This bug was fixed in the package linux-nvidia-bos - 7.0.0-2012.12

---------------
linux-nvidia-bos (7.0.0-2012.12) resolute; urgency=medium

  * resolute/linux-nvidia-bos: 7.0.0-2012.12 -proposed tracker (LP:
#2156940)

  * Packaging resync (LP: #1786013)
    - [Packaging] debian.nvidia-bos/dkms-versions -- update from kernel-
      versions (adhoc/d2026.06.15)

  * Backport the arm-smmu-v3 kdump adoption series (LP: #2156531)
    - iommu/arm-smmu-v3: Add arm_smmu_kdump_adopt_strtab() for kdump
    - iommu/arm-smmu-v3: Implement is_attach_deferred() for kdump
    - iommu/arm-smmu-v3: Do not enable EVTQ/PRIQ interrupts in kdump kernel
    - iommu/arm-smmu-v3: Skip EVTQ/PRIQ setup in kdump kernel
    - iommu/arm-smmu-v3: Retain CR0_SMMUEN during kdump device reset
    - iommu/arm-smmu-v3: Skip RMR bypass for kdump adoption
    - iommu/arm-smmu-v3: Detect ARM_SMMU_OPT_KDUMP_ADOPT in probe()
    - NVIDIA: SAUCE: iommu/arm-smmu-v3: Block kdump MPAM updates

  * Backport mana support for PF device 0x00C1 (LP: #2156821)
    - net: mana: Add support for PF device 0x00C1

  * Backport: fuse: back uncached readdir buffers with pages (LP: #2156632)
    - fuse: back uncached readdir buffers with pages

  * Backport: Mitigate TLBI errata on various Arm CPUs (LP: #2156557) // CVE-
    Enable ARM64_ERRATUM_4118414 to mitigate 2025-10263 on NVIDIA platforms.
    - NVIDIA: [Config] Enable ARM64_ERRATUM_4118414

  * Backport: Mitigate TLBI errata on various Arm CPUs (LP: #2156557) //
    CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses
    - arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU

  * Backport: Mitigate TLBI errata on various Arm CPUs (LP: #2156557)
    - arm64: cputype: Add C1-Ultra definitions
    - arm64: cputype: Add C1-Premium definitions
    - arm64: errata: Mitigate TLBI errata on various Arm CPUs

  * PCI: mirror PI7C9X3G606GPC Port 4 BAR0 (LP: #2154457)
    - NVIDIA: SAUCE: PCI: quirks: mirror PI7C9X3G606GPC Port 4 BAR0

  * fs/ntfs3: fix mount failure on 64K page-size kernels (LP: #2155467)
    - fs/ntfs3: fix mount failure on 64K page-size kernels

  [ Ubuntu: 7.0.0-27.27 ]

  * resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)
  * Packaging resync (LP: #1786013)
    - [Packaging] update annotations scripts
  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,
    conflicting with nouveau (LP: #2150845)
    - [Config] Disable NOVA_CORE
  * CVE-2026-46316
    - KVM: arm64: vgic-its: Drop the translation cache reference only for the
      erased entry
  * CVE-2026-46244
    - netfilter: nft_inner: Fix IPv6 inner_thoff desync
  * CVE-2026-46137
    - mptcp: pm: ADD_ADDR rtx: allow ID 0
    - mptcp: pm: ADD_ADDR rtx: fix potential data-race
  * CVE-2026-46185
    - smb/client: fix out-of-bounds read in symlink_data()
  * CVE-2026-46195
    - smb: client: validate dacloffset before building DACL pointers
  * CVE-2026-46289
    - lib/scatterlist: fix length calculations in extract_kvec_to_sg
  * CVE-2026-46119
    - libceph: Fix slab-out-of-bounds access in auth message processing
  * CVE-2026-46135
    - nvmet-tcp: fix race between ICReq handling and queue teardown
  * CVE-2026-46155
    - smb/client: fix out-of-bounds read in smb2_compound_op()
  * CVE-2026-46115
    - block: add pgmap check to biovec_phys_mergeable
  * CVE-2026-46243
    - smb: client: reject userspace cifs.spnego descriptions

  [ Ubuntu: 7.0.0-26.26 ]

  * resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)
  * Packaging resync (LP: #1786013)
    - Revert "UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)"
    - [Packaging] debian.master/dkms-versions -- remove dkms-versions
      (main/2026.05.18)
  * Fix mic mute  led on a HP EliteBook 6 G2a platform (LP: #2150065)
    - ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops
  * ov08x40 module mounted upside down on a certain DELL platforms
    (LP: #2146517)
    - SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with
      upside down sensors
    - SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside
      down sensors
  * Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor
    (LP: #2147409)
    - SAUCE: media: ipu-bridge: Add 900MHz for OV05C10
    - SAUCE: platform/x86: int3472: increase handshake delay to 50ms for
      OV05C10
  * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)
    - SAUCE: media: ipu-bridge: Support s5k3j1 sensor
  * [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms
    (LP: #2150196)
    - ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match
      tables
    - ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix
    - ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list
  * powerpc-build in ubuntu_kernel_selftests fails to build due to
    uninitialized value (LP: #2129844)
    - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
  * Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,
    conflicting with nouveau (LP: #2150845)
    - [Config] Disable DRM_NOVA
  * Resolute update: v7.0.6 upstream stable release (LP: #2152558)
    - Linux 7.0.6
    - Upstream stable to v7.0.6
  * Resolute update: v7.0.5 upstream stable release (LP: #2152556)
    - Linux 7.0.5
    - Upstream stable to v7.0.5
  * Resolute update: v7.0.4 upstream stable release (LP: #2152552)
    - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
    - ALSA: usb-audio: Avoid false E-MU sample-rate notifications
    - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
    - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
    - usb: chipidea: otg: not wait vbus drop if use role_switch
    - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS
      change
    - ALSA: usb-audio: Evaluate packsize caps at the right place
    - LoongArch: Add spectre boundry for syscall dispatch table
    - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
    - leds: qcom-lpg: Check for array overflow when selecting the high
      resolution
    - greybus: gb-beagleplay: bound bootloader receive buffering
    - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()
    - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
    - ibmasm: fix OOB reads in command_file_write due to missing size checks
    - ibmasm: fix heap over-read in ibmasm_send_i2o_message()
    - sysfs: attribute_group: Respect is_visible_const() when changing owner
    - driver core: Don't let a device probe until it's ready
    - device property: Make modifications of fwnode "flags" thread safe
    - drm/nouveau: fix nvkm_device leak on aperture removal failure
    - rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs
    - kbuild: rust: allow `clippy::uninlined_format_args`
    - fs: afs: revert mmap_prepare() change
    - firmware: google: framebuffer: Do not mark framebuffer as busy
    - lib: test_hmm: evict device pages on file close to avoid use-after-free
    - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
    - arm64: mm: Fix rodata=full block mapping support for realm guests
    - mm: migrate: requeue destination folio on deferred split queue
    - mm: prevent droppable mappings from being locked
    - mm: fix deferred split queue races during migration
    - ocfs2: split transactions in dio completion to avoid credit exhaustion
    - Input: edt-ft5x06 - fix use-after-free in debugfs teardown
    - zram: do not forget to endio for partial discard requests
    - wifi: rtw88: check for PCI upstream bridge existence
    - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
    - vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()
    - vfio/xe: Add a missing vfio_pci_core_release_dev()
    - vfio/virtio: Convert list_lock from spinlock to mutex
    - vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
    - vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
    - um: drivers: call kernel_strrchr() explicitly in cow_user.c
    - thermal: core: Fix thermal zone governor cleanup issues
    - spi: imx: fix use-after-free on unbind
    - spi: ch341: fix memory leaks on probe failures
    - crypto: algif_aead - snapshot IV for async AEAD requests
    - crypto: pcrypt - Fix handling of MAY_BACKLOG requests
    - dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock
      constraints
    - of: unittest: fix use-after-free in of_unittest_changeset()
    - of: unittest: fix use-after-free in testdrv_probe()
    - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
    - EDAC/versalnet: Fix device_node leak in mc_probe()
    - PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX
    - media: amphion: Fix race between m2m job_abort and device_run
    - ALSA: control: Validate buf_len before strnlen() in
      snd_ctl_elem_init_enum_names()
    - net: caif: clear client service pointer on teardown
    - net: strparser: fix skb_head leak in strp_abort_strp()
    - media: mtk-jpeg: fix use-after-free in release path due to uncancelled
      work
    - crypto: atmel-sha204a - Fix OTP sysfs read and error handling
    - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
    - Revert "ALSA: usb: Increase volume range that triggers a warning"
    - phy: qcom: m31-eusb2: clear PLL_EN during init
    - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete
    - lib/ts_kmp: fix integer overflow in pattern length calculation
    - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in
      imx219_probe()
    - net: qrtr: ns: Fix use-after-free in driver remove()
    - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
    - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()
    - ALSA: aoa: i2sbus: clear stale prepared state
    - ALSA: aoa: i2sbus: fix OF node lifetime handling
    - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()
    - ALSA: ctxfi: Add fallback to default RSR for S/PDIF
    - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
    - erofs: fix the out-of-bounds nameoff handling for trailing dirents
    - ipmi:ssif: Clean up kthread on errors
    - jbd2: fix deadlock in jbd2_journal_cancel_revoke()
    - KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs
    - md/raid10: fix deadlock with check operation and nowait requests
    - media: rc: igorplugusb: heed coherency rules
    - media: rockchip: rkcif: fix off by one bugs
    - media: rockchip: rkcif: comply with minimum number of buffers
      requirement
    - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused
    - mm/alloc_tag: clear codetag for pages allocated before page_ext
      initialization
    - mm/damon/core: fix damon_call() vs kdamond_fn() exit race
    - mm/damon/core: fix damos_walk() vs kdamond_fn() exit race
    - mm/hugetlb: fix early boot crash on parameters without '=' separator
    - mtd: docg3: fix use-after-free in docg3_release()
    - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
    - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
    - parisc: _llseek syscall is only available for 32-bit userspace
    - parisc: Drop ip_fast_csum() inline assembly implementation
    - PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access
    - PCI: imx6: Fix reference clock source selection for i.MX95
    - perf annotate: Use jump__delete when freeing LoongArch jumps
    - RDMA/mana_ib: Disable RX steering on RSS QP destroy
    - remoteproc: xlnx: Only access buffer information if IPI is buffered
    - reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime
    - sched: Use u64 for bandwidth ratio calculations
    - selftests/mqueue: Fix incorrectly named file
    - landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()
    - landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1
    - selftests/landlock: Drain stale audit records on init
    - selftests/landlock: Fix format warning for __u64 in net_test
    - selftests/landlock: Fix snprintf truncation checks in audit helpers
    - selftests/landlock: Skip stale records in audit_match_record()
    - rbd: fix null-ptr-deref when device_add_disk() fails
    - mm/zone_device: do not touch device folio after calling ->folio_free()
    - block: fix zone write plugs refcount handling in
      disk_zone_wplug_schedule_bio_work()
    - io_uring/zcrx: return back two step unregistration
    - io_uring/timeout: check unused sqe fields
    - block: relax pgmap check in bio_add_page for compatible zone device
      pages
    - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
    - io_uring/register: fix ring resizing with mixed/large SQEs/CQEs
    - io_uring/zcrx: fix user_struct uaf
    - io_uring/poll: fix signed comparison in io_poll_get_ownership()
    - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
    - module.lds,codetag: force 0 sh_addr for sections
    - module.lds.S: Fix modules on 32-bit parisc architecture
    - ALSA: core: Fix potential data race at fasync handling
    - ALSA: caiaq: Fix control_put() result and cache rollback
    - ALSA: caiaq: Handle probe errors properly
    - ALSA: 6fire: Fix input volume change detection
    - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx
    - ALSA: pcmtest: fix reference leak on failed device registration
    - ALSA: pcmtest: Fix resource leaks in module init error paths
    - iio: adc: ad7768-1: fix one-shot mode data acquisition
    - iio: adc: ad7768-1: remove switch to one-shot mode
    - rxrpc: Fix memory leaks in rxkad_verify_response()
    - rxrpc: Fix rxkad crypto unalignment handling
    - rxrpc: Fix error handling in rxgk_extract_token()
    - rxrpc: Fix re-decryption of RESPONSE packets
    - EDAC/versalnet: Fix memory leak in remove and probe error paths
    - tools/accounting: handle truncated taskstats netlink messages
    - net: txgbe: fix RTNL assertion warning when remove module
    - arm64: dts: marvell: uDPU: add ethernet aliases
    - net: qrtr: ns: Limit the maximum server registration per node
    - net: qrtr: ns: Limit the maximum number of lookups
    - net: qrtr: ns: Free the node during ctrl_cmd_bye()
    - net: qrtr: ns: Limit the total number of nodes
    - net: rds: fix MR cleanup on copy error
    - net: txgbe: fix firmware version check
    - net/smc: avoid early lgr access in smc_clc_wait_msg
    - net: ks8851: Reinstate disabling of BHs around IRQ handler
    - net: bridge: use a stable FDB dst snapshot in RCU readers
    - netconsole: avoid out-of-bounds access on empty string in trim_newline()
    - net: mctp: fix don't require received header reserved bits to be zero
    - net: ks8851: Avoid excess softirq scheduling
