This bug was fixed in the package linux-nvidia-bos - 7.0.0-2012.12
---------------
linux-nvidia-bos (7.0.0-2012.12) resolute; urgency=medium
* resolute/linux-nvidia-bos: 7.0.0-2012.12 -proposed tracker (LP:
#2156940)
* Packaging resync (LP: #1786013)
- [Packaging] debian.nvidia-bos/dkms-versions -- update from kernel-
versions (adhoc/d2026.06.15)
* Backport the arm-smmu-v3 kdump adoption series (LP: #2156531)
- iommu/arm-smmu-v3: Add arm_smmu_kdump_adopt_strtab() for kdump
- iommu/arm-smmu-v3: Implement is_attach_deferred() for kdump
- iommu/arm-smmu-v3: Do not enable EVTQ/PRIQ interrupts in kdump kernel
- iommu/arm-smmu-v3: Skip EVTQ/PRIQ setup in kdump kernel
- iommu/arm-smmu-v3: Retain CR0_SMMUEN during kdump device reset
- iommu/arm-smmu-v3: Skip RMR bypass for kdump adoption
- iommu/arm-smmu-v3: Detect ARM_SMMU_OPT_KDUMP_ADOPT in probe()
- NVIDIA: SAUCE: iommu/arm-smmu-v3: Block kdump MPAM updates
* Backport mana support for PF device 0x00C1 (LP: #2156821)
- net: mana: Add support for PF device 0x00C1
* Backport: fuse: back uncached readdir buffers with pages (LP: #2156632)
- fuse: back uncached readdir buffers with pages
* Backport: Mitigate TLBI errata on various Arm CPUs (LP: #2156557) // CVE-
Enable ARM64_ERRATUM_4118414 to mitigate 2025-10263 on NVIDIA platforms.
- NVIDIA: [Config] Enable ARM64_ERRATUM_4118414
* Backport: Mitigate TLBI errata on various Arm CPUs (LP: #2156557) //
CVE-2025-10263. The existing ARM64_ERRATUM_4118414 handling already uses
- arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
* Backport: Mitigate TLBI errata on various Arm CPUs (LP: #2156557)
- arm64: cputype: Add C1-Ultra definitions
- arm64: cputype: Add C1-Premium definitions
- arm64: errata: Mitigate TLBI errata on various Arm CPUs
* PCI: mirror PI7C9X3G606GPC Port 4 BAR0 (LP: #2154457)
- NVIDIA: SAUCE: PCI: quirks: mirror PI7C9X3G606GPC Port 4 BAR0
* fs/ntfs3: fix mount failure on 64K page-size kernels (LP: #2155467)
- fs/ntfs3: fix mount failure on 64K page-size kernels
[ Ubuntu: 7.0.0-27.27 ]
* resolute/linux: 7.0.0-27.27 -proposed tracker (LP: #2157114)
* Packaging resync (LP: #1786013)
- [Packaging] update annotations scripts
* Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,
conflicting with nouveau (LP: #2150845)
- [Config] Disable NOVA_CORE
* CVE-2026-46316
- KVM: arm64: vgic-its: Drop the translation cache reference only for the
erased entry
* CVE-2026-46244
- netfilter: nft_inner: Fix IPv6 inner_thoff desync
* CVE-2026-46137
- mptcp: pm: ADD_ADDR rtx: allow ID 0
- mptcp: pm: ADD_ADDR rtx: fix potential data-race
* CVE-2026-46185
- smb/client: fix out-of-bounds read in symlink_data()
* CVE-2026-46195
- smb: client: validate dacloffset before building DACL pointers
* CVE-2026-46289
- lib/scatterlist: fix length calculations in extract_kvec_to_sg
* CVE-2026-46119
- libceph: Fix slab-out-of-bounds access in auth message processing
* CVE-2026-46135
- nvmet-tcp: fix race between ICReq handling and queue teardown
* CVE-2026-46155
- smb/client: fix out-of-bounds read in smb2_compound_op()
* CVE-2026-46115
- block: add pgmap check to biovec_phys_mergeable
* CVE-2026-46243
- smb: client: reject userspace cifs.spnego descriptions
[ Ubuntu: 7.0.0-26.26 ]
* resolute/linux: 7.0.0-26.26 -proposed tracker (LP: #2154530)
* Packaging resync (LP: #1786013)
- Revert "UBUNTU: SAUCE: import Huawei ES3000_V2 (2.1.0.23)"
- [Packaging] debian.master/dkms-versions -- remove dkms-versions
(main/2026.05.18)
* Fix mic mute led on a HP EliteBook 6 G2a platform (LP: #2150065)
- ALSA: hda/realtek: Add LED fixup for HP EliteBook 6 G2a Laptops
* ov08x40 module mounted upside down on a certain DELL platforms
(LP: #2146517)
- SAUCE: media: ipu-bridge: Add DMI quirk for new Dell XPS laptops with
upside down sensors
- SAUCE: media: ipu-bridge: Add DMI quirk for Dell 14 laptops with upside
down sensors
* Support additional 2888x1808@30fps 900MHz for OVTI05C1 camera sensor
(LP: #2147409)
- SAUCE: media: ipu-bridge: Add 900MHz for OV05C10
- SAUCE: platform/x86: int3472: increase handshake delay to 50ms for
OV05C10
* Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)
- SAUCE: media: ipu-bridge: Support s5k3j1 sensor
* [SRU] ASoC: enable rt1320 speaker amp and DMIC on PTL SoundWire platforms
(LP: #2150196)
- ASoC: Intel: soc-acpi-intel-ptl-match: drop rt722 monolithic match
