Public bug reported:
SRU Justification
Impact:
The upstream process for stable tree updates is quite similar
in scope to the Ubuntu SRU process, e.g., each patch has to
demonstrably fix a bug, and each patch is vetted by upstream
by originating either directly from a mainline/stable Linux tree or
a minimally backported form of that patch. The following upstream
stable patches should be included in the Ubuntu kernel:
v7.0.7 upstream stable release
from git://git.kernel.org/
scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
ipmi: Add limits to event and receive message requests
ipmi: Check event message buffer response for bad data
ipmi:si: Return state to normal if message allocation fails
fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states
ACPI: scan: Use acpi_dev_put() in object add error paths
ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO
ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
ACPI: video: force native backlight on HP OMEN 16 (8A44)
tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
iommufd: Fix a race with concurrent allocation and unmap
ASoC: SOF: Don't allow pointer operations on unconfigured streams
wifi: mt76: mt7925: fix incorrect TLV length in CLC command
spi: rockchip: fix controller deregistration
ksmbd: rewrite stop_sessions() with restartable iteration
KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
flow_dissector: do not dissect PPPoE PFC frames
smb: client/smbdirect: fix MR registration for coalesced SG lists
net/sched: sch_red: Replace direct dequeue call with peek and
qdisc_dequeue_peeked
exit: prevent preemption of oopsing TASK_DEAD task
wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr
wifi: mt76: mt7925: fix incorrect length field in txpower command
wifi: mt76: mt7921: fix a potential clc buffer length underflow
wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
wifi: b43legacy: enforce bounds check on firmware key index in RX path
wifi: mac80211: drop stray 'static' from fast-RX rx_result
wifi: rsi: fix kthread lifetime race between self-exit and external-stop
wifi: mac80211: use safe list iteration in radar detect work
wifi: ath5k: do not access array OOB
wifi: mac80211: remove station if connection prep fails
wifi: b43: enforce bounds check on firmware key index in b43_rx()
wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
usb: usblp: fix heap leak in IEEE 1284 device ID via short response
usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
ALSA: usb-audio: midi2: Restart output URBs on resume
ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
ALSA: usb-audio: Fix UAC3 cluster descriptor size check
usb: dwc3: Move GUID programming after PHY initialization
USB: omap_udc: DMA: Don't enable burst 4 mode
USB: serial: option: add Telit Cinterion LE910Cx compositions
usb: ulpi: fix memory leak on ulpi_register() error paths
usb: typec: tcpm: fix debug accessory mode detection for sink ports
ALSA: hda: cs35l56: Propagate ASP TX source control errors
ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro
15
ALSA: firewire-tascam: Do not drop unread control events
ALSA: core: Serialize deferred fasync state checks
ALSA: seq: Fix UMP group 16 filtering
powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
x86/efi: Restore IRQ state in EFI page fault handler
sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters
xfrm: provide message size for XFRM_MSG_MAPPING
xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
xfrm: ah: account for ESN high bits in async callbacks
selinux: fix avdcache auditing
selinux: use sk blob accessor in socket permission helpers
selinux: don't reserve xattr slot when we won't fill it
selinux: shrink critical section in sel_write_load()
selinux: prune /sys/fs/selinux/checkreqprot
selinux: prune /sys/fs/selinux/disable
selinux: prune /sys/fs/selinux/user
selinux: allow multiple opens of /sys/fs/selinux/policy
io_uring/kbuf: support min length left for incremental buffers
io_uring/tw: serialize ctx->retry_llist with ->uring_lock
LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()
Bluetooth: virtio_bt: clamp rx length before skb_put
Bluetooth: virtio_bt: validate rx pkt_type header length
Bluetooth: btmtk: validate WMT event SKB length before struct access
Bluetooth: hci_conn: fix potential UAF in create_big_sync
Bluetooth: hci_event: Fix OOB read and infinite loop in
hci_le_create_big_complete_evt
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
rust: drm: gem: clean up GEM state in init failure case
rust: allow `clippy::collapsible_match` globally
rust: allow `clippy::collapsible_if` globally
rust: pin-init: internal: move alignment check to `make_field_check`
spi: syncuacer: fix controller deregistration
spi: sun4i: fix controller deregistration
spi: zynq-qspi: fix controller deregistration
spi: ti-qspi: fix controller deregistration
spi: sun6i: fix controller deregistration
spi: tegra114: fix controller deregistration
spi: zynqmp-gqspi: fix controller deregistration
spi: tegra20-sflash: fix controller deregistration
spi: s3c64xx: fix NULL-deref on driver unbind
staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc
staging: vme_user: fix root device leak on init failure
fanotify: fix false positive on permission events
KVM: arm64: Fix kvm_vcpu_initialized() macro parameter
mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
arm64: signal: Preserve POR_EL0 if poe_context is missing
mm/hugetlb_cma: round up per_node before logging it
LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT
LoongArch: KVM: Compile switch.S directly into the kernel
net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
rtnl_fill_vfinfo
mptcp: pm: ADD_ADDR rtx: skip inactive subflows
perf/x86/intel: Improve validation and configuration of ACR masks
selftests/rseq: Don't run tests with runner scripts outside of the scripts
rseq: Set rseq::cpu_id_start to 0 on unregistration
rseq: Protect rseq_reset() against interrupts
rseq: Don't advertise time slice extensions if disabled
selftests/rseq: Make registration flexible for legacy and optimized mode
selftests/rseq: Skip tests if time slice extensions are not available
selftests/rseq: Validate legacy behavior
selftests/rseq: Expand for optimized RSEQ ABI v2
accel/ivpu: Disallow re-exporting imported GEM objects
sound: ua101: fix division by zero at probe
pseries/papr-hvpipe: Fix race with interrupt handler
pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace
pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()
pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()
pseries/papr-hvpipe: Fix the usage of copy_to_user()
net: libwx: fix VF illegal register access
ip6_gre: Use cached t->net in ip6erspan_changelink().
net: libwx: use request_irq for VF misc interrupt
netpoll: pass buffer size to egress_dev() to avoid MAC truncation
net/rds: handle zerocopy send cleanup before the message is queued
net: wwan: t7xx: validate port_count against message length in
t7xx_port_enum_msg_handler
ovl: fix verity lazy-load guard broken by fsverity_active() semantic change
platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
parisc: Fix IRQ leak in LASI driver
x86/efi: Fix graceful fault handling after FPU softirq changes
hwmon: (ltc2992) Clamp threshold writes to hardware range
hwmon: (ltc2992) Fix u32 overflow in power read path
clk: rk808: fix OF node reference imbalance
hwmon: (corsair-psu) Close HID device on probe errors
af_unix: Reject SIOCATMARK on non-stream sockets
arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's
pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
block: add pgmap check to biovec_phys_mergeable
block: fix zone write plug removal
block: only read from sqe on initial invocation of blkdev_uring_cmd()
cifs: abort open_cached_dir if we don't request leases
cifs: change_conf needs to be called for session setup
extcon: ptn5150: handle pending IRQ events during system resume
fbcon: Avoid OOB font access if console rotation fails
gpio: of: clear OF_POPULATED on hog nodes in remove path
hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS
hv_sock: fix ARM64 support
hv_sock: Report EOF instead of -EIO for FIN
hv_sock: Return -EIO for malformed/short packets
ibmveth: Disable GSO for packets with small MSS
ice: fix double free in ice_sf_eth_activate() error path
spi: microchip-core-qspi: fix controller deregistration
spi: microchip-core-spi: fix controller deregistration
spi: microchip-core-qspi: don't attempt to transmit during emulated read-only
dual/quad operations
spi: microchip-core-qspi: control built-in cs manually
tracefs: Fix default permissions not being applied on initial mount
udf: reject descriptors with oversized CRC length
x86/boot/e820: Re-enable BIOS fallback if e820 table is empty
thermal: core: Free thermal zone ID later during removal
thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp
spi: topcliff-pch: fix controller deregistration
spi: topcliff-pch: fix use-after-free on unbind
tracing/fprobe: Avoid kcalloc() in rcu_read_lock section
tracing/fprobe: Remove fprobe from hash in failure path
tracing/fprobe: Unregister fprobe even if memory allocation fails
tracing/probes: Limit size of event probe to 3K
tracing/fprobe: Check the same type fprobe on table as the unregistered one
clk: imx: imx8-acm: fix flags for acm clocks
clk: microchip: mpfs-ccc: fix out of bounds access during output registration
cpuidle: powerpc: avoid double clear when breaking snooze
ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table
ASoC: ES8389: convert to devm_clk_get_optional() to get clock
ASoC: fsl_easrc: fix comment typo
ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error
ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
ASoC: qcom: q6apm: remove child devices when apm is removed
btrfs: do not mark inode incompressible after inline attempt fails
btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
info-leak
btrfs: fix double free in create_space_info() error path
btrfs: fix double free in create_space_info_sub_group() error path
btrfs: fix missing last_unlink_trans update when removing a directory
dm-thin: fix metadata refcount underflow
dm: don't report warning when doing deferred remove
dm: fix a buffer overflow in ioctl processing
eventfs: Hold eventfs_mutex and SRCU when remount walks events
dm-verity-fec: correctly reject too-small FEC devices
dm-verity-fec: correctly reject too-small hash devices
dm-verity-fec: fix corrected block count stat
dm-verity-fec: fix reading parity bytes split across blocks (take 3)
dm-verity-fec: fix the size of dm_verity_fec_io::erasures
isofs: validate Rock Ridge CE continuation extent against volume size
isofs: validate block number from NFS file handle in isofs_export_iget
iommufd: Fix return value of iommufd_fault_fops_write()
iommu/vt-d: Block PASID attachment to nested domain with dirty tracking
iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
lib/crc: tests: Make crc_kunit test only the enabled CRC variants
lib/scatterlist: fix length calculations in extract_kvec_to_sg
lib/scatterlist: fix temp buffer in extract_user_to_sg()
libceph: Fix slab-out-of-bounds access in auth message processing
md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
nvme-apple: drop invalid put of admin queue reference count
nvmet-tcp: fix race between ICReq handling and queue teardown
nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
openvswitch: vport: fix self-deadlock on release of tunnel ports
pmdomain: core: Fix detach procedure for virtual devices in genpd
psp: strip variable-length PSP header in psp_dev_rcv()
RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
riscv: kvm: fix vector context allocation leak
s390/debug: Reject zero-length input in debug_input_flush_fn()
s390/debug: Reject zero-length input before trimming a newline
scsi: mpt3sas: Limit NVMe request size to 2 MiB
smb/client: fix out-of-bounds read in smb2_compound_op()
smb/client: fix out-of-bounds read in symlink_data()
smb: client: use kzalloc to zero-initialize security descriptor buffer
smb: client: validate dacloffset before building DACL pointers
KVM: x86: check for nEPT/nNPT in slow flush hypercalls
KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty
mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values
mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values
mm/damon/stat: detect and use fresh enabled value
mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock
PCI: Update saved_config_space upon resource assignment
PCI/AER: Clear only error bits in PCIe Device Status
PCI/AER: Stop ruling out unbound devices as error source
PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
power: supply: max17042: avoid overflow when determining health
powerpc/xive: fix kmemleak caused by incorrect chip_data lookup
perf/x86/intel: Always reprogram ACR events to prevent stale masks
perf/x86/intel: Disable PMI for self-reloaded ACR events
perf/x86/intel: Enable auto counter reload for DMR
RDMA/ionic: bound node_desc sysfs read with %.64s
RDMA/ionic: Fix typo in format string
RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
RDMA/mana: Validate rx_hash_key_len
RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
RDMA/rxe: Reject unknown opcodes before ICRC processing
RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()
remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()
sched_ext: idle: Recheck prev_cpu after narrowing allowed mask
sched_ext: Use dsq->first_task instead of list_empty() in dispatch_enqueue()
FIFO-tail
selftests: mptcp: check output: catch cmd errors
selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl
mptcp: fastclose msk when linger time is 0
mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
mptcp: sockopt: set timestamp flags on subflow socket, not msk
mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf
mptcp: fix rx timestamp corruption on fastopen
mptcp: fix scheduling with atomic in timestamp sockopt
mptcp: pm: prio: skip closed subflows
mptcp: pm: kernel: reset fullmesh counter after flush
mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
mptcp: pm: ADD_ADDR rtx: allow ID 0
mptcp: pm: ADD_ADDR rtx: fix potential data-race
mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
mptcp: pm: ADD_ADDR rtx: free sk if last
mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
mptcp: pm: ADD_ADDR rtx: return early if no retrans
f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
f2fs: fix false alarm of lockdep on cp_global_sem lock
f2fs: fix fiemap boundary handling when read extent cache is incomplete
f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage
f2fs: fix incorrect file address mapping when inline inode is unwritten
f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
f2fs: fix node_cnt race between extent node destroy and writeback
f2fs: fix uninitialized kobject put in f2fs_init_sysfs()
f2fs: refactor f2fs_move_node_folio function
f2fs: fix inline data not being written to disk in writeback path
f2fs: fix fsck inconsistency caused by FGGC of node block
KVM: arm64: Wake-up from WFI when iqrchip is in userspace
KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer
KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer
KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()
LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS
LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry
LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software
LoongArch: KVM: Move unconditional delay into timer clear scenery
LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()
LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup
bpf: Fix use-after-free in arena_vm_close on fork
octeon_ep_vf: add NULL check for napi_build_skb()
mmc: core: Adjust MDT beyond 2025
mmc: core: Add quirk for incorrect manufacturing date
mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
crypto: qat - fix indentation of macros in qat_hal.c
crypto: qat - fix firmware loading failure for GEN6 devices
hfsplus: fix uninit-value by validating catalog record size
hfsplus: fix held lock freed on hfsplus_fill_super()
8021q: use RCU for egress QoS mappings
8021q: delete cleared egress QoS mappings
printk: add print_hex_dump_devel()
crypto: caam - guard HMAC key hex dumps in hash_digest_key
net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
net: stmmac: Prevent NULL deref when RX memory exhausted
rust: pin-init: fix incorrect accessor reference lifetime
x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
ksmbd: validate inherited ACE SID length
Linux 7.0.7
UBUNTU: Upstream stable to v7.0.7
** Affects: linux (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: linux (Ubuntu Resolute)
Importance: Medium
Assignee: Noah Wager (nwager)
Status: In Progress
** Tags: kernel-stable-tracking-bug
** Changed in: linux (Ubuntu)
Status: New => Confirmed
** Also affects: linux (Ubuntu Resolute)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu)
Status: Confirmed => Invalid
** Changed in: linux (Ubuntu Resolute)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Resolute)
Status: New => In Progress
** Changed in: linux (Ubuntu Resolute)
Assignee: (unassigned) => Noah Wager (nwager)
** Description changed:
SRU Justification
Impact:
The upstream process for stable tree updates is quite similar
in scope to the Ubuntu SRU process, e.g., each patch has to
demonstrably fix a bug, and each patch is vetted by upstream
by originating either directly from a mainline/stable Linux tree or
a minimally backported form of that patch. The following upstream
stable patches should be included in the Ubuntu kernel:
v7.0.7 upstream stable release
from git://git.kernel.org/
-
+ scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
+ ipmi: Add limits to event and receive message requests
+ ipmi: Check event message buffer response for bad data
+ ipmi:si: Return state to normal if message allocation fails
+ fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
+ ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states
+ ACPI: scan: Use acpi_dev_put() in object add error paths
+ ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO
+ ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
+ ACPI: video: force native backlight on HP OMEN 16 (8A44)
+ tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
+ iommufd: Fix a race with concurrent allocation and unmap
+ ASoC: SOF: Don't allow pointer operations on unconfigured streams
+ wifi: mt76: mt7925: fix incorrect TLV length in CLC command
+ spi: rockchip: fix controller deregistration
+ ksmbd: rewrite stop_sessions() with restartable iteration
+ KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
+ flow_dissector: do not dissect PPPoE PFC frames
+ smb: client/smbdirect: fix MR registration for coalesced SG lists
+ net/sched: sch_red: Replace direct dequeue call with peek and
qdisc_dequeue_peeked
+ exit: prevent preemption of oopsing TASK_DEAD task
+ wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr
+ wifi: mt76: mt7925: fix incorrect length field in txpower command
+ wifi: mt76: mt7921: fix a potential clc buffer length underflow
+ wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
+ wifi: b43legacy: enforce bounds check on firmware key index in RX path
+ wifi: mac80211: drop stray 'static' from fast-RX rx_result
+ wifi: rsi: fix kthread lifetime race between self-exit and external-stop
+ wifi: mac80211: use safe list iteration in radar detect work
+ wifi: ath5k: do not access array OOB
+ wifi: mac80211: remove station if connection prep fails
+ wifi: b43: enforce bounds check on firmware key index in b43_rx()
+ wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
+ usb: usblp: fix heap leak in IEEE 1284 device ID via short response
+ usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
+ ALSA: usb-audio: midi2: Restart output URBs on resume
+ ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
+ ALSA: usb-audio: Fix UAC3 cluster descriptor size check
+ usb: dwc3: Move GUID programming after PHY initialization
+ USB: omap_udc: DMA: Don't enable burst 4 mode
+ USB: serial: option: add Telit Cinterion LE910Cx compositions
+ usb: ulpi: fix memory leak on ulpi_register() error paths
+ usb: typec: tcpm: fix debug accessory mode detection for sink ports
+ ALSA: hda: cs35l56: Propagate ASP TX source control errors
+ ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
+ ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop
Pro 15
+ ALSA: firewire-tascam: Do not drop unread control events
+ ALSA: core: Serialize deferred fasync state checks
+ ALSA: seq: Fix UMP group 16 filtering
+ powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
+ x86/efi: Restore IRQ state in EFI page fault handler
+ sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters
+ xfrm: provide message size for XFRM_MSG_MAPPING
+ xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
+ ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
+ xfrm: ah: account for ESN high bits in async callbacks
+ selinux: fix avdcache auditing
+ selinux: use sk blob accessor in socket permission helpers
+ selinux: don't reserve xattr slot when we won't fill it
+ selinux: shrink critical section in sel_write_load()
+ selinux: prune /sys/fs/selinux/checkreqprot
+ selinux: prune /sys/fs/selinux/disable
+ selinux: prune /sys/fs/selinux/user
+ selinux: allow multiple opens of /sys/fs/selinux/policy
+ io_uring/kbuf: support min length left for incremental buffers
+ io_uring/tw: serialize ctx->retry_llist with ->uring_lock
+ LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()
+ Bluetooth: virtio_bt: clamp rx length before skb_put
+ Bluetooth: virtio_bt: validate rx pkt_type header length
+ Bluetooth: btmtk: validate WMT event SKB length before struct access
+ Bluetooth: hci_conn: fix potential UAF in create_big_sync
+ Bluetooth: hci_event: Fix OOB read and infinite loop in
hci_le_create_big_complete_evt
+ Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
+ Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
+ Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
+ rust: drm: gem: clean up GEM state in init failure case
+ rust: allow `clippy::collapsible_match` globally
+ rust: allow `clippy::collapsible_if` globally
+ rust: pin-init: internal: move alignment check to `make_field_check`
+ spi: syncuacer: fix controller deregistration
+ spi: sun4i: fix controller deregistration
+ spi: zynq-qspi: fix controller deregistration
+ spi: ti-qspi: fix controller deregistration
+ spi: sun6i: fix controller deregistration
+ spi: tegra114: fix controller deregistration
+ spi: zynqmp-gqspi: fix controller deregistration
+ spi: tegra20-sflash: fix controller deregistration
+ spi: s3c64xx: fix NULL-deref on driver unbind
+ staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc
+ staging: vme_user: fix root device leak on init failure
+ fanotify: fix false positive on permission events
+ KVM: arm64: Fix kvm_vcpu_initialized() macro parameter
+ mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
+ arm64: signal: Preserve POR_EL0 if poe_context is missing
+ mm/hugetlb_cma: round up per_node before logging it
+ LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT
+ LoongArch: KVM: Compile switch.S directly into the kernel
+ net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
rtnl_fill_vfinfo
+ mptcp: pm: ADD_ADDR rtx: skip inactive subflows
+ perf/x86/intel: Improve validation and configuration of ACR masks
+ selftests/rseq: Don't run tests with runner scripts outside of the scripts
+ rseq: Set rseq::cpu_id_start to 0 on unregistration
+ rseq: Protect rseq_reset() against interrupts
+ rseq: Don't advertise time slice extensions if disabled
+ selftests/rseq: Make registration flexible for legacy and optimized mode
+ selftests/rseq: Skip tests if time slice extensions are not available
+ selftests/rseq: Validate legacy behavior
+ selftests/rseq: Expand for optimized RSEQ ABI v2
+ accel/ivpu: Disallow re-exporting imported GEM objects
+ sound: ua101: fix division by zero at probe
+ pseries/papr-hvpipe: Fix race with interrupt handler
+ pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace
+ pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()
+ pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()
+ pseries/papr-hvpipe: Fix the usage of copy_to_user()
+ net: libwx: fix VF illegal register access
+ ip6_gre: Use cached t->net in ip6erspan_changelink().
+ net: libwx: use request_irq for VF misc interrupt
+ netpoll: pass buffer size to egress_dev() to avoid MAC truncation
+ net/rds: handle zerocopy send cleanup before the message is queued
+ net: wwan: t7xx: validate port_count against message length in
t7xx_port_enum_msg_handler
+ ovl: fix verity lazy-load guard broken by fsverity_active() semantic change
+ platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
+ parisc: Fix IRQ leak in LASI driver
+ x86/efi: Fix graceful fault handling after FPU softirq changes
+ hwmon: (ltc2992) Clamp threshold writes to hardware range
+ hwmon: (ltc2992) Fix u32 overflow in power read path
+ clk: rk808: fix OF node reference imbalance
+ hwmon: (corsair-psu) Close HID device on probe errors
+ af_unix: Reject SIOCATMARK on non-stream sockets
+ arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's
+ pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
+ block: add pgmap check to biovec_phys_mergeable
+ block: fix zone write plug removal
+ block: only read from sqe on initial invocation of blkdev_uring_cmd()
+ cifs: abort open_cached_dir if we don't request leases
+ cifs: change_conf needs to be called for session setup
+ extcon: ptn5150: handle pending IRQ events during system resume
+ fbcon: Avoid OOB font access if console rotation fails
+ gpio: of: clear OF_POPULATED on hog nodes in remove path
+ hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS
+ hv_sock: fix ARM64 support
+ hv_sock: Report EOF instead of -EIO for FIN
+ hv_sock: Return -EIO for malformed/short packets
+ ibmveth: Disable GSO for packets with small MSS
+ ice: fix double free in ice_sf_eth_activate() error path
+ spi: microchip-core-qspi: fix controller deregistration
+ spi: microchip-core-spi: fix controller deregistration
+ spi: microchip-core-qspi: don't attempt to transmit during emulated read-only
dual/quad operations
+ spi: microchip-core-qspi: control built-in cs manually
+ tracefs: Fix default permissions not being applied on initial mount
+ udf: reject descriptors with oversized CRC length
+ x86/boot/e820: Re-enable BIOS fallback if e820 table is empty
+ thermal: core: Free thermal zone ID later during removal
+ thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
+ thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp
+ spi: topcliff-pch: fix controller deregistration
+ spi: topcliff-pch: fix use-after-free on unbind
+ tracing/fprobe: Avoid kcalloc() in rcu_read_lock section
+ tracing/fprobe: Remove fprobe from hash in failure path
+ tracing/fprobe: Unregister fprobe even if memory allocation fails
+ tracing/probes: Limit size of event probe to 3K
+ tracing/fprobe: Check the same type fprobe on table as the unregistered one
+ clk: imx: imx8-acm: fix flags for acm clocks
+ clk: microchip: mpfs-ccc: fix out of bounds access during output registration
+ cpuidle: powerpc: avoid double clear when breaking snooze
+ ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table
+ ASoC: ES8389: convert to devm_clk_get_optional() to get clock
+ ASoC: fsl_easrc: fix comment typo
+ ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error
+ ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
+ ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
+ ASoC: qcom: q6apm: remove child devices when apm is removed
+ btrfs: do not mark inode incompressible after inline attempt fails
+ btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
info-leak
+ btrfs: fix double free in create_space_info() error path
+ btrfs: fix double free in create_space_info_sub_group() error path
+ btrfs: fix missing last_unlink_trans update when removing a directory
+ dm-thin: fix metadata refcount underflow
+ dm: don't report warning when doing deferred remove
+ dm: fix a buffer overflow in ioctl processing
+ eventfs: Hold eventfs_mutex and SRCU when remount walks events
+ dm-verity-fec: correctly reject too-small FEC devices
+ dm-verity-fec: correctly reject too-small hash devices
+ dm-verity-fec: fix corrected block count stat
+ dm-verity-fec: fix reading parity bytes split across blocks (take 3)
+ dm-verity-fec: fix the size of dm_verity_fec_io::erasures
+ isofs: validate Rock Ridge CE continuation extent against volume size
+ isofs: validate block number from NFS file handle in isofs_export_iget
+ iommufd: Fix return value of iommufd_fault_fops_write()
+ iommu/vt-d: Block PASID attachment to nested domain with dirty tracking
+ iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update
+ lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
+ lib/crc: tests: Make crc_kunit test only the enabled CRC variants
+ lib/scatterlist: fix length calculations in extract_kvec_to_sg
+ lib/scatterlist: fix temp buffer in extract_user_to_sg()
+ libceph: Fix slab-out-of-bounds access in auth message processing
+ md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
+ nvme-apple: drop invalid put of admin queue reference count
+ nvmet-tcp: fix race between ICReq handling and queue teardown
+ nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
+ openvswitch: vport: fix self-deadlock on release of tunnel ports
+ pmdomain: core: Fix detach procedure for virtual devices in genpd
+ psp: strip variable-length PSP header in psp_dev_rcv()
+ RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
+ riscv: kvm: fix vector context allocation leak
+ s390/debug: Reject zero-length input in debug_input_flush_fn()
+ s390/debug: Reject zero-length input before trimming a newline
+ scsi: mpt3sas: Limit NVMe request size to 2 MiB
+ smb/client: fix out-of-bounds read in smb2_compound_op()
+ smb/client: fix out-of-bounds read in symlink_data()
+ smb: client: use kzalloc to zero-initialize security descriptor buffer
+ smb: client: validate dacloffset before building DACL pointers
+ KVM: x86: check for nEPT/nNPT in slow flush hypercalls
+ KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty
+ mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values
+ mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values
+ mm/damon/stat: detect and use fresh enabled value
+ mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
+ mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock
+ PCI: Update saved_config_space upon resource assignment
+ PCI/AER: Clear only error bits in PCIe Device Status
+ PCI/AER: Stop ruling out unbound devices as error source
+ PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
+ power: supply: max17042: avoid overflow when determining health
+ powerpc/xive: fix kmemleak caused by incorrect chip_data lookup
+ perf/x86/intel: Always reprogram ACR events to prevent stale masks
+ perf/x86/intel: Disable PMI for self-reloaded ACR events
+ perf/x86/intel: Enable auto counter reload for DMR
+ RDMA/ionic: bound node_desc sysfs read with %.64s
+ RDMA/ionic: Fix typo in format string
+ RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
+ RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
+ RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
+ RDMA/mana: Validate rx_hash_key_len
+ RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
+ RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
+ RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
+ RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
+ RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
+ RDMA/rxe: Reject unknown opcodes before ICRC processing
+ RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
+ remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()
+ remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()
+ sched_ext: idle: Recheck prev_cpu after narrowing allowed mask
+ sched_ext: Use dsq->first_task instead of list_empty() in dispatch_enqueue()
FIFO-tail
+ selftests: mptcp: check output: catch cmd errors
+ selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl
+ mptcp: fastclose msk when linger time is 0
+ mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
+ mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
+ mptcp: sockopt: set timestamp flags on subflow socket, not msk
+ mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf
+ mptcp: fix rx timestamp corruption on fastopen
+ mptcp: fix scheduling with atomic in timestamp sockopt
+ mptcp: pm: prio: skip closed subflows
+ mptcp: pm: kernel: reset fullmesh counter after flush
+ mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
+ mptcp: pm: ADD_ADDR rtx: allow ID 0
+ mptcp: pm: ADD_ADDR rtx: fix potential data-race
+ mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
+ mptcp: pm: ADD_ADDR rtx: free sk if last
+ mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
+ mptcp: pm: ADD_ADDR rtx: return early if no retrans
+ f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
+ f2fs: fix false alarm of lockdep on cp_global_sem lock
+ f2fs: fix fiemap boundary handling when read extent cache is incomplete
+ f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage
+ f2fs: fix incorrect file address mapping when inline inode is unwritten
+ f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
+ f2fs: fix node_cnt race between extent node destroy and writeback
+ f2fs: fix uninitialized kobject put in f2fs_init_sysfs()
+ f2fs: refactor f2fs_move_node_folio function
+ f2fs: fix inline data not being written to disk in writeback path
+ f2fs: fix fsck inconsistency caused by FGGC of node block
+ KVM: arm64: Wake-up from WFI when iqrchip is in userspace
+ KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
+ KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
+ KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer
+ KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer
+ KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()
+ LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
+ LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS
+ LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry
+ LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software
+ LoongArch: KVM: Move unconditional delay into timer clear scenery
+ LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()
+ LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup
+ bpf: Fix use-after-free in arena_vm_close on fork
+ octeon_ep_vf: add NULL check for napi_build_skb()
+ mmc: core: Adjust MDT beyond 2025
+ mmc: core: Add quirk for incorrect manufacturing date
+ mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
+ crypto: qat - fix indentation of macros in qat_hal.c
+ crypto: qat - fix firmware loading failure for GEN6 devices
+ hfsplus: fix uninit-value by validating catalog record size
+ hfsplus: fix held lock freed on hfsplus_fill_super()
+ 8021q: use RCU for egress QoS mappings
+ 8021q: delete cleared egress QoS mappings
+ printk: add print_hex_dump_devel()
+ crypto: caam - guard HMAC key hex dumps in hash_digest_key
+ net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
+ net: stmmac: Prevent NULL deref when RX memory exhausted
+ rust: pin-init: fix incorrect accessor reference lifetime
+ x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
+ ksmbd: validate inherited ACE SID length
Linux 7.0.7
- ksmbd: validate inherited ACE SID length
- x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
- rust: pin-init: fix incorrect accessor reference lifetime
- net: stmmac: Prevent NULL deref when RX memory exhausted
- net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
- crypto: caam - guard HMAC key hex dumps in hash_digest_key
- printk: add print_hex_dump_devel()
- 8021q: delete cleared egress QoS mappings
- 8021q: use RCU for egress QoS mappings
- hfsplus: fix held lock freed on hfsplus_fill_super()
- hfsplus: fix uninit-value by validating catalog record size
- crypto: qat - fix firmware loading failure for GEN6 devices
- crypto: qat - fix indentation of macros in qat_hal.c
- mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
- mmc: core: Add quirk for incorrect manufacturing date
- mmc: core: Adjust MDT beyond 2025
- octeon_ep_vf: add NULL check for napi_build_skb()
- bpf: Fix use-after-free in arena_vm_close on fork
- LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup
- LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()
- LoongArch: KVM: Move unconditional delay into timer clear scenery
- LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software
- LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry
- LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS
- LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
- KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu()
- KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer
- KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer
- KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
- KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
- KVM: arm64: Wake-up from WFI when iqrchip is in userspace
- f2fs: fix fsck inconsistency caused by FGGC of node block
- f2fs: fix inline data not being written to disk in writeback path
- f2fs: refactor f2fs_move_node_folio function
- f2fs: fix uninitialized kobject put in f2fs_init_sysfs()
- f2fs: fix node_cnt race between extent node destroy and writeback
- f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
- f2fs: fix incorrect file address mapping when inline inode is unwritten
- f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage
- f2fs: fix fiemap boundary handling when read extent cache is incomplete
- f2fs: fix false alarm of lockdep on cp_global_sem lock
- f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
- mptcp: pm: ADD_ADDR rtx: return early if no retrans
- mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
- mptcp: pm: ADD_ADDR rtx: free sk if last
- mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
- mptcp: pm: ADD_ADDR rtx: fix potential data-race
- mptcp: pm: ADD_ADDR rtx: allow ID 0
- mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
- mptcp: pm: kernel: reset fullmesh counter after flush
- mptcp: pm: prio: skip closed subflows
- mptcp: fix scheduling with atomic in timestamp sockopt
- mptcp: fix rx timestamp corruption on fastopen
- mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf
- mptcp: sockopt: set timestamp flags on subflow socket, not msk
- mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
- mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
- mptcp: fastclose msk when linger time is 0
- selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl
- selftests: mptcp: check output: catch cmd errors
- sched_ext: Use dsq->first_task instead of list_empty() in dispatch_enqueue()
FIFO-tail
- sched_ext: idle: Recheck prev_cpu after narrowing allowed mask
- remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()
- remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()
- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
- RDMA/rxe: Reject unknown opcodes before ICRC processing
- RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
- RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
- RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
- RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
- RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
- RDMA/mana: Validate rx_hash_key_len
- RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
- RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
- RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
- RDMA/ionic: Fix typo in format string
- RDMA/ionic: bound node_desc sysfs read with %.64s
- perf/x86/intel: Enable auto counter reload for DMR
- perf/x86/intel: Disable PMI for self-reloaded ACR events
- perf/x86/intel: Always reprogram ACR events to prevent stale masks
- powerpc/xive: fix kmemleak caused by incorrect chip_data lookup
- power: supply: max17042: avoid overflow when determining health
- PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
- PCI/AER: Stop ruling out unbound devices as error source
- PCI/AER: Clear only error bits in PCIe Device Status
- PCI: Update saved_config_space upon resource assignment
- mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock
- mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
- mm/damon/stat: detect and use fresh enabled value
- mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values
- mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values
- KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty
- KVM: x86: check for nEPT/nNPT in slow flush hypercalls
- smb: client: validate dacloffset before building DACL pointers
- smb: client: use kzalloc to zero-initialize security descriptor buffer
- smb/client: fix out-of-bounds read in symlink_data()
- smb/client: fix out-of-bounds read in smb2_compound_op()
- scsi: mpt3sas: Limit NVMe request size to 2 MiB
- s390/debug: Reject zero-length input before trimming a newline
- s390/debug: Reject zero-length input in debug_input_flush_fn()
- riscv: kvm: fix vector context allocation leak
- RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
- psp: strip variable-length PSP header in psp_dev_rcv()
- pmdomain: core: Fix detach procedure for virtual devices in genpd
- openvswitch: vport: fix self-deadlock on release of tunnel ports
- nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
- nvmet-tcp: fix race between ICReq handling and queue teardown
- nvme-apple: drop invalid put of admin queue reference count
- md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
- libceph: Fix slab-out-of-bounds access in auth message processing
- lib/scatterlist: fix temp buffer in extract_user_to_sg()
- lib/scatterlist: fix length calculations in extract_kvec_to_sg
- lib/crc: tests: Make crc_kunit test only the enabled CRC variants
- lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
- iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update
- iommu/vt-d: Block PASID attachment to nested domain with dirty tracking
- iommufd: Fix return value of iommufd_fault_fops_write()
- isofs: validate block number from NFS file handle in isofs_export_iget
- isofs: validate Rock Ridge CE continuation extent against volume size
- dm-verity-fec: fix the size of dm_verity_fec_io::erasures
- dm-verity-fec: fix reading parity bytes split across blocks (take 3)
- dm-verity-fec: fix corrected block count stat
- dm-verity-fec: correctly reject too-small hash devices
- dm-verity-fec: correctly reject too-small FEC devices
- eventfs: Hold eventfs_mutex and SRCU when remount walks events
- dm: fix a buffer overflow in ioctl processing
- dm: don't report warning when doing deferred remove
- dm-thin: fix metadata refcount underflow
- btrfs: fix missing last_unlink_trans update when removing a directory
- btrfs: fix double free in create_space_info_sub_group() error path
- btrfs: fix double free in create_space_info() error path
- btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
info-leak
- btrfs: do not mark inode incompressible after inline attempt fails
- ASoC: qcom: q6apm: remove child devices when apm is removed
- ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
- ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
- ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error
- ASoC: fsl_easrc: fix comment typo
- ASoC: ES8389: convert to devm_clk_get_optional() to get clock
- ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table
- cpuidle: powerpc: avoid double clear when breaking snooze
- clk: microchip: mpfs-ccc: fix out of bounds access during output registration
- clk: imx: imx8-acm: fix flags for acm clocks
- tracing/fprobe: Check the same type fprobe on table as the unregistered one
- tracing/probes: Limit size of event probe to 3K
- tracing/fprobe: Unregister fprobe even if memory allocation fails
- tracing/fprobe: Remove fprobe from hash in failure path
- tracing/fprobe: Avoid kcalloc() in rcu_read_lock section
- spi: topcliff-pch: fix use-after-free on unbind
- spi: topcliff-pch: fix controller deregistration
- thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp
- thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
- thermal: core: Free thermal zone ID later during removal
- x86/boot/e820: Re-enable BIOS fallback if e820 table is empty
- udf: reject descriptors with oversized CRC length
- tracefs: Fix default permissions not being applied on initial mount
- spi: microchip-core-qspi: control built-in cs manually
- spi: microchip-core-qspi: don't attempt to transmit during emulated read-only
dual/quad operations
- spi: microchip-core-spi: fix controller deregistration
- spi: microchip-core-qspi: fix controller deregistration
- ice: fix double free in ice_sf_eth_activate() error path
- ibmveth: Disable GSO for packets with small MSS
- hv_sock: Return -EIO for malformed/short packets
- hv_sock: Report EOF instead of -EIO for FIN
- hv_sock: fix ARM64 support
- hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS
- gpio: of: clear OF_POPULATED on hog nodes in remove path
- fbcon: Avoid OOB font access if console rotation fails
- extcon: ptn5150: handle pending IRQ events during system resume
- cifs: change_conf needs to be called for session setup
- cifs: abort open_cached_dir if we don't request leases
- block: only read from sqe on initial invocation of blkdev_uring_cmd()
- block: fix zone write plug removal
- block: add pgmap check to biovec_phys_mergeable
- pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy()
- arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's
- af_unix: Reject SIOCATMARK on non-stream sockets
- hwmon: (corsair-psu) Close HID device on probe errors
- clk: rk808: fix OF node reference imbalance
- hwmon: (ltc2992) Fix u32 overflow in power read path
- hwmon: (ltc2992) Clamp threshold writes to hardware range
- x86/efi: Fix graceful fault handling after FPU softirq changes
- parisc: Fix IRQ leak in LASI driver
- platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration
- ovl: fix verity lazy-load guard broken by fsverity_active() semantic change
- net: wwan: t7xx: validate port_count against message length in
t7xx_port_enum_msg_handler
- net/rds: handle zerocopy send cleanup before the message is queued
- netpoll: pass buffer size to egress_dev() to avoid MAC truncation
- net: libwx: use request_irq for VF misc interrupt
- ip6_gre: Use cached t->net in ip6erspan_changelink().
- net: libwx: fix VF illegal register access
- pseries/papr-hvpipe: Fix the usage of copy_to_user()
- pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init()
- pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()
- pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace
- pseries/papr-hvpipe: Fix race with interrupt handler
- sound: ua101: fix division by zero at probe
- accel/ivpu: Disallow re-exporting imported GEM objects
- selftests/rseq: Expand for optimized RSEQ ABI v2
- selftests/rseq: Validate legacy behavior
- selftests/rseq: Skip tests if time slice extensions are not available
- selftests/rseq: Make registration flexible for legacy and optimized mode
- rseq: Don't advertise time slice extensions if disabled
- rseq: Protect rseq_reset() against interrupts
- rseq: Set rseq::cpu_id_start to 0 on unregistration
- selftests/rseq: Don't run tests with runner scripts outside of the scripts
- perf/x86/intel: Improve validation and configuration of ACR masks
- mptcp: pm: ADD_ADDR rtx: skip inactive subflows
- net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
rtnl_fill_vfinfo
- LoongArch: KVM: Compile switch.S directly into the kernel
- LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT
- mm/hugetlb_cma: round up per_node before logging it
- arm64: signal: Preserve POR_EL0 if poe_context is missing
- mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
- KVM: arm64: Fix kvm_vcpu_initialized() macro parameter
- fanotify: fix false positive on permission events
- staging: vme_user: fix root device leak on init failure
- staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc
- spi: s3c64xx: fix NULL-deref on driver unbind
- spi: tegra20-sflash: fix controller deregistration
- spi: zynqmp-gqspi: fix controller deregistration
- spi: tegra114: fix controller deregistration
- spi: sun6i: fix controller deregistration
- spi: ti-qspi: fix controller deregistration
- spi: zynq-qspi: fix controller deregistration
- spi: sun4i: fix controller deregistration
- spi: syncuacer: fix controller deregistration
- rust: pin-init: internal: move alignment check to `make_field_check`
- rust: allow `clippy::collapsible_if` globally
- rust: allow `clippy::collapsible_match` globally
- rust: drm: gem: clean up GEM state in init failure case
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
- Bluetooth: hci_event: Fix OOB read and infinite loop in
hci_le_create_big_complete_evt
- Bluetooth: hci_conn: fix potential UAF in create_big_sync
- Bluetooth: btmtk: validate WMT event SKB length before struct access
- Bluetooth: virtio_bt: validate rx pkt_type header length
- Bluetooth: virtio_bt: clamp rx length before skb_put
- LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()
- io_uring/tw: serialize ctx->retry_llist with ->uring_lock
- io_uring/kbuf: support min length left for incremental buffers
- selinux: allow multiple opens of /sys/fs/selinux/policy
- selinux: prune /sys/fs/selinux/user
- selinux: prune /sys/fs/selinux/disable
- selinux: prune /sys/fs/selinux/checkreqprot
- selinux: shrink critical section in sel_write_load()
- selinux: don't reserve xattr slot when we won't fill it
- selinux: use sk blob accessor in socket permission helpers
- selinux: fix avdcache auditing
- xfrm: ah: account for ESN high bits in async callbacks
- ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
- xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
- xfrm: provide message size for XFRM_MSG_MAPPING
- sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters
- x86/efi: Restore IRQ state in EFI page fault handler
- powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
- ALSA: seq: Fix UMP group 16 filtering
- ALSA: core: Serialize deferred fasync state checks
- ALSA: firewire-tascam: Do not drop unread control events
- ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop
Pro 15
- ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
- ALSA: hda: cs35l56: Propagate ASP TX source control errors
- usb: typec: tcpm: fix debug accessory mode detection for sink ports
- usb: ulpi: fix memory leak on ulpi_register() error paths
- USB: serial: option: add Telit Cinterion LE910Cx compositions
- USB: omap_udc: DMA: Don't enable burst 4 mode
- usb: dwc3: Move GUID programming after PHY initialization
- ALSA: usb-audio: Fix UAC3 cluster descriptor size check
- ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
- ALSA: usb-audio: midi2: Restart output URBs on resume
- usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
- usb: usblp: fix heap leak in IEEE 1284 device ID via short response
- wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task
- wifi: b43: enforce bounds check on firmware key index in b43_rx()
- wifi: mac80211: remove station if connection prep fails
- wifi: ath5k: do not access array OOB
- wifi: mac80211: use safe list iteration in radar detect work
- wifi: rsi: fix kthread lifetime race between self-exit and external-stop
- wifi: mac80211: drop stray 'static' from fast-RX rx_result
- wifi: b43legacy: enforce bounds check on firmware key index in RX path
- wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
- wifi: mt76: mt7921: fix a potential clc buffer length underflow
- wifi: mt76: mt7925: fix incorrect length field in txpower command
- wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr
- exit: prevent preemption of oopsing TASK_DEAD task
- net/sched: sch_red: Replace direct dequeue call with peek and
qdisc_dequeue_peeked
- smb: client/smbdirect: fix MR registration for coalesced SG lists
- flow_dissector: do not dissect PPPoE PFC frames
- KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
- ksmbd: rewrite stop_sessions() with restartable iteration
- spi: rockchip: fix controller deregistration
- wifi: mt76: mt7925: fix incorrect TLV length in CLC command
- ASoC: SOF: Don't allow pointer operations on unconfigured streams
- iommufd: Fix a race with concurrent allocation and unmap
- tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
- ACPI: video: force native backlight on HP OMEN 16 (8A44)
- ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
- ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO
- ACPI: scan: Use acpi_dev_put() in object add error paths
- ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states
- fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
- ipmi:si: Return state to normal if message allocation fails
- ipmi: Check event message buffer response for bad data
- ipmi: Add limits to event and receive message requests
- scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
+ UBUNTU: Upstream stable to v7.0.7
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2155988
Title:
Resolute update: v7.0.7 upstream stable release
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2155988/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
