Bug #2058477 “[Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kern...” : Bugs : linux package : Ubuntu

Revision history for this message

Akira Tanaka (popo1897) wrote on 2024-03-20:

#1

apport.linux-image-6.5.0-26-generic.4wdzb1mh.apport Edit (5.0 KiB, text/plain)

summary:

- [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] UBSAN: array-index-out-of-
- bounds in /build/linux-hwe-6.5-34pCLi/linux-
- hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41
+ [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output "UBSAN:
+ array-index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-
+ hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41" multiple times,
+ especially during boot.

Brett Grandbois (brettgrand) on 2024-03-21

Changed in linux (Ubuntu):
assignee:	nobody → Marcelo Cerri (mhcerri)

Revision history for this message

GuoqingJiang (guoqingjiang) wrote on 2024-04-01:

#2

I think it was fixed by upstream commit bb9b0e46b84c ("hv: hyperv.h: Replace one-element array with flexible-array member"), need to double check.

Revision history for this message

GuoqingJiang (guoqingjiang) wrote on 2024-04-02:

#3

[Impact]
error message "UBSAN: array-index-out-of-bounds in drivers/net/hyperv/netvsc.c:1446:41" appears
multiple times during boot for a Hyper-V environment.

[Fix]
Clean cherry-pick commit bb9b0e46b84 for Focal, Jammy and Mantic.

[Test case]
check the dmesg to see if there is the error message "UBSAN: array-index-out-of-bounds"

[Regression Potential]
DPDK which processes netvsc packets, so it might incompatible with ancient DPDK, but modern DPDK
had already used flexible array member.

Revision history for this message

Tim Gardner (timg-tpi) wrote on 2024-04-04:

#4

Patch submitted for review: https://lists.ubuntu.com/archives/kernel-team/2024-April/149922.html

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-04-04:

#5

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu Focal):
status:	New → Confirmed
Changed in linux (Ubuntu Jammy):
status:	New → Confirmed
Changed in linux (Ubuntu Mantic):
status:	New → Confirmed
Changed in linux (Ubuntu):
status:	New → Confirmed

Roxana Nicolescu (roxanan) on 2024-04-23

Changed in linux (Ubuntu Focal):
status:	Confirmed → Fix Committed
Changed in linux (Ubuntu Jammy):
status:	Confirmed → Fix Committed
Changed in linux (Ubuntu Mantic):
status:	Confirmed → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-05-07:

#9

This bug is awaiting verification that the linux/5.15.0-111.121 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux' to 'verification-done-jammy-linux'. If the problem still exists, change the tag 'verification-needed-jammy-linux' to 'verification-failed-jammy-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-v2 verification-needed-jammy-linux

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-05-07:

#10

This bug is awaiting verification that the linux/5.4.0-186.206 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux' to 'verification-done-focal-linux'. If the problem still exists, change the tag 'verification-needed-focal-linux' to 'verification-failed-focal-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-v2 verification-needed-focal-linux

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-05-29:

#11

This bug is awaiting verification that the linux-azure-fips/5.15.0-1065.74+fips1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-azure-fips' to 'verification-done-jammy-linux-azure-fips'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure-fips' to 'verification-failed-jammy-linux-azure-fips'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-azure-fips-v2 verification-needed-jammy-linux-azure-fips

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-05-29:

#12

This bug is awaiting verification that the linux-azure-5.15/5.15.0-1065.74~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-azure-5.15' to 'verification-done-focal-linux-azure-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-azure-5.15' to 'verification-failed-focal-linux-azure-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-azure-5.15-v2 verification-needed-focal-linux-azure-5.15

Roxana Nicolescu (roxanan) on 2024-06-03

tags:

added: verification-done-focal-linux verification-done-focal-linux-azure-5.15 verification-done-jammy-linux verification-done-jammy-linux-azure-fips
removed: verification-needed-focal-linux verification-needed-focal-linux-azure-5.15 verification-needed-jammy-linux verification-needed-jammy-linux-azure-fips

Revision history for this message

Launchpad Janitor (janitor) wrote 3 hours ago:

#13

Download full text (47.3 KiB)

This bug was fixed in the package linux - 5.15.0-112.122

---------------
linux (5.15.0-112.122) jammy; urgency=medium

* jammy/linux: 5.15.0-112.122 -proposed tracker (LP: #2065898)

  * CVE-2024-21823
    - dmanegine: idxd: reformat opcap output to match bitmap_parse() input
    - dmaengine: idxd: add WQ operation cap restriction support
    - dmaengine: idxd: add knob for enqcmds retries
    - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist
    - dmaengine: idxd: add a new security check to deal with a hardware erratum
    - dmaengine: idxd: add a write() method for applications to submit work

linux (5.15.0-111.121) jammy; urgency=medium

* jammy/linux: 5.15.0-111.121 -proposed tracker (LP: #2063763)

  * RTL8852BE fw security fail then lost WIFI function during suspend/resume
    cycle (LP: #2063096)
    - wifi: rtw89: download firmware with five times retry

* Mount CIFS fails with Permission denied (LP: #2061986)
- cifs: fix ntlmssp auth when there is no key exchange

* USB stick can't be detected (LP: #2040948)
- usb: Disable USB3 LPM at shutdown

  * Jammy update: v5.15.153 upstream stable release (LP: #2063290)
    - io_uring/unix: drop usage of io_uring socket
    - io_uring: drop any code related to SCM_RIGHTS
    - selftests: tls: use exact comparison in recv_partial
    - ASoC: rt5645: Make LattePanda board DMI match more precise
    - x86/xen: Add some null pointer checking to smp.c
    - MIPS: Clear Cause.BD in instruction_pointer_set
    - HID: multitouch: Add required quirk for Synaptics 0xcddc device
    - gen_compile_commands: fix invalid escape sequence warning
    - RDMA/mlx5: Fix fortify source warning while accessing Eth segment
    - RDMA/mlx5: Relax DEVX access upon modify commands
    - riscv: dts: sifive: add missing #interrupt-cells to pmic
    - x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h
    - x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
    - net/iucv: fix the allocation size of iucv_path_table array
    - parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check
    - block: sed-opal: handle empty atoms when parsing response
    - dm-verity, dm-crypt: align "struct bvec_iter" correctly
    - scsi: mpt3sas: Prevent sending diag_reset when the controller is ready
    - ALSA: hda/realtek - ALC285 reduce pop noise from Headphone port
    - drm/amdgpu: Enable gpu reset for S3 abort cases on Raven series
    - Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
    - firewire: core: use long bus reset on gap count error
    - ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet
    - Input: gpio_keys_polled - suppress deferred probe error for gpio
    - ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC
    - ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode
    - ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll
    - do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
    - s390/dasd: put block allocation in separate function
    - s390/dasd: add query PPRC function
    - s390/dasd: add copy pair setup
    - s390/dasd: add autoquiesce feature
    - s390/dasd: Use dev_*() for device lo...

