[ubuntu/focal-security] linux-gcp-5.15 5.15.0-1041.49~20.04.1 (Accepted)

Andy Whitcroft apw at canonical.com
Thu Sep 7 20:01:39 UTC 2023


linux-gcp-5.15 (5.15.0-1041.49~20.04.1) focal; urgency=medium

  * focal/linux-gcp-5.15: 5.15.0-1041.49~20.04.1 -proposed tracker
    (LP: #2030390)

  [ Ubuntu: 5.15.0-1041.49 ]

  * jammy/linux-gcp: 5.15.0-1041.49 -proposed tracker (LP: #2030391)
  * jammy/linux: 5.15.0-83.92 -proposed tracker (LP: #2031132)
  * libgnutls report "trap invalid opcode" when trying to install packages over
    https (LP: #2031093)
    - [Config]: disable CONFIG_GDS_FORCE_MITIGATION
  * jammy/linux: 5.15.0-81.90 -proposed tracker (LP: #2030422)
  * Packaging resync (LP: #1786013)
    - [Packaging] resync update-dkms-versions helper
    - [Packaging] resync getabis
    - debian/dkms-versions -- update from kernel-versions (main/2023.08.07)
  * CVE-2022-40982
    - x86/mm: Initialize text poking earlier
    - x86/mm: fix poking_init() for Xen PV guests
    - x86/mm: Use mm_alloc() in poking_init()
    - mm: Move mm_cachep initialization to mm_init()
    - init: Provide arch_cpu_finalize_init()
    - x86/cpu: Switch to arch_cpu_finalize_init()
    - ARM: cpu: Switch to arch_cpu_finalize_init()
    - sparc/cpu: Switch to arch_cpu_finalize_init()
    - um/cpu: Switch to arch_cpu_finalize_init()
    - init: Remove check_bugs() leftovers
    - init: Invoke arch_cpu_finalize_init() earlier
    - init, x86: Move mem_encrypt_init() into arch_cpu_finalize_init()
    - x86/init: Initialize signal frame size late
    - x86/fpu: Remove cpuinfo argument from init functions
    - x86/fpu: Mark init functions __init
    - x86/fpu: Move FPU initialization into arch_cpu_finalize_init()
    - x86/xen: Fix secondary processors' FPU initialization
    - x86/speculation: Add Gather Data Sampling mitigation
    - x86/speculation: Add force option to GDS mitigation
    - x86/speculation: Add Kconfig option for GDS
    - KVM: Add GDS_NO support to KVM
    - Documentation/x86: Fix backwards on/off logic about YMM support
    - [Config]: Enable CONFIG_ARCH_HAS_CPU_FINALIZE_INIT and
      CONFIG_GDS_FORCE_MITIGATION
  * CVE-2023-3609
    - net/sched: cls_u32: Fix reference counter leak leading to overflow
  * CVE-2023-21400
    - io_uring: ensure IOPOLL locks around deferred work
  * CVE-2023-4015
    - netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound
      set/chain
    - netfilter: nf_tables: unbind non-anonymous set if rule construction fails
    - netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
  * CVE-2023-3995
    - netfilter: nf_tables: disallow rule addition to bound chain via
      NFTA_RULE_CHAIN_ID
  * CVE-2023-3777
    - netfilter: nf_tables: skip bound chain on rule flush
  * losetup with mknod fails on jammy with kernel 5.15.0-69-generic
    (LP: #2015400)
    - loop: do not enforce max_loop hard limit by (new) default
  * Include the MAC address pass through function on RTL8153DD-CG (LP: #2020295)
    - r8152: add USB device driver for config selection
  * Jammy update: v5.15.116 upstream stable release (LP: #2029401)
    - RDMA/bnxt_re: Fix the page_size used during the MR creation
    - RDMA/efa: Fix unsupported page sizes in device
    - RDMA/hns: Fix base address table allocation
    - RDMA/hns: Modify the value of long message loopback slice
    - dmaengine: at_xdmac: Move the free desc to the tail of the desc list
    - dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved()
    - RDMA/bnxt_re: Fix a possible memory leak
    - RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx
    - iommu/rockchip: Fix unwind goto issue
    - iommu/amd: Don't block updates to GATag if guest mode is on
    - dmaengine: pl330: rename _start to prevent build error
    - riscv: Fix unused variable warning when BUILTIN_DTB is set
    - net/mlx5: fw_tracer, Fix event handling
    - net/mlx5e: Don't attach netdev profile while handling internal error
    - net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure
    - netrom: fix info-leak in nr_write_internal()
    - af_packet: Fix data-races of pkt_sk(sk)->num.
    - amd-xgbe: fix the false linkup in xgbe_phy_status
    - mtd: rawnand: ingenic: fix empty stub helper definitions
    - RDMA/irdma: Add SW mechanism to generate completions on error
    - RDMA/irdma: Prevent QP use after free
    - RDMA/irdma: Fix Local Invalidate fencing
    - af_packet: do not use READ_ONCE() in packet_bind()
    - tcp: deny tcp_disconnect() when threads are waiting
    - tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set
    - net/sched: sch_ingress: Only create under TC_H_INGRESS
    - net/sched: sch_clsact: Only create under TC_H_CLSACT
    - net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs
    - net/sched: Prohibit regrafting ingress or clsact Qdiscs
    - net: sched: fix NULL pointer dereference in mq_attach
    - net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report
    - udp6: Fix race condition in udp6_sendmsg & connect
    - net/mlx5e: Fix error handling in mlx5e_refresh_tirs
    - net/mlx5: Read embedded cpu after init bit cleared
    - net: dsa: mv88e6xxx: Increase wait after reset deactivation
    - mtd: rawnand: marvell: ensure timing values are written
    - mtd: rawnand: marvell: don't set the NAND frequency select
    - rtnetlink: call validate_linkmsg in rtnl_create_link
    - drm/amdgpu: release gpu full access after "amdgpu_device_ip_late_init"
    - watchdog: menz069_wdt: fix watchdog initialisation
    - ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs.
