This bug was fixed in the package linux - 5.15.0-142.152
---------------
linux (5.15.0-142.152) jammy; urgency=medium
* jammy/linux: 5.15.0-142.152 -proposed tracker (LP: #2110829)
* Rotate the Canonical Livepatch key (LP: #2111244)
- [Config] Prepare for Canonical Livepatch key rotation
* Jammy generic-64k fails to initialize gVNIC devices (LP: #2109537)
- gve: Perform adminq allocations through a dma_pool.
- gve: Deprecate adminq_pfn for pci revision 0x1.
- gve: Remove obsolete checks that rely on page size.
- gve: Add page size register to the register_page_list command.
- gve: Remove dependency on 4k page size.
* CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
(LP: #2099914) // CVE-2025-2312
- CIFS: New mount option for cifs.upcall namespace resolution
* [UBUNTU 22.04] net/smc: fix neighbour and rtable leak in smc_ib_find_route()
(LP: #2109601) // CVE-2024-36945
- net/smc: fix neighbour and rtable leak in smc_ib_find_route()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355)
- clockevents/drivers/i8253: Fix stop sequence for timer 0
- sched/isolation: Prevent boot crash when the boot CPU is nohz_full
- fbdev: hyperv_fb: iounmap() the correct memory when removing a device
- pinctrl: bcm281xx: Fix incorrect regmap max_registers value
- netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template.
- net: dsa: mv88e6xxx: Verify after ATU Load ops
- netpoll: hold rcu read lock in __netpoll_send_skb()
- Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()
- ipvs: prevent integer overflow in do_ip_vs_get_ctl()
- netfilter: nft_exthdr: fix offset with ipv4_find_option()
- gre: Fix IPv6 link-local address generation.
- slab: clean up function prototypes
- slab: Introduce kmalloc_size_roundup()
- openvswitch: Use kmalloc_size_roundup() to match ksize() usage
- net: openvswitch: remove misbehaving actions length check
- net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed
devices
- nvme-fc: go straight to connecting state when initializing
- hrtimers: Mark is_migration_base() with __always_inline
- powercap: call put_device() on an error path in
powercap_register_control_type()
- scsi: core: Use GFP_NOIO to avoid circular locking dependency
- ACPI: resource: IRQ override for Eluktronics MECH-17
- alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support
- vboxsf: fix building with GCC 15
- HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell
- sched: Clarify wake_up_q()'s write to task->wake_q.next
- s390/cio: Fix CHPID "configure" attribute caching
- thermal/cpufreq_cooling: Remove structure member documentation
- ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime()
- ASoC: arizona/madera: use fsleep() in up/down DAPM event delays.
- ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module
- net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors
- nvmet-rdma: recheck queue state is LIVE in state lock in recv done
- sctp: Fix undefined behavior in left shift operation
- nvme: only allow entering LIVE from CONNECTING state
- ASoC: tas2770: Fix volume scale
- ASoC: tas2764: Fix power control mask
- ASoC: tas2764: Set the SDOUT polarity correctly
- fuse: don't truncate cached, mutated symlink
- x86/irq: Define trace events conditionally
- mptcp: safety check before fallback
- drm/nouveau: Do not override forced connector status
- block: fix 'kmem_cache of name 'bio-108' already exists'
- USB: serial: ftdi_sio: add support for Altera USB Blaster 3
- USB: serial: option: add Telit Cinterion FE990B compositions
- USB: serial: option: fix Telit Cinterion FE990A name
- USB: serial: option: match on interface class for Telit FN990B
- drm/atomic: Filter out redundant DPMS calls
- drm/amd/display: Restore correct backlight brightness after a GPU reset
- qlcnic: fix memory leak issues in qlcnic_sriov_common.c
- lib/buildid: Handle memfd_secret() files in build_id_parse()
- tcp: fix races in tcp_abort()
- ASoC: ops: Consistently treat platform_max as control value
- drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()
- ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()
- cifs: Fix integer overflow while processing actimeo mount option
- i2c: ali1535: Fix an error handling path in ali1535_probe()
- i2c: ali15x3: Fix an error handling path in ali15x3_probe()
- i2c: sis630: Fix an error handling path in sis630_probe()
- drm/amd/display: Check for invalid input params when building scaling
params
- smb: client: Fix match_session bug preventing session reuse
- Revert "smb: client: fix potential UAF in cifs_debug_files_proc_show()"
- smb: client: fix potential UAF in cifs_debug_files_proc_show()
- firmware: imx-scu: fix OF node leak in .probe()
- xfrm_output: Force software GSO only in tunnel mode
- ARM: dts: bcm2711: PL011 UARTs are actually r1p5
- RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx
- ARM: dts: bcm2711: Don't mark timer regs unconfigured
- RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path
- RDMA/hns: Remove redundant 'phy_addr' in hns_roce_hem_list_find_mtt()
- RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db()
- RDMA/hns: Fix a missing rollback in error path of
hns_roce_create_qp_common()
- RDMA/hns: Fix wrong value of max_sge_rd
- ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create().