    - drm/arcpgu: fix device node leak
    - slub: fix data loss and overflow in krealloc()
    - tracing/fprobe: Reject registration of a registered fprobe before init
    - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
    - printf: Compile the kunit test with DISABLE_BRANCH_PROFILING
      DISABLE_BRANCH_PROFILING
    - ipv4: icmp: validate reply type before using icmp_pointers
    - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
    - spi: fix resource leaks on device setup failure
    - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'
    - tpm: avoid -Wunused-but-set-variable
    - LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist
    - LoongArch: Show CPU vulnerabilites correctly
    - fbdev: defio: Disconnect deferred I/O from the lifetime of struct
      fb_info
    - power: supply: axp288_charger: Do not cancel work before initializing it
    - hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit
    - hwmon: (powerz) Avoid cacheline sharing for DMA buffer
    - media: rzv2h-ivc: Revise default VBLANK formula
    - media: rzv2h-ivc: Fix AXIRX_VBLANK register write
    - fs: prepare for adding LSM blob to backing_file
    - lsm: add backing_file LSM hooks
    - selinux: fix overlayfs mmap() and mprotect() access checks
    - hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()
    - randomize_kstack: Maintain kstack_offset per task
    - mmc: block: use single block write in retry
    - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
    - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins
    - crypto: qat - fix IRQ cleanup on 6xxx probe failure
    - xfs: start gc on zonegc_low_space attribute updates
    - xfs: fix a resource leak in xfs_alloc_buftarg()
    - firmware: google: framebuffer: Do not unregister platform device
    - firmware: exynos-acpm: Drop fake 'const' on handle pointer
    - crypto: talitos - fix SEC1 32k ahash request limitation
    - crypto: talitos - rename first/last to first_desc/last_desc
    - pwm: imx-tpm: Count the number of enabled channels in probe
    - tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()
    - tpm: Fix auth session leak in tpm2_get_random() error path
    - tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
    - tpm: tpm_tis: add error logging for data transfer
    - tpm: tpm_tis: stop transmit if retries are exhausted
    - rtc: ntxec: fix OF node reference imbalance
    - mm/vmalloc: take vmap_purge_lock in shrinker
    - mm/memfd_luo: fix physical address conversion in put_folios cleanup
    - mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()
    - mm/damon/stat: fix memory leak on damon_start() failure in
      damon_stat_start()
    - mm/damon/core: validate damos_quota_goal->nid for
      node_mem_{used,free}_bp
    - mm/damon/core: validate damos_quota_goal->nid for
      node_memcg_{used,free}_bp
    - mm/damon/core: use time_in_range_open() for damos quota window start
    - mm/damon/core: disallow time-quota setting zero esz
    - mm/damon/core: disallow non-power of two min_region_sz on damon_start()
    - userfaultfd: allow registration of ranges below mmap_min_addr
    - LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()
    - KVM: x86: Defer non-architectural deliver of exception payload to
      userspace read
    - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
    - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
    - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
    - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
    - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts
    - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode
    - KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN
    - KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run
    - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT
    - KVM: arm64: Account for RESx bits in __compute_fgt()
    - KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12
    - KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run
    - KVM: SVM: Switch svm_copy_lbrs() to a macro
    - KVM: SVM: Add missing save/restore handling of LBR MSRs
    - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN
    - KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper
    - KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper
    - KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT
    - KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT
    - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
    - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT
    - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT
    - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
    - KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE
    - KVM: nSVM: Add missing consistency check for nCR3 validity
    - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
    - KVM: nSVM: Always intercept VMMCALL when L2 is active
    - ARM: 9472/1: fix race condition on PG_dcache_clean in
      __sync_icache_dcache()
    - ring-buffer: Do not double count the reader_page
    - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access
    - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
    - udf: fix partition descriptor append bookkeeping
    - mtd: spi-nor: sst: Fix write enable before AAI sequence
    - mtd: spinand: winbond: Declare the QE bit on W25NxxJW
    - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2
    - md/md-llbitmap: skip reading rdevs that are not in_sync
