Package "linux-kvm"

  linux-kvm (4.4.0-1077.84) xenial; urgency=medium

  * xenial/linux-kvm: 4.4.0-1077.84 -proposed tracker (LP: #1885506)

  * LXD 4.2 broken on linux-kvm due to missing VLAN filtering (LP: #1882955)
    - [Config] VLAN_8021Q=m && BRIDGE_VLAN_FILTERING=y

  [ Ubuntu: 4.4.0-186.216 ]

  * xenial/linux: 4.4.0-186.216 -proposed tracker (LP: #1885514)
  * Xenial update: v4.4.228 upstream stable release (LP: #1884564)
    - ipv6: fix IPV6_ADDRFORM operation logic
    - vxlan: Avoid infinite loop when suppressing NS messages with invalid options
    - scsi: return correct blkprep status code in case scsi_init_io() fails.
    - net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well.
    - pwm: fsl-ftm: Use flat regmap cache
    - ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook
    - sched/fair: Don't NUMA balance for kthreads
    - ath9k_htc: Silence undersized packet warnings
    - x86_64: Fix jiffies ODR violation
    - x86/speculation: Prevent rogue cross-process SSBD shutdown
    - x86/reboot/quirks: Add MacBook6,1 reboot quirk
    - efi/efivars: Add missing kobject_put() in sysfs entry creation error path
    - ALSA: es1688: Add the missed snd_card_free()
    - ALSA: usb-audio: Fix inconsistent card PM state after resume
    - ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile()
    - ACPI: PM: Avoid using power resources if there are none for D0
    - cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages
    - nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
    - spi: bcm2835aux: Fix controller unregister order
    - ALSA: pcm: disallow linking stream to itself
    - x86/speculation: Change misspelled STIPB to STIBP
    - x86/speculation: Add support for STIBP always-on preferred mode
    - x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced
      IBRS.
    - x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.
    - spi: dw: fix possible race condition
    - spi: dw: Fix controller unregister order
    - spi: No need to assign dummy value in spi_unregister_controller()
    - spi: Fix controller unregister order
    - spi: pxa2xx: Fix controller unregister order
    - spi: bcm2835: Fix controller unregister order
    - ovl: initialize error in ovl_copy_xattr
    - proc: Use new_inode not new_inode_pseudo
    - video: fbdev: w100fb: Fix a potential double free.
    - KVM: nSVM: leave ASID aside in copy_vmcb_control_area
    - KVM: nVMX: Consult only the "basic" exit reason when routing nested exit
    - KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
    - ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
    - ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
    - ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
    - ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
    - Smack: slab-out-of-bounds in vsscanf
    - mm/slub: fix a memory leak in sysfs_slab_add()
    - fat: don't allow to mount if the FAT length == 0
    - can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices
    - spi: dw: Zero DMA Tx and Rx configurations on stack
    - Bluetooth: Add SCO fallback for invalid LMP parameters error
    - kgdb: Prevent infinite recursive entries to the debugger
    - spi: dw: Enable interrupts in accordance with DMA xfer mode
    - clocksource: dw_apb_timer_of: Fix missing clockevent timers
    - btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums
    - ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE
    - net: vmxnet3: fix possible buffer overflow caused by bad DMA value in
      vmxnet3_get_rss()
    - staging: android: ion: use vmap instead of vm_map_ram
    - e1000: Distribute switch variables for initialization
    - media: dvb: return -EREMOTEIO on i2c transfer failure.
    - MIPS: Make sparse_init() using top-down allocation
    - netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported
    - lib/mpi: Fix 64-bit MIPS build with Clang
    - net: lpc-enet: fix error return code in lpc_mii_init()
    - net: allwinner: Fix use correct return type for ndo_start_xmit()
    - powerpc/spufs: fix copy_to_user while atomic
    - mips: cm: Fix an invalid error code of INTVN_*_ERR
    - kgdb: Fix spurious true from in_dbg_master()
    - md: don't flush workqueue unconditionally in md_open
    - mwifiex: Fix memory corruption in dump_station
    - mips: Add udelay lpj numbers adjustment
    - x86/mm: Stop printing BRK addresses
    - m68k: mac: Don't call via_flush_cache() on Mac IIfx
    - macvlan: Skip loopback packets in RX handler
    - PCI: Don't disable decoding when mmio_always_on is set
    - MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe()
    - ixgbe: fix signed-integer-overflow warning
    - spi: dw: Return any value retrieved from the dma_transfer callback
    - cpuidle: Fix three reference count leaks
    - ima: Fix ima digest hash table key calculation
    - ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max
    - Btrfs: fix unreplayable log after snapshot delete + parent dir fsync
    - btrfs: send: emit file capabilities after chown
    - btrfs: fix error handling when submitting direct I/O bio
    - ima: Directly assign the ima_default_policy pointer to ima_rules
    - PCI: Program MPS for RCiEP devices
    - e1000e: Relax condition to trigger reset for ME workaround
    - carl9170: remove P2P_GO support
    - media: go7007: fix a miss of snd_card_free
    - b43legacy: Fix case where channel status is corrupted
    - b43: Fix connection problem with WPA3
    - b43_legacy: Fix connection problem with WPA3
    - igb: Report speed and duplex as unknown when device is runtime suspended
    - power: vexpress: add suppress_bind_attrs to true
    - pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs
    - sparc32: fix register window handling in genregs32_[gs]et()
    - kernel/cpu_pm: Fix uninitted local in cpu_pm
    - ARM: tegr

  linux-kvm (4.4.0-1076.83) xenial; urgency=medium

  * xenial/linux-kvm: 4.4.0-1076.83 -proposed tracker (LP: #1882762)

  [ Ubuntu: 4.4.0-185.215 ]

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
  * CVE-2020-0543
    - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when
      not supported
  * Xenial update: 4.4.224 upstream stable release (LP: #1881356)
    - USB: serial: qcserial: Add DW5816e support
    - Revert "net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS"
    - dp83640: reverse arguments to list_add_tail
    - net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc()
    - sch_sfq: validate silly quantum values
    - sch_choke: avoid potential panic in choke_reset()
    - enic: do not overwrite error code
    - ipv6: fix cleanup ordering for ip6_mr failure
    - binfmt_elf: move brk out of mmap when doing direct loader exec
    - x86/apm: Don't access __preempt_count with zeroed fs
    - Revert "IB/ipoib: Update broadcast object if PKey value was changed in index
      0"
    - USB: uas: add quirk for LaCie 2Big Quadra
    - USB: serial: garmin_gps: add sanity checking for data length
    - batman-adv: fix batadv_nc_random_weight_tq
    - scripts/decodecode: fix trapping instruction formatting
    - phy: micrel: Ensure interrupts are reenabled on resume
    - binfmt_elf: Do not move brk for INTERP-less ET_EXEC
    - ext4: add cond_resched() to ext4_protect_reserved_inode
    - blktrace: Fix potential deadlock between delete & sysfs ops
    - blktrace: fix unlocked access to init/start-stop/teardown
    - blktrace: fix trace mutex deadlock
    - ptp: do not explicitly set drvdata in ptp_clock_register()
    - ptp: use is_visible method to hide unused attributes
    - ptp: create "pins" together with the rest of attributes
    - chardev: add helper function to register char devs with a struct device
    - ptp: Fix pass zero to ERR_PTR() in ptp_clock_register
    - ptp: fix the race between the release of ptp_clock and cdev
    - ptp: free ptp device pin descriptors properly
    - net: handle no dst on skb in icmp6_send
    - net/sonic: Fix a resource leak in an error handling path in
      'jazz_sonic_probe()'
    - net: moxa: Fix a potential double 'free_irq()'
    - drop_monitor: work around gcc-10 stringop-overflow warning
    - scsi: sg: add sg_remove_request in sg_write
    - cifs: Check for timeout on Negotiate stage
    - cifs: Fix a race condition with cifs_echo_request
    - dmaengine: pch_dma.c: Avoid data race between probe and irq handler
    - dmaengine: mmp_tdma: Reset channel error on release
    - drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper()
    - ipc/util.c: sysvipc_find_ipc() incorrectly updates position index
    - net: openvswitch: fix csum updates for MPLS actions
    - gre: do not keep the GRE header around in collect medata mode
    - mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone()
    - scsi: qla2xxx: Avoid double completion of abort command
    - i40e: avoid NVM acquire deadlock during NVM update
    - net/mlx5: Fix driver load error flow when firmware is stuck
    - netfilter: conntrack: avoid gcc-10 zero-length-bounds warning
    - IB/mlx4: Test return value of calls to ib_get_cached_pkey
    - pnp: Use list_for_each_entry() instead of open coding
    - gcc-10 warnings: fix low-hanging fruit
    - kbuild: compute false-positive -Wmaybe-uninitialized cases in Kconfig
    - Stop the ad-hoc games with -Wno-maybe-initialized
    - gcc-10: disable 'zero-length-bounds' warning for now
    - gcc-10: disable 'array-bounds' warning for now
    - gcc-10: disable 'stringop-overflow' warning for now
    - gcc-10: disable 'restrict' warning for now
    - blk-mq: sync the update nr_hw_queues with blk_mq_queue_tag_busy_iter
    - blk-mq: Allow blocking queue tag iter callbacks
    - x86/paravirt: Remove the unused irq_enable_sysexit pv op
    - gcc-10: avoid shadowing standard library 'free()' in crypto
    - net: fix a potential recursive NETDEV_FEAT_CHANGE
    - net: ipv4: really enforce backoff for redirects
    - ALSA: hda/realtek - Limit int mic boost for Thinkpad T530
    - ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
    - ALSA: rawmidi: Initialize allocated buffers
    - ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries
    - x86: Fix early boot crash on gcc-10, third try
    - exec: Move would_dump into flush_old_exec
    - usb: gadget: net2272: Fix a memory leak in an error handling path in
      'net2272_plat_probe()'
    - usb: gadget: audio: Fix a missing error return value in audio_bind()
    - usb: gadget: legacy: fix error return code in gncm_bind()
    - usb: gadget: legacy: fix error return code in cdc_bind()
    - ARM: dts: r8a7740: Add missing extal2 to CPG node
    - KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce
    - Makefile: disallow data races on gcc-10 as well
    - scsi: iscsi: Fix a potential deadlock in the timeout handler
    - Linux 4.4.224
  * upgrading to 4.15.0-99-generic breaks the sound and the trackpad
    (LP: #1875916) // Xenial update: 4.4.224 upstream stable release
    (LP: #1881356)
    - Revert "ALSA: hda/realtek: Fix pop noise on ALC225"
  * CVE-2020-10711
    - netlabel: cope with NULL catmap
  * CVE-2020-13143
    - USB: gadget: fix illegal array access in binding with UDC
  * ext2 build failure on 4.4.0-180.210 (LP: #1880213)
    - ext2: fix debug reference to ext2_xattr_cache
  * test_bpf of ubuntu_kernel_selftests.net ADT test failure with linux
    4.4.0-180.210 (LP: #1879752)
    - bpf, test: fix ld_abs + vlan push/pop stress test

 -- Sultan Alsawaf <email address hidden> Fri, 12 Jun 2020 11:01:55 -0700

  linux-kvm (4.4.0-1075.82) xenial; urgency=medium

  [ Ubuntu: 4.4.0-184.214 ]

  * CVE-2020-0543
    - SAUCE: x86/cpu: Add a steppings field to struct x86_cpu_id
    - SAUCE: x86/cpu: Add 'table' argument to cpu_matches()
    - SAUCE: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS)
      mitigation
    - SAUCE: x86/speculation: Add SRBDS vulnerability and mitigation documentation
    - SAUCE: x86/speculation: Add Ivy Bridge to affected list

  [ Ubuntu: 4.4.0-181.211 ]

  * xenial/linux: 4.4.0-181.211 -proposed tracker (LP: #1881170)
  * CVE-2020-12769
    - spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls
  * I2C bus on Dell Edge Gateway stops working after upgrading to
    Ubuntu-4.4.0-180.210 (LP: #1881124)
    - SAUCE: Revert: Revert "ACPI / LPSS: allow to use specific PM domain during
      ->probe()"

  linux-kvm (4.4.0-1071.78) xenial; urgency=medium

  * xenial/linux-kvm: 4.4.0-1071.78 -proposed tracker (LP: #1874796)

  [ Ubuntu: 4.4.0-179.209 ]

  * xenial/linux: 4.4.0-179.209 -proposed tracker (LP: #1874804)
  * Add debian/rules targets to compile/run kernel selftests (LP: #1874286)
    - [Packaging] add support to compile/run selftests
  * getitimer returns it_value=0 erroneously (LP: #1349028)
    - [Config] CONTEXT_TRACKING_FORCE policy should be unset
  * CVE-2020-11608
    - media: ov519: add missing endpoint sanity checks
  * CVE-2019-19060
    - iio: imu: adis16400: release allocated memory on failure
  * Xenial update: 4.4.219 upstream stable release (LP: #1874045)
    - drm/bochs: downgrade pci_request_region failure from error to warning
    - ipv4: fix a RCU-list lock in fib_triestat_seq_show
    - net, ip_tunnel: fix interface lookup with no key
    - sctp: fix possibly using a bad saddr with a given dst
    - l2tp: Correctly return -EBADF from pppol2tp_getname.
    - net: l2tp: Make l2tp_ip6 namespace aware
    - l2tp: fix race in l2tp_recv_common()
    - l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
    - l2tp: fix duplicate session creation
    - l2tp: Refactor the codes with existing macros instead of literal number
    - l2tp: ensure sessions are freed after their PPPOL2TP socket
    - l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall()
    - usb: gadget: uac2: Drop unused device qualifier descriptor
    - usb: gadget: printer: Drop unused device qualifier descriptor
    - padata: always acquire cpu_hotplug_lock before pinst->lock
    - mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
    - net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting
    - random: always use batched entropy for get_random_u{32,64}
    - tools/accounting/getdelays.c: fix netlink attribute length
    - power: supply: axp288_charger: Fix unchecked return value
    - ASoC: jz4740-i2s: Fix divider written at incorrect offset in register
    - IB/hfi1: Call kobject_put() when kobject_init_and_add() fails
    - Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl
    - RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow
    - clk: qcom: rcg: Return failure for RCG update
    - drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read()
    - Linux 4.4.219
  * Xenial update: 4.4.218 upstream stable release (LP: #1873852)
    - spi: qup: call spi_qup_pm_resume_runtime before suspending
    - powerpc: Include .BTF section
    - ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes
    - spi/zynqmp: remove entry that causes a cs glitch
    - drm/exynos: dsi: propagate error value and silence meaningless warning
    - drm/exynos: dsi: fix workaround for the legacy clock name
    - altera-stapl: altera_get_note: prevent write beyond end of 'key'
    - USB: Disable LPM on WD19's Realtek Hub
    - usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters
    - USB: serial: option: add ME910G1 ECM composition 0x110b
    - usb: host: xhci-plat: add a shutdown
    - USB: serial: pl2303: add device-id for HP LD381
    - ALSA: line6: Fix endless MIDI read loop
    - ALSA: seq: virmidi: Fix running status after receiving sysex
    - ALSA: seq: oss: Fix running status after receiving sysex
    - ALSA: pcm: oss: Avoid plugin buffer overflow
    - ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks
    - staging: rtl8188eu: Add device id for MERCUSYS MW150US v2
    - staging/speakup: fix get_word non-space look-ahead
    - intel_th: Fix user-visible error codes
    - rtc: max8907: add missing select REGMAP_IRQ
    - memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event
    - mm: slub: be more careful about the double cmpxchg of freelist
    - mm, slub: prevent kmalloc_node crashes and memory leaks
    - x86/mm: split vmalloc_sync_all()
    - USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL
    - USB: cdc-acm: fix rounding error in TIOCSSERIAL
    - kbuild: Disable -Wpointer-to-enum-cast
    - futex: Fix inode life-time issue
    - futex: Unbreak futex hashing
    - arm64: smp: fix smp_send_stop() behaviour
    - Revert "drm/dp_mst: Skip validating ports during destruction, just ref"
    - hsr: fix general protection fault in hsr_addr_is_self()
    - net: dsa: Fix duplicate frames flooded by learning
    - net_sched: cls_route: remove the right filter from hashtable
    - net_sched: keep alloc_hash updated after hash allocation
    - NFC: fdp: Fix a signedness bug in fdp_nci_send_patch()
    - slcan: not call free_netdev before rtnl_unlock in slcan_open
    - vxlan: check return value of gro_cells_init()
    - hsr: use rcu_read_lock() in hsr_get_node_{list/status}()
    - hsr: add restart routine into hsr_get_node_list()
    - hsr: set .netnsok flag
    - vhost: Check docket sk_family instead of call getname
    - IB/ipoib: Do not warn if IPoIB debugfs doesn't exist
    - uapi glibc compat: fix outer guard of net device flags enum
    - KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO instr
    - drivers/hwspinlock: use correct radix tree API
    - net: ipv4: don't let PMTU updates increase route MTU
    - cpupower: avoid multiple definition with gcc -fno-common
    - dt-bindings: net: FMan erratum A050385
    - scsi: ipr: Fix softlockup when rescanning devices in petitboot
    - mac80211: Do not send mesh HWMP PREQ if HWMP is disabled
    - sxgbe: Fix off by one in samsung driver strncpy size arg
    - i2c: hix5hd2: add missed clk_disable_unprepare in remove
    - perf probe: Do not depend on dwfl_module_addrsym()
    - scripts/dtc: Remove redundant YYLOC global declaration
    - scsi: sd: Fix optimal I/O size for devices that change reported values
    - mac80211: mark station unauthorized before key removal
    - genirq: Fix reference leaks on irq affinity notifiers
    - vti[6]: fix packet tx through bpf_redirect() in XinY case

  linux-kvm (4.4.0-1070.77) xenial; urgency=medium

  * xenial/linux-kvm: 4.4.0-1070.77 -proposed tracker (LP: #1870652)

  [ Ubuntu: 4.4.0-178.208 ]

  * xenial/linux: 4.4.0-178.208 -proposed tracker (LP: #1870660)
  * CVE-2019-19768
    - blktrace: Protect q->blk_trace with RCU
    - blktrace: fix dereference after null check
  * Multiple Kexec in AWS Nitro instances fail (LP: #1869948)
    - net: ena: Add PCI shutdown handler to allow safe kexec
  * Insert test_bpf module will report 4 failures for ubuntu_bpf_jit on X s390x
    (LP: #1768452)
    - test_bpf: flag tests that cannot be jited on s390
  * Mounting LVM snapshots with xfs can hit kernel BUG in nvme driver
    (LP: #1869229)
    - block: fix bio_will_gap() for first bvec with offset
  * Xenial update: 4.4.217 upstream stable release (LP: #1868629)
    - NFS: Remove superfluous kmap in nfs_readdir_xdr_to_array
    - r8152: check disconnect status after long sleep
    - net: nfc: fix bounds checking bugs on "pipe"
    - bnxt_en: reinitialize IRQs when MTU is modified
    - fib: add missing attribute validation for tun_id
    - nl802154: add missing attribute validation
    - nl802154: add missing attribute validation for dev_type
    - team: add missing attribute validation for port ifindex
    - team: add missing attribute validation for array index
    - nfc: add missing attribute validation for SE API
    - nfc: add missing attribute validation for vendor subcommand
    - ipvlan: add cond_resched_rcu() while processing muticast backlog
    - ipvlan: do not add hardware address of master to its unicast filter list
    - ipvlan: egress mcast packets are not exceptional
    - ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast()
    - ipvlan: don't deref eth hdr before checking it's set
    - macvlan: add cond_resched() during multicast processing
    - net: fec: validate the new settings in fec_enet_set_coalesce()
    - slip: make slhc_compress() more robust against malicious packets
    - bonding/alb: make sure arp header is pulled before accessing it
    - net: fq: add missing attribute validation for orphan mask
    - iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn +
      add_taint
    - drm/amd/display: remove duplicated assignment to grph_obj_type
    - gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache
    - KVM: x86: clear stale x86_emulate_ctxt->intercept value
    - ARC: define __ALIGN_STR and __ALIGN symbols for ARC
    - efi: Fix a race and a buffer overflow while reading efivars via sysfs
    - iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint
    - iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page
    - nl80211: add missing attribute validation for critical protocol indication
    - nl80211: add missing attribute validation for channel switch
    - netfilter: cthelper: add missing attribute validation for cthelper
    - iommu/vt-d: Fix the wrong printing in RHSA parsing
    - iommu/vt-d: Ignore devices with out-of-spec domain number
    - ipv6: restrict IPV6_ADDRFORM operation
    - efi: Add a sanity check to efivar_store_raw()
    - batman-adv: Fix invalid read while copying bat_iv.bcast_own
    - batman-adv: Only put gw_node list reference when removed
    - batman-adv: Only put orig_node_vlan list reference when removed
    - batman-adv: Avoid endless loop in bat-on-bat netdevice check
    - batman-adv: Fix unexpected free of bcast_own on add_if error
    - batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
    - batman-adv: init neigh node last seen field
    - batman-adv: Deactivate TO_BE_ACTIVATED hardif on shutdown
    - batman-adv: Drop reference to netdevice on last reference
    - batman-adv: Fix reference counting of vlan object for tt_local_entry
    - batman-adv: Avoid duplicate neigh_node additions
    - batman-adv: fix skb deref after free
    - batman-adv: Fix use-after-free/double-free of tt_req_node
    - batman-adv: Fix ICMP RR ethernet access after skb_linearize
    - batman-adv: Clean up untagged vlan when destroying via rtnl-link
    - batman-adv: Avoid nullptr dereference in bla after vlan_insert_tag
    - batman-adv: Avoid nullptr dereference in dat after vlan_insert_tag
    - batman-adv: Fix orig_node_vlan leak on orig_node_release
    - batman-adv: lock crc access in bridge loop avoidance
    - batman-adv: Fix non-atomic bla_claim::backbone_gw access
    - batman-adv: Fix reference leak in batadv_find_router
    - batman-adv: Free last_bonding_candidate on release of orig_node
    - batman-adv: Fix speedy join in gateway client mode
    - batman-adv: Add missing refcnt for last_candidate
    - batman-adv: Fix double free during fragment merge error
    - batman-adv: Fix transmission of final, 16th fragment
    - batman-adv: Fix rx packet/bytes stats on local ARP reply
    - batman-adv: fix TT sync flag inconsistencies
    - batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq
    - batman-adv: Fix internal interface indices types
    - batman-adv: update data pointers after skb_cow()
    - batman-adv: Fix skbuff rcsum on packet reroute
    - batman-adv: Avoid race in TT TVLV allocator helper
    - batman-adv: Fix TT sync flags for intermediate TT responses
    - batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs
    - batman-adv: Fix debugfs path for renamed hardif
    - batman-adv: Fix debugfs path for renamed softif
    - batman-adv: Avoid storing non-TT-sync flags on singular entries too
    - batman-adv: Prevent duplicated gateway_node entry
    - batman-adv: Prevent duplicated nc_node entry
    - batman-adv: Prevent duplicated global TT entry
    - batman-adv: Prevent duplicated tvlv handler
    - batman-adv: Reduce claim hash refcnt only for removed entry
    - batman-adv: Reduce tt_local hash refcnt only for removed entry
    - batman-adv: Reduce tt_global hash refcnt only for removed entry
    - batman-adv: Only read OGM tvlv_len after buffer len check