Ubuntu
linux package

UAF on CAN BCM bcm_rx_handler

Bug #1931855 reported by Thadeu Lima de Souza Cascardo on 2021-06-14

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

[Impact]
bcm_rx_handler may run concurrently to can_rx_unregister on bcm_release, which will, then, free the bcm_op that is used by bcm_rx_handler, leading to a system crash.

[Potential regression]
CAN BCM sockets may stop working as expected.

[Test case]
Programs from can-utils were run, some of them concurrently.

See original description

Tags:

CVE References

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-06-22:

Download full text (65.9 KiB)

This bug was fixed in the package linux - 5.11.0-22.23

---------------
linux (5.11.0-22.23) hirsute; urgency=medium

* UAF on CAN J1939 j1939_can_recv (LP: #1932209)
- SAUCE: can: j1939: delay release of j1939_priv after synchronize_rcu

* UAF on CAN BCM bcm_rx_handler (LP: #1931855)
- SAUCE: can: bcm: delay release of struct bcm_op after synchronize_rcu

linux (5.11.0-20.21) hirsute; urgency=medium

* hirsute/linux: 5.11.0-20.21 -proposed tracker (LP: #1930854)

* ath11k WIFI not working in proposed kernel 5.11.0-19-generic (LP: #1930637)
- bus: mhi: core: Download AMSS image from appropriate function

linux (5.11.0-19.20) hirsute; urgency=medium

* hirsute/linux: 5.11.0-19.20 -proposed tracker (LP: #1930075)

* Packaging resync (LP: #1786013)
- update dkms package versions

  * CVE-2021-33200
    - bpf: Wrap aux data inside bpf_sanitize_info container
    - bpf: Fix mask direction swap upon off reg sign change
    - bpf: No need to simulate speculative domain for immediates

* AX201 BT will cause system could not enter S0i3 (LP: #1928047)
- SAUCE: drm/i915: Tweaked Wa_14010685332 for all PCHs

  * CVE-2021-3490
    - SAUCE: Revert "UBUNTU: SAUCE: bpf: verifier: fix ALU32 bounds tracking with
      bitwise ops"
    - gpf: Fix alu32 const subreg bound tracking on bitwise operations

  * CVE-2021-3489
    - SAUCE: Revert "UBUNTU: SAUCE: bpf: prevent writable memory-mapping of read-
      only ringbuf pages"
    - bpf: Prevent writable memory-mapping of read-only ringbuf pages

* Select correct boot VGA when BIOS doesn't do it properly (LP: #1929217)
- vgaarb: Use ACPI HID name to find integrated GPU

  * Realtek USB hubs in Dell WD19SC/DC/TB fail to work after exiting s2idle
    (LP: #1928242)
    - USB: Verify the port status when timeout happens during port suspend

  * CVE-2020-26145
    - ath10k: drop fragments with multicast DA for SDIO
    - ath10k: add CCMP PN replay protection for fragmented frames for PCIe
    - ath10k: drop fragments with multicast DA for PCIe

* CVE-2020-26141
- ath10k: Fix TKIP Michael MIC verification for PCIe

* CVE-2020-24587
- ath11k: Clear the fragment cache during key install

  * CVE-2020-24588
    - mac80211: properly handle A-MSDUs that start with an RFC 1042 header
    - cfg80211: mitigate A-MSDU aggregation attacks
    - mac80211: drop A-MSDUs on old ciphers
    - ath10k: drop MPDU which has discard flag set by firmware for SDIO

* CVE-2020-26139
- mac80211: do not accept/forward invalid EAPOL frames

* CVE-2020-24586 // CVE-2020-24587 // CVE-2020-24587 for such cases.
- mac80211: extend protection against mixed key and fragment cache attacks

  * CVE-2020-24586 // CVE-2020-24587
    - mac80211: prevent mixed key and fragment cache attacks
    - mac80211: add fragment cache to sta_info
    - mac80211: check defrag PN against current frame
    - mac80211: prevent attacks on TKIP/WEP as well

* CVE-2020-26147
- mac80211: assure all fragments are encrypted

  * raid10: Block discard is very slow, causing severe delays for mkfs and
    fstrim operations (LP: #1896578)
    - md: add md_submit_discard_bio() for submitting discard bio
    - ...

This bug was fixed in the package linux - 5.11.0-22.23

---------------
linux (5.11.0-22.23) hirsute; urgency=medium

* UAF on CAN J1939 j1939_can_recv (LP: #1932209)
    - SAUCE: can: j1939: delay release of j1939_priv after synchronize_rcu

* UAF on CAN BCM bcm_rx_handler (LP: #1931855)
    - SAUCE: can: bcm: delay release of struct bcm_op after synchronize_rcu

linux (5.11.0-20.21) hirsute; urgency=medium

* hirsute/linux: 5.11.0-20.21 -proposed tracker (LP: #1930854)

* ath11k WIFI not working in proposed kernel 5.11.0-19-generic (LP: #1930637)
    - bus: mhi: core: Download AMSS image from appropriate function

linux (5.11.0-19.20) hirsute; urgency=medium

* hirsute/linux: 5.11.0-19.20 -proposed tracker (LP: #1930075)

* Packaging resync (LP: #1786013)
    - update dkms package versions

* AX201 BT will cause system could not enter S0i3 (LP: #1928047)
    - SAUCE: drm/i915: Tweaked Wa_14010685332 for all PCHs

* CVE-2021-3490
    - SAUCE: Revert "UBUNTU: SAUCE: bpf: verifier: fix ALU32 bounds tracking with
      bitwise ops"
    - gpf: Fix alu32 const subreg bound tracking on bitwise operations

* CVE-2021-3489
    - SAUCE: Revert "UBUNTU: SAUCE: bpf: prevent writable memory-mapping of read-
      only ringbuf pages"
    - bpf: Prevent writable memory-mapping of read-only ringbuf pages

* Select correct boot VGA when BIOS doesn't do it properly (LP: #1929217)
    - vgaarb: Use ACPI HID name to find integrated GPU

* Realtek USB hubs in Dell WD19SC/DC/TB fail to work after exiting s2idle
    (LP: #1928242)
    - USB: Verify the port status when timeout happens during port suspend

* CVE-2020-26141
    - ath10k: Fix TKIP Michael MIC verification for PCIe

* CVE-2020-24587
    - ath11k: Clear the fragment cache during key install

* CVE-2020-26139
    - mac80211: do not accept/forward invalid EAPOL frames

* CVE-2020-24586 // CVE-2020-24587 // CVE-2020-24587 for such cases.
    - mac80211: extend protection against mixed key and fragment cache attacks

* CVE-2020-26147
    - mac80211: assure all fragments are encrypted

* raid10: Block discard is very slow, causing severe delays for mkfs and
    fstrim operations (LP: #1896578)
    - md: add md_submit_discard_bio() for submitting discard bio
    - md/raid10: extend r10bio devs to raid disks
    - md/raid10: pull the code that wait for blocked dev into one function
    - md/raid10: improve raid10 discard request
    - md/raid10: improve discard request for far layout
    - dm raid: remove unnecessary discard limits for raid0 and raid10

* [SRU][OEM-5.10/H] Fix typec output on AMD Cezanne GPU (LP: #1929646)
    - drm/amd/display: use max lb for latency hiding

* kvm: properly tear down PV features on hibernate (LP: #1920944)
    - x86/kvm: Fix pr_info() for async PF setup/teardown
    - x86/kvm: Teardown PV features on boot CPU as well
    - x86/kvm: Disable kvmclock on all CPUs on shutdown
    - x86/kvm: Disable all PV features on crash
    - x86/kvm: Unify kvm_pv_guest_cpu_reboot() with kvm_guest_cpu_offline()

* Add support for AMD wireless button (LP: #1928820)
    - platform/x86: hp-wireless: add AMD's hardware id to the supported list

* Can't detect intel wifi 6235 (LP: #1920180)
    - SAUCE: iwlwifi: add new pci id for 6235

* Speed up resume time on HP laptops (LP: #1929048)
    - platform/x86: hp_accel: Avoid invoking _INI to speed up resume

* Fix kernel panic on Intel Bluetooth (LP: #1928838)
    - Bluetooth: Shutdown controller after workqueues are flushed or cancelled

* build module CONFIG_SND_SOC_INTEL_SOUNDWIRE_SOF_MACH=m for 5.11,  5.13-rc2
    and later (LP: #1921632)
    - [Config] enable soundwire audio mach driver

* [SRU] Patch for flicker and glitching on common LCD display panels, intel
    framebuffer (LP: #1925685)
    - drm/i915: Try to use fast+narrow link on eDP again and fall back to the old
      max strategy on failure
    - drm/i915/dp: Use slow and wide link training for everything

* Fix screen flickering when two 4K 60Hz monitors are connected to AMD Oland
    GFX (LP: #1928361)
    - drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors
      are connected

* Display abnormal on the TGL+4k panel machines (LP: #1922885)
    - drm/i915/display: Do not allow DC3CO if PSR SF is enabled
    - drm/i915/display/psr: Disable DC3CO when the PSR2 is used

