The report:

6.6 backport was done correctly upstream (!), identical to ours from the 23rd last month

Proper, ugly fix:

(~20 years in the making)

If you're wondering why so many commits were backported to the LTS kernels over the weekend, take a look for example at 48964027809b9097991050fa72a0cc68be3ce966 and its "dependencies" of 9621a0a5e338, f66ba30be7be, and e6d1529c79e9.

Fixes tag for should actually point to 8032bf1233a74627ce69b803608e650f3f35971c (2022 vs 2021) as that introduced the new sleeping behavior, prandom_u32_max() was fine.

Was the right fix: Looked into this syscall when it was added, appeared safe to me as well. Depending on future appetites for new syscalls, the theme of this problem will be a recurring one only a libc update away, unique to hardcoded self-sandboxing.

Quite a few finds from the percpu alloc leak detection added to kmemleak:

Since the Linux CNA, it now looks like this. Note the complete absence of any CVEs published before a fix. They pretend the vulns don't exist, and everyone goes along with it.