Package "linux-modules-iwlwifi-5.15.0-140-generic"

 linux (5.15.0-140.150) jammy; urgency=medium
 .
   * jammy/linux: 5.15.0-140.150 -proposed tracker (LP: #2106996)
 .
   * Packaging resync (LP: #1786013)
     - [Packaging] debian.master/dkms-versions -- update from kernel-versions
       (main/2025.04.14)
 .
   * NFS, overlay, fstab issue after update to kernel 5.15.0-133-generic and -134
     (LP: #2103598)
     - udf: Fix directory iteration for longer tail extents
 .
   * Remove floppy kernel module causes null pointer deference (LP: #2104326)
     - floppy: fix add_disk() assumption on exit due to new developments
 .
   * CVE-2025-21971
     - net_sched: Prevent creation of classes with TC_H_ROOT
 .
   * CVE-2024-56599
     - wifi: ath10k: avoid NULL pointer error during sdio remove
 .
   * CVE-2024-56721
     - x86/CPU/AMD: Terminate the erratum_1386_microcode array
 .
   * Jammy update: v5.15.179 upstream stable release (LP: #2106026)
     - afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY
     - afs: Fix directory format encoding struct
     - hung_task: move hung_task sysctl interface to hung_task.c
     - sysctl: use const for typically used max/min proc sysctls
     - sysctl: share unsigned long const values
     - fs: move inode sysctls to its own file
     - fs: move fs stat sysctls to file_table.c
     - fs: fix proc_handler for sysctl_nr_open
     - block: deprecate autoloading based on dev_t
     - block: retry call probe after request_module in blk_request_module
     - pstore/blk: trivial typo fixes
     - nvme: Add error check for xa_store in nvme_get_effects_log
     - partitions: ldm: remove the initial kernel-doc notation
     - select: Fix unbalanced user_access_end()
     - afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call
     - sched/psi: Use task->psi_flags to clear in CPU migration
     - sched/fair: Fix value reported by hot tasks pulled in /proc/schedstat
     - drm/etnaviv: Fix page property being used for non writecombine buffers
     - genirq: Make handle_enforce_irqctx() unconditionally available
     - wifi: rtlwifi: do not complete firmware loading needlessly
     - wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step
     - wifi: rtlwifi: wait for firmware loading before releasing memory
     - wifi: rtlwifi: fix init_sw_vars leak when probe fails
     - wifi: rtlwifi: usb: fix workqueue leak when probe fails
     - spi: zynq-qspi: Add check for clk_enable()
     - dt-bindings: mmc: controller: clarify the address-cells description
     - spi: dt-bindings: add schema listing peripheral-specific properties
     - dt-bindings: Another pass removing cases of 'allOf' containing a '$ref'
     - dt-bindings: leds: Add Qualcomm Light Pulse Generator binding
     - dt-bindings: leds: Optional multi-led unit address
     - dt-bindings: leds: Add multicolor PWM LED bindings
     - dt-bindings: leds: class-multicolor: reference class directly in multi-led
       node
     - dt-bindings: leds: class-multicolor: Fix path to color definitions
     - rtlwifi: replace usage of found with dedicated list iterator variable
     - wifi: rtlwifi: remove unused timer and related code
     - wifi: rtlwifi: remove unused dualmac control leftovers
     - wifi: rtlwifi: destroy workqueue at rtl_deinit_core
     - wifi: rtlwifi: pci: wait for firmware loading before releasing memory
     - HID: multitouch: Add support for lenovo Y9000P Touchpad
     - Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad"
     - HID: multitouch: fix support for Goodix PID 0x01e9
     - regulator: dt-bindings: mt6315: Drop regulator-compatible property
     - ACPI: fan: cleanup resources in the error path of .probe()
     - cpupower: fix TSC MHz calculation
     - dt-bindings: mfd: bd71815: Fix rsense and typos
     - leds: netxbig: Fix an OF node reference leak in netxbig_leds_get_of_pdata()
     - cpufreq: schedutil: Fix superfluous updates caused by need_freq_update
     - clk: imx8mp: Fix clkout1/2 support
     - regulator: of: Implement the unwind path of of_regulator_match()
     - samples/landlock: Fix possible NULL dereference in parse_path()
     - wifi: wlcore: fix unbalanced pm_runtime calls
     - net/smc: fix data error when recvmsg with MSG_PEEK flag
     - landlock: Move filesystem helpers and add a new one
     - wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO
     - cpufreq: ACPI: Fix max-frequency computation
     - selftests: harness: fix printing of mismatch values in __EXPECT()
     - wifi: cfg80211: Handle specific BSSID in 6GHz scanning
     - wifi: cfg80211: adjust allocation of colocated AP data
     - clk: analogbits: Fix incorrect calculation of vco rate delta
     - selftests/landlock: Fix error message
     - net/mlxfw: Drop hard coded max FW flash image size
     - netfilter: nft_flow_offload: update tcp state flags under lock
     - tcp_cubic: fix incorrect HyStart round start detection
     - tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind
     - libbpf: Fix segfault due to libelf functions not setting errno
     - ASoC: sun4i-spdif: Add clock multiplier settings
     - perf header: Fix one memory leakage in process_bpf_btf()
     - perf header: Fix one memory leakage in process_bpf_prog_info()
     - perf bpf: Fix two memory leakages when calling
       perf_env__insert_bpf_prog_info()
     - ASoC: renesas: rz-ssi: Use only the proper amount of dividers
     - ktest.pl: Remove unused declarations in run_bisect_test function
     - crypto: hisilicon/sec - add some comments for soft fallback
     - crypto: hisilicon/sec - delete redundant blank lines
     - crypto: hisilicon/sec2 - optimize the error return process
     - crypto: hisilicon/sec2 - fix for aead icv error
     - crypto: hisilicon/sec2 - fix for aead invalid authsize
     - crypto: ixp4xx - fix OF node reference leaks in init_ixp_crypto()
     - padata: fix sysfs store callback check
     - perf top: Don't complain about lack of vmlinux w

 linux (5.15.0-138.148) jammy; urgency=medium
 .
   * jammy/linux: 5.15.0-138.148 -proposed tracker (LP: #2102587)
 .
   * ipsec_offload in rtnetlink.sh from ubunsu_kselftests_net fails on O/J
     (LP: #2096976)
     - SAUCE: selftest: netfilter: fix null IP field in kci_test_ipsec_offload
 .
   * CVE-2025-21756
     - vsock: Keep the binding until socket destruction
     - vsock: Orphan socket after transport release
 .
   * CVE-2024-50256
     - netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
 .
   * CVE-2025-21702
     - pfifo_tail_enqueue: Drop new packet when sch->limit == 0
 .
   * CVE-2025-21703
     - netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
 .
   * CVE-2025-21700
     - net: sched: Disallow replacing of child qdisc from one parent to another
 .
   * CVE-2024-46826
     - ELF: fix kernel.randomize_va_space double read
 .
   * CVE-2024-56651
     - can: hi311x: hi3110_can_ist(): fix potential use-after-free
 .
   * iBFT iSCSI out-of-bounds shift UBSAN warning (LP: #2097824)
     - iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
 .
   * CVE-2024-50248
     - ntfs3: Add bounds checking to mi_enum_attr()
     - fs/ntfs3: Sequential field availability check in mi_enum_attr()
 .
   * CVE-2022-0995
     - watch_queue: Use the bitmap API when applicable
 .
   * CVE-2024-26837
     - net: bridge: switchdev: Skip MDB replays of deferred events on offload
 .
   * CVE-2025-21701
     - net: avoid race between device unregistration and ethnl ops
 .
   * CVE-2024-57798
     - drm/dp_mst: Skip CSN if topology probing is not done yet
     - drm/dp_mst: Ensure mst_primary pointer is valid in
       drm_dp_mst_handle_up_req()
 .
   * CVE-2024-56658
     - net: defer final 'struct net' free in netns dismantle
 .
   * CVE-2024-35864
     - smb: client: fix potential UAF in smb2_is_valid_lease_break()
 .
   * CVE-2024-35864/CVE-2024-26928
     - smb: client: fix potential UAF in cifs_debug_files_proc_show()

 linux (5.15.0-135.146) jammy; urgency=medium
 .
   * jammy/linux: 5.15.0-135.146 -proposed tracker (LP: #2098300)
 .
   * Packaging resync (LP: #1786013)
     - [Packaging] debian.master/dkms-versions -- update from kernel-versions
       (main/2025.02.10)
 .
   * Jammy update: v5.15.178 upstream stable release (LP: #2098441)
     - ASoC: wm8994: Add depends on MFD core
     - ASoC: samsung: Add missing selects for MFD_WM8994
     - seccomp: Stub for !CONFIG_SECCOMP
     - scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request
     - irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
     - ASoC: samsung: Add missing depends on I2C
     - regmap: detach regmap from dev on regmap_exit
     - mptcp: don't always assume copied data in mptcp_cleanup_rbuf()
     - gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
     - net: sched: fix ets qdisc OOB Indexing
     - vfio/platform: check the bounds of read/write syscalls
     - fs/ntfs3: Additional check in ntfs_file_release
     - platform/chrome: cros_ec_typec: Check for EC driver
     - ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()
     - scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
     - wifi: iwlwifi: add a few rate index validity checks
     - USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
     - ALSA: usb-audio: Add delay quirk for USB Audio Device
     - Input: atkbd - map F23 key to support default copilot shortcut
     - Input: xpad - add unofficial Xbox 360 wireless receiver clone
     - Input: xpad - add support for wooting two he (arm)
     - drm/v3d: Assign job pointer to NULL before signaling the fence
     - Linux 5.15.178
 .
   * CVE-2024-49925
     - fbdev: efifb: Register sysfs groups through driver core
 .
   * Jammy update: v5.15.177 upstream stable release (LP: #2097298)
     - ceph: give up on paths longer than PATH_MAX
     - jbd2: flush filesystem device before updating tail sequence
     - dm array: fix releasing a faulty array block twice in dm_array_cursor_end
     - dm array: fix unreleased btree blocks on closing a faulty array cursor
     - dm array: fix cursor index when skipping across block boundaries
     - exfat: fix the infinite loop in exfat_readdir()
     - exfat: fix the infinite loop in __exfat_free_cluster()
     - ASoC: mediatek: disable buffer pre-allocation
     - ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()
     - net: 802: LLC+SNAP OID:PID lookup on start of skb data
     - tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
     - tcp/dccp: allow a connection when sk_max_ack_backlog is zero
     - net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
     - bnxt_en: Fix possible memory leak when hwrm_req_replace fails
     - cxgb4: Avoid removal of uninserted tid
     - tls: Fix tls_sw_sendmsg error handling
     - netfilter: nf_tables: imbalance in flowtable binding
     - netfilter: conntrack: clamp maximum hashtable size to INT_MAX
     - drm/mediatek: Add support for 180-degree rotation in the display driver
     - ksmbd: fix a missing return value check bug
     - afs: Fix the maximum cell name length
     - dm thin: make get_first_thin use rcu-safe list first function
     - dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY
     - sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
     - sctp: sysctl: rto_min/max: avoid using current->nsproxy
     - sctp: sysctl: auth_enable: avoid using current->nsproxy
     - sctp: sysctl: udp_port: avoid using current->nsproxy
     - sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy
     - drm/amd/display: Add check for granularity in dml ceil/floor helpers
     - riscv: Fix sleeping in invalid context in die()
     - ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
     - ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
     - drm/amd/display: increase MAX_SURFACES to the value supported by hw
     - scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity
     - USB: serial: option: add MeiG Smart SRM815
     - USB: serial: option: add Neoway N723-EA support
     - staging: iio: ad9834: Correct phase range check
     - staging: iio: ad9832: Correct phase range check
     - usb-storage: Add max sectors quirk for Nokia 208
     - USB: serial: cp210x: add Phoenix Contact UPS Device
     - usb: dwc3: gadget: fix writing NYET threshold
     - topology: Keep the cpumask unchanged when printing cpumap
     - USB: usblp: return error when setting unsupported protocol
     - USB: core: Disable LPM only for non-suspended ports
     - usb: fix reference leak in usb_new_device()
     - usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints
     - usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
     - iio: pressure: zpa2326: fix information leak in triggered buffer
     - iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered
       buffer
     - iio: light: vcnl4035: fix information leak in triggered buffer
     - iio: imu: kmx61: fix information leak in triggered buffer
     - iio: adc: ti-ads8688: fix information leak in triggered buffer
     - iio: gyro: fxas21002c: Fix missing data update in trigger handler
     - iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
     - iio: adc: at91: call input_free_device() on allocated iio_dev
     - iio: inkern: call iio_device_put() only on mapped devices
     - iio: adc: ad7124: Disable all channels at probe time
     - block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
     - arm64: dts: rockchip: add hevc power domain clock to rk3328
     - of: unittest: Add bus address range parsing tests
     - of/address: Add support for 3 address cell bus
     - of: address: Fix address translation when address-size is greater than 2
     - of: address: Remove duplicated functions
     - of: address: Store number of bus flag cells rather than

 linux (5.15.0-133.144) jammy; urgency=medium
 .
   * CVE-2025-0927
     - SAUCE: fs: hfs/hfsplus: add key_len boundary check to hfs_bnode_read_key
 .

 linux (5.15.0-132.143) jammy; urgency=medium
 .
   * jammy/linux: 5.15.0-132.143 -proposed tracker (LP: #2093735)
 .
   * Packaging resync (LP: #1786013)
     - [Packaging] debian.master/dkms-versions -- update from kernel-versions
       (main/2025.01.13)
 .
   * KVM: Cache CPUID at KVM.ko module init to reduce latency of VM-Enter and VM-
     Exit (LP: #2093146)
     - kvm: x86: Fix xstate_required_size() to follow XSTATE alignment rule
     - KVM: x86: Cache CPUID.0xD XSTATE offsets+sizes during module init
 .
   * Jammy update: v5.15.173 upstream stable release (LP: #2089541)
     - 9p: Avoid creating multiple slab caches with the same name
     - irqchip/ocelot: Fix trigger register address
     - block: Fix elevator_get_default() checking for NULL q->tag_set
     - HID: multitouch: Add support for B2402FVA track point
     - HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad
     - bpf: use kvzmalloc to allocate BPF verifier environment
     - crypto: marvell/cesa - Disable hash algorithms
     - sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML
     - drm/vmwgfx: Limit display layout ioctl array size to
       VMWGFX_NUM_DISPLAY_UNITS
     - powerpc/powernv: Free name on error in opal_event_init()
     - vDPA/ifcvf: Fix pci_read_config_byte() return code handling
     - fs: Fix uninitialized value issue in from_kuid and from_kgid
     - HID: multitouch: Add quirk for Logitech Bolt receiver w/ Casa touchpad
     - HID: lenovo: Add support for Thinkpad X1 Tablet Gen 3 keyboard
     - net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition
     - md/raid10: improve code of mrdev in raid10_sync_request
     - mm/memory: add non-anonymous page check in the copy_present_page()
     - udf: Allocate name buffer in directory iterator on heap
     - udf: Avoid directory type conversion failure due to ENOMEM
     - 9p: fix slab cache name creation for real
     - Linux 5.15.173
 .
   * Jammy update: v5.15.173 upstream stable release (LP: #2089541) //
     CVE-2024-41080
     - io_uring: fix possible deadlock in io_register_iowq_max_workers()
 .
   * Jammy update: v5.15.172 upstream stable release (LP: #2089533)
     - arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-
       excavator
     - arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328
     - arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards
     - arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion
     - arm64: dts: rockchip: Fix LED triggers on rk3308-roc-cc
     - arm64: dts: imx8mp: correct sdhc ipg clk
     - ARM: dts: rockchip: fix rk3036 acodec node
     - ARM: dts: rockchip: drop grf reference from rk3036 hdmi
     - ARM: dts: rockchip: Fix the spi controller on rk3036
     - ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
     - NFSv3: only use NFS timeout for MOUNT when protocols are compatible
     - NFS: Add a tracepoint to show the results of nfs_set_cache_invalid()
     - NFSv3: handle out-of-order write replies.
     - nfs: avoid i_lock contention in nfs_clear_invalid_mapping
     - net: enetc: set MAC address to the VF net_device
     - can: c_can: fix {rx,tx}_errors statistics
     - net: phy: ti: add PHY_RST_AFTER_CLK_EN flag
     - net: stmmac: Fix unbalanced IRQ wake disable warning on single irq case
     - Revert "ALSA: hda/conexant: Mute speakers at suspend / shutdown"
     - media: stb0899_algo: initialize cfr before using it
     - media: dvb_frontend: don't play tricks with underflow values
     - media: adv7604: prevent underflow condition when reporting colorspace
     - scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer
     - ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()
     - media: pulse8-cec: fix data timestamp at pulse8_setup()
     - media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
     - pwm: imx-tpm: Use correct MODULO value for EPWM mode
     - drm/amdgpu: Adjust debugfs eviction and IB access permissions
     - drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
     - thermal/drivers/qcom/lmh: Remove false lockdep backtrace
     - dm cache: correct the number of origin blocks to match the target length
     - dm cache: optimize dirty bit checking with find_next_bit when resizing
     - dm-unstriped: cast an operand to sector_t to prevent potential uint32_t
       overflow
     - ALSA: usb-audio: Add quirk for HP 320 FHD Webcam
     - posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone
     - io_uring: rename kiocb_end_write() local helper
     - fs: create kiocb_{start,end}_write() helpers
     - io_uring: use kiocb_{start,end}_write() helpers
     - media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in
       uvc_parse_format
     - fs/proc: fix compile warning about variable 'vmcore_mmap_ops'
     - usb: dwc3: fix fault at system suspend if device was already runtime
       suspended
     - USB: serial: qcserial: add support for Sierra Wireless EM86xx
     - USB: serial: option: add Fibocom FG132 0x0112 composition
     - USB: serial: option: add Quectel RG650V
     - irqchip/gic-v3: Force propagation of the active state with a read-back
     - ucounts: fix counter leak in inc_rlimit_get_ucounts()
     - ALSA: usb-audio: Support jack detection on Dell dock
     - ALSA: usb-audio: Add quirks for Dell WD19 dock
     - ACPI: PRM: Clean up guid type in struct prm_handler_info
     - ALSA: usb-audio: Add endianness annotations
     - Linux 5.15.172
 .
   * Jammy update: v5.15.172 upstream stable release (LP: #2089533) //
     CVE-2024-50265
     - ocfs2: remove entry once instead of null-ptr-dereference in
       ocfs2_xa_remove()
 .
   * Jammy update: v5.15.172 upstream stable release (LP: #2089533) //
     CVE-2024-50267
     - USB: serial: io_edgeport: fix use after free in debug printk
 .
   * Jammy update: v5.15.172 upstream stable release (LP: #2089533) //
     CVE-2024-50268
     - usb: typec: fix potential ou