Package "linux"

  linux (5.4.0-202.222) focal; urgency=medium

  * focal/linux: 5.4.0-202.222 -proposed tracker (LP: #2086451)
    - [Packaging] resync git-ubuntu-log

  * CVE-2021-47501
    - i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc

  * CVE-2024-46724
    - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number

  * CVE-2024-42240
    - x86/bhi: Avoid warning in #DB handler due to BHI mitigation

  * CVE-2024-42077
    - ocfs2: fix DIO failure due to insufficient transaction credits

  * CVE-2024-42068
    - bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()

  * CVE-2024-36968
    - Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()

  * CVE-2024-35904
    - selinux: avoid dereference of garbage after mount failure

  * CVE-2023-52498
    - PM: sleep: Avoid calling put_device() under dpm_list_mtx
    - PM: sleep: Fix error handling in dpm_prepare()
    - async: Split async_schedule_node_domain()
    - async: Introduce async_schedule_dev_nocall()
    - PM: sleep: Fix possible deadlocks in core system-wide PM code

  * CVE-2023-52488
    - serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO

  * CVE-2022-48938
    - CDC-NCM: avoid overflow in sanity checking

  * CVE-2024-42156
    - s390/pkey: Wipe copies of clear-key structures on failure

  * CVE-2024-44942
    - f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

  * CVE-2024-38538
    - net: bridge: xmit: make sure we have at least eth header len bytes

  * CVE-2021-47076
    - RDMA/rxe: Return CQE error if invalid lkey was supplied

  * CVE-2024-36938
    - bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue

  * CVE-2024-44940
    - fou: remove warn in gue_gro_receive on unsupported protocol

  * CVE-2024-35951
    - drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()

  * CVE-2023-52497
    - erofs: fix lz4 inplace decompression

  * CVE-2024-36953
    - KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()

  * CVE-2022-48943
    - KVM: x86/mmu: make apf token non-zero to fix bug

  * CVE-2024-26947
    - ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses

  * CVE-2022-48733
    - btrfs: fix use-after-free after failure to create a snapshot

  * CVE-2023-52639
    - KVM: s390: vsie: fix race during shadow creation

 -- Stefan Bader <email address hidden> Fri, 08 Nov 2024 15:14:23 +0100

  linux (5.4.0-200.220) focal; urgency=medium

  * focal/linux: 5.4.0-200.220 -proposed tracker (LP: #2082937)

  * Packaging resync (LP: #1786013)
    - [Packaging] debian.master/dkms-versions -- update from kernel-versions
      (main/2024.09.30)

  * CVE-2024-26800
    - tls: rx: coalesce exit paths in tls_decrypt_sg()
    - tls: separate no-async decryption request handling from async
    - tls: fix use-after-free on failed backlog decryption

  * CVE-2024-26641
    - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()

  * CVE-2021-47212
    - net/mlx5: Update error handler for UCTX and UMEM

  * wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks
    (LP: #2081085)
    - bdi: use bdi_dev_name() to get device name