* Hirsute update: v5.11.21 upstream stable release (LP: #1929455)
    - Bluetooth: verify AMP hci_chan before amp_destroy
    - bluetooth: eliminate the potential race condition when removing the HCI
      controller
    - net/nfc: fix use-after-free llcp_sock_bind/connect
    - Revert "USB: cdc-acm: fix rounding error in TIOCSSERIAL"
    - usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode()
    - tty: moxa: fix TIOCSSERIAL jiffies conversions
    - tty: amiserial: fix TIOCSSERIAL permission check
    - USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions
    - staging: greybus: uart: fix TIOCSSERIAL jiffies conversions
    - USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check
    - staging: fwserial: fix TIOCSSERIAL jiffies conversions
    - tty: moxa: fix TIOCSSERIAL permission check
    - staging: fwserial: fix TIOCSSERIAL permission check
    - drm: bridge: fix LONTIUM use of mipi_dsi_() functions
    - usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply
    - usb: typec: tcpm: Address incorrect values of tcpm psy for pps supply
    - usb: typec: tcpm: update power supply once partner accepts
    - usb: xhci-mtk: remove or operator for setting schedule parameters
    - usb: xhci-mtk: improve bandwidth scheduling with TT
    - ASoC: samsung: tm2_wm5110: check of of_parse return value
    - ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function
    - ASoC: tlv320aic32x4: Register clocks before registering component
    - ASoC: tlv320aic32x4: Increase maximum register in regmap
    - MIPS: pci-mt7620: fix PLL lock check
    - MIPS: pci-rt2880: fix slot 0 configuration
    - FDDI: defxx: Bail out gracefully with unassigned PCI resource for CSR
    - PCI: Allow VPD access for QLogic ISP2722
    - KVM: x86: Defer the MMU unload to the normal path on an global INVPCID
    - PCI: keystone: Let AM65 use the pci_ops defined in pcie-designware-host.c
    - PM / devfreq: Unlock mutex and free devfreq struct in error path
    - soc/tegra: regulators: Fix locking up when voltage-spread is out of range
    - iio: inv_mpu6050: Fully validate gyro and accel scale writes
    - iio: sx9310: Fix write_.._debounce()
    - iio:accel:adis16201: Fix wrong axis assignment that prevents loading
    - iio:adc:ad7476: Fix remove handling
    - iio: sx9310: Fix access to variable DT array
    - sc16is7xx: Defer probe if device read fails
    - phy: cadence: Sierra: Fix PHY power_on sequence
    - misc: lis3lv02d: Fix false-positive WARN on various HP models
    - phy: ti: j721e-wiz: Invoke wiz_init() before of_platform_device_create()
    - misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct
    - misc: vmw_vmci: explicitly initialize vmci_datagram payload
    - selinux: add proper NULL termination to the secclass_map permissions
    - x86, sched: Treat Intel SNC topology as default, COD as exception
    - async_xor: increase src_offs when dropping destination page
    - md/bitmap: wait for external bitmap writes to complete during tear down
    - md-cluster: fix use-after-free issue when removing rdev
    - md: split mddev_find
    - md: factor out a mddev_find_locked helper from mddev_find
    - md: md_open returns -EBUSY when entering racing area
    - md: Fix missing unused status line of /proc/mdstat
    - MIPS: generic: Update node names to avoid unit addresses
    - mt76: mt7615: use ieee80211_free_txskb() in mt7615_tx_token_put()
    - ipw2x00: potential buffer overflow in libipw_wx_set_encodeext()
    - cfg80211: scan: drop entry from hidden_list on overflow
    - rtw88: Fix array overrun in rtw_get_tx_power_params()
    - mt76: fix potential DMA mapping leak
    - FDDI: defxx: Make MMIO the configuration default except for EISA
    - drm/qxl: use ttm bo priorities
    - drm/ingenic: Fix non-OSD mode
    - drm/panfrost: Clear MMU irqs before handling the fault
    - drm/panfrost: Don't try to map pages that are already mapped
    - drm/radeon: fix copy of uninitialized variable back to userspace
    - drm/dp_mst: Revise broadcast msg lct & lcr
    - drm/dp_mst: Set CLEAR_PAYLOAD_ID_TABLE as broadcast
    - drm: bridge: fix ANX7625 use of mipi_dsi_() functions
    - drm: bridge/panel: Cleanup connector on bridge detach
    - drm/amd/display: Reject non-zero src_y and src_x for video planes
    - drm/amdgpu: fix concurrent VM flushes on Vega/Navi v2
    - drm/amdgpu: add new MC firmware for Polaris12 32bit ASIC
    - drm/amdgpu: Init GFX10_ADDR_CONFIG for VCN v3 in DPG mode.
    - ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries
    - ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries
    - ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 HP quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries
    - ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries
    - ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries
    - ALSA: hda/realtek: Re-order ALC662 quirk table entries
    - ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices
    - ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable
    - ALSA: hda/realtek: Fix speaker amp on HP Envy AiO 32
    - KVM: s390: VSIE: correctly handle MVPG when in VSIE
    - KVM: s390: split kvm_s390_logical_to_effective
    - KVM: s390: fix guarded storage control register handling
    - s390: fix detection of vector enhancements facility 1 vs. vector packed
      decimal facility
    - KVM: s390: VSIE: fix MVPG handling for prefixing and MSO
    - KVM: s390: split kvm_s390_real_to_abs
    - KVM: s390: extend kvm_s390_shadow_fault to return entry pointer
    - KVM: x86/mmu: Alloc page for PDPTEs when shadowing 32-bit NPT with 64-bit
    - KVM: X86: Fix failure to boost kernel lock holder candidate in SEV-ES guests
    - KVM: x86: Remove emulator's broken checks on CR0/CR3/CR4 loads
    - KVM: nSVM: Set the shadow root level to the TDP level for nested NPT
    - KVM: SVM: Don't strip the C-bit from CR2 on #PF interception
    - KVM: SVM: Use online_vcpus, not created_vcpus, to iterate over vCPUs
    - KVM: SVM: Do not set sev->es_active until KVM_SEV_ES_INIT completes
    - KVM: SVM: Do not allow SEV/SEV-ES initialization after vCPUs are created
    - KVM: SVM: Inject #GP on guest MSR_TSC_AUX accesses if RDTSCP unsupported
    - KVM: nVMX: Defer the MMU reload to the normal path on an EPTP switch
    - KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit
    - KVM: nVMX: Truncate base/index GPR value on address calc in !64-bit
    - KVM: arm/arm64: Fix KVM_VGIC_V3_ADDR_TYPE_REDIST read
    - KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU
    - KVM: Stop looking for coalesced MMIO zones if the bus is destroyed
    - KVM: arm64: Fully zero the vcpu state on reset
    - KVM: arm64: Fix KVM_VGIC_V3_ADDR_TYPE_REDIST_REGION read
    - KVM: selftests: Sync data verify of dirty logging with guest sync
    - KVM: selftests: Always run vCPU thread with blocked SIG_IPI
    - Revert "drivers/net/wan/hdlc_fr: Fix a double free in pvc_xmit"
    - Revert "i3c master: fix missing destroy_workqueue() on error in
      i3c_master_register"
    - mfd: stmpe: Revert "Constify static struct resource"
    - ovl: fix missing revert_creds() on error path
    - usb: gadget: pch_udc: Revert d3cb25a12138 completely
    - Revert "tools/power turbostat: adjust for temperature offset"
    - firmware: xilinx: Fix dereferencing freed memory
    - firmware: xilinx: Remove zynqmp_pm_get_eemi_ops() in
      IS_REACHABLE(CONFIG_ZYNQMP_FIRMWARE)
    - x86/vdso: Use proper modifier for len's format specifier in extract()
    - fpga: fpga-mgr: xilinx-spi: fix error messages on -EPROBE_DEFER
    - crypto: keembay-ocs-aes - Fix error return code in kmb_ocs_aes_probe()
    - crypto: sun8i-ss - fix result memory leak on error path
    - memory: gpmc: fix out of bounds read and dereference on gpmc_cs[]
    - ARM: dts: exynos: correct fuel gauge interrupt trigger level on GT-I9100
    - ARM: dts: exynos: correct fuel gauge interrupt trigger level on P4 Note
      family
    - ARM: dts: exynos: correct fuel gauge interrupt trigger level on Midas family
    - ARM: dts: exynos: correct MUIC interrupt trigger level on Midas family
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Midas family
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid X/U3 family
    - ARM: dts: exynos: correct PMIC interrupt trigger level on P4 Note family
    - ARM: dts: exynos: correct PMIC interrupt trigger level on SMDK5250
    - ARM: dts: exynos: correct PMIC interrupt trigger level on Snow
    - ARM: dts: s5pv210: correct fuel gauge interrupt trigger level on Fascinate
      family
    - ARM: dts: renesas: Add mmc aliases into R-Car Gen2 board dts files
    - arm64: dts: renesas: Add mmc aliases into board dts files
    - bus: ti-sysc: Fix initializing module_pa for modules without sysc register
    - x86/platform/uv: Set section block size for hubless architectures
    - serial: stm32: fix code cleaning warnings and checks
    - serial: stm32: add "_usart" prefix in functions name
    - serial: stm32: fix probe and remove order for dma
    - serial: stm32: Use of_device_get_match_data()
    - serial: stm32: fix startup by enabling usart for reception
    - serial: stm32: fix incorrect characters on console
    - serial: stm32: fix TX and RX FIFO thresholds
    - serial: stm32: fix a deadlock condition with wakeup event
