[ubuntu/jammy-proposed] linux-gkeop 5.15.0-1088.96 (Accepted)
Andy Whitcroft
apw at canonical.com
Wed Mar 25 12:50:28 UTC 2026
linux-gkeop (5.15.0-1088.96) jammy; urgency=medium
* jammy/linux-gkeop: 5.15.0-1088.96 -proposed tracker (LP: #2143499)
[ Ubuntu: 5.15.0-176.186 ]
* jammy/linux: 5.15.0-176.186 -proposed tracker (LP: #2143539)
* Jammy update: v5.15.199 upstream stable release (LP: #2143343)
- nvmet-tcp: remove boilerplate code
- SAUCE: Fix skb_vlan_inet_prepare() usage
- net: update netdev_lock_{type,name}
- vsock/test: add a final full barrier after run all tests
- net/mlx5e: Restore destroying state bit after profile cleanup
- selftests: drv-net: fix RPS mask handling for high CPU numbers
- ASoC: tlv320adcx140: fix word length
- textsearch: describe @list member in ts_ops search
- mm, kfence: describe @slab parameter in __kfence_obj_info()
- dmaengine: xilinx_dma: Fix uninitialized addr_width when
"xlnx,addrwidth" property is missing
- phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again)
- HID: usbhid: paper over wrong bNumDescriptor field
- ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer
- x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers
- phy: rockchip: inno-usb2: fix disconnection in gadget mode
- phy: rockchip: inno-usb2: fix communication disruption in gadget mode
- phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7
- usb: dwc3: Check for USB4 IP_NAME
- USB: OHCI/UHCI: Add soft dependencies on ehci_platform
- USB: serial: option: add Telit LE910 MBIM composition
- USB: serial: ftdi_sio: add support for PICAXE AXE027 cable
- nvme-pci: disable secondary temp for Wodposit WPBSNM8
- hrtimer: Fix softirq base check in update_needs_ipi()
- EDAC/x38: Fix a resource leak in x38_probe1()
- EDAC/i3200: Fix a resource leak in i3200_probe1()
- x86/resctrl: Add missing resctrl initialization for Hygon
- x86/resctrl: Fix memory bandwidth counter width for Hygon
- mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free
- drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare
- drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()
- dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all()
- dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation
- dmaengine: ti: k3-udma: fix device leak on udma lookup
- posix-clock: introduce posix_clock_context concept
- Fix memory leak in posix_clock_open()
- posix-clock: Store file pointer in struct posix_clock_context
- ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE.
- testptp: add option to shift clock by nanoseconds
- testptp: Add support for testing ptp_clock_info .adjphase callback
- selftests/ptp: Add -x option for testing PTP_SYS_OFFSET_EXTENDED
- selftests/ptp: Add -X option for testing PTP_SYS_OFFSET_PRECISE
- ptp: add testptp mask test
- selftest/ptp: update ptp selftest to exercise the gettimex options
- testptp: Add option to open PHC in readonly mode
- net: usb: dm9601: remove broken SR9700 support
- amd-xgbe: avoid misleading per-packet error log
- netlink: add a proto specification for FOU
- net: fou: rename the source for linking
- net: fou: use policy and operation tables generated from the spec
- comedi: dmm32at: serialize use of paged registers
- w1: fix redundant counter decrement in w1_attach_slave_device()
- Revert "nfc/nci: Add the inconsistency check between the input data
length and count"
- Input: i8042 - add quirks for MECHREVO Wujie 15X Pro
- Input: i8042 - add quirk for ASUS Zenbook UX425QA_UM425QA
- scsi: storvsc: Process unsupported MODE_SENSE_10
- x86/kfence: avoid writing L1TF-vulnerable PTEs
- staging:iio:adc:ad7280a: Register define cleanup.
