net: qcom/emac: fix UAF in emac_remove

proc/vmcore: let pfn_is_ram() return a bool

proc/vmcore: fix clearing user buffer by properly using clear_user()

bnxt: prevent skb UAF after handing over to PTP worker

NFSD: Fix the behavior of READ near OFFSET_MAX

NFSD: Fix ia_size underflow

NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes

uio: Fix use-after-free in uio_open

gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump

tcp: do not accept ACK of bytes we never sent

SUNRPC: Fix UAF in svc_tcp_listen_data_ready()

VFIO: Add the SPR_DSA and SPR_IAX devices to the

mlxsw: spectrum_acl_tcam: Fix memory leak when

rtnetlink: Correct nested IFLA_VF_VLAN_LIST

net: fix __dst_negative_advice() race

ionic: clean interrupt before enabling queue to avoid credit race

ionic: fix use after netif_napi_del()

tap: add missing verification for short frame

tun: add missing verification for short frame

ipc/mqueue.c: remove duplicated code

ipc/mqueue.c: update/document memory barriers

ipc/msg.c: update and document memory barriers

ipc/sem.c: document and update memory barriers

ipc/mqueue, msg, sem: avoid relying on a stack reference past its expiry

mISDN: fix possible use-after-free in HFC_cleanup()

mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq

isdn: mISDN: Fix sleeping function called from invalid context

KVM: x86: nSVM: fix potential NULL derefernce on nested migration

perf: Fix list corruption in perf_cgroup_switch()

smb: client: fix potential OOBs in

smb: client: fix parsing of SMB3.1.1 POSIX create

net/sched: act_ct: fix skb leak and crash on ooo frags

platform/x86: wmi: Fix opening of char device

wifi: iwlwifi: dbg-tlv: ensure NUL termination

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

tcp: Use refcount_inc_not_zero() in tcp_twsk_unique()

wifi: nl80211: don't free NULL coalescing rule

gfs2: Remove ill-placed consistency check

gfs2: simplify gdlm_put_lock with out_free label

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

iommu: Fix potential use-after-free during probe

cxgb4: avoid accessing registers when clearing filters

nvme-rdma: destroy cm id before destroy qp to avoid use after free

mm/slub: fix to return errno if kmalloc() fails

bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE

r8169: Fix possible ring buffer corruption on fragmented Tx packets

xfs: add bounds checking to xlog_recover_process_data

userfaultfd: fix a race between writeprotect and exit_mmap()

hv_netvsc: Fix race condition between netvsc_probe and netvsc_remove

Squashfs: check the inode number is not the invalid

vt: fix unicode buffer corruption when deleting

mm, thp: bail out early in collapse_file for writeback page

ipv6: sr: fix out-of-bounds read when setting HMAC data

virtio-net: Add validation for used length

netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()

netfilter: nf_tables: Fix potential data-race in

netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()

ext4: fix double-free of blocks due to wrong

ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()

ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

cgroup: cgroup_get_from_id() must check the looked-up kn is a directory

exit: Use the correct exit_code in /proc/<pid>/stat

fs/proc: do_task_stat: use __for_each_thread()

fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand()

fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats

mptcp: ensure snd_nxt is properly initialized on connect

wifi: mac80211: Avoid address calculations via out of bounds array indexing

netfilter: tproxy: bail out if IP has been disabled

af_unix: Fix garbage collector racing against connect()

KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache

Fixed function sleeps and executed in kthread, which may prevent patching/unpatching. Low score CVE.

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create

drm/amdgpu: fix use-after-free bug

mptcp: pm: Fix uaf in __timer_delete_sync

scsi: mpt3sas: Fix use-after-free warning

vsock: remove vsock from connected table when connect is interrupted by a signal

gro: fix ownership transfer

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

cifs: Return correct error code from smb2_get_enc_key

can: bcm: Fix UAF in bcm_proc_show()

HID: core: zero-initialize the report buffer

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

ALSA: usb-audio: Fix a DMA to stack memory bug

ALSA: usb-audio: add minimal macros for __free(kfree) to work

Out of scope: ARM64 architecture isn't supported for current kernel

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

netfilter: ipset: add missing range check in bitmap_ip_uadt

Postponed: complex analysis and adaptation required

tipc: fix use-after-free Read in tipc_named_reinit

ndisc: use RCU protection in ndisc_alloc_skb()

scsi: libfc: Fix use after free in fc_exch_abts_resp()

dm ioctl: prevent potential spectre v1 gadget

Bluetooth: Fix use after free in hci_send_acl

udf: Fix a slab-out-of-bounds write bug in udf_find_entry()

cifs: potential buffer overflow in handling symlinks

Out of scope: User-mode Linux isn't supported for current kernel

net: atm: fix use after free in lec_send()

wifi: iwlwifi: limit printed string from FW file

ext4: ignore xattrs past end

misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

ext4: avoid resizing to a partial cluster size

drivers:md:fix a potential use-after-free bug

media: uvcvideo: Fix double free in error path

media: uvcvideo: Remove s_ctrl and g_ctrl

media: uvcvideo: Remove s_ctrl and g_ctrl

media: uvcvideo: Set error_idx during ctrl_commit errors

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

padata: fix UAF in padata_reorder

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

ext4: fix off-by-one error in do_split

Complex adaptation required. Low impact CVE

net: ch9200: fix uninitialised access during mii_nway_restart

i2c/designware: Fix an initialization issue

can: peak_usb: fix use after free bugs

sch_hfsc: make hfsc_qlen_notify() idempotent

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

crypto: algif_hash - fix double free in hash_accept

ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead

Bluetooth: hci_core: Fix use-after-free in vhci_flush()

sch_qfq: make qfq_qlen_notify() idempotent

sch_cbq: make cbq_qlen_notify() idempotent

sch_htb: make htb_qlen_notify() idempotent

sch_htb: make htb_deactivate() idempotent

sch_ets: make est_qlen_notify() idempotent

sch_drr: make drr_qlen_notify() idempotent

net/sched: Always pass notifications when child class becomes empty

mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

scsi: lpfc: Use memcpy() for BIOS version

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

tipc: Fix use-after-free in tipc_conn_close().

md-raid10: fix KASAN warning

ipv6: mcast: extend RCU protection in igmp6_send()

ipv6: mcast: extend RCU protection in igmp6_send()

udp: Fix memory accounting leak.

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

net/sched: sch_qfq: Fix race condition on qfq_aggregate

net/sched: sch_qfq: Fix race condition on qfq_aggregate

smb: client: fix use-after-free in cifs_oplock_break

drm/amd/display: clear optc underflow before turn off odm clock

bpf: Don't use tnum_range on array range checking for poke descriptors

Out of scope: not affected

ALSA: bcd2000: Fix a UAF bug on the error path of probing

net_sched: ets: Fix double list add in class with netem as child qdisc

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

requires a very complex adaptation

vsock: Fix transport_* TOCTOU

vsock: Fix transport_* TOCTOU

use uniform permission checks for all mount propagation changes

Not affected: issue introduced since 4.18.0-477.*

Bluetooth: L2CAP: Fix use-after-free

net: usb: smsc75xx: Limit packet length to skb->len

net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

HID: core: Harden s32ton() against conversion to 0 bits

HID: core: fix shift-out-of-bounds in hid_report_raw_event

Out of scope: not affected

RDMA/irdma: Fix a window for use-after-free

KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0

net_sched: hfsc: Fix a UAF vulnerability in class handling

ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control

mptcp: do not queue data on closed subflows

tty: keyboard, do not speculate on func_table index

tty/vt: fix write/write race in ioctl(KDSKBSENT)

vt: keyboard, simplify vt_kdgkbsent

vt: keyboard, extend func_buf_lock to readers

vt: keyboard, rename i to kb_func in vt_do_kdgkb_ioctl

vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl

wifi: mac80211: don't return unset power in ieee80211_get_tx_power()

mptcp: cope racing subflow creation in mptcp_rcv_space_adjust