dgit.raspbian.org Git - linux.git/log

intel-iommu: Add option to exclude integrated GPU only

Bug-Debian: https://bugs.debian.org/935270
Bug-Kali: https://bugs.kali.org/view.php?id=5644

There is still laptop firmware that touches the integrated GPU behind
the operating system's back, and doesn't say so in the RMRR table.
Enabling the IOMMU for all devices causes breakage, but turning it off
for all graphics devices seems like a major weakness.

Add an option, intel_iommu=intgpu_off, to exclude only integrated GPUs
from remapping. This is a narrower exclusion than igfx_off: it only
affects Intel devices on the root bus. Devices attached through an
external port (Thunderbolt or ExpressCard) won't be on the root bus.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic features/x86
Gbp-Pq: Name intel-iommu-add-option-to-exclude-integrated-gpu-only.patch

security,perf: Allow further restriction of perf_event_open

Forwarded: https://lore.kernel.org/all/20160111152355.GS28542@decadent.org.uk/

When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic features/all
Gbp-Pq: Name security-perf-allow-further-restriction-of-perf_event_open.patch

add sysctl to disallow unprivileged CLONE_NEWUSER by default

Origin: http://kernel.ubuntu.com/git?p=serge%2Fubuntu-saucy.git;a=commit;h=5c847404dcb2e3195ad0057877e1422ae90892b8

add sysctl to disallow unprivileged CLONE_NEWUSER by default

This is a short-term patch. Unprivileged use of CLONE_NEWUSER
is certainly an intended feature of user namespaces. However
for at least saucy we want to make sure that, if any security
issues are found, we have a fail-safe.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
[bwh: Remove unneeded binary sysctl bits]
[bwh: Keep this sysctl, but change the default to enabled]

Gbp-Pq: Topic debian
Gbp-Pq: Name add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

yama: Disable by default

Bug-Debian: https://bugs.debian.org/712740
Forwarded: not-needed

Gbp-Pq: Topic debian
Gbp-Pq: Name yama-disable-by-default.patch

fs: Enable link security restrictions by default

Bug-Debian: https://bugs.debian.org/609455
Forwarded: not-needed

This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
('VFS: don't do protected {sym,hard}links by default').

Gbp-Pq: Topic debian
Gbp-Pq: Name fs-enable-link-security-restrictions-by-default.patch

hamradio: Disable auto-loading as mitigation against local exploits

Forwarded: not-needed

We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.

The 'ham' radio protocols (ax25, netrom, rose) are not actively
maintained or widely used. Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch

dccp: Disable auto-loading as mitigation against local exploits

Forwarded: not-needed

We can mitigate the effect of vulnerabilities in obscure protocols by
preventing unprivileged users from loading the modules, so that they
are only exploitable on systems where the administrator has chosen to
load the protocol.

The 'dccp' protocol is not actively maintained or widely used.
Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch

[PATCH 1/3] rds: Disable auto-loading as mitigation against local exploits

Forwarded: not-needed

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'rds' protocol is one such protocol that has been found to be
vulnerable, and which was not present in the 'lenny' kernel.
Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name rds-Disable-auto-loading-as-mitigation-against-local.patch

[PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits

Forwarded: not-needed

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
not present in the 'lenny' kernel, and seems to receive only sporadic
maintenance. Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name af_802154-Disable-auto-loading-as-mitigation-against.patch

radeon, amdgpu: Firmware is required for DRM and KMS on R600 onward

Bug-Debian: https://bugs.debian.org/607194
Bug-Debian: https://bugs.debian.org/607471
Bug-Debian: https://bugs.debian.org/610851
Bug-Debian: https://bugs.debian.org/627497
Bug-Debian: https://bugs.debian.org/632212
Bug-Debian: https://bugs.debian.org/637943
Bug-Debian: https://bugs.debian.org/649448
Bug-Debian: https://bugs.debian.org/697229
Bug-Debian: https://bugs.debian.org/1053764
Forwarded: no
Last-Update: 2023-11-08

radeon requires firmware/microcode for the GPU in all chips, but for
newer chips (apparently R600 'Evergreen' onward) it also expects
firmware for the memory controller and other sub-blocks.

radeon attempts to gracefully fall back and disable some features if
the firmware is not available, but becomes unstable - the framebuffer
and/or system memory may be corrupted, or the display may stay black.

