tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

ksmbd: fix potencial out-of-bounds when buffer offset is

smb: client: fix use-after-free bug in

Bluetooth: af_bluetooth: Fix deadlock

x86/sev: Harden #VC instruction emulation somewhat

x86/sev: Check for MWAITX and MONITORX opcodes in the #VC

netfilter: nft_set_pipapo: constify lookup fn args where

netfilter: nft_set_pipapo: walk over current view on netlink

netfilter: nf_tables: missing iterator type in lookup walk

ksmbd: fix slab-out-of-bounds in smb2_allocate_rsp_buf

ksmbd: validate request buffer size in

eeprom: at24: Probe for DDR3 thermal sensor in the SPD case (dependency)

eeprom: at24: Use dev_err_probe for nvmem register failure (dependency)

eeprom: at24: fix memory corruption race condition

Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

firewire: nosy: ensure user_length is taken into account when

dyndbg: fix old BUG_ON in >control parser

md: fix kmemleak of rdev->serial

KEYS: trusted: Fix memory leak in tpm2_key_encode()

KEYS: trusted: Do not use WARN when encode fails

remoteproc: mediatek: Make sure IPI buffer fits in L2TCM

net: fix out-of-bounds access in ops_init

tipc: fix UAF in error path

drm/vmwgfx: Fix invalid reads in fence signaled events

drm/amd/display: Fix division by zero in setup_dsc_config

ALSA: Fix deadlocks with kctl removals at disconnection

arm: arch is not supported

tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()

drm/amd/display: Atom Integrated System Info v2_2 for DCN35

mptcp: ensure snd_nxt is properly initialized on connect

Bluetooth: qca: add missing firmware sanity checks

s390: arch is not supported

bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue

bna: ensure the copied buf is NUL terminated

s390: arch is not supported

net: core: reject skb_copy(_expand) for fraglist GSO skbs

scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload

blk-iocost: avoid out of bounds shift

KVM: arm64: vgic-v2: Use cpuid from userspace as vcpu_id (dependency)

KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()

wifi: nl80211: don't free NULL coalescing rule

pinctrl: core: delete incorrect free in pinctrl_enable()

ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()

tipc: fix a possible memleak in tipc_buf_append

scsi: lpfc: Move NPIV's transport unregistration to after resource clean up

firewire: ohci: mask bus reset interrupts between ISR and bottom half

qibfs: fix dentry leak

phonet: fix rtm_phonet_notify() skb allocation

octeontx2-af: avoid off-by-one read from userspace

fs/9p: only translate RWX permissions for plain 9P2000

drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()

nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().

pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()

keys: Fix overwrite of key expiration on instantiation

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

Out of scope - related to SuperH

gfs2: Fix slab-use-after-free in gfs2_qd_dealloc

net: atlantic: Fix DMA mapping for PTP hwts ring

Fixed function sleeps and executed in kthread, which may prevent patching/unpatching. Low score CVE.

ipv6: prevent NULL dereference in ip6_output()

Out of scope: User-mode Linux isn't supported for current kernel

mmc: davinci: Don't strip remove function when driver is

tcp_metrics: validate source addr length

tcp_metrics: validate source addr length

net: sched: sch_multiq: fix possible OOB write in multiq_tune()

drm/amd/display: Fix potential index out of bounds in color transformation function

net/mlx5: Discard command completions in internal error

nilfs2: We cannot patch functions that sleep in kthread().

stm class: Fix a double free in stm_register_device()

kdb: Fix buffer overflow during tab-complete

greybus: Fix use-after-free bug in gb_interface_release due to race condition.

dma-mapping: benchmark: handle NUMA_NO_NODE correctly

Out of scope as the patch is for NFC/Android

net/dpaa2: Avoid explicit cpumask var allocation on stack

net/iucv: Avoid explicit cpumask var allocation on stack

nilfs2: add missing check for inode numbers on directory

BPF selftest fix, not a kernel code.

net: dsa: mv88e6xxx: Correct check for empty list

wifi: mt76: replace skb_put with skb_put_zero

drm/amdgpu: add error handle to avoid out-of-bounds

bonding: Fix out-of-bounds read in

net/sched: Fix UAF when resolving a clash

media: lgdt3306a: Add a check against null-pointer-def

Patched functions sleep and are called from a kthread. Trackpad suspend/resume fix.

net: can: j1939: enhanced error handling for tightly received

media: cec: cec-api: add locking in cec_release()

usb: gadget: printer: fix races against disable

genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU

ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

f2fs: compress: don't allow unaligned truncation on released

f2fs: compress: fix to cover

dma-mapping: benchmark: fix node id validation

tls: fix missing memory barrier in tls_init

ppdev: Add an error check in register_device

Bluetooth: qca: fix info leak when fetching fw build id

drm/arm/malidp: fix a possible null pointer dereference

netfilter: tproxy: bail out if IP has been disabled on the device

usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete

netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()

drm: Check output polling initialized before disabling

Complex adaptation required. Livepatching of this vulnerability can harm the network subsystem.