- iio: adc: ad7280a: handle spi_setup() errors in probe()
- ALSA: usb: Increase volume range that triggers a warning
- net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M
- net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue
- usbnet: limit max_mtu based on device's hard_mtu
- drm/amd/pm: Don't clear SI SMC table when setting power limit
- drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2)
- octeontx2-af: Fix error handling
- x86: make page fault handling disable interrupts properly
- of: fix reference count leak in of_alias_scan()
- iio: adc: ad9467: fix ad9434 vref mask
- iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl
- mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function
- wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()
- octeontx2: Fix otx2_dma_map_page() error return code
- slimbus: core: fix runtime PM imbalance on report present
- perf/x86/intel: Do not enable BTS for guests
- net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
- net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
- ipv6: use the right ifindex when replying to icmpv6 from localhost
- ice: stop counting UDP csum mismatch as rx_errors
- net/mlx5: Add HW definitions of vport debug counters
- net/mlx5e: Expose rx_oversize_pkts_buffer counter
- net/mlx5e: Report rx_discards_phy via rx_dropped
- net/mlx5e: Account for netdev stats in ndo_get_stats64
- net: bridge: fix static key check
- scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg()
- gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler
- dma/pool: distinguish between missing and exhausted atomic pools
- ASoC: fsl: imx-card: Do not force slot width to sample width
- scsi: be2iscsi: Fix a memory leak in beiscsi_boot_get_sinfo()
- scsi: qla2xxx: edif: Fix dma_free_coherent() size
- mptcp: only reset subflow errors when propagated
- net: Add locking to protect skb->dev access in ip_output
- comedi: Fix getting range information for subdevices 16 to 255
- of: platform: Use default match table for /firmware
- iio: adc: exynos_adc: fix OF populate on driver rebind
- arm64: dts: rockchip: remove redundant max-link-speed from nanopi-r4s
- w1: w1_therm: use swap() to make code cleaner
- dmaengine: stm32: dmamux: fix OF node leak on route allocation failure
- xfs: set max_agbno to allow sparse alloc of last full inode chunk
- nvme-fc: rename free_ctrl callback to match name pattern
- nvme-pci: do not directly handle subsys reset fallout
- nvme: fix PCIe subsystem reset controller state transition
- mei: trace: treat reg parameter as string
- mm/pagewalk: add walk_page_range_vma()
- wifi: cfg80211: add a work abstraction with special semantics
- wifi: mac80211: use wiphy work for sdata->work
- wifi: mac80211: move TDLS work to wiphy work
- HID: uclogic: Add NULL check in uclogic_input_configured()
- drm/amdkfd: fix a memory leak in device_queue_manager_init()
- btrfs: prevent use-after-free on page private data in
btrfs_subpage_clear_uptodate()
- net/sched: act_ife: convert comma to semicolon
- pinctrl: lpass-lpi: implement .get_direction() for the GPIO driver
- writeback: fix 100% CPU usage when dirtytime_expire_interval is 0
- mptcp: avoid dup SUB_CLOSED events after disconnect
- pinctrl: meson: mark the GPIO controller as sleeping
- wifi: cfg80211: use system_unbound_wq for wiphy work
- wifi: cfg80211: fix wiphy delayed work queueing
- wifi: cfg80211: cancel wiphy_work before freeing wiphy
- wifi: cfg80211: fully move wiphy work to unbound workqueue
- wifi: cfg80211: init wiphy_work before allocating rfkill fails
- Linux 5.15.199
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-68340
- team: Move team device type change at the end of team_port_add
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23170
- drm/imx/tve: fix probe device leak
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23075
- can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-38408
- genirq/irq_sim: Initialize work context pointers properly
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2023-54207
- HID: uclogic: Correct devm device reference for hidinput input_dev name
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2023-53520
- Bluetooth: Fix hci_suspend_sync crash
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-38125
- net: stmmac: make sure that ptp_rate is not 0 before configuring EST
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-40164
- usbnet: Fix using smp_processor_id() in preemptible code warnings
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-38232
- NFSD: fix race between nfsd registration and exports_proc
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2023-53662
- ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup}
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-38057
- espintcp: fix skb leaks
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2023-53421
- blk-cgroup: Reinit blkg_iostat_set after clearing in blkcg_reset_stats()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-68365
- fs/ntfs3: Initialize allocated memory before use
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-68817
- ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2022-50390
- drm/ttm: fix undefined behavior in bit shift for
TTM_TT_FLAG_PRIV_POPULATED
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-68211
- ksm: use range-walk function to jump over holes in
scan_get_next_rmap_item
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23093
- ksmbd: smbd: fix dma_unmap_sg() nents
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23078
- ALSA: scarlett2: Fix buffer overflow in config retrieval
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71186
- dmaengine: stm32: dmamux: fix device leak on route allocation
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71197
- w1: therm: Fix off-by-one buffer overflow in alarms_store
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23087
- scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-40149
- tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23167
- nfc: nci: Fix race between rfkill and nci_unregister_device().