  * Focal update: v5.4.284 upstream stable release (LP: #2081278)
    - drm: panel-orientation-quirks: Add quirk for OrangePi Neo
    - i2c: Fix conditional for substituting empty ACPI functions
    - net: usb: qmi_wwan: add MeiG Smart SRM825L
    - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
    - drm/amdgpu: fix overflowed array index read warning
    - drm/amd/display: Check gpio_id before used as array index
    - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6
    - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]
    - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within
      dal_gpio_service_create
    - drm/amdgpu: fix ucode out-of-bounds read warning
    - drm/amdgpu: fix mc_data out-of-bounds read warning
    - drm/amdkfd: Reconcile the definition and use of oem_id in struct
      kfd_topology_device
    - apparmor: fix possible NULL pointer dereference
    - ionic: fix potential irq name truncation
    - usbip: Don't submit special requests twice
    - usb: typec: ucsi: Fix null pointer dereference in trace
    - smack: tcp: ipv4, fix incorrect labeling
    - wifi: cfg80211: make hash table duplicates more survivable
    - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
    - media: uvcvideo: Enforce alignment of frame and interval
    - block: initialize integrity buffer to zero before writing it to media
    - net: set SOCK_RCU_FREE before inserting socket into hashtable
    - virtio_net: Fix napi_skb_cache_put warning
    - udf: Limit file size to 4TB
    - i2c: Use IS_REACHABLE() for substituting empty ACPI functions
    - sch/netem: fix use after free in netem_dequeue
    - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
    - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius
      devices
    - ata: libata: Fix memory leak for error path in ata_host_alloc()
    - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
    - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
    - mmc: sdhci-of-aspeed: fix module autoloading
    - fuse: update stats for pages in dropped aux writeback list
    - fuse: use unsigned type for getxattr/listxattr size truncation
    - reset: hi6220: Add support for AO reset controller
    - clk: hi6220: use CLK_OF_DECLARE_DRIVER
    - clk: qcom: clk-alpha-pll: Fix the pll post div mask
    - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API
    - ila: call nf_unregister_net_hooks() sooner
    - sched: sch_cake: fix bulk flow accounting logic for host fairness
    - nilfs2: fix missing cleanup on rollforward recovery error
    - nilfs2: fix state management in error path of log writing function
    - ALSA: hda: Add input value sanity checks to HDMI channel map controls
    - smack: unix sockets: fix accept()ed socket label
    - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
    - af_unix: Remove put_pid()/put_cred() in copy_peercred().
    - netfilter: nf_conncount: fix wrong variable type
    - udf: Avoid excessive partition lengths
    - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
    - usb: uas: set host status byte on data completion error
    - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)
    - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
    - pcmcia: Use resource_size function on resource object
    - can: bcm: Remove proc entry when dev is unregistered.
    - igb: Fix not clearing TimeSync interrupts for 82580
    - platform/x86: dell-smbios: Fix error path in dell_smbios_init()
    - tcp_bpf: fix return value of tcp_bpf_sendmsg()
    - cx82310_eth: re-enable ethernet mode after router reboot
    - drivers/net/usb: Remove all strcpy() uses
    - net: usb: don't write directly to netdev->dev_addr
    - usbnet: modern method to get random MAC
    - net: bridge: fdb: convert is_local to bitops
    - net: bridge: fdb: convert is_static to bitops
    - net: bridge: fdb: convert is_sticky to bitops
    - net: bridge: fdb: convert added_by_user to bitops
    - net: bridge: fdb: convert added_by_external_learn to use bitops
    - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
    - net: dsa: vsc73xx: fix possible subblocks range of CAPT block
    - ASoC: topology: Properly initialize soc_enum values
    - dm init: Handle minors larger than 255
    - iommu/vt-d: Handle volatile descriptor status read
    - cgroup: Protect css->cgroup write under css_set_lock
    - um: line: always fill *error_out in setup_one_line()
    - devres: Initialize an uninitialized struct member
    - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
    - hwmon: (adc128d818) Fix underflows seen when writing limit attributes
    - hwmon: (lm95234) Fix underflows seen when writing limit attributes
    - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
    - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
    - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
    - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
    - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
    - btrfs: replace BUG_ON with ASSERT in walk_down_pro

  linux (5.4.0-195.215) focal; urgency=medium

  * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)