    - drm/amdgpu: Use the default reset when loading or reloading the driver
    - mailbox: mailbox-test: Fix potential double-free in
      mbox_test_message_write()
    - drm/ast: Fix ARM compatibility
    - btrfs: abort transaction when sibling keys check fails for leaves
    - ARM: 9295/1: unwind:fix unwind abort for uleb128 case
    - media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE
    - platform/x86: intel_scu_pcidrv: Add back PCI ID for Medfield
    - gfs2: Don't deref jdesc in evict
    - fbdev: imsttfb: Fix use after free bug in imsttfb_probe
    - fbdev: modedb: Add 1920x1080 at 60 Hz video mode
    - fbdev: stifb: Fix info entry in sti_struct on error path
    - nbd: Fix debugfs_create_dir error checking
    - block/rnbd: replace REQ_OP_FLUSH with REQ_OP_WRITE
    - nvme-pci: add NVME_QUIRK_BOGUS_NID for HS-SSD-FUTURE 2048G
    - nvme-pci: add quirk for missing secondary temperature thresholds
    - ASoC: dwc: limit the number of overrun messages
    - um: harddog: fix modular build
    - xfrm: Check if_id in inbound policy/secpath match
    - ASoC: dt-bindings: Adjust #sound-dai-cells on TI's single-DAI codecs
    - ASoC: ssm2602: Add workaround for playback distortions
    - media: dvb_demux: fix a bug for the continuity counter
    - media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
    - media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
    - media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer()
    - media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
    - media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
    - media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
    - media: netup_unidvb: fix irq init by register it at the end of probe
    - media: dvb_ca_en50221: fix a size write bug
    - media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
    - media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table
    - media: dvb-core: Fix use-after-free due on race condition at dvb_net
    - media: dvb-core: Fix use-after-free due to race at dvb_register_device()
    - media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221
    - s390/pkey: zeroize key blobs
    - s390/topology: honour nr_cpu_ids when adding CPUs
    - ACPI: resource: Add IRQ override quirk for LG UltraPC 17U70P
    - wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value
    - ARM: dts: stm32: add pin map for CAN controller on stm32f7
    - arm64/mm: mark private VM_FAULT_X defines as vm_fault_t
    - arm64: vdso: Pass (void *) to virt_to_page()
    - wifi: mac80211: simplify chanctx allocation
    - scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
    - wifi: b43: fix incorrect __packed annotation
    - netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with
      CONFIG_NF_NAT
    - nvme-multipath: don't call blk_mark_disk_dead in nvme_mpath_remove_disk
    - ALSA: oss: avoid missing-prototype warnings
    - drm/msm: Be more shouty if per-process pgtables aren't working
    - atm: hide unused procfs functions
    - drm/amdgpu: skip disabling fence driver src_irqs when device is unplugged
    - nvme-pci: Add quirk for Teamgroup MP33 SSD
    - mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
    - media: uvcvideo: Don't expose unsupported formats to userspace
    - iio: accel: st_accel: Fix invalid mount_matrix on devices without ACPI _ONT
      method
    - iio: adc: mxs-lradc: fix the order of two cleanup operations
    - HID: google: add jewel USB id
    - HID: wacom: avoid integer overflow in wacom_intuos_inout()
    - iio: imu: inv_icm42600: fix timestamp reset
    - dt-bindings: iio: adc: renesas,rcar-gyroadc: Fix adi,ad7476 compatible value
    - iio: light: vcnl4035: fixed chip ID check
    - iio: adc: ad_sigma_delta: Fix IRQ issue by setting IRQ_DISABLE_UNLAZY flag
    - iio: dac: mcp4725: Fix i2c_master_send() return value handling
    - iio: adc: ad7192: Change "shorted" channels to differential
    - iio: dac: build ad5758 driver when AD5758 is selected
    - net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
    - dt-bindings: usb: snps,dwc3: Fix "snps,hsphy_interface" type
    - usb: gadget: f_fs: Add unbind event before functionfs_unbind
    - md/raid5: fix miscalculation of 'end_sector' in raid5_read_one_chunk()
    - misc: fastrpc: return -EPIPE to invocations on device removal
    - misc: fastrpc: reject new invocations during device removal
    - scsi: stex: Fix gcc 13 warnings
    - ata: libata-scsi: Use correct device no in ata_find_dev()
    - drm/amd/pm: reverse mclk and fclk clocks levels for vangogh
    - drm/amd/pm: reverse mclk and fclk clocks levels for yellow carp
    - drm/amd/pm: reverse mclk and fclk clocks levels for renoir
    - x86/boot: Wrap literal addresses in absolute_pointer()
    - ath6kl: Use struct_group() to avoid size-mismatched casting
    - block/blk-iocost (gcc13): keep large values in a new enum
    - mmc: vub300: fix invalid response handling
    - mmc: pwrseq: sd8787: Fix WILC CHIP_EN and RESETN toggling order
    - tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of
      UARTCTRL_SBK
    - btrfs: fix csum_tree_block page iteration to avoid tripping on
      -Werror=array-bounds
    - powerpc/iommu: Limit number of TCEs to 512 for H_STUFF_TCE hcall
    - iommu/amd: Fix domain flush size when syncing iotlb
    - usb: cdns3: allocate TX FIFO size according to composite EP number
    - usb: cdns3: fix NCM gadget RX speed 20x slow than expection at iMX8QM
    - block: fix revalidate performance regression