scsi: qedf: Ensure the copied buf is NUL terminated

net: openvswitch: fix overwriting ct original tuple for ICMPv6

ASoC: kirkwood: Fix potential NULL dereference

drm/mediatek: Add 0 size check to mtk_drm_gem_obj

drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference

media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries

drm: vc4: Fix possible null pointer dereference

net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP

nilfs2: fix potential kernel bug due to lack of writeback

r8169: Fix possible ring buffer corruption on fragmented Tx packets.

nilfs2: fix unexpected freezing of nilfs_segctor_sync() (dependency)

nilfs2: fix potential hang in nilfs_detach_log_writer()

epoll: be better about file lifetimes

crypto: bcm - Fix pointer arithmetic

ecryptfs: Fix buffer size for tag 66 packet

cppc_cpufreq: Fix possible null pointer dereference

thermal/drivers/tsens: Fix null pointer dereference

scsi: bfa: Ensure the copied buf is NUL terminated

speakup: Fix sizeof() vs ARRAY_SIZE() bug

ring-buffer: Fix a race between readers and resize checks

jffs2: prevent xattr node from overflowing the eraseblock

af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg

RDMA/hns: Fix deadlock on SRQ async events.

RDMA/hns: Modify the print level of CQE error

ALSA: core: Fix NULL module pointer assignment at card init

macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"

Out of scope as the patch is for m68k arch only, x86_64, arm64 is not affected

Vulnerability affects OS during boot time and can't be closed via livepatching.

Patch changes global data size, which may lead to FS errors. Low-score CVE requires complex adaptation.

media: stk1160: fix bounds checking in stk1160_copy_video()

ALSA: timer: Set lower bound of start tick time

greybus: lights: check return of get_channel_from_mode

soundwire: cadence: fix invalid PDI offset

serial: max3100: Update uart_driver_registered on driver removal

dma-buf/sw-sync: don't enable IRQ from sync_print_obj()

enic: Validate length of nl attributes in enic_set_vf_port

bpf: Allow delete from sockmap/sockhash only if update is allowed

ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()

Out of scope as the patch is for s390 arch only, x86_64, arm64 is not affected

ipv6: sr: fix missing sk_buff release in seg6_input_core

ipv6: sr: fix memleak in seg6_hmac_init_algo

f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()

thermal/drivers/qcom/lmh: Check for SCM availability at probe

fbdev: savage: Handle err return when savagefb_check_var failed

net/9p: fix uninit-value in p9_client_rpc()

smb: client: fix deadlock in smb2_find_smb_tcon()

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet

drm/komeda: check for error-valued pointer

drivers: core: synchronize really_probe() and dev_uevent()

vmci: prevent speculation leaks by sanitizing event in event_deliver()

HID: core: remove unnecessary WARN_ON() in implement()

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

wifi: cfg80211: Lock wiphy in cfg80211_get_station

wifi: iwlwifi: mvm: check n_ssids before accessing the ssids

bpf: Set run context for rawtp test_run callback

ipv6: fix possible race in __fib6_drop_pcpu_from()

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log

scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory

wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects

wifi: iwlwifi: mvm: don't read past the mfuart notifcation

iommu: Return right value in iommu_sva_bind_device()

iommu: Return right value in iommu_sva_bind_device()

drm/exynos/vidi: fix memory leak in .get_modes()

ocfs2: fix races between hole punching and AIO+DIO

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors

scsi: qedi: Fix crash while reading debugfs attribute

drm/lima: mask irqs in timeout path before hard reset

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

f2fs: remove clear SB_INLINECRYPT flag in default_options

MIPS related CVE.

serial: imx: Introduce timeout when waiting on transmitter empty

Out of scope as the patch is for MIPS arch only, x86_64 is not affected

ipv6: prevent possible NULL deref in fib6_nh_init()

ipv6: prevent possible NULL dereference in rt6_probe()

crypto: hisilicon/sec - Fix memory leak for sec resource release

batman-adv: bypass empty buckets in batadv_purge_orig_ref()

tracing: Build event generation tests only as modules

tracing: Build event generation tests only as modules

tipc: force a dst refcount before doing decryption

ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs.

RDMA/mlx5: Add check for srq max_sge attribute

drm/radeon: fix UBSAN warning in kv_dpm.c

drm/amdgpu: fix UBSAN warning in kv_dpm.c

netpoll: Fix race condition in netpoll_owner_active

ppp: reject claimed-as-LCP but actually malformed packets

udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().