  * Focal update: v5.4.280 upstream stable release (LP: #2075175)
    - Compiler Attributes: Add __uninitialized macro
    - drm/lima: fix shared irq handling on driver remove
    - media: dvb: as102-fe: Fix as10x_register_addr packing
    - media: dvb-usb: dib0700_devices: Add missing release_firmware()
    - IB/core: Implement a limit on UMAD receive List
    - scsi: qedf: Make qedf_execute_tmf() non-preemptible
    - drm/amdgpu: Initialize timestamp for some legacy SOCs
    - drm/amd/display: Skip finding free audio for unknown engine_id
    - media: dw2102: Don't translate i2c read into write
    - sctp: prefer struct_size over open coded arithmetic
    - firmware: dmi: Stop decoding on broken entry
    - Input: ff-core - prefer struct_size over open coded arithmetic
    - net: dsa: mv88e6xxx: Correct check for empty list
    - media: dvb-frontends: tda18271c2dd: Remove casting during div
    - media: s2255: Use refcount_t instead of atomic_t for num_channels
    - media: dvb-frontends: tda10048: Fix integer overflow
    - i2c: i801: Annotate apanel_addr as __ro_after_init
    - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n
    - orangefs: fix out-of-bounds fsid access
    - powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"
    - jffs2: Fix potential illegal address access in jffs2_free_inode
    - s390/pkey: Wipe sensitive data on failure
    - tcp: tcp_mark_head_lost is only valid for sack-tcp
    - tcp: add ece_ack flag to reno sack functions
    - net: tcp better handling of reordering then loss cases
    - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()
    - tcp_metrics: validate source addr length
    - wifi: wilc1000: fix ies_len type in connect path
    - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
    - selftests: fix OOM in msg_zerocopy selftest
    - selftests: make order checking verbose in msg_zerocopy selftest
    - inet_diag: Initialize pad field in struct inet_diag_req_v2
    - nilfs2: fix inode number range checks
    - nilfs2: add missing check for inode numbers on directory entries
    - mm: optimize the redundant loop of mm_update_owner_next()
    - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct
    - fsnotify: Do not generate events for O_PATH file descriptors
    - Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),
      again"
    - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes
    - drm/amdgpu/atomfirmware: silence UBSAN warning
    - media: dw2102: fix a potential buffer overflow
    - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr
    - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897
    - nvme-multipath: find NUMA path only for online numa-node
    - nilfs2: fix incorrect inode allocation from reserved inodes
    - filelock: fix potential use-after-free in posix_lock_inode
    - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading
    - vfs: don't mod negative dentry count when on shrinker list
    - tcp: add TCP_INFO status for failed client TFO
    - tcp: fix incorrect undo caused by DSACK of TLP retransmit
    - octeontx2-af: Fix incorrect value output on error path in
      rvu_check_rsrc_availability()
    - net: lantiq_etop: add blank line after declaration
    - net: ethernet: lantiq_etop: fix double free in detach
    - ppp: reject claimed-as-LCP but actually malformed packets
    - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().
    - s390: Mark psw in __load_psw_mask() as __unitialized
    - ARM: davinci: Convert comma to semicolon
    - octeontx2-af: fix detection of IP layer
    - USB: serial: option: add Telit generic core-dump composition
    - USB: serial: option: add Telit FN912 rmnet compositions
    - USB: serial: option: add Fibocom FM350-GL
    - USB: serial: option: add support for Foxconn T99W651
    - USB: serial: option: add Netprisma LCUK54 series modules
    - USB: serial: option: add Rolling RW350-GL variants
    - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k
    - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()
    - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the
      descriptor
    - hpet: Support 32-bit userspace
    - nvmem: meson-efuse: Fix return value of nvmem callbacks
    - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX
    - libceph: fix race between delayed_work() and ceph_monc_stop()
    - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
    - tcp: refactor tcp_retransmit_timer()
    - net: tcp: fix unexcepted socket die when snd_wnd is 0
    - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()
    - tcp: avoid too many retransmit packets
    - nilfs2: fix kernel bug on rename operation of broken directory
    - i2c: rcar: bring hardware to known state when probing
    - Linux 5.4.280

  * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Focal update:
    v5.4.280 upstream stable release (LP: #2075175)
    - bnx2x: Fix multiple UBSAN array-index-out-of-bounds

