
    - selftests: forwarding: tc_actions: cleanup temporary files when test is
      aborted
    - selftests: forwarding: tc_actions: Use ncat instead of nc
    - macsec: Fix traffic counters/statistics
    - macsec: use DEV_STATS_INC()
    - net/tls: Perform immediate device ctx cleanup when possible
    - net/tls: Multi-threaded calls to TX tls_dev_del
    - net: tls: avoid discarding data on record close
    - PCI: tegra194: Fix possible array out of bounds access
    - ARM: dts: imx6dl: prtrvt, prtvt7, prti6q, prtwd2: fix USB related warnings
    - iopoll: Call cpu_relax() in busy loops
    - ASoC: SOF: Intel: fix SoundWire/HDaudio mutual exclusion
    - dma-remap: use kvmalloc_array/kvfree for larger dma memory remap
    - HID: logitech-hidpp: Add USB and Bluetooth IDs for the Logitech G915 TKL
      Keyboard
    - HID: add quirk for 03f0:464a HP Elite Presenter Mouse
    - RDMA/mlx5: Return the firmware result upon destroying QP/RQ
    - ovl: check type and offset of struct vfsmount in ovl_entry
    - smb: client: fix warning in cifs_smb3_do_mount()
    - media: v4l2-mem2mem: add lock to protect parameter num_rdy
    - usb: gadget: u_serial: Avoid spinlock recursion in __gs_console_push
    - media: platform: mediatek: vpu: fix NULL ptr dereference
    - thunderbolt: Read retimer NVM authentication status prior
      tb_retimer_set_inbound_sbtx()
    - usb: chipidea: imx: don't request QoS for imx8ulp
    - usb: chipidea: imx: add missing USB PHY DPDM wakeup setting
    - gfs2: Fix possible data races in gfs2_show_options()
    - pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db()
    - firewire: net: fix use after free in fwnet_finish_incoming_packet()
    - watchdog: sp5100_tco: support Hygon FCH/SCH (Server Controller Hub)
    - Bluetooth: L2CAP: Fix use-after-free
    - Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally
    - drm/amdgpu: Fix potential fence use-after-free v2
    - fs/ntfs3: Enhance sanity check while generating attr_list
    - fs: ntfs3: Fix possible null-pointer dereferences in mi_read()
    - fs/ntfs3: Mark ntfs dirty when on-disk struct is corrupted
    - ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760
    - ALSA: hda: fix a possible null-pointer dereference due to data race in
      snd_hdac_regmap_sync()
    - powerpc/kasan: Disable KCOV in KASAN code
    - ring-buffer: Do not swap cpu_buffer during resize process
    - iio: add addac subdirectory
    - iio: adc: stx104: Utilize iomap interface
    - iio: adc: stx104: Implement and utilize register structures
    - iio: stx104: Move to addac subdirectory
    - iio: addac: stx104: Fix race condition for stx104_write_raw()
    - iio: addac: stx104: Fix race condition when converting analog-to-digital
    - igc: read before write to SRRCTL register
    - ARM: dts: aspeed: asrock: Correct firmware flash SPI clocks
    - drm/amd/display: save restore hdcp state when display is unplugged from mst
      hub
    - drm/amd/display: phase3 mst hdcp for multiple displays
    - drm/amd/display: fix access hdcp_workqueue assert
    - usb: dwc3: gadget: Synchronize IRQ between soft connect/disconnect
    - usb: dwc3: Remove DWC3 locking during gadget suspend/resume
    - usb: dwc3: Fix typos in gadget.c
    - USB: dwc3: gadget: drop dead hibernation code
    - usb: dwc3: gadget: Improve dwc3_gadget_suspend() and dwc3_gadget_resume()
    - tty: serial: fsl_lpuart: Add i.MXRT1050 support
    - tty: serial: fsl_lpuart: make rx_watermark configurable for different
      platforms