Fix userfaultfd_api to return EINVAL as expected

usb: atm: cxacru: fix endpoint checking in cxacru_bind()

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes

drm/amdgpu: avoid using null object of framebuffer

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes

The patch affects too much kernel code. Low impact CVE.

pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER

ASoC: fsl-asoc-card: set priv->pdev before using it

drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep

gpio: davinci: Validate the obtained number of IRQs

x86: stop playing stack games in profile_pc()

iio: chemical: bme680: Fix overflows in compensate() functions

ftruncate: pass a signed offset

crypto: ecdh - explicitly zeroize private_key

ALSA: emux: improve patch ioctl data validation

drm/amd/display: Check pipe offset before setting vblank

drm/amd/display: Skip finding free audio for unknown engine_id

jffs2: Fix potential illegal address access in jffs2_free_inode

inet_diag: Initialize pad field in struct inet_diag_req_v2

Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again"

drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes

drm/lima: fix shared irq handling on driver remove

scsi: qedf: Make qedf_execute_tmf() non-preemptible

Arch riscv is not supported.

mm: avoid overflows in dirty throttling logic

nvmet: fix a possible leak when destroy a ctrl during qp

nfc/nci: Add the inconsistency check between the input data length and count

crypto: aead,cipher - zeroize key buffer after use

media: dvb-frontends: tda10048: Fix integer overflow

s390 architecture related CVE.

usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()

libceph: fix race between delayed_work() and ceph_monc_stop()

wireguard: allowedips: avoid unaligned 64-bit memory accesses

filelock: fix potential use-after-free in posix_lock_inode

net: ethernet: lantiq_etop: fix double free in detach

jfs: xattr: fix buffer overflow for invalid xattr

block/ioctl: prefer different overflow check

netns: Make get_net_ns() handle zero refcount net

Applies to 32-bit systems only that we don't cover

dmaengine: idxd: Fix possible Use-After-Free in

net: do not leave a dangling sk pointer, when socket creation

drm/i915/gt: Fix potential UAF by revoke of fence registers

ata: libata-core: Fix double free on error

btrfs: zoned: fix use-after-free due to race with dev replace

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

ima: Fix use-after-free on a dentry's dname.name

f2fs: check validation of fault attrs in

netfilter: nf_tables: restore set elements when delete set fails

rxrpc: Fix delayed ACKs to not set the reference serial number

rxrpc: Fix delayed ACKs to not set the reference serial number (Adaptation)

bpf: Fix overrunning reservations in ringbuf

bpf: Fix overrunning reservations in ringbuf (adaptation)

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

netem: fix return value if duplicate enqueue fails

netfilter: netfilter: nf_tables: use timestamp to check for set element timeout

netfilter: netfilter: nf_tables: use timestamp to check for set element timeout kpatch

ipv6: fix possible UAF in ip6_finish_output2()

ipv6: prevent UAF in ip6_send_skb()

atm: idt77252: prevent use after free in dequeue_rx()

Architecture is not supported

scsi: aacraid: Fix double-free on probe failure

drm/amdgpu: Fix out-of-bounds write warning

VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

binder: fix UAF caused by offsets overwrite

Squashfs: sanity check symbolic link size

HID: amd_sfh: free driver_data after destroying hid device

hfsplus: fix uninit-value in copy_name

gtp: pull network headers in gtp_dev_xmit()

tap: add missing verification for short frame

tun: add missing verification for short frame

drm/amd/pm: fix the Out-of-bounds read warning

drm/amdgpu: fix ucode out-of-bounds read warning

um: line: always fill *error_out in setup_one_line()

drm/amdgpu: fix mc_data out-of-bounds read warning

exec: Fix ToCToU between perm check and set-uid/gid usage

drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number

HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup

of/irq: Prevent device address out-of-bounds read in interrupt map walk

netfilter: flowtable: validate vlan header

ax25: Fix reference count leak issues of ax25_dev

CVE patch is for RISCV arch only

scsi: core: Fix a use-after-free

scsi: core: Fix a use-after-free

net/sched: flower: Fix chain template offload

net/sched: flower: Fix chain template offload

nvme: avoid double free special payload

CVE patch is for powerpc arch only

tipc: Return non-zero value from tipc_udp_addr2str() on error

mISDN: Fix a use after free in hfcmulti_tx()

net/iucv: fix use after free in iucv_sock_close()

drm/amdkfd: don't allow mapping the MMIO HDP page with large pages

wifi: mac80211: Avoid address calculations via out of bounds array indexing

smack: tcp: ipv4, fix incorrect labeling

rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

dev/parport: fix the array out-of-bounds risk

Patched function waits for external events, which may prevent patching/unpatching.