    - selinux: don't use make's grouped targets feature yet
    - tracing/probe: trace_probe_primary_from_call(): checked list_first_entry
    - selftests: mptcp: connect: skip if MPTCP is not supported
    - selftests: mptcp: pm nl: skip if MPTCP is not supported
    - selftests: mptcp: sockopt: skip if MPTCP is not supported
    - ext4: add EA_INODE checking to ext4_iget()
    - ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find()
    - ext4: disallow ea_inodes with extended attributes
    - ext4: add lockdep annotations for i_data_sem for ea_inode's
    - fbcon: Fix null-ptr-deref in soft_cursor
    - serial: 8250_tegra: Fix an error handling path in tegra_uart_probe()
    - test_firmware: fix the memory leak of the allocated firmware buffer
    - KVM: x86: Account fastpath-only VM-Exits in vCPU stats
    - ksmbd: fix credit count leakage
    - ksmbd: fix incorrect AllocationSize set in smb2_get_info
    - KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()
    - regmap: Account for register length when chunking
    - tpm, tpm_tis: Request threaded interrupt handler
    - drm/rcar: stop using 'imply' for dependencies
    - [Config] updateconfigs for DRM_RCAR_LVDS
    - scsi: dpt_i2o: Remove broken pass-through ioctl (I2OUSERCMD)
    - scsi: dpt_i2o: Do not process completions with invalid addresses
    - [Config] updateconfigs for SCSI_DPT_I2O
    - drm/amdgpu/gfx10: Disable gfxoff before disabling powergating.
    - selftests: mptcp: diag: skip if MPTCP is not supported
    - selftests: mptcp: simult flows: skip if MPTCP is not supported
    - selftests: mptcp: join: skip if MPTCP is not supported
    - ext4: enable the lazy init thread when remounting read/write
    - ARM: defconfig: drop CONFIG_DRM_RCAR_LVDS
    - RDMA/irdma: Fix drain SQ hang with no completion
    - RDMA/irdma: Do not generate SW completions for NOPs
    - Linux 5.15.116
  * CVE-2023-20593
    - x86/cpu/amd: Move the errata checking functionality up
    - x86/cpu/amd: Add a Zenbleed fix
  * CVE-2023-4004
    - netfilter: nft_set_pipapo: fix improper element removal
  * CVE-2023-3611
    - net/sched: sch_qfq: refactor parsing of netlink parameters
    - net/sched: sch_qfq: account for stab overhead in qfq_enqueue
  * CVE-2023-3610
    - netfilter: nf_tables: fix chain binding transaction logic
  * CVE-2023-2898
    - f2fs: fix to avoid NULL pointer dereference f2fs_write_end_io()
  * Backport support to tolerate ZSTD compressed firmware files (LP: #2028550)
    - firmware_loader: EXTRA_FIRMWARE does not support compressed files
    - firmware: Add the support for ZSTD-compressed firmware files
    - [Config] Enable FW_LOADER_COMPRESS_ZSTD by default
  * stacked overlay file system mounts that have chroot() called against them
    appear to be getting locked (by the kernel most likely?) (LP: #2016398)
    - SAUCE: overlayfs: fix reference count mismatch
  * kdump fails on big arm64 systems when offset is not specified (LP: #2024479)
    - arm64: mm: use IS_ENABLED(CONFIG_KEXEC_CORE) instead of #ifdef
    - arm64: kdump: Reimplement crashkernel=X
    - docs: kdump: Update the crashkernel description for arm64
    - arm64: kdump: Do not allocate crash low memory if not needed
    - arm64/mm: Define defer_reserve_crashkernel()
    - arm64: kdump: Provide default size when crashkernel=Y, low is not specified
    - arm64: kdump: Support crashkernel=X fall back to reserve region above DMA
      zones
  * usbrtl sometimes doesn't reload firmware (LP: #2026028)
    - Bluetooth: btrtl: Ask ic_info to drop firmware
  * cifs: fix mid leak during reconnection after timeout threshold
    (LP: #2029138)
    - cifs: fix mid leak during reconnection after timeout threshold
  * Jammy update: v5.15.115 upstream stable release (LP: #2028799)
    - power: supply: bq27xxx: expose battery data when CI=1
    - power: supply: bq27xxx: Move bq27xxx_battery_update() down
    - power: supply: bq27xxx: Ensure power_supply_changed() is called on current
      sign changes
    - power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to
      stabilize
    - power: supply: core: Refactor
      power_supply_set_input_current_limit_from_supplier()
    - power: supply: bq24190: Call power_supply_changed() after updating input
      current
    - bpf: fix a memory leak in the LRU and LRU_PERCPU hash maps
    - net/mlx5: devcom only supports 2 ports
    - net/mlx5e: Fix deadlock in tc route query code
    - net/mlx5: Devcom, serialize devcom registration
    - platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering
    - platform/x86: ISST: Remove 8 socket limit
    - net: phy: mscc: enable VSC8501/2 RGMII RX clock
    - net: dsa: introduce helpers for iterating through ports using dp
    - net: dsa: mt7530: rework mt753[01]_setup
    - net: dsa: mt7530: split-off common parts from mt7531_setup
    - net: dsa: mt7530: fix network connectivity with multiple CPU ports
    - Bonding: add arp_missed_max option
    - bonding: fix send_peer_notif overflow
    - binder: fix UAF caused by faulty buffer cleanup
    - irqchip/mips-gic: Get rid of the reliance on irq_cpu_online()
    - irqchip/mips-gic: Use raw spinlock for gic_lock
    - net/mlx5e: Fix SQ wake logic in ptp napi_poll context
    - xdp: Allow registering memory model without rxq reference
    - net: page_pool: use in_softirq() instead
    - page_pool: fix inconsistency for page_pool_ring_[un]lock()
    - irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable
    - xdp: xdp_mem_allocator can be NULL in trace_mem_connect().