Therefore, perform a basic check for the existence of
/lib/firmware/radeon when a device is probed, and abort if it
is missing, except for the pre-R600 case.

Update 2023-11-08:
In bug 1053764 Mario Limonciello <mario.limonciello@amd.com> states
that the patch isn't needed anymore for amdgpu, so remove that part
of the patch

Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch

firmware_loader: Log direct loading failures as info for d-i

Forwarded: not-needed

On an installed Debian system, firmware packages will normally be
installed automatically based on a mapping of device IDs to firmware.
Within the Debian installer this has not yet happened and we need a
way to detect missing firmware.

Although many/most drivers log firmware loading failures, they do so
using many different formats. This adds a single log message to the
firmware loader, which the installer's hw-detect package will look
for. The log level is set to "info" because some failures are
expected and we do not want to confuse users with bogus error messages
(like in bug #966218).

NOTE: The log message format must not be changed without coordinating
this with the check-missing-firmware.sh in hw-detect.

Gbp-Pq: Topic debian
Gbp-Pq: Name firmware_loader-log-direct-loading-failures-as-info-for-d-i.path

iwlwifi: Do not request unreleased firmware for IWL6000

Bug-Debian: https://bugs.debian.org/689416
Forwarded: not-needed

The iwlwifi driver currently supports firmware API versions 4-6 for
these devices.  It will request the file for the latest supported
version and then fall back to earlier versions.  However, the latest
version that has actually been released is 4, so we expect the
requests for versions 6 and then 5 to fail.

The installer appears to report any failed request, and it is probably
not easy to detect that this particular failure is harmless.  So stop
requesting the unreleased firmware.

Gbp-Pq: Topic debian
Gbp-Pq: Name iwlwifi-do-not-request-unreleased-firmware.patch

af9005: Use request_firmware() to load register init script

Forwarded: no

Read the register init script from the Windows driver. This is sick
but should avoid the potential copyright infringement in distributing
a version of the script which is directly derived from the driver.

Gbp-Pq: Topic features/all
Gbp-Pq: Name drivers-media-dvb-usb-af9005-request_firmware.patch

[PATCH] tools/rtla: Restore option to set VERSION var to VERSION file's contents

From 6640548d40a85053cf065f4c66f298bb5253557f Mon Sep 17 00:00:00 2001
Forwarded: not-needed

In upstream commit 01474dc706ca ("tools/rtla: Use tools/build makefiles
to build rtla") the ``Makefile`` was completely restructered to make
use of the ``tools/build`` infrastructure.

For some reason, the restructuring also caused the ``cat VERSION`` part
to detect the kernel version to be dropped and only runs the
``kernelversion`` (toplevel) Makefile target.
Previously that was used as fallback when ``VERSION`` didn't exist.
Re-add the ``cat VERSION`` part as that is used in the Debian build
system.

Gbp-Pq: Topic debian
Gbp-Pq: Name tools-rtla-Restore-option-to-set-VERSION-var-to-VERS.patch

fixdep: Allow overriding HOSTCC and HOSTLD

Forwarded: not-needed

objtool always uses HOSTCC, HOSTLD, and HOSTAR, so we need to override
these on the command line for cross-builds of linux-kbuild. But it
also builds fixdep which still needs to be native in a cross-build.
Add support for REALHOSTCC and REALHOSTLD variables which, if set,
override HOSTCC and HOSTLD for fixdep only.

Gbp-Pq: Topic debian
Gbp-Pq: Name fixdep-allow-overriding-hostcc-and-hostld.patch

Makefile: Make compiler version comparison optional

Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/1019749

The top-level Makefile warns if the compiler version string changes at
all between the kernel build and an out-of-tree module build.

We expect that major compiler version changes could introduce ABI
changes, and override the CC variable in out-of-tree module builds to
ensure that the same major compiler version is used. But minor
version changes should not make a difference, so this exact version
comparison produces false warnings.

