Skipped (already applied): - mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN (bug #2125444) - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg (CVE-2025-39964) - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx (CVE-2025-39964)
** CVE added: https://cve.org/CVERecord?id=CVE-2025-39964 ** Changed in: linux (Ubuntu Jammy) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2127866 Title: Jammy update: v5.15.194 upstream stable release Status in linux package in Ubuntu: Invalid Status in linux source package in Jammy: Fix Committed Bug description: SRU Justification Impact: The upstream process for stable tree updates is quite similar in scope to the Ubuntu SRU process, e.g., each patch has to demonstrably fix a bug, and each patch is vetted by upstream by originating either directly from a mainline/stable Linux tree or a minimally backported form of that patch. The following upstream stable patches should be included in the Ubuntu kernel: v5.15.194 upstream stable release from git://git.kernel.org/ Revert "fbdev: Disable sysfb device registration when removing conflicting FBs" xfs: short circuit xfs_growfs_data_private() if delta is zero kunit: kasan_test: disable fortify string checker on kasan_strings() test mm: introduce and use {pgd,p4d}_populate_kernel() media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning media: i2c: imx214: Fix link frequency validation net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. tracing: Do not add length to print format in synthetic events mm/rmap: reject hugetlb folios in folio_make_device_exclusive() flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read NFSv4: Don't clear capabilities that won't be reset NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server tracing: Fix tracing_marker may trigger page fault during preempt_disable NFSv4/flexfiles: Fix layout merge mirror check. tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func() KVM: SVM: Set synthesized TSA CPUID flags EDAC/altera: Delete an inappropriate dma_free_coherent() call compiler-clang.h: define __SANITIZE_*__ macros only when undefined mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN ocfs2: fix recursive semaphore deadlock in fiemap call mtd: rawnand: stm32_fmc2: fix ECC overwrite fuse: check if copy_file_range() returns larger than requested size fuse: prevent overflow in copy_file_range return value libceph: fix invalid accesses to ceph_connection_v1_info mm/khugepaged: fix the address passed to notifier on testing young mtd: nand: raw: atmel: Fix comment in timings preparation mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing mtd: rawnand: stm32_fmc2: Fix dma_map_sg error check mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table tty: hvc_console: Call hvc_kick in hvc_write unconditionally dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks USB: serial: option: add Telit Cinterion FN990A w/audio compositions USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() tunnels: reset the GSO metadata before reusing the skb igb: fix link test skipping when interface is admin down genirq: Provide new interfaces for affinity hints i40e: Use irq_update_affinity_hint() i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB net: hsr: Disable promiscuous mode in offload mode net: hsr: Add support for MC filtering at the slave device net: hsr: Add VLAN CTAG filter support hsr: use rtnl lock when iterating over ports hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr dmaengine: ti: edma: Fix memory allocation size for queue_priority_map regulator: sy7636a: fix lifecycle of power good gpio hrtimer: Remove unused function hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active() hrtimers: Unconditionally update target CPU base after offline timer migration dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees phy: tegra: xusb: fix device and OF node leak at probe phy: ti-pipe3: fix device leak at unbind soc: qcom: mdt_loader: Deal with zero e_shentsize drm/amdgpu: fix a memory leak in fence cleanup when unloading drm/i915/power: fix size for for_each_set_bit() in abox iteration mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory net: hsr: hsr_slave: Fix the promiscuous mode in offload mode ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported wifi: mac80211: fix incorrect type for ret pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch cgroup: split cgroup_destroy_wq into 3 workqueues um: virtio_uml: Fix use-after-free after put_device in probe dpaa2-switch: fix buffer pool seeding for control traffic qed: Don't collect too many protection override GRC elements net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure i40e: remove redundant memory barrier when cleaning Tx descs tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" net: liquidio: fix overflow in octeon_init_instr_queue() cnic: Fix use-after-free bugs in cnic_delete_task nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery power: supply: bq27xxx: restrict no-battery detection to bq27000 btrfs: tree-checker: fix the incorrect inode ref size check mmc: mvsdio: Fix dma_unmap_sg() nents value KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active rds: ib: Increment i_fastreg_wrs before bailing out ASoC: wm8940: Correct typo in control name ASoC: wm8974: Correct PLL rate rounding ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path serial: sc16is7xx: fix bug in flow control levels init xhci: dbc: decouple endpoint allocation from initialization xhci: dbc: Fix full DbC transfer ring after several reconnects usb: gadget: dummy_hcd: remove usage of list iterator past the loop body USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning phy: Use device_get_match_data() phy: ti: omap-usb2: fix device leak at unbind mptcp: set remote_deny_join_id0 on SYN recv ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer mptcp: propagate shutdown to subflows when possible net: rfkill: gpio: add DT support net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer ALSA: usb-audio: Fix block comments in mixer_quirks ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks ALSA: usb-audio: Avoid multiple assignments in mixer_quirks ALSA: usb-audio: Simplify NULL comparison in mixer_quirks ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 ALSA: usb-audio: Convert comma to semicolon ALSA: usb-audio: Fix build with CONFIG_INPUT=n usb: core: Add 0x prefix to quirks debug output IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions arm64: dts: imx8mp: Correct thermal sensor index cpufreq: Initialize cpufreq-based invariance before subsys can: rcar_can: rcar_can_resume(): fix s2ram with PSCI bpf: Reject bpf_timer for PREEMPT_RT can: bittiming: allow TDC{V,O} to be zero and add can_tdc_const::tdc{v,o,f}_min can: bittiming: replace CAN units with the generic ones from linux/units.h can: dev: add generic function can_ethtool_op_get_ts_info_hwts() can: dev: add generic function can_eth_ioctl_hwts() can: etas_es58x: advertise timestamping capabilities and add ioctl support can: etas_es58x: sort the includes by alphabetic order can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow can: hi311x: populate ndo_change_mtu() to prevent buffer overflow can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow can: peak_usb: fix shift-out-of-bounds issue ethernet: rvu-af: Remove slash from the driver name bnxt_en: correct offset handling for IPv6 destination address nexthop: Forbid FDB status change while nexthop is in a group selftests: fib_nexthops: Fix creation of non-FDB nexthops net: dsa: lantiq_gswip: do also enable or disable cpu port net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to port_setup() net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries added to the CPU port drm/gma500: Fix null dereference in hdmi teardown crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg crypto: af_alg - Fix incorrect boolean values in af_alg_ctx i40e: fix idx validation in i40e_validate_queue_map i40e: fix input validation logic for action_meta i40e: add max boundary check for VF filters i40e: add mask to apply valid bits for itr_idx tracing: dynevent: Add a missing lockdown check on dynevent fbcon: fix integer overflow in fbcon_do_set_font fbcon: Fix OOB access in font allocation af_unix: Don't leave consecutive consumed OOB skbs. mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() mm/hugetlb: fix folio is still mapped when deleted i40e: fix validation of VF state in get resources i40e: fix idx validation in config queues msg i40e: increase max descriptors for XL710 i40e: add validation for ring_len param drm/i915/backlight: Return immediately when scale() finds invalid parameters Linux 5.15.194 UBUNTU: Upstream stable to v5.15.194 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2127866/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
