[ubuntu/jammy-proposed] linux-gke 5.15.0-1096.102 (Accepted)
Andy Whitcroft
apw at canonical.com
Tue Jan 27 16:40:34 UTC 2026
linux-gke (5.15.0-1096.102) jammy; urgency=medium
* jammy/linux-gke: 5.15.0-1096.102 -proposed tracker (LP: #2137785)
[ Ubuntu: 5.15.0-170.180 ]
* jammy/linux: 5.15.0-170.180 -proposed tracker (LP: #2137825)
* ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)
- SAUCE increase socat timeout in gre_gso.sh
* CVE-2025-40256
- xfrm: also call xfrm_state_delete_tunnel at destroy time for states that
were never added
* CVE-2025-40215
- xfrm: delete x->tunnel as we delete x
* CVE-2025-38248
- bridge: mcast: Fix use-after-free during router port configuration
* selftests: net: veth: fix compatibility with older ethtool versions
(LP: #2136734)
- SAUCE: selftests: net: veth: use short form gro for ethtool -K
- SAUCE: selftests: net: veth: accept 0 for unsupported combined channels
* veth.sh from ubuntu_kselftests_net failed on J-5.15 / N-6.8 (with xdp
attached - gro flag) (LP: #2065369)
- selftests: net: veth: test the ability to independently manipulate GRO
and XDP
* Jammy update: v5.15.196 upstream stable release (LP: #2134182)
- r8152: add error handling in rtl8152_driver_init
- jbd2: ensure that all ongoing I/O complete before freeing blocks
- btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already
running
- media: s5p-mfc: remove an unused/uninitialized variable
- media: rc: Directly use ida_free()
- media: lirc: Fix error handling in lirc_register()
- blk-crypto: fix missing blktrace bio split events
- drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in
functions
- drm/exynos: exynos7_drm_decon: properly clear channels during bind
- drm/exynos: exynos7_drm_decon: remove ctx->suspended
- crypto: rockchip - Fix dma_unmap_sg() nents value
- cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay
- HID: multitouch: fix sticky fingers
- dax: skip read lock assertion for read-only filesystems
- can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()
- net: dlink: handle dma_map_single() failure properly
- doc: fix seg6_flowlabel path
- r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H
- amd-xgbe: Avoid spurious link down messages during interface toggle
- tcp: fix tcp_tso_should_defer() vs large RTT
- tg3: prevent use of uninitialized remote_adv and local_adv variables
- splice, net: Add a splice_eof op to file-ops and socket-ops
- net: tls: wait for async completion on last message
- tls: wait for async encrypt in case of error during latter iterations of
sendmsg
- tls: always set record_type in tls_process_cmsg
- tls: don't rely on tx_work during send()
- net: usb: use eth_hw_addr_set() instead of ether_addr_copy()
- net: usb: lan78xx: Add error handling to lan78xx_init_mac_address
- net: usb: lan78xx: fix use of improperly initialized dev->chipid in
lan78xx_reset
- riscv: kprobes: Fix probe address validation
- drm/amd/powerplay: Fix CIK shutdown temperature
- sched/balancing: Rename newidle_balance() => sched_balance_newidle()
- sched/fair: Fix pelt lost idle time detection
- ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings
- PCI/sysfs: Ensure devices are powered for config reads (part 2)
- exec: Fix incorrect type for ret
- nios2: ensure that memblock.current_limit is set when setting pfn limits
- hfs: clear offset and space out of valid records in b-tree node
- hfs: make proper initalization of struct hfs_find_data
- hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
- hfs: validate record offset in hfsplus_bmap_alloc
- hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
- dlm: check for defined force value in dlm_lockspace_release
- hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
- hfsplus: return EIO when type of hidden directory mismatch in
hfsplus_fill_super()
- m68k: bitops: Fix find_*_bit() signatures
- net: rtnetlink: add helper to extract msg type's kind
- net: rtnetlink: use BIT for flag values
- net: netlink: add NLM_F_BULK delete request modifier
- net: rtnetlink: add bulk delete support flag
- net: add ndo_fdb_del_bulk
- net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del
- rtnetlink: Allow deleting FDB entries in user namespace
- net: enetc: correct the value of ENETC_RXB_TRUESIZE
- dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path
- arm64, mm: avoid always making PTE dirty in pte_mkwrite()
- sctp: avoid NULL dereference when chunk data buffer is missing
- net: bonding: fix possible peer notify event loss or dup issue
- Revert "cpuidle: menu: Avoid discarding useful information"
- MIPS: Malta: Fix keyboard resource preventing i8042 driver from
registering
- ocfs2: clear extent cache after moving/defragmenting extents
- vsock: fix lock inversion in vsock_assign_transport()
- net: usb: rtl8150: Fix frame padding
- net: ravb: Ensure memory write completes before ringing TX doorbell
- USB: serial: option: add UNISOC UIS7720
- USB: serial: option: add Quectel RG255C
- USB: serial: option: add Telit FN920C04 ECM compositions
- usb/core/quirks: Add Huawei ME906S to wakeup quirk
- usb: raw-gadget: do not limit transfer length
- xhci: dbc: enable back DbC in resume if it was enabled before suspend
- binder: remove "invalid inc weak" check
- mei: me: add wildcat lake P DID
- most: usb: Fix use-after-free in hdm_disconnect
- most: usb: hdm_probe: Fix calling put_device() before device
initialization
- serial: 8250_exar: add support for Advantech 2 port card with Device ID
0x0018
- arm64: cputype: Add Neoverse-V3AE definitions
- arm64: errata: Apply workarounds for Neoverse-V3AE
- s390/cio: Update purge function to unregister the unused subchannels
- xfs: rename the old_crc variable in xlog_recover_process
- xfs: fix log CRC mismatches between i386 and other architectures
- NFSD: Rework encoding and decoding of nfsd4_deviceid
- NFSD: Minor cleanup in layoutcommit processing
- NFSD: Fix last write offset handling in layoutcommit
- iio: imu: inv_icm42600: use = { } instead of memset()
- iio: imu: inv_icm42600: Avoid configuring if already pm_runtime
suspended
- PM: runtime: Add new devm functions
- iio: imu: inv_icm42600: Simplify pm_runtime setup
- padata: Reset next CPU when reorder sequence wraps around
- fuse: allocate ff->release_args only if release is needed
- fuse: fix livelock in synchronous file put from fuseblk workers
- PCI: j721e: Enable ACSPCIE Refclk if "ti,syscon-acspcie-proxy-ctrl"
exists
- PCI: j721e: Fix programming sequence of "strap" settings
- wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again
- PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock
- drm/amdgpu: use atomic functions with memory barriers for vm fault info
- f2fs: fix wrong block mapping for multi-devices
- PCI: tegra194: Handle errors in BPMP response
- PCI: rcar: Finish transition to L1 state in rcar_pcie_config_access()
- PCI: rcar-host: Drop PMSR spinlock
- PCI: tegra194: Reset BARs when running in PCIe endpoint mode
- devcoredump: Fix circular locking dependency with devcd->mutex.
