Bug #1987430 “Ubuntu 22.04 kernel 5.15.0-46-generic leaks kernel...” : Bugs : linux package : Ubuntu

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-08-23: Missing required logs.

#1

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1987430

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete

Revision history for this message

Chris Siebenmann (cks) wrote on 2022-08-23:

#2

This is happening on a server and I cannot persuade it to run apport-collect in any useful way; it fails both with and without forwarded X (where lynx is started but apparently is incompatible with Launchpad for authorizing machines). I can attach specific information if necessary.

As an update, we have some systems that without the kernel update but with our recent change to explicitly disable AppArmor on the kernel command line, and they seem to also have the symptoms of this problem. So this issue may be a general one with disabling AppArmor in the Ubuntu kernel.

Changed in linux (Ubuntu):
status:	Incomplete → Confirmed

Revision history for this message

Chris Siebenmann (cks) wrote on 2022-08-23:

#3

I would be happy to attach logs or other information from this system or any of our other systems, many of which are still being affected by this bug until we reboot them.

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2022-08-24:

#4

Hi Chris,

I stood up a Jammy VM, and tried with and without apparmor=0 on the kernel command line, for a few hours at a time.

The /proc/slabinfo for kmalloc-2k and /proc/meminfo for unreclaimable slabs were stable and did not grow, so it must be related to your workload.

What sort of workloads are running on your servers?

If you stand up a fresh VM and minimally configure it, can you still see the kernel memory leak? Or do you need your workload to provoke it?

If you do have a set of commands to reproduce the issue, please list them here.

Thanks,
Matthew

Revision history for this message

Chris Siebenmann (cks) wrote on 2022-08-24:

#5

We've seen this on a wide variety of workloads, including general user logins with NFS mounts, SLURM head and cluster nodes, a Prometheus/Grafana server, a Grafana Loki server, two Exim servers, a Samba server, LDAP servers, Matlab license servers, and a monitoring machine that just runs conserver. It seems to be correlated with the amount of processes and activity that happens on a machine, as the two machines that leaked the most are our primary general use login server and our Prometheus server (which is constantly running a churn of monitoring and probe activity). As a result of this, I don't currently have any particular commands that reproduce this.

It may be relevant that we are auditing some system calls. The generated /etc/audit/audit.rules on our servers has:
-D
-b 8192
-f 1
--backlog_wait_time 60000
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve

We also have audit log only to files by masking systemd-journald-audit.socket.

I will see if I can reproduce this in a VM by generating random activity (I'm going to try repeatedly compiling something over and over), first in our standard configuration and then in a more minimal one. It will likely take at least a day or two to know one way or another.

Revision history for this message

Chris Siebenmann (cks) wrote on 2022-08-24:

#6

It appears that the combination of our audit rules being enabled and apparmor=0 is what triggers the leak. My test case is repeatedly compiling Go from source and running its self tests (cloning https://go.googlesource.com/go, then 'cd go/src; while true; do ./all.bash; done'). On a VM configured as one of our machines (with audit rules), this leaks visibly. On a basically stock 22.04 VM (and thus with no audit rules), this doesn't leak. If I disable auditd on our configuration, it stops leaking. On the stock configuration, if I install auditd and our rules, and enable auditd (and reboot), it immediately starts leaking with rapid growth in kmalloc-2k. Taken from slabtop on the stock VM + auditd:

OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME
81360 81355 99% 2.00K 5085 16 162720K kmalloc-2k
44010 39386 89% 1.15K 1630 27 52160K ext4_inode_cache
[...]

This is on a VM that's been up only 24 minutes so far; this is the top slab entry, far ahead of the second placed one I've also shown. And just in the process of writing this comment, it's grown to 206080K.

Stopping auditd on the our-setup VM seems to stop further kmalloc-2k slab growth but doesn't reduce the current size.

Revision history for this message

Chris Siebenmann (cks) wrote on 2022-08-24:

#7

I booted the "stock" VM with slub_nomerge and after two hours of uptime (and constant Go compilation and testing), the top counts in slabtop for active objects and memory use are:

OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME
536896 536869 99% 2.00K 33556 16 1073792K kmalloc-2k
536350 536350 100% 0.02K 3155 170 12620K audit_buffer
536320 536320 100% 0.25K 33520 16 134080K skbuff_head_cache
489099 489099 100% 0.10K 12541 39 50164K buffer_head
78057 75309 96% 0.19K 3717 21 14868K dentry
65110 59084 90% 0.02K 383 170 1532K lsm_inode_cache

OBJS ACTIVE USE OBJ SIZE SLABS OBJ/SLAB CACHE SIZE NAME
537104 537097 99% 2.00K 33569 16 1074208K kmalloc-2k
536528 536528 100% 0.25K 33533 16 134132K skbuff_head_cache
465348 397547 85% 0.10K 11932 39 47728K buffer_head
36936 36471 98% 1.15K 1368 27 43776K ext4_inode_cache
76839 56841 73% 0.19K 3659 21 14636K dentry
20988 19716 93% 0.62K 1749 12 13992K inode_cache
536520 536520 100% 0.02K 3156 170 12624K audit_buffer

It seems suggestive that the top three by count have almost the same count (and it's a large one).

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2022-08-25:

#8

Hi Chris,

I have some good news to share. Thanks to your detailed comments, I can reproduce the issue easily in my lab. Here is my reproducer:

Start a fresh VM, either Jammy or Kinetic, just needs to use the Ubuntu -generic kernel.

1. Edit /etc/default/grub and append apparmor=0 to GRUB_CMDLINE_LINUX_DEFAULT
2. sudo update-grub
3. sudo apt update
4. sudo apt install auditd
5. Append the following to /etc/audit/rules.d/audit.rules:
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
6. sudo reboot
7. sudo apt install stress-ng
8. stress-ng --exec $(nproc)
9. Check the following for memory leaks:
$ watch "sudo cat /proc/meminfo | grep SUnreclaim"
$ watch "sudo cat /proc/slabinfo | grep kmalloc-2k"
$ sudo slabtop

At this point SUnreclaim will grow rapidly, at a rate of 3mb or so per second. If you leave it for a few minutes, it will consume hundreds of megabytes.

I have been doing some testing, and the Jammy 5.15.0-46-generic and Kinetic 5.19.0-15-generic kernels are affected.

I tried 5.15.0-25-generic as well, and it had the same issue.

I tried mainline 5.15 and 5.19 from the Ubuntu mainline repo, but they did not reproduce the issue at all.

Interesting. It currently looks like a custom Ubuntu SAUCE patch to either apparmor or audit is causing the memory leak. I'm going to start investigating this more deeply.

For now, I think that you should run with apparmor=1 on the kernel command line as a workaround while we root cause and get this fixed.

I'll keep you updated on what I find.

Thanks,
Matthew

Changed in linux (Ubuntu Jammy):
status:	New → In Progress
Changed in linux (Ubuntu Kinetic):
status:	Confirmed → In Progress
Changed in linux (Ubuntu Jammy):
importance:	Undecided → Medium
Changed in linux (Ubuntu Kinetic):
importance:	Undecided → Medium
Changed in linux (Ubuntu Jammy):
assignee:	nobody → Matthew Ruffell (mruffell)
Changed in linux (Ubuntu Kinetic):
assignee:	nobody → Matthew Ruffell (mruffell)
tags:	added: jammy kinetic seg

Revision history for this message

JianlinLv (jianlinlv) wrote on 2023-02-13:

#9

hi Matthew,
Any update about this issue?
This issue also was happened with ubuntu 22.04 kernel 5.15.0-26.
Does the latest tag Ubuntu-5.15.0-66.73 fix this issue?

Revision history for this message

JianlinLv (jianlinlv) wrote on 2023-02-17:

#10

0001-UBUNTU-audit-fix-memory-leak-of-audit_log_lsm.patch Edit (3.3 KiB, text/plain)

Attach patch to fix this issue

Ubuntu Foundations Team Bug Bot (crichton) on 2023-02-17

tags:

added: patch

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2023-02-20:

#11

Hi JianlinLV,

I tried the latest 5.15.0-60-generic kernel from -updates, and I couldn't reproduce the issue anymore.

Can you try 5.15.0-60-generic and let me know?

I bisected it down to 5.15.0-52-generic being broken, and it being fixed in 5.15.0-53-generic.

Still trying to find the commit which fixed the issue.

I had a read of your patch, and it fixes a part of the Apparmor LSM Stacking patchset that Ubuntu carries out of tree. The upstream code has changed a bit from what is found in the 5.15.0-x-generic kernel in Jammy. https://<email address hidden>/

Let me know how 5.15.0-60-generic goes.

Thanks,
Matthew

Revision history for this message

JianlinLv (jianlinlv) wrote on 2023-02-22:

#12

hi Matthew,
I did some investigation in 5.15.0-66-generic, lsm_multiple_contexts()return 0 that make audit_log_lsm() return without malloc memory thus avoiding memory leaks.

audit_log_lsm()
->if (!lsm_multiple_contexts())
return;

I haven't found out which commit change the behavior of lsm_multiple_contexts().

Jianlin

Revision history for this message

Jacob Martin (jacobmartin) wrote on 2023-02-23:

#13

I am able to reproduce this issue on 5.15.0-52-generic. However, it seems to be hidden in 5.15.0-53-generic by this commit:

39cce16cfeed UBUNTU: SAUCE: LSM: Change Landlock from LSMBLOB_NEEDED to LSMBLOB_NOT_NEEDED

Applying this commit on its own on top of 5.15.0-52-generic stops the memory leak in the test case described by Matthew in #8. This is coincidental, since now with apparmor=0 no lsmblob slots are assigned. Thus as JianlinLv mentions in #12, lsm_multiple_contexts() will return false, and audit_log_lsm() will exit before any memory is allocated.

Before this commit, landlock was assigned 3 lsmblob slots that did not use the task_getsecid_obj hook (from dmesg with lsm.debug=1):
[ 0.155733] LSM: landlock assigned lsmblob slot 0
[ 0.155733] LSM: landlock assigned lsmblob slot 1
[ 0.155733] LSM: landlock assigned lsmblob slot 2

Thus, before 5.15.0-53, lsm_multiple_contexts() would return true and there would be no early exit before memory allocation. With apparmor disabled, the only LSM modules registered to use lsmblob slots would be ones that did not implement the task_getsecid_subj hook, so the localblob variable would not get set by anyone. Hence, there would be this other early exit (post-allocation) in audit_log_lsm()...

    if (blob == NULL) {
        security_task_getsecid_subj(current, &localblob);
        if (!lsmblob_is_set(&localblob))
            return;
        ...
    }

... which is one of the two locations addressed by the patch.

The above commit introduced in 5.15.0-53 does not fix the underlying problem, but the underlying problem is resolved by JianlinLv's patch. The patch has received its two ACKs on the SRU mailing list and is pending application.

Stefan Bader (smb) on 2023-02-24

Changed in linux (Ubuntu Jammy):
status:	In Progress → Fix Committed

Revision history for this message

Jacob Martin (jacobmartin) wrote on 2023-02-27:

#14

For Kinetic, this was resolved in 5.19.0-17 by the apparmor and LSM stacking patchset described by this LP bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1989983.

Specifically, the underlying issue was fixed in Kinetic by these two commits:

4bd3e737cd45 Revert "UBUNTU: SAUCE: Audit: Add new record for multiple process LSM attributes"
dd547c837f7c UBUNTU: SAUCE: lsm stacking v37: Audit: Add record for multiple task security contexts

Together, these commits removed the affected function and replaced it with an implementation that does not have this memory leak.

Changed in linux (Ubuntu Kinetic):
status:	In Progress → Fix Released

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-03-02:

#15

This bug is awaiting verification that the linux/5.15.0-68.75 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux verification-needed-jammy

Revision history for this message

Matthew Ruffell (mruffell) wrote on 2023-03-15:

#16

Performing verification for Jammy.

I started a fresh Jammy VM, and installed 5.15.0-67-generic from -updates.

I appended apparmor=0 to GRUB_CMDLINE_LINUX_DEFAULT, updated grub, and rebooted.

From there, I installed auditd, and stress-ng. I edited /etc/audit/rules.d/audit.rules to include:

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve

I then rebooted, and started stress-ng.

I checked the kmalloc-2k slab with:

$ watch "sudo cat /proc/meminfo | grep SUnreclaim"
$ watch "sudo cat /proc/slabinfo | grep kmalloc-2k"
$ sudo slabtop

Now, since this bug has been worked around by:

39cce16cfeed UBUNTU: SAUCE: LSM: Change Landlock from LSMBLOB_NEEDED to LSMBLOB_NOT_NEEDED

in 5.15.0-53-generic, the kmalloc-k slab did not uncontrollably increase, but
that is okay, it is just the leak isn't reachable with landlock not using the
task_getsecid_obj hook.

This means this verification is more of a smoke test than checking root cause.

I then enabled -proposed, and installed 5.15.0-68-generic, and rebooted.

I again ran stress-ng and checked the kmalloc-2k slab, and all was well, there
was no memory leak.

The core issue was fixed, but again, masked by the previous fix in
5.15.0-53-generic.

There was no smoke, and things ran as expected. Marking verified for Jammy.

tags:

added: verification-done-jammy
removed: verification-needed-jammy

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-03-27:

#17

Download full text (66.3 KiB)

This bug was fixed in the package linux - 5.15.0-69.76

---------------
linux (5.15.0-69.76) jammy; urgency=medium

* jammy/linux: 5.15.0-69.76 -proposed tracker (LP: #2012092)

* NFS deathlock with last Kernel 5.4.0-144.161 and 5.15.0-67.74 (LP: #2009325)
- NFS: Correct timing for assigning access cache timestamp

linux (5.15.0-68.75) jammy; urgency=medium

* jammy/linux: 5.15.0-68.75 -proposed tracker (LP: #2008349)

* Packaging resync (LP: #1786013)
- debian/dkms-versions -- update from kernel-versions (main/2023.02.27)

  * Ubuntu 22.04 kernel 5.15.0-46-generic leaks kernel memory in kmalloc-2k
    slabs (LP: #1987430)
    - SAUCE: audit: fix memory leak of audit_log_lsm()

  * [EGS] Backport intel_idle support for Eagle Stream Ubuntu 22.04 release
    (LP: #2003267)
    - intel_idle: add SPR support
    - intel_idle: add 'preferred_cstates' module argument
    - intel_idle: add core C6 optimization for SPR
    - cpuidle: intel_idle: Drop redundant backslash at line end
    - intel_idle: Fix the 'preferred_cstates' module parameter
    - intel_idle: Fix SPR C6 optimization
    - intel_idle: make SPR C1 and C1E be independent

* Fix speaker mute hotkey doesn't work on Dell G16 series (LP: #2003161)
- platform/x86: dell-wmi: Add a keymap for KEY_MUTE in type 0x0010 table

  * Fix the ACPI _CPC not found error from kernel dmesg on some dynamic SSDT
    table loaded firmwares (LP: #2006077)
    - ACPI: bus: Avoid using CPPC if not supported by firmware
    - ACPI: bus: Set CPPC _OSC bits for all and when CPPC_LIB is supported
    - ACPI: CPPC: Only probe for _CPC if CPPC v2 is acked

  * rtcpie in timers from ubuntu_kernel_selftests randomly failing
    (LP: #1814234)
    - SAUCE: selftest: rtcpie: Force passing unreliable subtest

  * Jammy update: v5.15.87 upstream stable release (LP: #2007441)
    - usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init
    - cifs: fix oops during encryption
    - nvme-pci: fix doorbell buffer value endianness
    - nvme-pci: fix mempool alloc size
    - nvme-pci: fix page size checks
    - ACPI: resource: do IRQ override on LENOVO IdeaPad
    - ACPI: resource: do IRQ override on XMG Core 15
    - ACPI: resource: do IRQ override on Lenovo 14ALC7
    - block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
    - ata: ahci: Fix PCS quirk application for suspend
    - nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition
    - nvmet: don't defer passthrough commands with trivial effects to the
      workqueue
    - fs/ntfs3: Validate BOOT record_size
    - fs/ntfs3: Add overflow check for attribute size
    - fs/ntfs3: Validate data run offset
    - fs/ntfs3: Add null pointer check to attr_load_runs_vcn
    - fs/ntfs3: Fix memory leak on ntfs_fill_super() error path
    - fs/ntfs3: Add null pointer check for inode operations
    - fs/ntfs3: Validate attribute name offset
    - fs/ntfs3: Validate buffer length while parsing index
    - fs/ntfs3: Validate resident attribute name
    - fs/ntfs3: Fix slab-out-of-bounds read in run_unpack
    - soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15
    - fs/ntfs3: Validate index root when initialize NTFS security
    - fs/ntfs3: Use __G...

This bug was fixed in the package linux - 5.15.0-69.76

---------------
linux (5.15.0-69.76) jammy; urgency=medium

* jammy/linux: 5.15.0-69.76 -proposed tracker (LP: #2012092)

* NFS deathlock with last Kernel 5.4.0-144.161 and 5.15.0-67.74 (LP: #2009325)
    - NFS: Correct timing for assigning access cache timestamp

linux (5.15.0-68.75) jammy; urgency=medium

* jammy/linux: 5.15.0-68.75 -proposed tracker (LP: #2008349)

* Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2023.02.27)

* Ubuntu 22.04 kernel 5.15.0-46-generic leaks kernel memory in kmalloc-2k
    slabs (LP: #1987430)
    - SAUCE: audit: fix memory leak of audit_log_lsm()

* [EGS] Backport intel_idle support for Eagle Stream Ubuntu 22.04 release
    (LP: #2003267)
    - intel_idle: add SPR support
    - intel_idle: add 'preferred_cstates' module argument
    - intel_idle: add core C6 optimization for SPR
    - cpuidle: intel_idle: Drop redundant backslash at line end
    - intel_idle: Fix the 'preferred_cstates' module parameter
    - intel_idle: Fix SPR C6 optimization
    - intel_idle: make SPR C1 and C1E be independent

* Fix speaker mute hotkey doesn't work on Dell G16 series (LP: #2003161)
    - platform/x86: dell-wmi: Add a keymap for KEY_MUTE in type 0x0010 table

* Fix the ACPI _CPC not found error from kernel dmesg on some dynamic SSDT
    table loaded firmwares (LP: #2006077)
    - ACPI: bus: Avoid using CPPC if not supported by firmware
    - ACPI: bus: Set CPPC _OSC bits for all and when CPPC_LIB is supported
    - ACPI: CPPC: Only probe for _CPC if CPPC v2 is acked

* rtcpie in timers from ubuntu_kernel_selftests randomly failing
    (LP: #1814234)
    - SAUCE: selftest: rtcpie: Force passing unreliable subtest

* Jammy update: v5.15.87 upstream stable release (LP: #2007441)
    - usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init
    - cifs: fix oops during encryption
    - nvme-pci: fix doorbell buffer value endianness
    - nvme-pci: fix mempool alloc size
    - nvme-pci: fix page size checks
    - ACPI: resource: do IRQ override on LENOVO IdeaPad
    - ACPI: resource: do IRQ override on XMG Core 15
    - ACPI: resource: do IRQ override on Lenovo 14ALC7
    - block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq
    - ata: ahci: Fix PCS quirk application for suspend
    - nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition
    - nvmet: don't defer passthrough commands with trivial effects to the
      workqueue
    - fs/ntfs3: Validate BOOT record_size
    - fs/ntfs3: Add overflow check for attribute size
    - fs/ntfs3: Validate data run offset
    - fs/ntfs3: Add null pointer check to attr_load_runs_vcn
    - fs/ntfs3: Fix memory leak on ntfs_fill_super() error path
    - fs/ntfs3: Add null pointer check for inode operations
    - fs/ntfs3: Validate attribute name offset
    - fs/ntfs3: Validate buffer length while parsing index
    - fs/ntfs3: Validate resident attribute name
    - fs/ntfs3: Fix slab-out-of-bounds read in run_unpack
    - soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15
    - fs/ntfs3: Validate index root when initialize NTFS security
    - fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init()
    - fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super()
    - fs/ntfs3: Delete duplicate condition in ntfs_read_mft()
    - fs/ntfs3: Fix slab-out-of-bounds in r_page
    - objtool: Fix SEGFAULT
    - powerpc/rtas: avoid device tree lookups in rtas_os_term()
    - powerpc/rtas: avoid scheduling in rtas_os_term()
    - HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint
    - HID: plantronics: Additional PIDs for double volume key presses quirk
    - pstore: Properly assign mem_type property
    - pstore/zone: Use GFP_ATOMIC to allocate zone buffer
    - hfsplus: fix bug causing custom uid and gid being unable to be assigned with
      mount
    - binfmt: Fix error return code in load_elf_fdpic_binary()
    - ovl: Use ovl mounter's fsuid and fsgid in ovl_link()
    - ALSA: line6: correct midi status byte when receiving data from podxt
    - ALSA: line6: fix stack overflow in line6_midi_transmit
    - pnode: terminate at peers of source
    - mfd: mt6360: Add bounds checking in Regmap read/write call-backs
    - md: fix a crash in mempool_free
    - mm, compaction: fix fast_isolate_around() to stay within boundaries
    - f2fs: should put a page when checking the summary info
    - f2fs: allow to read node block after shutdown
    - mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
    - tpm: acpi: Call acpi_put_table() to fix memory leak
    - tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak
    - tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak
    - SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
    - kcsan: Instrument memcpy/memset/memmove with newer Clang
    - ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio
    - ASoC/SoundWire: dai: expand 'stream' concept beyond SoundWire
    - rcu-tasks: Simplify trc_read_check_handler() atomic operations
    - net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO
    - net/af_packet: make sure to pull mac header
    - media: stv0288: use explicitly signed char
    - soc: qcom: Select REMAP_MMIO for LLCC driver
    - kest.pl: Fix grub2 menu handling for rebooting
    - ktest.pl minconfig: Unset configs instead of just removing them
    - jbd2: use the correct print format
    - perf/x86/intel/uncore: Disable I/O stacks to PMU mapping on ICX-D
    - perf/x86/intel/uncore: Clear attr_update properly
    - arm64: dts: qcom: sdm845-db845c: correct SPI2 pins drive strength
    - mmc: sdhci-sprd: Disable CLK_AUTO when the clock is less than 400K
    - btrfs: fix resolving backrefs for inline extent followed by prealloc
    - ARM: ux500: do not directly dereference __iomem
    - arm64: dts: qcom: sdm850-lenovo-yoga-c630: correct I2C12 pins drive strength
    - selftests: Use optional USERCFLAGS and USERLDFLAGS
    - PM/devfreq: governor: Add a private governor_data for governor
    - cpufreq: Init completion before kobject_init_and_add()
    - ALSA: patch_realtek: Fix Dell Inspiron Plus 16
    - ALSA: hda/realtek: Apply dual codec fixup for Dell Latitude laptops
    - fs: dlm: fix sock release if listen fails
    - fs: dlm: retry accept() until -EAGAIN or error returns
    - mptcp: mark ops structures as ro_after_init
    - mptcp: remove MPTCP 'ifdef' in TCP SYN cookies
    - dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort
    - dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata
    - dm thin: Use last transaction's pmd->root when commit failed
    - dm thin: resume even if in FAIL mode
    - dm thin: Fix UAF in run_timer_softirq()
    - dm integrity: Fix UAF in dm_integrity_dtr()
    - dm clone: Fix UAF in clone_dtr()
    - dm cache: Fix UAF in destroy()
    - dm cache: set needs_check flag after aborting metadata
    - tracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx'
    - perf/core: Call LSM hook after copying perf_event_attr
    - of/kexec: Fix reading 32-bit "linux,initrd-{start,end}" values
    - KVM: VMX: Resume guest immediately when injecting #GP on ECREATE
    - KVM: nVMX: Inject #GP, not #UD, if "generic" VMXON CR0/CR4 check fails
    - KVM: nVMX: Properly expose ENABLE_USR_WAIT_PAUSE control to L1
    - x86/microcode/intel: Do not retry microcode reloading on the APs
    - ftrace/x86: Add back ftrace_expected for ftrace bug reports
    - x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK
    - x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK
    - tracing: Fix race where eprobes can be called before the event
    - tracing: Fix complicated dependency of CONFIG_TRACER_MAX_TRACE
    - tracing/hist: Fix wrong return value in parse_action_params()
    - tracing/probes: Handle system names with hyphens
    - tracing: Fix infinite loop in tracing_read_pipe on overflowed
      print_trace_line
    - staging: media: tegra-video: fix chan->mipi value on error
    - staging: media: tegra-video: fix device_node use after free
    - ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod
    - media: dvb-core: Fix double free in dvb_register_device()
    - cifs: fix confusing debug message
    - cifs: fix missing display of three mount options
    - rtc: ds1347: fix value written to century register
    - block: mq-deadline: Do not break sequential write streams to zoned HDDs
    - md/bitmap: Fix bitmap chunk size overflow issues
    - efi: Add iMac Pro 2017 to uefi skip cert quirk
    - wifi: wilc1000: sdio: fix module autoloading
    - ASoC: jz4740-i2s: Handle independent FIFO flush bits
    - ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()
    - ipmi: fix long wait in unload when IPMI disconnect
    - mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type()
    - ima: Fix a potential NULL pointer access in ima_restore_measurement_list
    - ipmi: fix use after free in _ipmi_destroy_user()
    - PCI: Fix pci_device_is_present() for VFs by checking PF
    - PCI/sysfs: Fix double free in error path
    - riscv: stacktrace: Fixup ftrace_graph_ret_addr retp argument
    - riscv: mm: notify remote harts about mmu cache updates
    - crypto: n2 - add missing hash statesize
    - driver core: Fix bus_type.match() error handling in __driver_attach()
    - phy: qcom-qmp-combo: fix sc8180x reset
    - iommu/amd: Fix ivrs_acpihid cmdline parsing code
    - remoteproc: core: Do pm_relax when in RPROC_OFFLINE state
    - parisc: led: Fix potential null-ptr-deref in start_task()
    - device_cgroup: Roll back to original exceptions after copy failure
    - drm/connector: send hotplug uevent on connector cleanup
    - drm/vmwgfx: Validate the box size for the snooped cursor
    - drm/i915/dsi: fix VBT send packet port selection for dual link DSI
    - drm/ingenic: Fix missing platform_driver_unregister() call in
      ingenic_drm_init()
    - ext4: silence the warning when evicting inode with dioread_nolock
    - ext4: add inode table check in __ext4_get_inode_loc to aovid possible
      infinite loop
    - ext4: remove trailing newline from ext4_msg() message
    - fs: ext4: initialize fsdata in pagecache_write()
    - ext4: fix use-after-free in ext4_orphan_cleanup
    - ext4: fix undefined behavior in bit shift for ext4_check_flag_values
    - ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode
    - ext4: add helper to check quota inums
    - ext4: fix bug_on in __es_tree_search caused by bad quota inode
    - ext4: fix reserved cluster accounting in __es_remove_extent()
    - ext4: check and assert if marking an no_delete evicting inode dirty
    - ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
    - ext4: fix leaking uninitialized memory in fast-commit journal
    - ext4: fix uninititialized value in 'ext4_evict_inode'
    - ext4: init quota for 'old.inode' in 'ext4_rename'
    - ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline
    - ext4: fix error code return to user-space in ext4_get_branch()
    - ext4: avoid BUG_ON when creating xattrs
    - ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
    - ext4: fix inode leak in ext4_xattr_inode_create() on an error path
    - ext4: initialize quota before expanding inode in setproject ioctl
    - ext4: avoid unaccounted block allocation when expanding inode
    - ext4: allocate extended attribute value in vmalloc area
    - drm/amdgpu: handle polaris10/11 overlap asics (v2)
    - block: mq-deadline: Fix dd_finish_request() for zoned devices
    - tracing: Fix issue of missing one synthetic field
    - ext4: remove unused enum EXT4_FC_COMMIT_FAILED
    - ext4: use ext4_debug() instead of jbd_debug()
    - ext4: introduce EXT4_FC_TAG_BASE_LEN helper
    - ext4: factor out ext4_fc_get_tl()
    - ext4: fix potential out of bound read in ext4_fc_replay_scan()
    - ext4: disable fast-commit of encrypted dir operations
    - ext4: don't set up encryption key during jbd2 transaction
    - ext4: add missing validation of fast-commit record lengths
    - ext4: fix unaligned memory access in ext4_fc_reserve_space()
    - ext4: fix off-by-one errors in fast-commit block filling
    - ARM: renumber bits related to _TIF_WORK_MASK
    - phy: qcom-qmp-combo: fix out-of-bounds clock access
    - btrfs: replace strncpy() with strscpy()
    - btrfs: move missing device handling in a dedicate function
    - btrfs: fix extent map use-after-free when handling missing device in
      read_one_chunk
    - x86/mce: Get rid of msr_ops
    - x86/MCE/AMD: Clear DFR errors found in THR handler
    - media: s5p-mfc: Fix to handle reference queue during finishing
    - media: s5p-mfc: Clear workbit to handle error condition
    - media: s5p-mfc: Fix in register read and write for H264
    - perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor
    - perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged
      data
    - ravb: Fix "failed to switch device to config mode" message during unbind
    - ext4: goto right label 'failed_mount3a'
    - ext4: correct inconsistent error msg in nojournal mode
    - mbcache: automatically delete entries from cache on freeing
    - ext4: fix deadlock due to mbcache entry corruption
    - drm/i915/migrate: don't check the scratch page
    - drm/i915/migrate: fix offset calculation
    - drm/i915/migrate: fix length calculation
    - SUNRPC: ensure the matching upcall is in-flight upon downcall
    - btrfs: fix an error handling path in btrfs_defrag_leaves()
    - bpf: pull before calling skb_postpull_rcsum()
    - drm/panfrost: Fix GEM handle creation ref-counting
    - netfilter: nf_tables: consolidate set description
    - netfilter: nf_tables: add function to create set stateful expressions
    - netfilter: nf_tables: perform type checking for existing sets
    - vmxnet3: correctly report csum_level for encapsulated packet
    - netfilter: nf_tables: honor set timeout and garbage collection updates
    - veth: Fix race with AF_XDP exposing old or uninitialized descriptors
    - nfsd: shut down the NFSv4 state objects before the filecache
    - net: hns3: add interrupts re-initialization while doing VF FLR
    - net: hns3: refactor hns3_nic_reuse_page()
    - net: hns3: extract macro to simplify ring stats update code
    - net: hns3: fix miss L3E checking for rx packet
    - net: hns3: fix VF promisc mode not update when mac table full
    - net: sched: fix memory leak in tcindex_set_parms
    - qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure
    - net: dsa: mv88e6xxx: depend on PTP conditionally
    - nfc: Fix potential resource leaks
    - vdpa_sim: fix possible memory leak in vdpasim_net_init() and
      vdpasim_blk_init()
    - vhost/vsock: Fix error handling in vhost_vsock_init()
    - vringh: fix range used in iotlb_translate()
    - vhost: fix range used in translate_desc()
    - vdpa_sim: fix vringh initialization in vdpasim_queue_ready()
    - net/mlx5: E-Switch, properly handle ingress tagged packets on VST
    - net/mlx5: Add forgotten cleanup calls into mlx5_init_once() error path
    - net/mlx5: Avoid recovery in probe flows
    - net/mlx5e: IPoIB, Don't allow CQE compression to be turned on by default
    - net/mlx5e: TC, Refactor mlx5e_tc_add_flow_mod_hdr() to get flow attr
    - net/mlx5e: Always clear dest encap in neigh-update-del
    - net/mlx5e: Fix hw mtu initializing at XDP SQ allocation
    - net: amd-xgbe: add missed tasklet_kill
    - net: ena: Fix toeplitz initial hash value
    - net: ena: Don't register memory info on XDP exchange
    - net: ena: Account for the number of processed bytes in XDP
    - net: ena: Use bitmask to indicate packet redirection
    - net: ena: Fix rx_copybreak value update
    - net: ena: Set default value for RX interrupt moderation
    - net: ena: Update NUMA TPH hint register upon NUMA node update
    - net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe
    - RDMA/mlx5: Fix mlx5_ib_get_hw_stats when used for device
    - RDMA/mlx5: Fix validation of max_rd_atomic caps for DC
    - drm/meson: Reduce the FIFO lines held when AFBC is not used
    - filelock: new helper: vfs_inode_has_locks
    - ceph: switch to vfs_inode_has_locks() to fix file lock bug
    - gpio: sifive: Fix refcount leak in sifive_gpio_probe
    - net: sched: atm: dont intepret cls results when asked to drop
    - net: sched: cbq: dont intepret cls results when asked to drop
    - net: sparx5: Fix reading of the MAC address
    - netfilter: ipset: fix hash:net,port,net hang with /0 subnet
    - netfilter: ipset: Rework long task execution when adding/deleting entries
    - perf tools: Fix resources leak in perf_data__open_dir()
    - drm/imx: ipuv3-plane: Fix overlay plane width
    - fs/ntfs3: don't hold ni_lock when calling truncate_setsize()
    - drivers/net/bonding/bond_3ad: return when there's no aggregator
    - octeontx2-pf: Fix lmtst ID used in aura free
    - usb: rndis_host: Secure rndis_query check against int overflow
    - perf stat: Fix handling of --for-each-cgroup with --bpf-counters to match
      non BPF mode
    - drm/i915: unpin on error in intel_vgpu_shadow_mm_pin()
    - caif: fix memory leak in cfctrl_linkup_request()
    - udf: Fix extension of the last extent in the file
    - ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet
    - nvme: fix multipath crash caused by flush request when blktrace is enabled
    - io_uring: check for valid register opcode earlier
    - nvmet: use NVME_CMD_EFFECTS_CSUPP instead of open coding it
    - nvme: also return I/O command effects from nvme_command_effects
    - btrfs: check superblock to ensure the fs was not modified at thaw time
    - x86/kexec: Fix double-free of elf header buffer
    - nfsd: fix handling of readdir in v4root vs. mount upcall timeout
    - fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB
    - block: don't allow splitting of a REQ_NOWAIT bio
    - io_uring: fix CQ waiting timeout handling
    - thermal: int340x: Add missing attribute for data rate base
    - riscv: uaccess: fix type of 0 variable on error in get_user()
    - riscv, kprobes: Stricter c.jr/c.jalr decoding
    - drm/i915/gvt: fix gvt debugfs destroy
    - drm/i915/gvt: fix vgpu debugfs clean in remove
    - hfs/hfsplus: use WARN_ON for sanity check
    - hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
    - ksmbd: fix infinite loop in ksmbd_conn_handler_loop()
    - ksmbd: check nt_len to be at least CIFS_ENCPWD_SIZE in
      ksmbd_decode_ntlmssp_auth_blob
    - Revert "ACPI: PM: Add support for upcoming AMD uPEP HID AMDI007"
    - mptcp: dedicated request sock for subflow in v6
    - mptcp: use proper req destructor for IPv6
    - ext4: don't allow journal inode to have encrypt flag
    - selftests: set the BUILD variable to absolute path
    - btrfs: make thaw time super block check to also verify checksum
    - net: hns3: fix return value check bug of rx copybreak
    - mbcache: Avoid nesting of cache->c_list_lock under bit locks
    - efi: random: combine bootloader provided RNG seed with RNG protocol output
    - io_uring: Fix unsigned 'res' comparison with zero in io_fixup_rw_res()
    - drm/mgag200: Fix PLL setup for G200_SE_A rev >=4
    - Linux 5.15.87

* Jammy update: v5.15.87 upstream stable release (LP: #2007441) //
    CVE-2022-41218 is assigned to those bugs above.
    - media: dvb-core: Fix UAF due to refcount races at releasing

* RaptorLake: Fix the Screen is shaking by onboard HDMI port in mirror mode
    (LP: #1993561)
    - drm/i915/display: Drop check for doublescan mode in modevalid
    - drm/i915/display: Prune Interlace modes for Display >=12

* CVE-2023-0266 // CVE-2023-0266 was assigned for this issue.
    - ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF

* CVE-2022-4382
    - USB: gadgetfs: Fix race between mounting and unmounting

* CVE-2022-2196
    - KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS

* ubuntu_kernel_selftests: net:udpgso_bench.sh failed (LP: #1951447)
    - selftests: net: udpgso_bench: Fix racing bug between the rx/tx programs

* net:fcnal-test.sh didn't return a non-zero value even with some sub-tests
    failed (LP: #2006692)
    - selftests: net/fcnal-test.sh: add exit code

* LXD containers using shiftfs on ZFS or TMPFS broken on 5.15.0-48.54
    (LP: #1990849)
    - SAUCE: shiftfs: always rely on init_user_ns
    - [SAUCE] shiftfs: fix -EOVERFLOW inside the container

* Regression in ext4 during online resize (LP: #2003816)
    - ext4: fix bad checksum after online resize
    - ext4: fix corruption when online resizing a 1K bigalloc fs
    - SAUCE: Export ext4_superblock_csum function
    - ext4: fix corrupt backup group descriptors after online resize