tables
- ASoC: SOF: Intel: Add a is_amp flag to fix the wrong name prefix
- ASoC: sdw_utils: add rt1320 and rt1321 dmic dai in codec_info_list
* powerpc-build in ubuntu_kernel_selftests fails to build due to
uninitialized value (LP: #2129844)
- selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
* Ubuntu 26.04 linux kernel has non-functional nova-core GPU driver enabled,
conflicting with nouveau (LP: #2150845)
- [Config] Disable DRM_NOVA
* Resolute update: v7.0.6 upstream stable release (LP: #2152558)
- Linux 7.0.6
- Upstream stable to v7.0.6
* Resolute update: v7.0.5 upstream stable release (LP: #2152556)
- Linux 7.0.5
- Upstream stable to v7.0.5
* Resolute update: v7.0.4 upstream stable release (LP: #2152552)
- ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
- ALSA: usb-audio: Avoid false E-MU sample-rate notifications
- ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
- usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
- usb: chipidea: otg: not wait vbus drop if use role_switch
- usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS
change
- ALSA: usb-audio: Evaluate packsize caps at the right place
- LoongArch: Add spectre boundry for syscall dispatch table
- drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
- leds: qcom-lpg: Check for array overflow when selecting the high
resolution
- greybus: gb-beagleplay: bound bootloader receive buffering
- greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()
- misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
- ibmasm: fix OOB reads in command_file_write due to missing size checks
- ibmasm: fix heap over-read in ibmasm_send_i2o_message()
- sysfs: attribute_group: Respect is_visible_const() when changing owner
- driver core: Don't let a device probe until it's ready
- device property: Make modifications of fwnode "flags" thread safe
- drm/nouveau: fix nvkm_device leak on aperture removal failure
- rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs
- kbuild: rust: allow `clippy::uninlined_format_args`
- fs: afs: revert mmap_prepare() change
- firmware: google: framebuffer: Do not mark framebuffer as busy
- lib: test_hmm: evict device pages on file close to avoid use-after-free
- arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
- arm64: mm: Fix rodata=full block mapping support for realm guests
- mm: migrate: requeue destination folio on deferred split queue
- mm: prevent droppable mappings from being locked
- mm: fix deferred split queue races during migration
- ocfs2: split transactions in dio completion to avoid credit exhaustion
- Input: edt-ft5x06 - fix use-after-free in debugfs teardown
- zram: do not forget to endio for partial discard requests
- wifi: rtw88: check for PCI upstream bridge existence
- wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
- vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set()
- vfio/xe: Add a missing vfio_pci_core_release_dev()
- vfio/virtio: Convert list_lock from spinlock to mutex
- vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex
- vfio/cdx: Fix NULL pointer dereference in interrupt trigger path
- um: drivers: call kernel_strrchr() explicitly in cow_user.c
- thermal: core: Fix thermal zone governor cleanup issues
- spi: imx: fix use-after-free on unbind
- spi: ch341: fix memory leaks on probe failures
- crypto: algif_aead - snapshot IV for async AEAD requests
- crypto: pcrypt - Fix handling of MAY_BACKLOG requests
- dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock
constraints
- of: unittest: fix use-after-free in of_unittest_changeset()
- of: unittest: fix use-after-free in testdrv_probe()
- hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
- EDAC/versalnet: Fix device_node leak in mc_probe()
- PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX
- media: amphion: Fix race between m2m job_abort and device_run
- ALSA: control: Validate buf_len before strnlen() in
snd_ctl_elem_init_enum_names()
- net: caif: clear client service pointer on teardown
- net: strparser: fix skb_head leak in strp_abort_strp()
- media: mtk-jpeg: fix use-after-free in release path due to uncancelled
work
- crypto: atmel-sha204a - Fix OTP sysfs read and error handling
- PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
- Revert "ALSA: usb: Increase volume range that triggers a warning"
