[РЕШЕНО] Ошибка № ...

понедельник

[Bug 2037490] Re: UBSAN: array-index-out-of-bounds in /build/linux-IPoq5q/linux-6.5.0/drivers/message/fusion/mptsas.c

** Also affects: linux (Ubuntu Noble)
Importance: Undecided
Status: New

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2037490

Title:
UBSAN: array-index-out-of-bounds in /build/linux-
IPoq5q/linux-6.5.0/drivers/message/fusion/mptsas.c

Status in linux package in Ubuntu:
Won't Fix
Status in linux source package in Noble:
New

Bug description:
Steps to reproduce:
1. install a ubuntu 23.10 VM on an ESXi Server
2. hot add a lsilogicsas controller and a lsilogicsas disk

Call Trace will be reported in dmesg log

[ 176.181166] ================================================================================
[ 176.181167] UBSAN: array-index-out-of-bounds in /build/linux-IPoq5q/linux-6.5.0/drivers/message/fusion/mptsas.c:2448:22
[ 176.181171] index 1 is out of range for type 'MPI_SAS_IO_UNIT0_PHY_DATA [1]'
[ 176.181174] CPU: 0 PID: 2102 Comm: (udev-worker) Not tainted 6.5.0-5-generic #5-Ubuntu
[ 176.181177] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
[ 176.181179] Call Trace:
[ 176.181181] <TASK>
[ 176.181183] dump_stack_lvl+0x48/0x70
[ 176.181228] dump_stack+0x10/0x20
[ 176.181232] __ubsan_handle_out_of_bounds+0xc6/0x110
[ 176.181236] mptsas_sas_io_unit_pg0+0x3b1/0x3f0 [mptsas]
[ 176.181248] mptsas_probe_hba_phys.isra.0+0x55/0x490 [mptsas]
[ 176.181257] ? __pfx_scsi_runtime_idle+0x10/0x10
[ 176.181264] ? rpm_idle+0x1dc/0x2b0
[ 176.181269] mptsas_scan_sas_topology+0x32/0x210 [mptsas]
[ 176.181277] ? scsi_autopm_put_host+0x1a/0x30
[ 176.181280] mptsas_probe.part.0+0x3cc/0x570 [mptsas]
[ 176.181289] mptsas_probe+0x1e/0x30 [mptsas]
[ 176.181298] local_pci_probe+0x44/0xb0
[ 176.181302] pci_call_probe+0x55/0x190
[ 176.181307] pci_device_probe+0x84/0x120
[ 176.181312] really_probe+0x1c4/0x410
[ 176.181316] __driver_probe_device+0x8c/0x180
[ 176.181320] driver_probe_device+0x24/0xd0
[ 176.181324] __driver_attach+0x10b/0x210
[ 176.181327] ? __pfx___driver_attach+0x10/0x10
[ 176.181330] bus_for_each_dev+0x8a/0xf0
[ 176.181333] driver_attach+0x1e/0x30
[ 176.181336] bus_add_driver+0x127/0x240
[ 176.181340] driver_register+0x5e/0x130
[ 176.181343] ? __pfx_mptsas_init+0x10/0x10 [mptsas]
[ 176.181352] __pci_register_driver+0x62/0x70
[ 176.181356] mptsas_init+0x119/0xff0 [mptsas]
[ 176.181365] do_one_initcall+0x5b/0x340
[ 176.181371] do_init_module+0x68/0x260
[ 176.181375] load_module+0xba1/0xcf0
[ 176.181380] ? vfree+0xff/0x2d0
[ 176.181385] init_module_from_file+0x96/0x100
[ 176.181388] ? init_module_from_file+0x96/0x100
[ 176.181394] idempotent_init_module+0x11c/0x2b0
[ 176.181399] __x64_sys_finit_module+0x64/0xd0
[ 176.181402] do_syscall_64+0x59/0x90
[ 176.181409] ? exit_to_user_mode_prepare+0x30/0xb0
[ 176.181413] ? syscall_exit_to_user_mode+0x37/0x60
[ 176.181417] ? do_syscall_64+0x68/0x90
[ 176.181421] ? syscall_exit_to_user_mode+0x37/0x60
[ 176.181424] ? do_syscall_64+0x68/0x90
[ 176.181428] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 176.181432] RIP: 0033:0x7f847a725c5d
[ 176.181441] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8b 71 13 00 f7 d8 64 89 01 48
[ 176.181481] RSP: 002b:00007fff6734e878 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 176.181484] RAX: ffffffffffffffda RBX: 0000563ba212a6b0 RCX: 00007f847a725c5d
[ 176.181486] RDX: 0000000000000004 RSI: 00007f847aa0144a RDI: 000000000000000d
[ 176.181488] RBP: 00007f847aa0144a R08: 0000000000000040 R09: fffffffffffffde0
[ 176.181490] R10: fffffffffffffe18 R11: 0000000000000246 R12: 0000000000020000
[ 176.181526] R13: 0000563ba2216ae0 R14: 0000000000000000 R15: 0000563ba20dff90
[ 176.181531] </TASK>
[ 176.181532] ================================================================================
---
ProblemType: Bug
ApportVersion: 2.27.0-0ubuntu2
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/seq: vmware 950 F.... pipewire
CRDA: N/A
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 23.10
InstallationDate: Installed on 2023-09-26 (0 days ago)
InstallationMedia: Ubuntu 23.10 "Mantic Minotaur" - Beta amd64 (20230919.1)
IwConfig:
lo no wireless extensions.

ens33 no wireless extensions.
Lsusb: Error: command ['lsusb'] failed with exit code 1:
Lsusb-t:

Lsusb-v: Error: command ['lsusb', '-v'] failed with exit code 1:
MachineType: {report['dmi.sys.vendor']} {report['dmi.product.name']}
Package: linux (not installed)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
ProcFB: 0 vmwgfxdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.5.0-5-generic root=UUID=e70caf6c-4fa5-4fd6-9a60-61d851a337f9 ro quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 6.5.0-5.5-generic 6.5.0
RelatedPackageVersions:
linux-restricted-modules-6.5.0-5-generic N/A
linux-backports-modules-6.5.0-5-generic N/A
linux-firmware 20230919.git3672ccab-0ubuntu2
RfKill:

Tags: mantic
Uname: Linux 6.5.0-5-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: N/A
_MarkForUpload: True
dmi.bios.date: 05/22/2023
dmi.bios.vendor: VMware, Inc.
dmi.bios.version: VMW201.00V.21805430.B64.2305221830
dmi.board.name: 440BX Desktop Reference Platform
dmi.board.vendor: Intel Corporation
dmi.board.version: None
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 1
dmi.chassis.vendor: No Enclosure
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnVMware,Inc.:bvrVMW201.00V.21805430.B64.2305221830:bd05/22/2023:svnVMware,Inc.:pnVMware20,1:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:sku:
dmi.product.name: VMware20,1
dmi.product.version: None
dmi.sys.vendor: VMware, Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2037490/+subscriptions

[Bug 2139322] Re: Fix conntrack use after free when ovs hardware offload is enabled

** Description changed:

BugLink: https://bugs.launchpad.net/bugs/2139322

[Impact]
-

Enable mlx5 ovs hardware offload on 6.8 kernel, we see different issues on our production environment,
it only happens under real and heavy workloads.

Issue 1, general protection fault:

[75202.650580] general protection fault, probably for non-canonical address 0x9cad655f9b42c237: 0000 [#1] PREEMPT SMP NOPTI
[75202.661464] CPU: 29 PID: 0 Comm: swapper/29 Kdump: loaded Not tainted 6.8.0-51-generic #52~22.04.1-Ubuntu
[75202.671039] Hardware name: Dell Inc. PowerEdge R7525/0H3K7P, BIOS 2.15.2 04/02/2024
[75202.678701] RIP: 0010:kmalloc_trace+0xd7/0x360
[75202.683158] Code: 83 78 10 00 48 8b 38 0f 84 36 02 00 00 48 85 ff 0f 84 2d 02 00 00 41 8b 44 24 28 49 8b 9c 24 b8 00 00 00 49 8b 34 24 48 01 f8 <48> 33 18 48 89 c1 48 89 f8 48 0f c9 48 31 cb 48 8d 8a 00 20 00 00
[75202.701933] RSP: 0018:ffffabfc19a08990 EFLAGS: 00010282
[75202.707166] RAX: 9cad655f9b42c237 RBX: 1c00e25717636e48 RCX: 0000000000000000
[75202.714310] RDX: 000000bec1e5c01d RSI: 000000000003b980 RDI: 9cad655f9b42c1b7
[75202.721449] RBP: ffffabfc19a089e0 R08: 0000000000000000 R09: 0000000000000000
[75202.728593] R10: ffffabfc19a08a00 R11: 0000000000000000 R12: ffff94db00050c00
[75202.735735] R13: 0000000000000920 R14: 00000000000000d8 R15: 0000000000000000
[75202.742876] FS: 0000000000000000(0000) GS:ffff95da7cc80000(0000) knlGS:0000000000000000
[75202.750971] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[75202.756722] CR2: 00007a5f6af90010 CR3: 0000010263b44002 CR4: 0000000000f70ef0
[75202.763866] PKRU: 55555554
[75202.766581] Call Trace:
[75202.769033] <IRQ>
[75202.771053] ? show_regs+0x6d/0x80
[75202.774483] ? die_addr+0x37/0xa0
[75202.777807] ? exc_general_protection+0x1db/0x480
[75202.782525] ? asm_exc_general_protection+0x27/0x30
[75202.787412] ? kmalloc_trace+0xd7/0x360
[75202.791261] ? flow_offload_alloc+0x64/0x120 [nf_flow_table]
[75202.796938] flow_offload_alloc+0x64/0x120 [nf_flow_table]
[75202.802431] ? nf_conntrack_in+0x113/0x360 [nf_conntrack]
[75202.807846] ? flow_offload_alloc+0x64/0x120 [nf_flow_table]
[75202.813517] tcf_ct_flow_table_process_conn+0xc2/0x1e0 [act_ct]
[75202.819444] tcf_ct_act+0x6c8/0xae0 [act_ct]
[75202.823726] tcf_action_exec+0xbc/0x190
[75202.827571] __tcf_classify+0xcb/0x1f0
[75202.831332] tcf_classify+0xff/0x260
[75202.834920] tc_run+0xa3/0x110
[75202.837987] __netif_receive_skb_core.constprop.0+0x459/0xf90
[75202.843744] ? dev_gro_receive+0xc0/0x350
[75202.847763] ? srso_alias_return_thunk+0x5/0xfbef5
[75202.852565] ? napi_gro_receive+0x73/0x220
[75202.856675] __netif_receive_skb_list_core+0xfd/0x250
[75202.861736] netif_receive_skb_list_internal+0x1a3/0x2d0
[75202.867056] ? srso_alias_return_thunk+0x5/0xfbef5
[75202.871858] ? mlx5e_rx_cq_process_basic_cqe_comp+0x2f7/0x310 [mlx5_core]
[75202.878752] napi_complete_done+0x74/0x1c0
[75202.882855] mlx5e_napi_poll+0x190/0x7b0 [mlx5_core]
[75202.887911] __napi_poll+0x33/0x200
[75202.891753] net_rx_action+0x181/0x2e0
[75202.895849] handle_softirqs+0xdb/0x340
[75202.900027] __irq_exit_rcu+0xd9/0x100
[75202.904103] irq_exit_rcu+0xe/0x20
[75202.907828] common_interrupt+0xa4/0xb0
[75202.911983] </IRQ>
[75202.914387] <TASK>
[75202.916786] asm_common_interrupt+0x27/0x40
[75202.921258] RIP: 0010:mwait_idle+0x50/0x80

This is caused by use-after-free in slab (kmalloc-256).

Issue 2, soft lockup:

[148720.717134] watchdog: BUG: soft lockup - CPU#3 stuck for 7923s! [swapper/3:0]
[148720.725207] Modules linked in: act_csum act_pedit act_tunnel_key vhost_net vhost tap vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd xt_CT xt_tcpudp nft_compat nf_tables veth
act_ct nf_flow_table nf_conntrack_netlink nvme_fabrics nvme_keyring xfs dm_crypt act_skbedit act_vlan act_mirred cls_matchall geneve ip6_udp_tunnel udp_tunnel nfnetlink_cttimeout nfnet
link act_gact cls_flower sch_ingress openvswitch nsh nf_conncount nf_nat 8021q garp mrp stp llc bonding sunrpc binfmt_misc nls_iso8859_1 mlx5_vdpa vringh vhost_iotlb vdpa intel_rapl_ms
r intel_rapl_common amd64_edac edac_mce_amd kvm_amd kvm irqbypass rapl dell_wmi video ledtrig_audio sparse_keymap dell_smbios dcdbas dell_wmi_descriptor wmi_bmof ipmi_ssif ccp ptdma k1
0temp acpi_power_meter ipmi_si acpi_ipmi ipmi_devintf ipmi_msghandler mac_hid dm_service_time sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 msr efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov
[148720.725328] async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c mlx5_ib ib_uverbs macsec ib_core ses enclosure raid1 raid0 bcache mlx5_core crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel mlxfw mpt3sas sha256_ssse3 nvme psample ahci sha1_ssse3 raid_class tg3 nvme_core tls libahci xhci_pci mgag200 nvme_auth scsi_transport_sas i2c_algo_bit pci_hyperv_intf i2c_piix4 xhci_pci_renesas wmi aesni_intel crypto_simd cryptd
[148720.725385] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G L 6.8.0-57-generic #59~22.04.1-Ubuntu
[148720.725388] Hardware name: Dell Inc. PowerEdge R7525/0H3K7P, BIOS 2.16.3 09/10/2024
[148720.725390] RIP: 0010:flow_offload_hash_cmp+0x1f/0x40 [nf_flow_table]
[148720.725398] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 8b 47 08 ba 32 00 00 00 48 8d 7e 08 48 89 c6 48 89 e5 e8 62 4a b6 fa 5d <85> c0 0f 95 c0 0f b6 c0 31 d2 31 f6 31 ff e9 b9 3b ee fa 66 66 2e
[148720.725401] RSP: 0018:ffffad9f403fc928 EFLAGS: 00000246
[148720.725404] RAX: 0000000000000004 RBX: ffff8a8f9a3c3a40 RCX: 0000000000000000
[148720.725406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[148720.725409] RBP: ffffad9f403fc990 R08: 0000000000000000 R09: 000000000000003c
[148720.725411] R10: 000000000000003c R11: 0000000000000000 R12: ffff89b49b080000
[148720.725413] R13: 0000000000000000 R14: ffff89b49b09e6b8 R15: ffff89b2ba69ea58
[148720.725415] FS: 0000000000000000(0000) GS:ffff8a8f3bf80000(0000) knlGS:0000000000000000
[148720.725417] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[148720.725419] CR2: 000056c0ae793900 CR3: 000000021d904002 CR4: 0000000000f70ef0
[148720.725421] PKRU: 55555554
[148720.725423] Call Trace:
[148720.725426] <IRQ>
[148720.725428] ? show_regs+0x6d/0x80
[148720.725435] ? watchdog_timer_fn+0x206/0x290
[148720.725441] ? __pfx_watchdog_timer_fn+0x10/0x10
[148720.725445] ? __hrtimer_run_queues+0x112/0x2a0
[148720.725450] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725457] ? hrtimer_interrupt+0xf6/0x250
[148720.725462] ? __sysvec_apic_timer_interrupt+0x51/0x120
[148720.725467] ? sysvec_apic_timer_interrupt+0x3b/0xd0
[148720.725473] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[148720.725479] ? flow_offload_hash_cmp+0x1f/0x40 [nf_flow_table]
[148720.725484] ? flow_offload_lookup+0xb2/0x180 [nf_flow_table]
[148720.725491] tcf_ct_flow_table_lookup.isra.0+0x244/0x6b0 [act_ct]
[148720.725494] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725499] ? ovs_dp_process_packet+0x1af/0x220 [openvswitch]
[148720.725518] tcf_ct_act+0x23d/0xae0 [act_ct]
[148720.725524] tcf_action_exec+0xbc/0x190
[148720.725531] __tcf_classify+0xcb/0x1f0
[148720.725535] tcf_classify+0xff/0x260
[148720.725539] tc_run+0xa3/0x110
[148720.725543] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725547] __netif_receive_skb_core.constprop.0+0x459/0xf90
[148720.725552] ? dev_gro_receive+0x150/0x350
[148720.725557] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725560] ? napi_gro_receive+0x73/0x220
[148720.725564] __netif_receive_skb_list_core+0xfd/0x250
[148720.725569] netif_receive_skb_list_internal+0x1a3/0x2d0
[148720.725573] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725578] ? mlx5e_rx_cq_process_basic_cqe_comp+0x2f7/0x310 [mlx5_core]
[148720.725688] napi_complete_done+0x74/0x1c0
[148720.725693] mlx5e_napi_poll+0x190/0x7b0 [mlx5_core]
[148720.725782] __napi_poll+0x33/0x200
[148720.725786] net_rx_action+0x181/0x2e0
[148720.725792] handle_softirqs+0xdb/0x340
[148720.725799] __irq_exit_rcu+0xd9/0x100
[148720.725802] irq_exit_rcu+0xe/0x20

before soft lockup, we see some error messages from mlx5, e.g.:

[486111.016058] mlx5_core 0000:41:00.1 ens3f1: NETDEV WATCHDOG: CPU: 119: transmit queue 0 timed out 17547 ms
[486111.025773] mlx5_core 0000:41:00.1 ens3f1: TX timeout detected
[486111.031726] mlx5_core 0000:41:00.1 ens3f1: TX timeout on queue: 0, SQ: 0x11d0, CQ: 0x1487, SQ Cons: 0xae7a SQ Prod: 0xaec3, usecs since last trans: 17562000
[486111.045845] mlx5_core 0000:41:00.1 ens3f1: EQ 0x7: Cons = 0x8ac57014, irqn = 0x5f5

Kernel cmdline:
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8 nvme_core.multipath=0 amd_iommu=on iommu=pt probe_vf=0 transparent_hugepage=never hugepagesz=1G hugepages=1536 default_hugepagesz=1G"

[Fix]

This upstream commit fixes it:

commit 03428ca5cee9f0792edc996c06ce4514816af1fb
Author: Florian Westphal <fw@strlen.de>
Date: Tue Jan 14 00:50:36 2025 +0100

- netfilter: conntrack: rework offload nf_conn timeout extension logic
+ netfilter: conntrack: rework offload nf_conn timeout extension logic
+
+ And a dependency:
+
+ commit 31768596b15aa8c9c55f078acad29d0238c8269b
+ Author: Florian Westphal <fw@strlen.de>
+ Date: Tue Jan 14 00:50:35 2025 +0100
+
+ netfilter: conntrack: remove skb argument from nf_ct_refresh

This patch fixes ct use-after-free and packet gets stuck issues, which
should be related to the above two call traces.

-
[Test Plan]

- This issue can only be reproduced on our production environment with mlx5 NIC and ovs hw-offload enabled.
- We need to run the kernel on the environment for few weeks to confirm it's fixed.
+ This issue can only be reproduced on PS6/7 with mlx5 NIC and ovs hw-offload enabled.
+ We have run test kernel with these 2 patches for 3 weeks, it's been working fine.

[Where problems could occur]

The patch makes sure to take a refcount on ct and test offload bits, it could prevent ct being used after it's removed.
And also modifies flow offload teardown logic, if there is anything wrong, the ovs flow offload might be broken.

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2139322

Title:
Fix conntrack use after free when ovs hardware offload is enabled

Status in linux package in Ubuntu:
In Progress
Status in linux source package in Noble:
In Progress

Bug description:
BugLink: https://bugs.launchpad.net/bugs/2139322

[Impact]

Enable mlx5 ovs hardware offload on 6.8 kernel, we see different issues on our production environment,
it only happens under real and heavy workloads.

Issue 1, general protection fault:

[75202.650580] general protection fault, probably for non-canonical address 0x9cad655f9b42c237: 0000 [#1] PREEMPT SMP NOPTI
[75202.661464] CPU: 29 PID: 0 Comm: swapper/29 Kdump: loaded Not tainted 6.8.0-51-generic #52~22.04.1-Ubuntu
[75202.671039] Hardware name: Dell Inc. PowerEdge R7525/0H3K7P, BIOS 2.15.2 04/02/2024
[75202.678701] RIP: 0010:kmalloc_trace+0xd7/0x360
[75202.683158] Code: 83 78 10 00 48 8b 38 0f 84 36 02 00 00 48 85 ff 0f 84 2d 02 00 00 41 8b 44 24 28 49 8b 9c 24 b8 00 00 00 49 8b 34 24 48 01 f8 <48> 33 18 48 89 c1 48 89 f8 48 0f c9 48 31 cb 48 8d 8a 00 20 00 00
[75202.701933] RSP: 0018:ffffabfc19a08990 EFLAGS: 00010282
[75202.707166] RAX: 9cad655f9b42c237 RBX: 1c00e25717636e48 RCX: 0000000000000000
[75202.714310] RDX: 000000bec1e5c01d RSI: 000000000003b980 RDI: 9cad655f9b42c1b7
[75202.721449] RBP: ffffabfc19a089e0 R08: 0000000000000000 R09: 0000000000000000
[75202.728593] R10: ffffabfc19a08a00 R11: 0000000000000000 R12: ffff94db00050c00
[75202.735735] R13: 0000000000000920 R14: 00000000000000d8 R15: 0000000000000000
[75202.742876] FS: 0000000000000000(0000) GS:ffff95da7cc80000(0000) knlGS:0000000000000000
[75202.750971] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[75202.756722] CR2: 00007a5f6af90010 CR3: 0000010263b44002 CR4: 0000000000f70ef0
[75202.763866] PKRU: 55555554
[75202.766581] Call Trace:
[75202.769033] <IRQ>
[75202.771053] ? show_regs+0x6d/0x80
[75202.774483] ? die_addr+0x37/0xa0
[75202.777807] ? exc_general_protection+0x1db/0x480
[75202.782525] ? asm_exc_general_protection+0x27/0x30
[75202.787412] ? kmalloc_trace+0xd7/0x360
[75202.791261] ? flow_offload_alloc+0x64/0x120 [nf_flow_table]
[75202.796938] flow_offload_alloc+0x64/0x120 [nf_flow_table]
[75202.802431] ? nf_conntrack_in+0x113/0x360 [nf_conntrack]
[75202.807846] ? flow_offload_alloc+0x64/0x120 [nf_flow_table]
[75202.813517] tcf_ct_flow_table_process_conn+0xc2/0x1e0 [act_ct]
[75202.819444] tcf_ct_act+0x6c8/0xae0 [act_ct]
[75202.823726] tcf_action_exec+0xbc/0x190
[75202.827571] __tcf_classify+0xcb/0x1f0
[75202.831332] tcf_classify+0xff/0x260
[75202.834920] tc_run+0xa3/0x110
[75202.837987] __netif_receive_skb_core.constprop.0+0x459/0xf90
[75202.843744] ? dev_gro_receive+0xc0/0x350
[75202.847763] ? srso_alias_return_thunk+0x5/0xfbef5
[75202.852565] ? napi_gro_receive+0x73/0x220
[75202.856675] __netif_receive_skb_list_core+0xfd/0x250
[75202.861736] netif_receive_skb_list_internal+0x1a3/0x2d0
[75202.867056] ? srso_alias_return_thunk+0x5/0xfbef5
[75202.871858] ? mlx5e_rx_cq_process_basic_cqe_comp+0x2f7/0x310 [mlx5_core]
[75202.878752] napi_complete_done+0x74/0x1c0
[75202.882855] mlx5e_napi_poll+0x190/0x7b0 [mlx5_core]
[75202.887911] __napi_poll+0x33/0x200
[75202.891753] net_rx_action+0x181/0x2e0
[75202.895849] handle_softirqs+0xdb/0x340
[75202.900027] __irq_exit_rcu+0xd9/0x100
[75202.904103] irq_exit_rcu+0xe/0x20
[75202.907828] common_interrupt+0xa4/0xb0
[75202.911983] </IRQ>
[75202.914387] <TASK>
[75202.916786] asm_common_interrupt+0x27/0x40
[75202.921258] RIP: 0010:mwait_idle+0x50/0x80

This is caused by use-after-free in slab (kmalloc-256).

Issue 2, soft lockup:

[148720.717134] watchdog: BUG: soft lockup - CPU#3 stuck for 7923s! [swapper/3:0]
[148720.725207] Modules linked in: act_csum act_pedit act_tunnel_key vhost_net vhost tap vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd xt_CT xt_tcpudp nft_compat nf_tables veth
act_ct nf_flow_table nf_conntrack_netlink nvme_fabrics nvme_keyring xfs dm_crypt act_skbedit act_vlan act_mirred cls_matchall geneve ip6_udp_tunnel udp_tunnel nfnetlink_cttimeout nfnet
link act_gact cls_flower sch_ingress openvswitch nsh nf_conncount nf_nat 8021q garp mrp stp llc bonding sunrpc binfmt_misc nls_iso8859_1 mlx5_vdpa vringh vhost_iotlb vdpa intel_rapl_ms
r intel_rapl_common amd64_edac edac_mce_amd kvm_amd kvm irqbypass rapl dell_wmi video ledtrig_audio sparse_keymap dell_smbios dcdbas dell_wmi_descriptor wmi_bmof ipmi_ssif ccp ptdma k1
0temp acpi_power_meter ipmi_si acpi_ipmi ipmi_devintf ipmi_msghandler mac_hid dm_service_time sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 msr efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov
[148720.725328] async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c mlx5_ib ib_uverbs macsec ib_core ses enclosure raid1 raid0 bcache mlx5_core crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel mlxfw mpt3sas sha256_ssse3 nvme psample ahci sha1_ssse3 raid_class tg3 nvme_core tls libahci xhci_pci mgag200 nvme_auth scsi_transport_sas i2c_algo_bit pci_hyperv_intf i2c_piix4 xhci_pci_renesas wmi aesni_intel crypto_simd cryptd
[148720.725385] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G L 6.8.0-57-generic #59~22.04.1-Ubuntu
[148720.725388] Hardware name: Dell Inc. PowerEdge R7525/0H3K7P, BIOS 2.16.3 09/10/2024
[148720.725390] RIP: 0010:flow_offload_hash_cmp+0x1f/0x40 [nf_flow_table]
[148720.725398] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 8b 47 08 ba 32 00 00 00 48 8d 7e 08 48 89 c6 48 89 e5 e8 62 4a b6 fa 5d <85> c0 0f 95 c0 0f b6 c0 31 d2 31 f6 31 ff e9 b9 3b ee fa 66 66 2e
[148720.725401] RSP: 0018:ffffad9f403fc928 EFLAGS: 00000246
[148720.725404] RAX: 0000000000000004 RBX: ffff8a8f9a3c3a40 RCX: 0000000000000000
[148720.725406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[148720.725409] RBP: ffffad9f403fc990 R08: 0000000000000000 R09: 000000000000003c
[148720.725411] R10: 000000000000003c R11: 0000000000000000 R12: ffff89b49b080000
[148720.725413] R13: 0000000000000000 R14: ffff89b49b09e6b8 R15: ffff89b2ba69ea58
[148720.725415] FS: 0000000000000000(0000) GS:ffff8a8f3bf80000(0000) knlGS:0000000000000000
[148720.725417] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[148720.725419] CR2: 000056c0ae793900 CR3: 000000021d904002 CR4: 0000000000f70ef0
[148720.725421] PKRU: 55555554
[148720.725423] Call Trace:
[148720.725426] <IRQ>
[148720.725428] ? show_regs+0x6d/0x80
[148720.725435] ? watchdog_timer_fn+0x206/0x290
[148720.725441] ? __pfx_watchdog_timer_fn+0x10/0x10
[148720.725445] ? __hrtimer_run_queues+0x112/0x2a0
[148720.725450] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725457] ? hrtimer_interrupt+0xf6/0x250
[148720.725462] ? __sysvec_apic_timer_interrupt+0x51/0x120
[148720.725467] ? sysvec_apic_timer_interrupt+0x3b/0xd0
[148720.725473] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[148720.725479] ? flow_offload_hash_cmp+0x1f/0x40 [nf_flow_table]
[148720.725484] ? flow_offload_lookup+0xb2/0x180 [nf_flow_table]
[148720.725491] tcf_ct_flow_table_lookup.isra.0+0x244/0x6b0 [act_ct]
[148720.725494] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725499] ? ovs_dp_process_packet+0x1af/0x220 [openvswitch]
[148720.725518] tcf_ct_act+0x23d/0xae0 [act_ct]
[148720.725524] tcf_action_exec+0xbc/0x190
[148720.725531] __tcf_classify+0xcb/0x1f0
[148720.725535] tcf_classify+0xff/0x260
[148720.725539] tc_run+0xa3/0x110
[148720.725543] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725547] __netif_receive_skb_core.constprop.0+0x459/0xf90
[148720.725552] ? dev_gro_receive+0x150/0x350
[148720.725557] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725560] ? napi_gro_receive+0x73/0x220
[148720.725564] __netif_receive_skb_list_core+0xfd/0x250
[148720.725569] netif_receive_skb_list_internal+0x1a3/0x2d0
[148720.725573] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725578] ? mlx5e_rx_cq_process_basic_cqe_comp+0x2f7/0x310 [mlx5_core]
[148720.725688] napi_complete_done+0x74/0x1c0
[148720.725693] mlx5e_napi_poll+0x190/0x7b0 [mlx5_core]
[148720.725782] __napi_poll+0x33/0x200
[148720.725786] net_rx_action+0x181/0x2e0
[148720.725792] handle_softirqs+0xdb/0x340
[148720.725799] __irq_exit_rcu+0xd9/0x100
[148720.725802] irq_exit_rcu+0xe/0x20

before soft lockup, we see some error messages from mlx5, e.g.:

[486111.016058] mlx5_core 0000:41:00.1 ens3f1: NETDEV WATCHDOG: CPU: 119: transmit queue 0 timed out 17547 ms
[486111.025773] mlx5_core 0000:41:00.1 ens3f1: TX timeout detected
[486111.031726] mlx5_core 0000:41:00.1 ens3f1: TX timeout on queue: 0, SQ: 0x11d0, CQ: 0x1487, SQ Cons: 0xae7a SQ Prod: 0xaec3, usecs since last trans: 17562000
[486111.045845] mlx5_core 0000:41:00.1 ens3f1: EQ 0x7: Cons = 0x8ac57014, irqn = 0x5f5

Kernel cmdline:
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8 nvme_core.multipath=0 amd_iommu=on iommu=pt probe_vf=0 transparent_hugepage=never hugepagesz=1G hugepages=1536 default_hugepagesz=1G"

[Fix]

This upstream commit fixes it:

commit 03428ca5cee9f0792edc996c06ce4514816af1fb
Author: Florian Westphal <fw@strlen.de>
Date: Tue Jan 14 00:50:36 2025 +0100

netfilter: conntrack: rework offload nf_conn timeout extension
logic

And a dependency:

commit 31768596b15aa8c9c55f078acad29d0238c8269b
Author: Florian Westphal <fw@strlen.de>
Date: Tue Jan 14 00:50:35 2025 +0100

netfilter: conntrack: remove skb argument from nf_ct_refresh

This patch fixes ct use-after-free and packet gets stuck issues, which
should be related to the above two call traces.

[Test Plan]

This issue can only be reproduced on PS6/7 with mlx5 NIC and ovs hw-offload enabled.
We have run test kernel with these 2 patches for 3 weeks, it's been working fine.

[Where problems could occur]

The patch makes sure to take a refcount on ct and test offload bits, it could prevent ct being used after it's removed.
And also modifies flow offload teardown logic, if there is anything wrong, the ovs flow offload might be broken.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2139322/+subscriptions

[Bug 2139322] Re: Fix conntrack use after free when ovs hardware offload is enabled

** Summary changed:

- Enable mlx5 ovs hardware offload causes multiple issues
+ Fix conntrack use after free when ovs hardware offload is enabled

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2139322

Title:
Fix conntrack use after free when ovs hardware offload is enabled

Status in linux package in Ubuntu:
In Progress
Status in linux source package in Noble:
In Progress

Bug description:
BugLink: https://bugs.launchpad.net/bugs/2139322

[Impact]

Enable mlx5 ovs hardware offload on 6.8 kernel, we see different issues on our production environment,
it only happens under real and heavy workloads.