media: venus: fix use after free in vdec_close

jfs: Fix array-index-out-of-bounds in diFree

vhost/vsock: always initialize seqpacket_allow

vhost/vsock: always initialize seqpacket_allow

net: bridge: mcast: wait for previous gc cycles when removing port

mptcp: pm: avoid possible UaF when selecting endp

ipv6: prevent possible UAF in ip6_xmit()

ocfs2: add bounds checking to ocfs2_check_dir_entry()

jfs: don't walk off the end of ealist

fs/ntfs3: Validate ff offset

filelock: Remove locks reliably when fcntl/close race is detected

drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()

netfilter: nf_tables: prefer nft_chain_validate

drm/radeon: check bo_va->bo is non-NULL before using it

Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope as the patch is for s390 arch only, x86_64 is not affected

wifi: cfg80211: wext: add extra SIOCSIWSCAN data check

null_blk: fix validation of block size

btrfs: qgroup: fix quota root leak after quota disable failure

ila: block BH in ila_output()

ata: libata-core: Fix null pointer dereference on error

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (Adaptation)

net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket

powerpc arch not supported.

drm/i915/gem: Fix Virtual Memory mapping boundaries calculation

bna: adjust 'name' buf size of bna_tcb and bna_ccb structures

ila: call nf_unregister_net_hooks() sooner

protect the fetch of ->fd[fd] in do_dup2() from mispredictions

RISCV arch not supported.

netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().

netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().

iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en

bpf: Fix a segment issue when downgrading gso_size

net: nexthop: Initialize all fields in dumped nexthops

f2fs: fix return value of f2fs_convert_inline_inode()

scsi: qla2xxx: Complete command early within lock

can: bcm: Remove proc entry when dev is unregistered.

f2fs: fix to don't dirty inode for readonly filesystem

fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed

kobject_uevent: Fix OOB access within zap_modalias_env()

scsi: qla2xxx: Fix for possible memory corruption

scsi: qla2xxx: validate nvme_local_port correctly

nilfs2: handle inconsistent state in nilfs_btnode_create_block()

drm/amd/display: Add array index check for hdcp ddc access

drm/amd/display: Check gpio_id before used as array index

drm/amd/display: Check msg_id before processing transcation

sch/netem: fix use after free in netem_dequeue

ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

hwmon: (adc128d818) Fix underflows seen when writing limit attributes

hwmon: (lm95234) Fix underflows seen when writing limit attributes

hwmon: (nct6775-core) Fix underflows seen when writing limit attributes

hwmon: (w83627ehf) Fix underflows seen when writing limit attributes

apparmor: Fix null pointer deref when receiving skb during sock creation

media: pci: cx23885: check cx23885_vdev_init() return

drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'

media: i2c: et8ek8: Don't strip remove function when driver is builtin

xfs: fix log recovery buffer allocation for the legacy h_size fixup

filelock: Remove locks reliably when fcntl/close race is detected

scsi: qla2xxx: During vport delete send async logout explicitly

fou: remove warn in gue_gro_receive on unsupported protocol

Out of scope: RISC V architecture isn't supported for current kernel

f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

spi: nxp-fspi: fix the KASAN report out-of-bounds bug

dma-buf: heaps: Fix off-by-one in CMA heap fault handler

ASoC: meson: axg-card: fix 'use-after-free'

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

9p: add missing locking around taking dentry fid list

ocfs2: cancel dqi_sync_work before freeing oinfo

net/xen-netback: prevent UAF in xenvif_flush_hash()

wifi: ath11k: fix array out-of-bound access in SoC stats

fbdev: pxafb: Fix possible use after free in pxafb_task()

drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation

drm/amd/display: Fix index out of bounds in degamma hardware format translation

ext4: avoid use-after-free in ext4_ext_show_leaf()

ext4: fix slab-use-after-free in ext4_split_extent_at()

ext4: aovid use-after-free in ext4_ext_insert_extent()

ext4: fix double brelse() the buffer of the extents path

ocfs2: add bounds checking to ocfs2_xattr_find_entry()

wifi: rtw88: always wait for both firmware loading attempts

ext4: avoid OOB when system.data xattr changes underneath the filesystem

drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error

drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error

scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()

RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds

firmware_loader: Block path traversal

net: ethernet: lantiq_etop: fix memory disclosure

net: bridge: xmit: make sure we have at least eth header len bytes

tipc: guard against string buffer overrun

ALSA: asihpi: Fix potential OOB array access

ext4: no need to continue when the number of entries is 1

ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free

aoe: fix the potential use-after-free problem in more places

fbdev: sisfb: Fix strbuf array overflow

net: explicitly clear the sk pointer, when pf->create fails

drm/amd/display: Fix index out of bounds in DCN30 color transformation

mptcp: pm: Fix uaf in __timer_delete_sync

net: dpaa: Pad packets to ETH_ZLEN

jfs: fix out-of-bounds in dbNextAG() and diAlloc()

net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

ACPI: sysfs: validate return type of _STR method

jfs: Fix uaf in dbFreeBits

jfs: Fix uninit-value access of new_ea in ea_buffer

ppp: fix ppp_async_encode() illegal access

slip: make slhc_remember() more robust against malicious packets

media: venus: fix use after free bug in venus_remove due to race condition

nilfs2: fix potential oob read in nilfs_btree_check_delete()

ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition

vhost_vdpa: assign irq bypass producer token correctly

ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()

nfsd: return -EINVAL when namelen is 0

media: usbtv: Remove useless locks in usbtv_video_free()

RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

IB/core: Fix ib_cache_setup_one error flow cleanup

net: mana: Fix TX CQE error handling

s390 architecture is not supported

ARM related CVE

Affects only __init function for a built-in component, so patching will have no effect

usb: typec: tcpm: Check for port partner validity before consuming it

vfio/pci: fix potential memory leak in vfio_intx_enable()

ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()

gfs2: Fix NULL pointer dereference in gfs2_log_flush

Out of scope: s390 is not supported

Out of scope: s390 is not supported

gpio: prevent potential speculation leaks in gpio_device_get_desc()

selinux,smack: don't bypass permissions check in inode_setsecctx hook

netfilter: nft_socket: fix sk refcount leaks

USB: usbtmc: prevent kernel-usb-infoleak

wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead

wifi: iwlwifi: mvm: pause TCM when the firmware is stopped

mm: avoid leaving partial pfn mappings around in error case

vfs: fix race between evice_inodes() and find_inode()&iput()

tcp: check skb is non-NULL in tcp_rto_delta_us()

tcp: check skb is non-NULL in tcp_rto_delta_us()

nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()

nilfs2: determine empty node blocks as corrupted

block: fix potential invalid pointer dereference in blk_add_partition

jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error

ocfs2: reserve space for inline xattr before attaching reflink tree

ocfs2: remove unreasonable unlock in ocfs2_read_blocks

static_call: Replace pointless WARN_ON() in static_call_module_notify()

ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()

ACPI: battery: Fix possible crash when unregistering a battery hook

ocfs2: fix null-ptr-deref when journal load failed.

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

netfilter: nf_tables: prevent nf_skb_duplicated corruption

tpm: Clean up TPM space after command failure

RDMA/cxgb4: Added NULL check for lookup_atid

Out of scope: EFI libstub fix, running kernels not vulnerable.

f2fs: Require FMODE_WRITE for atomic write ioctls

btrfs: fix a NULL pointer dereference when failed to start a new trasacntion

btrfs: wait for fixup workers before stopping cleaner kthread during umount

tracing/timerlat: Fix a race during cpuhp processing

x86/sgx: Fix deadlock in SGX NUMA node search

vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()

RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency

RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency

Out of scope as the patch is for arm64 arch only, x86_64 not affected

Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()

Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init() (adaptation)

Out of scope, i.MX SoC is not supported

block, bfq: fix possible UAF for bfqq->bic with merge chain

can: bcm: Clear bo->bcm_proc_read after remove_proc_entry()

sock_map: Add a cond_resched() in sock_hash_free()

wifi: wilc1000: fix ies_len type in connect path

wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param

wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()

drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func

bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave()

RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled

nfsd: call cache_put if xdr_reserve_space returns NULL

padata: use integer wrap around to prevent deadlock on seq_nr overflow

resource: fix region_intersects() vs add_memory_driver_managed()

drm: omapdrm: Add missing check for alloc_ordered_workqueue

ext4: update orig_path in ext4_find_extent()

platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug

drm/amd/pm: ensure the fw_info is not null before using it

drm/amd/display: Initialize get_bytes_per_element's default to 1

drm/amd/display: Check stream before comparing them

[PATCH] thermal: intel: int340x: processor: Fix warning during module unload

[PATCH 1/1] bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers

[PATCH 1/1] netfilter: br_netfilter: fix panic with metadata_dst skb

[PATCH 1/1] drm/amd/display: Check null pointer before dereferencing se

[PATCH 1/1] RDMA/rtrs-srv: Avoid null pointer deref during path

[PATCH 1/1] RDMA/mad: Improve handling of timed out WRs of mad agent

[PATCH 1/1] nouveau/dmem: Fix vulnerability in migrate_to_ram upon

[PATCH 1/1] ceph: remove the incorrect Fw reference check when

[PATCH 1/1] virtio_pmem: Check device status before requesting flush

[PATCH 1/1] net: phy: dp83869: fix memory corruption when enabling

[PATCH 1/1] ext4: don't set SB_RDONLY after filesystem errors

nfsd: map the EBADMSG to nfserr_io to avoid warning

jfs: check if leafidx greater than num leaves per dmap tree

drm/amd/display: Check null pointers before using dc->clk_mgr

drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream

x86/ioapic: Handle allocation failures gracefully

blk_iocost: fix more out of bound shifts

Low-score CVE changes a kthread, which may prevent patching/unpatching

wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit

sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start

sctp: ensure sk_state is set to CLOSED if hashing fails in sctp_listen_start

ppp: do not assume bh is held in ppp_channel_bridge_input()

net: add more sanity checks to qdisc_pkt_len_init()