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23150
- nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23164
- rocker: fix memory leak in rocker_world_port_post_fini()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23146
- Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-38591
- bpf: Reject narrower access to pointer ctx fields
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-68725
- bpf: Do not let BPF test infra emit invalid GSO types to stack
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23097
- migrate: correct lock ordering for hugetlb file folios
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23108
- can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23080
- can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23061
- can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23058
- can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23085
- irqchip/gic-v3-its: Avoid truncating memory addresses
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23098
- netrom: fix double-free in nr_route_frame()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23063
- uacce: ensure safe queue release with state management
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23056
- uacce: implement mremap in uacce_vm_ops to return -EPERM
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23096
- uacce: fix cdev handling in the cleanup path
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23091
- intel_th: fix device leak on output open()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23090
- slimbus: core: fix device reference leak on report present
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23128
- arm64: Set __nocfi on swsusp_arch_resume()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23073
- wifi: rsi: Fix memory corruption due to not set vif driver data size
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23133
- wifi: ath10k: fix dma_free_coherent() pointer
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23089
- ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23076
- ALSA: ctxfi: Fix potential OOB access in audio mixer handling
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71199
- iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc
driver
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23101
- leds: led-class: Only Add LED to leds_list when it is fully ready
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23064
- net/sched: act_ife: avoid possible NULL deref
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23119
- bonding: provide a net pointer to __skb_flow_dissect()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23084
- be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23124
- ipv6: annotate data-race in ndisc_router_discovery()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23121
- mISDN: annotate data-race around dev->work
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23071
- regmap: Fix race condition in hwspinlock irqsave routine
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23105
- net/sched: qfq: Use cl_is_active to determine whether class is active in
qfq_rm_from_ag
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23103
- ipvlan: Make the addrs_lock be per port
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23120
- l2tp: avoid one data-race in l2tp_tunnel_del_work()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23083
- fou: Don't allow 0 for FOU_ATTR_IPPROTO.
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23095
- gue: Fix skb memleak with inner IP protocol 0.
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23125
- sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23099
- bonding: limit BOND_MODE_8023AD to Ethernet devices
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71194
- btrfs: fix deadlock in wait_current_trans() due to ignored transaction
type
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71185
- dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23026
- dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71188
- dmaengine: lpc18xx-dmamux: fix device leak on route allocation
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71163
- dmaengine: idxd: fix device leaks on compat bind and unbind
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71190
- dmaengine: bcm-sba-raid: fix device leak on probe
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71191
- dmaengine: at_hdmac: fix device leak on of_dma_xlate()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23049
- drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23145
- ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-22997
- net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session
upon receiving the second rts
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23033
- dmaengine: omap-dma: fix dma_pool resource leak in error paths
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71196
- phy: stm32-usphyc: Fix off by one in probe()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2025-71162
- dmaengine: tegra-adma: Fix use-after-free
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-22999
- net/sched: sch_qfq: do not free existing class in qfq_change_class()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23011
- ipv4: ip_gre: make ipgre_header() robust
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23001
- macvlan: fix possible UAF in macvlan_forward_source()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23003
- ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-22998
- nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23037
- can: etas_es58x: allow partial RX URB allocation to succeed
* Jammy update: v5.15.199 upstream stable release (LP: #2143343) //
CVE-2026-23038
- pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
* ADT test for linux package failed with "fatal: unable to connect to
git.launchpad.net" (LP: #2143033)
- [Packaging] d/t/ubuntu-regression-suite: use https to clone
* efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE patch
(LP: #2141276)
- SAUCE efi: Fix swapped arguments to bsearch() in efi_status_to_*()
* CVE-2026-23111
- netfilter: nf_tables: fix inverted genmask check in
nft_map_catchall_activate()
* CVE-2026-23209
- macvlan: fix error recovery in macvlan_common_newlink()
* CVE-2025-37849
- KVM: arm64: vgic: Add a non-locking primitive for
kvm_vgic_vcpu_destroy()
- KVM: arm64: Tear down vGIC on failed vCPU creation
* CVE-2026-23074
- net/sched: Enforce that teql can only be used as root qdisc
* CVE-2026-23060
- crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN
spec
Date: 2026-03-24 18:18:14.303334+00:00
Changed-By: Tim Whisonant <tim.whisonant at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1088.96
-------------- next part --------------
Sorry, changesfile not available.
More information about the jammy-changes
mailing list