This bug was fixed in the package linux - 6.14.0-24.24
---------------
linux (6.14.0-24.24) plucky; urgency=medium
* plucky/linux: 6.14.0-24.24 -proposed tracker (LP: #2114501)
* Packaging resync (LP: #1786013)
- [Packaging] update variants
- [Packaging] update annotations scripts
- [Packaging] debian.master/dkms-versions -- update from kernel-versions
(main/2025.06.16)
* Apple spi keyboard/trackpad not working 25.04 (LP: #2107976)
- iommu/vt-d: Restore context entry setup order for aliased devices
* Unexpected system reboot at loading GUI session on some AMD platforms
(LP: #2112462)
- drm/amdgpu/hdp4: use memcfg register to post the write for HDP flush
- drm/amdgpu/hdp5: use memcfg register to post the write for HDP flush
- drm/amdgpu/hdp5.2: use memcfg register to post the write for HDP flush
- drm/amdgpu/hdp6: use memcfg register to post the write for HDP flush
- drm/amdgpu/hdp7: use memcfg register to post the write for HDP flush
* Fix ARL-U/H suspend issues (LP: #2112469)
- platform/x86/intel/pmc: Remove duplicate enum
- platform/x86:intel/pmc: Make tgl_core_generic_init() static
- platform/x86:intel/pmc: Create generic_core_init() for all platforms
- platform/x86/intel/pmc: Remove simple init functions
- platform/x86/intel/pmc: Add Arrow Lake U/H support to intel_pmc_core
driver
- platform/x86/intel/pmc: Fix Arrow Lake U/H NPU PCI ID
* [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove
(LP: #2114174)
- s390/pci: Remove redundant bus removal and disable from
zpci_release_device()
- s390/pci: Prevent self deletion in disable_slot()
- s390/pci: Allow re-add of a reserved but not yet removed device
- s390/pci: Serialize device addition and removal
* [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove
(LP: #2114174) // CVE-2025-37946
- s390/pci: Fix duplicate pci_dev_put() in disable_slot() when PF has
child VFs
* [UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after remove
(LP: #2114174) // CVE-2025-37974
- s390/pci: Fix missing check for zpci_create_device() error return
* HW accelerated video playback causes VCN timeout on VCN 4.0.5 (AMD Strix)
(LP: #2112582)
- drm/amdgpu: read back register after written for VCN v4.0.5
* kvmppc_set_passthru_irq_hv: Could not assign IRQ map traces are seen when
pci device is attached to kvm guest when "xive=off" is set (LP: #2109951)
- KVM: PPC: Book3S HV: Fix IRQ map warnings with XICS on pSeries KVM Guest
* System will restart while resuming with SATA HDD or nvme installed with
password set (LP: #2110090)
- PCI: Explicitly put devices into D0 when initializing
* VM boots slowly with large-BAR GPU Passthrough (Root Cause Fix SRU)
(LP: #2111861)
- mm: Provide address mask in struct follow_pfnmap_args
- vfio/type1: Convert all vaddr_get_pfns() callers to use vfio_batch
- vfio/type1: Catch zero from pin_user_pages_remote()
- vfio/type1: Use vfio_batch for vaddr_get_pfns()
- vfio/type1: Use consistent types for page counts
- vfio/type1: Use mapping page mask for pfnmaps
* Plucky update: v6.14.6 upstream stable release (LP: #2113881)
- Revert "rndis_host: Flag RNDIS modems as WWAN devices"
- ALSA: hda/realtek - Add more HP laptops which need mute led fixup
- ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()
- ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset
- ASoC: renesas: rz-ssi: Use NOIRQ_SYSTEM_SLEEP_PM_OPS()
- btrfs: fix COW handling in run_delalloc_nocow()
- cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode
- drm/fdinfo: Protect against driver unbind
- EDAC/altera: Test the correct error reg offset
- EDAC/altera: Set DDR and SDMMC interrupt mask before registration
- i2c: imx-lpi2c: Fix clock count when probe defers
- pinctrl: airoha: fix wrong PHY LED mapping and PHY2 LED defines
- perf/x86/intel: Only check the group flag for X86 leader
- amd-xgbe: Fix to ensure dependent features are toggled with RX checksum
offload
- mm/memblock: pass size instead of end to memblock_set_node()
- mm/memblock: repeat setting reserved region nid if array is doubled
- mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe
- spi: tegra114: Don't fail set_cs_timing when delays are zero
- tracing: Do not take trace_event_sem in print_event_fields()
- x86/boot/sev: Support memory acceptance in the EFI stub under SVSM
- dm-integrity: fix a warning on invalid table line
- dm: always update the array size in realloc_argv on success
- drm/amdgpu: Fix offset for HDP remap in nbio v7.11
- drm: Select DRM_KMS_HELPER from DRM_DEBUG_DP_MST_TOPOLOGY_REFS
- iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream
ids
- iommu/arm-smmu-v3: Fix pgsize_bit for sva domains
- iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57)
- platform/x86/amd: pmc: Require at least 2.5 seconds between HW sleep
cycles
- platform/x86/intel-uncore-freq: Fix missing uncore sysfs during CPU
hotplug
- smb: client: fix zero length for mkdir POSIX create context
- cpufreq: Avoid using inconsistent policy->min and policy->max
- cpufreq: Fix setting policy limits when frequency tables are used
- bcachefs: Remove incorrect __counted_by annotation
- drm/amd/display: Default IPS to RCG_IN_ACTIVE_IPS2_IN_OFF
- ASoC: soc-core: Stop using of_property_read_bool() for non-boolean
properties
- ASoC: cs-amp-lib-test: Don't select SND_SOC_CS_AMP_LIB
- firmware: cs_dsp: tests: Depend on FW_CS_DSP rather then enabling it
- ASoC: soc-pcm: Fix hw_params() and DAPM widget sequence
- Revert "UBUNTU: SAUCE: powerpc64/ftrace: fix module loading without
patchable function entries"
- pinctrl: imx: Return NULL if no group is matched and found
- powerpc/boot: Check for ld-option support
- ASoC: Intel: sof_sdw: Add NULL check in asoc_sdw_rt_dmic_rtd_init()
- iommu/arm-smmu-v3: Add missing S2FWB feature detection
- ALSA: hda/realtek - Enable speaker for HP platform
- drm/i915/pxp: fix undefined reference to
`intel_pxp_gsccs_is_ready_for_sessions'
- wifi: iwlwifi: back off on continuous errors
- wifi: iwlwifi: don't warn if the NIC is gone in resume
- wifi: iwlwifi: fix the check for the SCRATCH register upon resume
- powerpc/boot: Fix dash warning
- xsk: Fix offset calculation in unaligned mode
- net/mlx5e: Use custom tunnel header for vxlan gbp
- net/mlx5: E-Switch, Initialize MAC Address for Default GID
- net/mlx5e: TC, Continue the attr process even if encap entry is invalid
- net/mlx5e: Fix lock order in mlx5e_tx_reporter_ptpsq_unhealthy_recover
- net/mlx5: E-switch, Fix error handling for enabling roce
- accel/ivpu: Correct DCT interrupt handling
- cpufreq: Introduce policy->boost_supported flag
- cpufreq: acpi: Set policy->boost_supported
- cpufreq: ACPI: Re-sync CPU boost state on system resume
- Bluetooth: hci_conn: Fix not setting conn_timeout for Broadcast Receiver
- Bluetooth: hci_conn: Fix not setting timeout for BIG Create Sync
- Bluetooth: btintel_pcie: Avoid redundant buffer allocation
- Bluetooth: btintel_pcie: Add additional to checks to clear TX/RX paths
- Bluetooth: L2CAP: copy RX timestamp to new fragments
- net: mscc: ocelot: delete PVID VLAN when readding it as non-PVID
- octeon_ep_vf: Resolve netdevice usage count issue
- bnxt_en: improve TX timestamping FIFO configuration
- rtase: Modify the condition used to detect overflow in
rtase_calc_time_mitigation
- net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when
advised
- net: ethernet: mtk_eth_soc: sync mtk_clks_source_name array
- pds_core: make pdsc_auxbus_dev_del() void
- pds_core: specify auxiliary_device to be created
- ice: Don't check device type when checking GNSS presence
- ice: Remove unnecessary ice_is_e8xx() functions
- ice: fix Get Tx Topology AQ command error on E830
- idpf: fix offloads support for encapsulated packets
- scsi: ufs: core: Remove redundant query_complete trace
- drm/xe/guc: Fix capture of steering registers
- pinctrl: qcom: Fix PINGROUP definition for sm8750
- nvme-pci: fix queue unquiesce check on slot_reset
- drm/tests: shmem: Fix memleak
- drm/mipi-dbi: Fix blanking for non-16 bit formats
- net: dlink: Correct endianness handling of led_mode
- net: mdio: mux-meson-gxl: set reversed bit when using internal phy
- idpf: fix potential memory leak on kcalloc() failure
- idpf: protect shutdown from reset
- igc: fix lock order in igc_ptp_reset
- net: dsa: felix: fix broken taprio gate states after clock jump
- net: ipv6: fix UDPv6 GSO segmentation with NAT
- ALSA: hda/realtek: Fix built-mic regression on other ASUS models
- bnxt_en: Fix ethtool selftest output in one of the failure cases
- bnxt_en: Add missing skb_mark_for_recycle() in bnxt_rx_vlan()
- bnxt_en: call pci_alloc_irq_vectors() after bnxt_reserve_rings()
- bnxt_en: Fix coredump logic to free allocated buffer
- bnxt_en: Fix ethtool -d byte order for 32-bit values
- nvme-tcp: fix premature queue removal and I/O failover
- nvme-tcp: select CONFIG_TLS from CONFIG_NVME_TCP_TLS
- nvmet-tcp: select CONFIG_TLS from CONFIG_NVME_TARGET_TCP_TLS
- ASoC: stm32: sai: skip useless iterations on kernel rate loop
- ASoC: stm32: sai: add a check on minimal kernel frequency
- bnxt_en: fix module unload sequence
- net: fec: ERR007885 Workaround for conventional TX
- net: hns3: store rx VLAN tag offload state for VF
- net: hns3: fix an interrupt residual problem
- net: hns3: fixed debugfs tm_qset size
- net: hns3: defer calling ptp_clock_register()
- net: vertexcom: mse102x: Fix possible stuck of SPI interrupt
- net: vertexcom: mse102x: Fix LEN_MASK
- net: vertexcom: mse102x: Add range check for CMD_RTS
- net: vertexcom: mse102x: Fix RX error handling
- accel/ivpu: Abort all jobs after command queue unregister
- accel/ivpu: Add handling of VPU_JSM_STATUS_MVNCI_CONTEXT_VIOLATION_HW
- drm/xe: Invalidate L3 read-only cachelines for geometry streams too
- platform/x86: alienware-wmi-wmax: Add support for Alienware m15 R7
- ublk: add helper of ublk_need_map_io()
- ublk: properly serialize all FETCH_REQs
- ublk: move device reset into ublk_ch_release()
- ublk: improve detection and handling of ublk server exit
- ublk: remove __ublk_quiesce_dev()
- ublk: simplify aborting ublk request
- firmware: arm_ffa: Skip Rx buffer ownership release if not acquired
- arm64: dts: imx95: Correct the range of PCIe app-reg region
- ARM: dts: opos6ul: add ksz8081 phy properties
- arm64: dts: st: Adjust interrupt-controller for stm32mp25 SoCs
- arm64: dts: st: Use 128kB size for aliased GIC400 register access on
stm32mp25 SoCs
- block: introduce zone capacity helper
- btrfs: zoned: skip reporting zone for new block group
- kernel: param: rename locate_module_kobject
- kernel: globalize lookup_or_create_module_kobject()
- drivers: base: handle module_kobject creation
- btrfs: expose per-inode stable writes flag
- btrfs: pass struct btrfs_inode to btrfs_read_locked_inode()
- btrfs: pass struct btrfs_inode to btrfs_iget_locked()
- drm/amd/display: Add scoped mutexes for amdgpu_dm_dhcp
- bcachefs: Change btree_insert_node() assertion to error
- dm: fix copying after src array boundaries
- Linux 6.14.6
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37903
- drm/amd/display: Fix slab-use-after-free in hdcp
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37904
- btrfs: fix the inode leak in btrfs_iget()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37905
- firmware: arm_scmi: Balance device refcount when destroying devices
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37906
- ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37907
- accel/ivpu: Fix locking order in ivpu_job_submit
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37908
- mm, slab: clean up slab->obj_exts always
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37933
- octeon_ep: Fix host hang issue during device reboot
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37909
- net: lan743x: Fix memleak issue when GSO enabled
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37910
- ptp: ocp: Fix NULL dereference in Adva board SMA sysfs operations
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37894
- net: use sock_gen_put() when sk_state is TCP_TIME_WAIT
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37934
- ASoC: simple-card-utils: Fix pointer check in
graph_util_parse_link_direction
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37911
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37895
- bnxt_en: Fix error handling path in bnxt_init_chip()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37935
- net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37891
- ALSA: ump: Fix buffer overflow at UMP SysEx message conversion
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37912
- ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37913
- net_sched: qfq: Fix double list add in class with netem as child qdisc
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37914
- net_sched: ets: Fix double list add in class with netem as child qdisc
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37915
- net_sched: drr: Fix double list add in class with netem as child qdisc
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37916
- pds_core: remove write-after-free of client_id
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37917
- net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx
poll
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37918
- Bluetooth: btusb: avoid NULL pointer dereference in skb_dequeue()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37919
- ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37896
- spi: spi-mem: Add fix to avoid divide error
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37920
- xsk: Fix race condition in AF_XDP generic RX path
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37921
- vxlan: vnifilter: Fix unlocked deletion of default FDB entry
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37897
- wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37898
- powerpc64/ftrace: fix module loading without patchable function entries
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37922
- book3s64/radix : Align section vmemmap start address to PAGE_SIZE
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37923
- tracing: Fix oob write in trace_seq_to_buffer()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37899
- ksmbd: fix use-after-free in session logoff
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37924
- ksmbd: fix use-after-free in kerberos authentication
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37926
- ksmbd: fix use-after-free in ksmbd_session_rpc_open
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37900
- iommu: Fix two issues in iommu_copy_struct_from_user()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37927
- iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37928
- dm-bufio: don't schedule in atomic context
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37990
- wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37901
- irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37936
- perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's
value.
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37991
- parisc: Fix double SIGFPE crash
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37929
- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37930
- drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()
* Plucky update: v6.14.6 upstream stable release (LP: #2113881) //
CVE-2025-37931
- btrfs: adjust subpage bit start based on sectorsize
* Support Sony IMX471 camera sensor for Intel IPU7 platforms (LP: #2107320)
- SAUCE: media: ipu-bridge: Support imx471 sensor
* deadlock on cpu_hotplug_lock in __accept_page() (LP: #2109543)
- mm/page_alloc: fix deadlock on cpu_hotplug_lock in __accept_page()
* Plucky fails to boot on (older) Macs (LP: #2105402)
- SAUCE: hack: efi/libstub: enable t14s boot failure hack only on arm64
* CVE-2025-37798
- sch_htb: make htb_qlen_notify() idempotent
- sch_htb: make htb_deactivate() idempotent
- sch_drr: make drr_qlen_notify() idempotent
- sch_hfsc: make hfsc_qlen_notify() idempotent
- sch_qfq: make qfq_qlen_notify() idempotent
- sch_ets: make est_qlen_notify() idempotent
- selftests/tc-testing: Add a test case for FQ_CODEL with HTB parent
- selftests/tc-testing: Add a test case for FQ_CODEL with QFQ parent
- selftests/tc-testing: Add a test case for FQ_CODEL with HFSC parent
- selftests/tc-testing: Add a test case for FQ_CODEL with DRR parent
- selftests/tc-testing: Add a test case for FQ_CODEL with ETS parent
* CVE-2025-37997
- netfilter: ipset: fix region locking in hash types
* CVE-2025-37890
- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child
qdisc
- sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
- net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
-- Mehmet Basaran <[email protected]> Sun, 15 Jun 2025
12:04:06 +0300
** Changed in: linux (Ubuntu Plucky)
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/2114174
Title:
[UBUNTU 24.04] s390/pci: Fix immediate re-add of PCI function after
remove
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Noble:
Fix Released
Status in linux source package in Plucky:
Fix Released
Bug description:
[ Impact ]
s390/pci: Fix immediate re-add of PCI function after remove
A PCI function may be reserved directly after being
deconfigured. If it subsequently returns back in the standby
state Linux may not be able to use the new instance generating
a kernel warning about trying to create an already existing
sysfs file for the IOMMU.
The problem occurs because the new instance of the same
underlying device is created before the prior instance is
completely torn down. This happens because the lifetime of the
PCI device representation in Linux is determined by reference
counts. A driver, the network stack, or even user-space
(including via vfio-pci) may be holding onto the device
representation even after the underlying device is gone.
The solution to this is twofold. Firstly allow re-using the
pre-existing struct zpci_dev and/or struct pci_dev for the newly
re-added instance of the underlying device up until the point
where the struct zpci_dev is fully removed. Secondly serialize
the addition and removal of PCI functions such that re-adding
a new instance, after the old one is already being removed, will
wait for the removal to finish before adding the new instance.
This fix also builds on prior upstream work of serializing state
transitions for PCI devices e.g. from configured to standby.
[ Fix ]
Backport from mainline:
- 0d48566d4b58 s390/pci: rename lock member in struct zpci_dev
- bcb5d6c76903 s390/pci: introduce lock to synchronize state of zpci_dev's
- 6ee600bfbe0f s390/pci: remove hotplug slot when releasing the device
- c4a585e952ca s390/pci: Fix potential double remove of hotplug slot
- 42420c50c68f s390/pci: Fix missing check for zpci_create_device() error
return
- 05a2538f2b48 s390/pci: Fix duplicate pci_dev_put() in disable_slot() when
PF has child VFs
- d76f96332967 s390/pci: Remove redundant bus removal and disable from
zpci_release_device()
- 47c397844869 s390/pci: Prevent self deletion in disable_slot()
- 4b1815a52d7e s390/pci: Allow re-add of a reserved but not yet removed device
- 774a1fa880bc s390/pci: Serialize device addition and removal
[ Test Plan ]
The issue can be reproduced by looking at the behavior of the kernel with respect
to NETH PCI functions. In fact, IBM Z firmware temporarily reserves
NETH PCI functions to check for pending service when the last FID of a
PCHID is deconfigured. When nothing is pending the PCI function is
immediately returned in the standby state, thus triggering this issue
quite reliably.
[ Where Problems Could Occur ]
The fix affects the PCI function lifecycle management in the s390 PCI
hotplug infrastructure, specifically the serialization and reuse logic
of zpci_dev and pci_dev structures during rapid remove and re-add
cycles. An issue with this fix may introduce problems such as stale or
incorrectly reused device state, leading to improper reinitialization
of PCI functions.
---
Description: s390/pci: Fix immediate re-add of PCI function after
remove
Symptom: A PCI function may be reserved directly after being
deconfigured. If it subsequently returns back in the standby
state Linux may not be able to use the new instance generating
a kernel warning about trying to create an already existing
sysfs file for the IOMMU.
Problem: The problem occurs because the new instance of the same
underlying device is created before the prior instance is
completely torn down. This happens because the lifetime of the
PCI device representation in Linux is determined by reference
counts. A driver, the network stack, or even user-space
(including via vfio-pci) may be holding onto the device
representation even after the underlying device is gone.
Solution: The solution to this is twofold. Firstly allow re-using the
pre-existing struct zpci_dev and/or struct pci_dev for the newly
re-added instance of the underlying device up until the point
where the struct zpci_dev is fully removed. Secondly serialize
the addition and removal of PCI functions such that re-adding
a new instance, after the old one is already being removed, will
wait for the removal to finish before adding the new instance.
This fix also builds on prior upstream work of serializing state
transitions for PCI devices e.g. from configured to standby.
Reproduction: This problem was originally found with firmware which
temporarily reserves NETH PCI functions to check for pending
service when the last FID of a PCHID is deconfigured. When
nothing is pending the PCI function is immediately returned in
the standby state, thus triggering this issue quite reliably.
Upstream-ID: 0d48566d4b58946c8e1b0baac0347616060a81c9
bcb5d6c769039c8358a2359e7c3ea5d97ce93108
6ee600bfbe0f818ffb7748d99e9b0c89d0d9f02a
c4a585e952ca403a370586d3f16e8331a7564901
42420c50c68f3e95e90de2479464f420602229fc
05a2538f2b48500cf4e8a0a0ce76623cc5bafcf1
d76f9633296785343d45f85199f4138cb724b6d2
47c397844869ad0e6738afb5879c7492f4691122
4b1815a52d7eb03b3e0e6742c6728bc16a4b2d1d
774a1fa880bc949d88b5ddec9494a13be733dfa8
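
The lifetime problem and the two-part fix described in the bug text, as a small user-space C model. This is an added example, not code from the kernel or from the bug report; fn_dev, reserve_dev, readd_fixed and the other names are hypothetical, and FID 0x42 is a constructed sample.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* User-space model with hypothetical names; not the kernel's s390/pci code. */
enum fn_state { FN_STANDBY = 0, FN_RESERVED };
struct fn_dev {
    unsigned int fid;    /* function ID of the underlying PCI function */
    enum fn_state state;
    int refs;            /* device-list reference plus driver/vfio holders */
    int alive;           /* struct not yet released; its per-FID name exists */
};

#define MAX_DEVS 4
static struct fn_dev devs[MAX_DEVS];
static pthread_mutex_t add_remove_lock = PTHREAD_MUTEX_INITIALIZER;

/* Any instance whose memory (and name) still exists, reserved or not. */
static struct fn_dev *find_alive(unsigned int fid)
{
    for (size_t i = 0; i < MAX_DEVS; i++)
        if (devs[i].alive && devs[i].fid == fid)
            return &devs[i];
    return NULL;
}

/* Create a fresh instance; collides if an old one still owns the name. */
static int create_dev(unsigned int fid)
{
    if (find_alive(fid))
        return -EEXIST;  /* stands in for the duplicate sysfs file warning */
    for (size_t i = 0; i < MAX_DEVS; i++)
        if (!devs[i].alive) {
            devs[i] = (struct fn_dev){ .fid = fid, .refs = 1, .alive = 1 };
            return 0;
        }
    return -ENOMEM;
}

/* The function was reserved: drop the list reference; holders may remain. */
static void reserve_dev(unsigned int fid)
{
    pthread_mutex_lock(&add_remove_lock);
    struct fn_dev *d = find_alive(fid);
    if (d && d->state != FN_RESERVED) {
        d->state = FN_RESERVED;
        if (--d->refs == 0)
            d->alive = 0;  /* last reference gone: fully removed */
    }
    pthread_mutex_unlock(&add_remove_lock);
}

/* Modelled fix: under the add/remove lock, reuse a reserved instance. */
static int readd_fixed(unsigned int fid)
{
    int rc = 0;
    pthread_mutex_lock(&add_remove_lock);
    struct fn_dev *d = find_alive(fid);
    if (d && d->state == FN_RESERVED) {
        d->state = FN_STANDBY;
        d->refs++;         /* the device list holds it again */
    } else {
        rc = create_dev(fid);
    }
    pthread_mutex_unlock(&add_remove_lock);
    return rc;
}

/* Constructed scenario: `holders` extra references survive the reserve.
 * Without the fix the re-add always tries to create a new instance. */
static int scenario(int use_fix, int holders)
{
    memset(devs, 0, sizeof devs);
    create_dev(0x42);
    find_alive(0x42)->refs += holders;
    reserve_dev(0x42);
    return use_fix ? readd_fixed(0x42) : create_dev(0x42);
}

int main(void)
{
    printf("naive: %d, fixed: %d\n", scenario(0, 1), scenario(1, 1));
    return 0;
}
```

With one surviving holder the unfixed path returns -EEXIST while the fixed path reuses the existing instance; with no holders the old instance is fully gone and both paths create a new one.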