This bug was fixed in the package linux - 6.8.0-86.87
---------------
linux (6.8.0-86.87) noble; urgency=medium
* noble/linux: 6.8.0-86.87 -proposed tracker (LP: #2125391)
- Fix FTBS caused by incorrect pick/backport of
"perf dso: fix dso__is_kallsyms() check"
* noble ubuntu_ftrace_smoke_test:mmiotrace timeout on aws:r5.metal
(LP: #2121673)
- mm: memcg: add NULL check to obj_cgroup_put()
- memcg: drain obj stock on cpu hotplug teardown
* [25.04 FEAT] [post announcement] [KRN2304] CPU-MF Counters for new IBM Z
hardware - perf part (LP: #2103415)
- perf list: Add IBM z17 event descriptions
* memory leaks when configuring a small rate limit in audit (LP: #2122554)
- audit: fix skb leak when audit rate limit is exceeded
* [UBUNTU 24.04] PAI/NNPA support for new IBM z17 (LP: #2121956)
- s390/pai: export number of sysfs attribute files
- s390/pai_crypto: Add support for MSA 10 and 11 pai counters
- s390/pai_ext: Update PAI extension 1 counters
* [UBUNTU 24.04] s390/pci: Don't abort recovery for user-space drivers
(LP: #2121150)
- s390/pci: Allow automatic recovery with minimal driver support
* [UBUNTU 24.04] s390/pci: Fix stale function handles in error handling
(LP: #2121149)
- s390/pci: Fix stale function handles in error handling
- s390/pci: Do not try re-enabling load/store if device is disabled
* [UBUNTU 24.04] vfio/pci: fix 8-byte PCI loads and stores (LP: #2121146)
- vfio/pci: Extract duplicated code into macro
- vfio/pci: Support 8-byte PCI loads and stores
- vfio/pci: Fix typo in macro to declare accessors
* x86 systems with PCIe BAR addresses located outside a certain range see
P2PDMA allocation failures and CUDA initialization errors (LP: #2120209)
- x86/kaslr: Reduce KASLR entropy on most x86 systems
- x86/mm/init: Handle the special case of device private pages in
add_pages(), to not increase max_pfn and trigger
dma_addressing_limited() bounce buffers
* sources list generation using dwarfdump takes up to 0.5hr in build process
(LP: #2104911)
- [Packaging] Don't generate list of source files
* [SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user
namespaces (LP: #2121257)
- apparmor: shift ouid when mediating hard links in userns
- apparmor: shift uid when mediating af_unix in userns
* UBSAN: shift-out-of-bounds in drivers/edac/skx_common.c:452:16
(LP: #2119713)
- EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller
* [IdeaPad Slim 5 13ARP10 , 83J2] Microphone on AMD Ryzen 7 7735HS does not
work (LP: #2102749)
- ASoC: amd: yc: update quirk data for new Lenovo model
* Fix compilation failure because of incomplete backport (LP: #2120561)
- SAUCE: netfilter: ctnetlink: Fix -Wuninitialized in
ctnetlink_secctx_size()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716)
- x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
- cpufreq: scpi: compare kHz instead of Hz
- smack: dont compile ipv6 code unless ipv6 is configured
- cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
- EDAC/{skx_common,i10nm}: Fix some missing error reports on Emerald
Rapids
- x86/fpu: Fix guest FPU state buffer allocation size
- x86/fpu: Avoid copying dynamic FP state from init_task in
arch_dup_task_struct()
- x86/platform: Only allow CONFIG_EISA for 32-bit
- [Config] updateconfigs after disabling CONFIG_EISA for amd64
- x86/sev: Add missing RIP_REL_REF() invocations during sme_enable()
- lockdep/mm: Fix might_fault() lockdep check of current->mm->mmap_lock
- PM: sleep: Adjust check before setting power.must_resume
- RISC-V: KVM: Disable the kernel perf counter during configure
- selinux: Chain up tool resolving errors in install_policy.sh
- EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
- EDAC/ie31200: Fix the DIMM size mask for several SoCs
- EDAC/ie31200: Fix the error path order of ie31200_init()
- PM: sleep: Fix handling devices with direct_complete set on errors
- lockdep: Don't disable interrupts on RT in
disable_irq_nosync_lockdep.*()
- perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
- x86/traps: Make exc_double_fault() consistently noreturn
- x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures
- media: verisilicon: HEVC: Initialize start_bit field
- media: platform: allgro-dvt: unregister v4l2_device on the error path
- platform/x86: dell-ddv: Fix temperature calculation
- ASoC: cs35l41: check the return value from spi_setup()
- HID: remove superfluous (and wrong) Makefile entry for
CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
- dt-bindings: vendor-prefixes: add GOcontroll
- ALSA: hda/realtek: Always honor no_shutup_pins
- ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio
compatible
- drm/bridge: ti-sn65dsi86: Fix multiple instances
- drm/dp_mst: Fix drm RAD print
- drm: xlnx: zynqmp: Fix max dma segment size
- PCI: Use downstream bridges for distributing resources
- drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
- drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
- drm/msm/dpu: don't use active in atomic_check()
- drm/msm/dsi: Use existing per-interface slice count in DSC timing
- drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host
- drm/amdkfd: Fix Circular Locking Dependency in
'svm_range_cpu_invalidate_pagetables'
- PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data
payload
- PCI: brcmstb: Use internal register to change link capability
- PCI: brcmstb: Fix potential premature regulator disabling
- PCI/portdrv: Only disable pciehp interrupts early when needed
- drm/amd/display: fix type mismatch in
CalculateDynamicMetadataParameters()
- PCI: Remove stray put_device() in pci_register_host_bridge()
- PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe
- drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()
- drm/amd/display: avoid NPD when ASIC does not support DMUB
- PCI: histb: Fix an error handling path in histb_pcie_probe()
- PCI: pciehp: Don't enable HPIE when resuming in poll mode
- fbdev: au1100fb: Move a variable assignment behind a null pointer check
- mdacon: rework dependency list
- fbdev: sm501fb: Add some geometry checks.
- clk: amlogic: gxbb: drop incorrect flag on 32k clock
- crypto: hisilicon/sec2 - fix for aead authsize alignment
- crypto: hisilicon/sec2 - fix for sec spec check
- of: property: Increase NR_FWNODE_REFERENCE_ARGS
- remoteproc: qcom_q6v5_pas: Make single-PD handling more robust
- libbpf: Fix hypothetical STT_SECTION extern NULL deref case
- selftests/bpf: Fix string read in strncmp benchmark
- clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock
- RDMA/mana_ib: Ensure variable err is initialized
- remoteproc: qcom_q6v5_pas: Use resource with CX PD for MSM8226
- bpf: Use preempt_count() directly in bpf_send_signal_common()
- lib: 842: Improve error handling in sw842_compress()
- pinctrl: renesas: rza2: Fix missing of_node_put() call
- pinctrl: renesas: rzg2l: Fix missing of_node_put() call
- clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent
- RDMA/mlx5: Fix calculation of total invalidated pages
- remoteproc: qcom_q6v5_mss: Handle platforms with one power domain
- IB/mad: Check available slots before posting receive WRs
- pinctrl: tegra: Set SFIO mode to Mux Register
- clk: amlogic: g12b: fix cluster A parent data
- clk: amlogic: gxbb: drop non existing 32k clock parent
- selftests/bpf: Select NUMA_NO_NODE to create map
- clk: clk-imx8mp-audiomix: fix dsp/ocram_a clock parents
- clk: amlogic: g12a: fix mmc A peripheral clock
- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1
- power: supply: max77693: Fix wrong conversion of charge input threshold
value
- crypto: nx - Fix uninitialised hv_nxc on error
- pinctrl: renesas: rzv2m: Fix missing of_node_put() call
- mfd: sm501: Switch to BIT() to mitigate integer overflows
- leds: Fix LED_OFF brightness race
- x86/dumpstack: Fix inaccurate unwinding from exception stacks due to
misplaced assignment
- crypto: hisilicon/sec2 - fix for aead auth key length
- pinctrl: intel: Fix wrong bypass assignment in intel_pinctrl_probe_pwm()
- clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock
- perf stat: Fix find_stat for mixed legacy/non-legacy events
- isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
- soundwire: slave: fix an OF node reference leak in soundwire slave
device
- coresight: catu: Fix number of pages while using 64k pages
- coresight-etm4x: add isb() before reading the TRCSTATR
- perf pmu: Don't double count common sysfs and json events
- ucsi_ccg: Don't show failed to get FW build information error
- iio: accel: mma8452: Ensure error return on failure to matching
oversampling ratio
- iio: accel: msa311: Fix failure to release runtime pm if direct mode
claim fails.
- perf arm-spe: Fix load-store operation checking
- perf bench: Fix perf bench syscall loop count
- usb: xhci: correct debug message page size calculation
- dmaengine: fsl-edma: cleanup chan after dma_async_device_unregister
- iio: adc: ad4130: Fix comparison of channel setups
- iio: adc: ad7124: Fix comparison of channel configs
- perf evlist: Add success path to evlist__create_syswide_maps
- perf units: Fix insufficient array space
- kernel/events/uprobes: handle device-exclusive entries correctly in
__replace_page()
- kexec: initialize ELF lowest address to ULONG_MAX
- arch/powerpc: drop GENERIC_PTDUMP from mpc885_ads_defconfig
- NFSv4: Don't trigger uneccessary scans for return-on-close delegations
- fuse: fix dax truncate/punch_hole fault path
- selftests/mm/cow: fix the incorrect error handling
- um: remove copy_from_kernel_nofault_allowed
- um: hostfs: avoid issues on inode number reuse by host
- i3c: master: svc: Fix missing the IBI rules
- perf python: Fixup description of sample.id event member
- perf python: Decrement the refcount of just created event on failure
- perf python: Don't keep a raw_data pointer to consumed ring buffer space
- perf python: Check if there is space to copy all the event
- staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES
- tty: n_tty: use uint for space returned by tty_write_room()
- fs/procfs: fix the comment above proc_pid_wchan()
- perf tools: annotate asm_pure_loop.S
- NFS: Shut down the nfs_client only after all the superblocks
- exfat: fix the infinite loop in exfat_find_last_cluster()
- ksmbd: fix multichannel connection failure
- net/mlx5e: SHAMPO, Make reserved size independent of page size
- ring-buffer: Fix bytes_dropped calculation issue
- objtool: Fix segfault in ignore_unreachable_insn()
- LoongArch: Fix help text of CMDLINE_EXTEND in Kconfig
- LoongArch: Rework the arch_kgdb_breakpoint() implementation
- ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states
are invalid
- octeontx2-af: Fix mbox INTR handler when num VFs > 64
- octeontx2-af: Free NIX_AF_INT_VEC_GEN irq
- objtool: Fix verbose disassembly if CROSS_COMPILE isn't set
- sched/smt: Always inline sched_smt_active()
- context_tracking: Always inline ct_{nmi,irq}_{enter,exit}()
- rcu-tasks: Always inline rcu_irq_work_resched()
- wifi: iwlwifi: fw: allocate chained SG tables for dump
- wifi: iwlwifi: mvm: use the right version of the rate API
- nvme-tcp: fix possible UAF in nvme_tcp_poll
- nvme-pci: clean up CMBMSC when registering CMB fails
- nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
- wifi: brcmfmac: keep power during suspend if board requires it
- affs: generate OFS sequence numbers starting at 1
- affs: don't write overlarge OFS data block size fields
- ALSA: hda/realtek: Fix Asus Z13 2025 audio
- ALSA: hda: Fix speakers on ASUS EXPERTBOOK P5405CSA 1.0
- perf/core: Fix perf_pmu_register() vs. perf_init_event()
- cifs: fix incorrect validation for num_aces field of smb_acl
- platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4
tablet
- platform/x86/intel/vsec: Add Diamond Rapids support
- HID: i2c-hid: improve i2c_hid_get_report error message
- ALSA: hda/realtek: Add support for ASUS ROG Strix G614 Laptops using
CS35L41 HDA
- ALSA: hda/realtek: Add support for ASUS Zenbook UM3406KA Laptops using
CS35L41 HDA
- sched/deadline: Use online cpus for validating runtime
- x86/hyperv/vtl: Stop kernel from probing VTL0 low memory
- wifi: mac80211: flush the station before moving it to UN-AUTHORIZED
state
- locking/semaphore: Use wake_q to wake up processes outside lock critical
section
- x86/hyperv: Fix output argument to hypercall that changes page
visibility
- x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled
- nvme-pci: fix stuck reset on concurrent DPC and HP
- ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx
- can: statistics: use atomic access in hot path
- memory: omap-gpmc: drop no compatible check
- hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
- riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and
make_call_ra
- ntb: intel: Fix using link status DB's
- firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success
- RISC-V: errata: Use medany for relocatable builds
- x86/uaccess: Improve performance by aligning writes to 8 bytes in
copy_user_generic(), on non-FSRM/ERMS CPUs
- ASoC: codecs: rt5665: Fix some error handling paths in rt5665_probe()
- riscv: Fix hugetlb retrieval of number of ptes in case of !present pte
- netfilter: nft_set_hash: GC reaps elements with conncount for dynamic
sets only
- vsock: avoid timeout during connect() if the socket is closing
- tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().
- ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS
- net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on destroy
- ipv6: Start path selection from the first nexthop
- ipv6: Do not consider link down nexthops in path selection
- drm/amdgpu/gfx11: fix num_mec
- perf/core: Fix child_total_time_enabled accounting bug at task exit
- tracing: Switch trace_events_hist.c code over to use guard()
- tracing/hist: Add poll(POLLIN) support on hist file
- tracing/hist: Support POLLPRI event for poll on histogram
- tracing: Correct the refcount if the hist/hist_debug file fails to open
- LoongArch: Increase ARCH_DMA_MINALIGN up to 16
- LoongArch: BPF: Fix off-by-one error in build_prologue()
- LoongArch: BPF: Don't override subprog's return value
- LoongArch: BPF: Use move_addr() for BPF_PSEUDO_FUNC
- x86/hyperv: Fix check of return value from snp_set_vmsa()
- x86/microcode/AMD: Fix __apply_microcode_amd()'s return value
- ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers
- platform/x86: ISST: Correct command storage data length
- ntb_perf: Delete duplicate dmaengine_unmap_put() call in
perf_copy_chunk()
- perf/x86/intel: Apply static call for drain_pebs
- perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read
- x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
- mmc: omap: Fix memory leak in mmc_omap_new_slot
- mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
- mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD
- tracing: Ensure module defining synth event cannot be unloaded while
tracing
- tracing: Fix synth event printk format for str fields
- tracing/osnoise: Fix possible recursive locking for cpus_read_lock()
- ext4: don't over-report free space or inodes in statvfs
- jfs: add index corruption check to DT_GETPAGE()
- exec: fix the racy usage of fs_struct->in_exec
- NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
- tracing: Do not use PERF enums when perf is not defined
- smack: ipv4/ipv6: tcp/dccp/sctp: fix incorrect child socket label
- sched: Cancel the slice protection of the idle entity
- cpufreq: tegra194: Allow building for Tegra234
- kunit/stackinit: Use fill byte different from Clang i386 pattern
- watchdog/hardlockup/perf: Fix perf_event memory leak
- x86/entry: Add __init to ia32_emulation_override_cmdline()
- regulator: pca9450: Fix enable register for LDO5
- auxdisplay: panel: Fix an API misuse in panel.c
- ASoC: amd: acp: Fix for enabling DMIC on acp platforms via _DSD entry
- drm/ssd130x: Set SPI .id_table to prevent an SPI core warning
- drm/ssd130x: fix ssd132x encoding
- drm/ssd130x: ensure ssd132x pitch is correct
- gpu: cdns-mhdp8546: fix call balance of mhdp->clk handling routines
- drm/panel: ilitek-ili9882t: fix GPIO name in error message
- drm/msm/dsi/phy: Program clock inverters in correct register
- PCI: brcmstb: Set generation limit before PCIe link up
- drm/msm/a6xx: Fix a6xx indexed-regs in devcoreduump
- powerpc/kexec: fix physical address calculation in clear_utlb_entry()
- drm/mediatek: Fix config_updating flag never false when no mbox channel
- PCI: dwc: ep: Return -ENOMEM for allocation failures
- PCI/sysfs: Demacrofy pci_dev_resource_resize_attr(n) functions
- PCI: Fix BAR resizing when VF BARs are assigned
- dummycon: fix default rows/cols
- crypto: iaa - Test the correct request flag
- crypto: qat - set parity error mask for qat_420xx
- pinctrl: renesas: rzg2l: Suppress binding attributes
- clk: renesas: r8a08g045: Check the source of the CPU PLL settings
- remoteproc: qcom: pas: add minidump_id to SC7280 WPSS
- pinctrl: nuvoton: npcm8xx: Fix error handling in npcm8xx_gpio_fw()
- s390: Remove ioremap_wt() and pgprot_writethrough()
- clk: qcom: gcc-x1e80100: Unregister GCC_GPU_CFG_AHB_CLK/GCC_DISP_XO_CLK
- RDMA/mlx5: Fix MR cache initialization error flow
- power: supply: bq27xxx_battery: do not update cached flags prematurely
- pinctrl: npcm8xx: Fix incorrect struct npcm8xx_pincfg assignment
- crypto: qat - remove access to parity register for QAT GEN4
- clk: qcom: gcc-sm8650: Do not turn off USB GDSCs during gdsc_disable()
- perf report: Switch data file correctly in TUI
- perf debug: Avoid stack overflow in recursive error message
- NFSv4: Avoid unnecessary scans of filesystems for returning delegations
- NFSv4: Avoid unnecessary scans of filesystems for expired delegations
- NFSv4: Avoid unnecessary scans of filesystems for delayed delegations
- um: Pass the correct Rust target and options with gcc
- perf dso: fix dso__is_kallsyms() check
- staging: vchiq_arm: Register debugfs after cdev
- perf vendor events arm64 AmpereOneX: Fix frontend_bound calculation
- LoongArch: Fix device node refcount leak in fdt_cpu_clk_init()
- net: phy: broadcom: Correct BCM5221 PHY model detection
- wifi: mac80211: Cleanup sta TXQs on flush
- wifi: mac80211: remove debugfs dir for virtual monitor
- smb: common: change the data type of num_aces to le16
- platform/x86/amd/pmf: Update PMF Driver for Compatibility with new PMF-TA
- exfat: add a check for invalid data size
- ALSA: hda/realtek: Add support for ASUS ROG Strix G814 Laptop using
CS35L41 HDA
- ALSA: hda/realtek: Add support for ASUS ROG Strix GA603 Laptops using
CS35L41 HDA
- ALSA: hda/realtek: Add support for various ASUS Laptops using CS35L41
HDA
- ALSA: hda/realtek: Add support for ASUS B3405 and B3605 Laptops using
CS35L41 HDA
- ALSA: hda/realtek: Add support for ASUS B5405 and B5605 Laptops using
CS35L41 HDA
- wifi: mac80211: fix SA Query processing in MLO
- riscv/kexec_file: Handle R_RISCV_64 in purgatory relocator
- riscv/purgatory: 4B align purgatory_start
- nvme/ioctl: don't warn on vectorized uring_cmd with fixed buffer
- spi: bcm2835: Do not call gpiod_put() on invalid descriptor
- spi: bcm2835: Restore native CS probing when pinctrl-bcm2835 is absent
- kbuild: deb-pkg: don't set KBUILD_BUILD_VERSION unconditionally
- tty: serial: fsl_lpuart: Use u32 and u8 for register variables
- tty: serial: fsl_lpuart: use port struct directly to simply code
- tty: serial: fsl_lpuart: Fix unused variable 'sport' build warning
- tty: serial: lpuart: only disable CTS instead of overwriting the whole
UARTMODIR register
- wifi: mac80211: Fix sparse warning for monitor_sdata
- LoongArch: Increase MAX_IO_PICS up to 8
- x86/tdx: Fix arch_safe_halt() execution for TDX VMs
- x86/Kconfig: Add cmpxchg8b support back to Geode CPUs
- wifi: mt76: mt7925: remove unused acpi function for clc
- media: omap3isp: Handle ARM dma_iommu_mapping
- Remove unnecessary firmware version check for gc v9_4_2
- exfat: fix potential wrong error return from get_block
- media: subdev: Fix use of sd->enabled_streams in call_s_stream()
- media: subdev: Improve v4l2_subdev_enable/disable_streams_fallback
- media: subdev: Add v4l2_subdev_is_streaming()
- NFSD: nfsd_unlink() clobbers non-zero status returned from
fh_fill_pre_attrs()
- NFSD: Never return NFS4ERR_FILE_OPEN when removing a directory
- platform/x86/amd/pmf: fix cleanup in amd_pmf_init_smart_pc()
- Upstream stable to v6.6.87, v6.12.23
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22028
- media: vimc: skip .s_stream() for stopped entities
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22036
- exfat: fix random stack corruption after get_block
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22039
- ksmbd: fix overflow in dacloffset bounds check
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22062
- sctp: add mutual exclusion in proc_sctp_do_udp_port()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22065
- idpf: fix adapter NULL pointer dereference on reboot
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22068
- ublk: make sure ubq->canceling is set when queue is frozen
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22070
- fs/9p: fix NULL pointer dereference on mkdir
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-40114
- iio: light: Add check for array bounds in veml6075_read_int_time_ms
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22025
- nfsd: put dl_stid if fail to queue dl_recall
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22027
- media: streamzap: fix race between device disconnection and urb callback
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-39735
- jfs: fix slab-out-of-bounds read in ea_get()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22033
- arm64: Don't call NULL in do_compat_alignment_fixup()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22035
- tracing: Fix use-after-free in print_graph_function_flags during tracer
switching
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22038
- ksmbd: validate zero num_subauth before sub_auth is accessed
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22040
- ksmbd: fix session use-after-free in multichannel connection
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22041
- ksmbd: fix use-after-free in ksmbd_sessions_deregister()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22042
- ksmbd: add bounds check for create lease context
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22044
- acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22045
- x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22050
- usbnet:fix NPE during rx_complete
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22053
- net: ibmveth: make veth_pool_store stop hanging
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22054
- arcnet: Add NULL check in com20020pci_probe()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22055
- net: fix geneve_opt length integer overflow
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22056
- netfilter: nft_tunnel: fix geneve_opt type confusion addition
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22057
- net: decrease cached dst counters in dst_release
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22058
- udp: Fix memory accounting leak.
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22060
- net: mvpp2: Prevent parser TCAM memory corruption
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-38637
- net_sched: skbprio: Remove overly strict queue assertions
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22063
- netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22064
- netfilter: nf_tables: don't unregister hook when table is dormant
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22066
- ASoC: imx-card: Add NULL check in imx_card_probe()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2023-53034
- ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22071
- spufs: fix a leak in spufs_create_context()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22072
- spufs: fix gang directory lifetimes
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22073
- spufs: fix a leak on spufs_new_file() failure
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-38575
- ksmbd: use aead_request_free to match aead_request_alloc
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22075
- rtnetlink: Allocate vfinfo size for VF GUIDs when supported
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-37937
- objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22079
- ocfs2: validate l_tree_depth to avoid out-of-bounds access
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22080
- fs/ntfs3: Prevent integer overflow in hdr_first_de()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22081
- fs/ntfs3: Fix a couple integer overflows on 32bit systems
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22083
- vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22086
- RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22089
- RDMA/core: Don't expose hw_counters outside of init net namespace
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-39728
- clk: samsung: Fix UBSAN panic in samsung_clk_init()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22090
- x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-38152
- remoteproc: core: Clear table_sz when rproc_shutdown
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-38240
- drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22095
- PCI: brcmstb: Fix error path after a call to regulator_bulk_get()
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-22097
- drm/vkms: Fix use after free and double free on init error
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-23136
- thermal: int340x: Add NULL check for adev
* Noble update: upstream stable patchset 2025-09-01 (LP: #2121716) //
CVE-2025-23138
- watch_queue: fix pipe accounting mismatch
* Noble update: upstream stable patchset 2025-08-18 (LP: #2120877)
- ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names
- HID: hid-plantronics: Add mic mute mapping and generalize quirks
- atm: Fix NULL pointer dereference
- ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()
- ARM: 9351/1: fault: Add "cut here" line for prefetch aborts
- ARM: Remove address checking for MMUless devices
- drm/dp_mst: Factor out function to queue a topology probe work
- drm/dp_mst: Add a helper to queue a topology probe
- drm/amd/display: Don't write DP_MSTM_CTRL after LT
- mm/page_alloc: fix memory accept before watermarks gets initialized
- netfilter: socket: Lookup orig tuple for IPv6 SNAT
- ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx
- counter: stm32-lptimer-cnt: fix error handling when enabling
- counter: microchip-tcb-capture: Fix undefined counter channel state on
probe
- tty: serial: 8250: Add some more device IDs
- tty: serial: 8250: Add Brainboxes XC devices
- tty: serial: fsl_lpuart: disable transmitter before changing RS485
related registers
- net: usb: qmi_wwan: add Telit Cinterion FN990B composition
- net: usb: qmi_wwan: add Telit Cinterion FE990B composition
- net: usb: usbnet: restore usb%d name exception for local mac addresses
- memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
- nfsd: fix legacy client tracking initialization
- tty: serial: 8250: Add some more device IDs
- tty: serial: 8250: Add Brainboxes XC devices
- perf tools: Fix up some comments and code to properly use the
event_source bus
- bcachefs: bch2_ioctl_subvolume_destroy() fixes
- Upstream stable to v6.6.86, v6.12.22
* CVE-2025-39682
- tls: fix handling of zero-length records on the rx_list
* CVE-2025-38500
- xfrm: interface: fix use-after-free after changing collect_md xfrm
interface
* TLS socket disconnection causes various issues (LP: #2120516) //
CVE-2025-37756
- net: tls: explicitly disallow disconnect
* CVE-2025-38477
- net/sched: sch_qfq: Fix race condition on qfq_aggregate
- net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in
qfq_delete_class
* CVE-2025-38618
- vsock: Do not allow binding to VMADDR_PORT_ANY
* CVE-2025-38617
- net/packet: fix a race in packet_set_ring() and packet_notifier()
* CVE-2025-37785
- ext4: fix OOB read when checking dotdot dir
* Packaging resync (LP: #1786013)
- [Packaging] resync git-ubuntu-log
-- Stefan Bader <[email protected]> Mon, 22 Sep 2025 17:42:28 +0200
** Changed in: linux (Ubuntu Noble)
Status: Fix Committed => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2023-53034
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22025
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22027
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22028
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22033
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22035
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22036
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22038
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22039
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22040
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22041
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22042
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22044
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22045
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22050
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22053
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22054
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22055
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22056
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22057
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22058
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22060
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22062
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22063
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22064
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22065
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22066
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22068
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22070
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22071
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22072
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22073
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22075
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22079
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22080
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22081
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22083
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22086
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22089
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22090
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22095
** CVE added: https://cve.org/CVERecord?id=CVE-2025-22097
** CVE added: https://cve.org/CVERecord?id=CVE-2025-23136
** CVE added: https://cve.org/CVERecord?id=CVE-2025-23138
** CVE added: https://cve.org/CVERecord?id=CVE-2025-37756
** CVE added: https://cve.org/CVERecord?id=CVE-2025-37785
** CVE added: https://cve.org/CVERecord?id=CVE-2025-37937
** CVE added: https://cve.org/CVERecord?id=CVE-2025-38152
** CVE added: https://cve.org/CVERecord?id=CVE-2025-38240
** CVE added: https://cve.org/CVERecord?id=CVE-2025-38477
** CVE added: https://cve.org/CVERecord?id=CVE-2025-38500
** CVE added: https://cve.org/CVERecord?id=CVE-2025-38575
** CVE added: https://cve.org/CVERecord?id=CVE-2025-38617
** CVE added: https://cve.org/CVERecord?id=CVE-2025-38618
** CVE added: https://cve.org/CVERecord?id=CVE-2025-38637
** CVE added: https://cve.org/CVERecord?id=CVE-2025-39682
** CVE added: https://cve.org/CVERecord?id=CVE-2025-39728
** CVE added: https://cve.org/CVERecord?id=CVE-2025-39735
** CVE added: https://cve.org/CVERecord?id=CVE-2025-40114
--
https://bugs.launchpad.net/bugs/2120209
Title:
x86 systems with PCIe BAR addresses located outside a certain range
see P2PDMA allocation failures and CUDA initialization errors
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Jammy:
Won't Fix
Status in linux source package in Noble:
Fix Released
Status in linux source package in Plucky:
Fix Released
Bug description:
SRU Justification
[Impact]
On some x86 systems, it is possible for PCIe device BAR addresses to exceed the
range reserved by KASLR for direct mappings. This causes attempts to map the
impacted BAR region using devm_memremap_pages() to fail. These memmap-backed
mappings are required for multiple use-cases, including P2PDMA, and CUDA with
Heterogeneous Memory Management (HMM) enabled.
[Fix]
This is resolved upstream by commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR
entropy on most x86 systems"). It changes the behavior of KASLR to not shrink
direct mapping space when CONFIG_PCI_P2PDMA is enabled. The consequence of this
is that there is less room for KASLR to maneuver, and thus the amount of
entropy in the randomized layout is reduced. In discussion on the upstream
patch submission [1], it is noted that on the submitter's system this reduces
entropy from 16 bits down to 15 bits.
Cherry-picking the mentioned commit allows CUDA with HMM enabled and
P2PDMA to function on the systems described above, as with it the direct
mapping space is not shrunk, so all BAR regions fall within its bounds,
and thus the devm_memremap_pages() operation succeeds.
Additionally, the commit 7170130e4c72 ("x86/mm/init: Handle the special
case of device private pages in add_pages(), to not increase max_pfn and
trigger dma_addressing_limited() bounce buffers") addresses a
performance regression revealed by applying commit 7ffb791423c7
("x86/kaslr: Reduce KASLR entropy on most x86 systems").
Jammy 5.15 has CONFIG_PCI_P2PDMA set to n, so a cherry-pick alone will
not resolve the issue. Additionally, Jammy is missing a dependency of
7170130e4c72: e3246d8f5217 ("mm/sparse-vmemmap: add a pgmap argument to
section activation"), which has its own set of dependencies. As there
does not appear to be significant demand for this in Jammy, and risk of
regression is higher, a fix for Jammy is omitted for this submission.
Jammy: 7ffb791423c7 already in-tree. Cherry-pick of 7170130e4c72,
e3246d8f5217, and CONFIG_PCI_P2PDMA=y needed. Skipped for this
submission for regression risk noted above.
Noble: Cherry-pick of both commits mentioned above needed.
Plucky: Not affected, fix commits already in tree and
CONFIG_PCI_P2PDMA=y.
Questing: Not affected, fix commits already in tree and config set and
CONFIG_PCI_P2PDMA=y.
[Test Case]
The issue only occurs on systems with PCIe BAR addresses located outside of the
current minimum address range of [0, ceil(max_pfn / 1TiB) +
CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING (10 TiB)].
With the NVIDIA Container Toolkit installed and enabled for Docker, the
following reproduces the issue on affected systems where one or more NVIDIA
GPUs have BAR addresses outside of the current minimum range:
$ sudo docker run --runtime nvidia --rm -it nvcr.io/nvidia/pytorch:25.03-py3
ERROR: The NVIDIA Driver is present, but CUDA failed to initialize. GPU
functionality will not be available.
[[ Initialization error (error 3) ]]
[Where things could go wrong]
This reduces the entropy of the memory layouts KASLR generates on most x86
systems. A bug would likely show up as misbehavior of KASLR.
[Other Notes]
[1] https://lore.kernel.org/lkml/202502061145.8AFAF053E4@keescook/
[2] https://bugs.launchpad.net/bugs/1987394
v2: drop patches for Jammy due to greater regression risk as noted in Fix
section.
Balbir Singh (2):
x86/kaslr: Reduce KASLR entropy on most x86 systems
x86/mm/init: Handle the special case of device private pages in
add_pages(), to not increase max_pfn and trigger
dma_addressing_limited() bounce buffers
arch/x86/mm/init_64.c | 15 ++++++++++++---
arch/x86/mm/kaslr.c | 10 ++++++++--
drivers/pci/Kconfig | 6 ++++++
3 files changed, 26 insertions(+), 5 deletions(-)
--
2.43.0
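The range check from the [Test Case] section, as an added example (not part of the bug report or the kernel patches): it parses /proc/iomem-style text and lists PCI device BARs that end beyond ceil(RAM / 1 TiB) + 10 TiB. Assumptions: max_pfn is approximated by the end of the highest "System RAM" range, and the sample input and all function names are constructed for illustration.

```python
import re

TIB = 1 << 40
PADDING_TIB = 10  # CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING value quoted in the report

# Constructed /proc/iomem excerpt (not from a real machine). On a live system,
# read /proc/iomem as root; unprivileged reads show all addresses as zero.
SAMPLE_IOMEM = """\
00001000-0009ffff : System RAM
00100000-7fffffff : System RAM
100000000-207fffffff : System RAM
20000000000-2ffffffffff : PCI Bus 0000:3a
  20000000000-21fffffffff : 0000:3b:00.0
d0000000000-dffffffffff : PCI Bus 0000:af
  d0000000000-d1fffffffff : 0000:b0:00.0
"""

LINE = re.compile(r"^\s*([0-9a-f]+)-([0-9a-f]+) : (.+)$")
PCI_DEV = re.compile(r"^[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$")


def parse_iomem(text):
    """Yield (start, end, name) for every resource line, nested or not."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3).strip()


def direct_map_limit(regions, padding_tib=PADDING_TIB):
    """Upper bound of the range from the report, in bytes."""
    ram_ends = [end + 1 for _, end, name in regions if name == "System RAM"]
    if not ram_ends or max(ram_ends) <= 1:
        raise ValueError("no usable System RAM ranges (addresses hidden?)")
    ram_tib = -(-max(ram_ends) // TIB)  # ceil(RAM end / 1 TiB), stands in for max_pfn
    return (ram_tib + padding_tib) * TIB


def bars_outside(text, padding_tib=PADDING_TIB):
    """Return (limit, [(device, start, end), ...]) for BARs ending past the limit."""
    regions = list(parse_iomem(text))
    limit = direct_map_limit(regions, padding_tib)
    flagged = [(name, start, end) for start, end, name in regions
               if PCI_DEV.match(name) and end >= limit]
    return limit, flagged


if __name__ == "__main__":
    limit, flagged = bars_outside(SAMPLE_IOMEM)
    print(f"limit: {limit / TIB:.0f} TiB")
    for name, start, end in flagged:
        print(f"{name}: {start:#x}-{end:#x} lies outside the range")
```

A device flagged here is a candidate for the devm_memremap_pages() failure described above on kernels without the fix; the check says nothing about kernels where the direct mapping space is no longer shrunk.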