- xfs: always warn about deprecated mount options
- arch_topology: Fix incorrect error check in
topology_parse_cpu_capacity()
- usb: gadget: Store endpoint pointer in usb_request
- usb: gadget: Introduce free_usb_request helper
- net: rtnetlink: fix module reference count leak issue in
rtnetlink_rcv_msg
- PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()
- Linux 5.15.196
* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40094
- usb: gadget: f_acm: Refactor bind path to use __free()
* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40092
- usb: gadget: f_ncm: Refactor bind path to use __free()
* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40087
- NFSD: Define a proc_layoutcommit for the FlexFiles layout type
* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40105
- vfs: Don't leak disconnected dentries on umount
* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40106
- comedi: fix divide-by-zero in comedi_buf_munge()
* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40088
- hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40085
- ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card
* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40173
- net/ip6_tunnel: Prevent perpetual tunnel growth
* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40167
- ext4: detect invalid INLINE_DATA + EXTENTS flag combination
* Jammy update: v5.15.195 upstream stable release (LP: #2133909)
- iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support
- KVM: arm64: Fix softirq masking in FPSIMD register saving sequence
- media: tunner: xc5000: Refactor firmware load
- USB: serial: option: add SIMCom 8230C compositions
- wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188
- dm-integrity: limit MAX_TAG_SIZE to 255
- perf subcmd: avoid crash in exclude_cmds when excludes is empty
- hid: fix I2C read buffer overflow in raw_event() for mcp2221
- serial: stm32: allow selecting console when the driver is module
- staging: axis-fifo: fix maximum TX packet length check
- staging: axis-fifo: flush RX FIFO on read errors
- driver core/PM: Set power.no_callbacks along with power.no_pm
- minmax: add in_range() macro
- filelock: add FL_RECLAIM to show_fl_flags() macro
- selftests: arm64: Check fread return value in exec_target
- coresight: trbe: Prevent overflow in PERF_IDX2OFF()
- x86/vdso: Fix output operand size of RDPID
- regmap: Remove superfluous check for !config in __regmap_init()
- libbpf: Fix reuse of DEVMAP
- cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()
- ACPI: processor: idle: Fix memory leak when register cpuidle device
failed
- soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS
- pinctrl: meson-gxl: add missing i2c_d pinmux
- ARM: at91: pm: fix MCKx restore routine
- regulator: scmi: Use int type to store negative error codes
- block: use int to store blk_stack_limits() return value
- PM: sleep: core: Clear power.must_resume in noirq suspend error path
- pinctrl: renesas: Use int type to store negative error codes
- firmware: firmware: meson-sm: fix compile-test default
- arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible
- pwm: tiehrpwm: Fix corner case in clock divisor calculation
- i3c: master: svc: Recycle unused IBI slot
- selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported
- smp: Fix up and expand the smp_call_function_many() kerneldoc
- tools/nolibc: make time_t robust if __kernel_old_time_t is missing in
host headers
- thermal/drivers/qcom: Make LMH select QCOM_SCM
- thermal/drivers/qcom/lmh: Add missing IRQ includes
- i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD
- i2c: designware: Add disabling clocks when probe fails
- drm/radeon/r600_cs: clean up of dead code in r600_cs
- scsi: myrs: Fix dma_alloc_coherent() error check
- media: rj54n1cb0c: Fix memleak in rj54n1_probe()
- ALSA: lx_core: use int type to store negative error codes
- drm/amdgpu: Power up UVD 3 for FW validation (v2)
- wifi: mwifiex: send world regulatory domain to driver
- PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation
- tcp: fix __tcp_close() to only send RST when required
- drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()
- usb: phy: twl6030: Fix incorrect type for ret
- usb: gadget: configfs: Correctly set use_os_string at bind
- misc: genwqe: Fix incorrect cmd field being reported in error
- ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping
- iio: consumers: Fix offset handling in iio_convert_raw_to_processed()
- netfilter: ipset: Remove unused htable_bits in macro ahash_region
- watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the
watchdog
- drivers/base/node: handle error properly in register_one_node()
- RDMA/cm: Rate limit destroy CM ID timeout error message
- wifi: mt76: fix potential memory leak in mt76_wmac_probe()
- ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message
- scsi: qla2xxx: edif: Fix incorrect sign of error code
- scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()
- Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems
Running"
- RDMA/core: Resolve MAC of next-hop device without ARP support
- IB/sa: Fix sa_local_svc_timeout_ms read race