Issue 1, general protection fault:

[75202.650580] general protection fault, probably for non-canonical address 0x9cad655f9b42c237: 0000 [#1] PREEMPT SMP NOPTI
[75202.661464] CPU: 29 PID: 0 Comm: swapper/29 Kdump: loaded Not tainted 6.8.0-51-generic #52~22.04.1-Ubuntu
[75202.671039] Hardware name: Dell Inc. PowerEdge R7525/0H3K7P, BIOS 2.15.2 04/02/2024
[75202.678701] RIP: 0010:kmalloc_trace+0xd7/0x360
[75202.683158] Code: 83 78 10 00 48 8b 38 0f 84 36 02 00 00 48 85 ff 0f 84 2d 02 00 00 41 8b 44 24 28 49 8b 9c 24 b8 00 00 00 49 8b 34 24 48 01 f8 <48> 33 18 48 89 c1 48 89 f8 48 0f c9 48 31 cb 48 8d 8a 00 20 00 00
[75202.701933] RSP: 0018:ffffabfc19a08990 EFLAGS: 00010282
[75202.707166] RAX: 9cad655f9b42c237 RBX: 1c00e25717636e48 RCX: 0000000000000000
[75202.714310] RDX: 000000bec1e5c01d RSI: 000000000003b980 RDI: 9cad655f9b42c1b7
[75202.721449] RBP: ffffabfc19a089e0 R08: 0000000000000000 R09: 0000000000000000
[75202.728593] R10: ffffabfc19a08a00 R11: 0000000000000000 R12: ffff94db00050c00
[75202.735735] R13: 0000000000000920 R14: 00000000000000d8 R15: 0000000000000000
[75202.742876] FS: 0000000000000000(0000) GS:ffff95da7cc80000(0000) knlGS:0000000000000000
[75202.750971] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[75202.756722] CR2: 00007a5f6af90010 CR3: 0000010263b44002 CR4: 0000000000f70ef0
[75202.763866] PKRU: 55555554
[75202.766581] Call Trace:
[75202.769033] <IRQ>
[75202.771053] ? show_regs+0x6d/0x80
[75202.774483] ? die_addr+0x37/0xa0
[75202.777807] ? exc_general_protection+0x1db/0x480
[75202.782525] ? asm_exc_general_protection+0x27/0x30
[75202.787412] ? kmalloc_trace+0xd7/0x360
[75202.791261] ? flow_offload_alloc+0x64/0x120 [nf_flow_table]
[75202.796938] flow_offload_alloc+0x64/0x120 [nf_flow_table]
[75202.802431] ? nf_conntrack_in+0x113/0x360 [nf_conntrack]
[75202.807846] ? flow_offload_alloc+0x64/0x120 [nf_flow_table]
[75202.813517] tcf_ct_flow_table_process_conn+0xc2/0x1e0 [act_ct]
[75202.819444] tcf_ct_act+0x6c8/0xae0 [act_ct]
[75202.823726] tcf_action_exec+0xbc/0x190
[75202.827571] __tcf_classify+0xcb/0x1f0
[75202.831332] tcf_classify+0xff/0x260
[75202.834920] tc_run+0xa3/0x110
[75202.837987] __netif_receive_skb_core.constprop.0+0x459/0xf90
[75202.843744] ? dev_gro_receive+0xc0/0x350
[75202.847763] ? srso_alias_return_thunk+0x5/0xfbef5
[75202.852565] ? napi_gro_receive+0x73/0x220
[75202.856675] __netif_receive_skb_list_core+0xfd/0x250
[75202.861736] netif_receive_skb_list_internal+0x1a3/0x2d0
[75202.867056] ? srso_alias_return_thunk+0x5/0xfbef5
[75202.871858] ? mlx5e_rx_cq_process_basic_cqe_comp+0x2f7/0x310 [mlx5_core]
[75202.878752] napi_complete_done+0x74/0x1c0
[75202.882855] mlx5e_napi_poll+0x190/0x7b0 [mlx5_core]
[75202.887911] __napi_poll+0x33/0x200
[75202.891753] net_rx_action+0x181/0x2e0
[75202.895849] handle_softirqs+0xdb/0x340
[75202.900027] __irq_exit_rcu+0xd9/0x100
[75202.904103] irq_exit_rcu+0xe/0x20
[75202.907828] common_interrupt+0xa4/0xb0
[75202.911983] </IRQ>
[75202.914387] <TASK>
[75202.916786] asm_common_interrupt+0x27/0x40
[75202.921258] RIP: 0010:mwait_idle+0x50/0x80

This is caused by use-after-free in slab (kmalloc-256).

Issue 2, soft lockup:

[148720.717134] watchdog: BUG: soft lockup - CPU#3 stuck for 7923s! [swapper/3:0]
[148720.725207] Modules linked in: act_csum act_pedit act_tunnel_key vhost_net vhost tap vfio_pci vfio_pci_core vfio_iommu_type1 vfio iommufd xt_CT xt_tcpudp nft_compat nf_tables veth
act_ct nf_flow_table nf_conntrack_netlink nvme_fabrics nvme_keyring xfs dm_crypt act_skbedit act_vlan act_mirred cls_matchall geneve ip6_udp_tunnel udp_tunnel nfnetlink_cttimeout nfnet
link act_gact cls_flower sch_ingress openvswitch nsh nf_conncount nf_nat 8021q garp mrp stp llc bonding sunrpc binfmt_misc nls_iso8859_1 mlx5_vdpa vringh vhost_iotlb vdpa intel_rapl_ms
r intel_rapl_common amd64_edac edac_mce_amd kvm_amd kvm irqbypass rapl dell_wmi video ledtrig_audio sparse_keymap dell_smbios dcdbas dell_wmi_descriptor wmi_bmof ipmi_ssif ccp ptdma k1
0temp acpi_power_meter ipmi_si acpi_ipmi ipmi_devintf ipmi_msghandler mac_hid dm_service_time sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 msr efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov
[148720.725328] async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c mlx5_ib ib_uverbs macsec ib_core ses enclosure raid1 raid0 bcache mlx5_core crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel mlxfw mpt3sas sha256_ssse3 nvme psample ahci sha1_ssse3 raid_class tg3 nvme_core tls libahci xhci_pci mgag200 nvme_auth scsi_transport_sas i2c_algo_bit pci_hyperv_intf i2c_piix4 xhci_pci_renesas wmi aesni_intel crypto_simd cryptd
[148720.725385] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Tainted: G L 6.8.0-57-generic #59~22.04.1-Ubuntu
[148720.725388] Hardware name: Dell Inc. PowerEdge R7525/0H3K7P, BIOS 2.16.3 09/10/2024
[148720.725390] RIP: 0010:flow_offload_hash_cmp+0x1f/0x40 [nf_flow_table]
[148720.725398] Code: 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 8b 47 08 ba 32 00 00 00 48 8d 7e 08 48 89 c6 48 89 e5 e8 62 4a b6 fa 5d <85> c0 0f 95 c0 0f b6 c0 31 d2 31 f6 31 ff e9 b9 3b ee fa 66 66 2e
[148720.725401] RSP: 0018:ffffad9f403fc928 EFLAGS: 00000246
[148720.725404] RAX: 0000000000000004 RBX: ffff8a8f9a3c3a40 RCX: 0000000000000000
[148720.725406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[148720.725409] RBP: ffffad9f403fc990 R08: 0000000000000000 R09: 000000000000003c
[148720.725411] R10: 000000000000003c R11: 0000000000000000 R12: ffff89b49b080000
[148720.725413] R13: 0000000000000000 R14: ffff89b49b09e6b8 R15: ffff89b2ba69ea58
[148720.725415] FS: 0000000000000000(0000) GS:ffff8a8f3bf80000(0000) knlGS:0000000000000000
[148720.725417] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[148720.725419] CR2: 000056c0ae793900 CR3: 000000021d904002 CR4: 0000000000f70ef0
[148720.725421] PKRU: 55555554
[148720.725423] Call Trace:
[148720.725426] <IRQ>
[148720.725428] ? show_regs+0x6d/0x80
[148720.725435] ? watchdog_timer_fn+0x206/0x290
[148720.725441] ? __pfx_watchdog_timer_fn+0x10/0x10
[148720.725445] ? __hrtimer_run_queues+0x112/0x2a0
[148720.725450] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725457] ? hrtimer_interrupt+0xf6/0x250
[148720.725462] ? __sysvec_apic_timer_interrupt+0x51/0x120
[148720.725467] ? sysvec_apic_timer_interrupt+0x3b/0xd0
[148720.725473] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[148720.725479] ? flow_offload_hash_cmp+0x1f/0x40 [nf_flow_table]
[148720.725484] ? flow_offload_lookup+0xb2/0x180 [nf_flow_table]
[148720.725491] tcf_ct_flow_table_lookup.isra.0+0x244/0x6b0 [act_ct]
[148720.725494] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725499] ? ovs_dp_process_packet+0x1af/0x220 [openvswitch]
[148720.725518] tcf_ct_act+0x23d/0xae0 [act_ct]
[148720.725524] tcf_action_exec+0xbc/0x190
[148720.725531] __tcf_classify+0xcb/0x1f0
[148720.725535] tcf_classify+0xff/0x260
[148720.725539] tc_run+0xa3/0x110
[148720.725543] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725547] __netif_receive_skb_core.constprop.0+0x459/0xf90
[148720.725552] ? dev_gro_receive+0x150/0x350
[148720.725557] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725560] ? napi_gro_receive+0x73/0x220
[148720.725564] __netif_receive_skb_list_core+0xfd/0x250
[148720.725569] netif_receive_skb_list_internal+0x1a3/0x2d0
[148720.725573] ? srso_alias_return_thunk+0x5/0xfbef5
[148720.725578] ? mlx5e_rx_cq_process_basic_cqe_comp+0x2f7/0x310 [mlx5_core]
[148720.725688] napi_complete_done+0x74/0x1c0
[148720.725693] mlx5e_napi_poll+0x190/0x7b0 [mlx5_core]
[148720.725782] __napi_poll+0x33/0x200
[148720.725786] net_rx_action+0x181/0x2e0
[148720.725792] handle_softirqs+0xdb/0x340
[148720.725799] __irq_exit_rcu+0xd9/0x100
[148720.725802] irq_exit_rcu+0xe/0x20

before soft lockup, we see some error messages from mlx5, e.g.:

[486111.016058] mlx5_core 0000:41:00.1 ens3f1: NETDEV WATCHDOG: CPU: 119: transmit queue 0 timed out 17547 ms
[486111.025773] mlx5_core 0000:41:00.1 ens3f1: TX timeout detected
[486111.031726] mlx5_core 0000:41:00.1 ens3f1: TX timeout on queue: 0, SQ: 0x11d0, CQ: 0x1487, SQ Cons: 0xae7a SQ Prod: 0xaec3, usecs since last trans: 17562000
[486111.045845] mlx5_core 0000:41:00.1 ens3f1: EQ 0x7: Cons = 0x8ac57014, irqn = 0x5f5

Kernel cmdline:
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8 nvme_core.multipath=0 amd_iommu=on iommu=pt probe_vf=0 transparent_hugepage=never hugepagesz=1G hugepages=1536 default_hugepagesz=1G"

[Fix]

This upstream commit fixes it:

commit 03428ca5cee9f0792edc996c06ce4514816af1fb
Author: Florian Westphal <fw@strlen.de>
Date: Tue Jan 14 00:50:36 2025 +0100

netfilter: conntrack: rework offload nf_conn timeout extension
logic

This patch fixes ct use-after-free and packet gets stuck issues, which
should be related to the above two call traces.

[Test Plan]

This issue can only be reproduced on our production environment with mlx5 NIC and ovs hw-offload enabled.
We need to run the kernel on the environment for few weeks to confirm it's fixed.

[Where problems could occur]

The patch makes sure to take a refcount on ct and test offload bits, it could prevent ct being used after it's removed.
And also modifies flow offload teardown logic, if there is anything wrong, the ovs flow offload might be broken.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2139322/+subscriptions

[Bug 2037490] Re: UBSAN: array-index-out-of-bounds in /build/linux-IPoq5q/linux-6.5.0/drivers/message/fusion/mptsas.c

The bug still exists in Noble's 6.8 kernel.

[ 0.000000] Linux version 6.8.0-100-generic (buildd@lcy02-amd64-061)
(x86_64-linux-gnu-gcc-13 (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0, GNU ld
(GNU Binutils for Ubuntu) 2.42) #100-Ubuntu SMP PREEMPT_DYNAMIC Tue Jan
13 16:40:06 UTC 2026 (Ubuntu 6.8.0-100.100-generic 6.8.12)

[ 12.844084] ------------[ cut here ]------------
[ 12.844089] UBSAN: array-index-out-of-bounds in /build/linux-ylyFjh/linux-6.8.0/drivers/message/fusion/mptsas.c:2446:22
[ 12.844095] index 1 is out of range for type 'MPI_SAS_IO_UNIT0_PHY_DATA [1]'
[ 12.844099] CPU: 12 PID: 249 Comm: (udev-worker) Not tainted 6.8.0-100-generic #100-Ubuntu
[ 12.844104] Hardware name: Supermicro X8DTN+-F/X8DTN+-F, BIOS 2.1c 10/28/2011
[ 12.844107] Call Trace:
[ 12.844111] <TASK>
[ 12.844115] dump_stack_lvl+0x76/0xa0
[ 12.844127] dump_stack+0x10/0x20
[ 12.844132] __ubsan_handle_out_of_bounds+0xc6/0x110
[ 12.844141] mptsas_sas_io_unit_pg0+0x3d9/0x3f0 [mptsas]
[ 12.844156] mptsas_probe_hba_phys.isra.0+0x82/0x4c0 [mptsas]
[ 12.844166] ? __pfx_scsi_runtime_idle+0x10/0x10
[ 12.844172] ? rpm_idle+0x1dc/0x2b0
[ 12.844181] mptsas_scan_sas_topology+0x32/0x210 [mptsas]
[ 12.844191] ? scsi_autopm_put_host+0x1a/0x30
[ 12.844197] mptsas_probe.part.0+0x3cc/0x570 [mptsas]
[ 12.844208] mptsas_probe+0x1e/0x30 [mptsas]
[ 12.844218] local_pci_probe+0x44/0xb0
[ 12.844224] pci_call_probe+0x55/0x1a0
[ 12.844230] pci_device_probe+0x84/0x120
[ 12.844236] really_probe+0x1c4/0x410
[ 12.844241] __driver_probe_device+0x8c/0x180
[ 12.844246] driver_probe_device+0x24/0xd0
[ 12.844251] __driver_attach+0x10b/0x210
[ 12.844255] ? __pfx___driver_attach+0x10/0x10
[ 12.844259] bus_for_each_dev+0x8a/0xf0
[ 12.844266] driver_attach+0x1e/0x30
[ 12.844272] bus_add_driver+0x14e/0x290
[ 12.844279] driver_register+0x5e/0x130
[ 12.844284] ? __pfx_mptsas_init+0x10/0x10 [mptsas]
[ 12.844292] __pci_register_driver+0x5e/0x70
[ 12.844300] mptsas_init+0x119/0xff0 [mptsas]
[ 12.844308] do_one_initcall+0x5b/0x340
[ 12.844318] do_init_module+0x97/0x290
[ 12.844325] load_module+0xb5f/0xca0
[ 12.844332] init_module_from_file+0x96/0x100
[ 12.844337] ? init_module_from_file+0x96/0x100
[ 12.844344] idempotent_init_module+0x11c/0x310
[ 12.844350] __x64_sys_finit_module+0x64/0xd0
[ 12.844355] x64_sys_call+0x2019/0x25a0
[ 12.844360] do_syscall_64+0x7f/0x180
[ 12.844365] ? arch_exit_to_user_mode_prepare.isra.0+0x1a/0xe0
[ 12.844371] ? syscall_exit_to_user_mode+0x43/0x1e0
[ 12.844376] ? do_syscall_64+0x8c/0x180
[ 12.844381] ? generic_file_llseek+0x24/0x40
[ 12.844388] ? ksys_lseek+0x7d/0xd0
[ 12.844393] ? do_sync_core+0x2c/0x40
[ 12.844400] ? __flush_smp_call_function_queue+0x9f/0x440
[ 12.844408] ? arch_exit_to_user_mode_prepare.isra.0+0x1a/0xe0
[ 12.844413] ? irqentry_exit_to_user_mode+0x38/0x1e0
[ 12.844418] ? irqentry_exit+0x43/0x50
[ 12.844423] entry_SYSCALL_64_after_hwframe+0x78/0x80
[ 12.844431] RIP: 0033:0x79c271fb128d
[ 12.844439] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48
[ 12.844443] RSP: 002b:00007ffc1c4b4ef8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 12.844449] RAX: ffffffffffffffda RBX: 000062b45fb0e050 RCX: 000079c271fb128d
[ 12.844452] RDX: 0000000000000004 RSI: 000079c2720ee07d RDI: 0000000000000024
[ 12.844455] RBP: 00007ffc1c4b4fb0 R08: 0000000000000040 R09: 00007ffc1c4b4f40
[ 12.844458] R10: 000079c27208db20 R11: 0000000000000246 R12: 000079c2720ee07d
[ 12.844461] R13: 0000000000020000 R14: 000062b45fb00de0 R15: 000062b45fb0fc30
[ 12.844467] </TASK>
[ 12.844469] ---[ end trace ]---
[ 12.844472] ------------[ cut here ]------------