    - serial: stm32: fix wake-up flag handling
    - serial: stm32: fix a deadlock in set_termios
    - serial: liteuart: fix return value check in liteuart_probe()
    - serial: stm32: fix tx dma completion, release channel
    - serial: stm32: call stm32_transmit_chars locked
    - serial: stm32: fix FIFO flush in startup and set_termios
    - serial: stm32: add FIFO flush when port is closed
    - serial: stm32: fix tx_empty condition
    - usb: typec: tcpm: Handle vbus shutoff when in source mode
    - usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS
    - usb: typec: tps6598x: Fix return value check in tps6598x_probe()
    - usb: typec: stusb160x: fix return value check in stusb160x_probe()
    - mfd: intel_pmt: Fix nuisance messages and handling of disabled capabilities
    - regmap: set debugfs_name to NULL after it is freed
    - spi: rockchip: avoid objtool warning
    - mtd: rawnand: fsmc: Fix error code in fsmc_nand_probe()
    - mtd: rawnand: brcmnand: fix OOB R/W with Hamming ECC
    - mtd: Handle possible -EPROBE_DEFER from parse_mtd_partitions()
    - mtd: rawnand: qcom: Return actual error code instead of -ENODEV
    - mtd: don't lock when recursively deleting partitions
    - mtd: maps: fix error return code of physmap_flash_remove()
    - ARM: dts: stm32: fix usart 2 & 3 pinconf to wake up with flow control
    - arm64: dts: ti: k3-j721e-main: Update the speed modes supported and their
      itap delay values for MMCSD subsystems
    - iio: adis16480: fix pps mode sampling frequency math
    - arm64: dts: qcom: sc7180: trogdor: Fix trip point config of charger thermal
      zone
    - arm64: dts: qcom: sm8250: Fix level triggered PMU interrupt polarity
    - arm64: dts: qcom: sm8250: Fix timer interrupt to specify EL2 physical timer
    - arm64: dts: qcom: sc7180: Avoid glitching SPI CS at bootup on trogdor
    - arm64: dts: qcom: sdm845: fix number of pins in 'gpio-ranges'
    - arm64: dts: qcom: sm8150: fix number of pins in 'gpio-ranges'
    - arm64: dts: qcom: sm8250: fix number of pins in 'gpio-ranges'
    - arm64: dts: qcom: db845c: fix correct powerdown pin for WSA881x
    - crypto: sun8i-ss - Fix memory leak of object d when dma_iv fails to map
    - spi: stm32: drop devres version of spi_register_master
    - regulator: bd9576: Fix return from bd957x_probe()
    - arm64: dts: renesas: r8a77980: Fix vin4-7 endpoint binding
    - selftests/x86: Add a missing .note.GNU-stack section to thunks_32.S
    - spi: stm32: Fix use-after-free on unbind
    - Drivers: hv: vmbus: Drop error message when 'No request id available'
    - x86/microcode: Check for offline CPUs before requesting new microcode
    - devtmpfs: fix placement of complete() call
    - usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits()
    - usb: gadget: pch_udc: Check if driver is present before calling ->setup()
    - usb: gadget: pch_udc: Check for DMA mapping error
    - usb: gadget: pch_udc: Initialize device pointer before use
    - usb: gadget: pch_udc: Provide a GPIO line used on Intel Minnowboard (v1)
    - crypto: ccp - fix command queuing to TEE ring buffer
    - crypto: qat - don't release uninitialized resources
    - crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init
    - fotg210-udc: Fix DMA on EP0 for length > max packet size
    - fotg210-udc: Fix EP0 IN requests bigger than two packets
    - fotg210-udc: Remove a dubious condition leading to fotg210_done
    - fotg210-udc: Mask GRP2 interrupts we don't handle
    - fotg210-udc: Don't DMA more than the buffer can take
    - fotg210-udc: Complete OUT requests on short packets
    - usb: gadget: s3c: Fix incorrect resources releasing
    - usb: gadget: s3c: Fix the error handling path in 's3c2410_udc_probe()'
    - dt-bindings: serial: stm32: Use 'type: object' instead of false for
      'additionalProperties'
    - mtd: require write permissions for locking and badblock ioctls
    - arm64: dts: renesas: r8a779a0: Fix PMU interrupt
    - arm64: dts: mt8183: Add gce client reg for display subcomponents
    - arm64: dts: mt8173: fix wrong power-domain phandle of pmic
    - bus: qcom: Put child node before return
    - soundwire: bus: Fix device found flag correctly
    - phy: ti: j721e-wiz: Delete "clk_div_sel" clk provider during cleanup
    - phy: ralink: phy-mt7621-pci: fix XTAL bitmask
    - phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y,
      unconditionally
    - phy: ralink: phy-mt7621-pci: fix return value check in
      mt7621_pci_phy_probe()
    - phy: ingenic: Fix a typo in ingenic_usb_phy_probe()
    - arm64: dts: mediatek: fix reset GPIO level on pumpkin
    - NFSv4.2: fix copy stateid copying for the async copy
    - crypto: poly1305 - fix poly1305_core_setkey() declaration
    - crypto: qat - fix error path in adf_isr_resource_alloc()
    - usb: gadget: aspeed: fix dma map failure
    - USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR()
    - drivers: nvmem: Fix voltage settings for QTI qfprom-efuse
    - driver core: platform: Declare early_platform_cleanup() prototype
    - ARM: dts: qcom: msm8974-lge-nexus5: correct fuel gauge interrupt trigger
      level
    - ARM: dts: qcom: msm8974-samsung-klte: correct fuel gauge interrupt trigger
      level
    - memory: pl353: fix mask of ECC page_size config register
    - soundwire: stream: fix memory leak in stream config error path
    - m68k: mvme147,mvme16x: Don't wipe PCC timer config bits
    - firmware: qcom_scm: Make __qcom_scm_is_call_available() return bool
    - firmware: qcom_scm: Reduce locking section for __get_convention()
    - firmware: qcom_scm: Workaround lack of "is available" call on SC7180
    - iio: adc: Kconfig: make AD9467 depend on ADI_AXI_ADC symbol
    - [Config] updateconfigs for AD9467
    - mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init
    - irqchip/gic-v3: Fix OF_BAD_ADDR error handling
    - staging: comedi: tests: ni_routes_test: Fix compilation error
    - staging: rtl8192u: Fix potential infinite loop
    - staging: fwserial: fix TIOCSSERIAL implementation
    - staging: fwserial: fix TIOCGSERIAL implementation
    - staging: greybus: uart: fix unprivileged TIOCCSERIAL
    - platform/x86: dell-wmi-sysman: Make init_bios_attributes() ACPI object
      parsing more robust
    - soc: qcom: pdr: Fix error return code in pdr_register_listener
    - PM / devfreq: Use more accurate returned new_freq as resume_freq
    - clocksource/drivers/timer-ti-dm: Fix posted mode status check order
    - clocksource/drivers/timer-ti-dm: Add missing set_state_oneshot_stopped
    - clocksource/drivers/ingenic_ost: Fix return value check in
      ingenic_ost_probe()
    - spi: Fix use-after-free with devm_spi_alloc_*
    - spi: fsl: add missing iounmap() on error in of_fsl_spi_probe()
    - soc: qcom: mdt_loader: Validate that p_filesz < p_memsz
    - soc: qcom: mdt_loader: Detect truncated read of segments
    - PM: runtime: Replace inline function pm_runtime_callbacks_present()
    - cpuidle: Fix ARM_QCOM_SPM_CPUIDLE configuration
    - ACPI: CPPC: Replace cppc_attr with kobj_attribute
    - crypto: allwinner - add missing CRYPTO_ prefix
    - crypto: sun8i-ss - Fix memory leak of pad
    - crypto: sa2ul - Fix memory leak of rxd
    - crypto: qat - Fix a double free in adf_create_ring
    - cpufreq: armada-37xx: Fix setting TBG parent for load levels
    - clk: mvebu: armada-37xx-periph: remove .set_parent method for CPU PM clock
    - cpufreq: armada-37xx: Fix the AVS value for load L1
    - clk: mvebu: armada-37xx-periph: Fix switching CPU freq from 250 Mhz to 1 GHz
    - clk: mvebu: armada-37xx-periph: Fix workaround for switching from L1 to L0
    - cpufreq: armada-37xx: Fix driver cleanup when registration failed
    - cpufreq: armada-37xx: Fix determining base CPU frequency
    - spi: spi-zynqmp-gqspi: use wait_for_completion_timeout to make
      zynqmp_qspi_exec_op not interruptible
    - spi: spi-zynqmp-gqspi: add mutex locking for exec_op
    - spi: spi-zynqmp-gqspi: transmit dummy circles by using the controller's
      internal functionality
    - spi: spi-zynqmp-gqspi: fix incorrect operating mode in zynqmp_qspi_read_op
    - spi: fsl-lpspi: Fix PM reference leak in lpspi_prepare_xfer_hardware()
    - usb: gadget: r8a66597: Add missing null check on return from
      platform_get_resource
    - USB: cdc-acm: fix unprivileged TIOCCSERIAL
    - USB: cdc-acm: fix TIOCGSERIAL implementation
    - tty: fix return value for unsupported ioctls
    - tty: fix return value for unsupported termiox ioctls
    - serial: core: return early on unsupported ioctls
    - firmware: qcom-scm: Fix QCOM_SCM configuration
    - node: fix device cleanups in error handling code
    - crypto: chelsio - Read rxchannel-id from firmware
    - usbip: vudc: fix missing unlock on error in usbip_sockfd_store()
    - m68k: Add missing mmap_read_lock() to sys_cacheflush()
    - spi: spi-zynqmp-gqspi: Fix missing unlock on error in zynqmp_qspi_exec_op()
    - memory: renesas-rpc-if: fix possible NULL pointer dereference of resource
    - memory: samsung: exynos5422-dmc: handle clk_set_parent() failure
    - security: keys: trusted: fix TPM2 authorizations
    - platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with
      critclk_systems DMI table
    - ARM: dts: aspeed: Rainier: Fix humidity sensor bus address
