diff --git a/debian/changelog b/debian/changelog
index 92f63be8b5..45fb8c2a9a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,239 @@ -linux (6.1.147-2) UNRELEASED; urgency=medium +linux (6.1.148-1) UNRELEASED; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.148 + - Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT + (CVE-2025-38335) + - regulator: core: fix NULL dereference on unbind due to stale coupling data + - RDMA/core: Rate limit GID cache warning messages + - iio: adc: ad7949: use spi_is_bpw_supported() + - regmap: fix potential memory leak of regmap_bus + - [x86] hyperv: Fix usage of cpu_online_mask to get valid cpu + - [arm64,armhf] staging: vc04_services: Drop VCHIQ_SUCCESS usage + - [arm64,armhf] staging: vc04_services: Drop VCHIQ_ERROR usage + - [arm64,armhf] staging: vc04_services: Drop VCHIQ_RETRY usage + - [arm64,armhf] staging: vchiq_arm: Make vchiq_shutdown never fail + - xfrm: interface: fix use-after-free after changing collect_md xfrm + interface (CVE-2025-38500) + - net/mlx5: Fix memory leak in cmd_exec() + - i40e: Add rx_missed_errors for buffer exhaustion + - i40e: report VF tx_dropped with tx_errors instead of tx_discards + - i40e: When removing VF MAC filters, only check PF-set MAC + - net: appletalk: Fix use-after-free in AARP proxy probe + - can: dev: can_restart(): reverse logic to remove need for goto + - can: dev: can_restart(): move debug message and stats after successful + restart + - can: netlink: can_changelink(): fix NULL pointer deref of struct + can_priv::do_set_mode + - [arm64] drm/bridge: ti-sn65dsi86: Remove extra semicolon in + ti_sn_bridge_probe() + - [arm64] net: hns3: fix concurrent setting vlan filter issue + - [arm64] net: hns3: disable interrupt when ptp init failed + - [arm64] net: hns3: fixed vf get max channels bug + - [x86] platform/x86: ideapad-laptop: Fix kbd backlight not remembered among + boots + - i2c: qup: jump out of the loop in case of timeout + - i2c: tegra: Fix reset error handling with ACPI + - i2c: virtio: Avoid hang by using interruptible 
completion wait + - bus: fsl-mc: Fix potential double device reference in + fsl_mc_get_endpoint() + - ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx + - [arm64] dpaa2-eth: Fix device reference count leak in MAC endpoint + handling + - e1000e: disregard NVM checksum on tgp when valid checksum bit is not set + - e1000e: ignore uninitialized checksum word on tgp + - gve: Fix stuck TX queue for DQ queue format + - ice: Fix a null pointer dereference in ice_copy_and_init_pkg() + - nilfs2: reject invalid file types when reading inodes + - mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n + - drm/amdkfd: Don't call mmput from MMU notifier callback + - usb: typec: tcpm: allow to use sink in accessory mode + - usb: typec: tcpm: allow switching to mode accessory to mux properly + - usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach + - jfs: reject on-disk inodes of an unsupported type (CVE-2025-37925) + - [x86] comedi: comedi_test: Fix possible deletion of uninitialized timers + - ALSA: hda/tegra: Add Tegra264 support + - ALSA: hda: Add missing NVIDIA HDA codec IDs + - [x86] drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x + - mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma + - erofs: get rid of debug_one_dentry() + - erofs: sunset erofs_dbg() + - erofs: drop z_erofs_page_mark_eio() + - erofs: simplify z_erofs_transform_plain() + - erofs: address D-cache aliasing + - usb: chipidea: add USB PHY event + - usb: phy: mxs: disconnect line when USB charger is attached + - ethernet: intel: fix building with large NR_CPUS + - [x86] ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx + - ASoC: Intel: fix SND_SOC_SOF dependencies + - fs_context: fix parameter name in infofc() macro + - ublk: use vmalloc for ublk_device's __queues + - hfsplus: remove mutex_lock check in hfsplus_free_extents + - ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() + - ASoC: ops: dynamically allocate struct 