    - md/md-llbitmap: raise barrier before state machine transition
    - md/raid5: fix soft lockup in retry_aligned_read()
    - md/raid5: validate payload size before accessing journal metadata
    - check-uapi: link into shared objects
    - mm, swap: speed up hibernation allocation and writeout
    - HID: apple: ensure the keyboard backlight is off if suspending
    - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()
      fails
    - x86/cpu: Disable FRED when PTI is forced on
    - x86/shstk: Prevent deadlock during shstk sigreturn
    - wifi: rtl8xxxu: fix potential use of uninitialized value
    - tcp: call sk_data_ready() after listener migration
    - taskstats: set version in TGID exit notifications
    - mptcp: sync the msk->sndbuf at accept() time
    - mfd: core: Preserve OF node when ACPI handle is present
    - 9p: fix access mode flags being ORed instead of replaced
    - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
    - bus: mhi: host: pci_generic: Switch to async power up to avoid boot
      delays
    - can: ucan: fix devres lifetime
    - crypto: acomp - fix wrong pointer stored by acomp_save_req()
    - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit
    - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
    - crypto: atmel-ecc - Release client on allocation failure
    - crypto: hisilicon - Fix dma_unmap_single() direction
    - crypto: ccree - fix a memory leak in cc_mac_digest()
    - crypto: atmel-tdes - fix DMA sync direction
    - crypto: atmel-sha204a - Fix error codes in OTP reads
    - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
    - crypto: atmel-sha204a - Fix uninitialized data access on OTP read error
    - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
    - crypto: nx - fix context leak in nx842_crypto_free_ctx
    - crypto: nx - Fix packed layout in struct nx842_crypto_header
    - dm mirror: fix integer overflow in create_dirty_log()
    - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
    - ceph: fix num_ops off-by-one when crypto allocation fails
    - ceph: only d_add() negative dentries when they are unhashed
    - gtp: disable BH before calling udp_tunnel_xmit_skb()
    - IB/core: Fix zero dmac race in neighbor resolution
    - ktest: Fix the month in the name of the failure directory
    - NFSv4.1: Apply session size limits on clone path
    - ntfs3: add buffer boundary checks to run_unpack()
    - ntfs3: fix integer overflow in run_unpack() volume boundary check
    - rtmutex: Use waiter::task instead of current in remove_waiter()
    - rxgk: Fix potential integer overflow in length check
    - sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle
    - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
    - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
    - perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND
    - iio: frequency: admv1013: add dev variable
    - iio: frequency: admv1013: fix NULL pointer dereference on str
    - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor
    - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling
    - mm: various small mmap_prepare cleanups
    - mm: avoid deadlock when holding rmap on mmap_prepare error
    - mei: me: use PCI_DEVICE_DATA macro
    - mei: me: add nova lake point H DID
    - crypto: authencesn - reject short ahash digests during instance creation
    - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
    - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
    - ALSA: caiaq: Don't abort when no input device is available
    - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
    - drm/amdgpu: fix zero-size GDS range init on RDNA4
    - drm/imagination: Fix segfault when updating ftrace mask
    - ALSA: caiaq: fix usb_dev refcount leak on probe failure
    - ALSA: aloop: Fix peer runtime UAF during format-change stop
    - vmalloc: fix buffer overflow in vrealloc_node_align()
    - mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI
      on UP
    - mm/slab: return NULL early from kmalloc_nolock() in NMI on UP
    - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
    - netfilter: reject zero shift in nft_bitwise
    - ipmi:ssif: Remove unnecessary indention
    - ipmi:ssif: NULL thread on error
    - Linux 7.0.4
    - Upstream stable to v7.0.4
  * Resolute update: v7.0.3 upstream stable release (LP: #2152550)
    - Buffer overflow in drivers/xen/sys-hypervisor.c
    - xen/privcmd: fix double free via VMA splitting
    - Linux 7.0.3
    - Upstream stable to v7.0.3
  * Resolute update: v7.0.2 upstream stable release (LP: #2150553)
    - crypto: authencesn - Fix src offset when decrypting in-place
    - pwm: th1520: fix `CLIPPY=1` warning
    - drm/amdgpu: replace PASID IDR with XArray
    - crypto: krb5enc - fix sleepable flag handling in encrypt dispatch
    - crypto: krb5enc - fix async decrypt skipping hash verification
    - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
    - ksmbd: validate owner of durable handle on reconnect
    - scripts: generate_rust_analyzer.py: define scripts
    - scripts/dtc: Remove unused dts_version in dtc-lexer.l
    - fs/ntfs3: validate rec->used in journal-replay file record check
    - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
    - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in
      f2fs_write_end_io()
    - f2fs: fix to avoid memory leak in f2fs_rename()
    - f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer
    - fuse: reject oversized dirents in page cache