    - Drivers: hv: vmbus: Use after free in __vmbus_open()
    - spi: spi-zynqmp-gqspi: fix clk_enable/disable imbalance issue
    - spi: spi-zynqmp-gqspi: fix hang issue when suspend/resume
    - spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op
    - spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails
    - x86/platform/uv: Fix !KEXEC build failure
    - hwmon: (pmbus/pxe1610) don't bail out when not all pages are active
    - PM: hibernate: x86: Use crc32 instead of md5 for hibernation e820 integrity
      check
    - usb: dwc2: Fix host mode hibernation exit with remote wakeup flow.
    - usb: dwc2: Fix hibernation between host and device modes.
    - ttyprintk: Add TTY hangup callback.
    - serial: omap: don't disable rs485 if rts gpio is missing
    - serial: omap: fix rs485 half-duplex filtering
    - xen-blkback: fix compatibility bug with single page rings
    - soc: aspeed: fix a ternary sign expansion bug
    - drm/tilcdc: send vblank event when disabling crtc
    - drm/stm: Fix bus_flags handling
    - drm/amd/display: Fix off by one in hdmi_14_process_transaction()
    - drm/mcde/panel: Inverse misunderstood flag
    - scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb()
    - sched/fair: Fix shift-out-of-bounds in load_balance()
    - printk: limit second loop of syslog_print_all
    - afs: Fix updating of i_mode due to 3rd party change
    - rcu: Remove spurious instrumentation_end() in rcu_nmi_enter()
    - media: vivid: fix assignment of dev->fbuf_out_flags
    - media: saa7134: use sg_dma_len when building pgtable
    - media: saa7146: use sg_dma_len when building pgtable
    - media: omap4iss: return error code when omap4iss_get() failed
    - media: rkisp1: rsz: crash fix when setting src format
    - media: aspeed: fix clock handling logic
    - drm/probe-helper: Check epoch counter in output_poll_execute()
    - media: venus: core: Fix some resource leaks in the error path of
      'venus_probe()'
    - media: platform: sunxi: sun6i-csi: fix error return code of
      sun6i_video_start_streaming()
    - media: m88ds3103: fix return value check in m88ds3103_probe()
    - media: docs: Fix data organization of MEDIA_BUS_FMT_RGB101010_1X30
    - media: [next] staging: media: atomisp: fix memory leak of object flash
    - media: atomisp: Fixed error handling path
    - media: m88rs6000t: avoid potential out-of-bounds reads on arrays
    - media: atomisp: Fix use after free in atomisp_alloc_css_stat_bufs()
    - drm/amdkfd: fix build error with AMD_IOMMU_V2=m
    - of: overlay: fix for_each_child.cocci warnings
    - x86/kprobes: Fix to check non boostable prefixes correctly
    - selftests: fix prepending $(OUTPUT) to $(TEST_PROGS)
    - pata_arasan_cf: fix IRQ check
    - pata_ipx4xx_cf: fix IRQ check
    - sata_mv: add IRQ checks
    - ata: libahci_platform: fix IRQ check
    - seccomp: Fix CONFIG tests for Seccomp_filters
    - nvme-tcp: block BH in sk state_change sk callback
    - nvmet-tcp: fix incorrect locking in state_change sk callback
    - clk: imx: Fix reparenting of UARTs not associated with stdout
    - power: supply: bq25980: Move props from battery node
    - nvme: retrigger ANA log update if group descriptor isn't found
    - media: ccs: Fix sub-device function
    - media: ipu3-cio2: Fix pixel-rate derived link frequency
    - media: i2c: imx219: Move out locking/unlocking of vflip and hflip controls
      from imx219_set_stream
    - media: i2c: imx219: Balance runtime PM use-count
    - media: v4l2-ctrls.c: fix race condition in hdl->requests list
    - media: rkvdec: Do not require all controls to be present in every request
    - vfio/fsl-mc: Re-order vfio_fsl_mc_probe()
    - vfio/pci: Move VGA and VF initialization to functions
    - vfio/pci: Re-order vfio_pci_probe()
    - drm/msm: Fix debugfs deadlock
    - vfio/mdev: Do not allow a mdev_type to have a NULL parent pointer
    - clk: zynqmp: move zynqmp_pll_set_mode out of round_rate callback
    - clk: zynqmp: pll: add set_pll_mode to check condition in zynqmp_pll_enable
    - drm: xlnx: zynqmp: fix a memset in zynqmp_dp_train()
    - clk: qcom: a53-pll: Add missing MODULE_DEVICE_TABLE
    - clk: qcom: apss-ipq-pll: Add missing MODULE_DEVICE_TABLE
    - drm/amd/display: use GFP_ATOMIC in dcn20_resource_construct
    - drm/amd/display: check fb of primary plane
    - drm/radeon: Fix a missing check bug in radeon_dp_mst_detect()
    - clk: uniphier: Fix potential infinite loop
    - scsi: pm80xx: Increase timeout for pm80xx mpi_uninit_check()
    - scsi: pm80xx: Fix potential infinite loop
    - scsi: ufs: ufshcd-pltfrm: Fix deferred probing
    - scsi: hisi_sas: Fix IRQ checks
    - scsi: jazz_esp: Add IRQ check
    - scsi: sun3x_esp: Add IRQ check
    - scsi: sni_53c710: Add IRQ check
    - scsi: ibmvfc: Fix invalid state machine BUG_ON()
    - mailbox: sprd: Introduce refcnt when clients requests/free channels
    - mfd: stm32-timers: Avoid clearing auto reload register
    - nvmet-tcp: fix a segmentation fault during io parsing error
    - nvme-pci: don't simple map sgl when sgls are disabled
    - media: meson-ge2d: fix rotation parameters
    - media: cedrus: Fix H265 status definitions
    - HSI: core: fix resource leaks in hsi_add_client_from_dt()
    - x86/events/amd/iommu: Fix sysfs type mismatch
    - perf/amd/uncore: Fix sysfs type mismatch
    - block/rnbd-clt-sysfs: Remove copy buffer overlap in rnbd_clt_get_path_name
    - sched/debug: Fix cgroup_path[] serialization
    - kthread: Fix PF_KTHREAD vs to_kthread() race
    - ataflop: potential out of bounds in do_format()
    - ataflop: fix off by one in ataflop_probe()
    - drivers/block/null_blk/main: Fix a double free in null_init.
    - xsk: Respect device's headroom and tailroom on generic xmit path
    - HID: plantronics: Workaround for double volume key presses
    - perf symbols: Fix dso__fprintf_symbols_by_name() to return the number of
      printed chars
    - ASoC: Intel: boards: sof-wm8804: add check for PLL setting
    - ASoC: Intel: Skylake: Compile when any configuration is selected
    - RDMA/mlx5: Fix mlx5 rates to IB rates map
    - wilc1000: write value to WILC_INTR2_ENABLE register
    - KVM: x86/mmu: Retry page faults that hit an invalid memslot
    - Bluetooth: avoid deadlock between hci_dev->lock and socket lock
    - net: lapbether: Prevent racing when checking whether the netif is running
    - libbpf: Add explicit padding to bpf_xdp_set_link_opts
    - bpftool: Fix maybe-uninitialized warnings
    - iommu: Check dev->iommu in iommu_dev_xxx functions
    - dma-iommu: use static-key to minimize the impact in the fast-path
    - iommu/dma: Resurrect the "forcedac" option
    - iommu/vt-d: Reject unsupported page request modes
    - selftests/bpf: Re-generate vmlinux.h and BPF skeletons if bpftool changed
    - libbpf: Add explicit padding to btf_dump_emit_type_decl_opts
    - powerpc/mm: Move the linear_mapping_mutex to the ifdef where it is used
    - powerpc/fadump: Mark fadump_calculate_reserve_size as __init
    - powerpc/prom: Mark identical_pvr_fixup as __init
    - MIPS: fix local_irq_{disable,enable} in asmmacro.h
    - ima: Fix the error code for restoring the PCR value
    - inet: use bigger hash table for IP ID generation
    - pinctrl: pinctrl-single: remove unused parameter
    - pinctrl: pinctrl-single: fix pcs_pin_dbg_show() when bits_per_mux is not
      zero
    - MIPS: loongson64: fix bug when PAGE_SIZE > 16KB
    - ASoC: wm8960: Remove bitclk relax condition in wm8960_configure_sysclk
    - iommu/arm-smmu-v3: add bit field SFM into GERROR_ERR_MASK
    - RDMA/mlx5: Fix drop packet rule in egress table
    - IB/isert: Fix a use after free in isert_connect_request
    - powerpc: Fix HAVE_HARDLOCKUP_DETECTOR_ARCH build configuration
    - MIPS/bpf: Enable bpf_probe_read{, str}() on MIPS again
    - gpio: guard gpiochip_irqchip_add_domain() with GPIOLIB_IRQCHIP
    - fs: dlm: fix missing unlock on error in accept_from_sock()
    - ASoC: q6afe-clocks: fix reprobing of the driver
    - ALSA: core: remove redundant spin_lock pair in snd_card_disconnect
    - net: phy: lan87xx: fix access to wrong register of LAN87xx
    - udp: never accept GSO_FRAGLIST packets
    - powerpc/pseries: Only register vio drivers if vio bus exists
    - net/tipc: fix missing destroy_workqueue() on error in tipc_crypto_start()
    - bug: Remove redundant condition check in report_bug
    - RDMA/core: Fix corrupted SL on passive side
    - nfc: pn533: prevent potential memory corruption
    - net: hns3: Limiting the scope of vector_ring_chain variable
    - mips: bmips: fix syscon-reboot nodes
    - KVM: arm64: Fix error return code in init_hyp_mode()
    - iommu/vt-d: Don't set then clear private data in prq_event_thread()
    - iommu: Fix a boundary issue to avoid performance drop
    - iommu/vt-d: Report right snoop capability when using FL for IOVA
    - iommu/vt-d: Report the right page fault address
    - iommu/vt-d: Preset Access/Dirty bits for IOVA over FL
    - iommu/vt-d: Remove WO permissions on second-level paging entries
    - iommu/vt-d: Invalidate PASID cache when root/context entry changed
    - ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls
    - HID: lenovo: Use brightness_set_blocking callback for setting LEDs
      brightness
    - HID: lenovo: Fix lenovo_led_set_tp10ubkbd() error handling
