This bug was fixed in the package linux-gcp - 6.14.0-1014.15
---------------
linux-gcp (6.14.0-1014.15) plucky; urgency=medium
* plucky/linux-gcp: 6.14.0-1014.15 -proposed tracker (LP: #2117633)
* Packaging resync (LP: #1786013)
- [Packaging] debian.gcp/dkms-versions -- update from kernel-versions
(main/2025.07.14)
* linux-gcp: NVIDIA Grace platform support (LP: #2111859)
- arch_topology: init capacity_freq_ref to 0
- cpufreq: Allow arch_freq_get_on_cpu to return an error
- cpufreq: Introduce an optional cpuinfo_avg_freq sysfs entry
- arm64: Provide an AMU-based version of arch_freq_get_on_cpu
- arm64: Update AMU-based freq scale factor on entering idle
- arm64: Utilize for_each_cpu_wrap for reference lookup
- [Packaging] gcp: enable CONFIG_CPUFREQ_ARCH_CUR_FREQ
- [Packaging] gcp: enable CONFIG_ARM64_CONTPTE
* linux-gcp: move ptp_kvm to linux-modules in GCP kernels (LP: #2110241)
- [Packaging] gcp: Move ptp_kvm module to linux-modules
[ Ubuntu: 6.14.0-28.28 ]
* plucky/linux: 6.14.0-28.28 -proposed tracker (LP: #2117649)
* Packaging resync (LP: #1786013)
- [Packaging] update annotations scripts
- [Packaging] debian.master/dkms-versions -- update from kernel-versions
(main/2025.07.14)
* Dell AIO backlight is not working, dell_uart_backlight module is missing
(LP: #2083800)
- [Config] enable CONFIG_DELL_UART_BACKLIGHT
* integrated I219-LM network adapter appears to be running too fast, causing
synchronization issues when using the I219-LM PTP feature (LP: #2116072)
- e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13
* Audio broken on ThinkPad X13s (LP: #2115898)
- SAUCE: Revert "UBUNTU: SAUCE: Change: cracking sound fix"
* Ubuntu 24.04+ arm64: screen resolution fixed to 1024x768 with last kernel
update (LP: #2115068)
- [Config] Replace FB_HYPERV with DRM_HYPERV
* [SRU][HPE 24.04] Patch Request for HPE iLO7 VGA device for Gen12 Servers
(LP: #2114516)
- drm/mgag200: Added support for the new device G200eH5
* A process exiting with an open /dev/snapshot fd causes a NULL pointer
dereference caught by ubuntu_stress_smoke_test:sut-scan (LP: #2113990)
- libfs: export find_next_child()
- efivarfs: support freeze/thaw
* [SRU] Add support for new hotkey of F9 on Thinkpad X9 (LP: #2115022)
- platform/x86: thinkpad-acpi: Add support for new hotkey for camera
shutter switch
* [SRU] Fix GT0: Engine reset when suspend on Intel LNL (LP: #2114697)
- drm/xe/sched: stop re-submitting signalled jobs
* CVE-2025-38056
- devres: Introduce devm_kmemdup_array()
- ASoC: SOF: Intel: hda: Fix UAF when reloading module
* Handle IOMMU IVRS entries with mismatched UID on AMD Strix or newer
platforms (LP: #2115174)
- iommu/amd: Allow matching ACPI HID devices without matching UIDs
* [UBUNTU 22.04] kernel: Fix z17 elf platform recognition (LP: #2114450)
- s390: Add z17 elf platform
* [UBUNTU 24.04] Kernel: Add CPUMF extended counter set for z17
(LP: #2114258)
- s390/cpumf: Update CPU Measurement facility extended counter set support
* Plucky update: v6.14.8 upstream stable release (LP: #2115266)
- arm64: dts: rockchip: Assign RT5616 MCLK rate on rk3588-friendlyelec-
cm3588
- fs/xattr.c: fix simple_xattr_list to always include security.* xattrs
- drivers/platform/x86/amd: pmf: Check for invalid sideloaded Smart PC
Policies
- drivers/platform/x86/amd: pmf: Check for invalid Smart PC Policies
- x86/amd_node, platform/x86/amd/hsmp: Have HSMP use SMN through AMD_NODE
- platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually exclusive
drivers
- arm64: dts: rockchip: fix Sige5 RTC interrupt pin
- riscv: dts: sophgo: fix DMA data-width configuration for CV18xx
- binfmt_elf: Move brk for static PIE even if ASLR disabled
- platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie
14XA (GX4HRXL)
- platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection
- arm64: dts: imx8mp-var-som: Fix LDO5 shutdown causing SD card timeout
- cgroup/cpuset: Extend kthread_is_per_cpu() check to all
PF_NO_SETAFFINITY tasks
- tracing: fprobe: Fix RCU warning message in list traversal
- tracing: probes: Fix a possible race in trace_probe_log APIs
- tpm: tis: Double the timeout B to 4s
- iio: adc: ad7606: move the software mode configuration
- iio: adc: ad7606: move software functions into common file
- HID: thrustmaster: fix memory leak in thrustmaster_interrupts()
- spi: loopback-test: Do not split 1024-byte hexdumps
- Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags
- drm/meson: Use 1000ULL when operating with mode->clock
- tools/net/ynl: ethtool: fix crash when Hardware Clock info is missing
- tests/ncdevmem: Fix double-free of queue array
- net: mctp: Ensure keys maintain only one ref to corresponding dev
- ALSA: seq: Fix delivery of UMP events to group ports
- ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info
- net: cadence: macb: Fix a possible deadlock in macb_halt_tx.
- net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING
- nvme-pci: make nvme_pci_npages_prp() __always_inline
- nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable
- ALSA: sh: SND_AICA should depend on SH_DMA_API
- net: dsa: b53: prevent standalone from trying to forward to other ports
- vsock/test: Fix occasional failure in SIOCOUTQ tests
- qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd()
- octeontx2-pf: Fix ethtool support for SDP representors
- drm/xe: Save CTX_TIMESTAMP mmio value instead of LRC value
- netlink: specs: tc: fix a couple of attribute names
- netlink: specs: tc: all actions are indexed arrays
- octeontx2-pf: macsec: Fix incorrect max transmit size in TX secy
- net: ethernet: mtk_eth_soc: fix typo for declaration MT7988 ESW
capability
- octeontx2-af: Fix CGX Receive counters
- octeontx2-pf: Do not reallocate all ntuple filters
- tsnep: fix timestamping with a stacked DSA driver
- ublk: fix dead loop when canceling io command
- NFSv4/pnfs: Reset the layout state after a layoutreturn
- dmaengine: Revert "dmaengine: dmatest: Fix dmatest waiting less when
interrupted"
- Revert "kbuild, rust: use -fremap-path-prefix to make paths relative"
- udf: Make sure i_lenExtents is uptodate on inode eviction
- HID: amd_sfh: Fix SRA sensor when it's the only sensor
- LoongArch: Prevent cond_resched() occurring within kernel-fpu
- LoongArch: Move __arch_cpu_idle() to .cpuidle.text section
- LoongArch: Save and restore CSR.CNTC for hibernation
- LoongArch: Fix MAX_REG_OFFSET calculation
- LoongArch: uprobes: Remove user_{en,dis}able_single_step()
- LoongArch: uprobes: Remove redundant code about resume_era
- btrfs: fix discard worker infinite loop after disabling discard
- btrfs: fix folio leak in submit_one_async_extent()
- btrfs: add back warning for mount option commit values exceeding 300
- Revert "drm/amd/display: Hardware cursor changes color when switched to
software cursor"
- drm/tiny: panel-mipi-dbi: Use drm_client_setup_with_fourcc()
- drm/amdgpu: fix incorrect MALL size for GFX1151
- drm/amd/display: Correct the reply value when AUX write incomplete
- drm/amd/display: Avoid flooding unnecessary info messages
- MAINTAINERS: Update Alexey Makhalov's email address
- gpio: pca953x: fix IRQ storm on system wake up
- ACPI: PPTT: Fix processor subtable walk
- ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2()
- ALSA: usb-audio: Add sample rate quirk for Audioengine D1
- ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera
- dma-buf: insert memory barrier before updating num_fences
- arm64: dts: amlogic: dreambox: fix missing clkc_audio node
- arm64: dts: rockchip: Allow Turing RK1 cooling fan to spin down
- arm64: dts: rockchip: Remove overdrive-mode OPPs from RK3588J SoC dtsi
- hv_netvsc: Use vmbus_sendpacket_mpb_desc() to send VMBus messages
- hv_netvsc: Preserve contiguous PFN grouping in the page buffer array
- hv_netvsc: Remove rmsg_pgcnt
- Drivers: hv: Allow vmbus_sendpacket_mpb_desc() to create multiple ranges
- Drivers: hv: vmbus: Remove vmbus_sendpacket_pagebuffer()
- kbuild: Disable -Wdefault-const-init-unsafe
- i2c: designware: Fix an error handling path in i2c_dw_pci_probe()
- ftrace: Fix preemption accounting for stacktrace trigger command
- ftrace: Fix preemption accounting for stacktrace filter command
- x86/sev: Do not touch VMSA pages during SNP guest memory kdump
- x86/sev: Make sure pages are not skipped during kdump
- tracing: samples: Initialize trace_array_printk() with the correct
function
- phy: Fix error handling in tegra_xusb_port_init
- net: dsa: microchip: let phylink manage PHY EEE configuration on KSZ
switches
- net: phy: micrel: remove KSZ9477 EEE quirks now handled by phylink
- phy: renesas: rcar-gen3-usb2: Fix role detection on unbind/bind
- phy: renesas: rcar-gen3-usb2: Set timing registers only once
- scsi: sd_zbc: block: Respect bio vector limits for REPORT ZONES buffer
- smb: client: fix memory leak during error handling for POSIX mkdir
- spi: tegra114: Use value to check for invalid delays
- tpm: Mask TPM RC in tpm2_start_auth_session()
- wifi: mt76: mt7925: fix missing hdr_trans_tlv command for broadcast wtbl
- ring-buffer: Fix persistent buffer when commit page is the reader page
- net: qede: Initialize qede_ll_ops with designated initializer
- io_uring/memmap: don't use page_address() on a highmem page
- io_uring/uring_cmd: fix hybrid polling initialization issue
- mm: hugetlb: fix incorrect fallback for subpool
- mm: userfaultfd: correct dirty flags set for both present and swap pte
- dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure
instead of a local copy
- dmaengine: idxd: fix memory leak in error handling path of
idxd_setup_wqs
- dmaengine: idxd: fix memory leak in error handling path of
idxd_setup_engines
- dmaengine: idxd: fix memory leak in error handling path of
idxd_setup_groups
- dmaengine: idxd: Add missing cleanup for early error out in
idxd_setup_internals
- dmaengine: idxd: Add missing cleanups in cleanup internals
- dmaengine: idxd: Add missing idxd cleanup to fix memory leak in remove
call
- dmaengine: idxd: fix memory leak in error handling path of
idxd_pci_probe
- accel/ivpu: Use workqueue for IRQ handling
- accel/ivpu: Dump only first MMU fault from single context
- accel/ivpu: Move parts of MMU event IRQ handling to thread handler
- accel/ivpu: Fix missing MMU events from reserved SSID
- accel/ivpu: Fix missing MMU events if file_priv is unbound
- accel/ivpu: Flush pending jobs of device's workqueues
- drm/xe/gsc: do not flush the GSC worker from the reset path
- perf tools: Fix build error for LoongArch
- phy: tegra: xusb: remove a stray unlock
- Linux 6.14.8
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38008
- mm/page_alloc: fix race condition in unaccepted memory handling
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38014
- dmaengine: idxd: Refactor remove call with idxd_cleanup() helper
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38015
- dmaengine: idxd: fix memory leak in error handling path of idxd_alloc
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38005
- dmaengine: ti: k3-udma: Add missing locking
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38009
- wifi: mt76: disable napi on driver removal
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38010
- phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38011
- drm/amdgpu: csa unmap use uninterruptible lock
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38016
- HID: bpf: abort dispatch if device destroyed
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38012
- sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38018
- net/tls: fix kernel panic when alloc_page failed
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38019
- mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38013
- wifi: mac80211: Set n_channels after allocating struct
cfg80211_scan_request
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38002
- io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo()
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38027
- regulator: max20086: fix invalid memory access
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38020
- net/mlx5e: Disable MACsec offload for uplink representor profile
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38021
- drm/amd/display: Fix null check of pipe_ctx->plane_state for
update_dchubp_dpp
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38006
- net: mctp: Don't access ifa_index when missing
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-37992
- net_sched: Flush gso_skb list too during ->change()
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38022
- RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device"
problem
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38028
- NFS/localio: Fix a race in nfs_local_open_fh()
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38023
- nfs: handle failure of nfs_get_lock_context in unlock path
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38007
- HID: uclogic: Add NULL check in uclogic_input_configured()
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38024
- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug
* Plucky update: v6.14.8 upstream stable release (LP: #2115266) //
CVE-2025-38025
- iio: adc: ad7606: check for NULL before calling sw_mode_config()
* Plucky update: v6.14.7 upstream stable release (LP: #2115252)
- dm: add missing unlock on in dm_keyslot_evict()
- Revert "btrfs: canonicalize the device path before adding it"
- arm64: dts: imx8mm-verdin: Link reg_usdhc2_vqmmc to usdhc2
- firmware: arm_scmi: Fix timeout checks on polling path
- can: mcan: m_can_class_unregister(): fix order of unregistration calls
- vfio/pci: Align huge faults to order
- can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls
- can: rockchip_canfd: rkcanfd_remove(): fix order of unregistration calls
- s390/entry: Fix last breaking event handling in case of stack corruption
- SAUCE: Revert "sch_htb: make htb_deactivate() idempotent"
- sch_htb: make htb_deactivate() idempotent
- virtio-net: don't re-enable refill work too early when NAPI is disabled
- gre: Fix again IPv6 link-local address generation.
- net: ethernet: mtk_eth_soc: reset all TX queues on DMA free
- net: ethernet: mtk_eth_soc: do not reset PSE when setting FE
- can: mcp251xfd: fix TDC setting for low data bit rates
- can: gw: fix RCU/BH usage in cgw_create_job()
- wifi: mac80211: fix the type of status_code for negotiated TID to Link
Mapping
- ice: use DSN instead of PCI BDF for ice_adapter index
- erofs: ensure the extra temporary copy is valid for shortened bvecs
- net: dsa: b53: allow leaky reserved multicast
- net: dsa: b53: keep CPU port always tagged again
- net: dsa: b53: fix clearing PVID of a port
- net: dsa: b53: fix flushing old pvid VLAN on pvid change
- net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave
- net: dsa: b53: always rejoin default untagged VLAN on bridge leave
- net: dsa: b53: do not allow to configure VLAN 0
- net: dsa: b53: do not program vlans when vlan filtering is off
- net: dsa: b53: fix toggling vlan_filtering
- net: dsa: b53: fix learning on VLAN unaware bridges
- net: dsa: b53: do not set learning and unicast/multicast on up
- fbnic: Fix initialization of mailbox descriptor rings
- fbnic: Gate AXI read/write enabling on FW mailbox
- fbnic: Actually flush_tx instead of stalling out
- fbnic: Cleanup handling of completions
- fbnic: Improve responsiveness of fbnic_mbx_poll_tx_ready
- fbnic: Pull fbnic_fw_xmit_cap_msg use out of interrupt context
- fbnic: Do not allow mailbox to toggle to ready outside
fbnic_mbx_poll_tx_ready
- net: export a helper for adding up queue stats
- virtio-net: fix total qstat values
- Input: cyttsp5 - ensure minimum reset pulse width
- Input: cyttsp5 - fix power control issue on wakeup
- Input: xpad - fix Share button on Xbox One controllers
- Input: xpad - add support for 8BitDo Ultimate 2 Wireless Controller
- Input: xpad - fix two controller table values
- Input: synaptics - enable InterTouch on Dynabook Portege X30-D
- Input: synaptics - enable InterTouch on Dynabook Portege X30L-G
- Input: synaptics - enable InterTouch on Dell Precision M3800
- Input: synaptics - enable SMBus for HP Elitebook 850 G1
- Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5
- rust: clean Rust 1.88.0's `unnecessary_transmutes` lint
- objtool/rust: add one more `noreturn` Rust function for Rust 1.87.0
- rust: clean Rust 1.88.0's warning about `clippy::disallowed_macros`
configuration
- uio_hv_generic: Fix sysfs creation path for ring buffer
- staging: iio: adc: ad7816: Correct conditional logic for store mode
- staging: axis-fifo: Remove hardware resets for user errors
- staging: axis-fifo: Correct handling of tx_fifo_depth for size
validation
- mm: fix folio_pte_batch() on XEN PV
- mm: vmalloc: support more granular vrealloc() sizing
- mm/userfaultfd: fix uninitialized output field for -EAGAIN race
- selftests/mm: compaction_test: support platform with huge mount of
memory
- selftests/mm: fix a build failure on powerpc
- selftests/mm: fix build break when compiling pkey_util.c
- KVM: x86/mmu: Prevent installing hugepages when mem attributes are
changing
- drm/amd/display: Shift DMUB AUX reply command if necessary
- io_uring: ensure deferred completions are flushed for multishot
- iio: adc: ad7768-1: Fix insufficient alignment of timestamp.
- iio: adc: ad7266: Fix potential timestamp alignment issue.
- iio: adc: ad7606: fix serial register access
- iio: adc: rockchip: Fix clock initialization sequence
- iio: adis16201: Correct inclinometer channel resolution
- iio: chemical: sps30: use aligned_s64 for timestamp
- iio: chemical: pms7003: use aligned_s64 for timestamp
- iio: hid-sensor-prox: Restore lost scale assignments
- iio: hid-sensor-prox: support multi-channel SCALE calculation
- iio: hid-sensor-prox: Fix incorrect OFFSET calculation
- iio: imu: inv_mpu6050: align buffer for timestamp
- iio: pressure: mprls0025pa: use aligned_s64 for timestamp
- Revert "drm/amd: Stop evicting resources on APUs in suspend"
- drm/xe: Add page queue multiplier
- drm/amdgpu: fix pm notifier handling
- drm/amdgpu/vcn: using separate VCN1_AON_SOC offset
- drm/amd/display: Fix the checking condition in dmub aux handling
- drm/amd/display: Remove incorrect checking in dmub aux handler
- drm/amd/display: Fix wrong handling for AUX_DEFER case
- drm/amd/display: Copy AUX read reply data whenever length > 0
- xhci: dbc: Avoid event polling busyloop if pending rx transfers are
inactive.
- usb: uhci-platform: Make the clock really optional
- xen: swiotlb: Use swiotlb bouncing if kmalloc allocation demands it
- accel/ivpu: Increase state dump msg timeout
- arm64: cpufeature: Move arm64_use_ng_mappings to the .data section to
prevent wrong idmap generation
- clocksource/i8253: Use raw_spinlock_irqsave() in
clockevent_i8253_disable()
- x86/microcode: Consolidate the loader enablement checking
- ocfs2: fix the issue with discontiguous allocation in the global_bitmap
- ocfs2: switch osb->disable_recovery to enum
- ocfs2: implement handshaking with ocfs2 recovery thread
- ocfs2: stop quota recovery before disabling quotas
- usb: dwc3: gadget: Make gadget_wakeup asynchronous
- usb: cdnsp: Fix issue with resuming from L1
- usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version
- usb: gadget: f_ecm: Add get_status callback
- usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN
- usb: gadget: Use get_status callback to set remote wakeup capability
- usb: host: tegra: Prevent host controller crash when OTG port is used
- usb: misc: onboard_usb_dev: fix support for Cypress HX3 hubs
- usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition
- USB: usbtmc: use interruptible sleep in usbtmc_read
- usb: usbtmc: Fix erroneous get_stb ioctl error returns
- usb: usbtmc: Fix erroneous wait_srq ioctl return
- usb: usbtmc: Fix erroneous generic_read ioctl return
- iio: imu: bmi270: fix initial sampling frequency configuration
- iio: accel: adxl367: fix setting odr for activity time update
- iio: temp: maxim-thermocouple: Fix potential lack of DMA safe buffer.
- iio: accel: adxl355: Make timestamp 64-bit aligned using aligned_s64
- iio: adc: dln2: Use aligned_s64 for timestamp
- timekeeping: Prevent coarse clocks going backwards
- accel/ivpu: Separate DB ID and CMDQ ID allocations from CMDQ allocation
- accel/ivpu: Correct mutex unlock order in job submission
- MIPS: Fix MAX_REG_OFFSET
- riscv: misaligned: Add handling for ZCB instructions
- loop: factor out a loop_assign_backing_file helper
- loop: Add sanity check for read/write_iter
- drm/panel: simple: Update timings for AUO G101EVN010
- nvme: unblock ctrl state transition for firmware update
- riscv: misaligned: factorize trap handling
- riscv: misaligned: enable IRQs while handling misaligned accesses
- riscv: Disallow PR_GET_TAGGED_ADDR_CTRL without Supm
- drm/xe/tests/mocs: Hold XE_FORCEWAKE_ALL for LNCF regs
- drm/xe: Release force wake first then runtime power
- io_uring/sqpoll: Increase task_work submission batch size
- do_umount(): add missing barrier before refcount checks in sync case
- rust: allow Rust 1.87.0's `clippy::ptr_eq` lint
- rust: clean Rust 1.88.0's `clippy::uninlined_format_args` lint
- io_uring: always arm linked timeouts prior to issue
- Bluetooth: btmtk: Remove the resetting step before downloading the fw
- mm: page_alloc: don't steal single pages from biggest buddy
- mm: page_alloc: speed up fallbacks in rmqueue_bulk()
- arm64: insn: Add support for encoding DSB
- arm64: proton-pack: Expose whether the platform is mitigated by firmware
- arm64: proton-pack: Expose whether the branchy loop k value
- arm64: proton-pack: Add new CPUs 'k' values for branch mitigation
- x86/bpf: Call branch history clearing sequence on exit
- x86/bpf: Add IBHF call at end of classic BPF
- x86/bhi: Do not set BHI_DIS_S in 32-bit mode
- Documentation: x86/bugs/its: Add ITS documentation
- x86/its: Enumerate Indirect Target Selection (ITS) bug
- x86/its: Add support for ITS-safe indirect thunk
- x86/its: Add support for ITS-safe return thunk
- x86/its: Enable Indirect Target Selection mitigation
- [Config] enable MITIGATION_ITS
- x86/its: Add "vmexit" option to skip mitigation on some CPUs
- x86/its: Add support for RSB stuffing mitigation
- x86/its: Align RETs in BHB clear sequence to avoid thunking
- x86/ibt: Keep IBT disabled during alternative patching
- x86/its: Use dynamic thunks for indirect branches
- selftest/x86/bugs: Add selftests for ITS
- x86/its: Fix build errors when CONFIG_MODULES=n
- x86/its: FineIBT-paranoid vs ITS
- Linux 6.14.7
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37963
- arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37948
- arm64: bpf: Add BHB mitigation to the epilogue for cBPF programs
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37994
- usb: typec: ucsi: displayport: Fix NULL pointer access
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37967
- usb: typec: ucsi: displayport: Fix deadlock
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37950
- ocfs2: fix panic in failed foilio allocation
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37995
- module: ensure that kobject_put() is safe for module type kobjects
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37960
- memblock: Accept allocated memory before use in memblock_double_array()
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37996
- KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37949
- xenbus: Use kref to track req lifetime
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37954
- smb: client: Avoid race in open_cached_dir with lease breaks
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37965
- drm/amd/display: Fix invalid context error in dml helper
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37951
- drm/v3d: Add job to pending list if the reset was skipped
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37968
- iio: light: opt3001: fix deadlock due to concurrent flag access
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37969
- iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37970
- iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37966
- riscv: Fix kernel crash due to PR_SET_TAGGED_ADDR_CTRL
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37957
- KVM: SVM: Forcibly leave SMM mode on SHUTDOWN interception
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37958
- mm/huge_memory: fix dereferencing invalid pmd migration entry
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37964
- x86/mm: Eliminate window where TLB flushes may be inadvertently skipped
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37971
- staging: bcm2835-camera: Initialise dev in v4l2_dev
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37972
- Input: mtk-pmic-keys - fix possible null pointer dereference
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37959
- bpf: Scrub packet on bpf_redirect_peer
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37961
- ipvs: fix uninit-value for saddr in do_output_route4
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37993
- can: m_can: m_can_class_allocate_dev(): initialize spin lock on device
probe
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37955
- virtio-net: free xsk_buffs on error in virtnet_xsk_pool_enable()
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37962
- ksmbd: fix memory leak in parse_lease_state()
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37998
- openvswitch: Fix unsafe attribute parsing in output_userspace()
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37952
- ksmbd: Fix UAF in __close_file_table_ids
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37947
- ksmbd: prevent out-of-bounds stream writes by validating *pos
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37956
- ksmbd: prevent rename with empty string
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37973
- wifi: cfg80211: fix out-of-bounds access during multi-link element
defragmentation
* Plucky update: v6.14.7 upstream stable release (LP: #2115252) //
CVE-2025-37999
- fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()
* Creating a VXLAN interface with a Fan mapping causes a NULL pointer
dereference caught by ubuntu_fan_smoke_test:sut-scan (LP: #2113992)
- SAUCE: fan: vxlan: parse fan-map from IFLA_VXLAN_FAN_MAP attribute ID
* [Regression Updates] "PCI: Explicitly put devices into D0 when
initializing" breaks pci-pass-through in QEMU/KVM (LP: #2117494)
- PCI/PM: Set up runtime PM even for devices without PCI PM
* [UBUNTU 25.04] lszcrypt output shows no cards because ap module has to be
loaded manually (LP: #2116061)
- [Config] s390: Build ap driver into the kernel
* CVE-2025-38083
- net_sched: prio: fix a race in prio_tune()
-- Tim Whisonant <[email protected]>  Fri, 25 Jul 2025 10:38:12 -0700
--
https://bugs.launchpad.net/bugs/2113990
Title:
A process exiting with an open /dev/snapshot fd causes a NULL pointer
dereference caught by ubuntu_stress_smoke_test:sut-scan
Status in linux package in Ubuntu:
Invalid
Status in linux-gcp package in Ubuntu:
Invalid
Status in linux source package in Plucky:
Fix Released
Status in linux-gcp source package in Plucky:
Fix Released
Bug description:
SRU Justification:
[Impact]
When a process exits while still holding an open file descriptor to
/dev/snapshot, a NULL pointer dereference occurs in
efivarfs_pm_notify().
[ 166.826999] BUG: kernel NULL pointer dereference, address: 0000000000000028
[ 166.830942] #PF: supervisor read access in kernel mode
[ 166.831702] #PF: error_code(0x0000) - not-present page
...
[ 166.861222] vfs_kern_mount+0x13/0x40
[ 166.861797] efivarfs_pm_notify+0xfe/0x130
[ 166.862442] ? __pfx_efivarfs_actor+0x10/0x10
[ 166.863098] notifier_call_chain+0x5e/0xe0
[ 166.863723] blocking_notifier_call_chain+0x41/0x70
[ 166.864474] pm_notifier_call_chain+0x1a/0x30
[ 166.865053] snapshot_release+0x71/0xb0
...
This issue was introduced by commit 11092db5b573 ("efivarfs: fix NULL
dereference on resume") in 6.14, which was an effort to fix a bug
introduced by b5d1e6ee761a ("efivarfs: add variable resync after
hibernation") in 6.14.
[Fix]
This issue affects plucky:linux only. It is resolved by cherry picking
commit 0e4f9483959b ("efivarfs: support freeze/thaw") from upstream,
with a simple backport of its dependency 33445d6fc520 ("libfs: export
find_next_child()").
[Test Plan]
The issue is triggered with a simple C reproducer:
root@plucky:~# cat test.c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main() {
    int fd;

    /* Open the snapshot device, then exit with the fd still open. */
    fd = open("/dev/snapshot", O_RDONLY);
    if (fd < 0) /* open() returns -1 on failure, not 0 */
        perror("open");

    return 0;
}
root@plucky:~# gcc -o test test.c
root@plucky:~# ./test
This can be used to verify the issue has been resolved. With these two
patches, it is expected that a NULL pointer dereference does not
occur, as it does without them.
[What could go wrong]
These changes primarily affect the EFI variable filesystem
implementation. Errors could manifest as misbehavior of the EFI
variable sysfs nodes, particularly during system suspend and resume.
--------------- above SRU justification added by ~jacobmartin
---------------
SRU cycle 2025.05.19 regression test results showed a kernel panic
caused by test ubuntu_stress_smoke_test:sut-scan for plucky:linux-gcp
6.14.0-1008.8
The failure was subsequently determined to affect the generic kernel
as well.
RIP: 0010:alloc_fs_context+0x98/0x2c0
[ 657.299494] Code: 49 89 47 28 48 8b 82 80 0c 00 00 48 85 c0 74 0f c7 80 a8
00 00 00 00 00 00 00 f0 48 83 00 01 49 89 47 58 48 8b 82 e8 0c 00 00 <4c> 8b 70
28 b8 01 00 00 00 49 8d be 8c 00 00 00 f0 41 0f c1 86 8c
RSP: 0018:ff3ecfe6c0e2f9e8 EFLAGS: 00010202
[ 657.323687] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
0000000000000000
RDX: ff2f619768b20000 RSI: 0000000000000000 RDI:
0000000000000000
[ 657.338157] RBP: ff3ecfe6c0e2fa18 R08: 0000000000000000 R09:
0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12:
ffffffff99cae940
[ 657.352621] R13: 0000000000000000 R14: 0000000000000000 R15:
ff2f6196c030f480
FS: 0000000000000000(0000) GS:ff2f6199b0c80000(0000)
knlGS:0000000000000000
[ 657.368129] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 000000024c840001 CR4:
0000000000371ef0
[ 657.381315] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7:
0000000000000400
[ 657.395782] Call Trace:
<TASK>
[ 657.400532] fs_context_for_mount+0x17/0x30
[ 657.406199] vfs_kern_mount.part.0+0x19/0xd0
vfs_kern_mount+0x13/0x40
[ 657.414338] efivarfs_pm_notify+0xfe/0x130
? __pfx_efivarfs_actor+0x10/0x10
[ 657.422994] notifier_call_chain+0x5e/0xc0
blocking_notifier_call_chain+0x41/0x70
[ 657.432171] pm_notifier_call_chain+0x1a/0x30
snapshot_release+0x71/0xb0
[ 657.440577] __fput+0xea/0x2d0
____fput+0x15/0x20
[ 657.447148] task_work_run+0x61/0xb0
do_exit+0x26e/0x4b0
[ 657.454153] ? do_syscall_64+0x8a/0x170
do_group_exit+0x34/0x90
[ 657.461766] __x64_sys_exit_group+0x18/0x20
x64_sys_call+0x141e/0x2310
[ 657.470019] do_syscall_64+0x7e/0x170
? do_read_fault+0xeb/0x1e0
[ 657.477715] ? do_fault+0x151/0x210
? handle_pte_fault+0x97/0x1f0
[ 657.485541] ? __handle_mm_fault+0x3d2/0x7a0
? __count_memcg_events+0xd8/0x1a0
[ 657.494454] ? count_memcg_events.constprop.0+0x2a/0x50
? handle_mm_fault+0x1b1/0x2d0
[ 657.503978] ? do_user_addr_fault+0x5af/0x7b0
? arch_exit_to_user_mode_prepare.isra.0+0x22/0xd0
[ 657.515410] ? irqentry_exit_to_user_mode+0x2d/0x1d0
? irqentry_exit+0x21/0x40
[ 657.524324] ? clear_bhb_loop+0x15/0x70
? clear_bhb_loop+0x15/0x70
[ 657.532199] ? clear_bhb_loop+0x15/0x70
entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 657.541287] RIP: 0033:0x7676cf8f668d
Code: Unable to access opcode bytes at 0x7676cf8f6663.
[ 657.551257] RSP: 002b:00007ffd4c78a648 EFLAGS: 00000246 ORIG_RAX:
00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000800 RCX:
00007676cf8f668d
[ 657.566178] RDX: 00000000000000e7 RSI: ffffffffffffff80 RDI:
0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09:
0000000000000000
[ 657.580649] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000059682f00
R13: 0000000000000001 R14: 00006373fc42ac80 R15:
00007676cfbb43b0
[ 657.595119] </TASK>
[ 657.597402] Modules linked in: vfio_iommu_type1 vfio iommufd
vhost_vsock vhost_net snd_seq vhost snd_seq_device snd_timer snd vhost_iotlb
tap soundcore zfs(PO) spl(O) cuse dccp_ipv4 dccp atm sm3_generic sm3_avx_x86_64
sm3 poly1305_generic poly1305_x86_64 nhpoly1305_avx2 nhpoly1305_sse2 nhpoly1305
libpoly1305 michael_mic md4 streebog_generic rmd160 crc32_generic cmac
algif_rng twofish_generic twofish_avx_x86_64 twofish_x86_64_3way twofish_x86_64
twofish_common serpent_avx2 serpent_avx_x86_64 serpent_sse2_x86_64
serpent_generic fcrypt cast6_avx_x86_64 cast6_generic cast5_avx_x86_64
cast5_generic cast_common camellia_generic camellia_aesni_avx2
camellia_aesni_avx_x86_64 camellia_x86_64 blowfish_generic blowfish_x86_64
blowfish_common ecrdsa_generic algif_skcipher algif_hash
aria_gfni_avx512_x86_64 aria_aesni_avx2_x86_64 aria_aesni_avx_x86_64
aria_generic sm4_generic sm4_aesni_avx2_x86_64 sm4_aesni_avx_x86_64 sm4 ccm
des3_ede_x86_64 des_generic libdes authenc aegis128 aegis128_aesni algif_aead
af_alg binfmt_misc 8021q
[ 657.597470] garp mrp stp llc nls_iso8859_1 input_leds
sch_fq_codel nvme_fabrics efi_pstore dm_multipath vsock_loopback
vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci
dmi_sysfs ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456
async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1
raid0 linear polyval_clmulni polyval_generic ghash_clmulni_intel sha256_ssse3
psmouse sha1_ssse3 serio_raw gve virtio_rng aesni_intel crypto_simd cryptd
[ 657.734115] CR2: 0000000000000028
[ 657.738915] ---[ end trace 0000000000000000 ]---
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2113990/+subscriptions
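For the verification step in the test plan, the kernel log captured after running the reproducer can be checked for this oops mechanically. The following is an added example, not part of the original report or of the kernel project: the function names and the matching heuristic (kernel RIP in alloc_fs_context, CR2 in the first page, efivarfs_pm_notify called beneath snapshot_release) are assumptions derived from the trace above, and the sample input is a constructed, cleaned excerpt of that trace.

```python
import re

# Constructed input: cleaned excerpt of the oops quoted in this report.
SAMPLE_OOPS = """\
RIP: 0010:alloc_fs_context+0x98/0x2c0
[ 657.323687] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
CR2: 0000000000000028 CR3: 000000024c840001 CR4: 0000000000371ef0
[ 657.395782] Call Trace:
<TASK>
[ 657.400532] fs_context_for_mount+0x17/0x30
[ 657.406199] vfs_kern_mount.part.0+0x19/0xd0
vfs_kern_mount+0x13/0x40
[ 657.414338] efivarfs_pm_notify+0xfe/0x130
? __pfx_efivarfs_actor+0x10/0x10
[ 657.422994] notifier_call_chain+0x5e/0xc0
blocking_notifier_call_chain+0x41/0x70
[ 657.432171] pm_notifier_call_chain+0x1a/0x30
snapshot_release+0x71/0xb0
[ 657.440577] __fput+0xea/0x2d0
[ 657.595119] </TASK>
"""

TS = r"(?:\[\s*\d+\.\d+\]\s*)?"          # optional printk timestamp
FRAME = re.compile(r"^" + TS + r"(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_oops(text):
    """Return (kernel RIP symbol, CR2 value, reliable frames newest-first)."""
    rip = re.search(r"RIP: 0010:([\w.]+)\+0x", text)
    cr2 = re.search(r"CR2: ([0-9a-f]{16})", text)
    frames, in_trace = [], False
    for line in text.splitlines():
        if "</TASK>" in line:
            break
        if "<TASK>" in line:
            in_trace = True
            continue
        m = FRAME.match(line.strip()) if in_trace else None
        if m and not m.group(1):          # '?' marks an unreliable frame
            frames.append(m.group(2))
    return (rip.group(1) if rip else None,
            int(cr2.group(1), 16) if cr2 else None, frames)

def matches_efivarfs_snapshot_oops(text):
    """True if text carries this bug's signature (heuristic, an assumption)."""
    rip, cr2, frames = parse_oops(text)
    if rip != "alloc_fs_context" or cr2 is None or cr2 >= 0x1000:
        return False                      # no first-page (NULL + offset) fault here
    if "efivarfs_pm_notify" not in frames or "snapshot_release" not in frames:
        return False
    # Newest-first order: the efivarfs notifier must run beneath the release path.
    return frames.index("efivarfs_pm_notify") < frames.index("snapshot_release")
```

Pass it the kernel log text collected after `./test` exits; on a kernel carrying the two patches the expected result is False.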