This bug was fixed in the package linux - 5.15.0-112.122

---------------
linux (5.15.0-112.122) jammy; urgency=medium

* jammy/linux: 5.15.0-112.122 -proposed tracker (LP: #2065898)

* CVE-2024-21823
    - dmanegine: idxd: reformat opcap output to match bitmap_parse() input
    - dmaengine: idxd: add WQ operation cap restriction support
    - dmaengine: idxd: add knob for enqcmds retries
    - VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist
    - dmaengine: idxd: add a new security check to deal with a hardware erratum
    - dmaengine: idxd: add a write() method for applications to submit work

linux (5.15.0-111.121) jammy; urgency=medium

* jammy/linux: 5.15.0-111.121 -proposed tracker (LP: #2063763)

* RTL8852BE fw security fail then lost WIFI function during suspend/resume
    cycle (LP: #2063096)
    - wifi: rtw89: download firmware with five times retry

* Mount CIFS fails with Permission denied (LP: #2061986)
    - cifs: fix ntlmssp auth when there is no key exchange

* USB stick can't be detected (LP: #2040948)
    - usb: Disable USB3 LPM at shutdown

* Jammy update: v5.15.153 upstream stable release (LP: #2063290)
    - io_uring/unix: drop usage of io_uring socket
    - io_uring: drop any code related to SCM_RIGHTS
    - selftests: tls: use exact comparison in recv_partial
    - ASoC: rt5645: Make LattePanda board DMI match more precise
    - x86/xen: Add some null pointer checking to smp.c
    - MIPS: Clear Cause.BD in instruction_pointer_set
    - HID: multitouch: Add required quirk for Synaptics 0xcddc device
    - gen_compile_commands: fix invalid escape sequence warning
    - RDMA/mlx5: Fix fortify source warning while accessing Eth segment
    - RDMA/mlx5: Relax DEVX access upon modify commands
    - riscv: dts: sifive: add missing #interrupt-cells to pmic
    - x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h
    - x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
    - net/iucv: fix the allocation size of iucv_path_table array
    - parisc/ftrace: add missing CONFIG_DYNAMIC_FTRACE check
    - block: sed-opal: handle empty atoms when parsing response
    - dm-verity, dm-crypt: align "struct bvec_iter" correctly
    - scsi: mpt3sas: Prevent sending diag_reset when the controller is ready
    - ALSA: hda/realtek - ALC285 reduce pop noise from Headphone port
    - drm/amdgpu: Enable gpu reset for S3 abort cases on Raven series
    - Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
    - firewire: core: use long bus reset on gap count error
    - ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet
    - Input: gpio_keys_polled - suppress deferred probe error for gpio
    - ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC
    - ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode
    - ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll
    - do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
    - s390/dasd: put block allocation in separate function
    - s390/dasd: add query PPRC function
    - s390/dasd: add copy pair setup
    - s390/dasd: add autoquiesce feature
    - s390/dasd: Use dev_*() for device log messages
    - s390/dasd: fix double module refcount decrement
    - fs/select: rework stack allocation hack for clang
    - md: Don't clear MD_CLOSING when the raid is about to stop
    - lib/cmdline: Fix an invalid format specifier in an assertion msg
    - time: test: Fix incorrect format specifier
    - rtc: test: Fix invalid format specifier.
    - aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
    - timekeeping: Fix cross-timestamp interpolation on counter wrap
    - timekeeping: Fix cross-timestamp interpolation corner case decision
    - timekeeping: Fix cross-timestamp interpolation for non-x86
    - sched/fair: Take the scheduling domain into account in select_idle_core()
    - wifi: ath10k: fix NULL pointer dereference in
      ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()
    - wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is disabled
    - wifi: b43: Stop/wake correct queue in PIO Tx path when QoS is disabled
    - wifi: b43: Stop correct queue in DMA worker when QoS is disabled
    - wifi: b43: Disable QoS for bcm4331
    - wifi: wilc1000: fix declarations ordering
    - wifi: wilc1000: fix RCU usage in connect path
    - wifi: rtl8xxxu: add cancel_work_sync() for c2hcmd_work
    - wifi: wilc1000: fix multi-vif management when deleting a vif
    - wifi: mwifiex: debugfs: Drop unnecessary error check for
      debugfs_create_dir()
    - cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value
    - cpufreq: Explicitly include correct DT includes
    - cpufreq: mediatek-hw: Wait for CPU supplies before probing
    - sock_diag: annotate data-races around sock_diag_handlers[family]
    - inet_diag: annotate data-races around inet_diag_table[]
    - bpftool: Silence build warning about calloc()
    - af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().
    - cpufreq: mediatek-hw: Don't error out if supply is not found
    - arm64: dts: imx8mm-kontron: Disable pullups for I2C signals on SL/BL i.MX8MM
    - arm64: dts: imx8mm-kontron: Disable pullups for onboard UART signals on BL
      board
    - arm64: dts: imx8mm-kontron: Add support for ultra high speed modes on SD
      card
    - arm64: dts: imx8mm-kontron: Use the VSELECT signal to switch SD card IO
      voltage
    - arm64: dts: imx8mm-kontron: Disable pull resistors for SD card signals on BL
      board
    - wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete
    - wifi: iwlwifi: mvm: report beacon protection failures
    - wifi: iwlwifi: dbg-tlv: ensure NUL termination
    - wifi: iwlwifi: fix EWRD table validity check
    - arm64: dts: imx8mm-venice-gw71xx: fix USB OTG VBUS
    - pwm: atmel-hlcdc: Convert to platform remove callback returning void
    - pwm: atmel-hlcdc: Use consistent variable naming
    - pwm: atmel-hlcdc: Fix clock imbalance related to suspend support
    - net: blackhole_dev: fix build warning for ethh set but not used
    - wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()
    - pwm: sti: Implement .apply() callback
    - pwm: sti: Fix capture for st,pwm-num-chan < st,capture-num-chan
    - wifi: iwlwifi: mvm: don't set replay counters to 0xff
    - s390/vdso: drop '-fPIC' from LDFLAGS
    - ipv6: mcast: remove one synchronize_net() barrier in ipv6_mc_down()
    - arm64: dts: mt8183: kukui: Add Type C node
    - arm64: dts: mt8183: kukui: Split out keyboard node and describe detachables
    - arm64: dts: mt8183: Move CrosEC base detection node to kukui-based DTs
    - arm64: dts: mediatek: mt7622: add missing "device_type" to memory nodes
    - bpf: Mark bpf_spin_{lock,unlock}() helpers with notrace correctly
    - wireless: Remove redundant 'flush_workqueue()' calls
    - wifi: wilc1000: prevent use-after-free on vif when cleaning up all
      interfaces
    - ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()
    - bus: tegra-aconnect: Update dependency to ARCH_TEGRA
    - [Config]: update CONFIG_TEGRA_ACONNECT
    - iommu/amd: Mark interrupt as managed
    - wifi: brcmsmac: avoid function pointer casts
    - net: ena: Remove ena_select_queue
    - ARM: dts: arm: realview: Fix development chip ROM compatible value
    - arm64: dts: renesas: r8a779a0: Update to R-Car Gen4 compatible values
    - arm64: dts: renesas: r8a779a0: Correct avb[01] reg sizes
    - ARM: dts: imx6dl-yapp4: Move phy reset into switch node
    - ARM: dts: imx6dl-yapp4: Fix typo in the QCA switch register address
    - ARM: dts: imx6dl-yapp4: Move the internal switch PHYs under the switch node
    - arm64: dts: marvell: reorder crypto interrupts on Armada SoCs
    - ACPI: resource: Add Infinity laptops to irq1_edge_low_force_override
    - ACPI: resource: Do IRQ override on Lunnen Ground laptops
    - ACPI: resource: Add MAIBENBEN X577 to irq1_edge_low_force_override
    - ACPI: scan: Fix device check notification handling
    - x86, relocs: Ignore relocations in .notes section
    - SUNRPC: fix some memleaks in gssx_dec_option_array
    - mmc: wmt-sdmmc: remove an incorrect release_mem_region() call in the .remove
      function
    - wifi: rtw88: 8821c: Fix false alarm count
    - PCI: Make pci_dev_is_disconnected() helper public for other drivers
    - iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected
    - igb: move PEROUT and EXTTS isr logic to separate functions
    - igb: Fix missing time sync events
    - Bluetooth: Remove superfluous call to hci_conn_check_pending()
    - Bluetooth: hci_qca: Add support for QTI Bluetooth chip wcn6855
    - Bluetooth: hci_qca: don't use IS_ERR_OR_NULL() with gpiod_get_optional()
    - Bluetooth: hci_core: Fix possible buffer overflow
    - sr9800: Add check for usbnet_get_endpoints
    - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
    - bpf: Fix hashtab overflow check on 32-bit arches
    - bpf: Fix stackmap overflow check on 32-bit arches
    - ipv6: fib6_rules: flush route cache when rule is changed
    - net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()
    - net: phy: fix phy_get_internal_delay accessing an empty array
    - net: hns3: fix kernel crash when 1588 is received on HIP08 devices
    - net: hns3: fix port duplex configure error in IMP reset
    - net: phy: DP83822: enable rgmii mode if phy_interface_is_rgmii
    - net: phy: dp83822: Fix RGMII TX delay configuration
    - OPP: debugfs: Fix warning around icc_get_name()
    - tcp: fix incorrect parameter validation in the do_tcp_getsockopt() function
    - net: Change sock_getsockopt() to take the sk ptr instead of the sock ptr
    - bpf: net: Change sk_getsockopt() to take the sockptr_t argument
    - bpf: net: Change do_ip_getsockopt() to take the sockptr_t argument
    - ipmr: fix incorrect parameter validation in the ip_mroute_getsockopt()
      function
    - l2tp: fix incorrect parameter validation in the pppol2tp_getsockopt()
      function
    - udp: fix incorrect parameter validation in the udp_lib_getsockopt() function
    - net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function
    - net/x25: fix incorrect parameter validation in the x25_getsockopt() function
    - nfp: flower: handle acti_netdevs allocation failure
    - dm raid: fix false positive for requeue needed during reshape
    - dm: call the resume method on internal suspend
    - drm/tegra: dsi: Add missing check for of_find_device_by_node
    - drm/tegra: dpaux: Populate AUX bus
    - drm/tegra: dpaux: Fix PM disable depth imbalance in tegra_dpaux_probe
    - drm/tegra: dsi: Make use of the helper function dev_err_probe()
    - drm/tegra: dsi: Fix some error handling paths in tegra_dsi_probe()
    - drm/tegra: dsi: Fix missing pm_runtime_disable() in the error handling path
      of tegra_dsi_probe()
    - drm/tegra: dc: rgb: Allow changing PLLD rate on Tegra30+
    - drm/tegra: rgb: Fix some error handling paths in tegra_dc_rgb_probe()
    - drm/tegra: rgb: Fix missing clk_put() in the error handling paths of
      tegra_dc_rgb_probe()
    - drm/tegra: output: Fix missing i2c_put_adapter() in the error handling paths
      of tegra_output_probe()
    - drm/rockchip: inno_hdmi: Fix video timing
    - drm: Don't treat 0 as -1 in drm_fixp2int_ceil
    - drm/ttm: add ttm_resource_fini v2
    - drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node
    - drm/rockchip: lvds: do not overwrite error code
    - drm/rockchip: lvds: do not print scary message when probing defer
    - drm/lima: fix a memleak in lima_heap_alloc
    - dmaengine: tegra210-adma: Update dependency to ARCH_TEGRA
    - [Config]: update CONFIG_TEGRA210_ADMA
    - media: tc358743: register v4l2 async device only after successful setup
    - PCI/DPC: Print all TLP Prefixes, not just the first
    - perf record: Fix possible incorrect free in record__switch_output()
    - HID: lenovo: Add middleclick_workaround sysfs knob for cptkbd
    - drm/amd/display: Fix a potential buffer overflow in 'dp_dsc_clock_en_read()'
    - drm/amd/display: Fix potential NULL pointer dereferences in
      'dcn10_set_output_transfer_func()'
    - perf evsel: Fix duplicate initialization of data->id in
      evsel__parse_sample()
    - clk: meson: Add missing clocks to axg_clk_regmaps
    - media: em28xx: annotate unchecked call to media_device_register()
    - media: v4l2-tpg: fix some memleaks in tpg_alloc
    - media: v4l2-mem2mem: fix a memleak in v4l2_m2m_register_entity
    - media: edia: dvbdev: fix a use-after-free
    - pinctrl: mediatek: Drop bogus slew rate register range for MT8192
    - clk: qcom: reset: Commonize the de/assert functions
    - clk: qcom: reset: Ensure write completion on reset de/assertion
    - quota: simplify drop_dquot_ref()
    - quota: Fix potential NULL pointer dereference
    - quota: Fix rcu annotations of inode dquot pointers
    - PCI/P2PDMA: Fix a sleeping issue in a RCU read section
    - PCI: switchtec: Fix an error handling path in switchtec_pci_probe()
    - crypto: xilinx - call finalize with bh disabled
    - perf thread_map: Free strlist on normal path in thread_map__new_by_tid_str()
    - drm/radeon/ni: Fix wrong firmware size logging in ni_init_microcode()
    - ALSA: seq: fix function cast warnings
    - perf stat: Avoid metric-only segv
    - ASoC: meson: Use dev_err_probe() helper
    - ASoC: meson: aiu: fix function pointer type mismatch
    - ASoC: meson: t9015: fix function pointer type mismatch
    - powerpc: Force inlining of arch_vmap_p{u/m}d_supported()
    - PCI: endpoint: Support NTB transfer between RC and EP
    - [Config]: update CONFIG_PCI_EPF_VNTB
    - NTB: EPF: fix possible memory leak in pci_vntb_probe()
    - NTB: fix possible name leak in ntb_register_device()
    - media: sun8i-di: Fix coefficient writes
    - media: sun8i-di: Fix power on/off sequences
    - media: sun8i-di: Fix chroma difference threshold
    - media: imx: csc/scaler: fix v4l2_ctrl_handler memory leak
    - media: go7007: add check of return value of go7007_read_addr()
    - media: pvrusb2: remove redundant NULL check
    - media: pvrusb2: fix pvr2_stream_callback casts
    - clk: qcom: dispcc-sdm845: Adjust internal GDSC wait times
    - drm/mediatek: dsi: Fix DSI RGB666 formats and definitions
    - PCI: Mark 3ware-9650SE Root Port Extended Tags as broken
    - clk: hisilicon: hi3519: Release the correct number of gates in
      hi3519_clk_unregister()
    - clk: hisilicon: hi3559a: Fix an erroneous devm_kfree()
    - drm/tegra: put drm_gem_object ref on error in tegra_fb_create
    - mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref
    - mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a
      ref
    - crypto: arm/sha - fix function cast warnings
    - drm/tidss: Fix initial plane zpos values
    - mtd: maps: physmap-core: fix flash size larger than 32-bit
    - mtd: rawnand: lpc32xx_mlc: fix irq handler prototype
    - ASoC: meson: axg-tdm-interface: fix mclk setup without mclk-fs
    - ASoC: meson: axg-tdm-interface: add frame rate constraint
    - HID: amd_sfh: Update HPD sensor structure elements
    - drm/amdgpu: Fix missing break in ATOM_ARG_IMM Case of atom_get_src_int()
    - media: pvrusb2: fix uaf in pvr2_context_set_notify
    - media: dvb-frontends: avoid stack overflow warnings with clang
    - media: go7007: fix a memleak in go7007_load_encoder
    - media: ttpci: fix two memleaks in budget_av_attach
    - media: mediatek: vcodec: avoid -Wcast-function-type-strict warning
    - drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip
    - powerpc/hv-gpci: Fix the H_GET_PERF_COUNTER_INFO hcall return value checks
    - drm/msm/dpu: add division of drm_display_mode's hskew parameter
    - module: Add support for default value for module async_probe
    - modules: wait do_free_init correctly
    - powerpc/embedded6xx: Fix no previous prototype for avr_uart_send() etc.
    - leds: aw2013: Unlock mutex before destroying it
    - leds: sgm3140: Add missing timer cleanup and flash gpio control
    - backlight: lm3630a: Initialize backlight_properties on init
    - backlight: lm3630a: Don't set bl->props.brightness in get_brightness
    - backlight: da9052: Fully initialize backlight_properties during probe
    - backlight: lm3639: Fully initialize backlight_properties during probe
    - backlight: lp8788: Fully initialize backlight_properties during probe
    - sparc32: Fix section mismatch in leon_pci_grpci
    - clk: Fix clk_core_get NULL dereference
    - clk: zynq: Prevent null pointer dereference caused by kmalloc failure
    - ALSA: hda/realtek: fix ALC285 issues on HP Envy x360 laptops
    - ALSA: usb-audio: Stop parsing channels bits when all channels are found.
    - RDMA/srpt: Do not register event handler until srpt device is fully setup
    - f2fs: multidevice: support direct IO
    - f2fs: invalidate META_MAPPING before IPU/DIO write
    - f2fs: replace congestion_wait() calls with io_schedule_timeout()
    - f2fs: fix to invalidate META_MAPPING before DIO write
    - f2fs: invalidate meta pages only for post_read required inode
    - f2fs: reduce stack memory cost by using bitfield in struct f2fs_io_info
    - f2fs: compress: fix to cover normal cluster write with cp_rwsem
    - f2fs: compress: fix to check unreleased compressed cluster
    - scsi: csiostor: Avoid function pointer casts
    - RDMA/device: Fix a race between mad_client and cm_client init
    - RDMA/rtrs-clt: Check strnlen return len in sysfs mpath_policy_store()
    - scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn
    - net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()
    - NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102
    - NFSv4.2: fix listxattr maximum XDR buffer size
    - watchdog: stm32_iwdg: initialize default timeout
    - NFS: Fix an off by one in root_nfs_cat()
    - f2fs: compress: fix reserve_cblocks counting error when out of space
    - afs: Revert "afs: Hide silly-rename files from userspace"
    - comedi: comedi_test: Prevent timers rescheduling during deletion
    - remoteproc: stm32: use correct format strings on 64-bit
    - remoteproc: stm32: Fix incorrect type in assignment for va
    - remoteproc: stm32: Fix incorrect type assignment returned by
      stm32_rproc_get_loaded_rsc_tablef
    - tty: vt: fix 20 vs 0x20 typo in EScsiignore
    - serial: max310x: fix syntax error in IRQ error message
    - tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT
    - arm64: dts: broadcom: bcmbca: bcm4908: drop invalid switch cells
    - kconfig: fix infinite loop when expanding a macro at the end of file
    - rtc: mt6397: select IRQ_DOMAIN instead of depending on it
    - serial: 8250_exar: Don't remove GPIO device on suspend
    - staging: greybus: fix get_channel_from_mode() failure path
    - usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin
    - io_uring: don't save/restore iowait state
    - nouveau: reset the bo resource bus info after an eviction
    - octeontx2-af: Use matching wake_up API variant in CGX command interface
    - s390/vtime: fix average steal time calculation
    - soc: fsl: dpio: fix kcalloc() argument order
    - hsr: Fix uninit-value access in hsr_get_node()
    - net: mtk_eth_soc: move MAC_MCR setting to mac_finish()
    - net: mediatek: mtk_eth_soc: clear MAC_MCR_FORCE_LINK only when MAC is up
    - net: ethernet: mtk_eth_soc: fix PPE hanging issue
    - packet: annotate data-races around ignore_outgoing
    - net: veth: do not manipulate GRO when using XDP
    - net: dsa: mt7530: prevent possible incorrect XTAL frequency selection
    - vdpa/mlx5: Allow CVQ size changes
    - wireguard: receive: annotate data-race around receiving_counter.counter
    - rds: introduce acquire/release ordering in acquire/release_in_xmit()
    - hsr: Handle failures in module init
    - net: phy: fix phy_read_poll_timeout argument type in genphy_loopback
    - net/bnx2x: Prevent access to a freed page in page_pool
    - octeontx2-af: Use separate handlers for interrupts
    - netfilter: nf_tables: do not compare internal table flags on updates
    - rcu: add a helper to report consolidated flavor QS
    - net: report RCU QS on threaded NAPI repolling
    - bpf: report RCU QS in cpumap kthread
    - net: dsa: mt7530: fix handling of LLDP frames
    - net: dsa: mt7530: fix handling of 802.1X PAE frames
    - net: dsa: mt7530: fix link-local frames that ingress vlan filtering ports
    - net: dsa: mt7530: fix handling of all link-local frames
    - spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
    - regmap: Add missing map->bus check
    - remoteproc: stm32: fix incorrect optional pointers

* Jammy update: v5.15.152 upstream stable release (LP: #2063276)
    - mmc: mmci: stm32: use a buffer for unaligned DMA requests
    - mmc: mmci: stm32: fix DMA API overlapping mappings warning
    - net: lan78xx: fix runtime PM count underflow on link stop
    - ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able
    - i40e: disable NAPI right after disabling irqs when handling xsk_pool
    - tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string
    - geneve: make sure to pull inner header in geneve_rx()
    - net: sparx5: Fix use after free inside sparx5_del_mact_entry
    - net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()
    - net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
    - cpumap: Zero-initialise xdp_rxq_info struct before running XDP program
    - net/rds: fix WARNING in rds_conn_connect_if_down
    - netfilter: nft_ct: fix l3num expectations with inet pseudo family
    - netfilter: nf_conntrack_h323: Add protection for bmp length out of range
    - erofs: apply proper VMA alignment for memory mapped files on THP
    - netrom: Fix a data-race around sysctl_netrom_default_path_quality
    - netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser
    - netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser
    - netrom: Fix a data-race around sysctl_netrom_transport_timeout
    - netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries
    - netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay
    - netrom: Fix a data-race around sysctl_netrom_transport_busy_delay
    - netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size
    - netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout
    - netrom: Fix a data-race around sysctl_netrom_routing_control
    - netrom: Fix a data-race around sysctl_netrom_link_fails_count
    - netrom: Fix data-races around sysctl_net_busy_read
    - ALSA: usb-audio: Refcount multiple accesses on the single clock
    - ALSA: usb-audio: Clear fixed clock rate at closing EP
    - ALSA: usb-audio: Split endpoint setups for hw_params and prepare (take#2)
    - ALSA: usb-audio: Properly refcounting clock rate
    - ALSA: usb-audio: Apply mutex around snd_usb_endpoint_set_params()
    - ALSA: usb-audio: Correct the return code from snd_usb_endpoint_set_params()
    - ALSA: usb-audio: Avoid superfluous endpoint setup
    - ALSA: usb-audio: Add quirk for Tascam Model 12
    - ALSA: usb-audio: Add new quirk FIXED_RATE for JBL Quantum810 Wireless
    - ALSA: usb-audio: Fix microphone sound on Nexigo webcam.
    - ALSA: usb-audio: add quirk for RODE NT-USB+
    - drm/amd/display: Fix uninitialized variable usage in core_link_ 'read_dpcd()
      & write_dpcd()' functions
    - nfp: flower: add goto_chain_index for ct entry
    - nfp: flower: add hardware offload check for post ct entry
    - selftests/mm: switch to bash from sh
    - selftests: mm: fix map_hugetlb failure on 64K page size systems
    - xhci: process isoc TD properly when there was a transaction error mid TD.
    - xhci: handle isoc Babble and Buffer Overrun events properly
    - serial: max310x: use regmap methods for SPI batch operations
    - serial: max310x: use a separate regmap for each port
    - serial: max310x: prevent infinite while() loop in port startup
    - drm/amd/pm: do not expose the API used internally only in kv_dpm.c
    - drm/amdgpu: Reset IH OVERFLOW_CLEAR bit
    - selftests: mptcp: decrease BW in simult flows
    - hv_netvsc: use netif_is_bond_master() instead of open code
    - hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed
    - drm/amd/display: Re-arrange FPU code structure for dcn2x
    - drm/amd/display: move calcs folder into DML
    - drm/amd/display: remove DML Makefile duplicate lines
    - drm/amd/display: Increase frame-larger-than for all display_mode_vba files
    - getrusage: add the "signal_struct *sig" local variable
    - getrusage: move thread_group_cputime_adjusted() outside of
      lock_task_sighand()
    - getrusage: use __for_each_thread()
    - getrusage: use sig->stats_lock rather than lock_task_sighand()
    - proc: Use task_is_running() for wchan in /proc/$pid/stat
    - fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of
      lock_task_sighand()
    - ALSA: usb-audio: Fix wrong kfree issue in snd_usb_endpoint_free_all
    - ALSA: usb-audio: Always initialize fixed_rate in
      snd_usb_find_implicit_fb_sync_format()
    - ALSA: usb-audio: Add FIXED_RATE quirk for JBL Quantum610 Wireless
    - ALSA: usb-audio: Sort quirk table entries
    - regmap: allow to define reg_update_bits for no bus configuration
    - regmap: Add bulk read/write callbacks into regmap_config
    - serial: max310x: make accessing revision id interface-agnostic
    - serial: max310x: fix IO data corruption in batched operations
    - Linux 5.15.152

* CVE-2024-26809
    - netfilter: nft_set_pipapo: release elements in clone only from destroy path

* CVE-2024-26792
    - btrfs: fix double free of anonymous device after snapshot creation failure

* CVE-2023-52530
    - wifi: mac80211: fix potential key use-after-free

* CVE-2023-52447
    - bpf: Defer the free of inner map when necessary
    - rcu-tasks: Provide rcu_trace_implies_rcu_gp()

* Avoid creating non-working backlight sysfs knob from ASUS board
    (LP: #2060422)
    - platform/x86: asus-wmi: Consider device is absent when the read is ~0

* [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output "UBSAN: array-
    index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-
    hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41" multiple times,
    especially during boot. (LP: #2058477)
    - hv: hyperv.h: Replace one-element array with flexible-array member

* Jammy update: v5.15.151 upstream stable release (LP: #2060209)
    - netfilter: nf_tables: disallow timeout for anonymous sets
    - mtd: spinand: gigadevice: Fix the get ecc status issue
    - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
    - net: ip_tunnel: prevent perpetual headroom growth
    - tun: Fix xdp_rxq_info's queue_index when detaching
    - cpufreq: intel_pstate: fix pstate limits enforcement for adjust_perf call
      back
    - net: veth: clear GRO when clearing XDP even when down
    - ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()
    - lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is
      detected
    - net: enable memcg accounting for veth queues
    - veth: try harder when allocating queue memory
    - net: usb: dm9601: fix wrong return value in dm9601_mdio_read
    - uapi: in6: replace temporary label with rfc9486
    - stmmac: Clear variable when destroying workqueue
    - Bluetooth: Avoid potential use-after-free in hci_error_reset
    - Bluetooth: hci_event: Fix wrongly recorded wakeup BD_ADDR
    - netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
    - netfilter: nfnetlink_queue: silence bogus compiler warning
    - netfilter: core: move ip_ct_attach indirection to struct nf_ct_hook
    - netfilter: make function op structures const
    - netfilter: let reset rules clean out conntrack entries
    - netfilter: bridge: confirm multicast packets before passing them up the
      stack
    - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back
    - igb: extend PTP timestamp adjustments to i211
    - efi/capsule-loader: fix incorrect allocation size
    - power: supply: bq27xxx-i2c: Do not free non existing IRQ
    - ALSA: Drop leftover snd-rtctimer stuff from Makefile
    - fbcon: always restore the old font data in fbcon_do_set_font()
    - afs: Fix endless loop in directory parsing
    - riscv: Sparse-Memory/vmemmap out-of-bounds fix
    - ALSA: firewire-lib: fix to check cycle continuity
    - gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
    - wifi: nl80211: reject iftype change with mesh ID change
    - btrfs: dev-replace: properly validate device names
    - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read
    - dmaengine: ptdma: use consistent DMA masks
    - dmaengine: fsl-qdma: init irq after reg initialization
    - mmc: core: Fix eMMC initialization with 1-bit bus connection
    - mmc: sdhci-xenon: add timeout for PHY init complete
    - mmc: sdhci-xenon: fix PHY init clock stability
    - pmdomain: qcom: rpmhpd: Fix enabled_corner aggregation
    - x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers
    - mptcp: move __mptcp_error_report in protocol.c
    - mptcp: process pending subflow error on close
    - mptcp: rename timer related helper to less confusing names
    - selftests: mptcp: add missing kconfig for NF Filter
    - selftests: mptcp: add missing kconfig for NF Filter in v6
    - mptcp: clean up harmless false expressions
    - mptcp: add needs_id for netlink appending addr
    - mptcp: push at DSS boundaries
    - mptcp: fix possible deadlock in subflow diag
    - cachefiles: fix memory leak in cachefiles_add_cache()
    - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super
    - Revert "drm/bridge: lt8912b: Register and attach our DSI device at probe"
    - af_unix: Drop oob_skb ref before purging queue in GC.
    - gpio: 74x164: Enable output pins after registers are reset
    - gpiolib: Fix the error path order in gpiochip_add_data_with_key()
    - gpio: fix resource unwinding order in error path
    - Revert "interconnect: Fix locking for runpm vs reclaim"
    - Revert "interconnect: Teach lockdep about icc_bw_lock order"
    - bpf: Add BPF_FIB_LOOKUP_SKIP_NEIGH for bpf_fib_lookup
    - bpf: Add table ID to bpf_fib_lookup BPF helper
    - bpf: Derive source IP addr via bpf_*_fib_lookup()
    - Linux 5.15.151