Since custom kernel packages don't have that, don't remove the version
comparison. Instead, skip it if $(DEBIAN_KERNEL_NO_CC_VERSION_CHECK)
is non-empty.

Gbp-Pq: Topic debian
Gbp-Pq: Name makefile-make-compiler-version-comparison-optional.patch

module: Avoid ABI changes when debug info is disabled

Forwarded: not-needed

CI builds are done with debug info disabled, but this removes some
members from struct module. This causes builds to fail if there is an
ABI reference for the current ABI.

Define these members unconditionally, so that there is no ABI change.

Gbp-Pq: Topic debian
Gbp-Pq: Name module-avoid-abi-changes-when-debug-info-is-disabled.patch

kbuild: Abort build if SUBDIRS used

Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/987575

DKMS and module-assistant both build OOT modules as root. If they
build an old OOT module that still use SUBDIRS this causes Kbuild
to try building a full kernel, which obviously fails but not before
deleting files from the installed headers package.

To avoid such mishaps, detect this situation and abort the build.

The error message is based on that used in commit 0126be38d988
"kbuild: announce removal of SUBDIRS if used".

Gbp-Pq: Topic debian
Gbp-Pq: Name kbuild-abort-build-if-subdirs-used.patch

kbuild: Look for module.lds under arch directory too

Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/975571

The module.lds linker script is now built under the scripts directory,
where previously it was under arch/$(SRCARCH).

However, we package the scripts directory as linux-kbuild, which is
meant to be able to do support native and cross-builds. That means it
shouldn't contain files for a specific target architecture without a
wrapper to select between them, and it doesn't appear that linker
scripts are powerful enough to implement such a wrapper.

Building module.lds in a different location would require relatively
large changes. Moving it in the package build rules can work, but we
need to support custom kernel builds from the same source so we can't
assume it's moved.

Therefore, we move module.lds under the arch build directory in
rules.real and change Makefile.modfinal to look for it in both places.

Gbp-Pq: Topic debian
Gbp-Pq: Name kbuild-look-for-module.lds-under-arch-directory-too.patch

[PATCH 2/2] perf/traceevent: Support asciidoctor for documentation

From cd02fc78859ef9aefd7c92406f9523622da0b472 Mon Sep 17 00:00:00 2001
Forwarded: not-needed

Gbp-Pq: Topic debian
Gbp-Pq: Name perf-traceevent-support-asciidoctor-for-documentatio.patch

[PATCH 1/2] Documentation: Drop sphinx version check

From 252aa79fdbd4ac2da09d9b98f81bf11f5e3e1870 Mon Sep 17 00:00:00 2001
Forwarded: not-needed

Gbp-Pq: Topic debian
Gbp-Pq: Name documentation-drop-sphinx-version-check.patch

android: Enable building ashmem and binder as modules

Bug-Debian: https://bugs.debian.org/901492

We want to enable use of the Android ashmem and binder drivers to
support Anbox, but they should not be built-in as that would waste
resources and increase security attack surface on systems that don't
need them.

- Add a MODULE_LICENSE declaration to ashmem
- Change the Makefiles to build each driver as an object with the
"_linux" suffix (which is what Anbox expects)
- Change config symbol types to tristate

Update:
In upstream commit 721412ed3d titled "staging: remove ashmem" the ashmem
driver was removed entirely. Secondary commit message:
"The mainline replacement for ashmem is memfd, so remove the legacy
code from drivers/staging/"
Consequently, the ashmem part of this patch has been removed.

Gbp-Pq: Topic debian
Gbp-Pq: Name android-enable-building-ashmem-and-binder-as-modules.patch

Export symbols needed by Android drivers

Bug-Debian: https://bugs.debian.org/901492

We want to enable use of the Android ashmem and binder drivers to
support Anbox, but they should not be built-in as that would waste
resources and increase security attack surface on systems that don't
need them.

Export the currently un-exported symbols they depend on.