- phy: qcom: m31-eusb2: clear PLL_EN during init
- PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete
- lib/ts_kmp: fix integer overflow in pattern length calculation
- media: i2c: imx219: Check return value of devm_gpiod_get_optional() in
imx219_probe()
- net: qrtr: ns: Fix use-after-free in driver remove()
- ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
- mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()
- ALSA: aoa: i2sbus: clear stale prepared state
- ALSA: aoa: i2sbus: fix OF node lifetime handling
- ALSA: aoa: Skip devices with no codecs in i2sbus_resume()
- ALSA: ctxfi: Add fallback to default RSR for S/PDIF
- ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
- erofs: fix the out-of-bounds nameoff handling for trailing dirents
- ipmi:ssif: Clean up kthread on errors
- jbd2: fix deadlock in jbd2_journal_cancel_revoke()
- KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs
- md/raid10: fix deadlock with check operation and nowait requests
- media: rc: igorplugusb: heed coherency rules
- media: rockchip: rkcif: fix off by one bugs
- media: rockchip: rkcif: comply with minimum number of buffers
requirement
- mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused
- mm/alloc_tag: clear codetag for pages allocated before page_ext
initialization
- mm/damon/core: fix damon_call() vs kdamond_fn() exit race
- mm/damon/core: fix damos_walk() vs kdamond_fn() exit race
- mm/hugetlb: fix early boot crash on parameters without '=' separator
- mtd: docg3: fix use-after-free in docg3_release()
- nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
- nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
- parisc: _llseek syscall is only available for 32-bit userspace
- parisc: Drop ip_fast_csum() inline assembly implementation
- PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access
- PCI: imx6: Fix reference clock source selection for i.MX95
- perf annotate: Use jump__delete when freeing LoongArch jumps
- RDMA/mana_ib: Disable RX steering on RSS QP destroy
- remoteproc: xlnx: Only access buffer information if IPI is buffered
- reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime
- sched: Use u64 for bandwidth ratio calculations
- selftests/mqueue: Fix incorrectly named file
- landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork()
- landlock: Allow TSYNC with LOG_SUBDOMAINS_OFF and fd=-1
- selftests/landlock: Drain stale audit records on init
- selftests/landlock: Fix format warning for __u64 in net_test
- selftests/landlock: Fix snprintf truncation checks in audit helpers
- selftests/landlock: Skip stale records in audit_match_record()
- rbd: fix null-ptr-deref when device_add_disk() fails
- mm/zone_device: do not touch device folio after calling ->folio_free()
- block: fix zone write plugs refcount handling in
disk_zone_wplug_schedule_bio_work()
- io_uring/zcrx: return back two step unregistration
- io_uring/timeout: check unused sqe fields
- block: relax pgmap check in bio_add_page for compatible zone device
pages
- iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
- io_uring/register: fix ring resizing with mixed/large SQEs/CQEs
- io_uring/zcrx: fix user_struct uaf
- io_uring/poll: fix signed comparison in io_poll_get_ownership()
- io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
- module.lds,codetag: force 0 sh_addr for sections
- module.lds.S: Fix modules on 32-bit parisc architecture
- ALSA: core: Fix potential data race at fasync handling
- ALSA: caiaq: Fix control_put() result and cache rollback
- ALSA: caiaq: Handle probe errors properly
- ALSA: 6fire: Fix input volume change detection
- ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx
- ALSA: pcmtest: fix reference leak on failed device registration
- ALSA: pcmtest: Fix resource leaks in module init error paths
- iio: adc: ad7768-1: fix one-shot mode data acquisition
- iio: adc: ad7768-1: remove switch to one-shot mode
- rxrpc: Fix memory leaks in rxkad_verify_response()
- rxrpc: Fix rxkad crypto unalignment handling
- rxrpc: Fix error handling in rxgk_extract_token()
- rxrpc: Fix re-decryption of RESPONSE packets
- EDAC/versalnet: Fix memory leak in remove and probe error paths
- tools/accounting: handle truncated taskstats netlink messages
- net: txgbe: fix RTNL assertion warning when remove module
- arm64: dts: marvell: uDPU: add ethernet aliases
- net: qrtr: ns: Limit the maximum server registration per node
- net: qrtr: ns: Limit the maximum number of lookups
- net: qrtr: ns: Free the node during ctrl_cmd_bye()
- net: qrtr: ns: Limit the total number of nodes
- net: rds: fix MR cleanup on copy error
- net: txgbe: fix firmware version check
- net/smc: avoid early lgr access in smc_clc_wait_msg
- net: ks8851: Reinstate disabling of BHs around IRQ handler
- net: bridge: use a stable FDB dst snapshot in RCU readers
- netconsole: avoid out-of-bounds access on empty string in trim_newline()
- net: mctp: fix don't require received header reserved bits to be zero
- net: ks8851: Avoid excess softirq scheduling
- drm/arcpgu: fix device node leak
- slub: fix data loss and overflow in krealloc()
- tracing/fprobe: Reject registration of a registered fprobe before init
- RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
- printf: Compile the kunit test with DISABLE_BRANCH_PROFILING
DISABLE_BRANCH_PROFILING
- ipv4: icmp: validate reply type before using icmp_pointers
- libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
- spi: fix resource leaks on device setup failure
- extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'
- tpm: avoid -Wunused-but-set-variable
- LoongArch: Make arch_irq_work_has_interrupt() true only if IPI HW exist
- LoongArch: Show CPU vulnerabilites correctly
- fbdev: defio: Disconnect deferred I/O from the lifetime of struct
fb_info
- power: supply: axp288_charger: Do not cancel work before initializing it
- hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit
- hwmon: (powerz) Avoid cacheline sharing for DMA buffer
- media: rzv2h-ivc: Revise default VBLANK formula
- media: rzv2h-ivc: Fix AXIRX_VBLANK register write
- fs: prepare for adding LSM blob to backing_file
- lsm: add backing_file LSM hooks
- selinux: fix overlayfs mmap() and mprotect() access checks
- hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data()
- randomize_kstack: Maintain kstack_offset per task
- mmc: block: use single block write in retry
- mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
- arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins
- crypto: qat - fix IRQ cleanup on 6xxx probe failure
- xfs: start gc on zonegc_low_space attribute updates
- xfs: fix a resource leak in xfs_alloc_buftarg()
- firmware: google: framebuffer: Do not unregister platform device
- firmware: exynos-acpm: Drop fake 'const' on handle pointer
- crypto: talitos - fix SEC1 32k ahash request limitation
- crypto: talitos - rename first/last to first_desc/last_desc
- pwm: imx-tpm: Count the number of enabled channels in probe
- tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public()
- tpm: Fix auth session leak in tpm2_get_random() error path
- tpm: Use kfree_sensitive() to free auth session in tpm_dev_release()
- tpm: tpm_tis: add error logging for data transfer
- tpm: tpm_tis: stop transmit if retries are exhausted
- rtc: ntxec: fix OF node reference imbalance
- mm/vmalloc: take vmap_purge_lock in shrinker
- mm/memfd_luo: fix physical address conversion in put_folios cleanup
- mm/mempolicy: fix memory leaks in weighted_interleave_auto_store()
- mm/damon/stat: fix memory leak on damon_start() failure in
damon_stat_start()
- mm/damon/core: validate damos_quota_goal->nid for
node_mem_{used,free}_bp
- mm/damon/core: validate damos_quota_goal->nid for
node_memcg_{used,free}_bp
- mm/damon/core: use time_in_range_open() for damos quota window start
- mm/damon/core: disallow time-quota setting zero esz
- mm/damon/core: disallow non-power of two min_region_sz on damon_start()
- userfaultfd: allow registration of ranges below mmap_min_addr
- LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel()
- KVM: x86: Defer non-architectural deliver of exception payload to
userspace read
- KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
- KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
- KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
- KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
- KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts
- KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode
- KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN
- KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run
- KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT
- KVM: arm64: Account for RESx bits in __compute_fgt()
- KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12
- KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run
- KVM: SVM: Switch svm_copy_lbrs() to a macro
- KVM: SVM: Add missing save/restore handling of LBR MSRs
- KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN
- KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper
- KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper
- KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT
- KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT
- KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
- KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT
- KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT
- KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
- KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE
- KVM: nSVM: Add missing consistency check for nCR3 validity
- KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
- KVM: nSVM: Always intercept VMMCALL when L2 is active
- ARM: 9472/1: fix race condition on PG_dcache_clean in
__sync_icache_dcache()
- ring-buffer: Do not double count the reader_page
- ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access
- ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
- udf: fix partition descriptor append bookkeeping
- mtd: spi-nor: sst: Fix write enable before AAI sequence
- mtd: spinand: winbond: Declare the QE bit on W25NxxJW
- amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2
- md/md-llbitmap: skip reading rdevs that are not in_sync
- md/md-llbitmap: raise barrier before state machine transition
- md/raid5: fix soft lockup in retry_aligned_read()
- md/raid5: validate payload size before accessing journal metadata
- check-uapi: link into shared objects
- mm, swap: speed up hibernation allocation and writeout
- HID: apple: ensure the keyboard backlight is off if suspending
- inotify: fix watch count leak when fsnotify_add_inode_mark_locked()
fails
- x86/cpu: Disable FRED when PTI is forced on
- x86/shstk: Prevent deadlock during shstk sigreturn
- wifi: rtl8xxxu: fix potential use of uninitialized value
- tcp: call sk_data_ready() after listener migration
- taskstats: set version in TGID exit notifications
- mptcp: sync the msk->sndbuf at accept() time
- mfd: core: Preserve OF node when ACPI handle is present
- 9p: fix access mode flags being ORed instead of replaced
- Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
- bus: mhi: host: pci_generic: Switch to async power up to avoid boot
delays
- can: ucan: fix devres lifetime
- crypto: acomp - fix wrong pointer stored by acomp_save_req()
- crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit
- crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
- crypto: atmel-ecc - Release client on allocation failure
- crypto: hisilicon - Fix dma_unmap_single() direction
- crypto: ccree - fix a memory leak in cc_mac_digest()
- crypto: atmel-tdes - fix DMA sync direction
- crypto: atmel-sha204a - Fix error codes in OTP reads
- crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
- crypto: atmel-sha204a - Fix uninitialized data access on OTP read error
- crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
- crypto: nx - fix context leak in nx842_crypto_free_ctx
- crypto: nx - Fix packed layout in struct nx842_crypto_header
- dm mirror: fix integer overflow in create_dirty_log()
- erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
- ceph: fix num_ops off-by-one when crypto allocation fails
- ceph: only d_add() negative dentries when they are unhashed
- gtp: disable BH before calling udp_tunnel_xmit_skb()
- IB/core: Fix zero dmac race in neighbor resolution
- ktest: Fix the month in the name of the failure directory
- NFSv4.1: Apply session size limits on clone path
- ntfs3: add buffer boundary checks to run_unpack()
- ntfs3: fix integer overflow in run_unpack() volume boundary check
- rtmutex: Use waiter::task instead of current in remove_waiter()
- rxgk: Fix potential integer overflow in length check
- sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle
- scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
- seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
- perf loongarch: Fix build failure with CONFIG_LIBDW_DWARF_UNWIND
- iio: frequency: admv1013: add dev variable
- iio: frequency: admv1013: fix NULL pointer dereference on str
- wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor
- wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling
- mm: various small mmap_prepare cleanups
- mm: avoid deadlock when holding rmap on mmap_prepare error
- mei: me: use PCI_DEVICE_DATA macro
- mei: me: add nova lake point H DID
- crypto: authencesn - reject short ahash digests during instance creation
- driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
- ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
- ALSA: caiaq: Don't abort when no input device is available
- ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
- drm/amdgpu: fix zero-size GDS range init on RDNA4
- drm/imagination: Fix segfault when updating ftrace mask
- ALSA: caiaq: fix usb_dev refcount leak on probe failure
- ALSA: aloop: Fix peer runtime UAF during format-change stop
- vmalloc: fix buffer overflow in vrealloc_node_align()
- mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI
on UP
- mm/slab: return NULL early from kmalloc_nolock() in NMI on UP
- net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
- netfilter: reject zero shift in nft_bitwise
- ipmi:ssif: Remove unnecessary indention
- ipmi:ssif: NULL thread on error
- Linux 7.0.4
- Upstream stable to v7.0.4
* Resolute update: v7.0.3 upstream stable release (LP: #2152550)
- Buffer overflow in drivers/xen/sys-hypervisor.c
- xen/privcmd: fix double free via VMA splitting
- Linux 7.0.3
- Upstream stable to v7.0.3
* Resolute update: v7.0.2 upstream stable release (LP: #2150553)
- crypto: authencesn - Fix src offset when decrypting in-place
- pwm: th1520: fix `CLIPPY=1` warning
- drm/amdgpu: replace PASID IDR with XArray
- crypto: krb5enc - fix sleepable flag handling in encrypt dispatch
- crypto: krb5enc - fix async decrypt skipping hash verification
- ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
- ksmbd: validate owner of durable handle on reconnect
- scripts: generate_rust_analyzer.py: define scripts
- scripts/dtc: Remove unused dts_version in dtc-lexer.l
- fs/ntfs3: validate rec->used in journal-replay file record check
- f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
- f2fs: fix UAF caused by decrementing sbi->nr_pages[] in
f2fs_write_end_io()
- f2fs: fix to avoid memory leak in f2fs_rename()
- f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer
- fuse: reject oversized dirents in page cache
- fuse: abort on fatal signal during sync init
- fuse: Check for large folio with SPLICE_F_MOVE
- fuse: quiet down complaints in fuse_conn_limit_write
- fuse: fuse_dev_ioctl_clone() should wait for device file to be
initialized
- ksmbd: require minimum ACE size in smb_check_perm_dacl()
- smb: server: fix active_num_conn leak on transport allocation failure
- smb: client: fix dir separator in SMB1 UNIX mounts
- smb: server: fix max_connections off-by-one in tcp accept path
- smb: client: require a full NFS mode SID before reading mode bits
- smb: client: validate the whole DACL before rewriting it in cifsacl
- smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
- ksmbd: validate response sizes in ipc_validate_msg()
- ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
- ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
- ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
- ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()
- writeback: Fix use after free in inode_switch_wbs_work_fn()
- f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
- ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
- ALSA: hda/realtek: Add quirk for Legion S7 15IMH
- ALSA: caiaq: take a reference on the USB device in create_card()
- net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
- crypto: ccp: Don't attempt to copy CSR to userspace if PSP command
failed
- crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command
failed
- crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
- rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
- mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER
- Linux 7.0.2
* Resolute update: v7.0.1 upstream stable release (LP: #2150547)
- Revert "UBUNTU: SAUCE: cdc-acm: Exclude Exar USB serial ports"
- nfc: llcp: add missing return after LLCP_CLOSED checks
- x86/CPU: Fix FPDSS on Zen1
- can: raw: fix ro->uniq use-after-free in raw_rcv()
- i2c: s3c24xx: check the size of the SMBUS message before using it
- staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
- HID: alps: fix NULL pointer dereference in alps_raw_event()
- HID: core: clamp report_size in s32ton() to avoid undefined shift
- net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
- NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
- drm/vc4: platform_get_irq_byname() returns an int
- bnge: return after auxiliary_device_uninit() in error path
- ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0
- ALSA: fireworks: bound device-supplied status before string array lookup
- fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
- usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
- usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
- usb: gadget: renesas_usb3: validate endpoint index in standard request
handlers
- smb: client: fix off-by-8 bounds check in check_wsl_eas()
- smb: client: fix OOB reads parsing symlink error response
- ksmbd: validate EaNameLength in smb2_get_ea()
- ksmbd: require 3 sub-authorities before reading sub_auth[2]
- ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
- smb: client: avoid double-free in smbd_free_send_io() after
smbd_send_batch_flush()
- smb: server: avoid double-free in smb_direct_free_sendmsg after
smb_direct_flush_send_list()
- usbip: validate number_of_packets in usbip_pack_ret_submit()
- usb: typec: fusb302: Switch to threaded IRQ handler
- usb: storage: Expand range of matched versions for VL817 quirks entry
- USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
- usb: gadget: f_hid: don't call cdev_init while cdev in use
- usb: port: add delay after usb_hub_set_port_power()
- fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
- scripts/gdb/symbols: handle module path parameters
- scripts: generate_rust_analyzer.py: avoid FD leak
- wifi: rtw88: fix device leak on probe failure
- staging: sm750fb: fix division by zero in ps_to_hz()
- selftests/mm: hmm-tests: don't hardcode THP size to 2MB
- USB: serial: option: add Telit Cinterion FN990A MBIM composition
- Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates
race
- Docs/admin-guide/mm/damon/lru_sort: warn commit_inputs vs param updates
race
- ALSA: ctxfi: Limit PTP to a single page
- dcache: Limit the minimal number of bucket to two
- vfio/xe: Reorganize the init to decouple migration from reset
- arm64: mm: Handle invalid large leaf mappings correctly
- media: vidtv: fix NULL pointer dereference in
vidtv_channel_pmt_match_sections
- ocfs2: fix possible deadlock between unlink and dio_end_io_write
- ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
- ocfs2: handle invalid dinode in ocfs2_group_extend
- PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in
epf_ntb_epc_cleanup
- PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
- KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES
migrate test
- KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted
vCPU
- KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock
- KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created
- KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish
- KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
- mm: call ->free_folio() directly in folio_unmap_invalidate()
- checkpatch: add support for Assisted-by tag
- x86-64: rename misleadingly named '__copy_user_nocache()' function
- x86: rename and clean up __copy_from_user_inatomic_nocache()
- x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache
- KVM: x86: Use scratch field in MMIO fragment to hold small write values
- ASoC: qcom: q6apm: move component registration to unmanaged version
- mm/kasan: fix double free for kasan pXds
- mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
- media: vidtv: fix nfeeds state corruption on start_streaming failure
- media: mediatek: vcodec: fix use-after-free in encoder release path
- media: em28xx: fix use-after-free in em28xx_v4l2_open()
- hwmon: (powerz) Fix use-after-free on USB disconnect
- ALSA: 6fire: fix use-after-free on disconnect
- bcache: fix cached_dev.sb_bio use-after-free and crash
- wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in
pre_exit
- media: as102: fix to not free memory after the device is registered in
as102_usb_probe()
- nilfs2: fix NULL i_assoc_inode dereference in
nilfs_mdt_save_to_shadow_map
- media: vidtv: fix pass-by-value structs causing MSAN warnings
- media: hackrf: fix to not free memory after the device is registered in
hackrf_probe()
- mm/userfaultfd: fix hugetlb fault mutex hash calculation
- clockevents: Add missing resets of the next_event_forced flag
- Linux 7.0.1
* GRO managed-frag use-after-free leading to local privilege escalation
(LP: #2154172)
- net: gro: don't merge zcopy skbs
* AppArmor Vulnerabilities (LP: #2151747)
- SAUCE: apparmor: pass big_resp to handler
- SAUCE: apparmor: remove redundant kref_init for listener->count
- SAUCE: apparmor: fix NULL pointer dereference in unpack_pdb
* AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47337
- SAUCE: apparmor: fix NULL pointer dereference in bind_map_addr
* AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47334
- SAUCE: apparmor: fix sleep prone memory allocation under a spin_lock
* AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47333
- SAUCE: apparmor: fix dfa unpacking size of the notification filter
* AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47332
- SAUCE: apparmor: fix size check against type instead of pointer
* apparmor: LLVM/clang build failure due to uninitialized variable in
notify.c (LP: #2148809) // CVE-2026-47330
- SAUCE: apparmor: initialize variable used in uninitialized context
* AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47329
- SAUCE: apparmor: fix name validation bypass on notification
* AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47327 //
CVE-2026-47328
- SAUCE: apparmor: fix glob memory leak after kstrdup
* AppArmor Vulnerabilities (LP: #2151747) // CVE-2026-47326
- SAUCE: apparmor: fix inverted NULL check after aa_get_buffer
* CVE-2026-46300
- net: skbuff: preserve shared-frag marker during coalescing
- net: skbuff: propagate shared-frag marker through frag-transfer helpers
* net/rds: reset op_nents when zerocopy page pin fails (LP: #2153962)
- net/rds: reset op_nents when zerocopy page pin fails
* CVE-2026-46333
- ptrace: slightly saner 'get_dumpable()' logic
* CVE-2026-43500
- rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
- rxrpc: Fix potential UAF after skb_unshare() failure
- rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
- rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
* CVE-2026-43284
- xfrm: esp: avoid in-place decrypt on shared skb frags
-- Jacob Martin <[email protected]> Thu, 18 Jun 2026 20:24:04
-0500
** Changed in: linux-nvidia-bos (Ubuntu Resolute)
Status: Fix Committed => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2025-10263
** CVE added: https://cve.org/CVERecord?id=CVE-2026-43284
** CVE added: https://cve.org/CVERecord?id=CVE-2026-43500
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46115
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46119
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46135
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46137
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46155
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46185
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46195
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46243
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46244
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46289
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46300
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46316
** CVE added: https://cve.org/CVERecord?id=CVE-2026-46333
** CVE added: https://cve.org/CVERecord?id=CVE-2026-47326
** CVE added: https://cve.org/CVERecord?id=CVE-2026-47327
** CVE added: https://cve.org/CVERecord?id=CVE-2026-47328
** CVE added: https://cve.org/CVERecord?id=CVE-2026-47329
** CVE added: https://cve.org/CVERecord?id=CVE-2026-47330
** CVE added: https://cve.org/CVERecord?id=CVE-2026-47332
** CVE added: https://cve.org/CVERecord?id=CVE-2026-47333
** CVE added: https://cve.org/CVERecord?id=CVE-2026-47334
** CVE added: https://cve.org/CVERecord?id=CVE-2026-47337
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2156821
Title:
Backport mana support for PF device 0x00C1
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-nvidia-7.0/+bug/2156821/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs