This bug was fixed in the package linux - 6.8.0-78.78
---------------
linux (6.8.0-78.78) noble; urgency=medium
* noble/linux: 6.8.0-78.78 -proposed tracker (LP: #2120405)
* Incorrect backport for CVE-2025-21861 causes kernel hangs
(LP: #2120330) // CVE-2025-21861
- mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize()
* Incorrect backport for CVE-2025-21861 causes kernel hangs (LP: #2120330)
- SAUCE: Revert "mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize()"
- mm: migrate_device: use more folio in migrate_device_finalize()
linux (6.8.0-72.72) noble; urgency=medium
* noble/linux: 6.8.0-72.72 -proposed tracker (LP: #2117691)
* Packaging resync (LP: #1786013)
- [Packaging] update annotations scripts
- [Packaging] debian.master/dkms-versions -- update from kernel-versions
(main/2025.07.14)
* NVMe namespace ID mismatch on repeated map/unmap (LP: #2115209)
- nvme: requeue namespace scan on missed AENs
- nvme: re-read ANA log page after ns scan completes
- nvme: fixup scan failure for non-ANA multipath controllers
* integrated I219-LM network adapter appears to be running too fast, causing
synchronization issues when using the I219-LM PTP feature (LP: #2116072)
- e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13
* intel_rapl: support ARL-H hardware (LP: #2115652)
- powercap: intel_rapl_msr: Add PL4 support for ArrowLake-H
* Ubuntu 24.04+ arm64: screen resolution fixed to 1024x768 with last kernel
update (LP: #2115068)
- [Config] Replace FB_HYPERV with DRM_HYPERV
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212)
- arm64: mte: Do not allow PROT_MTE on MAP_HUGETLB user mappings
- xfs: assert a valid limit in xfs_rtfind_forw
- xfs: validate inumber in xfs_iget
- xfs: fix a sloppy memory handling bug in xfs_iroot_realloc
- xfs: fix a typo
- xfs: skip background cowblock trims on inodes open for write
- xfs: don't free cowblocks from under dirty pagecache on unshare
- xfs: merge xfs_attr_leaf_try_add into xfs_attr_leaf_addname
- xfs: return bool from xfs_attr3_leaf_add
- xfs: distinguish extra split from real ENOSPC from xfs_attr3_leaf_split
- xfs: distinguish extra split from real ENOSPC from
xfs_attr_node_try_addname
- xfs: fold xfs_bmap_alloc_userdata into xfs_bmapi_allocate
- xfs: don't ifdef around the exact minlen allocations
- xfs: call xfs_bmap_exact_minlen_extent_alloc from xfs_bmap_btalloc
- xfs: support lowmode allocations in xfs_bmap_exact_minlen_extent_alloc
- xfs: Use try_cmpxchg() in xlog_cil_insert_pcp_aggregate()
- xfs: Remove empty declartion in header file
- xfs: pass the exact range to initialize to xfs_initialize_perag
- xfs: update the file system geometry after recoverying superblock
buffers
- xfs: error out when a superblock buffer update reduces the agcount
- xfs: don't use __GFP_RETRY_MAYFAIL in xfs_initialize_perag
- xfs: update the pag for the last AG at recovery time
- xfs: Reduce unnecessary searches when searching for the best extents
- xfs: streamline xfs_filestream_pick_ag
- xfs: Check for delayed allocations before setting extsize
- md/md-bitmap: replace md_bitmap_status() with a new helper
md_bitmap_get_stats()
- md/md-cluster: fix spares warnings for __le64
- md/md-bitmap: add 'sync_size' into struct md_bitmap_stats
- mm: update mark_victim tracepoints fields
- cpufreq: dt-platdev: add missing MODULE_DESCRIPTION() macro
- cpufreq: fix using cpufreq-dt as module
- Bluetooth: qca: Support downloading board id specific NVM for WCN7850
- Bluetooth: qca: Update firmware-name to support board specific nvm
- Bluetooth: qca: Fix poor RF performance for WCN6855
- Input: serio - define serio_pause_rx guard to pause and resume serio
ports
- ASoC: renesas: rz-ssi: Add a check for negative sample_space
- ASoC: rockchip: i2s-tdm: fix shift config for SND_SOC_DAIFMT_DSP_[AB]
- powerpc/64s/mm: Move __real_pte stubs into hash-4k.h
- powerpc/64s: Rewrite __real_pte() and __rpte_to_hidx() as static inline
- ALSA: seq: Drop UMP events when no UMP-conversion is set
- ibmvnic: Return error code on TX scrq flush fail
- ibmvnic: Introduce send sub-crq direct
- ibmvnic: Add stat for tx direct vs tx batched
- vsock/bpf: Warn on socket without transport
- tcp: adjust rcvq_space after updating scaling ratio
- geneve: Suppress list corruption splat in geneve_destroy_tunnels().
- flow_dissector: Fix handling of mixed port and port-range keys
- flow_dissector: Fix port range key handling in BPF conversion
- net: Add non-RCU dev_getbyhwaddr() helper
- arp: switch to dev_getbyhwaddr() in arp_req_set_public()
- net: axienet: Set mac_managed_pm
- bpf: unify VM_WRITE vs VM_MAYWRITE use in BPF map mmaping logic
- strparser: Add read_sock callback
- bpf: Fix wrong copied_seq calculation
- bpf: Disable non stream socket for strparser
- power: supply: da9150-fg: fix potential overflow
- nouveau/svm: fix missing folio unlock + put after
make_device_exclusive_range()
- drm/msm: Avoid rounding up to one jiffy
- nvme/ioctl: add missing space in err message
- bpf: skip non exist keys in generic_map_lookup_batch
- drm/nouveau/pmu: Fix gp10b firmware guard
- drm/msm/dpu: Disable dither in phys encoder cleanup
- drm/i915: Make sure all planes in use by the joiner have their crtc
included
- drm/i915/dp: Fix error handling during 128b/132b link training
- soc: loongson: loongson2_guts: Add check for devm_kstrdup()
- lib/iov_iter: fix import_iovec_ubuf iovec management
- ASoC: fsl_micfil: Enable default case in micfil_set_quality()
- ALSA: hda: Add error check for snd_ctl_rename_id() in
snd_hda_create_dig_out_ctls()
- ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED
- ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close
- acct: block access to kernel internal filesystems
- mm,madvise,hugetlb: check for 0-length range after end address
adjustment
- mtd: rawnand: cadence: fix error code in cadence_nand_init()
- mtd: rawnand: cadence: use dma_map_resource for sdma address
- mtd: rawnand: cadence: fix incorrect device in dma_unmap_single
- EDAC/qcom: Correct interrupt enable register configuration
- ftrace: Correct preemption accounting for function tracing.
- ftrace: Do not add duplicate entries in subops manager ops
- arm64: dts: rockchip: change eth phy mode to rgmii-id for orangepi r1
plus lts
- x86/cpu/kvm: SRSO: Fix possible missing IBPB on VM-Exit
- KVM: x86: Get vcpu->arch.apic_base directly and drop kvm_get_apic_base()
- KVM: x86: Inline kvm_get_apic_mode() in lapic.h
- KVM: Introduce vcpu->wants_to_run
- KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID
- drm/amd/display: Refactoring if and endif statements to enable DC_LOGGER
- arm64: dts: mt8183: add dpi node to mt8183
- arm64: dts: mt8183: Add port node to dpi node
- arm64: dts: mediatek: mt8183-kukui: Disable DPI display interface
- arm64: dts: mediatek: mt8183: Disable DPI display output by default
- arm64: dts: mediatek: mt8183-pumpkin: add HDMI support
- arm64: dts: mediatek: mt8183: Disable DSI display output by default
- accel/ivpu: Limit FW version string length
- accel/ivpu: Add coredump support
- accel/ivpu: Add FW state dump on TDR
- accel/ivpu: Fix error handling in recovery/reset
- ASoC: SOF: topology: dynamically allocate and store DAI widget->private
- ASoC: SOF: topology: Parse DAI type token for dspless mode
- ASoC: imx-audmix: remove cpu_mclk which is from cpu dai device
- vsock/virtio: fix variables initialization during resuming
- drm/msm/dpu: skip watchdog timer programming through TOP on >= SM8450
- drm/msm/dpu: Don't leak bits_per_component into random DSC_ENC fields
- drm/msm/dsi/phy: Protect PHY_CMN_CLK_CFG0 updated from driver side
- drm/msm/dsi/phy: Protect PHY_CMN_CLK_CFG1 against clock driver
- drm/msm/dsi/phy: Do not overwite PHY_CMN_CLK_CFG1 when choosing bitclk
source
- nvme: tcp: Fix compilation warning with W=1
- nvme-tcp: fix connect failure on receiving partial ICResp PDU
- drm: panel: jd9365da-h3: fix reset signal polarity
- io_uring/rw: forbid multishot async reads
- arm64: dts: rockchip: Fix broken tsadc pinctrl names for rk3588
- arm64: dts: rockchip: Move uart5 pin configuration to px30 ringneck SoM
- arm64: dts: rockchip: Disable DMA for uart5 on px30-ringneck
- s390/boot: Fix ESSA detection
- xfs: fix online repair probing when CONFIG_XFS_ONLINE_REPAIR=n
- smb: client: fix chmod(2) regression with ATTR_READONLY
- tracing: Fix using ret variable in tracing_set_tracer()
- selftests/mm: build with -O2
- Upstream stable to v6.6.80, v6.12.17
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21861
- mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize()
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21868
- net: allow small head cache usage with large MAX_SKB_FRAGS values
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21869
- powerpc/code-patching: Disable KASAN report during patching via
temporary mm
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21870
- ASoC: SOF: ipc4-topology: Harden loops for looking up ALH copiers
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21844
- smb: client: Add check for next_buffer in receive_encrypted_standard()
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21846
- acct: perform last write from workqueue
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21847
- ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21848
- nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21862
- drop_monitor: fix incorrect initialization order
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21871
- tee: optee: Fix supplicant wait loop
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21863
- io_uring: prevent opcode speculation
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2024-58088
- bpf: Fix deadlock when freeing cgroup storage
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21853
- bpf: avoid holding freeze_mutex during mmap operation
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21867
- bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21864
- tcp: drop secpath at the same time as we currently drop dst
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21854
- sockmap, vsock: For connectible sockets allow only connected
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21855
- ibmvnic: Don't reference skb after sending to VIOS
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21856
- s390/ism: add release function for struct device
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21857
- net/sched: cls_api: fix error handling causing NULL dereference
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21858
- geneve: Fix use-after-free in geneve_find_dev().
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21866
- powerpc/code-patching: Fix KASAN hit by not flagging text patching area
as VM_ALLOC
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21859
- USB: gadget: f_midi: f_midi_complete to call queue_work
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21746
- Input: synaptics - fix crash when enabling pass-through port
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2024-57977
- memcg: fix soft lockup in the OOM process
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21712
- md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime
* CVE-2024-58093
- PCI/ASPM: Fix link state exit during switch upstream function removal
* [SRU]Request E825-C driver into latest LTS of Ubuntu OS 24.04
(LP: #2114785)
- ice: add support for 3k signing DDP sections for E825C
- ice: Add helper function ice_is_generic_mac
- ice: introduce new E825C devices family
* [UBUNTU 22.04] kernel: Fix z17 elf platform recognition (LP: #2114450)
- s390: Add z17 elf platform
* [UBUNTU 24.04] Kernel: Add CPUMF extended counter set for z17
(LP: #2114258)
- s390/cpumf: Update CPU Measurement facility extended counter set support
* Noble update: upstream stable patchset 2025-06-29 (LP: #2115616)
- nfsd: clear acl_access/acl_default after releasing them
- NFSD: fix hang in nfsd4_shutdown_callback
- pinctrl: cy8c95x0: Respect IRQ trigger settings from firmware
- HID: multitouch: Add NULL check in mt_input_configured
- HID: hid-thrustmaster: fix stack-out-of-bounds read in
usb_check_int_endpoints()
- spi: sn-f-ospi: Fix division by zero
- ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt
- ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu()
- vrf: use RCU protection in l3mdev_l3_out()
- vxlan: check vxlan_vnigroup_init() return value
- LoongArch: Fix idle VS timer enqueue
- LoongArch: csum: Fix OoB access in IP checksum code for negative lengths
- team: better TEAM_OPTION_TYPE_STRING validation
- arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
- cgroup: Remove steal time from usage_usec
- drm/i915/selftests: avoid using uninitialized context
- gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0
- gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ
- gpio: bcm-kona: Add missing newline to dev_err format string
- drm/amdgpu: bail out when failed to load fw in psp_init_cap_microcode()
- xen/swiotlb: relax alignment requirements
- x86/xen: allow larger contiguous memory regions in PV guests
- block: cleanup and fix batch completion adding conditions
- gpiolib: Fix crash on error in gpiochip_get_ngpios()
- tools: fix annoying "mkdir -p ..." logs when building tools in parallel
- RDMA/efa: Reset device on probe failure
- fbdev: omap: use threaded IRQ for LCD DMA
- soc/tegra: fuse: Update Tegra234 nvmem keepout list
- media: cxd2841er: fix 64-bit division on gcc-9
- media: i2c: ds90ub913: Add error handling to ub913_hw_init()
- media: i2c: ds90ub953: Add error handling for i2c reads/writes
- media: uvcvideo: Implement dual stream quirk to fix loss of usb packets
- media: uvcvideo: Add new quirk definition for the Sonix Technology Co.
292a camera
- media: uvcvideo: Add Kurokesu C1 PRO camera
- media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread
- PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P
- PCI: switchtec: Add Microchip PCI100X device IDs
- scsi: ufs: bsg: Set bsg_queue to NULL after removal
- rtla/timerlat_hist: Abort event processing on second signal
- rtla/timerlat_top: Abort event processing on second signal
- vfio/pci: Enable iowrite64 and ioread64 for vfio pci
- NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client()
- Grab mm lock before grabbing pt lock
- selftests: gpio: gpio-sim: Fix missing chip disablements
- ACPI: x86: Add skip i2c clients quirk for Vexia EDU ATLA 10 tablet 5V
- x86/mm/tlb: Only trim the mm_cpumask once a second
- orangefs: fix a oob in orangefs_debug_write
- ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet 5V
- batman-adv: fix panic during interface removal
- batman-adv: Ignore neighbor throughput metrics in error case
- batman-adv: Drop unmanaged ELP metric worker
- drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()
- KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-
kernel
- KVM: nSVM: Enter guest mode before initializing nested NPT MMU
- perf/x86/intel: Ensure LBRs are disabled when a CPU is starting
- usb: gadget: f_midi: Fixing wMaxPacketSize exceeded issue during MIDI
bind retries
- usb: dwc3: Fix timeout issue during controller enter/exit from halt
state
- usb: roles: set switch registered flag early on
- usb: gadget: udc: renesas_usb3: Fix compiler warning
- usb: dwc2: gadget: remove of_node reference upon udc_stop
- USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI
- usb: core: fix pipe creation for get_bMaxPacketSize0
- USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist
- USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone
- usb: gadget: f_midi: fix MIDI Streaming descriptor lengths
- USB: hub: Ignore non-compliant devices with too many configs or
interfaces
- USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk
- usb: cdc-acm: Check control transfer buffer size before access
- usb: cdc-acm: Fix handling of oversized fragments
- USB: serial: option: add MeiG Smart SLM828
- USB: serial: option: add Telit Cinterion FN990B compositions
- USB: serial: option: fix Telit Cinterion FN990A name
- USB: serial: option: drop MeiG Smart defines
- can: ctucanfd: handle skb allocation failure
- can: c_can: fix unbalanced runtime PM disable in error path
- can: j1939: j1939_sk_send_loop(): fix unable to send messages with data
length zero
- can: etas_es58x: fix potential NULL pointer dereference on udev->serial
- alpha: make stack 16-byte aligned (most cases)
- wifi: ath12k: fix handling of 6 GHz rules
- kbuild: userprogs: fix bitsize and target detection on clang
- efi: Avoid cold plugged memory for placing the kernel
- cgroup: fix race between fork and cgroup.kill
- serial: port: Assign ->iotype correctly when ->iobase is set
- serial: port: Always update ->iotype in __uart_read_properties()
- serial: 8250: Fix fifo underflow on flush
- alpha: align stack for page fault and user unaligned trap handlers
- gpiolib: acpi: Add a quirk for Acer Nitro ANV14
- gpio: stmpe: Check return value of stmpe_reg_read in
stmpe_gpio_irq_sync_unlock
- partitions: mac: fix handling of bogus partition table
- regulator: qcom_smd: Add l2, l5 sub-node to mp5496 regulator
- regmap-irq: Add missing kfree()
- arm64: Handle .ARM.attributes section in linker scripts
- mmc: mtk-sd: Fix register settings for hs400(es) mode
- igc: Set buffer type for empty frames in igc_init_empty_frame
- mlxsw: Add return value check for mlxsw_sp_port_get_stats_raw()
- btrfs: fix hole expansion when writing at an offset beyond EOF
- clocksource: Use pr_info() for "Checking clocksource synchronization"
message
- clocksource: Use migrate_disable() to avoid calling get_random_u32() in
atomic context
- ipv4: add RCU protection to ip4_dst_hoplimit()
- net: add dev_net_rcu() helper
- ipv4: use RCU protection in ipv4_default_advmss()
- ipv4: use RCU protection in rt_is_expired()
- ipv4: use RCU protection in inet_select_addr()
- net: ipv4: Cache pmtu for all packet paths if multipath enabled
- ipv4: use RCU protection in __ip_rt_update_pmtu()
- ipv4: icmp: convert to dev_net_rcu()
- flow_dissector: use RCU protection to fetch dev_net()
- ipv6: use RCU protection in ip6_default_advmss()
- ipv6: icmp: convert to dev_net_rcu()
- HID: hid-steam: Add Deck IMU support
- HID: hid-steam: Make sure rumble work is canceled on removal
- HID: hid-steam: Move hidraw input (un)registering to work
- ndisc: use RCU protection in ndisc_alloc_skb()
- neighbour: delete redundant judgment statements
- neighbour: use RCU protection in __neigh_notify()
- arp: use RCU protection in arp_xmit()
- openvswitch: use RCU protection in ovs_vport_cmd_fill_info()
- ndisc: extend RCU protection in ndisc_send_skb()
- ipv6: mcast: extend RCU protection in igmp6_send()
- ipv6: mcast: add RCU protection to mld_newpack()
- drm/tidss: Fix issue in irq handling causing irq-flood issue
- drm/tidss: Clear the interrupt status for interrupts being disabled
- drm/rcar-du: dsi: Fix PHY lock bit check
- drm/v3d: Stop active perfmon if it is being destroyed
- netdevsim: print human readable IP address
- selftests: rtnetlink: update netdevsim ipsec output format
- md/md-bitmap: factor behind write counters out from
bitmap_{start/end}write()
- md/md-bitmap: remove the last parameter for bimtap_ops->endwrite()
- md/md-bitmap: move bitmap_{start, end}write to md upper layer
- mm: gup: fix infinite loop within __get_longterm_locked
- alpha: replace hardcoded stack offsets with autogenerated ones
- HID: hid-steam: Don't use cancel_delayed_work_sync in IRQ context
- io_uring/kbuf: reallocate buf lists on upgrade
- x86/i8253: Disable PIT timer 0 when not in use
- pinctrl: cy8c95x0: Rename PWMSEL to SELPWM
- pinctrl: pinconf-generic: print hex value
- pinctrl: pinconf-generic: Print unsigned value if a format is registered
- idpf: fix handling rsc packet with a single segment
- idpf: call set_real_num_queues in idpf_open
- igc: Fix HW RX timestamp when passed by ZC XDP
- LoongArch: KVM: Fix typo issue about GCFG feature detection
- workqueue: Put the pwq after detaching the rescuer from the pool
- perf/x86/intel: Clean up PEBS-via-PT on hybrid
- drm/xe/client: bo->client does not need bos_lock
- io_uring/waitid: don't abuse io_tw_state
- drm: Fix DSC BPP increment decoding
- i3c: mipi-i3c-hci: Add Intel specific quirk to ring resuming
- i3c: mipi-i3c-hci: Add support for MIPI I3C HCI on PCI bus
- [Config] updateconfigs for MIPI_I3C_HCI_PCI
- serial: 8250_pci: Resolve WCH vendor ID ambiguity
- serial: 8250_pci: Share WCH IDs with parport_serial driver
- fs/ntfs3: Unify inode corruption marking with _ntfs_bad_inode()
- kbuild: suppress stdout from merge_config for silent builds
- KVM: x86: Load DR6 with guest value only before entering .vcpu_run()
loop
- perf/x86/intel: Fix ARCH_PERFMON_NUM_COUNTER_LEAF
- USB: gadget: core: create sysfs link between udc and gadget
- usb: gadget: core: flush gadget workqueue after device removal
- include: net: add static inline dst_dev_overhead() to dst.h
- net: ipv6: ioam6_iptunnel: mitigate 2-realloc issue
- net: ipv6: seg6_iptunnel: mitigate 2-realloc issue
- net: ipv6: rpl_iptunnel: mitigate 2-realloc issue
- net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels
- scsi: ufs: core: Introduce ufshcd_has_pending_tasks()
- scsi: ufs: core: Prepare to introduce a new clock_gating lock
- scsi: ufs: core: Introduce a new clock_gating lock
- scsi: ufs: Fix toggling of clk_gating.state when clock gating is not
allowed
- ipv4: use RCU protection in ip_dst_mtu_maybe_forward()
- drm/tidss: Fix race condition while handling interrupt registers
- drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()
- wifi: rtw89: pci: disable PCIE wake bit when PCIE deinit
- net: ipv6: fix dst refleaks in rpl, seg6 and ioam6 lwtunnels
- scsi: ufs: core: Ensure clk_gating.lock is used only after
initialization
- serial: 8250_dma: terminate correct DMA in tx_dma_flush()
- x86/mm: Eliminate window where TLB flushes may be inadvertently skipped
- HID: hid-steam: Fix use-after-free when detaching device
- block: change blk_mq_add_to_batch() third argument type to bool
- nvme: move error logging from nvme_end_req() to __nvme_end_req()
- Upstream stable to v6.6.79, v6.12.16
* Noble update: upstream stable patchset 2025-06-17 (LP: #2114849)
- ice: Add check for devm_kzalloc()
- io_uring/rw: commit provided buffer state on async
- mptcp: pm: only set fullmesh for subflow endp
- selftests: mptcp: join: fix AF_INET6 variable
- xfs: don't lose solo dquot update transactions
- Upstream stable to v6.6.78, v6.12.15
* [Regression Updates] "PCI: Explicitly put devices into D0 when
initializing" breaks pci-pass-through in QEMU/KVM (LP: #2117494)
- PCI/PM: Set up runtime PM even for devices without PCI PM
* CVE-2025-38083
- net_sched: prio: fix a race in prio_tune()
* CVE-2025-37797
- net_sched: hfsc: Fix a UAF vulnerability in class handling
-- Stefan Bader <[email protected]> Tue, 12 Aug 2025 11:44:16 +0200
** Changed in: linux (Ubuntu Noble)
Status: Fix Committed => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2024-57977
** CVE added: https://cve.org/CVERecord?id=CVE-2024-58088
** CVE added: https://cve.org/CVERecord?id=CVE-2024-58093
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21712
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21746
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21844
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21846
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21847
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21848
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21853
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21854
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21855
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21856
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21857
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21858
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21859
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21861
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21862
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21863
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21864
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21866
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21867
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21868
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21869
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21870
** CVE added: https://cve.org/CVERecord?id=CVE-2025-21871
** CVE added: https://cve.org/CVERecord?id=CVE-2025-37797
** CVE added: https://cve.org/CVERecord?id=CVE-2025-38083
--
https://bugs.launchpad.net/bugs/2120330
Title:
Incorrect backport for CVE-2025-21861 causes kernel hangs
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Noble:
Fix Released
Bug description:
BugLink: https://bugs.launchpad.net/bugs/2120330
[Impact]
The patch for CVE-2025-21861 was incorrectly backported to the noble 6.8
kernel, leading to hangs when freeing device memory.
commit 41cddf83d8b00f29fd105e7a0777366edc69a5cf
Author: David Hildenbrand <[email protected]>
Date: Mon Feb 10 17:13:17 2025 +0100
Subject: mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize()
Link:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=41cddf83d8b00f29fd105e7a0777366edc69a5cf
ubuntu-noble:
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/commit/?id=3858edb1146374f3240d1ec769ba857186531b17
An incorrect backport was performed, causing the old page to be placed
back instead of the new page, e.g.:
src = page_folio(page);
dst = page_folio(newpage);
+ if (!is_zone_device_page(page))
+ putback_lru_page(page);
when in 41cddf83d8b00f29fd105e7a0777366edc69a5cf we have:
+ if (!folio_is_zone_device(dst))
+ folio_add_lru(dst);
in which case, we should really have had the backport as:
+ if (!folio_is_zone_device(newpage))
+ folio_add_lru(newpage);
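Review bot: in these two proposed lines, `newpage` is the struct page that the first fragment passes to page_folio(), while folio_is_zone_device() and folio_add_lru() take a folio. Either pass `dst`, as the lines quoted from 41cddf83d8b00f29fd105e7a0777366edc69a5cf do, or keep the page-based helpers of the first fragment (is_zone_device_page(), putback_lru_page()) and apply them to `newpage` instead of `page`.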
This keeps references alive to the old memory pages, preventing them from
being released and freed.
Stack traces of stuck processes:
PID: 871438 TASK: ffff007d4d668200 CPU: 95 COMMAND: "nvbandwidth"
#0 [ffff80010e8ef840] __switch_to at ffffc0f22798c550
#1 [ffff80010e8ef8a0] __schedule at ffffc0f22798c89c
#2 [ffff80010e8ef900] schedule at ffffc0f22798cd40
#3 [ffff80010e8ef930] schedule_preempt_disabled at ffffc0f22798d388
#4 [ffff80010e8ef9c0] rwsem_down_write_slowpath at ffffc0f227990dc8
#5 [ffff80010e8efa20] down_write at ffffc0f2279912d0
#6 [ffff80010e8efaa0] uvm_va_space_mm_shutdown at ffffc0f1c2a451ec [nvidia_uvm]
#7 [ffff80010e8efb00] uvm_va_space_mm_unregister at ffffc0f1c2a457a0 [nvidia_uvm]
#8 [ffff80010e8efb30] uvm_release at ffffc0f1c2a226d4 [nvidia_uvm]
#9 [ffff80010e8efc00] uvm_release_entry.part.0 at ffffc0f1c2a227dc [nvidia_uvm]
#10 [ffff80010e8efc20] uvm_release_entry at ffffc0f1c2a22850 [nvidia_uvm]
#11 [ffff80010e8efc30] __fput at ffffc0f2269a5760
#12 [ffff80010e8efc70] ____fput at ffffc0f2269a5a80
#13 [ffff80010e8efc80] task_work_run at ffffc0f2265ceedc
#14 [ffff80010e8efcc0] do_exit at ffffc0f2265a0bc8
#15 [ffff80010e8efcf0] do_group_exit at ffffc0f2265a0fec
#16 [ffff80010e8efd50] get_signal at ffffc0f2265b8750
#17 [ffff80010e8efe10] do_signal at ffffc0f22650166c
#18 [ffff80010e8efe40] do_notify_resume at ffffc0f2265018f0
#19 [ffff80010e8efe70] el0_interrupt at ffffc0f227985564
#20 [ffff80010e8efe90] __el0_irq_handler_common at ffffc0f2279855f0
#21 [ffff80010e8efea0] el0t_64_irq_handler at ffffc0f227986080
#22 [ffff80010e8effe0] el0t_64_irq at ffffc0f2264f17fc
PID: 871467 TASK: ffff007f6aa66000 CPU: 66 COMMAND: "UVM GPU4 BH"
#0 [ffff80015ddef580] __switch_to at ffffc0f22798c550
#1 [ffff80015ddef5e0] __schedule at ffffc0f22798c89c
#2 [ffff80015ddef640] schedule at ffffc0f22798cd40
#3 [ffff80015ddef670] io_schedule at ffffc0f22798cec4
#4 [ffff80015ddef6e0] migration_entry_wait_on_locked at ffffc0f22686e3f0
#5 [ffff80015ddef740] migration_entry_wait at ffffc0f22695a6d4
#6 [ffff80015ddef750] do_swap_page at ffffc0f2268d6378
#7 [ffff80015ddef7d0] handle_pte_fault at ffffc0f2268da688
#8 [ffff80015ddef870] __handle_mm_fault at ffffc0f2268da7f8
#9 [ffff80015ddef8b0] handle_mm_fault at ffffc0f2268dab48
#10 [ffff80015ddef910] handle_fault at ffffc0f1c2aace18 [nvidia_uvm]
#11 [ffff80015ddef950] uvm_populate_pageable_vma at ffffc0f1c2aacf24 [nvidia_uvm]
#12 [ffff80015ddef990] migrate_pageable_vma_populate_mask at ffffc0f1c2aad8c0 [nvidia_uvm]
#13 [ffff80015ddefab0] uvm_migrate_pageable at ffffc0f1c2ab0294 [nvidia_uvm]
#14 [ffff80015ddefb90] service_ats_requests at ffffc0f1c2abf828 [nvidia_uvm]
#15 [ffff80015ddefbb0] uvm_ats_service_faults at ffffc0f1c2ac02f0 [nvidia_uvm]
#16 [ffff80015ddefd40] uvm_parent_gpu_service_non_replayable_fault_buffer at ffffc0f1c2a82e00 [nvidia_uvm]
#17 [ffff80015ddefda0] non_replayable_faults_isr_bottom_half at ffffc0f1c2a3c3e4 [nvidia_uvm]
#18 [ffff80015ddefe00] non_replayable_faults_isr_bottom_half_entry at ffffc0f1c2a3c590 [nvidia_uvm]
#19 [ffff80015ddefe20] _main_loop at ffffc0f1c2a207c8 [nvidia_uvm]
#20 [ffff80015ddefe70] kthread at ffffc0f2265d40dc
There is no workaround.
[Fix]
To make things less confusing, revert the incorrect backport, and backport
"mm: migrate_device: use more folio in migrate_device_finalize()" to use the
new upstream notations, and correctly backport "mm/migrate_device: don't add
folio to be freed to LRU in migrate_device_finalize()". This approach was
suggested and tested by Krister Johansen, and I think it is reasonable.
commit 58bf8c2bf47550bc94fea9cafd2bc7304d97102c
Author: Kefeng Wang <[email protected]>
Date: Mon Aug 26 14:58:12 2024 +0800
Subject: mm: migrate_device: use more folio in migrate_device_finalize()
Link:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=58bf8c2bf47550bc94fea9cafd2bc7304d97102c
commit 41cddf83d8b00f29fd105e7a0777366edc69a5cf
Author: David Hildenbrand <[email protected]>
Date: Mon Feb 10 17:13:17 2025 +0100
Subject: mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize()
Link:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=41cddf83d8b00f29fd105e7a0777366edc69a5cf
The first patch landed in 6.12-rc1 and the second patch in 6.14-rc4. Both are
in plucky.
[Testcase]
There are a few ways to trigger the issue.
You can run the hmm selftests. Note, you need to build a new kernel and set
CONFIG_TEST_HMM=m first.
1) Check out a kernel git tree
2) cd tools/testing/selftests/mm/
3) make
4) sudo ./test_hmm.sh
You can also run nvidia tests like nvbandwidth, if your system has an Nvidia
GPU:
https://github.com/NVIDIA/nvbandwidth
$ git clone https://github.com/NVIDIA/nvbandwidth.git
$ cd nvbandwidth
$ sudo ./debian_install.sh
$ sudo ./nvbandwidth
A test package is available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf416039-test
If you install it, and run the hmm selftests, it should no longer hang.
[Where problems can occur]
This changes some core mm code for device memory from standard pages to using
folios, and carries some additional risk because of this.
If a regression were to occur, it would primarily affect users of devices with
internal memory, such as graphics cards, and quite possibly high end network
cards.
The largest userbase affected by this regression is nvidia users, so it really
would be a bad idea to release with the broken implementation, and instead, to
respin and release with the fixed implementation.
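Added example, not part of the bug report or of Launchpad's tooling: a small Python parser for the flattened changelog text in this notification that maps each upload's CVE tags to commit subjects and flags a CVE-tagged commit that a later upload reverts and lists again, which is how this regression shows up in the 6.8.0-78.78 entry. It assumes that a `// CVE-...` suffix or a bare `* CVE-...` item is the CVE tag, as in this changelog; the function names are illustrative.

```python
import re

# Excerpt of the changelog text in this notification, flattened as it appears
# here and trimmed to the uploads and items the demonstration needs.
CHANGELOG = """\
linux (6.8.0-78.78) noble; urgency=medium
* noble/linux: 6.8.0-78.78 -proposed tracker (LP: #2120405)
* Incorrect backport for CVE-2025-21861 causes kernel hangs
(LP: #2120330) // CVE-2025-21861
- mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize()
* Incorrect backport for CVE-2025-21861 causes kernel hangs (LP: #2120330)
- SAUCE: Revert "mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize()"
- mm: migrate_device: use more folio in migrate_device_finalize()
linux (6.8.0-72.72) noble; urgency=medium
* noble/linux: 6.8.0-72.72 -proposed tracker (LP: #2117691)
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21861
- mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize()
* Noble update: upstream stable patchset 2025-07-09 (LP: #2116212) //
CVE-2025-21868
- net: allow small head cache usage with large MAX_SKB_FRAGS values
* CVE-2025-38083
- net_sched: prio: fix a race in prio_tune()
-- Stefan Bader <[email protected]> Tue, 12 Aug 2025 11:44:16
+0200
"""

HEADER = re.compile(r"^linux \((?P<ver>[^)]+)\) \S+; urgency=\w+$")
CVE_TAG = re.compile(r"^CVE-\d{4}-\d{4,}$")
LP_BUG = re.compile(r"LP: #(\d+)")
REVERT = re.compile(r'Revert "(.+)"$')


def parse(text):
    """Parse flattened changelog text into uploads, newest first."""
    uploads, item, cont = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            uploads.append({"version": header["ver"], "items": []})
            item, cont = None, None
        elif line.startswith("-- "):        # maintainer trailer ends the upload
            item, cont = None, None
        elif line.startswith("* ") and uploads:
            item = {"title": line[2:], "commits": []}
            uploads[-1]["items"].append(item)
            cont = "title"
        elif line.startswith("- ") and item is not None:
            item["commits"].append(line[2:])
            cont = "commit"
        elif line and cont == "title":      # wrapped item title
            item["title"] += " " + line
        elif line and cont == "commit":     # wrapped commit subject
            item["commits"][-1] += " " + line
    for upload in uploads:
        for item in upload["items"]:
            parts = [p.strip() for p in item["title"].split("//")]
            # Assumption: a "// CVE-..." suffix or a bare "* CVE-..." item is the tag.
            item["cves"] = [p for p in parts if CVE_TAG.match(p)]
            item["bugs"] = LP_BUG.findall(item["title"])
    return uploads


def cve_fixes(uploads):
    """Map version -> {CVE id: [commit subjects listed under that tag]}."""
    fixes = {}
    for upload in uploads:
        per_cve = fixes.setdefault(upload["version"], {})
        for item in upload["items"]:
            for cve in item["cves"]:
                per_cve.setdefault(cve, []).extend(item["commits"])
    return fixes


def redone_fixes(uploads):
    """Report CVE-tagged commits that a later upload reverts and lists again."""
    first_seen, findings = {}, []
    for upload in reversed(uploads):        # walk oldest to newest
        reverts = {}                        # reverted subject -> LP bugs on that item
        for item in upload["items"]:
            for commit in item["commits"]:
                hit = REVERT.search(commit)
                if hit:
                    reverts[hit.group(1)] = item["bugs"]
        for item in upload["items"]:
            for cve in item["cves"]:
                for commit in item["commits"]:
                    if commit in first_seen and commit in reverts:
                        findings.append({
                            "cve": cve, "subject": commit,
                            "first_applied": first_seen[commit],
                            "redone_in": upload["version"],
                            "bugs": reverts[commit],
                        })
                    first_seen.setdefault(commit, upload["version"])
    return findings


if __name__ == "__main__":
    parsed = parse(CHANGELOG)
    for version, per_cve in cve_fixes(parsed).items():
        print(version, sorted(per_cve))
    for finding in redone_fixes(parsed):
        print("re-done fix:", finding)
```

A finding from `redone_fixes()` is a prompt to check whether hosts ran the upload named in `first_applied`, since a reverted and re-applied CVE fix means the earlier upload carried a defective backport.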