    - HID: lenovo: Check hid_get_drvdata() returns non NULL in lenovo_event()
    - HID: lenovo: Map mic-mute button to KEY_F20 instead of KEY_MICMUTE
    - KVM: arm64: Initialize VCPU mdcr_el2 before loading it
    - ASoC: simple-card: fix possible uninitialized single_cpu local variable
    - liquidio: Fix unintented sign extension of a left shift of a u16
    - IB/hfi1: Use kzalloc() for mmu_rb_handler allocation
    - powerpc/64s: Fix pte update for kernel memory on radix
    - powerpc/pseries: Add key to flags in pSeries_lpar_hpte_updateboltedpp()
    - powerpc/64s: Use htab_convert_pte_flags() in hash__mark_rodata_ro()
    - powerpc/perf: Fix PMU constraint check for EBB events
    - powerpc: iommu: fix build when neither PCI or IBMVIO is set
    - mac80211: bail out if cipher schemes are invalid
    - perf vendor events amd: Fix broken L2 Cache Hits from L2 HWPF metric
    - RDMA/hns: Fix missing assignment of max_inline_data
    - xfs: fix return of uninitialized value in variable error
    - rtw88: Fix an error code in rtw_debugfs_set_rsvd_page()
    - mt7601u: fix always true expression
    - mt76: mt7615: fix tx skb dma unmap
    - mt76: mt7915: fix tx skb dma unmap
    - mt76: mt7915: fix aggr len debugfs node
    - mt76: mt7615: fix mib stats counter reporting to mac80211
    - mt76: mt7915: fix mib stats counter reporting to mac80211
    - mt76: reduce q->lock hold time
    - mt76: check return value of mt76_txq_send_burst in mt76_txq_schedule_list
    - mt76: mt7915: fix rxrate reporting
    - mt76: mt7915: fix txrate reporting
    - mt76: mt7663: fix when beacon filter is being applied
    - mt76: mt7663s: make all of packets 4-bytes aligned in sdio tx aggregation
    - mt76: mt7663s: fix the possible device hang in high traffic
    - mt76: mt7615: cleanup mcu tx queue in mt7615_dma_reset()
    - mt76: mt7915: bring up the WA event rx queue for band1
    - mt76: mt7915: cleanup mcu tx queue in mt7915_dma_reset()
    - KVM: PPC: Book3S HV P9: Restore host CTRL SPR after guest exit
    - ovl: show "userxattr" in the mount data
    - ovl: invalidate readdir cache on changes to dir with origin
    - RDMA/qedr: Fix error return code in qedr_iw_connect()
    - IB/hfi1: Fix error return code in parse_platform_config()
    - RDMA/bnxt_re: Fix error return code in bnxt_qplib_cq_process_terminal()
    - cxgb4: Fix unintentional sign extension issues
    - net: thunderx: Fix unintentional sign extension issue
    - RDMA/srpt: Fix error return code in srpt_cm_req_recv()
    - RDMA/rtrs-clt: destroy sysfs after removing session from active list
    - i2c: cadence: fix reference leak when pm_runtime_get_sync fails
    - i2c: img-scb: fix reference leak when pm_runtime_get_sync fails
    - i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails
    - i2c: imx: fix reference leak when pm_runtime_get_sync fails
    - i2c: omap: fix reference leak when pm_runtime_get_sync fails
    - i2c: sprd: fix reference leak when pm_runtime_get_sync fails
    - i2c: stm32f7: fix reference leak when pm_runtime_get_sync fails
    - i2c: xiic: fix reference leak when pm_runtime_get_sync fails
    - i2c: cadence: add IRQ check
    - i2c: emev2: add IRQ check
    - i2c: jz4780: add IRQ check
    - i2c: mlxbf: add IRQ check
    - i2c: rcar: make sure irq is not threaded on Gen2 and earlier
    - i2c: rcar: protect against supurious interrupts on V3U
    - i2c: rcar: add IRQ check
    - i2c: sh7760: add IRQ check
    - iwlwifi: rs-fw: don't support stbc for HE 160
    - iwlwifi: dbg: disable ini debug in 9000 family and below
    - powerpc/xive: Drop check on irq_data in xive_core_debug_show()
    - powerpc/xive: Fix xmon command "dxi"
    - powerpc/syscall: Rename syscall_64.c into interrupt.c
    - powerpc/syscall: Change condition to check MSR_RI
    - ASoC: ak5558: correct reset polarity
    - net/mlx5: Fix bit-wise and with zero
    - net/packet: remove data races in fanout operations
    - drm/i915/gvt: Fix error code in intel_gvt_init_device()
    - iommu/amd: Put newline after closing bracket in warning
    - perf beauty: Fix fsconfig generator
    - drm/amdgpu: fix an error code in init_pmu_entry_by_type_and_add()
    - drm/amd/pm: fix error code in smu_set_power_limit()
    - MIPS: pci-legacy: stop using of_pci_range_to_resource
    - powerpc/pseries: extract host bridge from pci_bus prior to bus removal
    - mptcp: fix format specifiers for unsigned int
    - powerpc/smp: Reintroduce cpu_core_mask
    - KVM: x86: dump_vmcs should not assume GUEST_IA32_EFER is valid
    - rtlwifi: 8821ae: upgrade PHY and RF parameters
    - wlcore: fix overlapping snprintf arguments in debugfs
    - i2c: sh7760: fix IRQ error path
    - i2c: mediatek: Fix wrong dma sync flag
    - mwl8k: Fix a double Free in mwl8k_probe_hw
    - netfilter: nft_payload: fix C-VLAN offload support
    - netfilter: nftables_offload: VLAN id needs host byteorder in flow dissector
    - netfilter: nftables_offload: special ethertype handling for VLAN
    - vsock/vmci: log once the failed queue pair allocation
    - libbpf: Initialize the bpf_seq_printf parameters array field by field
    - net: ethernet: ixp4xx: Set the DMA masks explicitly
    - gro: fix napi_gro_frags() Fast GRO breakage due to IP alignment check
    - RDMA/cxgb4: add missing qpid increment
    - RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails
    - ALSA: usb: midi: don't return -ENOMEM when usb_urb_ep_type_check fails
    - sfc: ef10: fix TX queue lookup in TX event handling
    - vsock/virtio: free queued packets when closing socket
    - net: marvell: prestera: fix port event handling on init
    - net: davinci_emac: Fix incorrect masking of tx and rx error channel
    - mt76: mt7615: fix memleak when mt7615_unregister_device()
    - mt76: mt7915: fix memleak when mt7915_unregister_device()
    - powerpc/pseries/iommu: Fix window size for direct mapping with pmem
    - crypto: ccp: Detect and reject "invalid" addresses destined for PSP
    - net: dsa: mv88e6xxx: Fix off-by-one in VTU devlink region size
    - nfp: devlink: initialize the devlink port attribute "lanes"
    - net: stmmac: fix TSO and TBS feature enabling during driver open
    - net: renesas: ravb: Fix a stuck issue when a lot of frames are received
    - net: phy: intel-xway: enable integrated led functions
    - RDMA/rxe: Fix a bug in rxe_fill_ip_info()
    - RDMA/core: Add CM to restrack after successful attachment to a device
    - powerpc/64: Fix the definition of the fixmap area
    - ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices
    - ath10k: Fix a use after free in ath10k_htc_send_bundle
    - ath10k: Fix ath10k_wmi_tlv_op_pull_peer_stats_info() unlock without lock
    - wlcore: Fix buffer overrun by snprintf due to incorrect buffer size
    - powerpc/perf: Fix the threshold event selection for memory events in power10
    - powerpc/52xx: Fix an invalid ASM expression ('addi' used instead of 'add')
    - net: phy: marvell: fix m88e1011_set_downshift
    - net: phy: marvell: fix m88e1111_set_downshift
    - net: enetc: fix link error again
    - bnxt_en: fix ternary sign extension bug in bnxt_show_temp()
    - ARM: dts: uniphier: Change phy-mode to RGMII-ID to enable delay pins for
      RTL8211E
    - arm64: dts: uniphier: Change phy-mode to RGMII-ID to enable delay pins for
      RTL8211E
    - net: geneve: modify IP header check in geneve6_xmit_skb and geneve_xmit_skb
    - selftests: net: mirror_gre_vlan_bridge_1q: Make an FDB entry static
    - selftests: mlxsw: Remove a redundant if statement in tc_flower_scale test
    - bnxt_en: Fix RX consumer index logic in the error path.
    - KVM: VMX: Intercept FS/GS_BASE MSR accesses for 32-bit KVM
    - KVM: SVM: Zero out the VMCB array used to track SEV ASID association
    - KVM: SVM: Free sev_asid_bitmap during init if SEV setup fails
    - KVM: SVM: Disable SEV/SEV-ES if NPT is disabled
    - net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
    - selftests/bpf: Fix BPF_CORE_READ_BITFIELD() macro
    - selftests/bpf: Fix field existence CO-RE reloc tests
    - selftests/bpf: Fix core_reloc test runner
    - bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds
    - RDMA/siw: Fix a use after free in siw_alloc_mr
    - RDMA/bnxt_re: Fix a double free in bnxt_qplib_alloc_res
    - net: bridge: mcast: fix broken length + header check for MRDv6 Adv.
    - net: dsa: mv88e6xxx: Fix 6095/6097/6185 ports in non-SERDES CMODE
    - net:nfc:digital: Fix a double free in digital_tg_recv_dep_req
    - perf tools: Change fields type in perf_record_time_conv
    - perf jit: Let convert_timestamp() to be backwards-compatible
    - perf session: Add swap operation for event TIME_CONV
    - ia64: fix EFI_DEBUG build
    - kfifo: fix ternary sign extension bugs
    - mm/sl?b.c: remove ctor argument from kmem_cache_flags
    - mm: memcontrol: slab: fix obtain a reference to a freeing memcg
    - mm/sparse: add the missing sparse_buffer_fini() in error branch
    - mm/memory-failure: unnecessary amount of unmapping
    - afs: Fix speculative status fetches
    - net: Only allow init netns to set default tcp cong to a restricted algo
    - smp: Fix smp_call_function_single_async prototype
    - Revert "net/sctp: fix race condition in sctp_destroy_sock"
    - sctp: delay auto_asconf init until binding the first addr
    - Linux 5.11.21