Gbp-Pq: Topic debian
Gbp-Pq: Name export-symbols-needed-by-android-drivers.patch

wireless: Add Debian wireless-regdb certificates

Forwarded: not-needed

This hex dump is generated using:

{
    for cert in debian/certs/wireless-regdb-*.pem; do
        openssl x509 -in $cert -outform der;
    done
} | hexdump -v -e '1/1 "0x%.2x," "\n"' > net/wireless/certs/debian.hex

Gbp-Pq: Topic debian
Gbp-Pq: Name wireless-add-debian-wireless-regdb-certificates.patch

tools: install perf python bindings

Bug-Debian: http://bugs.debian.org/860957
Forwarded: not-needed

Gbp-Pq: Topic debian
Gbp-Pq: Name tools-perf-install-python-bindings.patch

linux-tools: Install perf-read-vdso{,x}32 in directory under /usr/lib

Gbp-Pq: Topic debian
Gbp-Pq: Name tools-perf-perf-read-vdso-in-libexec.patch

[sh4] Fix uImage build

Bug-Debian: https://bugs.debian.org/569034
Forwarded: not-needed

[bwh: This was added without a description, but I think it is done
only to avoid a build-dependency on u-boot-tools.]

Gbp-Pq: Topic debian
Gbp-Pq: Name arch-sh4-fix-uimage-build.patch

Use RELAXED ieee754 mode for Loongson-3 as 3A 4000 is 2008-only

Forwarded: not-needed

There are 2 mode of value of IEEE NaN hardcoded by CPU.
Currently, our mipsel/mips64el port is in so-called lagacy mode.
Loongson 3A 4000 is set as the so-called 2008 mode.

To make Debian workable on Loongson 3A 4000, we need set the kerenl in
RELAXED mode.

https://web.archive.org/web/20180830093617/https://dmz-portal.mips.com/wiki/MIPS_ABI_-_NaN_Interlinking

Gbp-Pq: Topic debian
Gbp-Pq: Name mips-ieee754-relaxed.patch

Disable uImage generation for mips generic

Forwarded: not-needed

MIPS generic trys to generate uImage when build, which then ask for
u-boot-tools.

[bwh: Updated for 5.17:
- zload-y is no longer assigned here and appears to default to empty
- Adjust context]

Gbp-Pq: Topic debian
Gbp-Pq: Name mips-boston-disable-its.patch

kbuild: Make the toolchain variables easily overwritable

Forwarded: not-needed

Allow make variables to be overridden for each flavour by a file in
the build tree, .kernelvariables.

We currently use this for ARCH, KERNELRELEASE, CC, and in some cases
also CROSS_COMPILE, KCFLAGS.

This file can only be read after we establish the build tree, and all
use of $(ARCH) needs to be moved after this.

[bwh: Updated for 5.3: include .kernelvariables from current directory
rather than using undefined $(obj).]

Gbp-Pq: Topic debian
Gbp-Pq: Name kernelvariables.patch

Make mkcompile_h accept an alternate timestamp string

Forwarded: not-needed

We want to include the Debian version in the utsname::version string
instead of a full timestamp string. However, we still need to provide
a standard timestamp string for gen_initramfs_list.sh to make the
kernel image reproducible.

Make mkcompile_h use $KBUILD_BUILD_VERSION_TIMESTAMP in preference to
$KBUILD_BUILD_TIMESTAMP.

Gbp-Pq: Topic debian
Gbp-Pq: Name uname-version-timestamp.patch

Include package version along with kernel release in stack traces

Forwarded: not-needed

For distribution binary packages we assume
$DISTRIBUTION_OFFICIAL_BUILD, $DISTRIBUTOR and $DISTRIBUTION_VERSION
are set.

Gbp-Pq: Topic debian
Gbp-Pq: Name version.patch

Documentation: Fix broken link to CIPSO draft

Forwarded: not-needed

We exclude the CIPSO draft text as its licence is not DFSG compliant.
Link to the IETF's online version instead.

Gbp-Pq: Topic debian/dfsg
Gbp-Pq: Name documentation-fix-broken-link-to-cipso-draft.patch

video: Remove nvidiafb and rivafb

Bug-Debian: https://bugs.debian.org/383481
Forwarded: no

These drivers contain register programming code provided by the
hardware vendor that appears to have been deliberately obfuscated.
This is arguably not the preferred form for modification.

These drivers are also largely redundant with nouveau. The RIVA 128
(NV3) is not supported by nouveau but is about 15 years old and
probably discontinued 10 years ago.

Gbp-Pq: Topic debian/dfsg
Gbp-Pq: Name video-remove-nvidiafb-and-rivafb.patch

dvb-usb-af9005: mark as broken

Forwarded: not-needed

Gbp-Pq: Topic debian/dfsg
Gbp-Pq: Name drivers-media-dvb-dvb-usb-af9005-disable.patch

Remove microcode patches for mgsuvd (not enabled in Debian configs)

Forwarded: not-needed

Gbp-Pq: Topic debian/dfsg
Gbp-Pq: Name arch-powerpc-platforms-8xx-ucode-disable.patch

Tweak gitignore for Debian pkg-kernel using git

Forwarded: not-needed

[bwh: Tweak further for pure git]

Gbp-Pq: Topic debian
Gbp-Pq: Name gitignore.patch

linux (6.9.9-1) unstable; urgency=medium

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.9.9
    - locking/mutex: Introduce devm_mutex_init()
    - leds: mlxreg: Use devm_mutex_init() for mutex initialization
    - leds: an30259a: Use devm_mutex_init() for mutex initialization
    - crypto: hisilicon/debugfs - Fix debugfs uninit process issue
    - [arm64,armhf] drm/lima: fix shared irq handling on driver remove
    - [powerpc*] Avoid nmi_enter/nmi_exit in real mode interrupt.
    - media: dvb: as102-fe: Fix as10x_register_addr packing
    - media: dvb-usb: dib0700_devices: Add missing release_firmware()
    - net: dql: Avoid calling BUG() when WARN() is enough
    - wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband
    - drm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf
    - IB/core: Implement a limit on UMAD receive List
    - scsi: qedf: Make qedf_execute_tmf() non-preemptible
    - bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable
    - bpf: check bpf_dummy_struct_ops program params for test runs
    - [riscv64] KVM: Fix the initial sample period value
    - crypto: aead,cipher - zeroize key buffer after use
    - media: mediatek: vcodec: Only free buffer VA that is not NULL
    - drm/amdgpu: Fix uninitialized variable warnings
    - drm/amdgpu: Using uninitialized value *size when calling
      amdgpu_vce_cs_reloc
    - drm/amdgpu: Initialize timestamp for some legacy SOCs
    - drm/amdgpu: fix double free err_addr pointer warnings
    - drm/amd/display: Add NULL pointer check for kzalloc
    - drm/amd/display: Check index msg_id before read or write
    - drm/amd/display: Check pipe offset before setting vblank
    - drm/amd/display: Skip finding free audio for unknown engine_id
    - drm/amd/display: Fix overlapping copy within dml_core_mode_programming
    - drm/amd/display: update pipe topology log to support subvp
    - drm/amd/display: Do not return negative stream id for array
    - drm/amd/display: ASSERT when failing to find index by plane/stream id
    - drm/amd/display: Fix uninitialized variables in DM
    - drm/amdgpu: fix uninitialized scalar variable warning
    - drm/amdgpu: fix the warning about the expression (int)size - len
    - media: dw2102: Don't translate i2c read into write
    - [riscv64] Apply SiFive CIP-1200 workaround to single-ASID sfence.vma
    - media: dw2102: fix a potential buffer overflow
    - sctp: prefer struct_size over open coded arithmetic
    - firmware: dmi: Stop decoding on broken entry
    - kunit/fortify: Do not spam logs with fortify WARNs
    - Input: ff-core - prefer struct_size over open coded arithmetic
    - usb: xhci: prevent potential failure in handle_tx_event() for Transfer
      events without TRB
    - wifi: mt76: replace skb_put with skb_put_zero
    - wifi: mt76: mt7996: add sanity checks for background radar trigger
    - thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data
    - [arm64,armhf] net: dsa: mv88e6xxx: Correct check for empty list
    - media: dvb-frontends: tda18271c2dd: Remove casting during div
    - media: s2255: Use refcount_t instead of atomic_t for num_channels
    - media: i2c: st-mipid02: Use the correct div function
    - media: tc358746: Use the correct div_ function
    - media: dvb-frontends: tda10048: Fix integer overflow
    - crypto: hisilicon/sec2 - fix for register offset
    - gve: Account for stopped queues when reading NIC stats
    - i2c: i801: Annotate apanel_addr as __ro_after_init