    - bluetooth: Add cmd validity checks at the start of hci_sock_ioctl()
    - Revert "binder_alloc: add missing mmap_lock calls when using the VMA"
    - Revert "android: binder: stop saving a pointer to the VMA"
    - binder: add lockless binder_alloc_(set|get)_vma()
    - binder: fix UAF of alloc->vma in race with munmap()
    - ipv{4,6}/raw: fix output xfrm lookup wrt protocol
    - netfilter: ctnetlink: Support offloaded conntrack entry deletion
    - Linux 5.15.115
  * Jammy update: v5.15.114 upstream stable release (LP: #2028701)
    - usb: gadget: Properly configure the device for remote wakeup
    - usb: dwc3: fix gadget mode suspend interrupt handler issue
    - dt-bindings: ata: ahci-ceva: convert to yaml
    - dt-bindings: ata: ahci-ceva: Cover all 4 iommus entries
    - watchdog: sp5100_tco: Immediately trigger upon starting.
    - ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15
    - spi: fsl-spi: Re-organise transfer bits_per_word adaptation
    - spi: fsl-cpm: Use 16 bit mode for large transfers with even size
    - ocfs2: Switch to security_inode_init_security()
    - arm64: Also reset KASAN tag if page is not PG_mte_tagged
    - ALSA: hda/ca0132: add quirk for EVGA X299 DARK
    - ALSA: hda: Fix unhandled register update during auto-suspend period
    - ALSA: hda/realtek: Enable headset onLenovo M70/M90
    - mmc: sdhci-esdhc-imx: make "no-mmc-hs400" works
    - ASoC: rt5682: Disable jack detection interrupt during suspend
    - net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
    - m68k: Move signal frame following exception on 68020/030
    - parisc: Handle kgdb breakpoints only in kernel context
    - parisc: Allow to reboot machine after system halt
    - gpio: mockup: Fix mode of debugfs files
    - btrfs: use nofs when cleaning up aborted transactions
    - dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type
    - selftests/memfd: Fix unknown type name build failure
    - parisc: Fix flush_dcache_page() for usage from irq context
    - perf/x86/uncore: Correct the number of CHAs on SPR
    - x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms
    - debugobjects: Don't wake up kswapd from fill_pool()
    - fbdev: udlfb: Fix endpoint check
    - net: fix stack overflow when LRO is disabled for virtual interfaces
    - udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
    - USB: core: Add routines for endpoint checks in old drivers
    - USB: sisusbvga: Add endpoint checks
    - media: radio-shark: Add endpoint checks
    - ASoC: lpass: Fix for KASAN use_after_free out of bounds
    - net: fix skb leak in __skb_tstamp_tx()
    - selftests: fib_tests: mute cleanup error message
    - octeontx2-pf: Fix TSOv6 offload
    - bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
    - ipv6: Fix out-of-bounds access in ipv6_find_tlv()
    - cifs: mapchars mount option ignored
    - power: supply: leds: Fix blink to LED on transition
    - power: supply: mt6360: add a check of devm_work_autocancel in
      mt6360_charger_probe
    - power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
    - power: supply: bq27xxx: Fix I2C IRQ race on remove
    - power: supply: bq27xxx: Fix poll_interval handling and races on remove
    - power: supply: bq27xxx: Add cache parameter to
      bq27xxx_battery_current_and_status()
    - power: supply: sbs-charger: Fix INHIBITED bit for Status reg
    - firmware: arm_ffa: Check if ffa_driver remove is present before executing
    - firmware: arm_ffa: Fix FFA device names for logical partitions
    - fs: fix undefined behavior in bit shift for SB_NOUSER
    - regulator: pca9450: Fix BUCK2 enable_mask
    - coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
    - xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
    - x86/show_trace_log_lvl: Ensure stack pointer is aligned, again
    - ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg
    - sctp: fix an issue that plpmtu can never go to complete state
    - forcedeth: Fix an error handling path in nv_probe()
    - platform/mellanox: mlxbf-pmc: fix sscanf() error checking
    - net/mlx5e: do as little as possible in napi poll when budget is 0
    - net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs
    - net/mlx5: DR, Check force-loopback RC QP capability independently from RoCE
    - net/mlx5: Fix error message when failing to allocate device memory
    - net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
    - arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay
    - firmware: arm_ffa: Set reserved/MBZ fields to zero in the memory descriptors
    - regulator: mt6359: add read check for PMIC MT6359
    - 3c589_cs: Fix an error handling path in tc589_probe()
    - net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE
    - Linux 5.15.114
  * Jammy update: v5.15.113 upstream stable release (LP: #2028408)
    - drm/mipi-dsi: Set the fwnode for mipi_dsi_device
    - ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings
    - net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe()
    - scsi: ufs: core: Fix I/O hang that occurs when BKOPS fails in W-LUN suspend
    - tick/broadcast: Make broadcast device replacement work correctly
    - linux/dim: Do nothing if no time delta between samples
    - net: stmmac: switch to use interrupt for hw crosstimestamping
    - net: stmmac: Initialize MAC_ONEUS_TIC_COUNTER register
    - net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().
    - netfilter: nf_tables: always release netdev hooks from notifier
    - netfilter: conntrack: fix possible bug_on with enable_hooks=1
    - netlink: annotate accesses to nlk->cb_running
    - net: annotate sk->sk_err write from do_recvmmsg()
    - net: deal with most data-races in sk_wait_event()
    - net: add vlan_get_protocol_and_depth() helper
    - tcp: add annotations around sk->sk_shutdown accesses
    - gve: Remove the code of clearing PBA bit
    - net: datagram: fix data-races in datagram_poll()
    - af_unix: Fix a data race of sk->sk_receive_queue->qlen.
    - af_unix: Fix data races around sk->sk_shutdown.
    - drm/i915/dp: prevent potential div-by-zero
    - fbdev: arcfb: Fix error handling in arcfb_probe()
    - ext4: remove an unused variable warning with CONFIG_QUOTA=n
    - ext4: reflect error codes from ext4_multi_mount_protect() to its callers
    - ext4: fix lockdep warning when enabling MMP
    - ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
    - ext4: allow ext4_get_group_info() to fail
    - refscale: Move shutdown from wait_event() to wait_event_idle()
    - rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access
    - fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
    - drm/displayid: add displayid_get_header() and check bounds better
    - drm/amd/display: Use DC_LOG_DC in the trasform pixel function
    - regmap: cache: Return error in cache sync operations for REGCACHE_NONE
    - arm64: dts: qcom: msm8996: Add missing DWC3 quirks
    - media: cx23885: Fix a null-ptr-deref bug in buffer_prepare() and
      buffer_finish()
    - media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish
    - firmware: arm_sdei: Fix sleep from invalid context BUG
    - ACPI: EC: Fix oops when removing custom query handlers
    - remoteproc: stm32_rproc: Add mutex protection for workqueue
    - drm/tegra: Avoid potential 32-bit integer overflow
    - drm/msm/dp: Clean up handling of DP AUX interrupts
    - ACPICA: Avoid undefined behavior: applying zero offset to null pointer
    - ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in
      acpi_db_display_objects
    - drm/amd: Fix an out of bounds error in BIOS parser
    - media: Prefer designated initializers over memset for subdev pad ops
    - wifi: ath: Silence memcpy run-time false positive warning
    - bpf: Annotate data races in bpf_local_storage
    - wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex
    - ext2: Check block size validity during mount
    - scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
    - bnxt: avoid overflow in bnxt_get_nvram_directory()
    - net: pasemi: Fix return type of pasemi_mac_start_tx()
    - net: Catch invalid index in XPS mapping
    - scsi: target: iscsit: Free cmds before session free
    - lib: cpu_rmap: Avoid use after free on rmap->obj array entries
    - scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race
      condition
    - gfs2: Fix inode height consistency check
    - scsi: ufs: ufs-pci: Add support for Intel Lunar Lake
    - ext4: set goal start correctly in ext4_mb_normalize_request
    - ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
    - f2fs: fix to drop all dirty pages during umount() if cp_error is set
    - f2fs: fix to check readonly condition correctly
    - samples/bpf: Fix fout leak in hbm's run_bpf_prog
    - bpf: Add preempt_count_{sub,add} into btf id deny list
    - wifi: iwlwifi: pcie: fix possible NULL pointer dereference
    - wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
    - null_blk: Always check queue mode setting from configfs
    - wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
    - wifi: ath11k: Fix SKB corruption in REO destination ring
    - nbd: fix incomplete validation of ioctl arg
    - ipvs: Update width of source for ip_vs_sync_conn_options
    - Bluetooth: btintel: Add LE States quirk support
    - Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set
    - Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
    - HID: logitech-hidpp: Don't use the USB serial for USB devices
    - HID: logitech-hidpp: Reconcile USB and Unifying serials
    - spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3
    - HID: wacom: generic: Set battery quirk only when we see battery data
    - usb: typec: tcpm: fix multiple times discover svids error
    - serial: 8250: Reinit port->pm on port specific driver unbind
    - mcb-pci: Reallocate memory region to avoid memory overlapping
    - sched: Fix KCSAN noinstr violation
    - recordmcount: Fix memory leaks in the uwrite function
    - RDMA/core: Fix multiple -Warray-bounds warnings
    - iommu/arm-smmu-qcom: Limit the SMR groups to 128
    - fs/ntfs3: Fix NULL pointer dereference in 'ni_write_inode'
    - fs/ntfs3: Enhance the attribute size check
    - fs/ntfs3: Fix NULL dereference in ni_write_inode
    - fs/ntfs3: Validate MFT flags before replaying logs
    - fs/ntfs3: Add length check in indx_get_root
    - fs/ntfs3: Fix a possible null-pointer dereference in ni_clear()
    - clk: tegra20: fix gcc-7 constant overflow warning
    - iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any
    - iommu/sprd: Release dma buffer to avoid memory leak
    - Input: xpad - add constants for GIP interface numbers
    - phy: st: miphy28lp: use _poll_timeout functions for waits
    - soundwire: qcom: gracefully handle too many ports in DT
    - mfd: dln2: Fix memory leak in dln2_probe()
    - parisc: Replace regular spinlock with spin_trylock on panic path
    - platform/x86: hp-wmi: Support touchpad on/off
    - [Config] updateconfigs for X86_PLATFORM_DRIVERS_HP
    - platform/x86: Move existing HP drivers to a new hp subdir
    - platform/x86: hp-wmi: add micmute to hp_wmi_keymap struct
    - xfrm: don't check the default policy if the policy allows the packet
    - Revert "Fix XFRM-I support for nested ESP tunnels"
    - drm/msm/dp: unregister audio driver during unbind
    - drm/msm/dpu: Add INTF_5 interrupts
    - drm/msm/dpu: Move non-MDP_TOP INTF_INTR offsets out of hwio header
    - drm/msm/dpu: Remove duplicate register defines from INTF
    - dt-bindings: display/msm: dsi-controller-main: Document qcom, master-dsi and
      qcom, sync-dual-dsi
    - ASoC: fsl_micfil: Fix error handler with pm_runtime_enable
    - cpupower: Make TSC read per CPU for Mperf monitor
    - af_key: Reject optional tunnel/BEET mode templates in outbound policies
    - selftests: seg6: disable DAD on IPv6 router cfg for srv6_end_dt4_l3vpn_test
    - selftets: seg6: disable rp_filter by default in srv6_end_dt4_l3vpn_test
    - net: fec: Better handle pm_runtime_get() failing in .remove()
    - net: phy: dp83867: add w/a for packet errors seen with short cables
    - ALSA: firewire-digi00x: prevent potential use after free
    - ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15
    - vsock: avoid to close connected socket after the timeout
    - tcp: fix possible sk_priority leak in tcp_v4_send_reset()
    - serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
    - serial: 8250_bcm7271: balance clk_enable calls
    - serial: 8250_bcm7271: fix leak in `brcmuart_probe`
    - erspan: get the proto with the md version for collect_md
    - net: hns3: fix output information incomplete for dumping tx queue info with
      debugfs
    - net: hns3: fix sending pfc frames after reset issue
    - net: hns3: fix reset delay time to avoid configuration timeout
    - media: netup_unidvb: fix use-after-free at del_timer()
    - SUNRPC: double free xprt_ctxt while still in use
    - tracing: Introduce helpers to safely handle dynamic-sized sockaddrs
    - SUNRPC: Clean up svc_deferred_class trace events
    - SUNRPC: Remove dead code in svc_tcp_release_rqst()
    - SUNRPC: Remove svc_rqst::rq_xprt_hlen
    - SUNRPC: always free ctxt when freeing deferred request
    - SUNRPC: Fix trace_svc_register() call site
    - drm/exynos: fix g2d_open/close helper function definitions
    - net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
    - virtio-net: Maintain reverse cleanup order
    - virtio_net: Fix error unwinding of XDP initialization
    - tipc: add tipc_bearer_min_mtu to calculate min mtu
    - tipc: do not update mtu if msg_max is too small in mtu negotiation
    - tipc: check the bearer min mtu properly when setting it by netlink
    - s390/cio: include subchannels without devices also for evaluation
    - net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
    - net: bcmgenet: Restore phy_stop() depending upon suspend/close
    - wifi: mac80211: fix min center freq offset tracing
    - wifi: iwlwifi: mvm: fix cancel_delayed_work_sync() deadlock
    - wifi: iwlwifi: mvm: don't trust firmware n_channels
    - scsi: storvsc: Don't pass unused PFNs to Hyper-V host
    - cassini: Fix a memory leak in the error handling path of cas_init_one()
    - net: dsa: mv88e6xxx: Fix mv88e6393x EPC write command offset
    - igb: fix bit_shift to be in [1..8] range
    - vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
    - netfilter: nf_tables: fix nft_trans type confusion
    - netfilter: nft_set_rbtree: fix null deref on element insertion
    - bridge: always declare tunnel functions
    - ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go
    - USB: usbtmc: Fix direction for 0-length ioctl control messages
    - usb-storage: fix deadlock when a scsi command timeouts more than once
    - USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
    - usb: dwc3: debugfs: Resume dwc3 before accessing registers
    - usb: gadget: u_ether: Fix host MAC address case
    - usb: typec: altmodes/displayport: fix pin_assignment_show
    - xhci-pci: Only run d3cold avoidance quirk for s2idle
    - xhci: Fix incorrect tracking of free space on transfer rings
    - ALSA: hda: Fix Oops by 9.1 surround channel names
    - ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
    - ALSA: hda/realtek: Add quirk for Clevo L140AU
    - ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
    - ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
    - can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
    - can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag
    - can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
    - can: kvaser_pciefd: Call request_irq() before enabling interrupts
    - can: kvaser_pciefd: Empty SRB buffer in probe
    - can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
    - can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
    - can: kvaser_pciefd: Disable interrupts in probe error path
    - SMB3: Close all deferred handles of inode in case of handle lease break
    - SMB3: drop reference to cfile before sending oplock break
    - ksmbd: smb2: Allow messages padded to 8byte boundary
    - ksmbd: allocate one more byte for implied bcc[0]
    - ksmbd: fix wrong UserName check in session_user
    - ksmbd: fix global-out-of-bounds in smb2_find_context_vals
    - statfs: enforce statfs[64] structure initialization
    - serial: Add support for Advantech PCI-1611U card
    - serial: 8250_exar: Add support for USR298x PCI Modems
    - serial: qcom-geni: fix enabling deactivated interrupt
    - thunderbolt: Clear registers properly when auto clear isn't in use
    - vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
    - ceph: force updating the msg pointer in non-split case
    - powerpc/iommu: Incorrect DDW Table is referenced for SR-IOV device
    - tpm/tpm_tis: Disable interrupts for more Lenovo devices
    - powerpc/64s/radix: Fix soft dirty tracking
    - nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
    - s390/qdio: fix do_sqbs() inline assembly constraint
    - HID: wacom: Force pen out of prox if no events have been received in a while
    - HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs
    - HID: wacom: add three styli to wacom_intuos_get_tool_type
    - Linux 5.15.113
  * Jammy update: v5.15.112 upstream stable release (LP: #2026607)
    - ring-buffer: Ensure proper resetting of atomic variables in
      ring_buffer_reset_online_cpus
    - crypto: ccp - Clear PSP interrupt status register before calling handler
    - ubifs: Fix AA deadlock when setting xattr for encrypted file
    - ubifs: Fix memory leak in do_rename
    - bus: mhi: Move host MHI code to "host" directory
    - bus: mhi: host: Remove duplicate ee check for syserr
    - bus: mhi: host: Use mhi_tryset_pm_state() for setting fw error state
    - bus: mhi: host: Range check CHDBOFF and ERDBOFF
    - mailbox: zynq: Switch to flexible array to simplify code
    - mailbox: zynqmp: Fix counts of child nodes
    - ASoC: soc-pcm: use GFP_ATOMIC for dpcm structure
    - ASoC: soc-pcm: align BE 'atomicity' with that of the FE
    - ASoC: soc-pcm: Fix and cleanup DPCM locking
    - ASoC: soc-pcm: serialize BE triggers
    - ASoC: soc-pcm: test refcount before triggering
    - ASoC: soc-pcm: fix BE handling of PAUSE_RELEASE
    - fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup()
    - drm/hyperv: Don't overwrite dirt_needed value set by host
    - scsi: qedi: Fix use after free bug in qedi_remove()
    - net/ncsi: clear Tx enable mode when handling a Config required AEN
    - net/sched: cls_api: remove block_cb from driver_list before freeing
    - sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()
    - selftests: srv6: make srv6_end_dt46_l3vpn_test more robust
    - net: dsa: mv88e6xxx: add mv88e6321 rsvd2cpu
    - writeback: fix call of incorrect macro
    - watchdog: dw_wdt: Fix the error handling path of dw_wdt_drv_probe()
    - RISC-V: mm: Enable huge page support to kernel_page_present() function
    - net/sched: act_mirred: Add carrier check
    - r8152: fix flow control issue of RTL8156A
    - r8152: fix the poor throughput for 2.5G devices
    - r8152: move setting r8153b_rx_agg_chg_indicate()
    - sfc: Fix module EEPROM reporting for QSFP modules
    - rxrpc: Fix hard call timeout units
    - octeontx2-af: Secure APR table update with the lock
    - octeontx2-af: Skip PFs if not enabled
    - octeontx2-pf: Disable packet I/O for graceful exit
    - octeontx2-vf: Detach LF resources on probe cleanup
    - ionic: remove noise from ethtool rxnfc error msg
    - ethtool: Fix uninitialized number of lanes
    - ionic: catch failure from devlink_alloc
    - af_packet: Don't send zero-byte data in packet_sendmsg_spkt().