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2037490

Title:
UBSAN: array-index-out-of-bounds in /build/linux-
IPoq5q/linux-6.5.0/drivers/message/fusion/mptsas.c

Status in linux package in Ubuntu:
Won't Fix

Bug description:
Steps to reproduce:
1. install a ubuntu 23.10 VM on an ESXi Server
2. hot add a lsilogicsas controller and a lsilogicsas disk

Call Trace will be reported in dmesg log

[ 176.181166] ================================================================================
[ 176.181167] UBSAN: array-index-out-of-bounds in /build/linux-IPoq5q/linux-6.5.0/drivers/message/fusion/mptsas.c:2448:22
[ 176.181171] index 1 is out of range for type 'MPI_SAS_IO_UNIT0_PHY_DATA [1]'
[ 176.181174] CPU: 0 PID: 2102 Comm: (udev-worker) Not tainted 6.5.0-5-generic #5-Ubuntu
[ 176.181177] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.21805430.B64.2305221830 05/22/2023
[ 176.181179] Call Trace:
[ 176.181181] <TASK>
[ 176.181183] dump_stack_lvl+0x48/0x70
[ 176.181228] dump_stack+0x10/0x20
[ 176.181232] __ubsan_handle_out_of_bounds+0xc6/0x110
[ 176.181236] mptsas_sas_io_unit_pg0+0x3b1/0x3f0 [mptsas]
[ 176.181248] mptsas_probe_hba_phys.isra.0+0x55/0x490 [mptsas]
[ 176.181257] ? __pfx_scsi_runtime_idle+0x10/0x10
[ 176.181264] ? rpm_idle+0x1dc/0x2b0
[ 176.181269] mptsas_scan_sas_topology+0x32/0x210 [mptsas]
[ 176.181277] ? scsi_autopm_put_host+0x1a/0x30
[ 176.181280] mptsas_probe.part.0+0x3cc/0x570 [mptsas]
[ 176.181289] mptsas_probe+0x1e/0x30 [mptsas]
[ 176.181298] local_pci_probe+0x44/0xb0
[ 176.181302] pci_call_probe+0x55/0x190
[ 176.181307] pci_device_probe+0x84/0x120
[ 176.181312] really_probe+0x1c4/0x410
[ 176.181316] __driver_probe_device+0x8c/0x180
[ 176.181320] driver_probe_device+0x24/0xd0
[ 176.181324] __driver_attach+0x10b/0x210
[ 176.181327] ? __pfx___driver_attach+0x10/0x10
[ 176.181330] bus_for_each_dev+0x8a/0xf0
[ 176.181333] driver_attach+0x1e/0x30
[ 176.181336] bus_add_driver+0x127/0x240
[ 176.181340] driver_register+0x5e/0x130
[ 176.181343] ? __pfx_mptsas_init+0x10/0x10 [mptsas]
[ 176.181352] __pci_register_driver+0x62/0x70
[ 176.181356] mptsas_init+0x119/0xff0 [mptsas]
[ 176.181365] do_one_initcall+0x5b/0x340
[ 176.181371] do_init_module+0x68/0x260
[ 176.181375] load_module+0xba1/0xcf0
[ 176.181380] ? vfree+0xff/0x2d0
[ 176.181385] init_module_from_file+0x96/0x100
[ 176.181388] ? init_module_from_file+0x96/0x100
[ 176.181394] idempotent_init_module+0x11c/0x2b0
[ 176.181399] __x64_sys_finit_module+0x64/0xd0
[ 176.181402] do_syscall_64+0x59/0x90
[ 176.181409] ? exit_to_user_mode_prepare+0x30/0xb0
[ 176.181413] ? syscall_exit_to_user_mode+0x37/0x60
[ 176.181417] ? do_syscall_64+0x68/0x90
[ 176.181421] ? syscall_exit_to_user_mode+0x37/0x60
[ 176.181424] ? do_syscall_64+0x68/0x90
[ 176.181428] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 176.181432] RIP: 0033:0x7f847a725c5d
[ 176.181441] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 8b 71 13 00 f7 d8 64 89 01 48
[ 176.181481] RSP: 002b:00007fff6734e878 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 176.181484] RAX: ffffffffffffffda RBX: 0000563ba212a6b0 RCX: 00007f847a725c5d
[ 176.181486] RDX: 0000000000000004 RSI: 00007f847aa0144a RDI: 000000000000000d
[ 176.181488] RBP: 00007f847aa0144a R08: 0000000000000040 R09: fffffffffffffde0
[ 176.181490] R10: fffffffffffffe18 R11: 0000000000000246 R12: 0000000000020000
[ 176.181526] R13: 0000563ba2216ae0 R14: 0000000000000000 R15: 0000563ba20dff90
[ 176.181531] </TASK>
[ 176.181532] ================================================================================
---
ProblemType: Bug
ApportVersion: 2.27.0-0ubuntu2
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/seq: vmware 950 F.... pipewire
CRDA: N/A
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 23.10
InstallationDate: Installed on 2023-09-26 (0 days ago)
InstallationMedia: Ubuntu 23.10 "Mantic Minotaur" - Beta amd64 (20230919.1)
IwConfig:
lo no wireless extensions.

ens33 no wireless extensions.
Lsusb: Error: command ['lsusb'] failed with exit code 1:
Lsusb-t:

Lsusb-v: Error: command ['lsusb', '-v'] failed with exit code 1:
MachineType: {report['dmi.sys.vendor']} {report['dmi.product.name']}
Package: linux (not installed)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
ProcFB: 0 vmwgfxdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.5.0-5-generic root=UUID=e70caf6c-4fa5-4fd6-9a60-61d851a337f9 ro quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 6.5.0-5.5-generic 6.5.0
RelatedPackageVersions:
linux-restricted-modules-6.5.0-5-generic N/A
linux-backports-modules-6.5.0-5-generic N/A
linux-firmware 20230919.git3672ccab-0ubuntu2
RfKill:

Tags: mantic
Uname: Linux 6.5.0-5-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: N/A
_MarkForUpload: True
dmi.bios.date: 05/22/2023
dmi.bios.vendor: VMware, Inc.
dmi.bios.version: VMW201.00V.21805430.B64.2305221830
dmi.board.name: 440BX Desktop Reference Platform
dmi.board.vendor: Intel Corporation
dmi.board.version: None
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 1
dmi.chassis.vendor: No Enclosure
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnVMware,Inc.:bvrVMW201.00V.21805430.B64.2305221830:bd05/22/2023:svnVMware,Inc.:pnVMware20,1:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:sku:
dmi.product.name: VMware20,1
dmi.product.version: None
dmi.sys.vendor: VMware, Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2037490/+subscriptions

[Bug 2101816] Re: [amdgpu] Crash with SIGABRT in amdgpu_ctx_set_sw_reset_status() from amdgpu_cs_submit_ib() from util_queue_thread_func() from impl_thrd_routine() from start_thread()

I hit what seems to be the same/similar crash (lockup) several times in
late January, and managed to get a dmesg log on Feb 1. I've attached
what I can of it here.

** Attachment added: "The dmesg logs I could retrieve of the crash"
https://bugs.launchpad.net/ubuntu/+source/mesa/+bug/2101816/+attachment/5944394/+files/gpu-crash.log

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2101816

Title:
[amdgpu] Crash with SIGABRT in amdgpu_ctx_set_sw_reset_status() from
amdgpu_cs_submit_ib() from util_queue_thread_func() from
impl_thrd_routine() from start_thread()

Status in Mesa:
New
Status in Mutter:
New
Status in linux package in Ubuntu:
Confirmed
Status in mesa package in Ubuntu:
Confirmed
Status in mutter package in Ubuntu:
Triaged
Status in xwayland package in Ubuntu:
Triaged

Bug description:
The Ubuntu Error Tracker has been receiving reports about a problem regarding gnome-shell. This problem was most recently seen with package version 48~beta-3ubuntu1, the problem page at https://errors.ubuntu.com/problem/fb85627cf28fc2fa707952f5c3c1a887e8f2b5fb contains more details, including versions of packages affected, stacktrace or traceback, and individual crash reports.
If you do not have access to the Ubuntu Error Tracker and are a software developer, you can request it at http://forms.canonical.com/reports/.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mesa/+bug/2101816/+subscriptions

[Bug 2132119] Re: [HP][ZBook Power 16 G11] Laptop freezed after upgrading the BIOS

I am experiencing the same issue. Is there any way to re-open this?

Kernel: 6.8.0-94-generic #96~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 16 13:19:05 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
System Firmware Version: 0x01080200

pcieport 0000:00:1c.0: AER: Correctable error message received from 0000:58:00.0
rtsx_pci 0000:58:00.0: PCIe Bus Error: severity=Correctable, type=Data Link Layer, (Transmitter ID)
rtsx_pci 0000:58:00.0: device [10ec:525a] error status/mask=00001000/00006000
rtsx_pci 0000:58:00.0: [12] Timeout

** Changed in: linux (Ubuntu)
Status: Expired => Confirmed

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2132119

Title:
[HP][ZBook Power 16 G11] Laptop freezed after upgrading the BIOS

Status in linux package in Ubuntu:
Confirmed

Bug description:
Hi team,
I experienced a serious bug on my laptop after upgrading a new BIOS with firmware-updater application. The details are:
Environment:
Laptop: HP ZBook Power 16 inch G11
OS ver: Ubuntu 24.04.3
BIOS Information
        Vendor: HP
        Version: W97 Ver. 01.07.01
        Release Date: 09/24/2025
Kernel: 6.17.0-1005-oem
DE: GNOME

Problem description:

My laptop is working well with the previous BIOS with ver: 01.06.01.
However, a notification says there's a new BIOS release and suggests
upgrading. After the upgrade, reboot the laptop, works as usual. But,
it can't reboot or shutdown, it remains freezing after exection the
commands. By entering the text model I can see the logs as below:

2025-11-20T20:28:08.362397+08:00 zbook-g11 kernel: pcieport 0000:00:1c.0: AER: Correctable error message received from 0000:56:00.0
2025-11-20T20:28:08.362397+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: PCIe Bus Error: severity=Correctable, type=Data Link Layer, (Transmitter ID)
2025-11-20T20:28:08.362398+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: device [10ec:525a] error status/mask=00001000/00006000
2025-11-20T20:28:08.362399+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: [12] Timeout
2025-11-20T20:28:08.362399+08:00 zbook-g11 kernel: pcieport 0000:00:1c.0: AER: Correctable error message received from 0000:56:00.0
2025-11-20T20:28:08.362400+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: PCIe Bus Error: severity=Correctable, type=Data Link Layer, (Transmitter ID)
2025-11-20T20:28:08.362401+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: device [10ec:525a] error status/mask=00001000/00006000
2025-11-20T20:28:08.362401+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: [12] Timeout
2025-11-20T20:28:08.362402+08:00 zbook-g11 kernel: pcieport 0000:00:1c.0: AER: Correctable error message received from 0000:56:00.0
2025-11-20T20:28:08.362402+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: PCIe Bus Error: severity=Correctable, type=Data Link Layer, (Transmitter ID)
2025-11-20T20:28:08.362403+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: device [10ec:525a] error status/mask=00001000/00006000
2025-11-20T20:28:08.362404+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: [12] Timeout
2025-11-20T20:28:08.362404+08:00 zbook-g11 kernel: pcieport 0000:00:1c.0: AER: Correctable error message received from 0000:56:00.0
2025-11-20T20:28:08.362405+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: PCIe Bus Error: severity=Correctable, type=Data Link Layer, (Transmitter ID)
2025-11-20T20:28:08.362406+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: device [10ec:525a] error status/mask=00001000/00006000
2025-11-20T20:28:08.362406+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: [12] Timeout
2025-11-20T20:28:08.362407+08:00 zbook-g11 kernel: pcieport 0000:00:1c.0: AER: Correctable error message received from 0000:56:00.0
2025-11-20T20:28:08.362408+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: PCIe Bus Error: severity=Correctable, type=Data Link Layer, (Transmitter ID)
2025-11-20T20:28:08.362408+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: device [10ec:525a] error status/mask=00001000/00006000
2025-11-20T20:28:08.362409+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: [12] Timeout
2025-11-20T20:28:08.362414+08:00 zbook-g11 kernel: pcieport 0000:00:1c.0: AER: Correctable error message received from 0000:56:00.0
2025-11-20T20:28:08.362415+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: PCIe Bus Error: severity=Correctable, type=Data Link Layer, (Transmitter ID)
2025-11-20T20:28:08.362415+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: device [10ec:525a] error status/mask=00001000/00006000
2025-11-20T20:28:08.362416+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: [12] Timeout
2025-11-20T20:28:08.363396+08:00 zbook-g11 kernel: pcieport 0000:00:1c.0: AER: Correctable error message received from 0000:56:00.0
2025-11-20T20:28:08.363405+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: PCIe Bus Error: severity=Correctable, type=Data Link Layer, (Transmitter ID)
2025-11-20T20:28:08.363407+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: device [10ec:525a] error status/mask=00001000/00006000
2025-11-20T20:28:08.363407+08:00 zbook-g11 kernel: rtsx_pci 0000:56:00.0: [12] Timeout

I have to do a hard reset to shut down. By searching on Google, the issue is caused by the Realtek SD card reader driver. The temp fix is to add a 'pcie_aspm=off' parameter in the GRUB CMDLINE. Then, it's working.
Can you help check the issue? Firmware or Kernel?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2132119/+subscriptions

[Bug 2141314] [NEW] xhci_find_slot_id_by_port kernel panic on boot on arm64

Public bug reported:

On noble:linux 6.8.0-102.102 running on openstack arm64-vm the kernel panics and doesn't boot properly.
The commit inducing the regression is

xhci: fix stale flag preventig URBs after link state error is cleared

[ 3.942479] xhci_hcd 0000:04:00.0: xHCI Host Controller
[ 3.945493] xhci_hcd 0000:04:00.0: new USB bus registered, assigned bus number 1
[ 3.945585] virtio_net virtio0 enp3s0: renamed from eth0
[ 3.947045] xhci_hcd 0000:04:00.0: hcc params 0x00087001 hci version 0x100 quirks 0x0000000000000010
[ 3.954946] xhci_hcd 0000:04:00.0: xHCI Host Controller
[ 3.955625] xhci_hcd 0000:04:00.0: new USB bus registered, assigned bus number 2
[ 3.958265] xhci_hcd 0000:04:00.0: Host supports USB 3.0 SuperSpeed
[ 3.958951] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.08
[ 3.959702] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 3.960384] usb usb1: Product: xHCI Host Controller
[ 3.960823] usb usb1: Manufacturer: Linux 6.8.0-102-generic xhci-hcd
[ 3.961348] usb usb1: SerialNumber: 0000:04:00.0
[ 3.962227] hub 1-0:1.0: USB hub found
[ 3.962897] hub 1-0:1.0: 4 ports detected
[ 3.963674] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[ 3.964770] usb usb2: New USB device found, idVendor=1d6b, idProduct=0003, bcdDevice= 6.08
[ 3.966255] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 3.966994] usb usb2: Product: xHCI Host Controller
[ 3.967431] usb usb2: Manufacturer: Linux 6.8.0-102-generic xhci-hcd
[ 3.967988] usb usb2: SerialNumber: 0000:04:00.0
[ 3.969233] hub 2-0:1.0: USB hub found
[ 3.969858] hub 2-0:1.0: 4 ports detected
[ 4.009945] [drm] pci: virtio-gpu-pci detected at 0000:09:00.0
[ 4.010569] [drm] features: -virgl +edid -resource_blob -host_visible
[ 4.010571] [drm] features: -context_init
[ 4.018692] [drm] number of scanouts: 1
[ 4.019325] [drm] number of cap sets: 0
[ 4.020235] [drm] Initialized virtio_gpu 0.1.0 0 for 0000:09:00.0 on minor 0
[ 4.024718] Console: switching to colour frame buffer device 160x50
[ 4.033596] virtio-pci 0000:09:00.0: [drm] fb0: virtio_gpudrmfb frame buffer device
Begin: Loading essential drivers ... [ 4.091843] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[ 4.092765] Mem abort info:
[ 4.093051] ESR = 0x0000000096000004
[ 4.093401] EC = 0x25: DABT (current EL), IL = 32 bits
[ 4.093948] SET = 0, FnV = 0
[ 4.094235] EA = 0, S1PTW = 0
[ 4.094531] FSC = 0x04: level 0 translation fault
[ 4.094994] Data abort info:
[ 4.095264] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 4.095834] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 4.096349] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 4.096862] user pgtable: 4k pages, 48-bit VAs, pgdp=000000010864e000
[ 4.097456] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000
[ 4.098115] Internal error: Oops: 0000000096000004 [#1] SMP
[ 4.098629] Modules linked in: crct10dif_ce polyval_ce polyval_generic virtio_gpu ghash_ce virtio_dma_buf sm4 sha2_ce sha256_arm64 sha1_ce virtio_rng xhci_pci xhci_pci_renesas aes_neon_bs aes_neon_blk aes_ce_blk aes_ce_cipher
[ 4.100591] CPU: 0 PID: 185 Comm: init Not tainted 6.8.0-102-generic #102-Ubuntu
[ 4.101297] Hardware name: QEMU KVM Virtual Machine, BIOS 2025.02-8~22.04.0~ppa3 05/14/2025
[ 4.102096] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4.102738] pc : xhci_find_slot_id_by_port+0x80/0x150
[ 4.103224] lr : handle_port_status.isra.0+0xa8/0x9c0
[ 4.103692] sp : ffff800080003d80
[ 4.104020] x29: ffff800080003d80 x28: ffff0000c7d88000 x27: 0000000000000001
[ 4.104683] x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c7b6d3c0
[ 4.105743] x23: 0000000000000001 x22: ffff0000c4116800 x21: 0000000000000001
[ 4.106832] x20: ffff0000c86ec000 x19: 0000000000000001 x18: ffff800080005060
[ 4.107892] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 4.108945] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 4.109983] x11: ffff0000c6ea7908 x10: 0000000000000000 x9 : ffffcafdb9b9e4a0
[ 4.111016] x8 : ffff8000806d3d18 x7 : 0000000000000000 x6 : 0000000000000000
[ 4.112044] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000008801
[ 4.113071] x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000000
[ 4.114095] Call trace:
[ 4.114666] xhci_find_slot_id_by_port+0x80/0x150
[ 4.115454] handle_port_status.isra.0+0xa8/0x9c0
[ 4.116276] xhci_handle_event+0x1d8/0x2b8
[ 4.117045] xhci_irq+0xe8/0x588
[ 4.117693] xhci_msi_irq+0x20/0x48
[ 4.118358] __handle_irq_event_percpu+0x68/0x2c0
[ 4.119149] handle_irq_event+0x58/0xe8
[ 4.119904] handle_fasteoi_irq+0xb0/0x218
[ 4.120633] handle_irq_desc+0x58/0x98
[ 4.121459] generic_handle_domain_irq+0x28/0x50
[ 4.122278] __gic_handle_irq_from_irqson.isra.0+0x180/0x310
[ 4.123155] gic_handle_irq+0x2c/0xa0
[ 4.123831] call_on_irq_stack+0x48/0x68
[ 4.124523] do_interrupt_handler+0xb0/0xc0
[ 4.125308] el1_interrupt+0x48/0xf0
[ 4.125999] el1h_64_irq_handler+0x1c/0x40
[ 4.126694] el1h_64_irq+0x7c/0x80
[ 4.127346] percpu_counter_add_batch+0x7c/0x170
[ 4.128118] set_pte_range+0x100/0x2c8
[ 4.128846] filemap_map_pages+0x198/0x5e8
[ 4.129534] do_read_fault+0x150/0x2f0
[ 4.130196] do_pte_missing+0x208/0x3f8
[ 4.130874] handle_pte_fault+0x12c/0x1a0
[ 4.131549] __handle_mm_fault+0x24c/0x400
[ 4.132250] handle_mm_fault+0xac/0x2e0
[ 4.132919] do_page_fault+0x104/0x538
[ 4.133568] do_translation_fault+0x7c/0xd8
[ 4.134312] do_mem_abort+0x50/0xd0
[ 4.134952] el0_da+0x4c/0x178
[ 4.135526] el0t_64_sync_handler+0xdc/0x158
[ 4.136236] el0t_64_sync+0x1b0/0x1b8
[ 4.136911] Code: b4fffe76 f10402bf 54000542 b9401ec4 (b940a323)
[ 4.137740] ---[ end trace 0000000000000000 ]---
[ 4.138432] Kernel panic - not syncing: Oops: Fatal exception in interrupt
[ 4.139334] SMP: stopping secondary CPUs
[ 4.140021] Kernel Offset: 0x4afd38a10000 from 0xffff800080000000
[ 4.140857] PHYS_OFFSET: 0x40000000
[ 4.141438] CPU features: 0x1,00000021,7002014a,2141720b
[ 4.142251] Memory Limit: none
[ 4.142788] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

** Affects: linux (Ubuntu)
Importance: Undecided
Status: New

** Affects: linux (Ubuntu Noble)
Importance: Undecided
Assignee: Edoardo Canepa (ecanepa)
Status: Triaged

** Also affects: linux (Ubuntu Noble)
Importance: Undecided
Status: New

** Changed in: linux (Ubuntu Noble)
Status: New => Triaged

** Changed in: linux (Ubuntu Noble)
Assignee: (unassigned) => Edoardo Canepa (ecanepa)

** Summary changed:

- Kernel panic on boot on arm64
+ xhci_find_slot_id_by_port kernel panic on boot on arm64

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2141314

Title:
xhci_find_slot_id_by_port kernel panic on boot on arm64

Status in linux package in Ubuntu:
New
Status in linux source package in Noble:
Triaged

Bug description:
On noble:linux 6.8.0-102.102 running on openstack arm64-vm the kernel panics and doesn't boot properly.
The commit inducing the regression is

xhci: fix stale flag preventig URBs after link state error is cleared

[ 3.942479] xhci_hcd 0000:04:00.0: xHCI Host Controller
[ 3.945493] xhci_hcd 0000:04:00.0: new USB bus registered, assigned bus number 1
[ 3.945585] virtio_net virtio0 enp3s0: renamed from eth0
[ 3.947045] xhci_hcd 0000:04:00.0: hcc params 0x00087001 hci version 0x100 quirks 0x0000000000000010
[ 3.954946] xhci_hcd 0000:04:00.0: xHCI Host Controller
[ 3.955625] xhci_hcd 0000:04:00.0: new USB bus registered, assigned bus number 2
[ 3.958265] xhci_hcd 0000:04:00.0: Host supports USB 3.0 SuperSpeed
[ 3.958951] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.08
[ 3.959702] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 3.960384] usb usb1: Product: xHCI Host Controller
[ 3.960823] usb usb1: Manufacturer: Linux 6.8.0-102-generic xhci-hcd
[ 3.961348] usb usb1: SerialNumber: 0000:04:00.0
[ 3.962227] hub 1-0:1.0: USB hub found
[ 3.962897] hub 1-0:1.0: 4 ports detected
[ 3.963674] usb usb2: We don't know the algorithms for LPM for this host, disabling LPM.
[ 3.964770] usb usb2: New USB device found, idVendor=1d6b, idProduct=0003, bcdDevice= 6.08
[ 3.966255] usb usb2: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 3.966994] usb usb2: Product: xHCI Host Controller
[ 3.967431] usb usb2: Manufacturer: Linux 6.8.0-102-generic xhci-hcd
[ 3.967988] usb usb2: SerialNumber: 0000:04:00.0
[ 3.969233] hub 2-0:1.0: USB hub found
[ 3.969858] hub 2-0:1.0: 4 ports detected
[ 4.009945] [drm] pci: virtio-gpu-pci detected at 0000:09:00.0
[ 4.010569] [drm] features: -virgl +edid -resource_blob -host_visible
[ 4.010571] [drm] features: -context_init
[ 4.018692] [drm] number of scanouts: 1
[ 4.019325] [drm] number of cap sets: 0
[ 4.020235] [drm] Initialized virtio_gpu 0.1.0 0 for 0000:09:00.0 on minor 0
[ 4.024718] Console: switching to colour frame buffer device 160x50
[ 4.033596] virtio-pci 0000:09:00.0: [drm] fb0: virtio_gpudrmfb frame buffer device
Begin: Loading essential drivers ... [ 4.091843] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0
[ 4.092765] Mem abort info:
[ 4.093051] ESR = 0x0000000096000004
[ 4.093401] EC = 0x25: DABT (current EL), IL = 32 bits
[ 4.093948] SET = 0, FnV = 0
[ 4.094235] EA = 0, S1PTW = 0
[ 4.094531] FSC = 0x04: level 0 translation fault
[ 4.094994] Data abort info:
[ 4.095264] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 4.095834] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 4.096349] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 4.096862] user pgtable: 4k pages, 48-bit VAs, pgdp=000000010864e000
[ 4.097456] [00000000000000a0] pgd=0000000000000000, p4d=0000000000000000
[ 4.098115] Internal error: Oops: 0000000096000004 [#1] SMP
[ 4.098629] Modules linked in: crct10dif_ce polyval_ce polyval_generic virtio_gpu ghash_ce virtio_dma_buf sm4 sha2_ce sha256_arm64 sha1_ce virtio_rng xhci_pci xhci_pci_renesas aes_neon_bs aes_neon_blk aes_ce_blk aes_ce_cipher
[ 4.100591] CPU: 0 PID: 185 Comm: init Not tainted 6.8.0-102-generic #102-Ubuntu
[ 4.101297] Hardware name: QEMU KVM Virtual Machine, BIOS 2025.02-8~22.04.0~ppa3 05/14/2025
[ 4.102096] pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 4.102738] pc : xhci_find_slot_id_by_port+0x80/0x150
[ 4.103224] lr : handle_port_status.isra.0+0xa8/0x9c0
[ 4.103692] sp : ffff800080003d80
[ 4.104020] x29: ffff800080003d80 x28: ffff0000c7d88000 x27: 0000000000000001
[ 4.104683] x26: 0000000000000001 x25: 0000000000000000 x24: ffff0000c7b6d3c0
[ 4.105743] x23: 0000000000000001 x22: ffff0000c4116800 x21: 0000000000000001
[ 4.106832] x20: ffff0000c86ec000 x19: 0000000000000001 x18: ffff800080005060
[ 4.107892] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 4.108945] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 4.109983] x11: ffff0000c6ea7908 x10: 0000000000000000 x9 : ffffcafdb9b9e4a0
[ 4.111016] x8 : ffff8000806d3d18 x7 : 0000000000000000 x6 : 0000000000000000
[ 4.112044] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000008801
[ 4.113071] x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000000
[ 4.114095] Call trace:
[ 4.114666] xhci_find_slot_id_by_port+0x80/0x150
[ 4.115454] handle_port_status.isra.0+0xa8/0x9c0
[ 4.116276] xhci_handle_event+0x1d8/0x2b8
[ 4.117045] xhci_irq+0xe8/0x588
[ 4.117693] xhci_msi_irq+0x20/0x48
[ 4.118358] __handle_irq_event_percpu+0x68/0x2c0
[ 4.119149] handle_irq_event+0x58/0xe8
[ 4.119904] handle_fasteoi_irq+0xb0/0x218
[ 4.120633] handle_irq_desc+0x58/0x98
[ 4.121459] generic_handle_domain_irq+0x28/0x50
[ 4.122278] __gic_handle_irq_from_irqson.isra.0+0x180/0x310
[ 4.123155] gic_handle_irq+0x2c/0xa0
[ 4.123831] call_on_irq_stack+0x48/0x68
[ 4.124523] do_interrupt_handler+0xb0/0xc0
[ 4.125308] el1_interrupt+0x48/0xf0
[ 4.125999] el1h_64_irq_handler+0x1c/0x40
[ 4.126694] el1h_64_irq+0x7c/0x80
[ 4.127346] percpu_counter_add_batch+0x7c/0x170
[ 4.128118] set_pte_range+0x100/0x2c8
[ 4.128846] filemap_map_pages+0x198/0x5e8
[ 4.129534] do_read_fault+0x150/0x2f0
[ 4.130196] do_pte_missing+0x208/0x3f8
[ 4.130874] handle_pte_fault+0x12c/0x1a0
[ 4.131549] __handle_mm_fault+0x24c/0x400
[ 4.132250] handle_mm_fault+0xac/0x2e0
[ 4.132919] do_page_fault+0x104/0x538
[ 4.133568] do_translation_fault+0x7c/0xd8
[ 4.134312] do_mem_abort+0x50/0xd0
[ 4.134952] el0_da+0x4c/0x178
[ 4.135526] el0t_64_sync_handler+0xdc/0x158
[ 4.136236] el0t_64_sync+0x1b0/0x1b8
[ 4.136911] Code: b4fffe76 f10402bf 54000542 b9401ec4 (b940a323)
[ 4.137740] ---[ end trace 0000000000000000 ]---
[ 4.138432] Kernel panic - not syncing: Oops: Fatal exception in interrupt
[ 4.139334] SMP: stopping secondary CPUs
[ 4.140021] Kernel Offset: 0x4afd38a10000 from 0xffff800080000000
[ 4.140857] PHYS_OFFSET: 0x40000000
[ 4.141438] CPU features: 0x1,00000021,7002014a,2141720b
[ 4.142251] Memory Limit: none
[ 4.142788] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2141314/+subscriptions

[Bug 2140634] Re: package linux-image-6.8.0-94-generic 6.8.0-94.96 failed to install/upgrade: le sous-processus paquet linux-image-6.8.0-94-generic script pre-removal installé a renvoyé un état de sortie d'erreur 1

*** This bug is a duplicate of bug 2073399 ***
https://bugs.launchpad.net/bugs/2073399

You're aborting the removal of the running kernel.

** This bug has been marked a duplicate of bug 2073399
Aborting the removal of the running kernel triggers apport

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2140634

Title:
package linux-image-6.8.0-94-generic 6.8.0-94.96 failed to
install/upgrade: le sous-processus paquet linux-image-6.8.0-94-generic
script pre-removal installé a renvoyé un état de sortie d'erreur 1

Status in linux package in Ubuntu:
New
Status in linux source package in Noble:
New

Bug description:
aptitude warrying me it wants to delete the current kernel without
fallack

ProblemType: Package
DistroRelease: Ubuntu 24.04
Package: linux-image-6.8.0-94-generic 6.8.0-94.96
ProcVersionSignature: Ubuntu 6.8.0-94.96-generic 6.8.12
Uname: Linux 6.8.0-94-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC0: sylvain 7828 F.... pipewire
sylvain 7832 F.... wireplumber
/dev/snd/seq: sylvain 7828 F.... pipewire
CRDA: N/A
CasperMD5CheckResult: unknown
Date: Thu Feb 5 23:27:27 2026
ErrorMessage: le sous-processus paquet linux-image-6.8.0-94-generic script pre-removal installé a renvoyé un état de sortie d'erreur 1
InstallationDate: Installed on 2021-12-13 (1515 days ago)
InstallationMedia: Ubuntu 20.04.2.0 LTS "Focal Fossa" - Release amd64 (20210209.1)
MachineType: LENOVO 20W40090FR
ProcFB: 0 i915drmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-6.8.0-94-generic root=/dev/mapper/vgcrypt-root ro quiet splash vt.handoff=7
PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
Python3Details: /usr/bin/python3.12, Python 3.12.3, python3-minimal, 3.12.3-0ubuntu2.1
PythonDetails: N/A
RebootRequiredPkgs: Error: path contained symlinks.
RelatedPackageVersions: grub-pc 2.12-1ubuntu7.3
SourcePackage: linux
Title: package linux-image-6.8.0-94-generic 6.8.0-94.96 failed to install/upgrade: le sous-processus paquet linux-image-6.8.0-94-generic script pre-removal installé a renvoyé un état de sortie d'erreur 1
UpgradeStatus: Upgraded to noble on 2024-12-21 (411 days ago)
dmi.bios.date: 11/27/2025
dmi.bios.release: 1.69
dmi.bios.vendor: LENOVO
dmi.bios.version: N34ET69W (1.69 )
dmi.board.asset.tag: Not Available
dmi.board.name: 20W40090FR
dmi.board.vendor: LENOVO
dmi.board.version: SDK0J40697 WIN
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: None
dmi.ec.firmware.release: 1.46
dmi.modalias: dmi:bvnLENOVO:bvrN34ET69W(1.69):bd11/27/2025:br1.69:efr1.46:svnLENOVO:pn20W40090FR:pvrThinkPadT15Gen2i:rvnLENOVO:rn20W40090FR:rvrSDK0J40697WIN:cvnLENOVO:ct10:cvrNone:skuLENOVO_MT_20W4_BU_Think_FM_ThinkPadT15Gen2i:
dmi.product.family: ThinkPad T15 Gen 2i
dmi.product.name: 20W40090FR
dmi.product.sku: LENOVO_MT_20W4_BU_Think_FM_ThinkPad T15 Gen 2i
dmi.product.version: ThinkPad T15 Gen 2i
dmi.sys.vendor: LENOVO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2140634/+subscriptions

[Bug 2139276] Re: [usrmerge] evaluate kernel owned packages for DEP17 compliance

alsa-driver
linux-firmware-xilinx-ap1302
linux-firmware-xilinx-vcu
nouveau-firmware

are afected but they're not part of the the kernel package set.

** Also affects: alsa-driver (Ubuntu)
Importance: Undecided
Status: New

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2139276

Title:
[usrmerge] evaluate kernel owned packages for DEP17 compliance

Status in alsa-driver package in Ubuntu:
New
Status in linux package in Ubuntu:
Triaged
Status in linux-firmware package in Ubuntu:
Invalid
Status in linux-firmware-xilinx-ap1302 package in Ubuntu:
New
Status in linux-firmware-xilinx-vcu package in Ubuntu:
New
Status in nouveau-firmware package in Ubuntu:
New

Bug description:
The following packages have been identified as having a possible issue
related to usr-merge. DEP-17 describes the issue and problems at
length[0]. The check done was not perfect, and may lead to false
positives. The following was the run to identify possible packages,
further refined with slight pruning of obvious false positives

apt-file search --package-only --regexp
'^/(sbin|bin|lib|lib32|lib64|libx32)/*'

Lintian, when run on a suitably new system (such as within a resolute
build environment), will provide some errors related to usr-merge. an
example of a Lintian error from busybox

E: busybox-static: aliased-location [bin/]
E: busybox-static: aliased-location [bin/static-sh]

Please evaluate the follow packages for any issues dictated in dep17.
If any package below is not a part of the Kernel set, please let me
know and I'll file separate bugs for those packages (a bunch are
nvidia based, and I'm not sure who is owning them)

[0] https://dep-team.pages.debian.net/deps/dep17/

alsa-driver
fabric-manager-570
fabric-manager-580
fabric-manager-590
linux
linux-firmware-xilinx-ap1302
linux-firmware-xilinx-vcu
linux-realtime
linux-restricted-modules
linux-restricted-modules-aws
linux-restricted-modules-azure
linux-restricted-modules-gcp
linux-restricted-modules-oracle
linux-restricted-signatures
linux-riscv
nouveau-firmware
nvidia-graphics-drivers-580
nvidia-graphics-drivers-580-server
nvidia-graphics-drivers-590
nvidia-graphics-drivers-590-server
nvidia-imex-570
nvidia-imex-580
nvidia-imex-590
nvidia-prime

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/2139276/+subscriptions

[Bug 2141302] [NEW] The computer does not switch off completely

Public bug reported:

After the update, if I switch off the PC or put it into hibernation
mode, the operating system, monitor and keyboard switch off, but the PC
remains lit up and the fans continue to run.

** Affects: linux (Ubuntu)
Importance: Undecided
Status: New

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2141302

Title:
The computer does not switch off completely

Status in linux package in Ubuntu:
New

Bug description:
After the update, if I switch off the PC or put it into hibernation
mode, the operating system, monitor and keyboard switch off, but the
PC remains lit up and the fans continue to run.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2141302/+subscriptions

[Bug 2139276] Re: [usrmerge] evaluate kernel owned packages for DEP17 compliance

linux-firmware is not affected.

** Changed in: linux-firmware (Ubuntu)
Status: Triaged => Invalid

** Also affects: linux-firmware-xilinx-ap1302 (Ubuntu)
Importance: Undecided
Status: New

** Also affects: linux-firmware-xilinx-vcu (Ubuntu)
Importance: Undecided
Status: New

** Also affects: nouveau-firmware (Ubuntu)
Importance: Undecided
Status: New

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2139276

Title:
[usrmerge] evaluate kernel owned packages for DEP17 compliance

Status in alsa-driver package in Ubuntu:
New
Status in linux package in Ubuntu:
Triaged
Status in linux-firmware package in Ubuntu:
Invalid
Status in linux-firmware-xilinx-ap1302 package in Ubuntu:
New
Status in linux-firmware-xilinx-vcu package in Ubuntu:
New
Status in nouveau-firmware package in Ubuntu:
New

Bug description:
The following packages have been identified as having a possible issue
related to usr-merge. DEP-17 describes the issue and problems at
length[0]. The check done was not perfect, and may lead to false
positives. The following was the run to identify possible packages,
further refined with slight pruning of obvious false positives

apt-file search --package-only --regexp
'^/(sbin|bin|lib|lib32|lib64|libx32)/*'

Lintian, when run on a suitably new system (such as within a resolute
build environment), will provide some errors related to usr-merge. an
example of a Lintian error from busybox

E: busybox-static: aliased-location [bin/]
E: busybox-static: aliased-location [bin/static-sh]

Please evaluate the follow packages for any issues dictated in dep17.
If any package below is not a part of the Kernel set, please let me
know and I'll file separate bugs for those packages (a bunch are
nvidia based, and I'm not sure who is owning them)

[0] https://dep-team.pages.debian.net/deps/dep17/

alsa-driver
fabric-manager-570
fabric-manager-580
fabric-manager-590
linux
linux-firmware-xilinx-ap1302
linux-firmware-xilinx-vcu
linux-realtime
linux-restricted-modules
linux-restricted-modules-aws
linux-restricted-modules-azure
linux-restricted-modules-gcp
linux-restricted-modules-oracle
linux-restricted-signatures
linux-riscv
nouveau-firmware
nvidia-graphics-drivers-580
nvidia-graphics-drivers-580-server
nvidia-graphics-drivers-590
nvidia-graphics-drivers-590-server
nvidia-imex-570
nvidia-imex-580
nvidia-imex-590
nvidia-prime

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/2139276/+subscriptions

[Bug 2065369] Re: veth.sh from ubuntu_kselftests_net failed on J-5.15 / N-6.8 (with xdp attached - gro flag)

This bug was fixed in the package linux - 5.15.0-170.180

---------------
linux (5.15.0-170.180) jammy; urgency=medium

* jammy/linux: 5.15.0-170.180 -proposed tracker (LP: #2137825)

* ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)
- SAUCE increase socat timeout in gre_gso.sh

* CVE-2025-40256
- xfrm: also call xfrm_state_delete_tunnel at destroy time for states that
were never added

* CVE-2025-40215
- xfrm: delete x->tunnel as we delete x

* CVE-2025-38248
- bridge: mcast: Fix use-after-free during router port configuration

* selftests: net: veth: fix compatibility with older ethtool versions
(LP: #2136734)
- SAUCE: selftests: net: veth: use short form gro for ethtool -K
- SAUCE: selftests: net: veth: accept 0 for unsupported combined channels

* veth.sh from ubuntu_kselftests_net failed on J-5.15 / N-6.8 (with xdp
attached - gro flag) (LP: #2065369)
- selftests: net: veth: test the ability to independently manipulate GRO
and XDP

* Jammy update: v5.15.196 upstream stable release (LP: #2134182)
- r8152: add error handling in rtl8152_driver_init
- jbd2: ensure that all ongoing I/O complete before freeing blocks
- btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already
running
- media: s5p-mfc: remove an unused/uninitialized variable
- media: rc: Directly use ida_free()
- media: lirc: Fix error handling in lirc_register()
- blk-crypto: fix missing blktrace bio split events
- drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in
functions
- drm/exynos: exynos7_drm_decon: properly clear channels during bind
- drm/exynos: exynos7_drm_decon: remove ctx->suspended
- crypto: rockchip - Fix dma_unmap_sg() nents value
- cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay
- HID: multitouch: fix sticky fingers
- dax: skip read lock assertion for read-only filesystems
- can: m_can: m_can_plat_remove(): add missing pm_runtime_disable()
- net: dlink: handle dma_map_single() failure properly
- doc: fix seg6_flowlabel path
- r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H
- amd-xgbe: Avoid spurious link down messages during interface toggle
- tcp: fix tcp_tso_should_defer() vs large RTT
- tg3: prevent use of uninitialized remote_adv and local_adv variables
- splice, net: Add a splice_eof op to file-ops and socket-ops
- net: tls: wait for async completion on last message
- tls: wait for async encrypt in case of error during latter iterations of
sendmsg
- tls: always set record_type in tls_process_cmsg
- tls: don't rely on tx_work during send()
- net: usb: use eth_hw_addr_set() instead of ether_addr_copy()
- net: usb: lan78xx: Add error handling to lan78xx_init_mac_address
- net: usb: lan78xx: fix use of improperly initialized dev->chipid in
lan78xx_reset
- riscv: kprobes: Fix probe address validation
- drm/amd/powerplay: Fix CIK shutdown temperature
- sched/balancing: Rename newidle_balance() => sched_balance_newidle()
- sched/fair: Fix pelt lost idle time detection
- ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings
- PCI/sysfs: Ensure devices are powered for config reads (part 2)
- exec: Fix incorrect type for ret
- nios2: ensure that memblock.current_limit is set when setting pfn limits
- hfs: clear offset and space out of valid records in b-tree node
- hfs: make proper initalization of struct hfs_find_data
- hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
- hfs: validate record offset in hfsplus_bmap_alloc
- hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
- dlm: check for defined force value in dlm_lockspace_release
- hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
- hfsplus: return EIO when type of hidden directory mismatch in
hfsplus_fill_super()
- m68k: bitops: Fix find_*_bit() signatures
- net: rtnetlink: add helper to extract msg type's kind
- net: rtnetlink: use BIT for flag values
- net: netlink: add NLM_F_BULK delete request modifier
- net: rtnetlink: add bulk delete support flag
- net: add ndo_fdb_del_bulk
- net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del
- rtnetlink: Allow deleting FDB entries in user namespace
- net: enetc: correct the value of ENETC_RXB_TRUESIZE
- dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path
- arm64, mm: avoid always making PTE dirty in pte_mkwrite()
- sctp: avoid NULL dereference when chunk data buffer is missing
- net: bonding: fix possible peer notify event loss or dup issue
- Revert "cpuidle: menu: Avoid discarding useful information"
- MIPS: Malta: Fix keyboard resource preventing i8042 driver from
registering
- ocfs2: clear extent cache after moving/defragmenting extents
- vsock: fix lock inversion in vsock_assign_transport()
- net: usb: rtl8150: Fix frame padding
- net: ravb: Ensure memory write completes before ringing TX doorbell
- USB: serial: option: add UNISOC UIS7720
- USB: serial: option: add Quectel RG255C
- USB: serial: option: add Telit FN920C04 ECM compositions
- usb/core/quirks: Add Huawei ME906S to wakeup quirk
- usb: raw-gadget: do not limit transfer length
- xhci: dbc: enable back DbC in resume if it was enabled before suspend
- binder: remove "invalid inc weak" check
- mei: me: add wildcat lake P DID
- most: usb: Fix use-after-free in hdm_disconnect
- most: usb: hdm_probe: Fix calling put_device() before device
initialization
- serial: 8250_exar: add support for Advantech 2 port card with Device ID
0x0018
- arm64: cputype: Add Neoverse-V3AE definitions
- arm64: errata: Apply workarounds for Neoverse-V3AE
- s390/cio: Update purge function to unregister the unused subchannels
- xfs: rename the old_crc variable in xlog_recover_process
- xfs: fix log CRC mismatches between i386 and other architectures
- NFSD: Rework encoding and decoding of nfsd4_deviceid
- NFSD: Minor cleanup in layoutcommit processing
- NFSD: Fix last write offset handling in layoutcommit
- iio: imu: inv_icm42600: use = { } instead of memset()
- iio: imu: inv_icm42600: Avoid configuring if already pm_runtime
suspended
- PM: runtime: Add new devm functions
- iio: imu: inv_icm42600: Simplify pm_runtime setup
- padata: Reset next CPU when reorder sequence wraps around
- fuse: allocate ff->release_args only if release is needed
- fuse: fix livelock in synchronous file put from fuseblk workers
- PCI: j721e: Enable ACSPCIE Refclk if "ti,syscon-acspcie-proxy-ctrl"
exists
- PCI: j721e: Fix programming sequence of "strap" settings
- wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again
- PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock
- drm/amdgpu: use atomic functions with memory barriers for vm fault info
- f2fs: fix wrong block mapping for multi-devices
- PCI: tegra194: Handle errors in BPMP response
- PCI: rcar: Finish transition to L1 state in rcar_pcie_config_access()
- PCI: rcar-host: Drop PMSR spinlock
- PCI: tegra194: Reset BARs when running in PCIe endpoint mode
- devcoredump: Fix circular locking dependency with devcd->mutex.
- xfs: always warn about deprecated mount options
- arch_topology: Fix incorrect error check in
topology_parse_cpu_capacity()
- usb: gadget: Store endpoint pointer in usb_request
- usb: gadget: Introduce free_usb_request helper
- net: rtnetlink: fix module reference count leak issue in
rtnetlink_rcv_msg
- PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()
- Linux 5.15.196

* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40094
- usb: gadget: f_acm: Refactor bind path to use __free()

* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40092
- usb: gadget: f_ncm: Refactor bind path to use __free()

* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40087
- NFSD: Define a proc_layoutcommit for the FlexFiles layout type

* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40105
- vfs: Don't leak disconnected dentries on umount

* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40106
- comedi: fix divide-by-zero in comedi_buf_munge()

* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40088
- hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()

* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40085
- ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card

* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40173
- net/ip6_tunnel: Prevent perpetual tunnel growth

* Jammy update: v5.15.196 upstream stable release (LP: #2134182) //
CVE-2025-40167
- ext4: detect invalid INLINE_DATA + EXTENTS flag combination