* Fix kdump failures (LP: #1927518)
    - video: hyperv_fb: Add ratelimit on error message
    - Drivers: hv: vmbus: Increase wait time for VMbus unload
    - Drivers: hv: vmbus: Initialize unload_event statically

* Hirsute update: v5.11.20 upstream stable release (LP: #1928857)
    - bus: mhi: core: Fix check for syserr at power_up
    - bus: mhi: core: Clear configuration from channel context during reset
    - bus: mhi: core: Sanity check values from remote device before use
    - bus: mhi: core: Add missing checks for MMIO register entries
    - bus: mhi: pci_generic: Remove WQ_MEM_RECLAIM flag from state workqueue
    - nitro_enclaves: Fix stale file descriptors on failed usercopy
    - dyndbg: fix parsing file query without a line-range suffix
    - s390/disassembler: increase ebpf disasm buffer size
    - s390/zcrypt: fix zcard and zqueue hot-unplug memleak
    - s390/vfio-ap: fix circular lockdep when setting/clearing crypto masks
    - vhost-vdpa: fix vm_flags for virtqueue doorbell mapping
    - tpm: acpi: Check eventlog signature before using it
    - ACPI: custom_method: fix potential use-after-free issue
    - ACPI: custom_method: fix a possible memory leak
    - ftrace: Handle commands when closing set_ftrace_filter file
    - ARM: 9056/1: decompressor: fix BSS size calculation for LLVM ld.lld
    - arm64: dts: marvell: armada-37xx: add syscon compatible to NB clk node
    - arm64: dts: mt8173: fix property typo of 'phys' in dsi node
    - ecryptfs: fix kernel panic with null dev_name
    - fs/epoll: restore waking from ep_done_scan()
    - reset: add missing empty function reset_control_rearm()
    - mtd: spi-nor: core: Fix an issue of releasing resources during read/write
    - Revert "mtd: spi-nor: macronix: Add support for mx25l51245g"
    - mtd: spinand: core: add missing MODULE_DEVICE_TABLE()
    - mtd: rawnand: atmel: Update ecc_stats.corrected counter
    - mtd: physmap: physmap-bt1-rom: Fix unintentional stack access
    - erofs: add unsupported inode i_format check
    - spi: stm32-qspi: fix pm_runtime usage_count counter
    - spi: spi-ti-qspi: Free DMA resources
    - libceph: allow addrvecs with a single NONE/blank address
    - scsi: qla2xxx: Reserve extra IRQ vectors
    - scsi: lpfc: Fix rmmod crash due to bad ring pointers to abort_iotag
    - scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()
    - scsi: mpt3sas: Only one vSES is present even when IOC has multi vSES
    - scsi: mpt3sas: Block PCI config access from userspace during reset
    - mmc: uniphier-sd: Fix an error handling path in uniphier_sd_probe()
    - mmc: uniphier-sd: Fix a resource leak in the remove function
    - mmc: sdhci: Check for reset prior to DMA address unmap
    - mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based
      controllers
    - mmc: block: Update ext_csd.cache_ctrl if it was written
    - mmc: block: Issue a cache flush only when it's enabled
    - mmc: core: Do a power cycle when the CMD11 fails
    - mmc: core: Set read only for SD cards with permanent write protect bit
    - mmc: core: Fix hanging on I/O during system suspend for removable cards
    - irqchip/gic-v3: Do not enable irqs when handling spurious interrups
    - cifs: Return correct error code from smb2_get_enc_key
    - cifs: fix out-of-bound memory access when calling smb3_notify() at mount
      point
    - cifs: fix leak in cifs_smb3_do_mount() ctx
    - cifs: detect dead connections only when echoes are enabled.
    - cifs: fix regression when mounting shares with prefix paths
    - smb2: fix use-after-free in smb2_ioctl_query_info()
    - btrfs: handle remount to no compress during compression
    - x86/build: Disable HIGHMEM64G selection for M486SX
    - btrfs: fix metadata extent leak after failure to create subvolume
    - intel_th: pci: Add Rocket Lake CPU support
    - btrfs: fix race between transaction aborts and fsyncs leading to use-after-
      free
    - posix-timers: Preserve return value in clock_adjtime32()
    - fbdev: zero-fill colormap in fbcmap.c
    - cpuidle: tegra: Fix C7 idling state on Tegra114
    - bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first
    - staging: wimax/i2400m: fix byte-order issue
    - spi: ath79: always call chipselect function
    - spi: ath79: remove spi-master setup and cleanup assignment
    - bus: mhi: core: Destroy SBL devices when moving to mission mode
    - bus: mhi: core: Process execution environment changes serially
    - crypto: api - check for ERR pointers in crypto_destroy_tfm()
    - crypto: qat - fix unmap invalid dma address
    - usb: gadget: uvc: add bInterval checking for HS mode
    - usb: webcam: Invalid size of Processing Unit Descriptor
    - x86/sev: Do not require Hypervisor CPUID bit for SEV guests
    - crypto: hisilicon/sec - fixes a printing error
    - genirq/matrix: Prevent allocation counter corruption
    - usb: gadget: f_uac2: validate input parameters
    - usb: gadget: f_uac1: validate input parameters
    - usb: dwc3: gadget: Ignore EP queue requests during bus reset
    - usb: xhci: Fix port minor revision
    - kselftest/arm64: mte: Fix compilation with native compiler
    - ARM: tegra: acer-a500: Rename avdd to vdda of touchscreen node
    - PCI: PM: Do not read power state in pci_enable_device_flags()
    - kselftest/arm64: mte: Fix MTE feature detection
    - ARM: dts: BCM5301X: fix "reg" formatting in /memory node
    - ARM: dts: ux500: Fix up TVK R3 sensors
    - x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS)
    - x86/boot: Add $(CLANG_FLAGS) to compressed KBUILD_CFLAGS
    - efi/libstub: Add $(CLANG_FLAGS) to x86 flags
    - soc/tegra: pmc: Fix completion of power-gate toggling
    - arm64: dts: imx8mq-librem5-r3: Mark buck3 as always on
    - tee: optee: do not check memref size on return from Secure World
    - soundwire: cadence: only prepare attached devices on clock stop
    - perf/arm_pmu_platform: Use dev_err_probe() for IRQ errors
    - perf/arm_pmu_platform: Fix error handling
    - random: initialize ChaCha20 constants with correct endianness
    - usb: xhci-mtk: support quirk to disable usb2 lpm
    - fpga: dfl: pci: add DID for D5005 PAC cards
    - xhci: check port array allocation was successful before dereferencing it
    - xhci: check control context is valid before dereferencing it.
    - xhci: fix potential array out of bounds with several interrupters
    - bus: mhi: core: Clear context for stopped channels from remove()
    - ARM: dts: at91: change the key code of the gpio key
    - tools/power/x86/intel-speed-select: Increase string size
    - platform/x86: ISST: Account for increased timeout in some cases
    - clocksource/drivers/dw_apb_timer_of: Add handling for potential memory leak
    - resource: Prevent irqresource_disabled() from erasing flags
    - spi: dln2: Fix reference leak to master
    - spi: omap-100k: Fix reference leak to master
    - spi: qup: fix PM reference leak in spi_qup_remove()
    - usb: gadget: tegra-xudc: Fix possible use-after-free in tegra_xudc_remove()
    - usb: musb: fix PM reference leak in musb_irq_work()
    - usb: core: hub: Fix PM reference leak in usb_port_resume()
    - usb: dwc3: gadget: Check for disabled LPM quirk
    - tty: n_gsm: check error while registering tty devices
    - intel_th: Consistency and off-by-one fix
    - phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove()
    - crypto: sun8i-ss - Fix PM reference leak when pm_runtime_get_sync() fails
    - crypto: sun8i-ce - Fix PM reference leak in sun8i_ce_probe()
    - crypto: stm32/hash - Fix PM reference leak on stm32-hash.c
    - crypto: stm32/cryp - Fix PM reference leak on stm32-cryp.c
    - crypto: sa2ul - Fix PM reference leak in sa_ul_probe()
    - crypto: omap-aes - Fix PM reference leak on omap-aes.c
    - platform/x86: intel_pmc_core: Don't use global pmcdev in quirks
    - spi: sync up initial chipselect state
    - btrfs: do proper error handling in create_reloc_root
    - btrfs: do proper error handling in btrfs_update_reloc_root
    - btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s
    - regulator: da9121: automotive variants identity fix
    - drm: Added orientation quirk for OneGX1 Pro
    - drm/qxl: release shadow on shutdown
    - drm/ast: Fix invalid usage of AST_MAX_HWC_WIDTH in cursor atomic_check
    - drm/amd/display: changing sr exit latency
    - drm/amd/display: Fix MPC OGAM power on/off sequence
    - drm/ast: fix memory leak when unload the driver
    - drm/amd/display: Check for DSC support instead of ASIC revision
    - drm/amd/display: Don't optimize bandwidth before disabling planes
    - drm/amd/display: Return invalid state if GPINT times out
    - drm/amdgpu/display: buffer INTERRUPT_LOW_IRQ_CONTEXT interrupt work
    - drm/amd/display/dc/dce/dce_aux: Remove duplicate line causing 'field
      overwritten' issue
    - scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe
    - scsi: lpfc: Fix pt2pt connection does not recover after LOGO
    - scsi: lpfc: Fix status returned in lpfc_els_retry() error exit path
    - scsi: lpfc: Fix PLOGI ACC to be transmit after REG_LOGIN
    - scsi: lpfc: Fix ADISC handling that never frees nodes
    - drm/amdgpu: Fix some unload driver issues
    - sched/pelt: Fix task util_est update filtering
    - sched/topology: fix the issue groups don't span domain->span for NUMA
      diameter > 2
    - kvfree_rcu: Use same set of GFP flags as does single-argument
    - drm/virtio: fix possible leak/unlock virtio_gpu_object_array
    - scsi: target: pscsi: Fix warning in pscsi_complete_cmd()
    - media: ite-cir: check for receive overflow
    - media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB
    - media: drivers/media/usb: fix memory leak in zr364xx_probe
    - media: cx23885: add more quirks for reset DMA on some AMD IOMMU
    - media: imx: capture: Return -EPIPE from __capture_legacy_try_fmt()
    - atomisp: don't let it go past pipes array
    - power: supply: bq27xxx: fix power_avg for newer ICs
    - extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has
      been unplugged
    - extcon: arizona: Fix various races on driver unbind
    - media: media/saa7164: fix saa7164_encoder_register() memory leak bugs
    - media: gspca/sq905.c: fix uninitialized variable
    - media: v4l2-ctrls.c: initialize flags field of p_fwht_params
    - power: supply: Use IRQF_ONESHOT
    - backlight: qcom-wled: Use sink_addr for sync toggle
    - backlight: qcom-wled: Fix FSC update issue for WLED5
    - drm/amdgpu: mask the xgmi number of hops reported from psp to kfd
    - drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
    - drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f
    - drm/amd/pm: fix workload mismatch on vega10
    - drm/amd/display: Fix UBSAN warning for not a valid value for type '_Bool'
    - drm/amd/display: DCHUB underflow counter increasing in some scenarios
    - drm/amd/display: fix dml prefetch validation
    - scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats()
    - drm/vkms: fix misuse of WARN_ON
    - scsi: qla2xxx: Fix use after free in bsg
    - mmc: sdhci-esdhc-imx: validate pinctrl before use it
    - mmc: sdhci-pci: Add PCI IDs for Intel LKF
    - mmc: sdhci-brcmstb: Remove CQE quirk
    - ata: ahci: Disable SXS for Hisilicon Kunpeng920
    - drm/komeda: Fix bit check to import to value of proper type
    - nvmet: return proper error code from discovery ctrl
    - selftests/resctrl: Enable gcc checks to detect buffer overflows
    - selftests/resctrl: Fix compilation issues for global variables
    - selftests/resctrl: Fix compilation issues for other global variables
    - selftests/resctrl: Clean up resctrl features check
    - selftests/resctrl: Fix missing options "-n" and "-p"
    - selftests/resctrl: Use resctrl/info for feature detection
    - selftests/resctrl: Fix incorrect parsing of iMC counters
    - selftests/resctrl: Fix checking for < 0 for unsigned values
    - power: supply: cpcap-charger: Add usleep to cpcap charger to avoid usb plug
      bounce
    - scsi: smartpqi: Use host-wide tag space
    - scsi: smartpqi: Correct request leakage during reset operations
    - scsi: smartpqi: Add new PCI IDs
    - scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg()
    - media: em28xx: fix memory leak
    - media: vivid: update EDID
    - drm/msm/dp: Fix incorrect NULL check kbot warnings in DP driver
    - clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return
    - power: supply: generic-adc-battery: fix possible use-after-free in
      gab_remove()
    - power: supply: s3c_adc_battery: fix possible use-after-free in
      s3c_adc_bat_remove()
    - media: tc358743: fix possible use-after-free in tc358743_remove()
    - media: adv7604: fix possible use-after-free in adv76xx_remove()
    - media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove()
    - media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove()
    - media: i2c: adv7842: fix possible use-after-free in adv7842_remove()
    - media: platform: sti: Fix runtime PM imbalance in regs_show
    - media: sun8i-di: Fix runtime PM imbalance in deinterlace_start_streaming
    - media: dvb-usb: fix memory leak in dvb_usb_adapter_init
    - media: gscpa/stv06xx: fix memory leak
    - sched/fair: Ignore percpu threads for imbalance pulls
    - drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal
    - drm/msm/mdp5: Do not multiply vclk line count by 100
    - drm/amdgpu/ttm: Fix memory leak userptr pages
    - drm/radeon/ttm: Fix memory leak userptr pages
    - drm/amd/display: Fix debugfs link_settings entry
    - drm/amd/display: Fix UBSAN: shift-out-of-bounds warning
    - drm/radeon: don't evict if not initialized
    - drm/amdkfd: Fix cat debugfs hang_hws file causes system crash bug
    - amdgpu: avoid incorrect %hu format string
    - drm/amdgpu/display: fix memory leak for dimgrey cavefish
    - drm/amdgpu: fix NULL pointer dereference
    - scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO
      response
    - scsi: lpfc: Fix reference counting errors in lpfc_cmpl_els_rsp()
    - scsi: lpfc: Fix error handling for mailboxes completed in MBX_POLL mode
    - scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic
    - mfd: intel-m10-bmc: Fix the register access range
    - mfd: da9063: Support SMBus and I2C mode
    - mfd: arizona: Fix rumtime PM imbalance on error
    - scsi: libfc: Fix a format specifier
    - perf: Rework perf_event_exit_event()
    - sched,fair: Alternative sched_slice()
    - block/rnbd-srv: Prevent a deadlock generated by accessing sysfs in parallel
    - block/rnbd-clt: Fix missing a memory free when unloading the module
    - s390/archrandom: add parameter check for s390_arch_random_generate
    - sched,psi: Handle potential task count underflow bugs more gracefully
    - power: supply: cpcap-battery: fix invalid usage of list cursor
    - ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer
    - ALSA: hda/conexant: Re-order CX5066 quirk table entries
    - ALSA: sb: Fix two use after free in snd_sb_qsound_build
    - ALSA: usb-audio: Explicitly set up the clock selector
    - ALSA: usb-audio: Add dB range mapping for Sennheiser Communications Headset
      PC 8
    - ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 445 G7
    - ALSA: hda/realtek: GA503 use same quirks as GA401
    - ALSA: hda/realtek: fix mic boost on Intel NUC 8
    - ALSA: hda/realtek - Headset Mic issue on HP platform
    - ALSA: hda/realtek: fix static noise on ALC285 Lenovo laptops
    - ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx
    - tools/power/turbostat: Fix turbostat for AMD Zen CPUs
    - btrfs: fix race when picking most recent mod log operation for an old root
    - arm64/vdso: Discard .note.gnu.property sections in vDSO
    - Makefile: Move -Wno-unused-but-set-variable out of GCC only block
    - fs: fix reporting supported extra file attributes for statx()
    - virtiofs: fix memory leak in virtio_fs_probe()
    - kcsan, debugfs: Move debugfs file creation out of early init
    - ubifs: Only check replay with inode type to judge if inode linked
    - f2fs: fix error handling in f2fs_end_enable_verity()
    - f2fs: fix to avoid out-of-bounds memory access
    - mlxsw: spectrum_mr: Update egress RIF list before route's action
    - openvswitch: fix stack OOB read while fragmenting IPv4 packets
    - net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets
    - NFS: fs_context: validate UDP retrans to prevent shift out-of-bounds
    - NFS: Don't discard pNFS layout segments that are marked for return
    - NFSv4: Don't discard segments marked for return in _pnfs_return_layout()
    - Input: ili210x - add missing negation for touch indication on ili210x
    - jffs2: Fix kasan slab-out-of-bounds problem
    - jffs2: Hook up splice_write callback
    - iommu/vt-d: Force to flush iotlb before creating superpage
    - powerpc/vdso: Separate vvar vma from vdso
    - powerpc/powernv: Enable HAIL (HV AIL) for ISA v3.1 processors
    - powerpc/eeh: Fix EEH handling for hugepages in ioremap space.
    - powerpc/kexec_file: Use current CPU info while setting up FDT
    - powerpc/32: Fix boot failure with CONFIG_STACKPROTECTOR
    - powerpc: fix EDEADLOCK redefinition error in uapi/asm/errno.h
    - powerpc/kvm: Fix PR KVM with KUAP/MEM_KEYS enabled
    - powerpc/kvm: Fix build error when PPC_MEM_KEYS/PPC_PSERIES=n
    - intel_th: pci: Add Alder Lake-M support
    - tpm: efi: Use local variable for calculating final log size
    - tpm: vtpm_proxy: Avoid reading host log when using a virtual device
    - crypto: arm/curve25519 - Move '.fpu' after '.arch'
    - crypto: rng - fix crypto_rng_reset() refcounting when !CRYPTO_STATS
    - md/raid1: properly indicate failure when ending a failed write request
    - dm raid: fix inconclusive reshape layout on fast raid4/5/6 table reload
      sequences
    - fuse: fix write deadlock
    - mm: page_alloc: ignore init_on_free=1 for debug_pagealloc=1
    - exfat: fix erroneous discard when clear cluster bit
    - sfc: farch: fix TX queue lookup in TX flush done handling
    - sfc: farch: fix TX queue lookup in TX event handling
    - rcu/nocb: Fix missed nocb_timer requeue
    - security: commoncap: fix -Wstringop-overread warning
    - Fix misc new gcc warnings
    - jffs2: check the validity of dstlen in jffs2_zlib_compress()
    - smb3: when mounting with multichannel include it in requested capabilities
    - smb3: if max_channels set to more than one channel request multichannel
    - smb3: do not attempt multichannel to server which does not support it
    - Revert 337f13046ff0 ("futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op")
    - futex: Do not apply time namespace adjustment on FUTEX_LOCK_PI
    - x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported
    - kbuild: update config_data.gz only when the content of .config is changed
    - ext4: annotate data race in start_this_handle()
    - ext4: annotate data race in jbd2_journal_dirty_metadata()
    - ext4: fix check to prevent false positive report of incorrect used inodes
    - ext4: do not set SB_ACTIVE in ext4_orphan_cleanup()
    - ext4: always panic when errors=panic is specified
    - ext4: fix error code in ext4_commit_super
    - ext4: fix ext4_error_err save negative errno into superblock
    - ext4: fix error return code in ext4_fc_perform_commit()
    - ext4: allow the dax flag to be set and cleared on inline directories
    - ext4: Fix occasional generic/418 failure
    - media: dvbdev: Fix memory leak in dvb_media_device_free()
    - media: dvb-usb: Fix use-after-free access
    - media: dvb-usb: Fix memory leak at error in dvb_usb_device_init()
    - media: staging/intel-ipu3: Fix memory leak in imu_fmt
    - media: staging/intel-ipu3: Fix set_fmt error handling
    - media: staging/intel-ipu3: Fix race condition during set_fmt
    - media: v4l2-ctrls: fix reference to freed memory
    - media: coda: fix macroblocks count control usage
    - media: venus: hfi_parser: Don't initialize parser on v1
    - usb: gadget: dummy_hcd: fix gpf in gadget_setup
    - usb: gadget: Fix double free of device descriptor pointers
    - usb: gadget/function/f_fs string table fix for multiple languages
    - usb: dwc3: gadget: Remove FS bInterval_m1 limitation
    - usb: dwc3: gadget: Fix START_TRANSFER link state check
    - usb: dwc3: core: Do core softreset when switch mode
    - usb: dwc2: Fix session request interrupt handler
    - PCI: dwc: Move iATU detection earlier
    - tty: fix memory leak in vc_deallocate
    - rsi: Use resume_noirq for SDIO
    - tools/power turbostat: Fix offset overflow issue in index converting
    - tracing: Map all PIDs to command lines
    - tracing: Restructure trace_clock_global() to never block
    - dm persistent data: packed struct should have an aligned() attribute too
    - dm space map common: fix division bug in sm_ll_find_free_block()
    - dm integrity: fix missing goto in bitmap_flush_interval error handling
    - dm rq: fix double free of blk_mq_tag_set in dev remove after table load
      fails
    - pinctrl: Ingenic: Add support for read the pin configuration of X1830.
    - lib/vsprintf.c: remove leftover 'f' and 'F' cases from bstr_printf()
    - thermal/drivers/cpufreq_cooling: Fix slab OOB issue
    - thermal/core/fair share: Lock the thermal zone while looping over instances
    - Revert "UBUNTU: SAUCE: Revert "s390/cio: remove pm support from ccw bus
      driver""
    - s390/cio: remove invalid condition on IO_SCH_UNREG
    - Linux 5.11.20