- Documentation: trace: historgram-design: Separate sched_waking histogram
section heading and the following diagram
- wifi: ath10k: avoid unnecessary wait for service ready message
- sparc: fix accurate exception reporting in copy_to_user for Niagara 4
- sparc: fix accurate exception reporting in copy_{from,to}_user for M7
- remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice
- NFSv4.1: fix backchannel max_resp_sz verification check
- usb: vhci-hcd: Prevent suspending virtually attached devices
- RDMA/siw: Always report immediate post SQ errors
- Bluetooth: MGMT: Fix not exposing debug UUID on
MGMT_OP_READ_EXP_FEATURES_INFO
- drivers/base/node: fix double free in register_one_node()
- nfp: fix RSS hash key size when RSS is not supported
- net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not
configurable
- Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set"
- mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()
- ext4: fix checks for orphan inodes
- nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()
- Input: atmel_mxt_ts - allow reset GPIO to sleep
- usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call
- fs: always return zero on success from replace_fd()
- clocksource/drivers/clps711x: Fix resource leaks in error paths
- iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE
- perf evsel: Avoid container_of on a NULL leader
- libperf event: Ensure tracing data is multiple of 8 sized
- clk: at91: peripheral: fix return value
- perf util: Fix compression checks returning -1 as bool
- rtc: x1205: Fix Xicor X1205 vendor prefix
- perf session: Fix handling when buffer exceeds 2 GiB
- clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()
- clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver
- cpufreq: tegra186: Set target frequency for all cpus in policy
- scsi: libsas: Add sas_task_find_rq()
- scsi: mvsas: Delete mvs_tag_init()
- scsi: mvsas: Use sas_task_find_rq() for tagging
- net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()
- s390/cio: unregister the subchannel while purging
- drm/vmwgfx: Copy DRM hash-table code into driver
- tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
- net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe
- tools build: Align warning options with perf
- mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call
- mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes
- drm/amdgpu: Add additional DCE6 SCL registers
- drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs
- drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6
- drm/amd/display: Properly disable scaling on DCE6
- bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()
- tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single
- gpio: wcd934x: Remove duplicate assignment of of_gpio_n_cells
- gpio: wcd934x: mark the GPIO controller as sleeping
- bpf: Avoid RCU context warning when unpinning htab with internal structs
- ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT
- ACPI: debug: fix signedness issues in read/write helpers
- arm64: dts: qcom: msm8916: Add missing MDSS reset
- ARM: OMAP2+: pm33xx-core: ix device node reference leaks in
amx3_idle_init
- xen/events: Cleanup find_virq() return codes
- xen/manage: Fix suspend error path
- firmware: meson_sm: fix device leak at probe
- media: i2c: mt9v111: fix incorrect type for ret
- drm/nouveau: fix bad ret code in nouveau_bo_move_prep
- bus: mhi: host: Do not use uninitialized 'dev' pointer in
mhi_init_irq_setup()
- copy_sighand: Handle architectures where sizeof(unsigned long) <
sizeof(u64)
- crypto: atmel - Fix dma_unmap_sg() direction
- fs/ntfs3: Fix a resource leak bug in wnd_extend()
- iio: dac: ad5360: use int type to store negative error codes
- iio: dac: ad5421: use int type to store negative error codes
- iio: frequency: adf4350: Fix prescaler usage.
- init: handle bootloader identifier in kernel parameters
- iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in
resume
- iommu/vt-d: PRS isn't usable if PDS isn't supported
- KEYS: trusted_tpm1: Compare HMAC values in constant time
- lib/genalloc: fix device leak in of_gen_pool_get()
- openat2: don't trigger automounts with RESOLVE_NO_XDEV
- parisc: don't reference obsolete termio struct for TC* constants
- nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk
- powerpc/powernv/pci: Fix underflow and leak issue
- powerpc/pseries/msi: Fix potential underflow and leak issue
- scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
- sparc64: fix hugetlb for sun4u
- sparc: fix error handling in scan_one_device()
- mtd: rawnand: fsmc: Default to autodetect buswidth
- mmc: core: SPI mode remove cmd7
- memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe
- rtc: interface: Ensure alarm irq is enabled when UIE is enabled
- rtc: interface: Fix long-standing race when setting alarm
- rseq/selftests: Use weak symbol reference, not definition, to link with
glibc
- PCI/sysfs: Ensure devices are powered for config reads
- PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
- PCI/ERR: Fix uevent on failure to recover
- PCI/AER: Fix missing uevent on recovery when a reset is requested
- PCI/AER: Support errors introduced by PCIe r6.0
- PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on
exit
- PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()
- spi: cadence-quadspi: Flush posted register writes before INDAC access
- spi: cadence-quadspi: Flush posted register writes before DAC access
- x86/umip: Check that the instruction opcode is at least two bytes
- x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT
aliases)
- mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations
- NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()
- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry
- ext4: increase i_disksize to offset + len in
ext4_update_disksize_before_punch()
- ext4: correctly handle queries for metadata mappings
- ext4: guard against EA inode refcount underflow in xattr update
- ext4: free orphan info with kvfree
- lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older
- ASoC: codecs: wcd934x: Simplify with dev_err_probe
- ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()
- Squashfs: add additional inode sanity checking
- media: mc: Clear minor number before put device
- mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register
value
- mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type
- mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag
- ksmbd: fix error code overwriting in smb2_get_info_filesystem()
- locking: Introduce __cleanup() based infrastructure
- fscontext: do not consume log entries when returning -EMSGSIZE
- btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()
- arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees
- minmax: Introduce {min,max}_array()
- minmax: deduplicate __unconst_integer_typeof()
- minmax: fix indentation of __cmp_once() and __clamp_once()
- minmax: avoid overly complicated constant expressions in VM code
- minmax: add a few more MIN_T/MAX_T users
- minmax: simplify and clarify min_t()/max_t() implementation
- minmax: make generic MIN() and MAX() macros available everywhere
- minmax: don't use max() in situations that want a C constant expression
- minmax: simplify min()/max()/clamp() implementation
- minmax: improve macro expansion and type checking
- minmax: fix up min3() and max3() too
- minmax.h: add whitespace around operators and after commas
- minmax.h: update some comments
- minmax.h: reduce the #define expansion of min(), max() and clamp()
- minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()
- minmax.h: move all the clamp() definitions after the min/max() ones
- minmax.h: simplify the variants of clamp()
- minmax.h: remove some #defines that are only expanded once
- minixfs: Verify inode mode when loading from disk
- fs: Add 'initramfs_options' to set initramfs mount options
- cramfs: Verify inode mode when loading from disk
- writeback: Avoid softlockup when switching many inodes
- writeback: Avoid excessively long inode switching times
- media: switch from 'pci_' to 'dma_' API
- media: cx18: Add missing check after DMA map
- arm64: mte: Do not flag the zero page as PG_mte_tagged
- media: pci/ivtv: switch from 'pci_' to 'dma_' API
- media: pci: ivtv: Add missing check after DMA map
- xen/events: Update virq_to_irq on migration
- media: pci: ivtv: Add check for DMA map result
- mm/slab: make __free(kfree) accept error pointers
- mptcp: pm: in-kernel: usable client side with C-flag
- selftests: mptcp: join: validate C-flag + def limit
- Linux 5.15.195
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40178
- pid: Add a judgment for ns null in pid_nr_ns
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40134
- dm: fix NULL pointer dereference in __dm_suspend()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40042
- tracing: Fix race condition in kprobe initialization causing NULL
pointer dereference
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40120
- net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40200
- Squashfs: reject negative file sizes in squashfs_read_inode()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40026
- KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40179
- ext4: verify orphan file size is not too big
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40204
- sctp: Fix MAC comparison to be constant-time
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40188
- pwm: berlin: Fix wrong register in suspend/resume
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40194
- cpufreq: intel_pstate: Fix object lifecycle issue in
update_qos_request()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40205
- btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40183
- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40187
- net/sctp: fix a null dereference in sctp_disposition
sctp_sf_do_5_1D_ce()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40111
- drm/vmwgfx: Fix Use-after-free in validation
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40001
- scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40029
- bus: fsl-mc: Check return value of platform_get_resource()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40030
- pinctrl: check the return value of pinmux_ops::get_function_name()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40035
- Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info
leak
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40153
- mm: hugetlb: avoid soft lockup when mprotect to large memory area
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40043
- net: nfc: nci: Add parameter validation for packet data
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40044
- fs: udf: fix OOB read in lengthAllocDescs handling
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40048
- uio_hv_generic: Let userspace take care of interrupt mask
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40049
- Squashfs: fix uninit-value in squashfs_get_parent
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40053
- net: dlink: handle copy_thresh allocation failure
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40055
- ocfs2: fix double free in user_cluster_connect()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40127
- hwrng: ks-sa - fix division by zero in ks_sa_rng_init
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40140
- net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40115
- scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40060
- coresight: trbe: Return NULL pointer for allocation failures
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40112
- sparc: fix accurate exception reporting in copy_{from_to}_user for
Niagara
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40124
- sparc: fix accurate exception reporting in copy_{from_to}_user for
UltraSPARC III
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40126
- sparc: fix accurate exception reporting in copy_{from_to}_user for
UltraSPARC
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40068
- fs: ntfs3: Fix integer overflow in run_unpack()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40121
- ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40154
- ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40070
- pps: fix warning in pps_register_cdev when register device fail
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40118
- scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40116
- usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40078
- bpf: Explicitly check accesses to bpf_sock_addr
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40171
- nvmet-fc: move lsop put work to nvmet_fc_ls_req_op
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40125
- blk-mq: check kobject state_in_sysfs before deleting in
blk_mq_unregister_hctx
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40081
- perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40027
- net/9p: fix double req put in p9_fd_cancelled
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40109
- crypto: rng - Ensure set_ent is always present
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2024-58011
- platform/x86: int3472: Check for adev == NULL
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-39995
- media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in
probe
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-39994
- media: tuner: xc5000: Fix use-after-free in xc5000_release
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-22058
- udp: Fix memory accounting leak.
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-39996
- media: b2c2: Fix use-after-free causing by irq_check_work in
flexcop_pci_remove
* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-39998
- scsi: target: target_core_configfs: Add length check to avoid buffer
overflow
* CAP_PERFMON insufficient to get perf data (LP: #2131046)
- SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4
* Jammy Linux: Introduced Warning with CVE-2024-53090 fix (LP: #2130553)
- SAUCE: Remove warning introduced during CVE-2024-53090 fix
* [SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user
namespaces (LP: #2121257)
- apparmor: shift ouid when mediating hard links in userns
- apparmor: shift uid when mediating af_unix in userns
* Jammy update: v5.15.194 upstream stable release (LP: #2127866)
- Revert "fbdev: Disable sysfb device registration when removing
conflicting FBs"
- xfs: short circuit xfs_growfs_data_private() if delta is zero
- kunit: kasan_test: disable fortify string checker on kasan_strings()
test
- mm: introduce and use {pgd,p4d}_populate_kernel()
- media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning
- media: i2c: imx214: Fix link frequency validation
- net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
- tracing: Do not add length to print format in synthetic events
- mm/rmap: reject hugetlb folios in folio_make_device_exclusive()
- flexfiles/pNFS: fix NULL checks on result of
ff_layout_choose_ds_for_read
- NFSv4: Don't clear capabilities that won't be reset
- NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set
- NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server
- tracing: Fix tracing_marker may trigger page fault during
preempt_disable
- NFSv4/flexfiles: Fix layout merge mirror check.
- tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to
allocate psock->cork.
- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code
- KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func()
- KVM: SVM: Set synthesized TSA CPUID flags
- EDAC/altera: Delete an inappropriate dma_free_coherent() call
- compiler-clang.h: define __SANITIZE_*__ macros only when undefined
- ocfs2: fix recursive semaphore deadlock in fiemap call
- mtd: rawnand: stm32_fmc2: fix ECC overwrite
- fuse: check if copy_file_range() returns larger than requested size
- fuse: prevent overflow in copy_file_range return value
- libceph: fix invalid accesses to ceph_connection_v1_info
- mm/khugepaged: fix the address passed to notifier on testing young
- mtd: nand: raw: atmel: Fix comment in timings preparation
- mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing
- mtd: rawnand: stm32_fmc2: Fix dma_map_sg error check
- mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
- Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk
table
- tty: hvc_console: Call hvc_kick in hvc_write unconditionally
- dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks
- USB: serial: option: add Telit Cinterion FN990A w/audio compositions
- USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions
- net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
- tunnels: reset the GSO metadata before reusing the skb
- igb: fix link test skipping when interface is admin down
- genirq: Provide new interfaces for affinity hints
- i40e: Use irq_update_affinity_hint()
- i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
- can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when
j1939_local_ecu_get() failed
- can: j1939: j1939_local_ecu_get(): undo increment when
j1939_local_ecu_get() fails
- can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted
SKB
- net: hsr: Disable promiscuous mode in offload mode
- net: hsr: Add support for MC filtering at the slave device
- net: hsr: Add VLAN CTAG filter support
- hsr: use rtnl lock when iterating over ports
- hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr
- dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
- regulator: sy7636a: fix lifecycle of power good gpio
- hrtimer: Remove unused function
- hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active()
- hrtimers: Unconditionally update target CPU base after offline timer
migration
- dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
- phy: tegra: xusb: fix device and OF node leak at probe
- phy: ti-pipe3: fix device leak at unbind
- soc: qcom: mdt_loader: Deal with zero e_shentsize
- drm/amdgpu: fix a memory leak in fence cleanup when unloading
- drm/i915/power: fix size for for_each_set_bit() in abox iteration
- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison
memory
- net: hsr: hsr_slave: Fix the promiscuous mode in offload mode
- ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is
not supported
- wifi: mac80211: fix incorrect type for ret
- pcmcia: omap_cf: Mark driver struct with __refdata to prevent section
mismatch
- cgroup: split cgroup_destroy_wq into 3 workqueues
- um: virtio_uml: Fix use-after-free after put_device in probe
- dpaa2-switch: fix buffer pool seeding for control traffic
- qed: Don't collect too many protection override GRC elements
- net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure
- i40e: remove redundant memory barrier when cleaning Tx descs
- tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
- Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set"
- net: liquidio: fix overflow in octeon_init_instr_queue()
- cnic: Fix use-after-free bugs in cnic_delete_task
- nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/*
- power: supply: bq27xxx: fix error return in case of no bq27000 hdq
battery
- power: supply: bq27xxx: restrict no-battery detection to bq27000
- btrfs: tree-checker: fix the incorrect inode ref size check
- mmc: mvsdio: Fix dma_unmap_sg() nents value
- KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active
- rds: ib: Increment i_fastreg_wrs before bailing out
- ASoC: wm8940: Correct typo in control name
- ASoC: wm8974: Correct PLL rate rounding
- ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error
message
- drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ
- drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path
- serial: sc16is7xx: fix bug in flow control levels init
- xhci: dbc: decouple endpoint allocation from initialization
- xhci: dbc: Fix full DbC transfer ring after several reconnects
- usb: gadget: dummy_hcd: remove usage of list iterator past the loop body
- USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels
- phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning
- phy: Use device_get_match_data()
- phy: ti: omap-usb2: fix device leak at unbind
- mptcp: set remote_deny_join_id0 on SYN recv
- ksmbd: smbdirect: validate data_offset and data_length field of
smb_direct_data_transfer
- mptcp: propagate shutdown to subflows when possible
- net: rfkill: gpio: add DT support
- net: rfkill: gpio: Fix crash due to dereferencering uninitialized
pointer
- ALSA: usb-audio: Fix block comments in mixer_quirks
- ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks
- ALSA: usb-audio: Avoid multiple assignments in mixer_quirks
- ALSA: usb-audio: Simplify NULL comparison in mixer_quirks
- ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks
- ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5
- ALSA: usb-audio: Convert comma to semicolon
- ALSA: usb-audio: Fix build with CONFIG_INPUT=n
- usb: core: Add 0x prefix to quirks debug output
- IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions
- arm64: dts: imx8mp: Correct thermal sensor index
- cpufreq: Initialize cpufreq-based invariance before subsys
- can: rcar_can: rcar_can_resume(): fix s2ram with PSCI
- bpf: Reject bpf_timer for PREEMPT_RT
- can: bittiming: allow TDC{V,O} to be zero and add
can_tdc_const::tdc{v,o,f}_min
- can: bittiming: replace CAN units with the generic ones from
linux/units.h
- can: dev: add generic function can_ethtool_op_get_ts_info_hwts()
- can: dev: add generic function can_eth_ioctl_hwts()
- can: etas_es58x: advertise timestamping capabilities and add ioctl
support
- can: etas_es58x: sort the includes by alphabetic order
- can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
- can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
- can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
- can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
- can: peak_usb: fix shift-out-of-bounds issue
- ethernet: rvu-af: Remove slash from the driver name
- bnxt_en: correct offset handling for IPv6 destination address
- nexthop: Forbid FDB status change while nexthop is in a group
- selftests: fib_nexthops: Fix creation of non-FDB nexthops
- net: dsa: lantiq_gswip: do also enable or disable cpu port
- net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to
port_setup()
- net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries
added to the CPU port
- drm/gma500: Fix null dereference in hdmi teardown
- i40e: fix idx validation in i40e_validate_queue_map
- i40e: fix input validation logic for action_meta
- i40e: add max boundary check for VF filters
- i40e: add mask to apply valid bits for itr_idx
- tracing: dynevent: Add a missing lockdown check on dynevent
- fbcon: fix integer overflow in fbcon_do_set_font
- fbcon: Fix OOB access in font allocation
- af_unix: Don't leave consecutive consumed OOB skbs.
- mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize()
- mm/hugetlb: fix folio is still mapped when deleted
- i40e: fix validation of VF state in get resources
- i40e: fix idx validation in config queues msg
- i40e: increase max descriptors for XL710
- i40e: add validation for ring_len param
- drm/i915/backlight: Return immediately when scale() finds invalid
parameters
- Linux 5.15.194
* CVE-2024-56538
- drm: zynqmp_kms: Unplug DRM device before removal
* CVE-2024-53114
- tools headers cpufeatures: Sync with the kernel sources
- x86: Fix comment for X86_FEATURE_ZEN
- x86/CPU/AMD: Add ZenX generations flags
- x86/CPU/AMD: Carve out the erratum 1386 fix
- x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
- x86/CPU/AMD: Move erratum 1076 fix into the Zen1 init function
- x86/CPU/AMD: Call the spectral chicken in the Zen2 init function
- x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()
- x86/CPU/AMD: Move Zenbleed check to the Zen2 init function
- x86/CPU/AMD: Move the DIV0 bug detection to the Zen1 init function
- x86/CPU/AMD: Get rid of amd_erratum_1054[]
- x86/CPU/AMD: Get rid of amd_erratum_383[]
- x86/CPU/AMD: Get rid of amd_erratum_400[]
- x86/CPU/AMD: Get rid of amd_erratum_1485[]
- x86/CPU/AMD: Drop now unused CPU erratum checking function
- x86/CPU/AMD: Add X86_FEATURE_ZEN1
- tools headers x86 cpufeatures: Sync with the kernel sources to pick TDX,
Zen, APIC MSR fence changes
- x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load
- x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client
- x86/cpu/amd: Fix workaround for erratum 1054
* CVE-2025-38584
- padata: Fix pd UAF once and for all
- padata: Remove comment for reorder_work
* CVE-2025-40019
- crypto: essiv - Check ssize for decryption and in-place encryption
* Black screen when booting 5.15.0-160 (on AMD Lucienne / Cezanne / Navi /
Renoir / Rembrandt) (LP: #2128729)
- SAUCE: drm/amd/display: Fix incorrect code path taken in
amdgpu_dm_atomic_check()
* CVE-2025-38561
- ksmbd: fix Preauh_HashValue race condition
* Miscellaneous Ubuntu changes
- [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian
* Miscellaneous upstream changes
- selftests: net: use slowwait to stabilize vrf_route_leaking test
Date: 2026-01-26 17:56:09.791722+00:00
Changed-By: alice.munduruca at canonical.com (Alice C. Munduruca)
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1096.102
-------------- next part --------------
Sorry, changesfile not available.
More information about the jammy-changes
mailing list