  * Focal update: v5.4.279 upstream stable release (LP: #2073621)
    - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
    - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
    - wifi: cfg80211: pmsr: use correct nla_get_uX functions
    - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
    - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef
    - wifi: iwlwifi: mvm: don't read past the mfuart notifcation
    - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
    - net: sched: sch_multiq: fix possible OOB write in multiq_tune()
    - vxlan: Fix regression when dropping packets due to invalid src addresses
    - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
 

  linux (5.4.0-192.212) focal; urgency=medium

  * focal/linux: 5.4.0-192.212 -proposed tracker (LP: #2072305)

  * Focal update: v5.4.278 upstream stable release (LP: #2071668)
    - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
    - speakup: Fix sizeof() vs ARRAY_SIZE() bug
    - ring-buffer: Fix a race between readers and resize checks
    - net: smc91x: Fix m68k kernel compilation for ColdFire CPU
    - nilfs2: fix unexpected freezing of nilfs_segctor_sync()
    - nilfs2: fix potential hang in nilfs_detach_log_writer()
    - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt
      class
    - net: usb: qmi_wwan: add Telit FN920C04 compositions
    - drm/amd/display: Set color_mgmt_changed to true on unsuspend
    - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
    - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
    - ASoC: da7219-aad: fix usage of device_get_named_child_node()
    - drm/amdkfd: Flush the process wq before creating a kfd_process
    - nvme: find numa distance only if controller has valid numa id
    - openpromfs: finish conversion to the new mount API
    - crypto: bcm - Fix pointer arithmetic
    - firmware: raspberrypi: Use correct device for DMA mappings
    - ecryptfs: Fix buffer size for tag 66 packet
    - nilfs2: fix out-of-range warning
    - parisc: add missing export of __cmpxchg_u8()
    - crypto: ccp - drop platform ifdef checks
    - s390/cio: fix tracepoint subchannel type field
    - jffs2: prevent xattr node from overflowing the eraseblock
    - null_blk: Fix missing mutex_destroy() at module removal
    - md: fix resync softlockup when bitmap size is less than array size
    - wifi: ath10k: poll service ready message before failing
    - x86/boot: Ignore relocations in .notes sections in walk_relocs() too
    - qed: avoid truncating work queue length
    - scsi: ufs: qcom: Perform read back after writing reset bit
    - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
    - scsi: ufs: core: Perform read back after disabling interrupts
    - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
    - irqchip/alpine-msi: Fix off-by-one in allocation error path
    - ACPI: disable -Wstringop-truncation
    - cpufreq: Reorganize checks in cpufreq_offline()
    - cpufreq: Split cpufreq_offline()
    - cpufreq: Rearrange locking in cpufreq_remove_dev()
    - cpufreq: exit() callback is optional
    - scsi: libsas: Fix the failure of adding phy with zero-address to port
    - scsi: hpsa: Fix allocation size for Scsi_Host private data
    - x86/purgatory: Switch to the position-independent small code model
    - wifi: ath10k: Fix an error code problem in
      ath10k_dbg_sta_write_peer_debug_trigger()
    - wifi: ath10k: populate board data for WCN3990
    - tcp: minor optimization in tcp_add_backlog()
    - tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
    - tcp: avoid premature drops in tcp_add_backlog()
    - macintosh/via-macii: Fix "BUG: sleeping function called from invalid
      context"
    - wifi: carl9170: add a proper sanity check for endpoints
    - wifi: ar5523: enable proper endpoint verification
    - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
    - Revert "sh: Handle calling csum_partial with misaligned data"
    - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
    - scsi: bfa: Ensure the copied buf is NUL terminated
    - scsi: qedf: Ensure the copied buf is NUL terminated
    - wifi: mwl8k: initialize cmd->addr[] properly
    - usb: aqc111: stop lying about skb->truesize
    - net: usb: sr9700: stop lying about skb->truesize
    - m68k: Fix spinlock race in kernel thread creation
    - m68k: mac: Fix reboot hang on Mac IIci
    - net: ethernet: cortina: Locking fixes
    - af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
    - net: usb: smsc95xx: stop lying about skb->truesize
    - net: openvswitch: fix overwriting ct original tuple for ICMPv6
    - ipv6: sr: add missing seg6_local_exit
    - ipv6: sr: fix incorrect unregister order
    - ipv6: sr: fix invalid unregister error path
    - drm/amd/display: Fix potential index out of bounds in color transformation
      function
    - mtd: rawnand: hynix: fixed typo
    - fbdev: shmobile: fix snprintf truncation
    - drm/mediatek: Add 0 size check to mtk_drm_gem_obj
    - powerpc/fsl-soc: hide unused const variable
    - fbdev: sisfb: hide unused variables
    - media: ngene: Add dvb_ca_en50221_init return value check
    - media: radio-shark2: Avoid led_names truncations
    - platform/x86: wmi: Make two functions static
    - fbdev: sh7760fb: allow modular build
    - drm/arm/malidp: fix a possible null pointer dereference
    - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
    - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
    - RDMA/hns: Use complete parentheses in macros
    - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
    - ext4: avoid excessive credit estimate in ext4_tmpfile()
    - sunrpc: removed redundant procp check
    - SUNRPC: Fix gss_free_in_token_pages()
    - selftests/kcmp: Make the test output consistent and clear
    - selftests/kcmp: remove unused open mode
    - RDMA/IPoIB: Fix format truncation compilation errors
    - netrom: fix possible dead-lock in nr_rt_ioctl()
    - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
    - sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax
    - sched/fair: Allow disabling sched_balance_newidle with
      sched_relax_domain_level
    - greybus: lights: check return of get_channel_from_mode
    - soundwire: cadence/intel: simplify PDI/port mapping
    - soundwire: intel: don't filter out PDI0/1
    - soundwire: cadence_master: improve PDI allocation
    - soundwire: cadence: fix invalid PDI offset
    - dmaengine: idma64: Add check for dma_set_max_s