Input: adp5589-keys - fix NULL pointer dereference

[PATCH] NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()

[PATCH] NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()

When introduced by live-patching, patch causes more problems than it fixes. Complex adaptation required.

f2fs: get rid of online repaire on corrupted directory

uprobes: fix kernel info leak via "[uprobes]" vma

i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume

net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()

net/mlx5: Fix error path in multi-packet WQE transmit

drm/amd/display: Fix system hang while resume with TBT monitor

ext4: fix i_data_sem unlock order in ext4_ind_migrate()

wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()

wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()

[PATCH] static_call: Handle module init failure correctly in static_call_del_module()

exfat: fix memory leak in exfat_load_bitmap()

kthread: unpark only parked kthread

net: Fix an unsafe loop on the list

drm/v3d: Stop the active perfmon before being destroyed

igb: Do not bring the device up after non-fatal error

i40e: Fix macvlan leak by synchronizing access to mac_filter_hash

Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change

net/sched: accept TCA_STAB only for root qdisc

net/sched: accept TCA_STAB only for root qdisc

UBUNTU: [Config] Disable BlueZ highspeed support

ax25: Fix refcount imbalance on inbound connections

net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

media: mtk-vcodec: potential null pointer deference in SCP

Bluetooth: SCO: Fix not validating setsockopt user input

Bluetooth: RFCOMM: Fix not validating setsockopt user

Bluetooth: L2CAP: Fix not validating setsockopt user input

Bluetooth: hci_sock: Fix not validating setsockopt user input

net: fec: remove .ndo_poll_controller to avoid deadlocks

net: fec: remove .ndo_poll_controller to avoid deadlocks

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing

smb: client: set correct id, uid and cruid for multiuser automounts

net: sched: fix ordering of qlen adjustment

netfilter: ipset: add missing range check in bitmap_ip_uadt

hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer

blk-cgroup: Fix UAF in blkcg_unpin_online()

blk-cgroup: Fix UAF in blkcg_unpin_online()

parport: Proper fix for array out-of-bounds access

mptcp: pm: only decrement add_addr_accepted for MPJ req

mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow

ax25: fix use-after-free bugs caused by ax25_ds_del_timer

RDMA/bnxt_re: Add a check for memory allocation

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

tracing: Consider the NULL character when validating the event length

net: sched: fix use-after-free in taprio_change()

udf: fix uninit-value use in udf_get_fileshortad

smb: client: fix OOBs when building SMB2_IOCTL request

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

fs/ntfs3: Check if more than chunk-size bytes are written

wifi: iwlegacy: Clear stale interrupts before resuming device

dm cache: fix out-of-bounds access to the dirty bitset when resizing

dm cache: optimize dirty bit checking with find_next_bit when resizing

dm cache: fix potential out-of-bounds access on the first resume

net: do not delay dst_entries_add() in dst_release()

usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()

security/keys: fix slab-out-of-bounds in key_task_permission

wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()

bpf: Fix out-of-bounds write in trie_get_next_key()

nilfs2: fix kernel bug due to missing clearing of checked flag

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

usb: musb: sunxi: Fix accessing an released usb phy

USB: serial: io_edgeport: fix use after free in debug printk

tcp: fix mptcp DSS corruption due to large pmtu xmit

media: s5p-jpeg: prevent buffer overflows

The fix for this CVE was reverted in upstream Ubuntu kernel by the following commit (b0feddb6759a) Revert "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()"

netfilter: Fix use-after-free in get_info()

KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()

drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)

closures: Change BUG_ON() to WARN_ON()

ibmvnic: Add tx check to prevent skb leak

netfilter: nft_payload: sanitize offset and length before calling skb_checksum()

drm/i915: Fix potential context UAFs

io_uring: fix possible deadlock in io_register_iowq_max_workers()

HID: core: zero-initialize the report buffer

dm-crypt, dm-verity: disable tasklets

dm-crypt, dm-verity: disable tasklets (adaptation)

arm64: probes: Remove broken LDR (literal) uprobe support

iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices

blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race

exec: don't WARN for racy path_noexec check

xfrm: fix one more kernel-infoleak in algo dumping

serial: protect uart_port_dtr_rts() in uart_shutdown() too

ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()

Out of scope: x86 architecture isn't supported for current kernel

nilfs2: fix kernel bug due to missing clearing of buffer delay flag

ice: Add a per-VF limit on number of FDIR filters

ice: Add a per-VF limit on number of FDIR filters (adaptation)

ALSA: hda/cs8409: Fix possible NULL dereference

scsi: target: core: Fix null-ptr-deref in target_alloc_device()

Bluetooth: bnep: fix wild-memory-access in proto_unregister

Bluetooth: bnep: fix wild-memory-access in proto_unregister kpatch

drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA

drm/amd: Guard against bad data for ATIF ACPI method

xfrm: validate new SA's prefixlen using SA family when sel.family is unset

ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context

[PATCH] ACPI: PRM: Remove unnecessary strict handler address checks

[PATCH] drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported

be2net: fix potential memory leak in be_xmit()

net/sun3_82586: fix potential memory leak in sun3_82586_send_packet()

net: systemport: fix potential memory leak in bcm_sysport_xmit()

secretmem: disable memfd_secret() if arch cannot set direct map

arm64: Low-score CVE requiring adaptation that is hard to implement; targets very rare hardware

posix-clock: Fix missing timespec64 check in pc_clock_settime()

posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()

pinctrl: ocelot: fix system hang on level based interrupts

iio: light: veml6030: fix IIO device retrieval from embedded device

mm/swapfile: skip HugeTLB pages for unuse_vma

drm/radeon: Fix encoder->possible_clones

nilfs2: propagate directory read errors from nilfs_find_entry()

RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages

ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()

wifi: ath10k: Fix memory leak in management tx

staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()

iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr()

nilfs2: fix potential deadlock with newly created symlinks

ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow

netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()

fs/ntfs3: Fix possible deadlock in mi_read

fs/ntfs3: Additional check in ni_clear()

wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower

ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove

media: cx24116: prevent overflows on SNR calculus

btrfs: reinitialize delayed ref list after deleting it from the list

ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()

[PATCH 2/2] bpf: devmap: provide rxq after redirect

[PATCH 1/2] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap

[PATCH 1/2] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap

net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data

net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data

wifi: iwlwifi: mvm: fix 6 GHz scan construction

sctp: properly validate chunk size in sctp_sf_ootb()

net: hns3: fix kernel crash when uninstalling driver

The ndev->dev.parent mappings cannot be changed to ndev->dev.parent and driver is broken already

media: dvbdev: prevent the risk of out of memory access

io_uring/rw: fix missing NOWAIT check for O_DIRECT start write

io_uring/rw: fix missing NOWAIT check for O_DIRECT start write

nfs: Fix KMSAN warning in decode_getfattr_attrs()

fs: Fix uninitialized value issue in from_kuid and from_kgid

cifs: Fix buffer overflow when parsing NFS reparse points

driver core: bus: Fix double free in driver API bus_register()

spi: mpc52xx: Add cancel_work_sync before module remove

crypto: hisilicon/qm - inject error before stopping queue

media: xc2028: avoid use-after-free in load_firmware_cb()

fs/ntfs3: Additional check in ntfs_file_release

nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()

bpf: fix OOB devmap writes when deleting elements

xsk: fix OOB map writes when deleting elements

af_packet: avoid erroring out after sock_init_data() in packet_create()

Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

net: af_can: do not leave a dangling sk pointer in can_create()

net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()

net: inet: do not leave a dangling sk pointer in inet_create()

ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write

btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount

ila: serialize calls to nf_register_net_hooks()

pktgen: Avoid out-of-bounds access in get_imix_entries

vfio/platform: check the bounds of read/write syscalls

net: sched: fix ets qdisc OOB Indexing

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

ocfs2: fix uninitialized value in ocfs2_file_read_iter()

netfilter: x_tables: fix LED ID check in led_tg_check()

arm64/sve: Discard stale CPU state when handling SVE traps

acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl

ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read

ksmbd: fix a missing return value check bug

iio: pressure: zpa2326: fix information leak in triggered buffer

iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer

iio: light: vcnl4035: fix information leak in triggered buffer

iio: imu: kmx61: fix information leak in triggered buffer

iio: adc: ti-ads8688: fix information leak in triggered buffer

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

iio: adc: rockchip_saradc: fix information leak in triggered buffer

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

Out of scope: SuperH arch not supported.

arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL

i3c: mipi-i3c-hci: Mask ring interrupts before ring stop request

i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock

drm/amd/display: Check BIOS images before it is used

exfat: fix potential deadlock on __exfat_get_dentry_set

RDMA/rtrs: Ensure 'ib_sge list' is accessible

jfs: Fix shift-out-of-bounds in dbDiscardAG

soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()

bpf: Fix bpf_sk_select_reuseport() memory leak

gtp: Destroy device along with udp socket's netns dismantle.

gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().

drm/v3d: Ensure job pointer is set to NULL after job completion

drm/v3d: Assign job pointer to NULL before signaling the fence

vsock/virtio: discard packets if the transport changes

gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag

scsi: storvsc: Ratelimit warning logs to prevent VM denial of service

USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()

Bluetooth: L2CAP: Fix uaf in l2cap_connect

Bluetooth: hci_core: Fix calling mgmt_device_connected

hrtimers: Handle CPU state correctly on hotplug

hrtimers: Handle CPU state correctly on hotplug

EDAC/bluefield: Fix potential integer overflow

firmware: arm_scpi: Check the DVFS OPP count returned by the firmware

vfio/pci: Properly hide first-in-list PCIe extended capability

xen: Fix the issue of resource not being properly released in xenbus_dev_probe()

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

ALSA: usb-audio: Fix a DMA to stack memory bug

Out of scope: User-mode Linux isn't supported

Out of scope: User-mode Linux isn't supported for current kernel

Out of scope: User-mode Linux isn't supported for current kernel

ALSA: pcm: Add sanity NULL check for the default mmap fault handler

ubi: fastmap: Fix duplicate slab cache names while attaching

EDAC/igen6: Avoid segmentation fault on module unload

powerpc: arch is not supported

9p/xen: fix release of IRQ

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

net/smc: fix LGR and link use-after-free issue

jffs2: Prevent rtime decompress memory corruption

btrfs: fix use-after-free when COWing tree bock and tracing is enabled

ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv

scsi: sg: Fix slab-use-after-free read in sg_release()

ksmbd: fix user-after-free from session log off

ksmbd: fix user-after-free from session log off

ksmbd: fix racy issue from session lookup and expire

btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc()

dma-debug: fix a possible deadlock on radix_lock

net/smc: check smcd_v2_ext_offset when receiving proposal msg

ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()

bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again

net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg

net: dsa: improve shutdown sequence

ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()

netfilter: conntrack: clamp maximum hashtable size to INT_MAX

afs: Fix the maximum cell name length

dm thin: make get_first_thin use rcu-safe list first function

sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy

sctp: sysctl: rto_min/max: avoid using current->nsproxy

sctp: sysctl: auth_enable: avoid using current->nsproxy

sctp: sysctl: udp_port: avoid using current->nsproxy

vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]

filemap: avoid truncating 64-bit offset to 32 bits

net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute

net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute (adaptation)

drm/amdkfd: Correct the migration DMA map direction

mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()

usb: gadget: f_fs: Remove WARN_ON in functionfs_bind

Out of scope: ARM architecture isn't supported for current kernel

mptcp: fix TCP options overflow.

brd: remove brd_devices_mutex mutex

brd: defer automatic disk creation until module initialization succeeds

drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX

hfsplus: don't query the device logical block size multiple times

hfsplus: don't query the device logical block size multiple times

igb: Fix potential invalid memory access in igb_init_module()

ocfs2: uncache inode which has failed entering the group

mm: fix NULL pointer dereference in alloc_pages_bulk_noprof

virtio/vsock: Fix accept_queue memory leak

net/mlx5e: CT: Fix null-ptr-deref in add rule err flow

net/mlx5: fs, lock FTE when checking if active

mptcp: cope racing subflow creation in mptcp_rcv_space_adjust

net: fix data-races around sk->sk_forward_alloc

pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking

pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking (adaptation)

RDMA/uverbs: Prevent integer overflow issue

net: restrict SO_REUSEPORT to inet sockets

ALSA: 6fire: Release resources at card release

Bluetooth: fix use-after-free in device_for_each_child()

Bluetooth: fix use-after-free in device_for_each_child()

scsi: bfa: Fix use-after-free in bfad_im_module_exit()

btrfs: ref-verify: fix use-after-free after invalid ref action

nfsd: make sure exp active before svc_export_show

net: inet6: do not leave a dangling sk pointer in inet6_create()

jfs: array-index-out-of-bounds fix in dtReadFirst

jfs: fix array-index-out-of-bounds in jfs_readdir

jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree

net: defer final 'struct net' free in netns dismantle

net: defer final 'struct net' free in netns dismantle

smb: client: fix potential UAF in smb2_is_valid_lease_break()

smb: client: fix potential UAF in cifs_debug_files_proc_show()

drm/dp_mst: Skip CSN if topology probing is not done yet

drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()

net: avoid race between device unregistration and ethnl ops

watch_queue: Use the bitmap API when applicable

ntfs3: Add bounds checking to mi_enum_attr()

fs/ntfs3: Sequential field availability check in mi_enum_attr()

iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()

can: hi311x: hi3110_can_ist(): fix potential use-after-free

ELF: fix kernel.randomize_va_space double read

net: sched: Disallow replacing of child qdisc from one parent to another

pfifo_tail_enqueue: Drop new packet when sch->limit == 0

netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

vsock: Keep the binding until socket destruction

vsock: Orphan socket after transport release

net: bridge: switchdev: Skip MDB replays of deferred events on offload

net: bridge: switchdev: Skip MDB replays of deferred events on offload (adapatation)

netfilter: allow exp not to be removed in nf_ct_find_expectation

net: atlantic: eliminate double free in error handling logic

net: rose: fix timer races against user threads

soc: qcom: socinfo: Avoid out of bounds read of serial number

orangefs: fix a oob in orangefs_debug_write

wifi: iwlwifi: limit printed string from FW file