snd_ctl_elem_value + - soc: qcom: QMI encoding/decoding for big endian + - [arm64] dts: qcom: sdm845: Expand IMEM region + - [arm64] dts: qcom: sc7180: Expand IMEM region + - [arm64,armhf] usb: host: xhci-plat: fix incorrect type for of_match + variable in xhci_plat_probe() + - usb: misc: apple-mfi-fastcharge: Make power supply names unique + - vmci: Prevent the dispatching of uninitialized payloads + - pps: fix poll support + - Revert "vmci: Prevent the dispatching of uninitialized payloads" + - powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() + - usb: early: xhci-dbc: Fix early_ioremap leak + - [armhf] dts: ti: omap: Fixup pinheader typo + - [arm64] dts: imx8mm-beacon: Fix HS400 USDHC clock speed + - [arm64] dts: imx8mn-beacon: Fix HS400 USDHC clock speed + - PM / devfreq: Check governor before using governor->name + - cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode + - cpufreq: Initialize cpufreq-based frequency-invariance later + - cpufreq: Init policy->rwsem before it may be possibly used + - [arm64,armhf] drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed + - bpf, sockmap: Fix psock incorrectly pointing to sk + - bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls + - net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain + - bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure + - wifi: rtl818x: Kill URBs before clearing tx status queue + - wifi: iwlwifi: Fix memory leak in iwl_mvm_init() + - iwlwifi: Add missing check for alloc_ordered_workqueue + - wifi: ath11k: clear initialized flag for deinit-ed srng lists + - tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range + - net/mlx5: Check device memory pointer before usage + - drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value + - fbcon: Fix outdated registered_fb reference in comment + - netfilter: nf_tables: adjust lockdep assertions handling + - net/sched: Restrict conditions for adding 
duplicating netems to qdisc tree + - net_sched: act_ctinfo: use atomic64_t for three counters + - xen/gntdev: remove struct gntdev_copy_batch from stack + - wifi: rtl8xxxu: Fix RX skb size for aggregation disabled + - mwl8k: Add missing check after DMA map + - wifi: mac80211: reject TDLS operations when station is not associated + - wifi: plfxlc: Fix error handling in usb driver probe + - wifi: mac80211: Do not schedule stopped TXQs + - wifi: mac80211: Don't call fq_flow_idx() for management frames + - wifi: mac80211: Check 802.11 encaps offloading in + ieee80211_tx_h_select_key() + - Reapply "wifi: mac80211: Update skb's control block key in + ieee80211_tx_dequeue()" + - wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P + IE + - can: peak_usb: fix USB FD devices potential malfunction + - can: kvaser_pciefd: Store device channel index + - can: kvaser_usb: Assign netdev.dev_port based on device channel index + - netfilter: xt_nfacct: don't assume acct name is null-terminated + - vrf: Drop existing dst reference in vrf_ip6_input_dst + - ipv6: prevent infinite loop in rt6_nlmsg_size() + - ipv6: fix possible infinite loop in fib6_info_uses_dev() + - ipv6: annotate data-races around rt->fib6_nsiblings + - bpf/preload: Don't select USERMODE_DRIVER + - PCI: rockchip-host: Fix "Unexpected Completion" log message + - [arm64] crypto: sun8i-ce - fix nents passed to dma_unmap_sg() + - [arm*] crypto: marvell/cesa - Fix engine load inaccuracy + - mtd: fix possible integer overflow in erase_xfer() + - media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check + - power: supply: cpcap-charger: Fix null check for power_supply_get_by_name + - power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set + - PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() + fails + - [arm64,armhf] pinctrl: sunxi: Fix memory leak on krealloc failure + - perf sched: Fix memory leaks for evsel->priv in timehist + - perf sched: Fix memory leaks in 
'perf sched latency' + - [arm64] crypto: inside-secure - Fix `dma_unmap_sg()` nents value + - crypto: ccp - Fix crash when rebind ccp device for ccp.ko + - [arm64] RDMA/hns: Fix -Wframe-larger-than issue + - kernel: trace: preemptirq_delay_test: use offstack cpu mask + - proc: use the same treatment to check proc_lseek as ones for + proc_read_iter et.al + - perf tests bp_account: Fix leaked file descriptor + - [armhf] clk: sunxi-ng: v3s: Fix de clock definition + - [ppc64el] scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value + - scsi: elx: efct: Fix dma_unmap_sg() nents value + - scsi: mvsas: Fix dma_unmap_sg() nents value + - scsi: isci: Fix dma_unmap_sg() nents value + - soundwire: stream: restore params when prepare ports fail + - PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute + - fs/orangefs: Allow 2 more characters in do_c_string() + - dmaengine: mv_xor: Fix missing check after DMA map and missing unmap + - [x86] crypto: qat - fix seq_file position update in adf_ring_next() + - fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref + - jfs: fix metapage reference count leak in dbAllocCtl + - vhost-scsi: Fix log flooding with target does not exist errors + - bpf: Check flow_dissector ctx accesses are aligned + - apparmor: ensure WB_HISTORY_SIZE value is a power of 2 + - module: Restore the moduleparam prefix length check + - ucount: fix atomic_long_inc_below() argument type + - rtc: ds1307: fix incorrect maximum clock rate handling + - rtc: hym8563: fix incorrect maximum clock rate handling + - rtc: nct3018y: fix incorrect maximum clock rate handling + - rtc: pcf85063: fix incorrect maximum clock rate handling + - rtc: pcf8563: fix incorrect maximum clock rate handling + - rtc: rv3028: fix incorrect maximum clock rate handling + - f2fs: fix KMSAN uninit-value in extent_info usage + - f2fs: doc: fix wrong quota mount option description + - f2fs: fix to avoid UAF in f2fs_sync_inode_meta() + - f2fs: fix to avoid panic in 
f2fs_evict_inode + - f2fs: fix to avoid out-of-boundary access in devs.path + - f2fs: vm_unmap_ram() may be called from an invalid context + - f2fs: fix to update upper_p in __get_secs_required() correctly + - f2fs: fix to calculate dirty data during has_not_enough_free_secs() + - vfio/pci: Separate SR-IOV VF dev_set + - scsi: mpt3sas: Fix a fw_event memory leak + - scsi: Revert "scsi: iscsi: Fix HW conn removal use after free" + - scsi: ufs: core: Use link recovery when h8 exit fails during runtime + resume + - scsi: sd: Make sd shutdown issue START STOP UNIT appropriately + - PCI: pnv_php: Clean up allocated IRQs on unplug + - PCI: pnv_php: Work around switches with broken presence detection + - [powerpc*] eeh: Export eeh_unfreeze_pe() + - [powerpc*] eeh: Rely on dev->link_active_reporting + - [powerpc*] eeh: Make EEH driver device hotplug safe + - PCI: pnv_php: Fix surprise plug detection and recovery + - pNFS/flexfiles: don't attempt pnfs on fatal DS errors + - sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() + - NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() + - NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() + - NFSv4.2: another fix for listxattr + - NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY + - netpoll: prevent hanging NAPI when netcons gets enabled + - phy: mscc: Fix parsing of unicast frames + - pptp: ensure minimal skb length in pptp_xmit() + - net/mlx5: Correctly set gso_segs when LRO is used + - ipv6: reject malicious packets in ipv6_gso_segment() + - net: drop UFO packets in udp_rcv_segment() + - benet: fix BUG when creating VFs + - irqchip: Build IMX_MU_MSI only on ARM + - ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() + - smb: server: remove separate empty_recvmsg_queue + - smb: server: make sure we call ib_dma_unmap_single() only if we called + ib_dma_map_single already + - smb: server: let recv_done() consistently call + 
put_recvmsg/smb_direct_disconnect_rdma_connection + - smb: server: let recv_done() avoid touching data_transfer after + cleanup/move + - smb: client: let recv_done() cleanup before notifying the callers. + - pptp: fix pptp_xmit() error path + - perf/core: Don't leak AUX buffer refcount on allocation failure + - perf/core: Exit early on perf_mmap() fail + - perf/core: Prevent VMA split of buffer mappings + - net/packet: fix a race in packet_set_ring() and packet_notifier() + - vsock: Do not allow binding to VMADDR_PORT_ANY + - ksmbd: fix null pointer dereference error in generate_encryptionkey + - ksmbd: fix Preauh_HashValue race condition + - ksmbd: fix corrupted mtime and ctime in smb2_open + - ksmbd: limit repeated connections from clients with the same IP + (CVE-2025-38501) + - smb: server: Fix extension string in ksmbd_extract_shortname() + - USB: serial: option: add Foxconn T99W709 + - net: usbnet: Avoid potential RCU stall on LINK_CHANGE event + - net: usbnet: Fix the wrong netif_carrier_on() call + - [x86] sev: Evict cache lines during SNP memory validation (CVE-2024-36331) + - ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() + - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() + - [x86] fpu: Delay instruction pointer fixup until after warning + - [mips*] mm: tlb-r4k: Uniquify TLB entries on init + - mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery + - usb: gadget : fix use-after-free in composite_dev_cleanup() [ Bastian Blank ] * Drop not needed extra step to add debug links diff --git a/debian/patches/bugfix/all/net-sched-sch_qfq-Avoid-triggering-might_sleep-in-at.patch b/debian/patches/bugfix/all/net-sched-sch_qfq-Avoid-triggering-might_sleep-in-at.patch deleted file mode 100644 index 2f622f436e..0000000000 --- a/debian/patches/bugfix/all/net-sched-sch_qfq-Avoid-triggering-might_sleep-in-at.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From: Xiang Mei -Date: Thu, 17 Jul 2025 16:01:28 -0700 -Subject: net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in - qfq_delete_class -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=29c13f40a43118ba50606be564f772bc6d5819b0 - -[ Upstream commit cf074eca0065bc5142e6004ae236bb35a2687fdf ] - -might_sleep could be trigger in the atomic context in qfq_delete_class. - -qfq_destroy_class was moved into atomic context locked -by sch_tree_lock to avoid a race condition bug on -qfq_aggregate. However, might_sleep could be triggered by -qfq_destroy_class, which introduced sleeping in atomic context (path: -qfq_destroy_class->qdisc_put->__qdisc_destroy->lockdep_unregister_key -->might_sleep). - -Considering the race is on the qfq_aggregate objects, keeping -qfq_rm_from_agg in the lock but moving the left part out can solve -this issue. - -Fixes: 5e28d5a3f774 ("net/sched: sch_qfq: Fix race condition on qfq_aggregate") -Reported-by: Dan Carpenter -Signed-off-by: Xiang Mei -Link: https://patch.msgid.link/4a04e0cc-a64b-44e7-9213-2880ed641d77@sabinyo.mountain -Reviewed-by: Cong Wang -Reviewed-by: Dan Carpenter -Link: https://patch.msgid.link/20250717230128.159766-1-xmei5@asu.edu -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/sched/sch_qfq.