debcrafters-packages team mailing list archive

[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache

 

This bug was fixed in the package linux - 6.11.0-28.28

---------------
linux (6.11.0-28.28) oracular; urgency=medium

  * oracular/linux: 6.11.0-28.28 -proposed tracker (LP: #2110681)

  * Oracular update: upstream stable patchset 2025-05-07 (LP: #2110173)
    - drm/dp_mst: Factor out function to queue a topology probe work
    - drm/dp_mst: Add a helper to queue a topology probe
    - drm/amd/display: Don't write DP_MSTM_CTRL after LT
    - watch_queue: fix pipe accounting mismatch
    - x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
    - cpufreq: scpi: compare kHz instead of Hz
    - smack: dont compile ipv6 code unless ipv6 is configured
    - smack: ipv4/ipv6: tcp/dccp/sctp: fix incorrect child socket label
    - sched: Cancel the slice protection of the idle entity
    - cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
    - EDAC/{skx_common,i10nm}: Fix some missing error reports on Emerald Rapids
    - x86/fpu: Fix guest FPU state buffer allocation size
    - x86/fpu: Avoid copying dynamic FP state from init_task in
      arch_dup_task_struct()
    - x86/platform: Only allow CONFIG_EISA for 32-bit
    - [Config] updateconfigs for EISA
    - x86/sev: Add missing RIP_REL_REF() invocations during sme_enable()
    - lockdep/mm: Fix might_fault() lockdep check of current->mm->mmap_lock
    - PM: sleep: Adjust check before setting power.must_resume
    - cpufreq: tegra194: Allow building for Tegra234
    - RISC-V: KVM: Disable the kernel perf counter during configure
    - kunit/stackinit: Use fill byte different from Clang i386 pattern
    - watchdog/hardlockup/perf: Fix perf_event memory leak
    - selinux: Chain up tool resolving errors in install_policy.sh
    - EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
    - EDAC/ie31200: Fix the DIMM size mask for several SoCs
    - EDAC/ie31200: Fix the error path order of ie31200_init()
    - x86/resctrl: Fix allocation of cleanest CLOSID on platforms with no monitors
    - thermal: int340x: Add NULL check for adev
    - PM: sleep: Fix handling devices with direct_complete set on errors
    - lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*()
    - perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
    - x86/traps: Make exc_double_fault() consistently noreturn
    - x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures
    - x86/entry: Add __init to ia32_emulation_override_cmdline()
    - regulator: pca9450: Fix enable register for LDO5
    - auxdisplay: MAX6959 should select BITREVERSE
    - media: verisilicon: HEVC: Initialize start_bit field
    - media: platform: allgro-dvt: unregister v4l2_device on the error path
    - auxdisplay: panel: Fix an API misuse in panel.c
    - platform/x86: lenovo-yoga-tab2-pro-1380-fastcharger: Make symbol static
    - platform/x86: dell-uart-backlight: Make dell_uart_bl_serdev_driver static
    - platform/x86: dell-ddv: Fix temperature calculation
    - ASoC: cs35l41: check the return value from spi_setup()
    - ASoC: amd: acp: Fix for enabling DMIC on acp platforms via _DSD entry
    - HID: remove superfluous (and wrong) Makefile entry for
      CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
    - dt-bindings: vendor-prefixes: add GOcontroll
    - ALSA: hda/realtek: Always honor no_shutup_pins
    - ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio
      compatible
    - ALSA: timer: Don't take register_mutex with copy_from/to_user()
    - drm/bridge: ti-sn65dsi86: Fix multiple instances
    - drm/ssd130x: Set SPI .id_table to prevent an SPI core warning
    - drm/ssd130x: fix ssd132x encoding
    - drm/ssd130x: ensure ssd132x pitch is correct
    - drm/dp_mst: Fix drm RAD print
    - drm/bridge: it6505: fix HDCP V match check is not performed correctly
    - drm: xlnx: zynqmp: Fix max dma segment size
    - drm/vkms: Fix use after free and double free on init error
    - gpu: cdns-mhdp8546: fix call balance of mhdp->clk handling routines
    - drm/amdgpu: refine smu send msg debug log format
    - drm/amdgpu/umsch: fix ucode check
    - PCI: Use downstream bridges for distributing resources
    - PCI: Remove add_align overwrite unrelated to size0
    - drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
    - drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
    - PCI/ASPM: Fix link state exit during switch upstream function removal
    - drm/panel: ilitek-ili9882t: fix GPIO name in error message
    - PCI/ACS: Fix 'pci=config_acs=' parameter
    - drm/amd/display: fix an indent issue in DML21
    - drm/msm/dpu: don't use active in atomic_check()
    - drm/msm/dsi/phy: Program clock inverters in correct register
    - drm/msm/dsi: Use existing per-interface slice count in DSC timing
    - drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host
    - drm/amdkfd: Fix Circular Locking Dependency in
      'svm_range_cpu_invalidate_pagetables'
    - PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data
      payload
    - PCI: brcmstb: Set generation limit before PCIe link up
    - PCI: brcmstb: Use internal register to change link capability
    - PCI: brcmstb: Fix error path after a call to regulator_bulk_get()
    - PCI: brcmstb: Fix potential premature regulator disabling
    - PCI/portdrv: Only disable pciehp interrupts early when needed
    - drm/panthor: Update CS_STATUS_ defines to correct values
    - drm/amd/display: fix type mismatch in CalculateDynamicMetadataParameters()
    - drm/msm/a6xx: Fix a6xx indexed-regs in devcoreduump
    - crypto: powerpc: Mark ghashp8-ppc.o as an OBJECT_FILES_NON_STANDARD
    - powerpc/kexec: fix physical address calculation in clear_utlb_entry()
    - PCI: Remove stray put_device() in pci_register_host_bridge()
    - PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe
    - drm/mediatek: Fix config_updating flag never false when no mbox channel
    - drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr
    - drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()
    - drm/amd/display: avoid NPD when ASIC does not support DMUB
    - PCI: dwc: ep: Return -ENOMEM for allocation failures
    - PCI: histb: Fix an error handling path in histb_pcie_probe()
    - PCI: Fix BAR resizing when VF BARs are assigned
    - PCI: pciehp: Don't enable HPIE when resuming in poll mode
    - fbdev: au1100fb: Move a variable assignment behind a null pointer check
    - dummycon: fix default rows/cols
    - mdacon: rework dependency list
    - fbdev: sm501fb: Add some geometry checks.
    - crypto: iaa - Test the correct request flag
    - crypto: qat - set parity error mask for qat_420xx
    - crypto: tegra - Use separate buffer for setkey
    - crypto: tegra - check return value for hash do_one_req
    - crypto: bpf - Add MODULE_DESCRIPTION for skcipher
    - crypto: tegra - Use HMAC fallback when keyslots are full
    - clk: amlogic: gxbb: drop incorrect flag on 32k clock
    - crypto: hisilicon/sec2 - fix for aead authsize alignment
    - crypto: hisilicon/sec2 - fix for sec spec check
    - remoteproc: core: Clear table_sz when rproc_shutdown
    - of: property: Increase NR_FWNODE_REFERENCE_ARGS
    - pinctrl: renesas: rzg2l: Suppress binding attributes
    - remoteproc: qcom_q6v5_pas: Make single-PD handling more robust
    - libbpf: Fix hypothetical STT_SECTION extern NULL deref case
    - selftests/bpf: Fix string read in strncmp benchmark
    - x86/mm/pat: Fix VM_PAT handling when fork() fails in copy_page_range()
    - clk: renesas: r8a08g045: Check the source of the CPU PLL settings
    - remoteproc: qcom: pas: add minidump_id to SC7280 WPSS
    - clk: samsung: Fix UBSAN panic in samsung_clk_init()
    - pinctrl: nuvoton: npcm8xx: Fix error handling in npcm8xx_gpio_fw()
    - crypto: tegra - Fix CMAC intermediate result handling
    - clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock
    - s390: Remove ioremap_wt() and pgprot_writethrough()
    - RDMA/mana_ib: Ensure variable err is initialized
    - crypto: tegra - Set IV to NULL explicitly for AES ECB
    - remoteproc: qcom_q6v5_pas: Use resource with CX PD for MSM8226
    - clk: qcom: gcc-x1e80100: Unregister GCC_GPU_CFG_AHB_CLK/GCC_DISP_XO_CLK
    - bpf: Use preempt_count() directly in bpf_send_signal_common()
    - lib: 842: Improve error handling in sw842_compress()
    - pinctrl: renesas: rza2: Fix missing of_node_put() call
    - pinctrl: renesas: rzg2l: Fix missing of_node_put() call
    - RDMA/mlx5: Fix MR cache initialization error flow
    - clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent
    - RDMA/core: Don't expose hw_counters outside of init net namespace
    - RDMA/mlx5: Fix calculation of total invalidated pages
    - RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()
    - remoteproc: qcom_q6v5_mss: Handle platforms with one power domain
    - power: supply: bq27xxx_battery: do not update cached flags prematurely
    - IB/mad: Check available slots before posting receive WRs
    - pinctrl: tegra: Set SFIO mode to Mux Register
    - clk: amlogic: g12b: fix cluster A parent data
    - clk: amlogic: gxbb: drop non existing 32k clock parent
    - selftests/bpf: Select NUMA_NO_NODE to create map
    - pinctrl: npcm8xx: Fix incorrect struct npcm8xx_pincfg assignment
    - crypto: qat - remove access to parity register for QAT GEN4
    - clk: clk-imx8mp-audiomix: fix dsp/ocram_a clock parents
    - clk: amlogic: g12a: fix mmc A peripheral clock
    - x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1
    - power: supply: max77693: Fix wrong conversion of charge input threshold
      value
    - crypto: nx - Fix uninitialised hv_nxc on error
    - clk: qcom: gcc-sm8650: Do not turn off USB GDSCs during gdsc_disable()
    - bpf: Fix array bounds error with may_goto
    - RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
    - pinctrl: renesas: rzv2m: Fix missing of_node_put() call
    - mfd: sm501: Switch to BIT() to mitigate integer overflows
    - leds: Fix LED_OFF brightness race
    - x86/dumpstack: Fix inaccurate unwinding from exception stacks due to
      misplaced assignment
    - crypto: hisilicon/sec2 - fix for aead auth key length
    - pinctrl: intel: Fix wrong bypass assignment in intel_pinctrl_probe_pwm()
    - clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock
    - perf stat: Fix find_stat for mixed legacy/non-legacy events
    - perf: Always feature test reallocarray
    - w1: fix NULL pointer dereference in probe
    - isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
    - soundwire: slave: fix an OF node reference leak in soundwire slave device
    - perf report: Switch data file correctly in TUI
    - coresight: catu: Fix number of pages while using 64k pages
    - vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint
    - coresight-etm4x: add isb() before reading the TRCSTATR
    - perf pmu: Don't double count common sysfs and json events
    - ucsi_ccg: Don't show failed to get FW build information error
    - iio: accel: mma8452: Ensure error return on failure to matching oversampling
      ratio
    - iio: accel: msa311: Fix failure to release runtime pm if direct mode claim
      fails.
    - perf arm-spe: Fix load-store operation checking
    - perf bench: Fix perf bench syscall loop count
    - usb: xhci: correct debug message page size calculation
    - fs/ntfs3: Fix a couple integer overflows on 32bit systems
    - fs/ntfs3: Prevent integer overflow in hdr_first_de()
    - dmaengine: fsl-edma: cleanup chan after dma_async_device_unregister
    - dmaengine: fsl-edma: free irq correctly in remove path
    - iio: adc: ad4130: Fix comparison of channel setups
    - iio: adc: ad7124: Fix comparison of channel configs
    - iio: adc: ad7173: Fix comparison of channel configs
    - iio: light: Add check for array bounds in veml6075_read_int_time_ms
    - perf debug: Avoid stack overflow in recursive error message
    - perf evlist: Add success path to evlist__create_syswide_maps
    - perf units: Fix insufficient array space
    - kernel/events/uprobes: handle device-exclusive entries correctly in
      __replace_page()
    - kexec: initialize ELF lowest address to ULONG_MAX
    - ocfs2: validate l_tree_depth to avoid out-of-bounds access
    - arch/powerpc: drop GENERIC_PTDUMP from mpc885_ads_defconfig
    - NFSv4: Don't trigger uneccessary scans for return-on-close delegations
    - NFSv4: Avoid unnecessary scans of filesystems for returning delegations
    - NFSv4: Avoid unnecessary scans of filesystems for expired delegations
    - NFSv4: Avoid unnecessary scans of filesystems for delayed delegations
    - NFS: fix open_owner_id_maxsz and related fields.
    - fuse: fix dax truncate/punch_hole fault path
    - selftests/mm/cow: fix the incorrect error handling
    - um: Pass the correct Rust target and options with gcc
    - um: remove copy_from_kernel_nofault_allowed
    - um: hostfs: avoid issues on inode number reuse by host
    - i3c: master: svc: Fix missing the IBI rules
    - perf python: Fixup description of sample.id event member
    - perf python: Decrement the refcount of just created event on failure
    - perf python: Don't keep a raw_data pointer to consumed ring buffer space
    - perf python: Check if there is space to copy all the event
    - perf dso: fix dso__is_kallsyms() check
    - staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES
    - staging: vchiq_arm: Register debugfs after cdev
    - staging: vchiq_arm: Fix possible NPR of keep-alive thread
    - tty: n_tty: use uint for space returned by tty_write_room()
    - perf vendor events arm64 AmpereOneX: Fix frontend_bound calculation
    - fs/procfs: fix the comment above proc_pid_wchan()
    - perf tools: annotate asm_pure_loop.S
    - thermal: core: Remove duplicate struct declaration
    - objtool, nvmet: Fix out-of-bounds stack access in nvmet_ctrl_state_show()
    - objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
    - NFS: Shut down the nfs_client only after all the superblocks
    - exfat: fix the infinite loop in exfat_find_last_cluster()
    - rtnetlink: Allocate vfinfo size for VF GUIDs when supported
    - rndis_host: Flag RNDIS modems as WWAN devices
    - ksmbd: use aead_request_free to match aead_request_alloc
    - ksmbd: fix multichannel connection failure
    - ksmbd: fix r_count dec/increment mismatch
    - net/mlx5e: SHAMPO, Make reserved size independent of page size
    - ring-buffer: Fix bytes_dropped calculation issue
    - objtool: Fix segfault in ignore_unreachable_insn()
    - LoongArch: Fix help text of CMDLINE_EXTEND in Kconfig
    - LoongArch: Fix device node refcount leak in fdt_cpu_clk_init()
    - LoongArch: Rework the arch_kgdb_breakpoint() implementation
    - ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states are
      invalid
    - net: phy: broadcom: Correct BCM5221 PHY model detection
    - octeontx2-af: Fix mbox INTR handler when num VFs > 64
    - octeontx2-af: Free NIX_AF_INT_VEC_GEN irq
    - objtool: Fix verbose disassembly if CROSS_COMPILE isn't set
    - sched/smt: Always inline sched_smt_active()
    - context_tracking: Always inline ct_{nmi,irq}_{enter,exit}()
    - rcu-tasks: Always inline rcu_irq_work_resched()
    - objtool/loongarch: Add unwind hints in prepare_frametrace()
    - nfs: Add missing release on error in nfs_lock_and_join_requests()
    - wifi: mac80211: Cleanup sta TXQs on flush
    - wifi: mac80211: remove debugfs dir for virtual monitor
    - wifi: iwlwifi: fw: allocate chained SG tables for dump
    - wifi: iwlwifi: mvm: use the right version of the rate API
    - nvme-tcp: fix possible UAF in nvme_tcp_poll
    - nvme-pci: clean up CMBMSC when registering CMB fails
    - nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
    - wifi: brcmfmac: keep power during suspend if board requires it
    - affs: generate OFS sequence numbers starting at 1
    - affs: don't write overlarge OFS data block size fields
    - ALSA: hda/realtek: Fix Asus Z13 2025 audio
    - ALSA: hda: Fix speakers on ASUS EXPERTBOOK P5405CSA 1.0
    - perf/core: Fix perf_pmu_register() vs. perf_init_event()
    - smb: common: change the data type of num_aces to le16
    - cifs: fix incorrect validation for num_aces field of smb_acl
    - platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4 tablet
    - platform/x86/intel/vsec: Add Diamond Rapids support
    - HID: i2c-hid: improve i2c_hid_get_report error message
    - platform/x86/amd/pmf: Propagate PMF-TA return codes
    - platform/x86/amd/pmf: Update PMF Driver for Compatibility with new PMF-TA
    - exfat: add a check for invalid data size
    - ALSA: hda/realtek: Add support for ASUS ROG Strix G814 Laptop using CS35L41
      HDA
    - ALSA: hda/realtek: Add support for ASUS ROG Strix GA603 Laptops using
      CS35L41 HDA
    - ALSA: hda/realtek: Add support for ASUS ROG Strix G614 Laptops using CS35L41
      HDA
    - ALSA: hda/realtek: Add support for various ASUS Laptops using CS35L41 HDA
    - ALSA: hda/realtek: Add support for ASUS B3405 and B3605 Laptops using
      CS35L41 HDA
    - ALSA: hda/realtek: Add support for ASUS B5405 and B5605 Laptops using
      CS35L41 HDA
    - ALSA: hda/realtek: Add support for ASUS Zenbook UM3406KA Laptops using
      CS35L41 HDA
    - sched/deadline: Use online cpus for validating runtime
    - x86/hyperv/vtl: Stop kernel from probing VTL0 low memory
    - ASoC: rt1320: set wake_capable = 0 explicitly
    - wifi: mac80211: flush the station before moving it to UN-AUTHORIZED state
    - wifi: mac80211: fix SA Query processing in MLO
    - locking/semaphore: Use wake_q to wake up processes outside lock critical
      section
    - x86/hyperv: Fix output argument to hypercall that changes page visibility
    - x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled
    - nvme-pci: fix stuck reset on concurrent DPC and HP
    - drm/amd: Keep display off while going into S4
    - selftests: netfilter: skip br_netfilter queue tests if kernel is tainted
    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx
    - can: statistics: use atomic access in hot path
    - memory: omap-gpmc: drop no compatible check
    - hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
    - spufs: fix a leak on spufs_new_file() failure
    - spufs: fix gang directory lifetimes
    - spufs: fix a leak in spufs_create_context()
    - fs/9p: fix NULL pointer dereference on mkdir
    - riscv: ftrace: Add parentheses in macro definitions of make_call_t0 and
      make_call_ra
    - ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans
    - ntb: intel: Fix using link status DB's
    - firmware: cs_dsp: Ensure cs_dsp_load[_coeff]() returns 0 on success
    - ALSA: hda/realtek: Fix built-in mic breakage on ASUS VivoBook X515JA
    - RISC-V: errata: Use medany for relocatable builds
    - x86/uaccess: Improve performance by aligning writes to 8 bytes in
      copy_user_generic(), on non-FSRM/ERMS CPUs
    - ublk: make sure ubq->canceling is set when queue is frozen
    - s390/entry: Fix setting _CIF_MCCK_GUEST with lowcore relocation
    - ASoC: codecs: rt5665: Fix some error handling paths in rt5665_probe()
    - riscv: Fix hugetlb retrieval of number of ptes in case of !present pte
    - riscv/kexec_file: Handle R_RISCV_64 in purgatory relocator
    - riscv/purgatory: 4B align purgatory_start
    - ASoC: imx-card: Add NULL check in imx_card_probe()
    - spi: bcm2835: Do not call gpiod_put() on invalid descriptor
    - ALSA: hda/realtek: Fix built-in mic on another ASUS VivoBook model
    - spi: bcm2835: Restore native CS probing when pinctrl-bcm2835 is absent
    - e1000e: change k1 configuration on MTP and later platforms
    - idpf: fix adapter NULL pointer dereference on reboot
    - netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets
      only
    - netfilter: nf_tables: don't unregister hook when table is dormant
    - netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
    - net_sched: skbprio: Remove overly strict queue assertions
    - sctp: add mutual exclusion in proc_sctp_do_udp_port()
    - net: mvpp2: Prevent parser TCAM memory corruption
    - udp: Fix multiple wraparounds of sk->sk_rmem_alloc.
    - udp: Fix memory accounting leak.
    - vsock: avoid timeout during connect() if the socket is closing
    - tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().
    - net: decrease cached dst counters in dst_release
    - netfilter: nft_tunnel: fix geneve_opt type confusion addition
    - ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS
    - net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on destroy
    - net: fix geneve_opt length integer overflow
    - ipv6: Start path selection from the first nexthop
    - ipv6: Do not consider link down nexthops in path selection
    - arcnet: Add NULL check in com20020pci_probe()
    - net: ibmveth: make veth_pool_store stop hanging
    - kbuild: deb-pkg: don't set KBUILD_BUILD_VERSION unconditionally
    - drm/amdgpu/gfx11: fix num_mec
    - drm/amdgpu/gfx12: fix num_mec
    - perf/core: Fix child_total_time_enabled accounting bug at task exit
    - tools/power turbostat: report CoreThr per measurement interval
    - tracing: Switch trace_events_hist.c code over to use guard()
    - tracing/hist: Add poll(POLLIN) support on hist file
    - tracing/hist: Support POLLPRI event for poll on histogram
    - tracing: Correct the refcount if the hist/hist_debug file fails to open
    - cgroup/rstat: Tracking cgroup-level niced CPU time
    - cgroup/rstat: Fix forceidle time in cpu.stat
    - tty: serial: fsl_lpuart: Use u32 and u8 for register variables
    - tty: serial: fsl_lpuart: use port struct directly to simply code
    - tty: serial: fsl_lpuart: Fix unused variable 'sport' build warning
    - tty: serial: lpuart: only disable CTS instead of overwriting the whole
      UARTMODIR register
    - wifi: mac80211: Fix sparse warning for monitor_sdata
    - usbnet:fix NPE during rx_complete
    - rust: Fix enabling Rust and building with GCC for LoongArch
    - LoongArch: Increase ARCH_DMA_MINALIGN up to 16
    - LoongArch: Increase MAX_IO_PICS up to 8
    - LoongArch: BPF: Fix off-by-one error in build_prologue()
    - LoongArch: BPF: Don't override subprog's return value
    - LoongArch: BPF: Use move_addr() for BPF_PSEUDO_FUNC
    - x86/hyperv: Fix check of return value from snp_set_vmsa()
    - KVM: x86: block KVM_CAP_SYNC_REGS if guest state is protected
    - x86/microcode/AMD: Fix __apply_microcode_amd()'s return value
    - x86/mce: use is_copy_from_user() to determine copy-from-user context
    - x86/tdx: Fix arch_safe_halt() execution for TDX VMs
    - ACPI: x86: Extend Lenovo Yoga Tab 3 quirk with skip GPIO event-handlers
    - platform/x86: ISST: Correct command storage data length
    - ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk()
    - perf/x86/intel: Apply static call for drain_pebs
    - perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read
    - uprobes/x86: Harden uretprobe syscall trampoline check
    - idpf: Don't hard code napi_struct size
    - x86/Kconfig: Add cmpxchg8b support back to Geode CPUs
    - x86/tsc: Always save/restore TSC sched_clock() on suspend/resume
    - x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs
    - wifi: mt76: mt7925: remove unused acpi function for clc
    - acpi: nfit: fix narrowing conversion in acpi_nfit_ctl
    - ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP
    - ARM: 9444/1: add KEEP() keyword to ARM_VECTORS
    - media: omap3isp: Handle ARM dma_iommu_mapping
    - Remove unnecessary firmware version check for gc v9_4_2
    - mmc: omap: Fix memory leak in mmc_omap_new_slot
    - mmc: sdhci-pxav3: set NEED_RSP_BUSY capability
    - mmc: sdhci-omap: Disable MMC_CAP_AGGRESSIVE_PM for eMMC/SD
    - KVM: SVM: Don't change target vCPU state on AP Creation VMGEXIT error
    - ksmbd: add bounds check for durable handle context
    - ksmbd: add bounds check for create lease context
    - ksmbd: fix use-after-free in ksmbd_sessions_deregister()
    - ksmbd: fix session use-after-free in multichannel connection
    - ksmbd: fix overflow in dacloffset bounds check
    - ksmbd: validate zero num_subauth before sub_auth is accessed
    - ksmbd: fix null pointer dereference in alloc_preauth_hash()
    - exfat: fix potential wrong error return from get_block
    - tracing: Fix use-after-free in print_graph_function_flags during tracer
      switching
    - tracing: Ensure module defining synth event cannot be unloaded while tracing
    - tracing: Fix synth event printk format for str fields
    - tracing/osnoise: Fix possible recursive locking for cpus_read_lock()
    - mm/gup: reject FOLL_SPLIT_PMD with hugetlb VMAs
    - arm64: Don't call NULL in do_compat_alignment_fixup()
    - wifi: mt76: mt7921: fix kernel panic due to null pointer dereference
    - ext4: don't over-report free space or inodes in statvfs
    - ext4: fix OOB read when checking dotdot dir
    - jfs: fix slab-out-of-bounds read in ea_get()
    - jfs: add index corruption check to DT_GETPAGE()
    - mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()
    - exec: fix the racy usage of fs_struct->in_exec
    - media: vimc: skip .s_stream() for stopped entities
    - media: streamzap: fix race between device disconnection and urb callback
    - nfsd: allow SC_STATUS_FREEABLE when searching via nfs4_lookup_stateid()
    - nfsd: put dl_stid if fail to queue dl_recall
    - nfsd: fix management of listener transports
    - NFSD: Skip sending CB_RECALL_ANY when the backchannel isn't up
    - ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE
    - [Config] updateconfigs for LD_CAN_USE_KEEP_IN_OVERLAY
    - tracing: Do not use PERF enums when perf is not defined
    - platform/x86/amd/pmf: fix cleanup in amd_pmf_init_smart_pc()
    - Upstream stable to v6.6.86, v6.12.23

  * CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
    (LP: #2099914) // CVE-2025-2312
    - CIFS: New mount option for cifs.upcall namespace resolution

  * Oracular update: upstream stable patchset 2025-04-29 (LP: #2109634)
    - wifi: iwlwifi: support BIOS override for 5G9 in CA also in LARI version 8
    - netfilter: nft_counter: Use u64_stats_t for statistic.
    - ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names
    - HID: hid-plantronics: Add mic mute mapping and generalize quirks
    - atm: Fix NULL pointer dereference
    - nfsd: fix legacy client tracking initialization
    - netfilter: socket: Lookup orig tuple for IPv6 SNAT
    - ALSA: hda/realtek: Support mute LED on HP Laptop 15s-du3xxx
    - counter: stm32-lptimer-cnt: fix error handling when enabling
    - counter: microchip-tcb-capture: Fix undefined counter channel state on probe
    - tty: serial: 8250: Add some more device IDs
    - tty: serial: 8250: Add Brainboxes XC devices
    - tty: serial: fsl_lpuart: disable transmitter before changing RS485 related
      registers
    - net: usb: qmi_wwan: add Telit Cinterion FN990B composition
    - net: usb: qmi_wwan: add Telit Cinterion FE990B composition
    - net: usb: usbnet: restore usb%d name exception for local mac addresses
    - usb: xhci: Don't skip on Stopped - Length Invalid
    - usb: xhci: Apply the link chain quirk on NEC isoc endpoints
    - memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove
    - perf tools: Fix up some comments and code to properly use the event_source
      bus
    - serial: stm32: do not deassert RS485 RTS GPIO prematurely
    - serial: 8250_dma: terminate correct DMA in tx_dma_flush()
    - bcachefs: bch2_ioctl_subvolume_destroy() fixes
    - Upstream stable to v6.6.85, v6.12.22

  *  Oracular update: upstream stable patchset 2025-04-28 (LP: #2109530)
    - Revert "mm/page_alloc: fix memory accept before watermarks gets initialized"
    - mm/page_alloc: fix memory accept before watermarks gets initialized
    - Revert "hrtimer: Use and report correct timerslack values for realtime
      tasks"
    - hrtimer: Use and report correct timerslack values for realtime tasks

  *  [SRU] Fix jack detection of rt712 on intel soundwire (LP: #2104876)
    - soundwire: mipi_disco: add MIPI-specific property_read_bool() helpers

  * [SRU] Fix screen flickering in inverted display mode (LP: #2103617)
    - drm/xe/display: Re-use display vmas when possible
    - drm/xe/display: Fix fbdev GGTT mapping handling.

  * Oracular update: upstream stable patchset 2025-04-24 (LP: #2109301)
    - clockevents/drivers/i8253: Fix stop sequence for timer 0
    - zram: fix NULL pointer in comp_algorithm_show()
    - hrtimer: Use and report correct timerslack values for realtime tasks
    - rust: init: fix `Zeroable` implementation for `Option<NonNull<T>>` and
      `Option<KBox<T>>`
    - lib/buildid: Handle memfd_secret() files in build_id_parse()
    - mm: split critical region in remap_file_pages() and invoke LSMs in between
    - firmware: qcom: scm: Fix error code in probe()
    - firmware: imx-scu: fix OF node leak in .probe()
    - arm64: dts: freescale: tqma8mpql: Fix vqmmc-supply
    - arm64: dts: rockchip: remove supports-cqe from rk3588 jaguar
    - arm64: dts: rockchip: remove supports-cqe from rk3588 tiger
    - xfrm: fix tunnel mode TX datapath in packet offload mode
    - xfrm_output: Force software GSO only in tunnel mode
    - soc: imx8m: Remove global soc_uid
    - soc: imx8m: Use devm_* to simplify probe failure handling
    - soc: imx8m: Unregister cpufreq and soc dev in cleanup path
    - ARM: dts: bcm2711: Fix xHCI power-domain
    - ARM: dts: bcm2711: PL011 UARTs are actually r1p5
    - arm64: dts: rockchip: Remove undocumented sdmmc property from lubancat-1
    - RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex()
      tests
    - RDMA/bnxt_re: Add missing paranthesis in map_qp_id_to_tbl_indx
    - RDMA/mlx5: Handle errors returned from mlx5r_ib_rate()
    - ARM: OMAP1: select CONFIG_GENERIC_IRQ_CHIP
    - ARM: dts: bcm2711: Don't mark timer regs unconfigured
    - ARM: dts: BCM5301X: Fix switch port labels of ASUS RT-AC5300
    - ARM: dts: BCM5301X: Fix switch port labels of ASUS RT-AC3200
    - dma-mapping: fix missing clear bdr in check_ram_in_range_map()
    - RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path
    - RDMA/hns: Fix soft lockup during bt pages loop
    - RDMA/hns: Fix unmatched condition in error path of alloc_user_qp_db()
    - RDMA/hns: Fix invalid sq params not being blocked
    - RDMA/hns: Fix a missing rollback in error path of
      hns_roce_create_qp_common()
    - RDMA/hns: Fix missing xa_destroy()
    - RDMA/hns: Fix wrong value of max_sge_rd
    - Bluetooth: Fix error code in chan_alloc_skb_cb()
    - Bluetooth: hci_event: Fix connection regression between LE and non-LE
      adapters
    - accel/qaic: Fix possible data corruption in BOs > 2G
    - ARM: davinci: da850: fix selecting ARCH_DAVINCI_DA8XX
    - net: ipv6: fix TCP GSO segmentation with NAT
    - ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
    - ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create().
    - devlink: fix xa_alloc_cyclic() error handling
    - dpll: fix xa_alloc_cyclic() error handling
    - gpu: host1x: Do not assume that a NULL domain means no DMA IOMMU
    - net: atm: fix use after free in lec_send()
    - net: ti: icssg-prueth: Add lock to stats
    - net: lwtunnel: fix recursion loops
    - net: ipv6: ioam6: fix lwtunnel_output() loop
    - libfs: Fix duplicate directory entry in offset_dir_lookup
    - net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES
    - i2c: omap: fix IRQ storms
    - net: mana: Support holes in device list reply msg
    - can: rcar_canfd: Fix page entries in the AFL list
    - can: ucan: fix out of bound read in strscpy() source
    - can: flexcan: only change CAN state when link up in system PM
    - can: flexcan: disable transceiver during system PM
    - drm/xe: Fix exporting xe buffers multiple times
    - drm/v3d: Don't run jobs that have errors flagged in its fence
    - io_uring/net: don't clear REQ_F_NEED_CLEANUP unconditionally
    - riscv: dts: starfive: Fix a typo in StarFive JH7110 pin function definitions
    - netfs: Call `invalidate_cache` only if implemented
    - regulator: dummy: force synchronous probing
    - regulator: check that dummy regulator has been probed before using it
    - accel/qaic: Fix integer overflow in qaic_validate_req()
    - arm64: dts: freescale: imx8mp-verdin-dahlia: add Microphone Jack to sound
      card
    - arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound
      card
    - arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou
    - arm64: dts: rockchip: fix pinmux of UART5 for PX30 Ringneck on Haikou
    - mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops
    - mmc: atmel-mci: Add missing clk_disable_unprepare()
    - selftests/mm: run_vmtests.sh: fix half_ufd_size_MB calculation
    - mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT
    - mm/migrate: fix shmem xarray update during migration
    - mm/page_alloc: fix memory accept before watermarks gets initialized
    - proc: fix UAF in proc_get_inode()
    - memcg: drain obj stock on cpu hotplug teardown
    - ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6
    - ARM: shmobile: smp: Enforce shmobile_smp_* alignment
    - firmware: qcom: uefisecapp: fix efivars registration race
    - efi/libstub: Avoid physical address 0x0 when doing random allocation
    - keys: Fix UAF in key_put()
    - xsk: fix an integer overflow in xp_create_and_assign_umem()
    - batman-adv: Ignore own maximum aggregation size during RX
    - soc: qcom: pdr: Fix the potential deadlock
    - pmdomain: amlogic: fix T7 ISP secpower
    - drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
    - drm/sched: Fix fence reference count leak
    - drm/amdgpu/gfx12: correct cleanup of 'me' field with gfx_v12_0_me_fini()
    - drm/amd/display: Fix message for support_edp0_on_dp1
    - drm/amd/display: Use HW lock mgr for PSR1 when only one eDP
    - drm/amd/pm: add unique_id for gfx12
    - drm/amdgpu: Restore uncached behaviour on GFX12
    - drm/amdgpu/pm: wire up hwmon fan speed for smu 14.0.2
    - drm/amdgpu: Remove JPEG from vega and carrizo video caps
    - drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size
    - drm/amdgpu: Fix JPEG video caps max size for navi1x and raven
    - ksmbd: fix incorrect validation for num_aces field of smb_acl
    - io_uring/net: fix sendzc double notif flush
    - KVM: arm64: Fix __pkvm_init_vcpu cptr_el2 error path
    - KVM: arm64: Calculate cptr_el2 traps on activating traps
    - KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state
    - KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN
    - KVM: arm64: Remove VHE host restore of CPACR_EL1.SMEN
    - KVM: arm64: Refactor exit handlers
    - KVM: arm64: Mark some header functions as inline
    - Revert "sched/core: Reduce cost of sched_move_task when config autogroup"
    - libsubcmd: Silence compiler warning
    - arm64: dts: rockchip: fix u2phy1_host status for NanoPi R4S
    - mm/huge_memory: drop beyond-EOF folios with the right number of refs
    - mptcp: Fix data stream corruption in the address announcement
    - Upstream stable to v6.6.84, v6.12.21

  * [SRU] enable cs42l43 and cs35l56 audio on Intel LNL (LP: #2106394)
    - ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops
    - ASoC: Intel: soc-acpi: adl: Add match entries for new cs42l43 laptops
    - ASoC: Intel: soc-acpi: lnl: Add match entries for new cs42l43 laptops
    - ASoC: Intel: soc-acpi: arl: Fix some missing empty terminators

  * Oracular update: upstream stable patchset 2025-04-17 (LP: #2107522)
    - ibmvnic: Perform tx CSO during send scrq direct
    - ibmvnic: Inspect header requirements before using scrq direct
    - net: enetc: Remove setting of RX software timestamp
    - net: enetc: Replace ifdef with IS_ENABLED
    - net: enetc: VFs do not support HWTSTAMP_TX_ONESTEP_SYNC
    - mm: fix kernel BUG when userfaultfd_move encounters swapcache
    - userfaultfd: fix PTE unmapping stack-allocated PTE copies
    - fbdev: hyperv_fb: iounmap() the correct memory when removing a device
    - pinctrl: bcm281xx: Fix incorrect regmap max_registers value
    - pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw
    - netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template.
    - ice: do not configure destination override for switchdev
    - ice: fix memory leak in aRFS after reset
    - netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap
      around
    - netfilter: nf_tables: make destruction work queue pernet
    - sched: address a potential NULL pointer dereference in the GRED scheduler.
    - wifi: iwlwifi: mvm: fix PNVM timeout for non-MSI-X platforms
    - wifi: mac80211: don't queue sdata::work for a non-running sdata
    - wifi: cfg80211: cancel wiphy_work before freeing wiphy
    - Bluetooth: hci_event: Fix enabling passive scanning
    - Revert "Bluetooth: hci_core: Fix sleeping function called from invalid
      context"
    - net/mlx5: Fill out devlink dev info only for PFs
    - net: dsa: mv88e6xxx: Verify after ATU Load ops
    - net: mctp i3c: Copy headers if cloned
    - net: mctp i2c: Copy headers if cloned
    - netpoll: hold rcu read lock in __netpoll_send_skb()
    - drm/hyperv: Fix address space leak when Hyper-V DRM device is removed
    - fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs
    - fbdev: hyperv_fb: Simplify hvfb_putmem
    - Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()
    - net/mlx5: handle errors in mlx5_chains_create_table()
    - eth: bnxt: fix truesize for mb-xdp-pass case
    - eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc()
    - eth: bnxt: do not update checksum in bnxt_xdp_build_skb()
    - eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx}
    - eth: bnxt: use page pool for head frags
    - bnxt_en: refactor tpa_info alloc/free into helpers
    - bnxt_en: handle tpa_info in queue API implementation
    - eth: bnxt: fix memory leak in queue reset
    - net: switchdev: Convert blocking notification chain to a raw one
    - net: mctp: unshare packets when reassembling
    - bonding: fix incorrect MAC address setting to receive NS messages
    - netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in
      insert_tree()
    - ipvs: prevent integer overflow in do_ip_vs_get_ctl()
    - netfilter: nft_exthdr: fix offset with ipv4_find_option()
    - net: openvswitch: remove misbehaving actions length check
    - net/mlx5: Fix incorrect IRQ pool usage when releasing IRQs
    - net/mlx5: Lag, Check shared fdb before creating MultiPort E-Switch
    - net/mlx5: Bridge, fix the crash caused by LAG state check
    - net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices
    - nvme-fc: go straight to connecting state when initializing
    - nvme-fc: do not ignore connectivity loss during connecting
    - hrtimers: Mark is_migration_base() with __always_inline
    - powercap: call put_device() on an error path in
      powercap_register_control_type()
    - btrfs: avoid starting new transaction when cleaning qgroup during subvolume
      drop
    - futex: Pass in task to futex_queue()
    - sched/debug: Provide slice length for fair tasks
    - platform/x86/intel: pmc: fix ltr decode in pmc_core_ltr_show()
    - scsi: core: Use GFP_NOIO to avoid circular locking dependency
    - scsi: ufs: core: Fix error return with query response
    - scsi: qla1280: Fix kernel oops when debug level > 2
    - ACPI: resource: IRQ override for Eluktronics MECH-17
    - smb: client: fix noisy when tree connecting to DFS interlink targets
    - alpha/elf: Fix misc/setarch test of util-linux by removing 32bit support
    - vboxsf: fix building with GCC 15
    - selftests: always check mask returned by statmount(2)
    - HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell
    - HID: intel-ish-hid: Send clock sync message immediately after reset
    - HID: ignore non-functional sensor in HP 5MP Camera
    - HID: hid-steam: Fix issues with disabling both gamepad mode and lizard mode
    - usb: phy: generic: Use proper helper for property detection
    - HID: intel-ish-hid: ipc: Add Panther Lake PCI device IDs
    - HID: topre: Fix n-key rollover on Realforce R3S TKL boards
    - selftests/cgroup: use bash in test_cpuset_v1_hp.sh
    - HID: hid-apple: Apple Magic Keyboard a3203 USB-C support
    - HID: apple: fix up the F6 key on the Omoton KB066 keyboard
    - objtool: Ignore dangling jump table entries
    - sched: Clarify wake_up_q()'s write to task->wake_q.next
    - platform/x86: thinkpad_acpi: Fix invalid fan speed on ThinkPad X120e
    - platform/x86: thinkpad_acpi: Support for V9 DYTC platform profiles
    - s390/cio: Fix CHPID "configure" attribute caching
    - thermal/cpufreq_cooling: Remove structure member documentation
    - LoongArch: KVM: Set host with kernel mode when switch to VM mode
    - arm64: amu: Delay allocating cpumask for AMU FIE support
    - Xen/swiotlb: mark xen_swiotlb_fixup() __init
    - Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
    - drm/tests: hdmi: Remove redundant assignments
    - drm/tests: hdmi: Reorder DRM entities variables assignment
    - drm/tests: hdmi: Fix recursive locking
    - selftests/bpf: Fix invalid flag of recv()
    - ASoC: Intel: sof_sdw: Add lookup of quirk using PCI subsystem ID
    - ASoC: Intel: sof_sdw: Add quirk for Asus Zenbook S14
    - ASoC: Intel: soc-acpi-intel-mtl-match: declare adr as ull
    - ASoC: simple-card-utils.c: add missing dlc->of_node
    - ALSA: hda/realtek: Limit mic boost on Positivo ARN50
    - ASoC: rsnd: indicate unsupported clock rate
    - ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime()
    - ASoC: rsnd: adjust convert rate limitation
    - ASoC: arizona/madera: use fsleep() in up/down DAPM event delays.
    - ASoC: SOF: Intel: hda: add softdep pre to snd-hda-codec-hdmi module
    - PCI: pci_ids: add INTEL_HDA_PTL_H
    - ALSA: hda: intel-dsp-config: Add PTL-H support
    - ALSA: hda: hda-intel: add Panther Lake-H support
    - ASoC: SOF: amd: Add post_fw_run_delay ACP quirk
    - ASoC: SOF: amd: Handle IPC replies before FW_BOOT_COMPLETE
    - net: wwan: mhi_wwan_mbim: Silence sequence number glitch errors
    - io-wq: backoff when retrying worker creation
    - nvme-pci: quirk Acer FA100 for non-uniqueue identifiers
    - nvmet-rdma: recheck queue state is LIVE in state lock in recv done
    - apple-nvme: Release power domains when probe fails
    - cifs: Treat unhandled directory name surrogate reparse points as mount
      directory nodes
    - sctp: Fix undefined behavior in left shift operation
    - nvme: only allow entering LIVE from CONNECTING state
    - phy: ti: gmii-sel: Simplify with dev_err_probe()
    - phy: ti: gmii-sel: Do not use syscon helper to build regmap
    - ASoC: tas2770: Fix volume scale
    - ASoC: tas2764: Fix power control mask
    - ASoC: tas2764: Set the SDOUT polarity correctly
    - fuse: don't truncate cached, mutated symlink
    - ASoC: dapm-graph: set fill colour of turned on nodes
    - drm/vkms: Round fixp2int conversion in lerp_u16
    - perf/x86/intel: Use better start period for frequency mode
    - x86/of: Don't use DTB for SMP setup if ACPI is enabled
    - x86/irq: Define trace events conditionally
    - perf/x86/rapl: Add support for Intel Arrow Lake U
    - mptcp: safety check before fallback
    - drm/nouveau: Do not override forced connector status
    - net: Handle napi_schedule() calls from non-interrupt
    - block: fix 'kmem_cache of name 'bio-108' already exists'
    - vhost: return task creation error instead of NULL
    - cifs: Validate content of WSL reparse point buffers
    - cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from
      parse_reparse_point()
    - Input: goodix-berlin - fix vddio regulator references
    - Input: ads7846 - fix gpiod allocation
    - Input: iqs7222 - preserve system status register
    - Input: xpad - add 8BitDo SN30 Pro, Hyperkin X91 and Gamesir G7 SE
      controllers
    - Input: xpad - add multiple supported devices
    - Input: xpad - add support for ZOTAC Gaming Zone
    - Input: xpad - add support for TECNO Pocket Go
    - Input: xpad - rename QH controller to Legion Go S
    - Input: i8042 - swap old quirk combination with new quirk for NHxxRZQ
    - Input: i8042 - add required quirks for missing old boardnames
    - Input: i8042 - swap old quirk combination with new quirk for several devices
    - Input: i8042 - swap old quirk combination with new quirk for more devices
    - USB: serial: ftdi_sio: add support for Altera USB Blaster 3
    - USB: serial: option: add Telit Cinterion FE990B compositions
    - USB: serial: option: fix Telit Cinterion FE990A name
    - USB: serial: option: match on interface class for Telit FN990B
    - rust: lockdep: Remove support for dynamically allocated LockClassKeys
    - rust: Disallow BTF generation with Rust + LTO
    - x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes
    - spi: microchip-core: prevent RX overflows when transmit size > FIFO size
    - drm/i915/cdclk: Do cdclk post plane programming later
    - drm/atomic: Filter out redundant DPMS calls
    - drm/dp_mst: Fix locking when skipping CSN before topology probing
    - drm/amdgpu: NULL-check BO's backing store when determining GFX12 PTE flags
    - drm/amd/amdkfd: Evict all queues even HWS remove queue failed
    - drm/amdgpu/display: Allow DCC for video formats on GFX12
    - drm/amd/display: Disable unneeded hpd interrupts during dm_init
    - drm/amd/display: fix default brightness
    - drm/amd/display: fix missing .is_two_pixels_per_container
    - drm/amd/display: Restore correct backlight brightness after a GPU reset
    - drm/amd/display: Assign normalized_pix_clk when color depth = 14
    - drm/amd/display: Fix slab-use-after-free on hdcp_work
    - ksmbd: fix use-after-free in ksmbd_free_work_struct
    - ksmbd: prevent connection release during oplock break notification
    - clk: samsung: update PLL locktime for PLL142XX used on FSD platform
    - clk: samsung: gs101: fix synchronous external abort in samsung_clk_save()
    - ASoC: Intel: sof_sdw: Fix unlikely uninitialized variable use in
      create_sdw_dailinks()
    - ASoC: amd: yc: Support mic on another Lenovo ThinkPad E16 Gen 2 model
    - dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature
    - arm64: mm: Populate vmemmap at the page level if not section aligned
    - Fix mmu notifiers for range-based invalidates
    - qlcnic: fix memory leak issues in qlcnic_sriov_common.c
    - smb: client: fix regression with guest option
    - net: phy: nxp-c45-tja11xx: add TJA112X PHY configuration errata
    - net: phy: nxp-c45-tja11xx: add TJA112XB SGMII PCS restart errata
    - ASoC: ops: Consistently treat platform_max as control value
    - rust: error: add missing newline to pr_warn! calls
    - drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()
    - ASoC: cs42l43: Fix maximum ADC Volume
    - rust: init: add missing newline to pr_info! calls
    - ASoC: rt722-sdca: add missing readable registers
    - drm/xe: cancel pending job timer before freeing scheduler
    - drm/xe: Release guc ids before cancelling work
    - drm/xe/userptr: Fix an incorrect assert
    - drm/xe/pm: Temporarily disable D3Cold on BMG
    - nvme: move error logging from nvme_end_req() to __nvme_end_req()
    - ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()
    - drm/i915: Increase I915_PARAM_MMAP_GTT_VERSION version to indicate support
      for partial mmaps
    - scripts: generate_rust_analyzer: add missing macros deps
    - scripts: generate_rust_analyzer: add missing include_dirs
    - scripts: generate_rust_analyzer: add uapi crate
    - block: change blk_mq_add_to_batch() third argument type to bool
    - cifs: Fix integer overflow while processing acregmax mount option
    - cifs: Fix integer overflow while processing acdirmax mount option
    - cifs: Fix integer overflow while processing actimeo mount option
    - cifs: Fix integer overflow while processing closetimeo mount option
    - x86/vmware: Parse MP tables for SEV-SNP enabled guests under VMware
      hypervisors
    - i2c: ali1535: Fix an error handling path in ali1535_probe()
    - i2c: ali15x3: Fix an error handling path in ali15x3_probe()
    - i2c: sis630: Fix an error handling path in sis630_probe()
    - mm/hugetlb: wait for hugetlb folios to be freed
    - smb3: add support for IAKerb
    - smb: client: Fix match_session bug preventing session reuse
    - Bluetooth: L2CAP: Fix corrupted list in hci_chan_del
    - nvme-fc: rely on state transitions to handle connectivity loss
    - HID: apple: disable Fn key handling on the Omoton KB066
    - Upstream stable to v6.6.83, v6.12.20

  * Oracular update: upstream stable patchset 2025-04-15 (LP: #2107437)
    - x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()
    - rust: block: fix formatting in GenDisk doc
    - gpio: vf610: use generic device_get_match_data()
    - gpio: vf610: add locking to gpio direction functions
    - cifs: Remove symlink member from cifs_open_info_data union
    - btrfs: fix data overwriting bug during buffered write when block size < page
      size
    - x86/microcode/AMD: Add some forgotten models to the SHA check
    - loongarch: Use ASM_REACHABLE
    - rust: workqueue: remove unneeded ``#[allow(clippy::new_ret_no_self)]`
    - rust: sort global Rust flags
    - rust: types: avoid repetition in `{As,From}Bytes` impls
    - rust: enable `clippy::unnecessary_safety_comment` lint
    - rust: enable `clippy::unnecessary_safety_doc` lint
    - rust: enable `clippy::ignored_unit_patterns` lint
    - rust: enable `rustdoc::unescaped_backticks` lint
    - rust: init: remove unneeded `#[allow(clippy::disallowed_names)]`
    - rust: introduce `.clippy.toml`
    - rust: replace `clippy::dbg_macro` with `disallowed_macros`
    - rust: provide proper code documentation titles
    - rust: enable Clippy's `check-private-items`
    - Documentation: rust: add coding guidelines on lints
    - Documentation: rust: discuss `#[expect(...)]` in the guidelines
    - rust: error: allow `useless_conversion` for 32-bit builds
    - rust: error: optimize error type to use nonzero
    - rust: kbuild: expand rusttest target for macros
    - rust: fix size_t in bindgen prototypes of C builtins
    - rust: map `__kernel_size_t` and friends also to usize/isize
    - tracing: tprobe-events: Fix a memory leak when tprobe with $retval
    - tracing: tprobe-events: Reject invalid tracepoint name
    - stmmac: loongson: Pass correct arg to PCI function
    - LoongArch: Convert unreachable() to BUG()
    - LoongArch: Use polling play_dead() when resuming from hibernation
    - LoongArch: Set max_pfn with the PFN of the last page
    - LoongArch: KVM: Add interrupt checking for AVEC
    - LoongArch: KVM: Reload guest CSR registers after sleep
    - LoongArch: KVM: Fix GPA size issue about VM
    - HID: appleir: Fix potential NULL dereference at raw event handle
    - ksmbd: fix type confusion via race condition when using ipc_msg_send_request
    - ksmbd: fix out-of-bounds in parse_sec_desc()
    - ksmbd: fix use-after-free in smb2_lock
    - ksmbd: fix bug on trap in smb2_lock
    - gpio: rcar: Use raw_spinlock to protect register access
    - gpio: aggregator: protect driver attr handlers against module unload
    - ALSA: seq: Avoid module auto-load handling at event delivery
    - ALSA: hda: intel: Add Dell ALC3271 to power_save denylist
    - ALSA: hda/realtek: update ALC222 depop optimize
    - btrfs: fix a leaked chunk map issue in read_one_chunk()
    - hwmon: (peci/dimmtemp) Do not provide fake thresholds data
    - drm/amd/display: Fix null check for pipe_ctx->plane_state in
      resource_build_scaling_params
    - drm/amd/pm: always allow ih interrupt from fw
    - drm/imagination: avoid deadlock on fence release
    - drm/imagination: Hold drm_gem_gpuva lock for unmap
    - drm/imagination: only init job done fences once
    - drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M
    - Revert "mm/page_alloc.c: don't show protection in zone's ->lowmem_reserve[]
      for empty zone"
    - Revert "selftests/mm: remove local __NR_* definitions"
    - platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e
    - x86/boot: Sanitize boot params before parsing command line
    - x86/cacheinfo: Validate CPUID leaf 0x2 EDX output
    - x86/cpu: Validate CPUID leaf 0x2 EDX output
    - x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63
    - drm/xe: Add staging tree for VM binds
    - drm/xe/hmm: Style- and include fixes
    - drm/xe/hmm: Don't dereference struct page pointers without notifier lock
    - drm/xe/vm: Fix a misplaced #endif
    - drm/xe/vm: Validate userptr during gpu vma prefetching
    - drm/xe: Fix GT "for each engine" workarounds
    - drm/xe: Fix fault mode invalidation with unbind
    - drm/xe/userptr: properly setup pfn_flags_mask
    - drm/xe/userptr: Unmap userptrs in the mmu notifier
    - Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()
    - Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()
    - wifi: cfg80211: regulatory: improve invalid hints checking
    - wifi: nl80211: reject cooked mode if it is set along with other flags
    - selftests/damon/damos_quota_goal: handle minimum quota that cannot be
      further reduced
    - selftests/damon/damos_quota: make real expectation of quota exceeds
    - selftests/damon/damon_nr_regions: set ops update for merge results check to
      100ms
    - selftests/damon/damon_nr_regions: sort collected regiosn before checking
      with min/max boundaries
    - rapidio: add check for rio_add_net() in rio_scan_alloc_net()
    - rapidio: fix an API misues when rio_add_net() fails
    - dma: kmsan: export kmsan_handle_dma() for modules
    - s390/traps: Fix test_monitor_call() inline assembly
    - NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback
    - userfaultfd: do not block on locking a large folio with raised refcount
    - block: fix conversion of GPT partition name to 7-bit
    - mm/page_alloc: fix uninitialized variable
    - mm: don't skip arch_sync_kernel_mappings() in error paths
    - mm: fix finish_fault() handling for large folios
    - wifi: iwlwifi: mvm: clean up ROC on failure
    - wifi: iwlwifi: mvm: don't try to talk to a dead firmware
    - wifi: iwlwifi: limit printed string from FW file
    - wifi: iwlwifi: Free pages allocated when failing to build A-MSDU
    - wifi: iwlwifi: Fix A-MSDU TSO preparation
    - HID: google: fix unused variable warning under !CONFIG_ACPI
    - HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()
    - HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
    - wifi: mac80211: Support parsing EPCS ML element
    - wifi: mac80211: fix MLE non-inheritance parsing
    - wifi: mac80211: fix vendor-specific inheritance
    - drm/fbdev-helper: Move color-mode lookup into 4CC format helper
    - drm/fbdev: Add memory-agnostic fbdev client
    - drm: Add client-agnostic setup helper
    - drm/fbdev-ttm: Support struct drm_driver.fbdev_probe
    - drm/nouveau: select FW caching
    - bluetooth: btusb: Initialize .owner field of force_poll_sync_fops
    - nvme-tcp: add basic support for the C2HTermReq PDU
    - nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()
    - nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch
    - net: gso: fix ownership in __udp_gso_segment
    - caif_virtio: fix wrong pointer check in cfv_probe()
    - perf/core: Fix pmus_lock vs. pmus_srcu ordering
    - hwmon: (pmbus) Initialise page count in pmbus_identify()
    - hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table
    - hwmon: (ad7314) Validate leading zero bits and return error
    - tracing: probe-events: Remove unused MAX_ARG_BUF_LEN macro
    - drm/imagination: Fix timestamps in firmware traces
    - ALSA: usx2y: validate nrpacks module parameter on probe
    - llc: do not use skb_get() before dev_queue_xmit()
    - hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe()
    - drm/sched: Fix preprocessor guard
    - be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink
    - net: hns3: make sure ptp clock is unregister and freed if
      hclge_ptp_get_cycle returns an error
    - drm/i915/color: Extract intel_color_modeset()
    - drm/i915: Plumb 'dsb' all way to the plane hooks
    - drm/xe: Remove double pageflip
    - HID: hid-steam: Fix use-after-free when detaching device
    - net: ipa: Fix v4.7 resource group names
    - net: ipa: Fix QSB data for v4.7
    - net: ipa: Enable checksum for IPA_ENDPOINT_AP_MODEM_{RX,TX} for v4.7
    - ppp: Fix KMSAN uninit-value warning with bpf
    - vlan: enforce underlying device type
    - x86/sgx: Fix size overflows in sgx_encl_create()
    - exfat: fix just enough dentries but allocate a new cluster to dir
    - exfat: fix soft lockup in exfat_clear_bitmap
    - exfat: short-circuit zero-byte writes in exfat_file_write_iter
    - net-timestamp: support TCP GSO case for a few missing flags
    - ublk: set_params: properly check if parameters can be applied
    - sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
    - nvme-tcp: fix signedness bug in nvme_tcp_init_connection()
    - net: dsa: mt7530: Fix traffic flooding for MMIO devices
    - mctp i3c: handle NULL header address
    - net: ipv6: fix dst ref loop in ila lwtunnel
    - net: ipv6: fix missing dst ref drop in ila lwtunnel
    - gpio: rcar: Fix missing of_node_put() call
    - Revert "drivers/card_reader/rtsx_usb: Restore interrupt based detection"
    - usb: renesas_usbhs: Call clk_put()
    - usb: renesas_usbhs: Use devm_usb_get_phy()
    - usb: hub: lack of clearing xHC resources
    - usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader
    - usb: typec: ucsi: Fix NULL pointer access
    - usb: renesas_usbhs: Flush the notify_hotplug_work
    - usb: gadget: u_ether: Set is_suspend flag if remote wakeup fails
    - usb: atm: cxacru: fix a flaw in existing endpoint checks
    - usb: dwc3: Set SUSPENDENABLE soon after phy init
    - usb: dwc3: gadget: Prevent irq storm when TH re-executes
    - usb: typec: ucsi: increase timeout for PPM reset operations
    - usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality
    - usb: gadget: Set self-powered based on MaxPower and bmAttributes
    - usb: gadget: Fix setting self-powered state on suspend
    - usb: gadget: Check bmAttributes only if configuration is valid
    - kbuild: userprogs: use correct lld when linking through clang
    - acpi: typec: ucsi: Introduce a ->poll_cci method
    - xhci: pci: Fix indentation in the PCI device ID definitions
    - usb: xhci: Enable the TRB overfetch quirk on VIA VL805
    - KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow
    - KVM: SVM: Save host DR masks on CPUs with DebugSwap
    - KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value
    - KVM: SVM: Suppress DEBUGCTL.BTF on AMD
    - KVM: x86: Snapshot the host's DEBUGCTL in common x86
    - KVM: SVM: Manually context switch DEBUGCTL if LBR virtualization is disabled
    - KVM: x86: Snapshot the host's DEBUGCTL after disabling IRQs
    - KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM
    - cdx: Fix possible UAF error in driver_override_show()
    - mei: me: add panther lake P DID
    - mei: vsc: Use "wakeuphostint" when getting the host wakeup GPIO
    - intel_th: pci: Add Arrow Lake support
    - intel_th: pci: Add Panther Lake-H support
    - intel_th: pci: Add Panther Lake-P/U support
    - char: misc: deallocate static minor in error path
    - drivers: core: fix device leak in __fw_devlink_relax_cycles()
    - slimbus: messaging: Free transaction ID in delayed interrupt scenario
    - bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock
    - eeprom: digsy_mtc: Make GPIO lookup table match the device
    - drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl
    - iio: filter: admv8818: Force initialization of SDO
    - iio: light: apds9306: fix max_scale_nano values
    - iio: dac: ad3552r: clear reset status flag
    - iio: adc: ad7192: fix channel select
    - iio: adc: at91-sama5d2_adc: fix sama7g5 realbits value
    - mm: hugetlb: Add huge page size param to huge_ptep_get_and_clear()
    - arm64: hugetlb: Fix huge_ptep_get_and_clear() for non-present ptes
    - kbuild: hdrcheck: fix cross build with clang
    - nvme-tcp: Fix a C2HTermReq error message
    - docs: rust: remove spurious item in `expect` list
    - KVM: e500: always restore irqs
    - x86/mm: Don't disable PCID when INVLPG has been fixed by microcode
    - wifi: iwlwifi: pcie: Fix TSO preparation
    - Upstream stable to v6.6.82, v6.12.19

  * Packaging resync (LP: #1786013)
    - [Packaging] update annotations scripts

 -- Stefan Bader <stefan.bader@xxxxxxxxxxxxx>  Mon, 19 May 2025 12:47:32 +0200

** Changed in: linux (Ubuntu Oracular)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2099914

Title:
  CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials
  cache

Status in cifs-utils package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in cifs-utils source package in Focal:
  Fix Released
Status in linux source package in Focal:
  Fix Committed
Status in cifs-utils source package in Jammy:
  Fix Released
Status in linux source package in Jammy:
  Fix Released
Status in cifs-utils source package in Noble:
  Fix Released
Status in linux source package in Noble:
  Fix Released
Status in cifs-utils source package in Oracular:
  Fix Released
Status in linux source package in Oracular:
  Fix Released
Status in cifs-utils source package in Plucky:
  Fix Released
Status in linux source package in Plucky:
  Fix Released

Bug description:
  BugLink: https://bugs.launchpad.net/bugs/2099914

  [Impact]

  This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
  disclosing sensitive data from the host or container Kerberos credentials cache
  by accessing the wrong credential cache that doesn't belong to the current user.

  Consider the following scenario:

  A CIFS/SMB file share is mounted on a host node using Kerberos
  authentication.

  During the session setup phase, the Linux kernel's cifs.ko module makes an
  upcall to user space to retrieve the Kerberos service ticket from the credential
  cache.

  In typical (non-container) environments, this process works correctly, but in
  containerized environments, the upcall may be directed to a different namespace
  than intended, leading to issues. For example:

  a) The file share is mounted on the host node at /mnt/testshare1, meaning the
  Kerberos credential cache is stored in the host's namespace.
  b) A Docker container is created, and the file share path /mnt/testshare1 is
  exported to the container at /sharedpath.
  c) When the service ticket expires and the SMB connection is lost, before the
  ticket is refreshed in the credential cache, an application inside the container
  performs a file operation. This triggers the kernel to attempt a session
  reconnect.
  d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
  the cifs.upcall binary using the request_key function. However, cifs.upcall
  switches to the namespace of the caller (i.e., the container), causing it to
  attempt to read the credential cache from the container's namespace. But since
  the original mount happened in the host namespace, the credential cache is
  located on the host, not in the container. This results in the upcall failing
  to access the correct credential cache, or accessing a credential cache which
  doesn't belong to the correct user.

  [Fix]

  The fix adds an "upcall_target" mount parameter that needs to be present in both
  the kernel and cifs-utils. "upcall_target" specifies which namespace to look in
  for the kerberos credential cache, and takes the options "mount", being the host
  namespace, or "app", being the container namespace. The language is intended to
  suit Kubernetes-based use cases.

  The kernel requires the following commit:

  commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
  Author: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
  Date:  Mon Nov 11 11:43:51 2024 +0000
  Subject: CIFS: New mount option for cifs.upcall namespace resolution
  Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf

  This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
  cherry pick, noble and jammy require a context adjustment backport, and focal
  needed a heavy backport.

  Test packages are available in the following ppa:

  https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport

  In addition, a userspace fix is also needed in cifs-utils, with the following
  commits:

  commit 89b679228cc1be9739d54203d28289b03352c174
  From: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
  Date: Tue, 19 Nov 2024 06:07:58 +0000
  Subject: CIFS.upcall to accomodate new namespace mount opt
  Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174

  commit cf63240489431e98033e599a7c9437b59494a2e4
  From: Ritvik Budhiraja <rbudhiraja@xxxxxxxxxxxxx>
  Date: Thu, 30 Jan 2025 14:13:10 +0000
  Subject: cifs-utils: add documentation for upcall_target
  Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4

  These were a part of 7.2 upstream. Plucky already has this release, so we just
  need to fix oracular, noble, jammy and focal.

  Test packages are available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test

  If you install the test packages, you can now use the upcall_target argument
  with either "mount" or "app" options.

  [Testcase]

  Some knowledge of kerberos will go a long way to help you make this
  all work.

  We should be able to do all testing on the same VM.

  1) Create a fresh VM
  2) sudo apt update
  3) sudo apt upgrade
  4) sudo hostnamectl set-hostname samba-dc
  5) sudo vim /etc/hosts
  Add an entry with its IP address, e.g.:
  192.168.122.124 samba-dc samba-dc.example.com
  6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
  Focal:
  sudo apt install keyutils
  Oracular:
  sudo apt install samba-ad-dc
  Note: skip config of kerberos KDC.
  7) sudo rm /etc/krb5.conf
  8) sudo rm /etc/samba/smb.conf
  9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
  10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
  11) sudo systemctl mask smbd nmbd winbind
  12) sudo systemctl disable smbd nmbd winbind
  13) sudo systemctl stop smbd nmbd winbind
  14) sudo systemctl unmask samba-ad-dc
  15) sudo systemctl start samba-ad-dc
  16) sudo systemctl enable samba-ad-dc
  17) sudo reboot
  18) sudo systemctl stop systemd-resolved
  19) sudo systemctl disable systemd-resolved
  20) cat << EOF >> /etc/resolv.conf
  nameserver 192.168.122.124
  search SAMBA
  EOF
  sudo vim /etc/samba/smb.conf
  Change forwarder to 8.8.8.8
  21) sudo reboot
  22) host -t SRV _ldap._tcp.samba-dc.example.com
  _ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
  23) $ smbclient -L localhost -N
  Anonymous login successful

   Sharename Type Comment
   --------- ---- -------
   sysvol Disk
   netlogon Disk
   IPC$ IPC IPC Service (Samba 4.13.17-Ubuntu)
  SMB1 disabled -- no workgroup available
  24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
  Enter SAMBA\Administrator's password:
    . D 0 Mon Feb 28 04:23:22 2022
    .. D 0 Mon Feb 28 04:23:27 2022

    9983232 blocks of size 1024. 7995324 blocks available
  25) kinit administrator
  Password for administrator@xxxxxxxxxxxxxxxxxxxx:
  Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
  26) klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  04/09/25 02:53:27  04/09/25 12:53:27  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
   renew until 04/10/25 02:53:22
  27) Create a share:
  28) sudo mkdir -p /srv/samba/Demo/
  29) sudo vim /etc/samba/smb.conf
  [Demo]
   path = /srv/samba/Demo/
   read only = no
  30) sudo chmod 0770 /srv/samba/Demo/
  31) smbclient -U Administrator //samba-dc.example.com/demo
  Password for [SAMBA\Administrator]:
  Try "help" to get a list of possible commands.
  smb: \>
  32) smbclient -U Administrator --use-krb5-ccache=/tmp/krb5cc_1000 //samba-dc.example.com/demo
  Try "help" to get a list of possible commands.
  smb: \>
  33) klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  04/09/25 02:53:27  04/09/25 12:53:27  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
   renew until 04/10/25 02:53:22
  04/09/25 02:58:16  04/09/25 12:53:27  cifs/samba-dc.example.com@xxxxxxxxxxx
   renew until 04/10/25 02:53:22
   Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
  04/09/25 02:58:16  04/09/25 12:53:27  cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
   renew until 04/10/25 02:53:22
  34) sudo -s
  35) # kinit Administrator@xxxxxxxxxxxxxxxxxxxx
  Password for Administrator@xxxxxxxxxxxxxxxxxxxx:
  Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
  # klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  04/09/25 03:26:10  04/09/25 13:26:10  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
   renew until 04/10/25 03:26:06
  36) # mkdir /mnt/testshare1
  # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
  37) # klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  04/09/25 03:26:10  04/09/25 13:26:10  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
   renew until 04/10/25 03:26:06
  04/09/25 03:30:26  04/09/25 13:26:10  cifs/samba-dc.example.com@
   renew until 04/10/25 03:26:06
   Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
  38) journalctl
  kernel: netfs: FS-Cache loaded
  kernel: Key type cifs.spnego registered
  kernel: Key type cifs.idmap registered
  kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
  kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
  kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
  kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
  cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
  cifs.upcall[1806]: ver=2
  cifs.upcall[1806]: host=samba-dc.example.com
  cifs.upcall[1806]: ip=192.168.122.124
  cifs.upcall[1806]: sec=1
  cifs.upcall[1806]: uid=0
  cifs.upcall[1806]: creduid=0
  cifs.upcall[1806]: user=root
  cifs.upcall[1806]: pid=1774
  cifs.upcall[1805]: get_cachename_from_process_env: pid == 0
  cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
  cifs.upcall[1805]: handle_krb5_mech: getting service ticket for samba-dc.example.com
  cifs.upcall[1805]: handle_krb5_mech: using native krb5
  cifs.upcall[1805]: handle_krb5_mech: obtained service ticket
  cifs.upcall[1805]: Exit status 0

  Take note of the line:
  get_existing_cc: default ccache is FILE:/tmp/krb5cc_0

  39) # stat /mnt/testshare1
    File: /mnt/testshare1
    Size: 0         	Blocks: 0          IO Block: 1048576 directory
  Device: 0,41	Inode: 297860      Links: 2
  Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
  Access: 2025-04-09 02:54:45.264000000 +0000
  Modify: 2025-04-09 02:54:45.264000000 +0000
  Change: 2025-04-09 02:54:45.264000000 +0000
   Birth: 2025-04-09 02:54:45.264000000 +0000
  40) sudo apt install docker.io
  41) docker pull ubuntu:24.04
  42) docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash
  43) root@685c7e420afc:/# stat /mnt/shared
    File: /mnt/shared
    Size: 0         	Blocks: 0          IO Block: 1048576 directory
  Device: 0,41	Inode: 297860      Links: 2
  Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
  Access: 2025-04-09 02:54:45.264000000 +0000
  Modify: 2025-04-09 02:54:45.264000000 +0000
  Change: 2025-04-09 02:54:45.264000000 +0000
   Birth: 2025-04-09 02:54:45.264000000 +0000
  root@685c7e420afc:/# ls /mnt/shared
  44) root@685c7e420afc:/# apt install krb5-user vim
  45) root@685c7e420afc:/# vim /etc/krb5.conf
  Under libdefaults, add default_ccache_name = /tmp/krb5cc_00%{uid} save and exit.
  46) Back on the host in root, clear the initial kerberos credential cache and disconnect cifs connections.
  # kdestroy -c /tmp/krb5cc_0
  # ss -K dport 445
  47) Back in the container:
  root@685c7e420afc:/# stat /mnt/shared
  48) Back on the host in root:
  # journalctl
  kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
  kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
  cifs.upcall[2804]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xaf3
  cifs.upcall[2805]: ver=2
  cifs.upcall[2805]: host=samba-dc.example.com
  cifs.upcall[2805]: ip=192.168.122.124
  cifs.upcall[2805]: sec=1
  cifs.upcall[2805]: uid=0
  cifs.upcall[2805]: creduid=0
  cifs.upcall[2805]: user=root
  cifs.upcall[2805]: pid=2803
  cifs.upcall[2804]: get_cachename_from_process_env: pid == 0
  cifs.upcall[2804]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
  cifs.upcall[2804]: get_tgt_time: unable to get principal
  cifs.upcall[2804]: krb5_get_init_creds_keytab: -1765328378
  cifs.upcall[2804]: handle_krb5_mech: getting service ticket for samba-dc.example.com
  cifs.upcall[2804]: handle_krb5_mech: using GSS-API
  cifs.upcall[2804]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
  cifs.upcall[2804]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: /tmp/krb5cc_000)
  cifs.upcall[2804]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
  cifs.upcall[2804]: Unable to obtain service ticket
  cifs.upcall[2804]: Exit status 458752

  Note that it now tries to read /tmp/krb5cc_000 from container namespace instead
  of /tmp/krb5cc_0 from host namespace.

  If you install the test packages from the following ppas:

  https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
  https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test

  When you initially mount the cifs filesystem, use the new mount option
  upcall_target=mount.

  # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=mount //samba-dc.example.com/demo /mnt/testshare1

  Repeat the testcase. When we disconnect the cifs connection and try stat inside
  the container, the kerberos credential cache should be /tmp/krb5cc_0 in the
  host namespace.

  get_existing_cc: default ccache is FILE:/tmp/krb5cc_0

  A successful run with upcall_target=mount and fixed cifs-utils should
  look like:

  cifs.upcall[2122]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x849;upcall_target=mount
  cifs.upcall[2123]: ver=2
  cifs.upcall[2123]: host=samba-dc.example.com
  cifs.upcall[2123]: ip=192.168.122.124
  cifs.upcall[2123]: sec=1
  cifs.upcall[2123]: uid=0
  cifs.upcall[2123]: creduid=0
  cifs.upcall[2123]: user=root
  cifs.upcall[2123]: pid=2121
  cifs.upcall[2123]: upcall_target=mount
  cifs.upcall[2122]: upcall_target=mount, not switching namespaces to application thread
  cifs.upcall[2122]: get_cachename_from_process_env: pid == 0
  cifs.upcall[2122]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
  cifs.upcall[2122]: handle_krb5_mech: getting service ticket for samba-dc.example.com
  cifs.upcall[2122]: handle_krb5_mech: using native krb5
  cifs.upcall[2122]: handle_krb5_mech: obtained service ticket
  cifs.upcall[2122]: Exit status 0

  Specific Testcases Of Existing / Patched Packages:

  patched kernel, existing cifs-utils
  -----------------------------------

  When specifying "upcall_target" on mount command line, e.g.:

  # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
  # journalctl -f
  kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
  cifs.upcall[1540]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x600;upcall_target=app
  cifs.upcall[1541]: ver=2
  cifs.upcall[1541]: host=samba-dc.example.com
  cifs.upcall[1541]: ip=192.168.122.124
  cifs.upcall[1541]: sec=1
  cifs.upcall[1541]: uid=0
  cifs.upcall[1541]: creduid=0
  cifs.upcall[1541]: user=root
  cifs.upcall[1541]: pid=1536
  cifs.upcall[1540]: get_cachename_from_process_env: pid == 0
  cifs.upcall[1540]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
  cifs.upcall[1540]: handle_krb5_mech: getting service ticket for samba-dc.example.com
  cifs.upcall[1540]: handle_krb5_mech: using native krb5
  cifs.upcall[1540]: handle_krb5_mech: obtained service ticket
  cifs.upcall[1540]: Exit status 0

  Test with no "upcall_target". e.g.:

  # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
  # journalctl -f
  Apr 30 04:23:35 samba-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
  Apr 30 04:23:35 samba-dc cifs.upcall[1560]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x614;upcall_target=app
  Apr 30 04:23:35 samba-dc cifs.upcall[1561]: ver=2
  Apr 30 04:23:35 samba-dc cifs.upcall[1561]: host=samba-dc.example.com
  Apr 30 04:23:35 samba-dc cifs.upcall[1561]: ip=192.168.122.124
  Apr 30 04:23:35 samba-dc cifs.upcall[1561]: sec=1
  Apr 30 04:23:35 samba-dc cifs.upcall[1561]: uid=0
  Apr 30 04:23:35 samba-dc cifs.upcall[1561]: creduid=0
  Apr 30 04:23:35 samba-dc cifs.upcall[1561]: user=root
  Apr 30 04:23:35 samba-dc cifs.upcall[1561]: pid=1556
  Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_cachename_from_process_env: pid == 0
  Apr 30 04:23:35 samba-dc cifs.upcall[1560]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
  Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: getting service ticket for samba-dc.example.com
  Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: using native krb5
  Apr 30 04:23:35 samba-dc cifs.upcall[1560]: handle_krb5_mech: obtained service ticket
  Apr 30 04:23:35 samba-dc cifs.upcall[1560]: Exit status 0

  existing kernel, patched cifs-utils
  -----------------------------------

  When specifying "upcall_target" on mount command line, e.g.:

  # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=app //samba-dc.example.com/demo /mnt/testshare1
  mount error(22): Invalid argument
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
  # journalctl -f
  kernel: cifs: Unknown parameter 'upcall_target'

  Test with no "upcall_target". e.g.:

  # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
  # journalctl -f
  kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
  cifs.upcall[10899]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x2a8d
  cifs.upcall[10900]: ver=2
  cifs.upcall[10900]: host=samba-dc.example.com
  cifs.upcall[10900]: ip=192.168.122.124
  cifs.upcall[10900]: sec=1
  cifs.upcall[10900]: uid=0
  cifs.upcall[10900]: creduid=0
  cifs.upcall[10900]: user=root
  cifs.upcall[10900]: pid=10893
  cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread
  cifs.upcall[10899]: get_cachename_from_process_env: pid == 0
  cifs.upcall[10899]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
  cifs.upcall[10899]: main: valid service ticket exists in credential cache
  cifs.upcall[10899]: handle_krb5_mech: getting service ticket for samba-dc.example.com
  cifs.upcall[10899]: handle_krb5_mech: using native krb5
  cifs.upcall[10899]: handle_krb5_mech: obtained service ticket
  cifs.upcall[10899]: Exit status 0

  Note the line:
  cifs.upcall[10899]: upcall_target=app, switching namespaces to application thread

  [Where problems can occur]

  We are adding a new mount option to cifs in both the kernel and in
  cifs-utils.

  Existing cifs-utils packages need to not break when making upcalls to kernels
  that have this new upcall_target option, and existing kernels need to not break
  when using new cifs-utils packages that set upcall_target without the necessary
  in-kernel support.

  We need to be careful to test three scenarios:
  * patched kernel, patched cifs-utils
  * patched kernel, existing cifs-utils
  * existing kernel, patched cifs-utils

  The default option is "app", and "app" has the same behaviour as pre-patch,
  that is, to use the credential cache of the calling process namespace. This
  should not introduce any behaviour change to existing setups. Not specifying
  any option at mount time defaults to "app" automatically. Users must opt into
  using "mount" themselves.

  If a regression were to occur, it could affect mounting of cifs / smb shares and
  users would not be able to access their data.

  Additionally, if a regression were to occur, we could also further confuse what
  namespace is to be used for accessing the user's kerberos credentials cache,
  which could disclose data from the host or container namespace to the incorrect
  namespace.

  [Other info]

  CVE-2025-2312
  https://ubuntu.com/security/CVE-2025-2312
  https://nvd.nist.gov/vuln/detail/CVE-2025-2312

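A triage helper for the journal output shown in the testcase, added here as an example and not part of the bug report or of cifs-utils: it groups cifs.upcall lines into one record per upcall and flags any upcall whose credential cache differs from the one the share was mounted with. The function names, the assumption that upcalls are logged sequentially, and the abridged sample lines are this example's own.

```python
import re

# Abridged from the two container-reconnect runs in the testcase above:
# the unpatched run first, then the run mounted with upcall_target=mount.
SAMPLE_JOURNAL = """\
cifs.upcall[2804]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xaf3
cifs.upcall[2805]: pid=2803
cifs.upcall[2804]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
cifs.upcall[2804]: Unable to obtain service ticket
cifs.upcall[2804]: Exit status 458752
cifs.upcall[2122]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x849;upcall_target=mount
cifs.upcall[2123]: upcall_target=mount
cifs.upcall[2122]: upcall_target=mount, not switching namespaces to application thread
cifs.upcall[2122]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2122]: handle_krb5_mech: obtained service ticket
cifs.upcall[2122]: Exit status 0
"""

# search() rather than match(), so "Apr 30 04:23:35 host " prefixes are tolerated.
LINE_RE = re.compile(r"cifs\.upcall\[(\d+)\]: (.*)$")
CCACHE_PREFIX = "get_existing_cc: default ccache is "


def parse_upcalls(journal_text):
    """Return one record per 'key description' line.

    Assumption: upcalls are logged one after another. The parsed fields are
    logged under a different PID than the parent, so lines are grouped by
    position, not by PID; interleaved concurrent upcalls would be mis-grouped.
    """
    upcalls, cur = [], None
    for line in journal_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2).strip()
        if msg.startswith("key description:"):
            desc = msg.split(":", 1)[1].strip()
            # key=value pairs follow the "cifs.spnego;0;0;39010000" prefix
            fields = dict(f.split("=", 1) for f in desc.split(";") if "=" in f)
            cur = {"pid": pid, "fields": fields, "ccache": None, "exit": None}
            upcalls.append(cur)
        elif cur is not None and msg.startswith(CCACHE_PREFIX):
            cur["ccache"] = msg[len(CCACHE_PREFIX):]
        elif cur is not None and msg.startswith("Exit status "):
            cur["exit"] = int(msg.split()[-1])
    return upcalls


def audit(upcalls, expected_ccache):
    """Flag upcalls that used a different ccache than the mount's, or failed."""
    report = []
    for u in upcalls:
        findings = []
        if u["ccache"] is not None and u["ccache"] != expected_ccache:
            findings.append("ccache %s, expected %s" % (u["ccache"], expected_ccache))
        if u["exit"] not in (0, None):
            findings.append("exit status %d" % u["exit"])
        if findings:
            # upcall_target is None when the kernel did not pass the option
            report.append({"pid": u["pid"], "findings": findings,
                           "upcall_target": u["fields"].get("upcall_target")})
    return report


if __name__ == "__main__":
    for entry in audit(parse_upcalls(SAMPLE_JOURNAL), "FILE:/tmp/krb5cc_0"):
        print(entry)
```
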