- net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES
- Revert "gre: Fix IPv6 link-local address generation."
- i2c: omap: fix IRQ storms
- drm/v3d: Don't run jobs that have errors flagged in its fence
- mmc: atmel-mci: Add missing clk_disable_unprepare()
- ARM: shmobile: smp: Enforce shmobile_smp_* alignment
- batman-adv: Ignore own maximum aggregation size during RX
- drm/amdgpu: Fix JPEG video caps max size for navi1x and raven
- mptcp: Fix data stream corruption in the address announcement
- arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S
- ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names
- HID: hid-plantronics: Add mic mute mapping and generalize quirks
- ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()
- ARM: 9351/1: fault: Add "cut here" line for prefetch aborts
- ARM: Remove address checking for MMUless devices
- ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx
- counter: stm32-lptimer-cnt: fix error handling when enabling
- counter: microchip-tcb-capture: Fix undefined counter channel state on
probe
- tty: serial: 8250: Add some more device IDs
- tty: serial: 8250: Add Brainboxes XC devices
- net: usb: qmi_wwan: add Telit Cinterion FN990B composition
- net: usb: qmi_wwan: add Telit Cinterion FE990B composition
- net: usb: usbnet: restore usb%d name exception for local mac addresses
- serial: 8250_dma: terminate correct DMA in tx_dma_flush()
- x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
- cpufreq: scpi: compare kHz instead of Hz
- cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
- x86/fpu: Avoid copying dynamic FP state from init_task in
arch_dup_task_struct()
- x86/platform: Only allow CONFIG_EISA for 32-bit
- [Config] updateconfigs for HAVE_EISA
- PM: sleep: Adjust check before setting power.must_resume
- selinux: Chain up tool resolving errors in install_policy.sh
- EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
- EDAC/ie31200: Fix the DIMM size mask for several SoCs
- EDAC/ie31200: Fix the error path order of ie31200_init()
- PM: sleep: Fix handling devices with direct_complete set on errors
- lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*()
- perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
- media: platform: allgro-dvt: unregister v4l2_device on the error path
- HID: remove superfluous (and wrong) Makefile entry for
CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
- ALSA: hda/realtek: Always honor no_shutup_pins
- ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio
compatible
- drm/bridge: ti-sn65dsi86: Fix multiple instances
- drm/dp_mst: Fix drm RAD print
- drm: xlnx: zynqmp: Fix max dma segment size
- drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
- drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
- PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data
payload
- PCI: brcmstb: Use internal register to change link capability
- PCI/portdrv: Only disable pciehp interrupts early when needed
- PCI: Avoid reset when disabled via sysfs
- drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters()
- PCI: Remove stray put_device() in pci_register_host_bridge()
- PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe
- drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()
- PCI: pciehp: Don't enable HPIE when resuming in poll mode
- fbdev: au1100fb: Move a variable assignment behind a null pointer check
- mdacon: rework dependency list
- fbdev: sm501fb: Add some geometry checks.
- clk: amlogic: gxbb: drop incorrect flag on 32k clock
- crypto: hisilicon/sec2 - fix for aead authsize alignment
- of: property: Increase NR_FWNODE_REFERENCE_ARGS
- remoteproc: qcom_q6v5_pas: Make single-PD handling more robust
- libbpf: Fix hypothetical STT_SECTION extern NULL deref case
- clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock
- bpf: Use preempt_count() directly in bpf_send_signal_common()
- lib: 842: Improve error handling in sw842_compress()
- pinctrl: renesas: rza2: Fix missing of_node_put() call
- pinctrl: renesas: rzg2l: Fix missing of_node_put() call
- clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent
- remoteproc: qcom_q6v5_mss: Handle platforms with one power domain
- IB/mad: Check available slots before posting receive WRs
- pinctrl: tegra: Set SFIO mode to Mux Register
- clk: amlogic: g12b: fix cluster A parent data
- clk: amlogic: gxbb: drop non existing 32k clock parent
- clk: amlogic: g12a: fix mmc A peripheral clock
- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1
- power: supply: max77693: Fix wrong conversion of charge input threshold
value
- crypto: nx - Fix uninitialised hv_nxc on error
- mfd: sm501: Switch to BIT() to mitigate integer overflows
- x86/dumpstack: Fix inaccurate unwinding from exception stacks due to
misplaced assignment
- crypto: hisilicon/sec2 - fix for aead auth key length
- clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock
- isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
- soundwire: slave: fix an OF node reference leak in soundwire slave device
- coresight: catu: Fix number of pages while using 64k pages
- iio: accel: mma8452: Ensure error return on failure to matching
oversampling
ratio
- iio: adc: ad7124: Fix comparison of channel configs
- perf units: Fix insufficient array space
- kexec: initialize ELF lowest address to ULONG_MAX
- NFSv4: Don't trigger uneccessary scans for return-on-close delegations
- fuse: fix dax truncate/punch_hole fault path
- i3c: master: svc: Fix missing the IBI rules
- perf python: Fixup description of sample.id event member
- perf python: Decrement the refcount of just created event on failure
- perf python: Don't keep a raw_data pointer to consumed ring buffer space
- perf python: Check if there is space to copy all the event
- fs/procfs: fix the comment above proc_pid_wchan()
- objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
- exfat: fix the infinite loop in exfat_find_last_cluster()
- ksmbd: fix multichannel connection failure
- ring-buffer: Fix bytes_dropped calculation issue
- ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are
invalid
- octeontx2-af: Fix mbox INTR handler when num VFs > 64
- octeontx2-af: Free NIX_AF_INT_VEC_GEN irq
- sched/smt: Always inline sched_smt_active()
- wifi: iwlwifi: fw: allocate chained SG tables for dump
- nvme-tcp: fix possible UAF in nvme_tcp_poll
- nvme-pci: clean up CMBMSC when registering CMB fails
- nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
- affs: generate OFS sequence numbers starting at 1
- affs: don't write overlarge OFS data block size fields
- sched/deadline: Use online cpus for validating runtime
- locking/semaphore: Use wake_q to wake up processes outside lock critical
section
- x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled
- drm/amd: Keep display off while going into S4
- ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx
- can: statistics: use atomic access in hot path
- hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
- riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and
make_call_ra
- ntb: intel: Fix using link status DB's
- netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets
only
- vsock: avoid timeout during connect() if the socket is closing
- tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().
- ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS
- can: flexcan: only change CAN state when link up in system PM
- can: flexcan: disable transceiver during system PM
- mmc: sdhci-brcmstb: Add ability to increase max clock rate for 72116b0
- mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops
- tty: serial: fsl_lpuart: use UARTMODIR register bits for lpuart32 platform
- tty: serial: fsl_lpuart: disable transmitter before changing RS485 related
registers
- platform/x86: ISST: Correct command storage data length
- ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk()
- x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
- mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
- tracing: Ensure module defining synth event cannot be unloaded while
tracing
- tracing: Fix synth event printk format for str fields
- tracing/osnoise: Fix possible recursive locking for cpus_read_lock()
- ext4: don't over-report free space or inodes in statvfs
- jfs: add index corruption check to DT_GETPAGE()
- NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
- mmc: sdhci-brcmstb: use clk_get_rate(base_clk) in PM resume
- mm, slab: remove duplicate kernel-doc comment for ksize()
- tracing: Do not use PERF enums when perf is not defined
- mmc: sdhci-brcmstb: Initialize base_clk to NULL in sdhci_brcmstb_probe()
- Linux 5.15.180
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22025
- nfsd: put dl_stid if fail to queue dl_recall
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-39735
- jfs: fix slab-out-of-bounds read in ea_get()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-37785
- ext4: fix OOB read when checking dotdot dir
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22035
- tracing: Fix use-after-free in print_graph_function_flags during tracer
switching
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22044
- acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22045
- x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2024-46753
- btrfs: handle errors from btrfs_dec_ref() properly
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22050
- usbnet:fix NPE during rx_complete
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2024-46812
- drm/amd/display: Skip inactive planes within
ModeSupportAndSystemConfiguration
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2024-46821
- drm/amd/pm: Fix negative array index read
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22054
- arcnet: Add NULL check in com20020pci_probe()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22055
- net: fix geneve_opt length integer overflow
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22056
- netfilter: nft_tunnel: fix geneve_opt type confusion addition
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22060
- net: mvpp2: Prevent parser TCAM memory corruption
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-38637
- net_sched: skbprio: Remove overly strict queue assertions
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22063
- netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22066
- ASoC: imx-card: Add NULL check in imx_card_probe()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2023-53034
- ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22071
- spufs: fix a leak in spufs_create_context()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22073
- spufs: fix a leak on spufs_new_file() failure
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21994
- ksmbd: fix incorrect validation for num_aces field of smb_acl
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-38575
- ksmbd: use aead_request_free to match aead_request_alloc
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22075
- rtnetlink: Allocate vfinfo size for VF GUIDs when supported
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22079
- ocfs2: validate l_tree_depth to avoid out-of-bounds access
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22081
- fs/ntfs3: Fix a couple integer overflows on 32bit systems
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22086
- RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22089
- RDMA/core: Don't expose hw_counters outside of init net namespace
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-39728
- clk: samsung: Fix UBSAN panic in samsung_clk_init()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-38152
- remoteproc: core: Clear table_sz when rproc_shutdown
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2024-58093
- PCI/ASPM: Fix link state exit during switch upstream function removal
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22097
- drm/vkms: Fix use after free and double free on init error
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-23136
- thermal: int340x: Add NULL check for adev
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-23138
- watch_queue: fix pipe accounting mismatch
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22020
- memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22021
- netfilter: socket: Lookup orig tuple for IPv6 SNAT
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22018
- atm: Fix NULL pointer dereference
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2024-56664
- bpf, sockmap: Fix race between element replace and close()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2024-53144 // CVE-2024-8805
- Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21996
- drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22014
- soc: qcom: pdr: Fix the potential deadlock
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21999
- proc: fix UAF in proc_get_inode()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22008
- regulator: check that dummy regulator has been probed before using it
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22004
- net: atm: fix use after free in lec_send()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22005
- ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22007
- Bluetooth: Fix error code in chan_alloc_skb_cb()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-22010
- RDMA/hns: Fix soft lockup during bt pages loop
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21941
- drm/amd/display: Fix null check for pipe_ctx->plane_state in
resource_build_scaling_params
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21962
- cifs: Fix integer overflow while processing closetimeo mount option
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21963
- cifs: Fix integer overflow while processing acdirmax mount option
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21964
- cifs: Fix integer overflow while processing acregmax mount option
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21968
- drm/amd/display: Fix slab-use-after-free on hdcp_work
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21956
- drm/amd/display: Assign normalized_pix_clk when color depth = 14
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21991
- x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21992
- HID: ignore non-functional sensor in HP 5MP Camera
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21957
- scsi: qla1280: Fix kernel oops when debug level > 2
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21970
- net/mlx5: Bridge, fix the crash caused by LAG state check