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c -index f2692c9173f7..2f2863ae18ad 100644 ---- a/net/sched/sch_qfq.c -+++ b/net/sched/sch_qfq.c -@@ -540,9 +540,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, - - static void qfq_destroy_class(struct Qdisc *sch, struct qfq_class *cl) - { -- struct qfq_sched *q = qdisc_priv(sch); -- -- qfq_rm_from_agg(q, cl); - gen_kill_estimator(&cl->rate_est); - qdisc_put(cl->qdisc); - kfree(cl); -@@ -561,10 +558,11 @@ static int qfq_delete_class(struct Qdisc *sch, unsigned long arg, - - 
qdisc_purge_queue(cl->qdisc); - qdisc_class_hash_remove(&q->clhash, &cl->common); -- qfq_destroy_class(sch, cl); -+ qfq_rm_from_agg(q, cl); - - sch_tree_unlock(sch); - -+ qfq_destroy_class(sch, cl); - return 0; - } - -@@ -1505,6 +1503,7 @@ static void qfq_destroy_qdisc(struct Qdisc *sch) - for (i = 0; i < q->clhash.hashsize; i++) { - hlist_for_each_entry_safe(cl, next, &q->clhash.hash[i], - common.hnode) { -+ qfq_rm_from_agg(q, cl); - qfq_destroy_class(sch, cl); - } - } --- -2.50.0 - diff --git a/debian/patches/bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch b/debian/patches/bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch deleted file mode 100644 index 31eb2eb5d2..0000000000 --- a/debian/patches/bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From: Ben Hutchings -Date: Mon, 07 Feb 2022 00:00:26 +0100 -Subject: sh: Do not use hyphen in exported variable names - -arch/sh/Makefile defines and exports ld-bfd to be used by -arch/sh/boot/Makefile and arch/sh/boot/compressed/Makefile. However -some shells, including dash, will not pass through environment -variables whose name includes a hyphen. Usually GNU make does not use -a shell to recurse, but if e.g. $(srctree) contains '~' it will use a -shell here. - -Rename the variable to ld_bfd. - -(Another instance of this problem was fixed upstream by commit -82977af93a0d "sh: rename suffix-y to suffix_y".) - -References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sh4&ver=4.13%7Erc5-1%7Eexp1&stamp=1502943967&raw=0 -Fixes: ef9b542fce00 ("sh: bzip2/lzma uImage support.") -Signed-off-by: Ben Hutchings ---- - arch/sh/Makefile | 10 +++++----- - arch/sh/boot/compressed/Makefile | 4 ++-- - arch/sh/boot/romimage/Makefile | 4 ++-- - 3 files changed, 9 insertions(+), 9 deletions(-) - -Index: linux/arch/sh/Makefile -=================================================================== ---- linux.orig/arch/sh/Makefile -+++ linux/arch/sh/Makefile -@@ -102,16 +102,16 @@ UTS_MACHINE := sh - LDFLAGS_vmlinux += -e _stext - - ifdef CONFIG_CPU_LITTLE_ENDIAN --ld-bfd := elf32-sh-linux --LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld-bfd) -+ld_bfd := elf32-sh-linux -+LDFLAGS_vmlinux += --defsym jiffies=jiffies_64 --oformat $(ld_bfd) - KBUILD_LDFLAGS += -EL - else --ld-bfd := elf32-shbig-linux --LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld-bfd) -+ld_bfd := elf32-shbig-linux -+LDFLAGS_vmlinux += --defsym jiffies=jiffies_64+4 --oformat $(ld_bfd) - KBUILD_LDFLAGS += -EB - endif - --export ld-bfd -+export ld_bfd - - # Mach groups - machdir-$(CONFIG_SOLUTION_ENGINE) += mach-se -Index: linux/arch/sh/boot/compressed/Makefile -=================================================================== ---- 