    - tty: serial: fsl_lpuart: reduce RX watermark to 0 on LS1028A
    - USB: dwc3: qcom: fix NULL-deref on suspend
    - USB: dwc3: fix use-after-free on core driver unbind
    - mmc: bcm2835: fix deferred probing
    - mmc: sunxi: fix deferred probing
    - ARM: dts: imx6sll: fixup of operating points
    - ARM: dts: nxp/imx6sll: fix wrong property name in usbphy node
    - btrfs: move out now unused BG from the reclaim list
    - virtio-mmio: don't break lifecycle of vm_dev
    - vduse: Use proper spinlock for IRQ injection
    - cifs: fix potential oops in cifs_oplock_break
    - i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue
    - i2c: hisi: Only handle the interrupt of the driver's transfer
    - fbdev: mmp: fix value check in mmphw_probe()
    - powerpc/rtas_flash: allow user copy to flash block cache objects
    - tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
    - tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32
      platforms
    - btrfs: fix BUG_ON condition in btrfs_cancel_balance
    - i2c: designware: Correct length byte validation logic
    - i2c: designware: Handle invalid SMBus block data response length value
    - net: xfrm: Fix xfrm_address_filter OOB read
    - net: af_key: fix sadb_x_filter validation
    - net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure
    - xfrm: fix slab-use-after-free in decode_session6
    - ip6_vti: fix slab-use-after-free in decode_session6
    - ip_vti: fix potential slab-use-after-free in decode_session6
    - xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
    - net: phy: fix IRQ-based wake-on-lan over hibernate / power off
    - selftests: mirror_gre_changes: Tighten up the TTL test match
    - drm/panel: simple: Fix AUO G121EAN01 panel timings according to the docs
    - netfilter: nf_tables: fix false-positive lockdep splat
    - ipvs: fix racy memcpy in proc_do_sync_threshold
    - net: phy: broadcom: stub c45 read/write for 54810
    - team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
    - iavf: fix FDIR rule fields masks validation
    - i40e: fix misleading debug logs
    - net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset
    - sock: Fix misuse of sk_under_memory_pressure()
    - net: do not allow gso_size to be set to GSO_BY_FRAGS
    - bus: ti-sysc: Flush posted write on enable before reset
    - arm64: dts: qcom: qrb5165-rb5: fix thermal zone conflict
    - ARM: dts: imx: Set default tuning step for imx6sx usdhc
    - ASoC: rt5665: add missed regulator_bulk_disable
    - ASoC: meson: axg-tdm-formatter: fix channel slot allocation
    - soc: aspeed: socinfo: Add kfree for kstrdup
    - ALSA: hda/realtek - Remodified 3k pull low procedure
    - riscv: uaccess: Return the number of bytes effectively not copied
    - serial: 8250: Fix oops for port->pm on uart_change_pm()
    - ALSA: usb-audio: Add support for Mythware XA001AU capture and playback
      interfaces.
    - cifs: Release folio lock on fscache read hit.
    - mmc: wbsd: fix double mmc_free_host() in wbsd_init()
    - mmc: block: Fix in_flight[issue_type] value error
    - drm/qxl: fix UAF on handle creation
    - drm/amd: flush any delayed gfxoff on suspend entry
    - netfilter: set default timeout to 3 secs for sctp shutdown send and recv
      state
    - arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4
    - virtio-net: set queues after driver_ok
    - net: fix the RTO timer retransmitting skb every 1ms if linear option is
      enabled
    - mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove
    - Linux 5.15.128

* Jammy update: v5.15.127 upstream stable release (LP: #2038382)
    - ksmbd: validate command request size
    - ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()
    - wireguard: allowedips: expand maximum node depth
    - mmc: moxart: read scr register without changing byte order
    - ipv6: adjust ndisc_is_useropt() to also return true for PIO
    - dmaengine: pl330: Return DMA_PAUSED when transaction is paused
    - riscv,mmio: Fix readX()-to-delay() ordering
    - drm/nouveau/gr: enable memory loads on helper invocation on all channels
    - drm/shmem-helper: Reset vma->vm_ops before calling dma_buf_mmap()
    - drm/amd/display: check attr flag before set cursor degamma on DCN3+
    - hwmon: (pmbus/bel-pfe) Enable PMBUS_SKIP_STATUS_CHECK for pfe1100
    - radix tree test suite: fix incorrect allocation size for pthreads
    - nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
    - bpf: allow precision tracking for programs with subprogs
    - bpf: stop setting precise in current state
    - bpf: aggressively forget precise markings during state checkpointing
    - selftests/bpf: make test_align selftest more robust
    - selftests/bpf: Workaround verification failure for
      fexit_bpf2bpf/func_replace_return_code
    - selftests/bpf: Fix sk_assign on s390x
    - io_uring: correct check for O_TMPFILE
    - iio: cros_ec: Fix the allocation size for cros_ec_command
    - iio: adc: ina2xx: avoid NULL pointer dereference on OF device match
    - binder: fix memory leak in binder_init()
    - misc: rtsx: judge ASPM Mode to set PETXCFG Reg
    - usb-storage: alauda: Fix uninit-value in alauda_check_media()
    - usb: dwc3: Properly handle processing of pending events
    - usb: common: usb-conn-gpio: Prevent bailing out if initial role is none
    - usb: typec: tcpm: Fix response to vsafe0V event
    - x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405
    - x86/mm: Fix VDSO and VVAR placement on 5-level paging machines
    - x86/speculation: Add cpu_show_gds() prototype
    - x86: Move gds_ucode_mitigated() declaration to header
    - drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes
    - selftests/rseq: Fix build with undefined __weak
    - selftests: forwarding: Add a helper to skip test when using veth pairs
    - selftests: forwarding: ethtool: Skip when using veth pairs
    - selftests: forwarding: ethtool_extended_state: Skip when using veth pairs
    - selftests: forwarding: Skip test when no interfaces are specified
    - selftests: forwarding: Switch off timeout
    - selftests: forwarding: tc_flower: Relax success criterion
    - net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()
    - bpf, sockmap: Fix map type error in sock_map_del_link
    - bpf, sockmap: Fix bug that strp_done cannot be called
    - mISDN: Update parameter type of dsp_cmx_send()
    - net/packet: annotate data-races around tp->status
    - tunnels: fix kasan splat when generating ipv4 pmtu error
    - xsk: fix refcount underflow in error path
    - bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
    - dccp: fix data-race around dp->dccps_mss_cache
    - drivers: net: prevent tun_build_skb() to exceed the packet size limit
    - iavf: fix potential races for FDIR filters
    - IB/hfi1: Fix possible panic during hotplug remove
    - drm/rockchip: Don't spam logs in atomic check
    - wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
    - RDMA/umem: Set iova in ODP flow
    - net: phy: at803x: remove set/get wol callbacks for AR8032
    - net: hns3: refactor hclge_mac_link_status_wait for interface reuse
    - net: hns3: add wait until mac link down
    - nexthop: Fix infinite nexthop dump when using maximum nexthop ID
    - nexthop: Make nexthop bucket dump more efficient
    - nexthop: Fix infinite nexthop bucket dump when using maximum nexthop ID
    - dmaengine: mcf-edma: Fix a potential un-allocated memory access
    - net/mlx5: Allow 0 for total host VFs
    - net/mlx5: Skip clock update work when device is in error state
    - ibmvnic: Enforce stronger sanity checks on login response
    - ibmvnic: Unmap DMA login rsp buffer on send login fail
    - ibmvnic: Handle DMA unmapping of login buffs in release functions
    - btrfs: don't stop integrity writeback too early
    - btrfs: exit gracefully if reloc roots don't match
    - btrfs: reject invalid reloc tree root keys with stack dump
    - btrfs: set cache_block_group_error if we find an error
    - nvme-tcp: fix potential unbalanced freeze & unfreeze
    - nvme-rdma: fix potential unbalanced freeze & unfreeze
    - netfilter: nf_tables: report use refcount overflow
    - scsi: core: Fix legacy /proc parsing buffer overflow
    - scsi: storvsc: Fix handling of virtual Fibre Channel timeouts
    - scsi: 53c700: Check that command slot is not NULL
    - scsi: snic: Fix possible memory leak if device_add() fails
    - scsi: core: Fix possible memory leak if device_add() fails
    - scsi: fnic: Replace return codes in fnic_clean_pending_aborts()
    - scsi: qedi: Fix firmware halt over suspend and resume
    - scsi: qedf: Fix firmware halt over suspend and resume
    - alpha: remove __init annotation from exported page_is_ram()
    - sch_netem: fix issues in netem_change() vs get_dist_table()
    - tick: Detect and fix jiffies update stall
    - timers/nohz: Switch to ONESHOT_STOPPED in the low-res handler when the tick
      is stopped
    - timers/nohz: Last resort update jiffies on nohz_full IRQ entry
    - Linux 5.15.127
    - Upstream stable to v5.15.127

* CVE-2023-37453
    - USB: core: Unite old scheme and new scheme descriptor reads
    - USB: core: Change usb_get_device_descriptor() API
    - USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()

* Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

-- Stefan Bader <stefan.bader@canonical.com>  Tue, 14 Nov 2023 11:47:55 +0100

Changed in linux (Ubuntu Jammy):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package