* Jammy update: v5.15.151 upstream stable release (LP: #2060209) //
    CVE-2024-26782
    - mptcp: fix double-free on socket dismantle

* Jammy update: v5.15.151 upstream stable release (LP: #2060209) // Fix
    bluetooth connections with 3.0 device (LP: #2063067)
    - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST

* Jammy update: v5.15.150 upstream stable release (LP: #2060142)
    - net/sched: Retire CBQ qdisc
    - [Config] updateconfigs for NET_SCH_CBQ
    - net/sched: Retire ATM qdisc
    - [Config] updateconfigs for NET_SCH_ATM
    - net/sched: Retire dsmark qdisc
    - [Config] updateconfigs for NET_SCH_DSMARK
    - smb: client: fix potential OOBs in smb2_parse_contexts()
    - smb: client: fix parsing of SMB3.1.1 POSIX create context
    - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset
    - PCI: dwc: Fix a 64bit bug in dw_pcie_ep_raise_msix_irq()
    - bpf: Merge printk and seq_printf VARARG max macros
    - bpf: Add struct for bin_args arg in bpf_bprintf_prepare
    - bpf: Do cleanup in bpf_bprintf_cleanup only when needed
    - bpf: Remove trace_printk_lock
    - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb
    - zonefs: Improve error handling
    - x86/fpu: Stop relying on userspace for info to fault in xsave buffer
    - sched/rt: Fix sysctl_sched_rr_timeslice intial value
    - sched/rt: Disallow writing invalid values to sched_rt_period_us
    - scsi: target: core: Add TMF to tmr_list handling
    - dmaengine: shdma: increase size of 'dev_id'
    - dmaengine: fsl-qdma: increase size of 'irq_name'
    - wifi: cfg80211: fix missing interfaces when dumping
    - wifi: mac80211: fix race condition on enabling fast-xmit
    - fbdev: savage: Error out if pixclock equals zero
    - fbdev: sis: Error out if pixclock equals zero
    - spi: hisi-sfc-v3xx: Return IRQ_NONE if no interrupts were detected
    - ahci: asm1166: correct count of reported ports
    - ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers
    - MIPS: reserve exception vector space ONLY ONCE
    - platform/x86: touchscreen_dmi: Add info for the TECLAST X16 Plus tablet
    - ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap
      corrupt
    - ext4: avoid allocating blocks from corrupted group in
      ext4_mb_try_best_found()
    - ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()
    - dmaengine: ti: edma: Add some null pointer checks to the edma_probe
    - regulator: pwm-regulator: Add validity checks in continuous .get_voltage
    - nvmet-tcp: fix nvme tcp ida memory leak
    - ALSA: usb-audio: Check presence of valid altsetting control
    - ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616
    - spi: sh-msiof: avoid integer overflow in constants
    - Input: xpad - add Lenovo Legion Go controllers
    - netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in
      sctp_new
    - ALSA: usb-audio: Ignore clock selector errors for single connection
    - nvme-fc: do not wait in vain when unloading module
    - nvmet-fcloop: swap the list_add_tail arguments
    - nvmet-fc: release reference on target port
    - nvmet-fc: defer cleanup using RCU properly
    - nvmet-fc: hold reference on hostport match
    - nvmet-fc: abort command when there is no binding
    - nvmet-fc: avoid deadlock on delete association path
    - nvmet-fc: take ref count on tgtport before delete assoc
    - ext4: correct the hole length returned by ext4_map_blocks()
    - Input: i8042 - add Fujitsu Lifebook U728 to i8042 quirk table
    - fs/ntfs3: Modified fix directory element type detection
    - fs/ntfs3: Improve ntfs_dir_count
    - fs/ntfs3: Correct hard links updating when dealing with DOS names
    - fs/ntfs3: Print warning while fixing hard links count
    - fs/ntfs3: Fix detected field-spanning write (size 8) of single field
      "le->name"
    - fs/ntfs3: Add NULL ptr dereference checking at the end of
      attr_allocate_frame()
    - fs/ntfs3: Disable ATTR_LIST_ENTRY size check
    - fs/ntfs3: use non-movable memory for ntfs3 MFT buffer cache
    - fs/ntfs3: Prevent generic message "attempt to access beyond end of device"
    - fs/ntfs3: Correct function is_rst_area_valid
    - fs/ntfs3: Update inode->i_size after success write into compressed file
    - fs/ntfs3: Fix oob in ntfs_listxattr
    - wifi: mac80211: adding missing drv_mgd_complete_tx() call
    - efi: runtime: Fix potential overflow of soft-reserved region size
    - efi: Don't add memblocks for soft-reserved memory
    - hwmon: (coretemp) Enlarge per package core count limit
    - scsi: lpfc: Use unsigned type for num_sge
    - firewire: core: send bus reset promptly on gap count error
    - drm/amdgpu: skip to program GFXDEC registers for suspend abort
    - drm/amdgpu: reset gpu for s3 suspend abort case
    - virtio-blk: Ensure no requests in virtqueues before deleting vqs.
    - pmdomain: mediatek: fix race conditions with genpd
    - ksmbd: free aux buffer if ksmbd_iov_pin_rsp_read fails
    - pmdomain: renesas: r8a77980-sysc: CR7 must be always on
    - erofs: fix lz4 inplace decompression
    - IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
    - drm/ttm: Fix an invalid freeing on already freed page in error path
    - dm-crypt: don't modify the data when using authenticated encryption
    - platform/x86: intel-vbtn: Stop calling "VBDL" from notify_handler
    - platform/x86: touchscreen_dmi: Allow partial (prefix) matches for ACPI names
    - KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler
    - KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table()
    - gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
    - PCI/MSI: Prevent MSI hardware interrupt number truncation
    - l2tp: pass correct message length to ip6_append_data
    - ARM: ep93xx: Add terminator to gpiod_lookup_table
    - Revert "x86/ftrace: Use alternative RET encoding"
    - x86/text-patching: Make text_gen_insn() play nice with ANNOTATE_NOENDBR
    - x86/ibt,paravirt: Use text_gen_insn() for paravirt_patch()
    - x86/ftrace: Use alternative RET encoding
    - x86/returnthunk: Allow different return thunks
    - Revert "x86/alternative: Make custom return thunk unconditional"
    - x86/alternative: Make custom return thunk unconditional
    - serial: amba-pl011: Fix DMA transmission in RS485 mode
    - usb: dwc3: gadget: Don't disconnect if not started
    - usb: cdnsp: blocked some cdns3 specific code
    - usb: cdnsp: fixed issue with incorrect detecting CDNSP family controllers
    - usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
    - usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs
    - usb: roles: fix NULL pointer issue when put module's reference
    - usb: roles: don't get/set_role() when usb_role_switch is unregistered
    - mptcp: fix lockless access in subflow ULP diag
    - clk: imx: imx8mp: add shared clk gate for usb suspend clk
    - clk: qcom: gcc-qcs404: disable gpll[04]_out_aux parents
    - clk: qcom: gcc-qcs404: fix names of the DSI clocks used as parents
    - mtd: rawnand: sunxi: Fix the size of the last OOB region
    - RISC-V: fix funct4 definition for c.jalr in parse_asm.h
    - Input: iqs269a - drop unused device node references
    - Input: iqs269a - configure device with a single block write
    - Input: iqs269a - increase interrupt handler return delay
    - clk: renesas: cpg-mssr: Fix use after free if cpg_mssr_common_init() failed
    - Input: ads7846 - don't report pressure for ads7845
    - clk: renesas: cpg-mssr: Remove superfluous check in resume code
    - clk: imx: avoid memory leak
    - Input: ads7846 - always set last command to PWRDOWN
    - Input: ads7846 - don't check penirq immediately for 7845
    - powerpc/powernv/ioda: Skip unallocated resources when mapping to PE
    - clk: qcom: gpucc-sc7180: fix clk_dis_wait being programmed for CX GDSC
    - clk: qcom: gpucc-sdm845: fix clk_dis_wait being programmed for CX GDSC
    - clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled()
    - powerpc/pseries/lparcfg: add missing RTAS retry status handling
    - powerpc/perf/hv-24x7: add missing RTAS retry status handling
    - powerpc/pseries/lpar: add missing RTAS retry status handling
    - MIPS: SMP-CPS: fix build error when HOTPLUG_CPU not set
    - MIPS: vpe-mt: drop physical_memsize
    - vdpa/mlx5: Don't clear mr struct on destroy MR
    - ARM: dts: BCM53573: Drop nonexistent #usb-cells
    - RDMA/siw: Balance the reference of cep->kref in the error path
    - RDMA/siw: Correct wrong debug message
    - clk: linux/clk-provider.h: fix kernel-doc warnings and typos
    - platform/x86: asus-wmi: Document the dgpu_disable sysfs attribute
    - acpi: property: Let args be NULL in __acpi_node_get_property_reference
    - ARM: dts: BCM53573: Drop nonexistent "default-off" LED trigger
    - tools headers UAPI: Sync linux/fscrypt.h with the kernel sources
    - perf beauty: Update copy of linux/socket.h with the kernel sources
    - tools/virtio: fix build
    - drm/amdgpu: init iommu after amdkfd device init
    - f2fs: don't set GC_FAILURE_PIN for background GC
    - f2fs: write checkpoint during FG_GC
    - drm/i915/dg1: Update DMC_DEBUG3 register
    - kernel/sched: Remove dl_boosted flag comment
    - cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl()
    - serial: 8250: Remove serial_rs485 sanitization from em485
    - clk: imx8mp: Add DISP2 pixel clock
    - clk: imx8mp: add clkout1/2 support
    - dt-bindings: clocks: imx8mp: Add ID for usb suspend clock
    - net: ethernet: ti: add missing of_node_put before return
    - powerpc/rtas: make all exports GPL
    - powerpc/rtas: ensure 4KB alignment for rtas_data_buf
    - powerpc/eeh: Small refactor of eeh_handle_normal_event()
    - powerpc/eeh: Set channel state after notifying the drivers
    - PM: core: Redefine pm_ptr() macro
    - PM: core: Add new *_PM_OPS macros, deprecate old ones
    - mmc: jz4740: Use the new PM macros
    - mmc: mxc: Use the new PM macros
    - PM: core: Remove static qualifier in DEFINE_SIMPLE_DEV_PM_OPS macro
    - Input: iqs269a - switch to DEFINE_SIMPLE_DEV_PM_OPS() and pm_sleep_ptr()
    - Input: iqs269a - do not poll during suspend or resume
    - Input: iqs269a - do not poll during ATI
    - net/sched: Refactor qdisc_graft() for ingress and clsact Qdiscs
    - netfilter: nf_tables: add rescheduling points during loop detection walks
    - debugobjects: Recheck debug_objects_enabled before reporting
    - nbd: Add the maximum limit of allocated index in nbd_dev_add
    - md: fix data corruption for raid456 when reshape restart while grow up
    - md/raid10: prevent soft lockup while flush writes
    - posix-timers: Ensure timer ID search-loop limit is valid
    - btrfs: add xxhash to fast checksum implementations
    - ACPI: button: Add lid disable DMI quirk for Nextbook Ares 8A
    - ACPI: video: Add backlight=native DMI quirk for Apple iMac11,3
    - ACPI: video: Add backlight=native DMI quirk for Lenovo ThinkPad X131e (3371
      AMD version)
    - arm64: set __exception_irq_entry with __irq_entry as a default
    - arm64: mm: fix VA-range sanity check
    - sched/fair: Don't balance task to its current running CPU
    - wifi: ath11k: fix registration of 6Ghz-only phy without the full channel
      range
    - bpf: Address KCSAN report on bpf_lru_list
    - devlink: report devlink_port_type_warn source device
    - wifi: wext-core: Fix -Wstringop-overflow warning in
      ioctl_standard_iw_point()
    - wifi: iwlwifi: mvm: avoid baid size integer overflow
    - exfat: support dynamic allocate bh for exfat_entry_set_cache
    - arm64: dts: rockchip: fix regulator name on rk3399-rock-4
    - arm64: dts: rockchip: add ES8316 codec for ROCK Pi 4
    - arm64: dts: rockchip: add SPDIF node for ROCK Pi 4
    - ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch
    - ACPI: video: Add backlight=native DMI quirk for Apple iMac12,1 and iMac12,2
    - ACPI: resource: Skip IRQ override on Asus Vivobook S5602ZA
    - ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks
    - ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA
    - ACPI: resource: Skip IRQ override on ASUS ExpertBook B1502CBA
    - xhci: cleanup xhci_hub_control port references
    - xhci: move port specific items such as state completions to port structure
    - xhci: rename resume_done to resume_timestamp
    - xhci: clear usb2 resume related variables in one place.
    - xhci: decouple usb2 port resume and get_port_status request handling
    - xhci: track port suspend state correctly in unsuccessful resume cases
    - cifs: add a warning when the in-flight count goes negative
    - IB/hfi1: Fix a memleak in init_credit_return
    - RDMA/bnxt_re: Return error for SRQ resize
    - RDMA/irdma: Fix KASAN issue with tasklet
    - RDMA/irdma: Validate max_send_wr and max_recv_wr
    - RDMA/irdma: Set the CQ read threshold for GEN 1
    - RDMA/irdma: Add AE for too many RNRS
    - RDMA/srpt: Support specifying the srpt_service_guid parameter
    - RDMA/qedr: Fix qedr_create_user_qp error flow
    - arm64: dts: rockchip: set num-cs property for spi on px30
    - RDMA/srpt: fix function pointer cast warnings
    - bpf, scripts: Correct GPL license name
    - scsi: jazz_esp: Only build if SCSI core is builtin
    - nouveau: fix function cast warnings
    - net: stmmac: Fix incorrect dereference in interrupt handlers
    - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid
    - ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid
    - ata: libahci_platform: Convert to using devm bulk clocks API
    - ata: libahci_platform: Introduce reset assertion/deassertion methods
    - ata: ahci_ceva: fix error handling for Xilinx GT PHY support
    - bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel
    - drm/nouveau/instmem: fix uninitialized_var.cocci warning
    - octeontx2-af: Consider the action set by PF
    - s390: use the correct count for __iowrite64_copy()
    - netfilter: nf_tables: set dormant flag on hook register failure
    - netfilter: flowtable: simplify route logic
    - netfilter: nft_flow_offload: reset dst in route object after setting up flow
    - netfilter: nft_flow_offload: release dst in case direct xmit path is used
    - drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set
    - drm/amd/display: Fix memory leak in dm_sw_fini()
    - i2c: imx: Add timer for handling the stop condition
    - i2c: imx: when being a target, mark the last read as processed
    - fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio
    - netfilter: nf_tables: fix scheduling-while-atomic splat
    - ext4: regenerate buddy after block freeing failed if under fc replay
    - ext4: avoid bb_free and bb_fragments inconsistency in mb_free_blocks()
    - netfilter: nf_tables: can't schedule in nft_chain_validate
    - r8169: use new PM macros
    - Linux 5.15.150

* Jammy update: v5.15.150 upstream stable release (LP: #2060142) //
    CVE-2024-26733
    - packet: move from strlcpy with unused retval to strscpy
    - net: dev: Convert sa_data to flexible array in struct sockaddr
    - arp: Prevent overflow in arp_req_get().

* Jammy update: v5.15.150 upstream stable release (LP: #2060142) //
    CVE-2024-26735
    - ipv6: sr: fix possible use-after-free and null-ptr-deref

* Jammy update: v5.15.150 upstream stable release (LP: #2060142) //
    CVE-2024-26736
    - afs: Increase buffer size in afs_update_volume_status()

* Jammy update: v5.15.150 upstream stable release (LP: #2060142) //
    CVE-2024-26748
    - usb: cdns3: fix memory double free when handle zero packet

* CVE-2023-47233
    - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach

* CVE-2024-26584
    - net: tls: handle backlogging of crypto requests

* CVE-2024-26585
    - tls: fix race between tx work scheduling and socket close

* CVE-2024-26583
    - tls: rx: jump to a more appropriate label
    - tls: rx: drop pointless else after goto
    - tls: stop recv() if initial process_rx_list gave us non-DATA
    - tls: rx: don't store the record type in socket context
    - tls: rx: don't store the decryption status in socket context
    - tls: rx: don't issue wake ups when data is decrypted
    - tls: rx: refactor decrypt_skb_update()
    - tls: hw: rx: use return value of tls_device_decrypted() to carry status
    - tls: rx: drop unnecessary arguments from tls_setup_from_iter()
    - tls: rx: don't report text length from the bowels of decrypt
    - tls: rx: wrap decryption arguments in a structure
    - tls: rx: factor out writing ContentType to cmsg
    - tls: rx: don't track the async count
    - tls: rx: move counting TlsDecryptErrors for sync
    - tls: rx: assume crypto always calls our callback
    - tls: rx: use async as an in-out argument
    - tls: decrement decrypt_pending if no async completion will be called
    - net: tls: fix async vs NIC crypto offload
    - Revert "tls: rx: move counting TlsDecryptErrors for sync"
    - tls: rx: simplify async wait
    - tls: rx: return the already-copied data on crypto error
    - tls: rx: allow only one reader at a time
    - tls: rx: release the sock lock on locking timeout
    - tls: extract context alloc/initialization out of tls_set_sw_offload
    - net: tls: factor out tls_*crypt_async_wait()
    - tls: fix race between async notify and socket close

* CVE-2024-26622
    - tomoyo: fix UAF write bug in tomoyo_write_control()

-- Roxana Nicolescu <roxana.nicolescu@canonical.com>  Thu, 23 May 2024 09:20:33 +0200

Changed in linux (Ubuntu Jammy):
status:	Fix Committed → Fix Released

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#14

This bug is awaiting verification that the linux-bluefield/5.15.0-1044.46 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-bluefield' to 'verification-done-jammy-linux-bluefield'. If the problem still exists, change the tag 'verification-needed-jammy-linux-bluefield' to 'verification-failed-jammy-linux-bluefield'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-bluefield-v2 verification-needed-jammy-linux-bluefield

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#15

This bug is awaiting verification that the linux-aws/5.15.0-1063.69 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-aws' to 'verification-done-jammy-linux-aws'. If the problem still exists, change the tag 'verification-needed-jammy-linux-aws' to 'verification-failed-jammy-linux-aws'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-aws-v2 verification-needed-jammy-linux-aws

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#16

This bug is awaiting verification that the linux-gkeop/5.15.0-1046.53 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-gkeop' to 'verification-done-jammy-linux-gkeop'. If the problem still exists, change the tag 'verification-needed-jammy-linux-gkeop' to 'verification-failed-jammy-linux-gkeop'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-gkeop-v2 verification-needed-jammy-linux-gkeop

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#17

This bug is awaiting verification that the linux-kvm/5.15.0-1060.65 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-kvm' to 'verification-done-jammy-linux-kvm'. If the problem still exists, change the tag 'verification-needed-jammy-linux-kvm' to 'verification-failed-jammy-linux-kvm'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-kvm-v2 verification-needed-jammy-linux-kvm

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#18

This bug is awaiting verification that the linux-raspi/5.15.0-1056.59 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-raspi' to 'verification-done-jammy-linux-raspi'. If the problem still exists, change the tag 'verification-needed-jammy-linux-raspi' to 'verification-failed-jammy-linux-raspi'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-raspi-v2 verification-needed-jammy-linux-raspi

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#19

This bug is awaiting verification that the linux-hwe-5.15/5.15.0-112.122~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-hwe-5.15' to 'verification-done-focal-linux-hwe-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-hwe-5.15' to 'verification-failed-focal-linux-hwe-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-hwe-5.15-v2 verification-needed-focal-linux-hwe-5.15

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#20

This bug is awaiting verification that the linux-nvidia/5.15.0-1058.59 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia' to 'verification-done-jammy-linux-nvidia'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia' to 'verification-failed-jammy-linux-nvidia'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-nvidia-v2 verification-needed-jammy-linux-nvidia

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#21

This bug is awaiting verification that the linux-azure/5.15.0-1066.75 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-azure' to 'verification-done-jammy-linux-azure'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure' to 'verification-failed-jammy-linux-azure'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-azure-v2 verification-needed-jammy-linux-azure

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#22

This bug is awaiting verification that the linux-ibm-5.15/5.15.0-1056.59~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-ibm-5.15' to 'verification-done-focal-linux-ibm-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-ibm-5.15' to 'verification-failed-focal-linux-ibm-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-ibm-5.15-v2 verification-needed-focal-linux-ibm-5.15

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#23

This bug is awaiting verification that the linux-intel-iotg-5.15/5.15.0-1058.64~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-intel-iotg-5.15' to 'verification-done-focal-linux-intel-iotg-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-intel-iotg-5.15' to 'verification-failed-focal-linux-intel-iotg-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-intel-iotg-5.15-v2 verification-needed-focal-linux-intel-iotg-5.15

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote 3 hours ago:

#24

This bug is awaiting verification that the linux-oracle-5.15/5.15.0-1061.67~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-oracle-5.15' to 'verification-done-focal-linux-oracle-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-oracle-5.15' to 'verification-failed-focal-linux-oracle-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-oracle-5.15-v2 verification-needed-focal-linux-oracle-5.15

Agathe Porte (gagath) 55 minutes ago

tags:

added: verification-done-focal-linux-intel-iotg-5.15
removed: verification-needed-focal-linux-intel-iotg-5.15

	Status	Importance	Assigned to
linux (Ubuntu)	Confirmed	Undecided	Marcelo Cerri
Focal	Fix Committed	Undecided	Unassigned
Jammy	Fix Released	Undecided	Unassigned
Mantic	Fix Committed	Undecided	Unassigned

Ubuntu
linux package

[Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output "UBSAN: array-index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41" multiple times, especially during boot.

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntulinux package

[Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output "UBSAN: array-index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41" multiple times, especially during boot.

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
linux package