* Jammy update: v5.15.195 upstream stable release (LP: #2133909)
- iommu/amd: Add map/unmap_pages() iommu_domain_ops callback support
- KVM: arm64: Fix softirq masking in FPSIMD register saving sequence
- media: tunner: xc5000: Refactor firmware load
- USB: serial: option: add SIMCom 8230C compositions
- wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188
- dm-integrity: limit MAX_TAG_SIZE to 255
- perf subcmd: avoid crash in exclude_cmds when excludes is empty
- hid: fix I2C read buffer overflow in raw_event() for mcp2221
- serial: stm32: allow selecting console when the driver is module
- staging: axis-fifo: fix maximum TX packet length check
- staging: axis-fifo: flush RX FIFO on read errors
- driver core/PM: Set power.no_callbacks along with power.no_pm
- minmax: add in_range() macro
- filelock: add FL_RECLAIM to show_fl_flags() macro
- selftests: arm64: Check fread return value in exec_target
- coresight: trbe: Prevent overflow in PERF_IDX2OFF()
- x86/vdso: Fix output operand size of RDPID
- regmap: Remove superfluous check for !config in __regmap_init()
- libbpf: Fix reuse of DEVMAP
- cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()
- ACPI: processor: idle: Fix memory leak when register cpuidle device
failed
- soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS
- pinctrl: meson-gxl: add missing i2c_d pinmux
- ARM: at91: pm: fix MCKx restore routine
- regulator: scmi: Use int type to store negative error codes
- block: use int to store blk_stack_limits() return value
- PM: sleep: core: Clear power.must_resume in noirq suspend error path
- pinctrl: renesas: Use int type to store negative error codes
- firmware: firmware: meson-sm: fix compile-test default
- arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible
- pwm: tiehrpwm: Fix corner case in clock divisor calculation
- i3c: master: svc: Recycle unused IBI slot
- selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported
- smp: Fix up and expand the smp_call_function_many() kerneldoc
- tools/nolibc: make time_t robust if __kernel_old_time_t is missing in
host headers
- thermal/drivers/qcom: Make LMH select QCOM_SCM
- thermal/drivers/qcom/lmh: Add missing IRQ includes
- i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD
- i2c: designware: Add disabling clocks when probe fails
- drm/radeon/r600_cs: clean up of dead code in r600_cs
- scsi: myrs: Fix dma_alloc_coherent() error check
- media: rj54n1cb0c: Fix memleak in rj54n1_probe()
- ALSA: lx_core: use int type to store negative error codes
- drm/amdgpu: Power up UVD 3 for FW validation (v2)
- wifi: mwifiex: send world regulatory domain to driver
- PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation
- tcp: fix __tcp_close() to only send RST when required
- drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()
- usb: phy: twl6030: Fix incorrect type for ret
- usb: gadget: configfs: Correctly set use_os_string at bind
- misc: genwqe: Fix incorrect cmd field being reported in error
- ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping
- iio: consumers: Fix offset handling in iio_convert_raw_to_processed()
- netfilter: ipset: Remove unused htable_bits in macro ahash_region
- watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the
watchdog
- drivers/base/node: handle error properly in register_one_node()
- RDMA/cm: Rate limit destroy CM ID timeout error message
- wifi: mt76: fix potential memory leak in mt76_wmac_probe()
- ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message
- scsi: qla2xxx: edif: Fix incorrect sign of error code
- scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()
- Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems
Running"
- RDMA/core: Resolve MAC of next-hop device without ARP support
- IB/sa: Fix sa_local_svc_timeout_ms read race
- Documentation: trace: historgram-design: Separate sched_waking histogram
section heading and the following diagram
- wifi: ath10k: avoid unnecessary wait for service ready message
- sparc: fix accurate exception reporting in copy_to_user for Niagara 4
- sparc: fix accurate exception reporting in copy_{from,to}_user for M7
- remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice
- NFSv4.1: fix backchannel max_resp_sz verification check
- usb: vhci-hcd: Prevent suspending virtually attached devices
- RDMA/siw: Always report immediate post SQ errors
- Bluetooth: MGMT: Fix not exposing debug UUID on
MGMT_OP_READ_EXP_FEATURES_INFO
- drivers/base/node: fix double free in register_one_node()
- nfp: fix RSS hash key size when RSS is not supported
- net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not
configurable
- Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set"
- mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()
- ext4: fix checks for orphan inodes
- nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()
- Input: atmel_mxt_ts - allow reset GPIO to sleep
- usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call
- fs: always return zero on success from replace_fd()
- clocksource/drivers/clps711x: Fix resource leaks in error paths
- iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE
- perf evsel: Avoid container_of on a NULL leader
- libperf event: Ensure tracing data is multiple of 8 sized
- clk: at91: peripheral: fix return value
- perf util: Fix compression checks returning -1 as bool
- rtc: x1205: Fix Xicor X1205 vendor prefix
- perf session: Fix handling when buffer exceeds 2 GiB
- clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()
- clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver
- cpufreq: tegra186: Set target frequency for all cpus in policy
- scsi: libsas: Add sas_task_find_rq()
- scsi: mvsas: Delete mvs_tag_init()
- scsi: mvsas: Use sas_task_find_rq() for tagging
- net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()
- s390/cio: unregister the subchannel while purging
- drm/vmwgfx: Copy DRM hash-table code into driver
- tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
- net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe
- tools build: Align warning options with perf
- mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call
- mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes
- drm/amdgpu: Add additional DCE6 SCL registers
- drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs
- drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6
- drm/amd/display: Properly disable scaling on DCE6
- bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()
- tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single
- gpio: wcd934x: Remove duplicate assignment of of_gpio_n_cells
- gpio: wcd934x: mark the GPIO controller as sleeping
- bpf: Avoid RCU context warning when unpinning htab with internal structs
- ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT
- ACPI: debug: fix signedness issues in read/write helpers
- arm64: dts: qcom: msm8916: Add missing MDSS reset
- ARM: OMAP2+: pm33xx-core: ix device node reference leaks in
amx3_idle_init
- xen/events: Cleanup find_virq() return codes
- xen/manage: Fix suspend error path
- firmware: meson_sm: fix device leak at probe
- media: i2c: mt9v111: fix incorrect type for ret
- drm/nouveau: fix bad ret code in nouveau_bo_move_prep
- bus: mhi: host: Do not use uninitialized 'dev' pointer in
mhi_init_irq_setup()
- copy_sighand: Handle architectures where sizeof(unsigned long) <
sizeof(u64)
- crypto: atmel - Fix dma_unmap_sg() direction
- fs/ntfs3: Fix a resource leak bug in wnd_extend()
- iio: dac: ad5360: use int type to store negative error codes
- iio: dac: ad5421: use int type to store negative error codes
- iio: frequency: adf4350: Fix prescaler usage.
- init: handle bootloader identifier in kernel parameters
- iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in
resume
- iommu/vt-d: PRS isn't usable if PDS isn't supported
- KEYS: trusted_tpm1: Compare HMAC values in constant time
- lib/genalloc: fix device leak in of_gen_pool_get()
- openat2: don't trigger automounts with RESOLVE_NO_XDEV
- parisc: don't reference obsolete termio struct for TC* constants
- nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk
- powerpc/powernv/pci: Fix underflow and leak issue
- powerpc/pseries/msi: Fix potential underflow and leak issue
- scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
- sparc64: fix hugetlb for sun4u
- sparc: fix error handling in scan_one_device()
- mtd: rawnand: fsmc: Default to autodetect buswidth
- mmc: core: SPI mode remove cmd7
- memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe
- rtc: interface: Ensure alarm irq is enabled when UIE is enabled
- rtc: interface: Fix long-standing race when setting alarm
- rseq/selftests: Use weak symbol reference, not definition, to link with
glibc
- PCI/sysfs: Ensure devices are powered for config reads
- PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
- PCI/ERR: Fix uevent on failure to recover
- PCI/AER: Fix missing uevent on recovery when a reset is requested
- PCI/AER: Support errors introduced by PCIe r6.0
- PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on
exit
- PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()
- spi: cadence-quadspi: Flush posted register writes before INDAC access
- spi: cadence-quadspi: Flush posted register writes before DAC access
- x86/umip: Check that the instruction opcode is at least two bytes
- x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT
aliases)
- mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations
- NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()
- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry
- ext4: increase i_disksize to offset + len in
ext4_update_disksize_before_punch()
- ext4: correctly handle queries for metadata mappings
- ext4: guard against EA inode refcount underflow in xattr update
- ext4: free orphan info with kvfree
- lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older
- ASoC: codecs: wcd934x: Simplify with dev_err_probe
- ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()
- Squashfs: add additional inode sanity checking
- media: mc: Clear minor number before put device
- mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register
value
- mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type
- mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag
- ksmbd: fix error code overwriting in smb2_get_info_filesystem()
- locking: Introduce __cleanup() based infrastructure
- fscontext: do not consume log entries when returning -EMSGSIZE
- btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()
- arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees
- minmax: Introduce {min,max}_array()
- minmax: deduplicate __unconst_integer_typeof()
- minmax: fix indentation of __cmp_once() and __clamp_once()
- minmax: avoid overly complicated constant expressions in VM code
- minmax: add a few more MIN_T/MAX_T users
- minmax: simplify and clarify min_t()/max_t() implementation
- minmax: make generic MIN() and MAX() macros available everywhere
- minmax: don't use max() in situations that want a C constant expression
- minmax: simplify min()/max()/clamp() implementation
- minmax: improve macro expansion and type checking
- minmax: fix up min3() and max3() too
- minmax.h: add whitespace around operators and after commas
- minmax.h: update some comments
- minmax.h: reduce the #define expansion of min(), max() and clamp()
- minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp()
- minmax.h: move all the clamp() definitions after the min/max() ones
- minmax.h: simplify the variants of clamp()
- minmax.h: remove some #defines that are only expanded once
- minixfs: Verify inode mode when loading from disk
- fs: Add 'initramfs_options' to set initramfs mount options
- cramfs: Verify inode mode when loading from disk
- writeback: Avoid softlockup when switching many inodes
- writeback: Avoid excessively long inode switching times
- media: switch from 'pci_' to 'dma_' API
- media: cx18: Add missing check after DMA map
- arm64: mte: Do not flag the zero page as PG_mte_tagged
- media: pci/ivtv: switch from 'pci_' to 'dma_' API
- media: pci: ivtv: Add missing check after DMA map
- xen/events: Update virq_to_irq on migration
- media: pci: ivtv: Add check for DMA map result
- mm/slab: make __free(kfree) accept error pointers
- mptcp: pm: in-kernel: usable client side with C-flag
- selftests: mptcp: join: validate C-flag + def limit
- Linux 5.15.195

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40178
- pid: Add a judgment for ns null in pid_nr_ns

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40134
- dm: fix NULL pointer dereference in __dm_suspend()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40042
- tracing: Fix race condition in kprobe initialization causing NULL
pointer dereference

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40120
- net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40200
- Squashfs: reject negative file sizes in squashfs_read_inode()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40026
- KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40179
- ext4: verify orphan file size is not too big

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40204
- sctp: Fix MAC comparison to be constant-time

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40188
- pwm: berlin: Fix wrong register in suspend/resume

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40194
- cpufreq: intel_pstate: Fix object lifecycle issue in
update_qos_request()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40205
- btrfs: avoid potential out-of-bounds in btrfs_encode_fh()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40183
- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40187
- net/sctp: fix a null dereference in sctp_disposition
sctp_sf_do_5_1D_ce()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40111
- drm/vmwgfx: Fix Use-after-free in validation

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40001
- scsi: mvsas: Fix use-after-free bugs in mvs_work_queue

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40029
- bus: fsl-mc: Check return value of platform_get_resource()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40030
- pinctrl: check the return value of pinmux_ops::get_function_name()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40035
- Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info
leak

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40153
- mm: hugetlb: avoid soft lockup when mprotect to large memory area

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40043
- net: nfc: nci: Add parameter validation for packet data

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40044
- fs: udf: fix OOB read in lengthAllocDescs handling

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40048
- uio_hv_generic: Let userspace take care of interrupt mask

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40049
- Squashfs: fix uninit-value in squashfs_get_parent

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40053
- net: dlink: handle copy_thresh allocation failure

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40055
- ocfs2: fix double free in user_cluster_connect()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40127
- hwrng: ks-sa - fix division by zero in ks_sa_rng_init

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40140
- net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40115
- scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40060
- coresight: trbe: Return NULL pointer for allocation failures

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40112
- sparc: fix accurate exception reporting in copy_{from_to}_user for
Niagara

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40124
- sparc: fix accurate exception reporting in copy_{from_to}_user for
UltraSPARC III

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40126
- sparc: fix accurate exception reporting in copy_{from_to}_user for
UltraSPARC

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40068
- fs: ntfs3: Fix integer overflow in run_unpack()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40121
- ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40154
- ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40070
- pps: fix warning in pps_register_cdev when register device fail

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40118
- scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40116
- usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40078
- bpf: Explicitly check accesses to bpf_sock_addr

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40171
- nvmet-fc: move lsop put work to nvmet_fc_ls_req_op

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40125
- blk-mq: check kobject state_in_sysfs before deleting in
blk_mq_unregister_hctx

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40081
- perf: arm_spe: Prevent overflow in PERF_IDX2OFF()

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40027
- net/9p: fix double req put in p9_fd_cancelled

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-40109
- crypto: rng - Ensure set_ent is always present

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2024-58011
- platform/x86: int3472: Check for adev == NULL

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-39995
- media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in
probe

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-39994
- media: tuner: xc5000: Fix use-after-free in xc5000_release

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-22058
- udp: Fix memory accounting leak.

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-39996
- media: b2c2: Fix use-after-free causing by irq_check_work in
flexcop_pci_remove

* Jammy update: v5.15.195 upstream stable release (LP: #2133909) //
CVE-2025-39998
- scsi: target: target_core_configfs: Add length check to avoid buffer
overflow

* CAP_PERFMON insufficient to get perf data (LP: #2131046)
- SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4

* Jammy Linux: Introduced Warning with CVE-2024-53090 fix (LP: #2130553)
- SAUCE: Remove warning introduced during CVE-2024-53090 fix

* [SRU] Apparmor: Unshifted uids for hardlinks and unix sockets in user
namespaces (LP: #2121257)
- apparmor: shift ouid when mediating hard links in userns
- apparmor: shift uid when mediating af_unix in userns