* Jammy update: v5.15.86 upstream stable release (LP: #2005113)
    - usb: musb: remove extra check in musb_gadget_vbus_draw
    - arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins
    - arm64: dts: qcom: sm8250-sony-xperia-edo: fix touchscreen bias-disable
    - arm64: dts: qcom: msm8996: Add MSM8996 Pro support
    - arm64: dts: qcom: msm8996: fix supported-hw in cpufreq OPP tables
    - arm64: dts: qcom: msm8996: fix GPU OPP table
    - ARM: dts: qcom: apq8064: fix coresight compatible
    - arm64: dts: qcom: sdm630: fix UART1 pin bias
    - arm64: dts: qcom: sdm845-cheza: fix AP suspend pin bias
    - arm64: dts: qcom: msm8916: Drop MSS fallback compatible
    - objtool, kcsan: Add volatile read/write instrumentation to whitelist
    - ARM: dts: stm32: Drop stm32mp15xc.dtsi from Avenger96
    - ARM: dts: stm32: Fix AV96 WLAN regulator gpio property
    - drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
    - arm64: dts: qcom: pm660: Use unique ADC5_VCOIN address in node name
    - arm64: dts: qcom: sm8250: correct LPASS pin pull down
    - soc: qcom: llcc: make irq truly optional
    - arm64: dts: qcom: Correct QMP PHY child node name
    - arm64: dts: qcom: sm8150: fix UFS PHY registers
    - arm64: dts: qcom: sm8250: fix UFS PHY registers
    - arm64: dts: qcom: sm8350: fix UFS PHY registers
    - arm64: dts: qcom: sm8250: drop bogus DP PHY clock
    - soc: qcom: apr: make code more reuseable
    - soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index
    - arm64: dts: qcom: sm6125: fix SDHCI CQE reg names
    - arm: dts: spear600: Fix clcd interrupt
    - soc: ti: knav_qmss_queue: Use pm_runtime_resume_and_get instead of
      pm_runtime_get_sync
    - soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe
    - soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
    - arm64: Treat ESR_ELx as a 64-bit register
    - arm64: mm: kfence: only handle translation faults
    - perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init()
    - perf/arm_dmc620: Fix hotplug callback leak in dmc620_pmu_init()
    - perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()
    - arm64: dts: ti: k3-am65-main: Drop dma-coherent in crypto node
    - arm64: dts: ti: k3-j721e-main: Drop dma-coherent in crypto node
    - ARM: dts: nuvoton: Remove bogus unit addresses from fixed-partition nodes
    - arm64: dts: mt6779: Fix devicetree build warnings
    - arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators
    - arm64: dts: mt2712e: Fix unit address for pinctrl node
    - arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names
    - arm64: dts: mt2712-evb: Fix usb vbus regulators unit names
    - arm64: dts: mediatek: pumpkin-common: Fix devicetree warnings
    - arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name
    - ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
    - ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
    - ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
    - ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
    - ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
    - ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
    - ARM: dts: turris-omnia: Add ethernet aliases
    - ARM: dts: turris-omnia: Add switch port 6 node
    - arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC
    - seccomp: Move copy_seccomp() to no failure path.
    - pstore/ram: Fix error return code in ramoops_probe()
    - ARM: mmp: fix timer_read delay
    - pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
    - tpm/tpm_ftpm_tee: Fix error handling in ftpm_mod_init()
    - tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
    - ovl: store lower path in ovl_inode
    - ovl: use ovl_copy_{real,upper}attr() wrappers
    - ovl: remove privs in ovl_copyfile()
    - ovl: remove privs in ovl_fallocate()
    - sched/fair: Cleanup task_util and capacity type
    - sched/uclamp: Fix relationship between uclamp and migration margin
    - sched/uclamp: Make task_fits_capacity() use util_fits_cpu()
    - sched/uclamp: Make select_idle_capacity() use util_fits_cpu()
    - sched/fair: Removed useless update of p->recent_used_cpu
    - sched/core: Introduce sched_asym_cpucap_active()
    - sched/uclamp: Make asym_fits_capacity() use util_fits_cpu()
    - cpuidle: dt: Return the correct numbers of parsed idle states
    - alpha: fix TIF_NOTIFY_SIGNAL handling
    - alpha: fix syscall entry in !AUDUT_SYSCALL case
    - x86/sgx: Reduce delay and interference of enclave release
    - PM: hibernate: Fix mistake in kerneldoc comment
    - fs: don't audit the capability check in simple_xattr_list()
    - cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()
    - selftests/ftrace: event_triggers: wait longer for test_event_enable
    - perf: Fix possible memleak in pmu_dev_alloc()
    - lib/debugobjects: fix stat count and optimize debug_objects_mem_init
    - platform/x86: huawei-wmi: fix return value calculation
    - timerqueue: Use rb_entry_safe() in timerqueue_getnext()
    - proc: fixup uptime selftest
    - lib/fonts: fix undefined behavior in bit shift for get_default_font
    - ocfs2: fix memory leak in ocfs2_stack_glue_init()
    - MIPS: vpe-mt: fix possible memory leak while module exiting
    - MIPS: vpe-cmp: fix possible memory leak while module exiting
    - selftests/efivarfs: Add checking of the test return value
    - PNP: fix name memory leak in pnp_alloc_dev()
    - perf/x86/intel/uncore: Fix reference count leak in sad_cfg_iio_topology()
    - perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()
    - perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()
    - perf/x86/intel/uncore: Fix reference count leak in __uncore_imc_init_box()
    - platform/chrome: cros_usbpd_notify: Fix error handling in
      cros_usbpd_notify_init()
    - thermal: core: fix some possible name leaks in error paths
    - irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
    - irqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init()
    - EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()
    - SUNRPC: Return true/false (not 1/0) from bool functions
    - NFSD: Finish converting the NFSv2 GETACL result encoder
    - nfsd: don't call nfsd_file_put from client states seqfile display
    - genirq/irqdesc: Don't try to remove non-existing sysfs files
    - cpufreq: amd_freq_sensitivity: Add missing pci_dev_put()
    - libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
    - lib/notifier-error-inject: fix error when writing -errno to debugfs file
    - debugfs: fix error when writing negative value to atomic_t debugfs file
    - rapidio: fix possible name leaks when rio_add_device() fails
    - rapidio: rio: fix possible name leak in rio_register_mport()
    - clocksource/drivers/sh_cmt: Access registers according to spec
    - mips: ralink: mt7621: define MT7621_SYSC_BASE with __iomem
    - mips: ralink: mt7621: soc queries and tests as functions
    - mips: ralink: mt7621: do not use kzalloc too early
    - futex: Move to kernel/futex/
    - futex: Resend potentially swallowed owner death notification
    - cpu/hotplug: Make target_store() a nop when target == state
    - cpu/hotplug: Do not bail-out in DYING/STARTING sections
    - clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in
      dmtimer_systimer_init_clock()
    - ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
    - uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
    - x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()
    - x86/xen: Fix memory leak in xen_init_lock_cpu()
    - xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
    - PM: runtime: Do not call __rpm_callback() from rpm_idle()
    - platform/chrome: cros_ec_typec: Cleanup switch handle return paths
    - platform/chrome: cros_ec_typec: zero out stale pointers
    - platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
    - platform/x86: intel_scu_ipc: fix possible name leak in
      __intel_scu_ipc_register()
    - MIPS: BCM63xx: Add check for NULL for clk in clk_enable
    - MIPS: OCTEON: warn only once if deprecated link status is being used
    - lockd: set other missing fields when unlocking files
    - fs: sysv: Fix sysv_nblocks() returns wrong value
    - rapidio: fix possible UAF when kfifo_alloc() fails
    - eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD
    - relay: fix type mismatch when allocating memory in relay_create_buf()
    - hfs: Fix OOB Write in hfs_asc2mac
    - rapidio: devices: fix missing put_device in mport_cdev_open
    - platform/mellanox: mlxbf-pmc: Fix event typo
    - wifi: ath9k: hif_usb: fix memory leak of urbs in
      ath9k_hif_usb_dealloc_tx_urbs()
    - wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
    - wifi: rtl8xxxu: Fix reading the vendor of combo chips
    - drm/bridge: adv7533: remove dynamic lane switching from adv7533 bridge
    - libbpf: Fix use-after-free in btf_dump_name_dups
    - libbpf: Fix null-pointer dereference in find_prog_by_sec_insn()
    - ata: libata: move ata_{port,link,dev}_dbg to standard pr_XXX() macros
    - ata: add/use ata_taskfile::{error|status} fields
    - ata: libata: fix NCQ autosense logic
    - ipmi: kcs: Poll OBF briefly to reduce OBE latency
    - drm/amdgpu/powerplay/psm: Fix memory leak in power state init
    - media: v4l2-ctrls: Fix off-by-one error in integer menu control check
    - media: coda: jpeg: Add check for kmalloc
    - media: adv748x: afe: Select input port when initializing AFE
    - media: i2c: ad5820: Fix error path
    - venus: pm_helpers: Fix error check in vcodec_domains_get()
    - soreuseport: Fix socket selection for SO_INCOMING_CPU.
    - media: exynos4-is: don't rely on the v4l2_async_subdev internals
    - libbpf: Btf dedup identical struct test needs check for nested
      structs/arrays
    - can: kvaser_usb: do not increase tx statistics when sending error message
      frames
    - can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device
    - can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to
      {leaf,usbcan}_cmd_can_error_event
    - can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT
    - can: kvaser_usb_leaf: Set Warning state even without bus errors
    - can: kvaser_usb: make use of units.h in assignment of frequency
    - can: kvaser_usb_leaf: Fix improved state not being reported
    - can: kvaser_usb_leaf: Fix wrong CAN state after stopping
    - can: kvaser_usb_leaf: Fix bogus restart events
    - can: kvaser_usb: Add struct kvaser_usb_busparams
    - can: kvaser_usb: Compare requested bittiming parameters with actual
      parameters in do_set_{,data}_bittiming
    - drm/rockchip: lvds: fix PM usage counter unbalance in poweron
    - clk: renesas: r9a06g032: Repair grave increment error
    - spi: Update reference to struct spi_controller
    - drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure
    - drm/msm/hdmi: drop unused GPIO support
    - drm/msm/hdmi: use devres helper for runtime PM management
    - bpf: Fix slot type check in check_stack_write_var_off
    - media: vivid: fix compose size exceed boundary
    - media: platform: exynos4-is: fix return value check in fimc_md_probe()
    - bpf: propagate precision in ALU/ALU64 operations
    - bpf: Check the other end of slot_type for STACK_SPILL
    - bpf: propagate precision across all frames, not just the last one
    - clk: qcom: gcc-sm8250: Use retention mode for USB GDSCs
    - mtd: Fix device name leak when register device failed in add_mtd_device()
    - Input: joystick - fix Kconfig warning for JOYSTICK_ADC
    - wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port
    - media: camss: Clean up received buffers on failed start of streaming
    - net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write()
    - rxrpc: Fix ack.bufferSize to be 0 when generating an ack
    - bfq: fix waker_bfqq inconsistency crash
    - drm/radeon: Add the missed acpi_put_table() to fix memory leak
    - drm/mediatek: Modify dpi power on/off sequence.
    - ASoC: pxa: fix null-pointer dereference in filter()
    - libbpf: Fix uninitialized warning in btf_dump_dump_type_data
    - nvmet: only allocate a single slab for bvecs
    - regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
    - amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()
    - nvme: return err on nvme_init_non_mdts_limits fail
    - regulator: qcom-rpmh: Fix PMR735a S3 regulator spec
    - drm/fourcc: Add packed 10bit YUV 4:2:0 format
    - drm/fourcc: Fix vsub/hsub for Q410 and Q401
    - integrity: Fix memory leakage in keyring allocation error path
    - ima: Fix misuse of dereference of pointer in template_desc_init_fields()
    - block: clear ->slave_dir when dropping the main slave_dir reference
    - wifi: ath10k: Fix return value in ath10k_pci_init()
    - drm/msm/a6xx: Fix speed-bin detection vs probe-defer
    - mtd: lpddr2_nvm: Fix possible null-ptr-deref
    - Input: elants_i2c - properly handle the reset GPIO when power is off
    - media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init()
    - media: solo6x10: fix possible memory leak in solo_sysfs_init()
    - media: platform: exynos4-is: Fix error handling in fimc_md_init()
    - media: videobuf-dma-contig: use dma_mmap_coherent
    - inet: add READ_ONCE(sk->sk_bound_dev_if) in inet_csk_bind_conflict()
    - mtd: spi-nor: hide jedec_id sysfs attribute if not present
    - mtd: spi-nor: Fix the number of bytes for the dummy cycles
    - bpf: Move skb->len == 0 checks into __bpf_redirect
    - HID: hid-sensor-custom: set fixed size for custom attributes
    - pinctrl: k210: call of_node_put()
    - ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT
    - ALSA: seq: fix undefined behavior in bit shift for
      SNDRV_SEQ_FILTER_USE_EVENT
    - regulator: core: use kfree_const() to free space conditionally
    - clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
    - drm/amdgpu: fix pci device refcount leak
    - bonding: fix link recovery in mode 2 when updelay is nonzero
    - mtd: maps: pxa2xx-flash: fix memory leak in probe
    - drbd: remove call to memset before free device/resource/connection
    - drbd: destroy workqueue when drbd device was freed
    - ASoC: qcom: Add checks for devm_kcalloc
    - media: vimc: Fix wrong function called when vimc_init() fails
    - media: imon: fix a race condition in send_packet()
    - clk: imx8mn: rename vpu_pll to m7_alt_pll
    - clk: imx: replace osc_hdmi with dummy
    - clk: imx8mn: fix imx8mn_sai2_sels clocks list
    - clk: imx8mn: fix imx8mn_enet_phy_sels clocks list
    - pinctrl: pinconf-generic: add missing of_node_put()
    - media: dvb-core: Fix ignored return value in dvb_register_frontend()
    - media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
    - media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC
    - drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe()
    - ASoC: dt-bindings: wcd9335: fix reset line polarity in example
    - ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd
    - NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding
    - NFSv4.2: Fix a memory stomp in decode_attr_security_label
    - NFSv4.2: Fix initialisation of struct nfs4_label
    - NFSv4: Fix a credential leak in _nfs4_discover_trunking()
    - NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
    - NFS: Fix an Oops in nfs_d_automount()
    - ALSA: asihpi: fix missing pci_disable_device()
    - wifi: iwlwifi: mvm: fix double free on tx path.
    - ASoC: mediatek: mt8173: Fix debugfs registration for components
    - ASoC: mediatek: mt8173: Enable IRQ when pdata is ready
    - drm/amd/pm/smu11: BACO is supported when it's in BACO state
    - drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
    - drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
    - drm/amdkfd: Fix memory leakage
    - ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
    - netfilter: conntrack: set icmpv6 redirects as RELATED
    - Input: wistron_btns - disable on UML
    - bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
    - bpf, sockmap: Fix missing BPF_F_INGRESS flag when using apply_bytes
    - bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect
    - bonding: uninitialized variable in bond_miimon_inspect()
    - spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE
    - wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys()
      fails
    - mt76: stop the radar detector after leaving dfs channel
    - wifi: mt76: mt7921: fix reporting of TX AGGR histogram
    - wifi: mt76: fix coverity overrun-call in mt76_get_txpower()
    - regulator: core: fix module refcount leak in set_supply()
    - clk: qcom: lpass-sc7180: Fix pm_runtime usage
    - clk: qcom: clk-krait: fix wrong div2 functions
    - hsr: Add a rcu-read lock to hsr_forward_skb().
    - hsr: Avoid double remove of a node.
    - hsr: Disable netpoll.
    - hsr: Synchronize sending frames to have always incremented outgoing seq nr.
    - hsr: Synchronize sequence number updates.
    - configfs: fix possible memory leak in configfs_create_dir()
    - regulator: core: fix resource leak in regulator_register()
    - hwmon: (jc42) Convert register access and caching to regmap/regcache
    - hwmon: (jc42) Restore the min/max/critical temperatures on resume
    - bpf, sockmap: fix race in sock_map_free()
    - ALSA: pcm: Set missing stop_operating flag at undoing trigger start
    - media: saa7164: fix missing pci_disable_device()
    - ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
    - xprtrdma: Fix regbuf data not freed in rpcrdma_req_create()
    - SUNRPC: Fix missing release socket in rpc_sockname()
    - NFSv4.x: Fail client initialisation if state manager thread can't run
    - riscv, bpf: Emit fixed-length instructions for BPF_PSEUDO_FUNC
    - mmc: alcor: fix return value check of mmc_add_host()
    - mmc: moxart: fix return value check of mmc_add_host()
    - mmc: mxcmmc: fix return value check of mmc_add_host()
    - mmc: pxamci: fix return value check of mmc_add_host()
    - mmc: rtsx_pci: fix return value check of mmc_add_host()
    - mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
    - mmc: toshsd: fix return value check of mmc_add_host()
    - mmc: vub300: fix return value check of mmc_add_host()
    - mmc: wmt-sdmmc: fix return value check of mmc_add_host()
    - mmc: atmel-mci: fix return value check of mmc_add_host()
    - mmc: omap_hsmmc: fix return value check of mmc_add_host()
    - mmc: meson-gx: fix return value check of mmc_add_host()
    - mmc: via-sdmmc: fix return value check of mmc_add_host()
    - mmc: wbsd: fix return value check of mmc_add_host()
    - mmc: mmci: fix return value check of mmc_add_host()
    - mmc: renesas_sdhi: alway populate SCC pointer
    - memstick: ms_block: Add error handling support for add_disk()
    - memstick/ms_block: Add check for alloc_ordered_workqueue
    - mmc: core: Normalize the error handling branch in sd_read_ext_regs()
    - regulator: qcom-labibb: Fix missing of_node_put() in
      qcom_labibb_regulator_probe()
    - media: c8sectpfe: Add of_node_put() when breaking out of loop
    - media: coda: Add check for dcoda_iram_alloc
    - media: coda: Add check for kmalloc
    - clk: samsung: Fix memory leak in _samsung_clk_register_pll()
    - spi: spi-gpio: Don't set MOSI as an input if not 3WIRE mode
    - wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
    - wifi: rtl8xxxu: Fix the channel width reporting
    - wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
    - blktrace: Fix output non-blktrace event when blk_classic option enabled
    - bpf: Do not zero-extend kfunc return values
    - clk: socfpga: Fix memory leak in socfpga_gate_init()
    - net: vmw_vsock: vmci: Check memcpy_from_msg()
    - net: defxx: Fix missing err handling in dfx_init()
    - net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload()
    - net: stmmac: fix possible memory leak in stmmac_dvr_probe()
    - drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
    - of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry()
      and find_dup_cset_prop()
    - ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
    - net: farsync: Fix kmemleak when rmmods farsync
    - net/tunnel: wait until all sk_user_data reader finish before releasing the
      sock
    - net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave()
    - net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave()
    - net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave()
    - net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave()
    - hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
    - net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave()
    - af_unix: call proto_unregister() in the error path in af_unix_init()
    - net: amd-xgbe: Fix logic around active and passive cables
    - net: amd-xgbe: Check only the minimum speed for active/passive cables
    - can: tcan4x5x: Remove invalid write in clear_interrupts
    - can: m_can: Call the RAM init directly from m_can_chip_config
    - can: tcan4x5x: Fix use of register error status mask
    - net: lan9303: Fix read error execution path
    - ntb_netdev: Use dev_kfree_skb_any() in interrupt context
    - sctp: sysctl: make extra pointers netns aware
    - Bluetooth: MGMT: Fix error report for ADD_EXT_ADV_PARAMS
    - Bluetooth: btintel: Fix missing free skb in btintel_setup_combined()
    - Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
    - Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
    - Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave()
    - Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
    - Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
    - Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
    - Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
    - stmmac: fix potential division by 0
    - i40e: Fix the inability to attach XDP program on downed interface
    - net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error
      path
    - apparmor: fix a memleak in multi_transaction_new()
    - apparmor: fix lockdep warning when removing a namespace
    - apparmor: Fix abi check to include v8 abi
    - crypto: hisilicon/qm - fix missing destroy qp_idr
    - crypto: sun8i-ss - use dma_addr instead u32
    - crypto: nitrox - avoid double free on error path in nitrox_sriov_init()
    - scsi: core: Fix a race between scsi_done() and scsi_timeout()
    - apparmor: Use pointer to struct aa_label for lbs_cred
    - PCI: dwc: Fix n_fts[] array overrun
    - RDMA/core: Fix order of nldev_exit call
    - PCI: pci-epf-test: Register notifier if only core_init_notifier is enabled
    - f2fs: Fix the race condition of resize flag between resizefs
    - crypto: rockchip - do not do custom power management
    - crypto: rockchip - do not store mode globally
    - crypto: rockchip - add fallback for cipher
    - crypto: rockchip - add fallback for ahash
    - crypto: rockchip - better handle cipher key
    - crypto: rockchip - remove non-aligned handling
    - crypto: rockchip - rework by using crypto_engine
    - apparmor: Fix memleak in alloc_ns()
    - f2fs: fix to invalidate dcc->f2fs_issue_discard in error path
    - f2fs: fix normal discard process
    - f2fs: fix to destroy sbi->post_read_wq in error path of f2fs_fill_super()
    - RDMA/irdma: Report the correct link speed
    - scsi: qla2xxx: Fix set-but-not-used variable warnings
    - RDMA/siw: Fix immediate work request flush to completion queue
    - IB/mad: Don't call to function that might sleep while in atomic context
    - RDMA/restrack: Release MR restrack when delete
    - RDMA/core: Make sure "ib_port" is valid when access sysfs node
    - RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port
    - RDMA/siw: Set defined status for work completion with undefined status
    - scsi: scsi_debug: Fix a warning in resp_write_scat()
    - crypto: ccree - Remove debugfs when platform_driver_register failed
    - crypto: cryptd - Use request context instead of stack for sub-request
    - crypto: hisilicon/qm - add missing pci_dev_put() in q_num_set()
    - RDMA/hns: Repacing 'dseg_len' by macros in fill_ext_sge_inl_data()
    - RDMA/hns: Fix ext_sge num error when post send
    - PCI: Check for alloc failure in pci_request_irq()
    - RDMA/hfi: Decrease PCI device reference count in error path
    - crypto: ccree - Make cc_debugfs_global_fini() available for module init
      function
    - RDMA/hns: fix memory leak in hns_roce_alloc_mr()
    - RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create
      failed
    - dt-bindings: imx6q-pcie: Fix clock names for imx6sx and imx8mq
    - dt-bindings: visconti-pcie: Fix interrupts array max constraints
    - scsi: hpsa: Fix possible memory leak in hpsa_init_one()
    - crypto: tcrypt - Fix multibuffer skcipher speed test mem leak
    - padata: Always leave BHs disabled when running ->parallel()
    - padata: Fix list iterator in padata_do_serial()
    - scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
    - scsi: hpsa: Fix error handling in hpsa_add_sas_host()
    - scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
    - scsi: efct: Fix possible memleak in efct_device_init()
    - scsi: scsi_debug: Fix a warning in resp_verify()
    - scsi: scsi_debug: Fix a warning in resp_report_zones()
    - scsi: fcoe: Fix possible name leak when device_register() fails
    - scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper()
    - scsi: ipr: Fix WARNING in ipr_init()
    - scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
    - scsi: snic: Fix possible UAF in snic_tgt_create()
    - RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps()
    - f2fs: avoid victim selection from previous victim section
    - RDMA/nldev: Fix failure to send large messages
    - crypto: amlogic - Remove kcalloc without check
    - crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe()
    - riscv/mm: add arch hook arch_clear_hugepage_flags
    - RDMA/hfi1: Fix error return code in parse_platform_config()
    - RDMA/srp: Fix error return code in srp_parse_options()
    - PCI: mt7621: Rename mt7621_pci_ to mt7621_pcie_
    - PCI: mt7621: Add sentinel to quirks table
    - orangefs: Fix sysfs not cleanup when dev init failed
    - RDMA/hns: Fix AH attr queried by query_qp
    - RDMA/hns: Fix PBL page MTR find
    - RDMA/hns: Fix page size cap from firmware
    - RDMA/hns: Fix error code of CMD
    - crypto: img-hash - Fix variable dereferenced before check 'hdev->req'
    - hwrng: amd - Fix PCI device refcount leak
    - hwrng: geode - Fix PCI device refcount leak
    - IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
    - RISC-V: Align the shadow stack
    - drivers: dio: fix possible memory leak in dio_init()
    - serial: tegra: Read DMA status before terminating
    - serial: 8250_bcm7271: Fix error handling in brcmuart_init()
    - class: fix possible memory leak in __class_register()
    - vfio: platform: Do not pass return buffer to ACPI _RST method
    - uio: uio_dmem_genirq: Fix missing unlock in irq configuration
    - uio: uio_dmem_genirq: Fix deadlock between irq config and handling
    - usb: fotg210-udc: Fix ages old endianness issues
    - staging: vme_user: Fix possible UAF in tsi148_dma_list_add
    - usb: typec: Check for ops->exit instead of ops->enter in altmode_exit
    - usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()
    - usb: typec: tipd: Cleanup resources if devm_tps6598_psy_register fails
    - usb: typec: tipd: Fix spurious fwnode_handle_put in error path
    - extcon: usbc-tusb320: Add support for mode setting and reset
    - extcon: usbc-tusb320: Add support for TUSB320L
    - usb: typec: Factor out non-PD fwnode properties
    - extcon: usbc-tusb320: Factor out extcon into dedicated functions
    - extcon: usbc-tusb320: Add USB TYPE-C support
    - extcon: usbc-tusb320: Update state on probe even if no IRQ pending
    - serial: amba-pl011: avoid SBSA UART accessing DMACR register
    - serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle.
    - serial: stm32: move dma_request_chan() before clk_prepare_enable()
    - serial: pch: Fix PCI device refcount leak in pch_request_dma()
    - tty: serial: clean up stop-tx part in altera_uart_tx_chars()
    - tty: serial: altera_uart_{r,t}x_chars() need only uart_port
    - serial: altera_uart: fix locking in polling mode
    - serial: sunsab: Fix error handling in sunsab_init()
    - test_firmware: fix memory leak in test_firmware_init()
    - misc: ocxl: fix possible name leak in ocxl_file_register_afu()
    - ocxl: fix pci device refcount leak when calling get_function_0()
    - misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
    - misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault
      and gru_handle_user_call_os
    - firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()
    - cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
    - cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
    - iio: temperature: ltc2983: make bulk write buffer DMA-safe
    - iio: adis: handle devices that cannot unmask the drdy pin
    - iio: adis: stylistic changes
    - iio:imu:adis: Move exports into IIO_ADISLIB namespace
    - iio: adis: add '__adis_enable_irq()' implementation
    - counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update
    - coresight: trbe: remove cpuhp instance node before remove cpuhp state
    - usb: roles: fix of node refcount leak in usb_role_switch_is_parent()
    - usb: gadget: f_hid: fix f_hidg lifetime vs cdev
    - usb: gadget: f_hid: fix refcount leak on error path
    - drivers: mcb: fix resource leak in mcb_probe()
    - mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
    - chardev: fix error handling in cdev_device_add()
    - i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe
    - staging: rtl8192u: Fix use after free in ieee80211_rx()
    - staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()
    - vme: Fix error not catched in fake_init()
    - gpiolib: Get rid of redundant 'else'
    - gpiolib: cdev: fix NULL-pointer dereferences
    - gpiolib: make struct comments into real kernel docs
    - gpiolib: protect the GPIO device against being dropped while in use by user-
      space
    - i2c: mux: reg: check return value after calling platform_get_resource()
    - i2c: ismt: Fix an out-of-bounds bug in ismt_access()
    - usb: storage: Add check for kcalloc
    - tracing/hist: Fix issue of losting command info in error_log
    - ksmbd: Fix resource leak in ksmbd_session_rpc_open()
    - samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe()
    - thermal/drivers/imx8mm_thermal: Validate temperature range
    - thermal/drivers/qcom/temp-alarm: Fix inaccurate warning for gen2
    - thermal/drivers/qcom/lmh: Fix irq handler return value
    - fbdev: ssd1307fb: Drop optional dependency
    - fbdev: pm2fb: fix missing pci_disable_device()
    - fbdev: via: Fix error in via_core_init()
    - fbdev: vermilion: decrease reference count in error path
    - fbdev: ep93xx-fb: Add missing clk_disable_unprepare in ep93xxfb_probe()
    - fbdev: geode: don't build on UML
    - fbdev: uvesafb: don't build on UML
    - fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
    - HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
    - HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
    - power: supply: fix residue sysfs file in error handle route of
      __power_supply_register()
    - perf trace: Return error if a system call doesn't exist
    - perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number
    - perf trace: Handle failure when trace point folder is missed
    - perf symbol: correction while adjusting symbol
    - power: supply: z2_battery: Fix possible memleak in z2_batt_probe()
    - HSI: omap_ssi_core: Fix error handling in ssi_init()
    - power: supply: ab8500: Fix error handling in ab8500_charger_init()
    - power: supply: fix null pointer dereferencing in
      power_supply_get_battery_info
    - perf stat: Refactor __run_perf_stat() common code
    - perf stat: Do not delay the workload with --delay
    - RDMA/siw: Fix pointer cast warning
    - fs/ntfs3: Avoid UBSAN error on true_sectors_per_clst()
    - overflow: Implement size_t saturating arithmetic helpers
    - fs/ntfs3: Harden against integer overflows
    - iommu/sun50i: Fix reset release
    - iommu/sun50i: Consider all fault sources for reset
    - iommu/sun50i: Fix R/W permission check
    - iommu/sun50i: Fix flush size
    - iommu/rockchip: fix permission bits in page table entries v2
    - phy: usb: s2 WoL wakeup_count not incremented for USB->Eth devices
    - include/uapi/linux/swab: Fix potentially missing __always_inline
    - pwm: tegra: Improve required rate calculation
    - fs/ntfs3: Fix slab-out-of-bounds read in ntfs_trim_fs
    - dmaengine: idxd: Fix crc_val field for completion record
    - rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0
    - rtc: cmos: Fix event handler registration ordering issue
    - rtc: cmos: Fix wake alarm breakage
    - rtc: cmos: fix build on non-ACPI platforms
    - rtc: cmos: Call cmos_wake_setup() from cmos_do_probe()
    - rtc: cmos: Call rtc_wake_setup() from cmos_do_probe()
    - rtc: cmos: Eliminate forward declarations of some functions
    - rtc: cmos: Rename ACPI-related functions
    - rtc: cmos: Disable ACPI RTC event on removal
    - rtc: snvs: Allow a time difference on clock register read
    - rtc: pcf85063: Fix reading alarm
    - iommu/amd: Fix pci device refcount leak in ppr_notifier()
    - iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
    - macintosh: fix possible memory leak in macio_add_one_device()
    - macintosh/macio-adb: check the return value of ioremap()
    - powerpc/52xx: Fix a resource leak in an error handling path
    - cxl: Fix refcount leak in cxl_calc_capp_routing
    - powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds
    - powerpc/xive: add missing iounmap() in error path in
      xive_spapr_populate_irq_data()
    - powerpc/perf: callchain validate kernel stack pointer bounds
    - powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in
      of_fsl_spi_probe()
    - powerpc/hv-gpci: Fix hv_gpci event list
    - selftests/powerpc: Fix resource leaks
    - iommu/sun50i: Remove IOMMU_DOMAIN_IDENTITY
    - pwm: sifive: Call pwm_sifive_update_clock() while mutex is held
    - pwm: mtk-disp: Fix the parameters calculated by the enabled flag of disp_pwm
    - pwm: mediatek: always use bus clock for PWM on MT7622
    - remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()
    - remoteproc: qcom: q6v5: Fix potential null-ptr-deref in
      q6v5_wcss_init_mmio()
    - remoteproc: qcom_q6v5_pas: disable wakeup on probe fail or remove
    - remoteproc: qcom_q6v5_pas: detach power domains on remove
    - remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in
      adsp_alloc_memory_region()
    - remoteproc: qcom: q6v5: Fix missing clk_disable_unprepare() in
      q6v5_wcss_qcs404_power_on()
    - powerpc/eeh: Drop redundant spinlock initialization
    - powerpc/pseries/eeh: use correct API for error log size
    - mfd: bd957x: Fix Kconfig dependency on REGMAP_IRQ
    - mfd: qcom_rpm: Fix an error handling path in qcom_rpm_probe()
    - mfd: pm8008: Remove driver data structure pm8008_data
    - mfd: pm8008: Fix return value check in pm8008_probe()
    - netfilter: flowtable: really fix NAT IPv6 offload
    - rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
    - rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe()
    - rtc: pcf85063: fix pcf85063_clkout_control
    - nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
    - net: macsec: fix net device access prior to holding a lock
    - mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under
      spin_lock_irqsave()
    - mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under
      spin_lock_irqsave()
    - mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under
      spin_lock_irqsave()
    - block, bfq: fix possible uaf for 'bfqq->bic'
    - net: enetc: avoid buffer leaks on xdp_do_redirect() failure
    - nfc: pn533: Clear nfc_target before being used
    - unix: Fix race in SOCK_SEQPACKET's unix_dgram_sendmsg()
    - r6040: Fix kmemleak in probe and remove
    - igc: Enhance Qbv scheduling by using first flag bit
    - igc: Use strict cycles for Qbv scheduling
    - igc: Add checking for basetime less than zero
    - igc: allow BaseTime 0 enrollment for Qbv
    - igc: recalculate Qbv end_time by considering cycle time
    - igc: Lift TAPRIO schedule restriction
    - igc: Set Qbv start_time and end_time to end_time if not being configured in
      GCL
    - rtc: mxc_v2: Add missing clk_disable_unprepare()
    - selftests: devlink: fix the fd redirect in dummy_reporter_test
    - openvswitch: Fix flow lookup to use unmasked key
    - soc: mediatek: pm-domains: Fix the power glitch issue
    - arm64: dts: mt8183: Fix Mali GPU clock
    - skbuff: Account for tail adjustment during pull operations
    - mailbox: mpfs: read the system controller's status
    - mailbox: arm_mhuv2: Fix return value check in mhuv2_probe()
    - mailbox: zynq-ipi: fix error handling while device_register() fails
    - net_sched: reject TCF_EM_SIMPLE case for complex ematch module
    - rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
    - myri10ge: Fix an error handling path in myri10ge_probe()
    - net: stream: purge sk_error_queue in sk_stream_kill_queues()
    - HID: amd_sfh: Add missing check for dma_alloc_coherent
    - rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state()
    - arm64: make is_ttbrX_addr() noinstr-safe
    - video: hyperv_fb: Avoid taking busy spinlock on panic path
    - x86/hyperv: Remove unregister syscore call from Hyper-V cleanup
    - binfmt_misc: fix shift-out-of-bounds in check_special_flags
    - fs: jfs: fix shift-out-of-bounds in dbAllocAG
    - udf: Avoid double brelse() in udf_rename()
    - jfs: Fix fortify moan in symlink
    - fs: jfs: fix shift-out-of-bounds in dbDiscardAG
    - ACPICA: Fix error code path in acpi_ds_call_control_method()
    - nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
    - nilfs2: fix shift-out-of-bounds due to too large exponent of block size
    - acct: fix potential integer overflow in encode_comp_t()
    - hfs: fix OOB Read in __hfs_brec_find
    - drm/etnaviv: add missing quirks for GC300
    - media: imx-jpeg: Disable useless interrupt to avoid kernel panic
    - brcmfmac: return error when getting invalid max_flowrings from dongle
    - wifi: ath9k: verify the expected usb_endpoints are present
    - wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
    - ASoC: codecs: rt298: Add quirk for KBL-R RVP platform
    - ipmi: fix memleak when unload ipmi driver
    - drm/amd/display: prevent memory leak
    - Revert "drm/amd/display: Limit max DSC target bpp for specific monitors"
    - qed (gcc13): use u16 for fid to be big enough
    - bpf: make sure skb->len != 0 when redirecting to a tunneling device
    - net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
    - hamradio: baycom_epp: Fix return type of baycom_send_packet()
    - wifi: brcmfmac: Fix potential shift-out-of-bounds in
      brcmf_fw_alloc_request()
    - igb: Do not free q_vector unless new one was allocated
    - drm/amdgpu: Fix type of second parameter in trans_msg() callback
    - drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback
    - s390/ctcm: Fix return type of ctc{mp,}m_tx()
    - s390/netiucv: Fix return type of netiucv_tx()
    - s390/lcs: Fix return type of lcs_start_xmit()
    - drm/msm: Use drm_mode_copy()
    - drm/rockchip: Use drm_mode_copy()
    - drm/sti: Use drm_mode_copy()
    - drm/mediatek: Fix return type of mtk_hdmi_bridge_mode_valid()
    - drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()
    - md/raid1: stop mdx_raid1 thread when raid1 array run failed
    - drm/amd/display: fix array index out of bound error in bios parser
    - net: add atomic_long_t to net_device_stats fields
    - ipv6/sit: use DEV_STATS_INC() to avoid data-races
    - mrp: introduce active flags to prevent UAF when applicant uninit
    - ppp: associate skb with a device at tx
    - bpf: Prevent decl_tag from being referenced in func_proto arg
    - ethtool: avoiding integer overflow in ethtool_phys_id()
    - media: dvb-frontends: fix leak of memory fw
    - media: dvbdev: adopts refcnt to avoid UAF
    - media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
    - blk-mq: fix possible memleak when register 'hctx' failed
    - drm/amd/display: Use the largest vready_offset in pipe group
    - libbpf: Avoid enum forward-declarations in public API in C++ mode
    - regulator: core: fix use_count leakage when handling boot-on
    - wifi: mt76: do not run mt76u_status_worker if the device is not running
    - mmc: f-sdh30: Add quirks for broken timeout clock capability
    - mmc: renesas_sdhi: better reset from HS400 mode
    - media: si470x: Fix use-after-free in si470x_int_in_callback()
    - clk: st: Fix memory leak in st_of_quadfs_setup()
    - crypto: hisilicon/hpre - fix resource leak in remove process
    - scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs
    - scsi: ufs: Reduce the START STOP UNIT timeout
    - scsi: elx: libefc: Fix second parameter type in state callbacks
    - hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
    - drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
    - drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
    - orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
    - orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()
    - tools/include: Add _RET_IP_ and math definitions to kernel.h
    - KVM: selftests: Fix build regression by using accessor function
    - hwmon: (jc42) Fix missing unlock on error in jc42_write()
    - ALSA/ASoC: hda: move/rename snd_hdac_ext_stop_streams to hdac_stream.c
    - ALSA: hda: add snd_hdac_stop_streams() helper
    - ASoC: Intel: Skylake: Fix driver hang during shutdown
    - ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in
      mt8173_rt5650_rt5514_dev_probe()
    - ASoC: audio-graph-card: fix refcount leak of cpu_ep in
      __graph_for_each_link()
    - ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in
      rockchip_pdm_runtime_resume()
    - ASoC: mediatek: mt8183: fix refcount leak in
      mt8183_mt6358_ts3a227_max98357_dev_probe()
    - ASoC: wm8994: Fix potential deadlock
    - ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in
      rk_spdif_runtime_resume()
    - ASoC: rt5670: Remove unbalanced pm_runtime_put()
    - drm/i915/display: Don't disable DDI/Transcoder when setting phy test pattern
    - LoadPin: Ignore the "contents" argument of the LSM hooks
    - pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion
    - perf debug: Set debug_peo_args and redirect_to_stderr variable to correct
      values in perf_quiet_option()
    - afs: Fix lost servers_outstanding count
    - pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES
    - ALSA: usb-audio: add the quirk for KT0206 device
    - ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB
    - ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list
    - usb: cdnsp: fix lack of ZLP for ep0
    - usb: xhci-mtk: fix leakage of shared hcd when fail to set wakeup irq
    - arm64: dts: qcom: sm8250: fix USB-DP PHY registers
    - usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode
    - usb: dwc3: core: defer probe on ulpi_read_id timeout
    - xhci: Prevent infinite loop in transaction errors recovery for streams
    - HID: wacom: Ensure bootloader PID is usable in hidraw mode
    - HID: mcp2221: don't connect hidraw
    - loop: Fix the max_loop commandline argument treatment when it is set to 0
    - 9p: set req refcount to zero to avoid uninitialized usage
    - security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6
    - reiserfs: Add missing calls to reiserfs_security_free()
    - iio: fix memory leak in iio_device_register_eventset()
    - iio: adc: ad_sigma_delta: do not use internal iio_dev lock
    - iio: adc128s052: add proper .data members in adc128_of_match table
    - regulator: core: fix deadlock on regulator enable
    - floppy: Fix memory leak in do_floppy_init()
    - gcov: add support for checksum field
    - fbdev: fbcon: release buffer when fbcon_do_set_font() failed
    - ovl: fix use inode directly in rcu-walk mode
    - btrfs: do not BUG_ON() on ENOMEM when dropping extent items for a range
    - scsi: qla2xxx: Fix crash when I/O abort times out
    - net: stmmac: fix errno when create_singlethread_workqueue() fails
    - media: dvbdev: fix build warning due to comments
    - media: dvbdev: fix refcnt bug
    - extcon: usbc-tusb320: Call the Type-C IRQ handler only if a port is
      registered
    - mfd: qcom_rpm: Use devm_of_platform_populate() to simplify code
    - pwm: tegra: Fix 32 bit build
    - Linux 5.15.86

* Screen freeze after resuming from suspend (nvme0: I/O timeout)
    (LP: #1996048) // Jammy update: v5.15.86 upstream stable release
    (LP: #2005113)
    - PCI: vmd: Disable MSI remapping after suspend

* CVE-2023-23559
    - wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid

* CVE-2023-0045
    - x86/bugs: Flush IBP in ib_prctl_set()

-- Kleber Sacilotto de Souza <kleber.souza@canonical.com>  Fri, 17 Mar 2023 17:56:55 +0100

Changed in linux (Ubuntu Jammy):
status:	Fix Committed → Fix Released

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-03-30:

#18

This bug is awaiting verification that the linux-azure/5.15.0-1036.43 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-azure verification-needed-jammy
removed: verification-done-jammy

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-03-30:

#19

This bug is awaiting verification that the linux-aws/5.15.0-1034.38 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-aws

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-05-10:

#20

This bug is awaiting verification that the linux-xilinx-zynqmp/5.15.0-1021.25 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-xilinx-zynqmp

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-09-09:

#21

This bug is awaiting verification that the linux-aws-5.15/5.15.0-1046.51~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-aws-5.15' to 'verification-done-focal-linux-aws-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-aws-5.15' to 'verification-failed-focal-linux-aws-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-aws-5.15-v2 verification-needed-focal-linux-aws-5.15

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2024-03-01:

#22

This bug is awaiting verification that the linux-mtk/5.15.0-1030.34 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-mtk' to 'verification-done-jammy-linux-mtk'. If the problem still exists, change the tag 'verification-needed-jammy-linux-mtk' to 'verification-failed-jammy-linux-mtk'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-jammy-linux-mtk-v2 verification-needed-jammy-linux-mtk

Ubuntu
linux package

Ubuntu 22.04 kernel 5.15.0-46-generic leaks kernel memory in kmalloc-2k slabs

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

	Status	Importance	Assigned to
linux (Ubuntu)	In Progress	Medium	Matthew Ruffell
Jammy	Fix Released	Medium	Matthew Ruffell
Kinetic	Fix Released	Medium	Matthew Ruffell

Ubuntulinux package

Ubuntu 22.04 kernel 5.15.0-46-generic leaks kernel memory in kmalloc-2k slabs

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
linux package