Package "linux"

  linux (5.15.0-170.180) jammy; urgency=medium

  * jammy/linux: 5.15.0-170.180 -proposed tracker (LP: #2137825)

  * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)
    - SAUCE increase socat timeout in gre_gso.sh

  * CVE-2025-40256
    - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that
      were never added

  * CVE-2025-40215
    - xfrm: delete x->tunnel as we delete x

  * CVE-2025-38248
    - bridge: mcast: Fix use-after-free during router port configuration

  * selftests: net: veth: fix compatibility with older ethtool versions
    (LP: #2136734)
    - SAUCE: selftests: net: veth: use short form gro for ethtool -K
    - SAUCE: selftests: net: veth: accept 0 for unsupported combined channels

  * veth.sh from ubuntu_kselftests_net failed on J-5.15 / N-6.8 (with xdp
    attached - gro flag) (LP: #2065369)
    - selftests: net: veth: test the ability to independently manipulate GRO
      and XDP

  * Jammy update: v5.15.196 upstream stable release (LP: #2134182)
    - r8152: add error handling in rtl8152_driver_init
    - jbd2: ensure that all ongoing I/O complete before freeing blocks
    - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already
      running
    - media: s5p-mfc: remove an unused/uninitialized variable
    - media: rc: Directly use ida_free()
    - media: lirc: Fix error handling in lirc_register()
    - blk-crypto: fix missing blktrace bio split events
    - drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in
      functions
    - drm/exynos: exynos7_drm_decon: properly clear channels during bind
    - drm/exynos: exynos7_drm_decon: remove ctx->suspended
    - crypto: rockchip - Fix dma_unmap_sg() nents value
    - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay
    - HID: multitouch: fix sticky fingers
    - dax: skip read lock assertion for read-only filesystems
    - can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()
    - net: dlink: handle dma_map_single() failure properly
    - doc: fix seg6_flowlabel path
    - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H
    - amd-xgbe: Avoid spurious link down messages during interface toggle
    - tcp: fix tcp_tso_should_defer() vs large RTT
    - tg3: prevent use of uninitialized remote_adv and local_adv variables
    - splice, net: Add a splice_eof op to file-ops and socket-ops
    - net: tls: wait for async completion on last message
    - tls: wait for async encrypt in case of error during latter iterations of
      sendmsg
    - tls: always set record_type in tls_process_cmsg
    - tls: don't rely on tx_work during send()
    - net: usb: use eth_hw_addr_set() instead of ether_addr_copy()
    - net: usb: lan78xx: Add error handling to lan78xx_init_mac_address
    - net: usb: lan78xx: fix use of improperly initialized dev->chipid in
      lan78xx_reset
    - riscv: kprobes: Fix probe address validation
    - drm/amd/powerplay: Fix CIK shutdown temperature
    - sched/balancing: Rename newidle_balance() => sched_balance_newidle()
    - sched/fair: Fix pelt lost idle time detection
    - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings
    - PCI/sysfs: Ensure devices are powered for config reads (part 2)
    - exec: Fix incorrect type for ret
    - nios2: ensure that memblock.current_limit is set when setting pfn limits
    - hfs: clear offset and space out of valid records in b-tree node
    - hfs: make proper initalization of struct hfs_find_data
    - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
    - hfs: validate record offset in hfsplus_bmap_alloc
    - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
    - dlm: check for defined force value in dlm_lockspace_release
    - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
    - hfsplus: return EIO when type of hidden directory mismatch in
      hfsplus_fill_super()
    - m68k: bitops: Fix find_*_bit() signatures
    - net: rtnetlink: add helper to extract msg type's kind
    - net: rtnetlink: use BIT for flag values
    - net: netlink: add NLM_F_BULK delete request modifier
    - net: rtnetlink: add bulk delete support flag
    - net: add ndo_fdb_del_bulk
    - net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del
    - rtnetlink: Allow deleting FDB entries in user namespace
    - net: enetc: correct the value of ENETC_RXB_TRUESIZE
    - dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path
    - arm64, mm: avoid always making PTE dirty in pte_mkwrite()
    - sctp: avoid NULL dereference when chunk data buffer is missing
    - net: bonding: fix possible peer notify event loss or dup issue
    - Revert "cpuidle: menu: Avoid discarding useful information"
    - MIPS: Malta: Fix keyboard resource preventing i8042 driver from
      registering
    - ocfs2: clear extent cache after moving/defragmenting extents
    - vsock: fix lock inversion in vsock_assign_transport()
    - net: usb: rtl8150: Fix frame padding
    - net: ravb: Ensure memory write completes before ringing TX doorbell
    - USB: serial: option: add UNISOC UIS7720
    - USB: serial: option: add Quectel RG255C
    - USB: serial: option: add Telit FN920C04 ECM compositions
    - usb/core/quirks: Add Huawei ME906S to wakeup quirk
    - usb: raw-gadget: do not limit transfer length
    - xhci: dbc: enable back DbC in resume if it was enabled before suspend
    - binder: remove "invalid inc weak" check
    - mei: me: add wildcat lake P DID
    - most: usb: Fix use-after-free in hdm_disconnect
    - most: usb: hdm_probe: Fix calling put_device() before device
      initialization
    - serial: 8250_exar: add support for Advantech 2 port card with Device ID
      0x0018
    - arm64: cputype: Add Neoverse-V3AE definitions
    - arm64: errata: Apply workarounds for Neoverse-V3AE
    - s390/cio: Update purge function to unregister the unused subchannels
    - xfs: rename the old_crc variable in xlog_recover_process
    - xfs

  linux (5.15.0-168.178) jammy; urgency=medium

  * jammy/linux: 5.15.0-168.178 -proposed tracker (LP: #2138043)

  * CVE-2025-40019
    - crypto: essiv - Check ssize for decryption and in-place encryption

  * Black screen when booting 5.15.0-160 (on AMD Lucienne / Cezanne / Navi /
    Renoir / Rembrandt) (LP: #2128729)
    - SAUCE: drm/amd/display: Fix incorrect code path taken in
      amdgpu_dm_atomic_check()

  * CVE-2025-38561
    - ksmbd: fix Preauh_HashValue race condition

 -- Manuel Diewald <email address hidden> Fri, 09 Jan 2026 16:59:15 +0100

  linux (5.15.0-164.174) jammy; urgency=medium

  * jammy/linux: 5.15.0-164.174 -proposed tracker (LP: #2131429)

  * CVE-2024-53218
    - f2fs: fix race in concurrent f2fs_stop_gc_thread

  * CVE-2024-47691
    - f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

  * CVE-2025-39993
    - media: rc: fix races with imon_disconnect()

  * i40e driver is triggering VF resets on every link state change
    (LP: #2130552)
    - i40e: avoid redundant VF link state updates

  * CVE-2025-40018
    - ipvs: Defer ip_vs_ftp unregister during netns cleanup

  * CVE-2025-21855
    - ibmvnic: Don't reference skb after sending to VIOS

  * CVE-2024-50067
    - uprobes: encapsulate preparation of uprobe args buffer
    - uprobe: avoid out-of-bounds memory access of fetching args

  * CVE-2024-53090
    - afs: Fix lock recursion

  * CVE-2025-39964
    - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
    - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

  * CVE-2022-49390
    - macsec: fix UAF bug for real_dev

 -- Manuel Diewald <email address hidden> Fri, 14 Nov 2025 17:49:39 +0100

  linux (5.15.0-163.173) jammy; urgency=medium

  * jammy/linux: 5.15.0-163.173 -proposed tracker (LP: #2127867)

  * Add pvpanic kernel modules to linux-modules (LP: #2126659)
    - [Packaging] Add pvpanic kernel modules to linux-modules

  * Ubuntu 24.04.2: error in audit_log_object_context keep printing in the
    kernel and console (LP: #2123815)
    - SAUCE: fix: apparmor4.0.0 [26/90]: LSM stacking v39: Audit: Add record
      for multiple object contexts

  * Hung task when heavily accessing kernfs files (LP: #2125142)
    - kernfs: switch global kernfs_rwsem lock to per-fs lock
    - kernfs: dont take i_lock on inode attr read
    - kernfs: move struct kernfs_root out of the public view.
    - kernfs: Introduce separate rwsem to protect inode attributes.
    - kernfs: Use a per-fs rwsem to protect per-fs list of kernfs_super_info.
    - kernfs: change kernfs_rename_lock into a read-write lock.
    - kernfs: prevent early freeing of root node
    - kernfs: remove redundant kernfs_rwsem declaration.
    - kernfs: fix NULL dereferencing in kernfs_remove
    - kernfs: fix potential NULL dereference in __kernfs_remove
    - kernfs: fix missing kernfs_iattr_rwsem locking

  * ensure mptcp keepalives are honored when set (LP: #2125444)
    - mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN

  * UBUNTU: fan: fail to check kmalloc() return could cause a NULL pointer
    dereference (LP: #2125053)
    - SAUCE: fan: vxlan: check memory allocation for map

  * Jammy update: v5.15.193 upstream stable release (LP: #2127112)
    - [Config] enable CONFIG_MITIGATION_VMSCAPE
    - Linux 5.15.193

  * Jammy update: v5.15.192 upstream stable release (LP: #2126782)
    - bpf: Add cookie object to bpf maps
    - bpf: Move cgroup iterator helpers to bpf.h
    - bpf: Move bpf map owner out of common struct
    - bpf: Fix oob access in cgroup local storage
    - drm/amd/display: Don't warn when missing DCE encoder caps
    - fs: writeback: fix use-after-free in __mark_inode_dirty()
    - tee: fix NULL pointer dereference in tee_shm_put
    - arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro
    - wifi: cfg80211: fix use-after-free in cmp_bss()
    - netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in()
      after confirm
    - netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
    - Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
    - xirc2ps_cs: fix register access when enabling FullDuplex
    - mISDN: Fix memory leak in dsp_hwec_enable()
    - icmp: fix icmp_ndo_send address translation for reply direction
    - i40e: Fix potential invalid access when MAC list is empty
    - net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets
    - wifi: cw1200: cap SSID length in cw1200_do_join()
    - wifi: libertas: cap SSID len in lbs_associate()
    - net: thunder_bgx: add a missing of_node_put
    - net: thunder_bgx: decrement cleanup index before use
    - ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
    - ax25: properly unshare skbs in ax25_kiss_rcv()
    - net: atm: fix memory leak in atm_register_sysfs when device_register
      fail
    - ppp: fix memory leak in pad_compress_skb
    - ptp: Add generic PTP is_sync() function
    - net: phy: mscc: Fix memory leak when using one step timestamping
    - phy: mscc: Stop taking ts_lock for tx_queue and use its own lock
    - ALSA: usb-audio: Add mute TLV for playback volumes on some devices
    - pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
    - x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and
      arch_sync_kernel_mappings()
    - mm: move page table sync declarations to linux/pgtable.h
    - wifi: mwifiex: Initialize the chan_stats array to zero
    - drm/amdgpu: drop hw access in non-DC audio fini
    - scsi: lpfc: Fix buffer free/clear order in deferred receive path
    - batman-adv: fix OOB read/write in network-coding decode
    - e1000e: fix heap overflow in e1000_set_eeprom
    - mm/khugepaged: fix ->anon_vma race
    - cpufreq/sched: Explicitly synchronize limits_changed flag handling
    - KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer
    - spi: tegra114: Remove unnecessary NULL-pointer checks
    - spi: tegra114: Don't fail set_cs_timing when delays are zero
    - iio: chemical: pms7003: use aligned_s64 for timestamp
    - iio: light: opt3001: fix deadlock due to concurrent flag access
    - gpio: pca953x: fix IRQ storm on system wake up
    - dma-buf: insert memory barrier before updating num_fences
    - dmaengine: mediatek: Fix a possible deadlock error in
      mtk_cqdma_tx_status()
    - net: dsa: microchip: update tag_ksz masks for KSZ9477 family
    - net: dsa: microchip: linearize skb for tail-tagging switches
    - vmxnet3: update MTU after device quiesce
    - arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs
    - randstruct: gcc-plugin: Remove bogus void member
    - randstruct: gcc-plugin: Fix attribute addition
    - mm/slub: avoid accessing metadata when pointer is invalid in
      object_err()
    - ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model
    - pcmcia: Add error handling for add_interval() in do_validate_mem()
    - spi: spi-fsl-lpspi: Fix transmissions when using CONT
    - spi: spi-fsl-lpspi: Set correct chip-select polarity bit
    - spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort
    - drm/bridge: ti-sn65dsi86: fix REFCLK setting
    - perf bpf-event: Fix use-after-free in synthesis
    - clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
    - spi: tegra114: Use value to check for invalid delays
    - dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status()
    - Linux 5.15.192

  * Jammy update: v5.15.191 upstream stable release (LP: #2125626)
    - pinctrl: STMFX: add missing HAS_IOMEM dependency
    - ftrace: Fix potential warning in trace_printk_seq during ftrace_dump
    - scsi: core: sysfs: Correct sy

  linux (5.15.0-161.171) jammy; urgency=medium

  * jammy/linux: 5.15.0-161.171 -proposed tracker (LP: #2127389)

  * VMSCAPE CVE-2025-40300 (LP: #2124105) // CVE-2025-40300
    - Documentation/hw-vuln: Add VMSCAPE documentation
    - x86/vmscape: Enumerate VMSCAPE bug
    - x86/vmscape: Add conditional IBPB mitigation
    - x86/vmscape: Enable the mitigation
    - x86/bugs: Move cpu_bugs_smt_update() down
    - x86/vmscape: Warn when STIBP is disabled with SMT
    - x86/vmscape: Add old Intel CPUs to affected list

  * VMSCAPE CVE-2025-40300 (LP: #2124105)
    - [Config] Enable MITIGATION_VMSCAPE config

 -- Manuel Diewald <email address hidden> Fri, 10 Oct 2025 20:13:58 +0200