    - drm/amdgpu: add a missing lock for AMDGPU_SCHED
    - ALSA: caiaq: input: Add error handling for unsupported input methods in
      `snd_usb_caiaq_input_init`
    - net: dsa: mt7530: fix corrupt frames using trgmii on 40 MHz XTAL MT7621
    - virtio_net: split free_unused_bufs()
    - virtio_net: suppress cpu stall when free_unused_bufs
    - net: enetc: check the index of the SFI rather than the handle
    - perf scripts intel-pt-events.py: Fix IPC output for Python 2
    - perf vendor events power9: Remove UTF-8 characters from JSON files
    - perf pmu: zfree() expects a pointer to a pointer to zero it after freeing
      its contents
    - perf map: Delete two variable initialisations before null pointer checks in
      sort__sym_from_cmp()
    - crypto: sun8i-ss - Fix a test in sun8i_ss_setup_ivs()
    - crypto: engine - check if BH is disabled during completion
    - crypto: api - Add scaffolding to change completion function signature
    - crypto: engine - Use crypto_request_complete
    - crypto: engine - fix crypto_queue backlog handling
    - perf symbols: Fix return incorrect build_id size in elf_read_build_id()
    - perf evlist: Refactor evlist__for_each_cpu()
    - perf stat: Separate bperf from bpf_profiler
    - btrfs: fix btrfs_prev_leaf() to not return the same key twice
    - btrfs: zoned: fix wrong use of bitops API in btrfs_ensure_empty_zones
    - btrfs: fix encoded write i_size corruption with no-holes
    - btrfs: don't free qgroup space unless specified
    - btrfs: zero the buffer before marking it dirty in btrfs_redirty_list_add
    - btrfs: print-tree: parent bytenr must be aligned to sector size
    - btrfs: fix space cache inconsistency after error loading it from disk
    - cifs: fix pcchunk length type in smb2_copychunk_range
    - cifs: release leases for deferred close handles when freezing
    - platform/x86: touchscreen_dmi: Add upside-down quirk for GDIX1002 ts on the
      Juno Tablet
    - platform/x86: touchscreen_dmi: Add info for the Dexp Ursus KX210i
    - inotify: Avoid reporting event with invalid wd
    - smb3: fix problem remounting a share after shutdown
    - SMB3: force unmount was failing to close deferred close files
    - sh: math-emu: fix macro redefined warning
    - sh: mcount.S: fix build error when PRINTK is not enabled
    - sh: init: use OF_EARLY_FLATTREE for early init
    - sh: nmi_debug: fix return value of __setup handler
    - remoteproc: stm32: Call of_node_put() on iteration error
    - remoteproc: st: Call of_node_put() on iteration error
    - remoteproc: imx_rproc: Call of_node_put() on iteration error
    - ARM: dts: exynos: fix WM8960 clock name in Itop Elite
    - ARM: dts: s5pv210: correct MIPI CSIS clock name
    - drm/bridge: lt8912b: Fix DSI Video Mode
    - drm/msm: fix NULL-deref on snapshot tear down
    - drm/msm: fix NULL-deref on irq uninstall
    - f2fs: fix potential corruption when moving a directory
    - drm/panel: otm8009a: Set backlight parent to panel device
    - drm/amd/display: fix flickering caused by S/G mode
    - drm/amdgpu: fix an amdgpu_irq_put() issue in gmc_v9_0_hw_fini()
    - drm/amdgpu/gfx: disable gfx9 cp_ecc_error_irq only when enabling legacy gfx
      ras
    - drm/amdgpu: Fix vram recover doesn't work after whole GPU reset (v2)
    - drm/amdgpu: disable sdma ecc irq only when sdma RAS is enabled in suspend
    - HID: wacom: Set a default resolution for older tablets
    - HID: wacom: insert timestamp to packed Bluetooth (BT) events
    - fs/ntfs3: Refactoring of various minor issues
    - ASoC: soc-pcm: Fix DPCM lockdep warning due to nested stream locks
    - ASoC: soc-compress: Inherit atomicity from DAI link for Compress FE
    - ASoC: soc-pcm: Move debugfs removal out of spinlock
    - ASoC: DPCM: Don't pick up BE without substream
    - ASoC: soc-pcm.c: call __soc_pcm_close() in soc_pcm_close()
    - drm/i915/dg2: Support 4k at 30 on HDMI
    - drm/i915/dg2: Add additional HDMI pixel clock frequencies
    - drm/i915/dg2: Add HDMI pixel clock frequencies 267.30 and 319.89 MHz
    - drm/msm: Remove struct_mutex usage
    - drm/msm/adreno: fix runtime PM imbalance at gpu load
    - drm/amd/display: Refine condition of cursor visibility for pipe-split
    - drm/amd/display: Add NULL plane_state check for cursor disable logic
    - wifi: rtw88: rtw8821c: Fix rfe_option field width
    - ksmbd: set RSS capable in FSCTL_QUERY_NETWORK_INTERFACE_INFO
    - ksmbd: fix multi session connection failure
    - ksmbd: replace sessions list in connection with xarray
    - ksmbd: add channel rwlock
    - ksmbd: fix kernel oops from idr_remove()
    - ksmbd: fix racy issue while destroying session on multichannel
    - ksmbd: fix deadlock in ksmbd_find_crypto_ctx()
    - ksmbd: not allow guest user on multichannel
    - locking/rwsem: Add __always_inline annotation to __down_read_common() and
      inlined callers
    - ext4: fix WARNING in mb_find_extent
    - ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
    - ext4: fix data races when using cached status extents
    - ext4: check iomap type only if ext4_iomap_begin() does not fail
    - ext4: improve error recovery code paths in __ext4_remount()
    - ext4: improve error handling from ext4_dirhash()
    - ext4: fix deadlock when converting an inline directory in nojournal mode
    - ext4: add bounds checking in get_max_inline_xattr_value_size()
    - ext4: bail out of ext4_xattr_ibody_get() fails for any reason
    - ext4: remove a BUG_ON in ext4_mb_release_group_pa()
    - ext4: fix invalid free tracking in ext4_xattr_move_to_block()
    - drm/msm/adreno: adreno_gpu: Use suspend() instead of idle() on load error
    - serial: 8250: Fix serial8250_tx_empty() race with DMA Tx
    - drbd: correctly submit flush bio on barrier
    - RISC-V: Fix up a cherry-pick warning in setup_vm_final()
    - drm/amd/display: Fix hang when skipping modeset
    - Linux 5.15.112
  * CVE-2023-31084 // CVE-2023-31084 was assigned to this bug.
    - media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()
  * CVE-2023-3776
    - net/sched: cls_fw: Fix improper refcount update leads to use-after-free

Date: 2023-08-29 06:46:32.776059+00:00
Changed-By: Khaled El Mously <khalid.elmously at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1041.49~20.04.1
-------------- next part --------------
Sorry, changesfile not available.


More information about the Focal-changes mailing list