    - [powerpc*] 64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n
    - orangefs: fix out-of-bounds fsid access
    - kunit: Fix timeout message
    - [powerpc*] xmon: Check cpu id in commands "c#", "dp#" and "dx#"
    - igc: fix a log entry using uninitialized netdev
    - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD
    - f2fs: check validation of fault attrs in f2fs_build_fault_attr()
    - scsi: mpi3mr: Sanitise num_phys
    - serial: imx: Raise TX trigger level to 8
    - jffs2: Fix potential illegal address access in jffs2_free_inode
    - [s390x] Mark psw in __load_psw_mask() as __unitialized
    - [s390x] pkey: Use kfree_sensitive() to fix Coccinelle warnings
    - [s390x] pkey: Wipe sensitive data on failure
    - [s390x] pkey: Wipe copies of clear-key structures on failure
    - [s390x] pkey: Wipe copies of protected- and secure-keys
    - btrfs: scrub: initialize ret in scrub_simple_mirror() to fix compilation
      warning
    - cdrom: rearrange last_media_change check to avoid unintentional overflow
    - [x86] tools/power turbostat: Remember global max_die_id
    - [x86] tools/power turbostat: Avoid possible memory corruption due to
      sparse topology IDs
    - vhost: Use virtqueue mutex for swapping worker
    - vhost: Release worker mutex during flushes
    - vhost_task: Handle SIGKILL by flushing work and exiting
    - virtio-pci: Check if is_avq is NULL
    - mac802154: fix time calculation in ieee802154_configure_durations()
    - wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values
    - net: phy: phy_device: Fix PHY LED blinking code comment
    - wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP
    - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()
    - net/mlx5: E-switch, Create ingress ACL when needed
    - net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup()
    - net/mlx5e: Present succeeded IPsec SA bytes and packet
    - net/mlx5e: Approximate IPsec per-SA payload data bytes count
    - Bluetooth: hci_event: Fix setting of unicast qos interval
    - Bluetooth: Ignore too large handle values in BIG
    - Bluetooth: ISO: Check socket flag instead of hcon
    - bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX
    - tcp_metrics: validate source addr length
    - [s390x] KVM: s390: fix LPSWEY handling
    - e1000e: Fix S0ix residency on corporate systems
    - gpiolib: of: fix lookup quirk for MIPS Lantiq
    - net: allow skb_datagram_iter to be called from any context
    - net: txgbe: initialize num_q_vectors for MSI/INTx interrupts
    - net: txgbe: remove separate irq request for MSI and INTx
    - net: txgbe: add extra handle for MSI/INTx into thread irq handle
    - net: txgbe: free isb resources at the right time
    - btrfs: always do the basic checks for btrfs_qgroup_inherit structure
    - net: phy: aquantia: add missing include guards
    - net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from
      __netif_rx()
    - drm/fbdev-generic: Fix framebuffer on big endian devices
    - net: stmmac: enable HW-accelerated VLAN stripping for gmac4 only
    - [s390x] vfio_ccw: Fix target addresses of TIC CCWs
    - gpio: mmio: do not calculate bgpio_bits via "ngpios"
    - wifi: wilc1000: fix ies_len type in connect path
    - [riscv64] kexec: Avoid deadlock in kexec crash path
    - netfilter: nf_tables: unconditionally flush pending work before notifier
    - net: rswitch: Avoid use-after-free in rswitch_poll()
    - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
      (CVE-2024-39487)
    - ice: Fix improper extts handling
    - ice: Don't process extts if PTP is disabled
    - ice: Reject pin requests with unsupported flags
    - ice: use proper macro for testing bit
    - drm/xe/mcr: Avoid clobbering DSS steering
    - tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown for TCP AO.
    - inet_diag: Initialize pad field in struct inet_diag_req_v2
    - bnxt_en: Fix the resource check condition for RSS contexts
    - gpiolib: of: add polarity quirk for TSC2005
    - [x86] platform/x86: toshiba_acpi: Fix quickstart quirk handling
    - Revert "igc: fix a log entry using uninitialized netdev"
    - nilfs2: fix inode number range checks
    - nilfs2: add missing check for inode numbers on directory entries
    - nilfs2: fix incorrect inode allocation from reserved inodes
    - mm: optimize the redundant loop of mm_update_owner_next()
    - mm: avoid overflows in dirty throttling logic
    - btrfs: zoned: fix calc_available_free_space() for zoned mode
    - btrfs: fix adding block group to a reclaim list and the unused list during
      reclaim
    - btrfs: fix folio refcount in __alloc_dummy_extent_buffer()
    - f2fs: Add inline to f2fs_build_fault_attr() stub
    - scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add()
    - Bluetooth: hci_bcm4377: Fix msgid release
    - Bluetooth: Add quirk to ignore reserved PHY bits in LE Extended Adv Report
    - Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot
    - can: kvaser_usb: Explicitly initialize family in leafimx driver_info
      struct
    - fsnotify: Do not generate events for O_PATH file descriptors
    - Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),
      again"
    - drm/xe: fix error handling in xe_migrate_update_pgtables
    - drm/ttm: Always take the bo delayed cleanup path for imported bos
    - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes
    - drm/amdgpu/atomfirmware: silence UBSAN warning
    - drm: panel-orientation-quirks: Add quirk for Valve Galileo
    - clk: qcom: gcc-ipq9574: Add BRANCH_HALT_VOTED flag
    - clk: sunxi-ng: common: Don't call hw_to_ccu_common on hw without common
    - [powerpc*] pseries: Fix scv instruction crash with kexec
    - [powerpc*] 64s: Fix unnecessary copy to 0 when kernel is booted at address
      0
    - firmware: sysfb: Fix reference count of sysfb parent device
    - filelock: Remove locks reliably when fcntl/close race is detected
    - mtd: rawnand: Ensure ECC configuration is propagated to upper layers
    - mtd: rawnand: Fix the nand_read_data_op() early check
    - mtd: rawnand: Bypass a couple of sanity checks during NAND identification
    - mtd: rawnand: rockchip: ensure NVDDR timings are rejected
    - fs: don't misleadingly warn during thaw operations
    - net: stmmac: dwmac-qcom-ethqos: fix error array size
    - bnx2x: Fix multiple UBSAN array-index-out-of-bounds
    - s390/dasd: Fix invalid dereferencing of indirect CCW data pointer
    - selftests/harness: Fix tests timeout and race condition
    - arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model
      B
    - clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents
    - clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs
    - clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg
    - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr
    - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897
    - vhost-scsi: Handle vhost_vq_work_queue failures for events
    - nvme-multipath: find NUMA path only for online numa-node
    - dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails
    - drm/amdgpu: correct hbm field in boot status
    - connector: Fix invalid conversion in cn_proc.h
    - swap: yield device immediately
    - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset
    - libbpf: detect broken PID filtering logic for multi-uprobe
    - regmap-i2c: Subtract reg size from max_write
    - [x86] platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW
      11.6" tablet
    - [x86] platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro
    - block: check for max_hw_sectors underflow
    - nvmet: fix a possible leak when destroy a ctrl during qp establishment
    - kbuild: fix short log for AS in link-vmlinux.sh
    - nfc/nci: Add the inconsistency check between the input data length and
      count
    - spi: cadence: Ensure data lines set to low during dummy-cycle period
    - ALSA: ump: Set default protocol when not given explicitly
    - drm/amdgpu: silence UBSAN warning
    - hwmon: (dell-smm) Add Dell G15 5511 to fan control whitelist
    - null_blk: Do not allow runt zone with zone capacity smaller then zone size
    - libbpf: don't close(-1) in multi-uprobe feature detector

[dgit import unpatched linux 6.9.9-1]

Import linux_6.9.9.orig.tar.xz

[dgit import orig linux_6.9.9.orig.tar.xz]

Import linux_6.9.9-1.debian.tar.xz

[dgit import tarball linux 6.9.9-1 linux_6.9.9-1.debian.tar.xz]