    - fuse: abort on fatal signal during sync init
    - fuse: Check for large folio with SPLICE_F_MOVE
    - fuse: quiet down complaints in fuse_conn_limit_write
    - fuse: fuse_dev_ioctl_clone() should wait for device file to be
      initialized
    - ksmbd: require minimum ACE size in smb_check_perm_dacl()
    - smb: server: fix active_num_conn leak on transport allocation failure
    - smb: client: fix dir separator in SMB1 UNIX mounts
    - smb: server: fix max_connections off-by-one in tcp accept path
    - smb: client: require a full NFS mode SID before reading mode bits
    - smb: client: validate the whole DACL before rewriting it in cifsacl
    - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
    - ksmbd: validate response sizes in ipc_validate_msg()
    - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
    - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
    - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
    - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()
    - writeback: Fix use after free in inode_switch_wbs_work_fn()
    - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
    - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
    - ALSA: hda/realtek: Add quirk for Legion S7 15IMH
    - ALSA: caiaq: take a reference on the USB device in create_card()
    - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
    - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command
      failed
    - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command
      failed
    - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
    - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
    - mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER
    - Linux 7.0.2
  * Resolute update: v7.0.1 upstream stable release (LP: #2150547)
    - Revert "UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports"
    - nfc: llcp: add missing return after LLCP_CLOSED checks
    - x86/CPU: Fix FPDSS on Zen1
    - can: raw: fix ro->uniq use-after-free in raw_rcv()
    - i2c: s3c24xx: check the size of the SMBUS message before using it
    - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
    - HID: alps: fix NULL pointer dereference in alps_raw_event()
    - HID: core: clamp report_size in s32ton() to avoid undefined shift
    - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
    - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
    - drm/vc4: platform_get_irq_byname() returns an int
    - bnge: return after auxiliary_device_uninit() in error path
    - ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0
    - ALSA: fireworks: bound device-supplied status before string array lookup
    - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
    - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
    - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
    - usb: gadget: renesas_usb3: validate endpoint index in standard request
      handlers
    - smb: client: fix off-by-8 bounds check in check_wsl_eas()
    - smb: client: fix OOB reads parsing symlink error response
    - ksmbd: validate EaNameLength in smb2_get_ea()
    - ksmbd: require 3 sub-authorities before reading sub_auth[2]
    - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
    - smb: client: avoid double-free in smbd_free_send_io() after
      smbd_send_batch_flush()
    - smb: server: avoid double-free in smb_direct_free_sendmsg after
      smb_direct_flush_send_list()
    - usbip: validate number_of_packets in usbip_pack_ret_submit()
    - usb: typec: fusb302: Switch to threaded IRQ handler
    - usb: storage: Expand range of matched versions for VL817 quirks entry
    - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
    - usb: gadget: f_hid: don't call cdev_init while cdev in use
    - usb: port: add delay after usb_hub_set_port_power()
    - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
    - scripts/gdb/symbols: handle module path parameters
    - scripts: generate_rust_analyzer.py: avoid FD leak
    - wifi: rtw88: fix device leak on probe failure
    - staging: sm750fb: fix division by zero in ps_to_hz()
    - selftests/mm: hmm-tests: don't hardcode THP size to 2MB
    - USB: serial: option: add Telit Cinterion FN990A MBIM composition
    - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates
      race
    - Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates
      race
    - ALSA: ctxfi: Limit PTP to a single page
    - dcache: Limit the minimal number of bucket to two
    - vfio/xe: Reorganize the init to decouple migration from reset
    - arm64: mm: Handle invalid large leaf mappings correctly
    - media: vidtv: fix NULL pointer dereference in
      vidtv_channel_pmt_match_sections
    - ocfs2: fix possible deadlock between unlink and dio_end_io_write
    - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
    - ocfs2: handle invalid dinode in ocfs2_group_extend
    - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in
      epf_ntb_epc_cleanup
    - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
    - KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES
      migrate test
    - KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted
      vCPU
    - KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock
    - KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created
    - KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish
    - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
    - mm: call ->free_folio() directly in folio_unmap_invalidate()
    - checkpatch: add support for Assisted-by tag
    - x86-64: rename misleadingly named '__copy_user_nocache()' function
    - x86: rename and clean up __copy_from_user_inatomic_nocache()
    - x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache
    - KVM: x86: Use scratch field in MMIO fragment to hold small write values
    - ASoC: qcom: q6apm: move component registration to unmanaged version
    - mm/kasan: fix double free for kasan pXds
    - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
    - media: vidtv: fix nfeeds state corruption on start_streaming failure
    - media: mediatek: vcodec: fix use-after-free in encoder release path
    - media: em28xx: fix use-after-free in em28xx_v4l2_open()
    - hwmon: (powerz) Fix use-after-free on USB disconnect
    - ALSA: 6fire: fix use-after-free on disconnect
    - bcache: fix cached_dev.sb_bio use-after-free and crash
    - wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in
      pre_exit
    - media: as102: fix to not free memory after the device is registered in
      as102_usb_probe()
    - nilfs2: fix NULL i_assoc_inode dereference in
      nilfs_mdt_save_to_shadow_map
    - media: vidtv: fix pass-by-value structs causing MSAN warnings
    - media: hackrf: fix to not free memory after the device is registered in
      hackrf_probe()
    - mm/userfaultfd: fix hugetlb fault mutex hash calculation
    - clockevents: Add missing resets of the next_event_forced flag
    - Linux 7.0.1
  * GRO managed-frag use-after-free leading to local privilege escalation
    (LP: #2154172)
    - net: gro: don't merge zcopy skbs
  * AppArmor Vulnerabilities  (LP: #2151747)
    - SAUCE: apparmor: pass big_resp to handler
    - SAUCE: apparmor: remove redundant kref_init for listener->count
    - SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb
  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47337
    - SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr
  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47334
    - SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock
  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47333
    - SAUCE: apparmor: fix dfa unpacking size of the notification filter
  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47332
    - SAUCE: apparmor: fix size check against type instead of pointer
  * apparmor: LLVM/clang build failure due to uninitialized variable in
    notify.c (LP: #2148809) // CVE-2026-47330
    - SAUCE: apparmor: initialize variable used in uninitialized context
  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47329
    - SAUCE: apparmor: fix name validation bypass on notification
  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47327 //
    CVE-2026-47328
    - SAUCE: apparmor: fix glob memory leak after kstrdup
  * AppArmor Vulnerabilities  (LP: #2151747) // CVE-2026-47326
    - SAUCE: apparmor: fix inverted NULL check after aa_get_buffer
  * CVE-2026-46300
    - net: skbuff: preserve shared-frag marker during coalescing
    - net: skbuff: propagate shared-frag marker through frag-transfer helpers
  * net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)
    - net/rds: reset op_nents when zerocopy page pin fails
  * CVE-2026-46333
    - ptrace: slightly saner 'get_dumpable()' logic
  * CVE-2026-43500
    - rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
    - rxrpc: Fix potential UAF after skb_unshare() failure
    - rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
    - rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
  * CVE-2026-43284
    - xfrm: esp: avoid in-place decrypt on shared skb frags

 -- Jacob Martin <[email protected]>  Thu, 18 Jun 2026 20:24:04
-0500

** Changed in: linux-nvidia-bos (Ubuntu Resolute)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.org/CVERecord?id=CVE-2025-10263

** CVE added: https://cve.org/CVERecord?id=CVE-2026-43284

** CVE added: https://cve.org/CVERecord?id=CVE-2026-43500

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46115

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46119

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46135

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46137

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46155

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46185

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46195

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46243

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46244

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46289

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46300

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46316

** CVE added: https://cve.org/CVERecord?id=CVE-2026-46333

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47326

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47327

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47328

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47329

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47330

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47332

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47333

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47334

** CVE added: https://cve.org/CVERecord?id=CVE-2026-47337

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2156821

Title:
  Backport mana support for PF device 0x00C1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-nvidia-7.0/+bug/2156821/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to