* Hirsute update: v5.11.20 upstream stable release (LP: #1928857) //
    CVE-2021-20288).
    - libceph: bump CephXAuthenticate encoding version

* Hirsute update: v5.11.19 upstream stable release (LP: #1928850)
    - mips: Do not include hi and lo in clobber list for R6
    - netfilter: conntrack: Make global sysctls readonly in non-init netns
    - net: usb: ax88179_178a: initialize local variables before use
    - drm/i915: Disable runtime power management during shutdown
    - igb: Enable RSS for Intel I211 Ethernet Controller
    - bpf: Fix masking negation logic upon negative dst register
    - bpf: Fix leakage of uninitialized bpf stack under speculation
    - net: qrtr: Avoid potential use after free in MHI send
    - perf data: Fix error return code in perf_data__create_dir()
    - capabilities: require CAP_SETFCAP to map uid 0
    - perf ftrace: Fix access to pid in array when setting a pid filter
    - tools/cgroup/slabinfo.py: updated to work on current kernel
    - driver core: add a min_align_mask field to struct device_dma_parameters
    - swiotlb: add a IO_TLB_SIZE define
    - swiotlb: factor out an io_tlb_offset helper
    - swiotlb: factor out a nr_slots helper
    - swiotlb: clean up swiotlb_tbl_unmap_single
    - swiotlb: refactor swiotlb_tbl_map_single
    - swiotlb: don't modify orig_addr in swiotlb_tbl_sync_single
    - swiotlb: respect min_align_mask
    - nvme-pci: set min_align_mask
    - ovl: fix leaked dentry
    - ovl: allow upperdir inside lowerdir
    - ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX
    - ALSA: usb-audio: Fix implicit sync clearance at stopping stream
    - USB: Add reset-resume quirk for WD19's Realtek Hub
    - platform/x86: thinkpad_acpi: Correct thermal sensor allocation
    - perf/core: Fix unconditional security_locked_down() call
    - vfio: Depend on MMU
    - Linux 5.11.19

* r8152 tx status -71 (LP: #1922651) // Hirsute update: v5.11.19 upstream
    stable release (LP: #1928850)
    - USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet

* Hirsute update: v5.11.18 upstream stable release (LP: #1928849)
    - iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_gen2_enqueue_hcmd()
    - drm/amd/display: Update modifier list for gfx10_3
    - mei: me: add Alder Lake P device id.
    - Linux 5.11.18

-- Thadeu Lima de Souza Cascardo <cascardo@canonical.com>  Wed, 16 Jun 2021 19:38:04 -0300

Changed in linux (Ubuntu):
status:	New → Fix Released

Thadeu Lima de Souza Cascardo (cascardo) on 2021-06-22

summary:	- placeholder bug + UAF on CAN BCM bcm_rx_handler
description:	updated
information type:	Private → Public Security

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2021-06-24:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-hirsute' to 'verification-done-hirsute'. If the problem still exists, change the tag 'verification-needed-hirsute' to 'verification-failed-hirsute'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-hirsute

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2021-07-01:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-focal

Stefan Bader (smb) on 2021-07-13

tags:

added: kernel-cve-tracking-bug
removed: verification-needed-focal verification-needed-hirsute

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

UAF on CAN BCM bcm_rx_handler

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package