* Jammy update: v5.15.194 upstream stable release (LP: #2127866)
- Revert "fbdev: Disable sysfb device registration when removing
conflicting FBs"
- xfs: short circuit xfs_growfs_data_private() if delta is zero
- kunit: kasan_test: disable fortify string checker on kasan_strings()
test
- mm: introduce and use {pgd,p4d}_populate_kernel()
- media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning
- media: i2c: imx214: Fix link frequency validation
- net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
- tracing: Do not add length to print format in synthetic events
- mm/rmap: reject hugetlb folios in folio_make_device_exclusive()
- flexfiles/pNFS: fix NULL checks on result of
ff_layout_choose_ds_for_read
- NFSv4: Don't clear capabilities that won't be reset
- NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set
- NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server
- tracing: Fix tracing_marker may trigger page fault during
preempt_disable
- NFSv4/flexfiles: Fix layout merge mirror check.
- tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to
allocate psock->cork.
- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code
- KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func()
- KVM: SVM: Set synthesized TSA CPUID flags
- EDAC/altera: Delete an inappropriate dma_free_coherent() call
- compiler-clang.h: define __SANITIZE_*__ macros only when undefined
- ocfs2: fix recursive semaphore deadlock in fiemap call
- mtd: rawnand: stm32_fmc2: fix ECC overwrite
- fuse: check if copy_file_range() returns larger than requested size
- fuse: prevent overflow in copy_file_range return value
- libceph: fix invalid accesses to ceph_connection_v1_info
- mm/khugepaged: fix the address passed to notifier on testing young
- mtd: nand: raw: atmel: Fix comment in timings preparation
- mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing
- mtd: rawnand: stm32_fmc2: Fix dma_map_sg error check
- mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
- Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk
table
- tty: hvc_console: Call hvc_kick in hvc_write unconditionally
- dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks
- USB: serial: option: add Telit Cinterion FN990A w/audio compositions
- USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions
- net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
- tunnels: reset the GSO metadata before reusing the skb
- igb: fix link test skipping when interface is admin down
- genirq: Provide new interfaces for affinity hints
- i40e: Use irq_update_affinity_hint()
- i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
- can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when
j1939_local_ecu_get() failed
- can: j1939: j1939_local_ecu_get(): undo increment when
j1939_local_ecu_get() fails
- can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted
SKB
- net: hsr: Disable promiscuous mode in offload mode
- net: hsr: Add support for MC filtering at the slave device
- net: hsr: Add VLAN CTAG filter support
- hsr: use rtnl lock when iterating over ports
- hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr
- dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
- regulator: sy7636a: fix lifecycle of power good gpio
- hrtimer: Remove unused function
- hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active()
- hrtimers: Unconditionally update target CPU base after offline timer
migration
- dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
- phy: tegra: xusb: fix device and OF node leak at probe
- phy: ti-pipe3: fix device leak at unbind
- soc: qcom: mdt_loader: Deal with zero e_shentsize
- drm/amdgpu: fix a memory leak in fence cleanup when unloading
- drm/i915/power: fix size for for_each_set_bit() in abox iteration
- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison
memory
- net: hsr: hsr_slave: Fix the promiscuous mode in offload mode
- ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is
not supported
- wifi: mac80211: fix incorrect type for ret
- pcmcia: omap_cf: Mark driver struct with __refdata to prevent section
mismatch
- cgroup: split cgroup_destroy_wq into 3 workqueues
- um: virtio_uml: Fix use-after-free after put_device in probe
- dpaa2-switch: fix buffer pool seeding for control traffic
- qed: Don't collect too many protection override GRC elements
- net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure
- i40e: remove redundant memory barrier when cleaning Tx descs
- tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
- Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set"
- net: liquidio: fix overflow in octeon_init_instr_queue()
- cnic: Fix use-after-free bugs in cnic_delete_task
- nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/*
- power: supply: bq27xxx: fix error return in case of no bq27000 hdq
battery
- power: supply: bq27xxx: restrict no-battery detection to bq27000
- btrfs: tree-checker: fix the incorrect inode ref size check
- mmc: mvsdio: Fix dma_unmap_sg() nents value
- KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active
- rds: ib: Increment i_fastreg_wrs before bailing out
- ASoC: wm8940: Correct typo in control name
- ASoC: wm8974: Correct PLL rate rounding
- ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error
message
- drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ
- drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path
- serial: sc16is7xx: fix bug in flow control levels init
- xhci: dbc: decouple endpoint allocation from initialization
- xhci: dbc: Fix full DbC transfer ring after several reconnects
- usb: gadget: dummy_hcd: remove usage of list iterator past the loop body
- USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels
- phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning
- phy: Use device_get_match_data()
- phy: ti: omap-usb2: fix device leak at unbind
- mptcp: set remote_deny_join_id0 on SYN recv
- ksmbd: smbdirect: validate data_offset and data_length field of
smb_direct_data_transfer
- mptcp: propagate shutdown to subflows when possible
- net: rfkill: gpio: add DT support
- net: rfkill: gpio: Fix crash due to dereferencering uninitialized
pointer
- ALSA: usb-audio: Fix block comments in mixer_quirks
- ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks
- ALSA: usb-audio: Avoid multiple assignments in mixer_quirks
- ALSA: usb-audio: Simplify NULL comparison in mixer_quirks
- ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks
- ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5
- ALSA: usb-audio: Convert comma to semicolon
- ALSA: usb-audio: Fix build with CONFIG_INPUT=n
- usb: core: Add 0x prefix to quirks debug output
- IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions
- arm64: dts: imx8mp: Correct thermal sensor index
- cpufreq: Initialize cpufreq-based invariance before subsys
- can: rcar_can: rcar_can_resume(): fix s2ram with PSCI
- bpf: Reject bpf_timer for PREEMPT_RT
- can: bittiming: allow TDC{V,O} to be zero and add
can_tdc_const::tdc{v,o,f}_min
- can: bittiming: replace CAN units with the generic ones from
linux/units.h
- can: dev: add generic function can_ethtool_op_get_ts_info_hwts()
- can: dev: add generic function can_eth_ioctl_hwts()
- can: etas_es58x: advertise timestamping capabilities and add ioctl
support
- can: etas_es58x: sort the includes by alphabetic order
- can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow
- can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
- can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
- can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
- can: peak_usb: fix shift-out-of-bounds issue
- ethernet: rvu-af: Remove slash from the driver name
- bnxt_en: correct offset handling for IPv6 destination address
- nexthop: Forbid FDB status change while nexthop is in a group
- selftests: fib_nexthops: Fix creation of non-FDB nexthops
- net: dsa: lantiq_gswip: do also enable or disable cpu port
- net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to
port_setup()
- net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries
added to the CPU port
- drm/gma500: Fix null dereference in hdmi teardown
- i40e: fix idx validation in i40e_validate_queue_map
- i40e: fix input validation logic for action_meta
- i40e: add max boundary check for VF filters
- i40e: add mask to apply valid bits for itr_idx
- tracing: dynevent: Add a missing lockdown check on dynevent
- fbcon: fix integer overflow in fbcon_do_set_font
- fbcon: Fix OOB access in font allocation
- af_unix: Don't leave consecutive consumed OOB skbs.
- mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize()
- mm/hugetlb: fix folio is still mapped when deleted
- i40e: fix validation of VF state in get resources
- i40e: fix idx validation in config queues msg
- i40e: increase max descriptors for XL710
- i40e: add validation for ring_len param
- drm/i915/backlight: Return immediately when scale() finds invalid
parameters
- Linux 5.15.194

* CVE-2024-56538
- drm: zynqmp_kms: Unplug DRM device before removal

* CVE-2024-53114
- tools headers cpufeatures: Sync with the kernel sources
- x86: Fix comment for X86_FEATURE_ZEN
- x86/CPU/AMD: Add ZenX generations flags
- x86/CPU/AMD: Carve out the erratum 1386 fix
- x86/CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
- x86/CPU/AMD: Move erratum 1076 fix into the Zen1 init function
- x86/CPU/AMD: Call the spectral chicken in the Zen2 init function
- x86/CPU/AMD: Rename init_amd_zn() to init_amd_zen_common()
- x86/CPU/AMD: Move Zenbleed check to the Zen2 init function
- x86/CPU/AMD: Move the DIV0 bug detection to the Zen1 init function
- x86/CPU/AMD: Get rid of amd_erratum_1054[]
- x86/CPU/AMD: Get rid of amd_erratum_383[]
- x86/CPU/AMD: Get rid of amd_erratum_400[]
- x86/CPU/AMD: Get rid of amd_erratum_1485[]
- x86/CPU/AMD: Drop now unused CPU erratum checking function
- x86/CPU/AMD: Add X86_FEATURE_ZEN1
- tools headers x86 cpufeatures: Sync with the kernel sources to pick TDX,
Zen, APIC MSR fence changes
- x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load
- x86/CPU/AMD: Clear virtualized VMLOAD/VMSAVE on Zen4 client
- x86/cpu/amd: Fix workaround for erratum 1054

* CVE-2025-38584
- padata: Fix pd UAF once and for all
- padata: Remove comment for reorder_work

* CVE-2025-40019
- crypto: essiv - Check ssize for decryption and in-place encryption

* Black screen when booting 5.15.0-160 (on AMD Lucienne / Cezanne / Navi /
Renoir / Rembrandt) (LP: #2128729)
- SAUCE: drm/amd/display: Fix incorrect code path taken in
amdgpu_dm_atomic_check()

* CVE-2025-38561
- ksmbd: fix Preauh_HashValue race condition

* Miscellaneous Ubuntu changes
- [SAUCE] Fix selftest/net/rtnetlink.sh for Big Endian

* Miscellaneous upstream changes
- selftests: net: use slowwait to stabilize vrf_route_leaking test

-- Mehmet Basaran <mehmet.basaran@canonical.com> Fri, 09 Jan 2026
18:51:02 +0300

** Changed in: linux (Ubuntu Jammy)
Status: Fix Committed => Fix Released

** CVE added: https://cve.org/CVERecord?id=CVE-2024-53090

** CVE added: https://cve.org/CVERecord?id=CVE-2024-53114

** CVE added: https://cve.org/CVERecord?id=CVE-2024-56538

** CVE added: https://cve.org/CVERecord?id=CVE-2024-58011

** CVE added: https://cve.org/CVERecord?id=CVE-2025-22058

** CVE added: https://cve.org/CVERecord?id=CVE-2025-38248

** CVE added: https://cve.org/CVERecord?id=CVE-2025-38561

** CVE added: https://cve.org/CVERecord?id=CVE-2025-38584

** CVE added: https://cve.org/CVERecord?id=CVE-2025-39994

** CVE added: https://cve.org/CVERecord?id=CVE-2025-39995

** CVE added: https://cve.org/CVERecord?id=CVE-2025-39996

** CVE added: https://cve.org/CVERecord?id=CVE-2025-39998

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40001

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40019

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40026

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40027

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40029

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40030

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40035

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40042

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40043

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40044

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40048

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40049

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40053

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40055

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40060

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40068

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40070

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40078

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40081

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40085

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40087

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40088

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40092

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40094

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40105

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40106

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40109

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40111

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40112

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40115

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40116

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40118

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40120

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40121

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40124

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40125

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40126

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40127

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40134

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40140

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40153

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40154

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40167

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40171

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40173

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40178

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40179

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40183

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40187

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40188

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40194

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40200

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40204

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40205

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40215

** CVE added: https://cve.org/CVERecord?id=CVE-2025-40256

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2065369

Title:
veth.sh from ubuntu_kselftests_net failed on J-5.15 / N-6.8 (with xdp
attached - gro flag)

Status in ubuntu-kernel-tests:
In Progress
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Jammy:
Fix Released
Status in linux source package in Noble:
Fix Committed

Bug description:
[ Impact ]

The test veth.sh from ubuntu_kselftests_net fails on both Jammy and Noble.
...
bad setting: reducing RX nr below peer TX with XDP set ok
with xdp attached - gro flag fail - expected on found off
        - peer gro flag ok
        - tso flag ok
        - peer tso flag ok
        - aggregation fail - got 10 packets, expected 1
        - after dev off, flag fail - expected on found off
        - peer flag ok
...

The test execution reveals a consistent failure pattern
during the interaction between XDP program attachment and GRO
feature state management on veth interfaces.

It is possible to notice that the commit
d7db7775ea2e (net: veth: do not manipulate GRO when using XDP)
changed the veth driver's behavior by removing automatic GRO manipulation
when XDP programs attach or detach.
Both Noble and Jammy includes this behavioral change,
but the kselftest net:vet.sh has not been update accordingly.
In practice, commit ba5a6476e386 (selftests: net: veth: test the ability
to independently manipulate GRO and XDP) it's missing.
This creates a mismatch between actual kernel behavior and test expectations.

[ Fix ]

Backport commit ba5a6476e386 (selftests: net: veth: test the ability
to independently manipulate GRO and XDP) from mainline.

[ Test ]

Execute net:vet.sh on both Noble and Jammy.

In Noble:
$ uname -a
Linux ubuntu-noble-amd64-server 6.8.0-91-generic #92-Ubuntu SMP PREEMPT_DYNAMIC Fri Nov 28 16:26:35 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
$ sudo apt install -y build-essential docutils-common ethtool iptables jq kernel-wedge libfuse-dev libnuma-dev libssl-dev net-tools pkg-config tcpdump uuid-runtime socat netsniff-ng libcap-dev libelf-dev clang llvm
$ fakeroot debian/rules clean
$ make -j$(nproc) headers
$ sudo make run_tests -C tools/testing/selftests/net TEST_PROGS=veth.sh
# selftests: net: veth.sh
# default - gro flag ok
# - peer gro flag ok
# - tso flag ok
# - peer tso flag ok
# - aggregation ok
# - aggregation with TSO off ok
# with gro on - gro flag ok
# - peer gro flag ok
# - tso flag ok
# - peer tso flag ok
# - aggregation with TSO off ok
# gro vs xdp while down - gro flag off ok
# - after down ok
# - after xdp off ok
# - after up ok
# - after peer xdp ok
# gro vs xdp while down - gro flag on ok
# - after down ok
# - after xdp off ok
# - after up ok
# - after peer xdp ok
# default channels ok
# with gro enabled on link down - gro flag ok
# - peer gro flag ok
# - tso flag ok
# - peer tso flag ok
# - aggregation with TSO off ok
# setting tx channels ok
# setting both rx and tx channels ok
# bad setting: combined channels ok
# setting invalid channels nr ok
# bad setting: XDP with RX nr less than TX ok
# bad setting: reducing RX nr below peer TX with XDP set ok
# bad setting: increasing peer TX nr above RX with XDP set ok
# setting invalid channels nr ok
# with xdp attached - gro flag ok
# - peer gro flag ok
# - tso flag ok
# - peer tso flag ok
# - no aggregation ok
# - gro flag with GRO on ok
# - aggregation ok
# - after dev off, flag ok
# - peer flag ok
# - after gro on xdp off, gro flag ok
# - peer gro flag ok
# - tso flag ok
# - peer tso flag ok
# decreasing tx channels with device down ok
# - aggregation ok
# increasing tx channels with device down ok
# aggregation again with default and TSO off ok
ok 14 selftests: net: veth.sh

In Jammy:

$ uname -a
Linux ubuntu-jammy-amd64-server 5.15.0-163-generic #173-Ubuntu SMP Tue Oct 14 17:51:00 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
$ sudo apt install -y build-essential docutils-common ethtool iptables jq kernel-wedge libfuse-dev libnuma-dev libssl-dev net-tools pkg-config tcpdump uuid-runtime socat netsniff-ng libcap-dev libelf-dev clang llvm
$ fakeroot debian/rules clean
$ make -j$(nproc) headers
$ make -j$(nproc) -C tools/testing/selftests TARGETS=bpf SKIP_TARGETS= KDIR=/usr/src/linux-headers-5.15.0-163-generic
$ sudo make run_tests -C tools/testing/selftests/net TEST_PROGS=veth.sh
# selftests: net: veth.sh
# default - gro flag ok
# - peer gro flag ok
# - tso flag ok
# - peer tso flag ok
# - aggregation ok
# - aggregation with TSO off ok
# with gro on - gro flag ok
# - peer gro flag ok
# - tso flag ok
# - peer tso flag ok
# - aggregation with TSO off ok
# gro vs xdp while down - gro flag on ok
# - after down ok
# - after xdp off ok
# - after up ok
# - after peer xdp ok
# default channels ok
# with gro enabled on link down - gro flag ok
# - peer gro flag ok
# - tso flag ok
# - peer tso flag ok
# - aggregation with TSO off ok
# setting tx channels ok
# setting both rx and tx channels ok
# bad setting: combined channels ok
# setting invalid channels nr ok
# bad setting: XDP with RX nr less than TX ok
# bad setting: reducing RX nr below peer TX with XDP set ok
# bad setting: increasing peer TX nr above RX with XDP set ok
# setting invalid channels nr ok
# with xdp attached - gro flag ok
# - peer gro flag ok
# - tso flag ok
# - peer tso flag ok
# - no aggregation ok
# - gro flag with GRO on ok
# - aggregation ok
# - after dev off, flag ok
# - peer flag ok
# - after gro on xdp off, gro flag ok
# - peer gro flag ok
# - tso flag ok
# - peer tso flag ok
# decreasing tx channels with device down ok
# - aggregation ok
# increasing tx channels with device down ok
# aggregation again with default and TSO off ok
ok 7 selftests: net: veth.sh

[ Regression Potential ]

The fix affects only scripts in kselftest.
No regression potential for the kernel.

---

Issue found with Jammy 5.15.0-111.121 in sru-20240429

Reproduce rate is 100% across different arches on openstack cloud.

Test log:
ubuntu@kt-j-l-gen-5-15-bc2r4d20-u-kselftests-net-amd64:~/autotest/client/tmp/ubuntu_kselftests_net/src/linux/tools/testing/selftests/net$ sudo ./veth.sh
default - gro flag ok
        - peer gro flag ok
        - tso flag ok
        - peer tso flag ok
        - aggregation ok
        - aggregation with TSO off ok
with gro on - gro flag ok
        - peer gro flag ok
        - tso flag ok
        - peer tso flag ok
        - aggregation with TSO off ok
default channels ok
with gro enabled on link down - gro flag ok
        - peer gro flag ok
        - tso flag ok
        - peer tso flag ok
        - aggregation with TSO off ok
setting tx channels ok
bad setting: combined channels ok
setting invalid channels nr ok
bad setting: XDP with RX nr less than TX ok
bad setting: reducing RX nr below peer TX with XDP set ok
with xdp attached - gro flag fail - expected on found off
        - peer gro flag ok
        - tso flag ok
        - peer tso flag ok
        - aggregation fail - got 10 packets, expected 1
        - after dev off, flag fail - expected on found off
        - peer flag ok
        - after gro on xdp off, gro flag ok
        - peer gro flag ok
        - tso flag ok
        - peer tso flag ok
decreasing tx channels with device down ok
        - aggregation ok
increasing tx channels with device down ok
aggregation again with default and TSO off ok

This failure is different than our known issue of this test (LP:
#1949569 with gro on/aggregation with TSO off) And we don't have this
failure on openstack cloud in the previous cycles.

I have also verified the following combinations:
* 105 kernel + 106 source code - GOOD
* 106 kernel + 106 source code - GOOD
* 111 kernel + 106 source code - BAD
* 111 kernel + 111 source code - BAD
* 106 kernel + 111 source code - GOOD

This appears to be a possible regression in the kernel to me.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2065369/+subscriptions