  linux (5.4.0-189.209) focal; urgency=medium

  * focal/linux: 5.4.0-189.209 -proposed tracker (LP: #2068454)

  * Focal update: v5.4.275 upstream stable release (LP: #2067865)
    - batman-adv: Avoid infinite loop trying to resize local TT
    - Bluetooth: Fix memory leak in hci_req_sync_complete()
    - nouveau: fix function cast warning
    - net: openvswitch: fix unwanted error log on timeout policy probing
    - u64_stats: fix u64_stats_init() for lockdep when used repeatedly in one file
    - geneve: fix header validation in geneve[6]_xmit_skb
    - ipv6: fib: hide unused 'pn' variable
    - ipv4/route: avoid unused-but-set-variable warning
    - ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
    - net/mlx5: Properly link new fs rules into the tree
    - net: ena: Fix potential sign extension issue
    - btrfs: qgroup: correctly model root qgroup rsv in convert
    - drm/client: Fully protect modes[] with dev->mode_config.mutex
    - vhost: Add smp_rmb() in vhost_vq_avail_empty()
    - selftests: timers: Fix abs() warning in posix_timers test
    - x86/apic: Force native_apic_mem_read() to use the MOV instruction
    - btrfs: record delayed inode root in transaction
    - selftests/ftrace: Limit length in subsystem-enable tests
    - kprobes: Fix possible use-after-free issue on kprobe registration
    - Revert "tracing/trigger: Fix to return error if failed to alloc snapshot"
    - netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
    - tun: limit printing rate when illegal packet received by tun dev
    - RDMA/rxe: Fix the problem "mutex_destroy missing"
    - RDMA/mlx5: Fix port number for counter query in multi-port configuration
    - drm: nv04: Fix out of bounds access
    - clk: Remove prepare_lock hold assertion in __clk_release()
    - clk: Mark 'all_lists' as const
    - clk: remove extra empty line
    - clk: Print an info line before disabling unused clocks
    - clk: Initialize struct clk_core kref earlier
    - clk: Get runtime PM before walking tree during disable_unused
    - x86/cpufeatures: Fix dependencies for GFNI, VAES, and VPCLMULQDQ
    - comedi: vmk80xx: fix incomplete endpoint checking
    - serial/pmac_zilog: Remove flawed mitigation for rx irq flood
    - USB: serial: option: add Fibocom FM135-GL variants
    - USB: serial: option: add support for Fibocom FM650/FG650
    - USB: serial: option: add Lonsung U8300/U9300 product
    - USB: serial: option: support Quectel EM060K sub-models
    - USB: serial: option: add Rolling RW101-GL and RW135-GL support
    - USB: serial: option: add Telit FN920C04 rmnet compositions
    - usb: dwc2: host: Fix dereference issue in DDMA completion flow.
    - speakup: Avoid crash on very long word
    - fs: sysfs: Fix reference leak in sysfs_break_active_protection()
    - nouveau: fix instmem race condition around ptr stores
    - nilfs2: fix OOB in nilfs_set_de_type
    - KVM: async_pf: Cleanup kvm_setup_async_pf()
    - arm64: dts: rockchip: fix alphabetical ordering RK3399 puma
    - arm64: dts: rockchip: enable internal pull-up on PCIE_WAKE# for RK3399 Puma
    - arm64: dts: mediatek: mt7622: fix IR nodename
    - arm64: dts: mediatek: mt7622: fix ethernet controller "compatible"
    - arm64: dts: mediatek: mt7622: drop "reset-names" from thermal block
    - arm64: dts: mt2712: add ethernet device node
    - arm64: dts: mediatek: mt2712: fix validation errors
    - ARC: [plat-hsdk]: Remove misplaced interrupt-cells property
    - vxlan: drop packets from invalid src-address
    - mlxsw: core: Unregister EMAD trap using FORWARD action
    - NFC: trf7970a: disable all regulators on removal
    - net: usb: ax88179_178a: stop lying about skb->truesize
    - net: gtp: Fix Use-After-Free in gtp_dellink
    - ipvs: Fix checksumming on GSO of SCTP packets
    - net: openvswitch: Fix Use-After-Free in ovs_ct_exit
    - mlxsw: spectrum_acl_tcam: Fix race during rehash delayed work
    - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update
    - mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
    - mlxsw: spectrum_acl_tcam: Rate limit error message
    - mlxsw: spectrum_acl_tcam: Fix memory leak during rehash
    - mlxsw: spectrum_acl_tcam: Fix warning during rehash
    - mlxsw: spectrum_acl_tcam: Fix incorrect list API usage
    - mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work
    - i40e: Do not use WQ_MEM_RECLAIM flag for workqueue
    - iavf: Fix TC config comparison with existing adapter TC config
    - af_unix: Suppress false-positive lockdep splat for spin_lock() in
      __unix_gc().
    - serial: core: Provide port lock wrappers
    - serial: mxs-auart: add spinlock around changing cts state
    - Revert "crypto: api - Disallow identical driver names"
    - net/mlx5e: Fix a race in command alloc flow
    - tracing: Show size of requested perf buffer
    - tracing: Increase PERF_MAX_TRACE_SIZE to handle Sentinel1 and docker
      together
    - Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
    - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853
    - btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
    - arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
    - drm/amdgpu: Fix leak when GPU memory allocation fails
    - irqchip/gic-v3-its: Prevent double free on error
    - ethernet: Add helper for assigning packet type when dest address does not
      match device address
    - net: b44: set pause params only when interface is up
    - stackdepot: respect __GFP_NOLOCKDEP allocation flag
    - mtd: diskonchip: work around ubsan link failure
    - tcp: Clean up kernel listener's reqsk in inet_twsk_purge()
    - tcp: Fix NEW_SYN_RECV handling in inet_twsk_purge()
    - dmaengine: owl: fix register access functions
    - idma64: Don't try to serve interrupts when device is powered off
    - i2c: smbus: fix NULL function pointer dereference
    - HID