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21959
- netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in
insert_tree()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21975
- net/mlx5: handle errors in mlx5_chains_create_table()
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2025-21981
- ice: fix memory leak in aRFS after reset
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2022-49728
- ipv6: Fix signed integer overflow in __ip6_append_data
* Jammy update: v5.15.180 upstream stable release (LP: #2109355) //
CVE-2022-49636
- vlan: fix memory leak in vlan_newlink()
* VM boots slowly with large-BAR GPU Passthrough due to pci/probe.c redundancy
(LP: #2097389)
- PCI: Batch BAR sizing operations
* kexec fails in LPAR when some cpus are disabled (LP: #2075575)
- powerpc/pseries: Fix scv instruction crash with kexec
* CVE-2024-56608
- drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'
* CVE-2024-53168
- net: make sock_inuse_add() available
- sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket
* CVE-2024-56551
- drm/amdgpu: fix usage slab after free
* Packaging resync (LP: #1786013)
- [Packaging] update annotations scripts
-- Stefan Bader <stefan.ba...@canonical.com> Mon, 19 May 2025 12:17:06
+0200
** Changed in: linux (Ubuntu Jammy)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-49636
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-49728
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-53034
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-36945
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-46753
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-46812
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-46821
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-53144
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-53168
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-58093
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-8805
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21941
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21956
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21957
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21959
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21962
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21963
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21964
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21968
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21970
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21975
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21981
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21991
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21992
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21994
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21996
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21999
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22004
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22005
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22007
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22008
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22010
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22014
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22018
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22020
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22021
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22025
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22035
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22044
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22045
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22050
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22054
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22055
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22056
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22060
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22063
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22066
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22071
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22073
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22075
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22079
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22081
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22086
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22089
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-22097
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-2312
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-23136
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-23138
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-37785
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-38152
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-38575
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-38637
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-39728
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-39735
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2097389
Title:
VM boots slowly with large-BAR GPU Passthrough due to pci/probe.c
redundancy
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Jammy:
Fix Released
Status in linux source package in Noble:
Fix Released
Status in linux source package in Oracular:
Fix Released
Bug description:
SRU Justification:
[ Impact ]
VM guests that have large-BAR GPUs passed through to them will take 2x
as long to initialize all device BARs without this patch
[ Test Plan ]
I verified that this patch applies cleanly to the Noble kernel
and resolves the bug on DGX H100 and DGX A100. I observed no regressions.
This can be verified on any machine with a sufficiently large BAR and the
capability to pass through to a VM using vfio.
To verify no regressions, I applied this patch to the guest kernel, then
rebooted and confirmed that:
1. The measured PCI initialization time on boot was ~50% of the unmodified
kernel
2. Relevant parts of /proc/iomem mappings, the PCI init section of dmesg
output, and lspci -vv output remained unchanged between the system with the
unmodified kernel and with the patched kernel
3. The Nvidia driver still successfully loaded and was shown via nvidia-smi
after the patch was applied
[ Fix ]
Roughly half of the time consuming device configuration options invoked during
the PCI probe function can be eliminated by rearranging the memory and I/O
disable/enable
calls such that they only occur per-device rather than per-BAR. This is what
the upstream
patch does, and it results in roughly half the excess initialization time
being eliminated
reliably during VM boot.
[ Where problems could occur ]
I do not expect any regressions. The only callers of ABIs changed by
this patch are also adjusted within this patch, and the functional
change only removes entirely redundant calls to disable/enable PCI
memory/IO.
[ Additional Context ]
Upstream patch:
https://lore.kernel.org/all/20250111210652.402845-1-alex.william...@redhat.com/
Upstream bug report:
https://lore.kernel.org/all/cahta-uyp07fgm6t1ozqkqadsa5jrzo0reneyzgqzub4mdrr...@mail.gmail.com/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2097389/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