linux.orig/arch/sh/boot/compressed/Makefile -+++ linux/arch/sh/boot/compressed/Makefile -@@ -36,7 +36,7 @@ endif - - ccflags-remove-$(CONFIG_MCOUNT) += -pg - --LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(IMAGE_OFFSET) -e startup \ -+LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(IMAGE_OFFSET) -e startup \ - -T $(obj)/../../kernel/vmlinux.lds - - KBUILD_CFLAGS += -DDISABLE_BRANCH_PROFILING -@@ -60,7 +60,7 @@ $(obj)/vmlinux.bin.lzo: $(obj)/vmlinux.b - - OBJCOPYFLAGS += -R .empty_zero_page - --LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T -+LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T - - $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/vmlinux.bin.$(suffix_y) FORCE - $(call if_changed,ld) -Index: linux/arch/sh/boot/romimage/Makefile -=================================================================== ---- linux.orig/arch/sh/boot/romimage/Makefile -+++ linux/arch/sh/boot/romimage/Makefile -@@ -13,7 +13,7 @@ mmcif-obj-$(CONFIG_CPU_SUBTYPE_SH7724) : - load-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-load-y) - obj-$(CONFIG_ROMIMAGE_MMCIF) := $(mmcif-obj-y) - --LDFLAGS_vmlinux := --oformat $(ld-bfd) -Ttext $(load-y) -e romstart \ -+LDFLAGS_vmlinux := --oformat $(ld_bfd) -Ttext $(load-y) -e romstart \ - -T $(obj)/../../kernel/vmlinux.lds - - $(obj)/vmlinux: $(obj)/head.o $(obj-y) $(obj)/piggy.o FORCE -@@ -24,7 +24,7 @@ OBJCOPYFLAGS += -j .empty_zero_page - $(obj)/zeropage.bin: vmlinux FORCE - $(call if_changed,objcopy) - --LDFLAGS_piggy.o := -r --format binary --oformat $(ld-bfd) -T -+LDFLAGS_piggy.o := -r --format binary --oformat $(ld_bfd) -T - - $(obj)/piggy.o: $(obj)/vmlinux.scr $(obj)/zeropage.bin arch/sh/boot/zImage FORCE - $(call if_changed,ld) diff --git a/debian/patches/bugfix/x86/x86-bugs-Fix-use-of-possibly-uninit-value-in-amd_che.patch b/debian/patches/bugfix/x86/x86-bugs-Fix-use-of-possibly-uninit-value-in-amd_che.patch deleted file mode 100644 index f17ab1c652..0000000000 
--- a/debian/patches/bugfix/x86/x86-bugs-Fix-use-of-possibly-uninit-value-in-amd_che.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Michael Zhivich -Date: Wed, 23 Jul 2025 09:40:19 -0400 -Subject: x86/bugs: Fix use of possibly uninit value in - amd_check_tsa_microcode() -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=ab2c2b383f0b1a2a37d06219952f59ed0e88fa02 - -For kernels compiled with CONFIG_INIT_STACK_NONE=y, the value of __reserved -field in zen_patch_rev union on the stack may be garbage. If so, it will -prevent correct microcode check when consulting p.ucode_rev, resulting in -incorrect mitigation selection. - -This is a stable-only fix. - -Cc: -Signed-off-by: Michael Zhivich -Fixes: d12145e8454f ("x86/bugs: Add a Transient Scheduler Attacks mitigation") -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/amd.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c -index 4785d41558d6..2d71c329b347 100644 ---- a/arch/x86/kernel/cpu/amd.c -+++ b/arch/x86/kernel/cpu/amd.c -@@ -563,6 +563,8 @@ static bool amd_check_tsa_microcode(void) - p.model = c->x86_model; - p.ext_model = c->x86_model >> 4; - p.stepping = c->x86_stepping; -+ /* reserved bits are expected to be 0 in test below */ -+ p.__reserved = 0; - - if (c->x86 == 0x19) { - switch (p.ucode_rev >> 8) { --- -2.50.0 - diff --git a/debian/patches/series b/debian/patches/series index 1ee65cd786..14cd15769c 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -66,7 +66,6 @@ debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch # Arch bug fixes bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch -bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch @@ -103,7 +102,6 @@ features/arm64/quartz64/arm64-dts-rockchip-Add-SOQuartz-Model-A-baseboard.patch # Miscellaneous bug fixes bugfix/all/disable-some-marvell-phys.patch bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch -bugfix/all/net-sched-sch_qfq-Avoid-triggering-might_sleep-in-at.patch # Miscellaneous features @@ -121,7 +119,6 @@ features/all/db-mok-keyring/trust-machine-keyring-by-default.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch -bugfix/x86/x86-bugs-Fix-use-of-possibly-uninit-value-in-amd_che.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch