blk-cgroup: Fix UAF in blkcg_unpin_online()

blk-cgroup: Fix UAF in blkcg_unpin_online()

parport: Proper fix for array out-of-bounds access

mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow

ax25: fix use-after-free bugs caused by ax25_ds_del_timer

RDMA/bnxt_re: Add a check for memory allocation

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

tracing: Consider the NULL character when validating the event length

net: sched: fix use-after-free in taprio_change()

udf: fix uninit-value use in udf_get_fileshortad

smb: client: fix OOBs when building SMB2_IOCTL request

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

fs/ntfs3: Check if more than chunk-size bytes are written

wifi: iwlegacy: Clear stale interrupts before resuming device

dm cache: fix out-of-bounds access to the dirty bitset when resizing

dm cache: optimize dirty bit checking with find_next_bit when resizing

dm cache: fix potential out-of-bounds access on the first resume

net: do not delay dst_entries_add() in dst_release()

usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()

security/keys: fix slab-out-of-bounds in key_task_permission

wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()

bpf: Fix out-of-bounds write in trie_get_next_key()

nilfs2: fix kernel bug due to missing clearing of checked flag

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

usb: musb: sunxi: Fix accessing an released usb phy

USB: serial: io_edgeport: fix use after free in debug printk

tcp: fix mptcp DSS corruption due to large pmtu xmit

media: s5p-jpeg: prevent buffer overflows

The fix for this CVE was reverted in upstream Ubuntu kernel by the following commit (b0feddb6759a) Revert "drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()"

netfilter: Fix use-after-free in get_info()

KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()

drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)

closures: Change BUG_ON() to WARN_ON()

ibmvnic: Add tx check to prevent skb leak

netfilter: nft_payload: sanitize offset and length before calling skb_checksum()

drm/i915: Fix potential context UAFs

io_uring: fix possible deadlock in io_register_iowq_max_workers()

HID: core: zero-initialize the report buffer

dm-crypt, dm-verity: disable tasklets

dm-crypt, dm-verity: disable tasklets (adaptation)

arm64: probes: Remove broken LDR (literal) uprobe support

iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices

blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race

exec: don't WARN for racy path_noexec check

xfrm: fix one more kernel-infoleak in algo dumping

serial: protect uart_port_dtr_rts() in uart_shutdown() too

ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()

Out of scope: x86 architecture isn't supported for current kernel

nilfs2: fix kernel bug due to missing clearing of buffer delay flag

ice: Add a per-VF limit on number of FDIR filters

ice: Add a per-VF limit on number of FDIR filters (adaptation)

ALSA: hda/cs8409: Fix possible NULL dereference

scsi: target: core: Fix null-ptr-deref in target_alloc_device()

Bluetooth: bnep: fix wild-memory-access in proto_unregister

Bluetooth: bnep: fix wild-memory-access in proto_unregister kpatch

drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA

drm/amd: Guard against bad data for ATIF ACPI method

xfrm: validate new SA's prefixlen using SA family when sel.family is unset

ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context

[PATCH] ACPI: PRM: Remove unnecessary strict handler address checks

[PATCH] drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported

be2net: fix potential memory leak in be_xmit()

net/sun3_82586: fix potential memory leak in sun3_82586_send_packet()

net: systemport: fix potential memory leak in bcm_sysport_xmit()

secretmem: disable memfd_secret() if arch cannot set direct map

arm64: Low-score CVE requiring adaptation that is hard to implement; targets very rare hardware

posix-clock: Fix missing timespec64 check in pc_clock_settime()

posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime()

pinctrl: ocelot: fix system hang on level based interrupts

iio: light: veml6030: fix IIO device retrieval from embedded device

mm/swapfile: skip HugeTLB pages for unuse_vma

drm/radeon: Fix encoder->possible_clones

nilfs2: propagate directory read errors from nilfs_find_entry()

RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages

ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()

wifi: ath10k: Fix memory leak in management tx

staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()

iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr()

nilfs2: fix potential deadlock with newly created symlinks

ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow

netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write()

fs/ntfs3: Fix possible deadlock in mi_read

fs/ntfs3: Additional check in ni_clear()

wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower

ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove

media: cx24116: prevent overflows on SNR calculus

media: v4l2-tpg: prevent the risk of a division by zero

btrfs: reinitialize delayed ref list after deleting it from the list

ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()

[PATCH 2/2] bpf: devmap: provide rxq after redirect

[PATCH 1/2] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap

[PATCH 1/2] bpf: Make sure internal and UAPI bpf_redirect flags don't overlap

net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data

net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data

wifi: iwlwifi: mvm: fix 6 GHz scan construction

sctp: properly validate chunk size in sctp_sf_ootb()

net: hns3: fix kernel crash when uninstalling driver

The ndev->dev.parent mappings cannot be changed to ndev->dev.parent and driver is broken already

media: dvbdev: prevent the risk of out of memory access

io_uring/rw: fix missing NOWAIT check for O_DIRECT start write

io_uring/rw: fix missing NOWAIT check for O_DIRECT start write

nfs: Fix KMSAN warning in decode_getfattr_attrs()

fs: Fix uninitialized value issue in from_kuid and from_kgid

ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_init_flow()

mptcp: handle consistently DSS corruption

clk: Add a devm variant of clk_rate_exclusive_get()

clk: Provide !COMMON_CLK dummy for devm_clk_rate_exclusive_get()

i2c: lpi2c: Avoid calling clk_get_rate during transfer

i2c: lpi2c: Avoid calling clk_get_rate during transfer (adaptation)

i40e: fix race condition by adding filter's intermediate sync state

i40e: fix race condition by adding filter's intermediate sync state

cifs: Fix buffer overflow when parsing NFS reparse points

driver core: bus: Fix double free in driver API bus_register()

spi: mpc52xx: Add cancel_work_sync before module remove

crypto: hisilicon/qm - inject error before stopping queue

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

media: xc2028: avoid use-after-free in load_firmware_cb()

fs/ntfs3: Additional check in ntfs_file_release

nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()

bpf: fix OOB devmap writes when deleting elements

xsk: fix OOB map writes when deleting elements

af_packet: avoid erroring out after sock_init_data() in packet_create()

Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

net: af_can: do not leave a dangling sk pointer in can_create()

net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()

net: inet: do not leave a dangling sk pointer in inet_create()

ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write

btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount

ila: serialize calls to nf_register_net_hooks()

block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()

pktgen: Avoid out-of-bounds access in get_imix_entries

vfio/platform: check the bounds of read/write syscalls

net: sched: fix ets qdisc OOB Indexing

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

ocfs2: fix uninitialized value in ocfs2_file_read_iter()

netfilter: x_tables: fix LED ID check in led_tg_check()

arm64/sve: Discard stale CPU state when handling SVE traps

acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl

ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read

ksmbd: fix a missing return value check bug

iio: pressure: zpa2326: fix information leak in triggered buffer

iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer

iio: light: vcnl4035: fix information leak in triggered buffer

iio: imu: kmx61: fix information leak in triggered buffer

iio: adc: ti-ads8688: fix information leak in triggered buffer

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

iio: adc: rockchip_saradc: fix information leak in triggered buffer

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

Out of scope: SuperH arch not supported.

arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL

i3c: mipi-i3c-hci: Mask ring interrupts before ring stop request

i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock

drm/amd/display: Check BIOS images before it is used

exfat: fix potential deadlock on __exfat_get_dentry_set

RDMA/rtrs: Ensure 'ib_sge list' is accessible

jfs: Fix shift-out-of-bounds in dbDiscardAG

soc: qcom: geni-se: fix array underflow in geni_se_clk_tbl_get()

bpf: Fix bpf_sk_select_reuseport() memory leak

gtp: Destroy device along with udp socket's netns dismantle.

drm/v3d: Ensure job pointer is set to NULL after job completion

drm/v3d: Assign job pointer to NULL before signaling the fence

fs/proc: fix softlockup in __read_vmcore (part 2)

vsock/virtio: discard packets if the transport changes

gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag

scsi: storvsc: Ratelimit warning logs to prevent VM denial of service

USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()

Bluetooth: L2CAP: Fix uaf in l2cap_connect

Bluetooth: hci_core: Fix calling mgmt_device_connected

hrtimers: Handle CPU state correctly on hotplug

hrtimers: Handle CPU state correctly on hotplug

EDAC/bluefield: Fix potential integer overflow

firmware: arm_scpi: Check the DVFS OPP count returned by the firmware

vfio/pci: Properly hide first-in-list PCIe extended capability

xen: Fix the issue of resource not being properly released in xenbus_dev_probe()

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

ALSA: usb-audio: Fix a DMA to stack memory bug

Out of scope: User-mode Linux isn't supported

Out of scope: User-mode Linux isn't supported for current kernel

Out of scope: User-mode Linux isn't supported for current kernel

ALSA: pcm: Add sanity NULL check for the default mmap fault handler

ubi: fastmap: Fix duplicate slab cache names while attaching

EDAC/igen6: Avoid segmentation fault on module unload

powerpc: arch is not supported

9p/xen: fix release of IRQ

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

net/smc: fix LGR and link use-after-free issue

jffs2: Prevent rtime decompress memory corruption

btrfs: fix use-after-free when COWing tree bock and tracing is enabled

ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv

scsi: sg: Fix slab-use-after-free read in sg_release()

ksmbd: fix user-after-free from session log off

ksmbd: fix user-after-free from session log off

ksmbd: fix racy issue from session lookup and expire

btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc()

dma-debug: fix a possible deadlock on radix_lock

net/smc: check smcd_v2_ext_offset when receiving proposal msg

ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()

bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again

net/smc: check iparea_offset and ipv6_prefixes_cnt when receiving proposal msg

net: dsa: improve shutdown sequence

ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()

netfilter: conntrack: clamp maximum hashtable size to INT_MAX

afs: Fix the maximum cell name length

dm thin: make get_first_thin use rcu-safe list first function

sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy

sctp: sysctl: rto_min/max: avoid using current->nsproxy

sctp: sysctl: auth_enable: avoid using current->nsproxy

sctp: sysctl: udp_port: avoid using current->nsproxy

vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]

filemap: avoid truncating 64-bit offset to 32 bits

net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute

net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute (adaptation)

af_packet: fix vlan_get_tci() vs MSG_PEEK

drm/amdkfd: Correct the migration DMA map direction

mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim()

usb: gadget: f_fs: Remove WARN_ON in functionfs_bind

Out of scope: ARM architecture isn't supported for current kernel

mptcp: fix TCP options overflow.

brd: remove brd_devices_mutex mutex

brd: defer automatic disk creation until module initialization succeeds

drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX

drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX

hfsplus: don't query the device logical block size multiple times

hfsplus: don't query the device logical block size multiple times

igb: Fix potential invalid memory access in igb_init_module()

ocfs2: uncache inode which has failed entering the group

mm: fix NULL pointer dereference in alloc_pages_bulk_noprof

virtio/vsock: Fix accept_queue memory leak

net/mlx5e: CT: Fix null-ptr-deref in add rule err flow

net/mlx5: fs, lock FTE when checking if active

mptcp: cope racing subflow creation in mptcp_rcv_space_adjust

net: fix data-races around sk->sk_forward_alloc

Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K"

pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking

pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking (adaptation)

RDMA/uverbs: Prevent integer overflow issue

net: restrict SO_REUSEPORT to inet sockets

ALSA: 6fire: Release resources at card release

Bluetooth: fix use-after-free in device_for_each_child()

Bluetooth: fix use-after-free in device_for_each_child()

scsi: bfa: Fix use-after-free in bfad_im_module_exit()

btrfs: ref-verify: fix use-after-free after invalid ref action

nfsd: make sure exp active before svc_export_show

net: inet6: do not leave a dangling sk pointer in inet6_create()

jfs: array-index-out-of-bounds fix in dtReadFirst

jfs: fix array-index-out-of-bounds in jfs_readdir

jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree

af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK

af_packet: fix vlan_get_protocol_dgram() vs MSG_PEEK (adaptation)

net/ipv6: release expired exception dst cached in socket

bpf: sync_linked_regs() must preserve subreg_def

topology: Keep the cpumask unchanged when printing cpumap

drm/amd/display: Add check for granularity in dml ceil/floor helpers

dm array: fix releasing a faulty array block twice in dm_array_cursor_end

selinux: ignore unknown extended permissions

net/sctp: Prevent autoclose integer overflow in sctp_association_init()

Out of scope: RISC V architecture isn't supported for current kernel

exfat: fix the infinite loop in exfat_readdir()

virtio-blk: don't keep queue frozen during system suspend

mac802154: check local interfaces before deleting sdata list

sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy

drm/rockchip: vop: Fix a dereferenced before check warning

nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint

nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint

svcrdma: Address an integer overflow

comedi: Flush partial mappings in error case

NFSD: Prevent a potential integer overflow

Out of scope: User-mode Linux isn't supported

net/mlx5e: kTLS, Fix incorrect page refcounting

[PATCH] netlink: terminate outstanding dump on socket close

net: defer final 'struct net' free in netns dismantle

net: defer final 'struct net' free in netns dismantle

smb: client: fix potential UAF in smb2_is_valid_lease_break()

smb: client: fix potential UAF in cifs_debug_files_proc_show()

drm/dp_mst: Skip CSN if topology probing is not done yet

drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()

net: avoid race between device unregistration and ethnl ops

watch_queue: Use the bitmap API when applicable

ntfs3: Add bounds checking to mi_enum_attr()

fs/ntfs3: Sequential field availability check in mi_enum_attr()

iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()

can: hi311x: hi3110_can_ist(): fix potential use-after-free

ELF: fix kernel.randomize_va_space double read

net: sched: Disallow replacing of child qdisc from one parent to another

pfifo_tail_enqueue: Drop new packet when sch->limit == 0

netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

vsock: Keep the binding until socket destruction

vsock: Orphan socket after transport release

net: bridge: switchdev: Skip MDB replays of deferred events on offload

net: bridge: switchdev: Skip MDB replays of deferred events on offload (adapatation)

netfilter: allow exp not to be removed in nf_ct_find_expectation

net: atlantic: eliminate double free in error handling logic

net: rose: fix timer races against user threads

soc: qcom: socinfo: Avoid out of bounds read of serial number

orangefs: fix a oob in orangefs_debug_write

wifi: iwlwifi: limit printed string from FW file

padata: fix UAF in padata_reorder

padata: avoid UAF for reorder_work

padata: avoid UAF for reorder_work

Out of scope; patch fixes the memory controller module for Nvidia Tegra SoCs.

rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read

The DM9000 chip is available on ARM32 and MIPS architectures, which KernelCare does not support.

media: uvcvideo: Fix double free in error path

usb: gadget: f_tcm: Don't free command immediately

KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()

nilfs2: do not force clear folio if buffer is referenced

PPS for embedded GPS devices. Irrelevant for servers.

nbd: don't allow reconnect after disconnect

btrfs: fix use-after-free when attempting to join an aborted transaction

NFC: nci: Add bounds checking in nci_hci_create_pipe()

Out of scope: ARM64 architecture isn't supported for current kernel

ndisc: use RCU protection in ndisc_alloc_skb()

neighbour: use RCU protection in __neigh_notify()

arp: use RCU protection in arp_xmit()

openvswitch: use RCU protection in ovs_vport_cmd_fill_info()

ndisc: extend RCU protection in ndisc_send_skb()

nfsd: clear acl_access/acl_default after releasing them

vrf: use RCU protection in l3mdev_l3_out()

vrf: use RCU protection in l3mdev_l3_out()

nilfs2: protect access to buffers with no active references

geneve: Fix use-after-free in geneve_find_dev().

ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

rapidio: fix an API misues when rio_add_net() fails

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

Squashfs: check the inode number is not the invalid value of zero

x86/CPU/AMD: Terminate the erratum_1386_microcode array

HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections

rdma/cxgb4: Prevent potential integer overflow on 32bit

usb: xhci: Fix NULL pointer dereference on certain command aborts

ocfs2: handle a symlink read error correctly

media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread

f2fs: fix to wait dio completion

tpm: Change to kvalloc() in eventlog/acpi.c

wifi: ath10k: avoid NULL pointer error during sdio remove

vlan: enforce underlying device type

vlan: enforce underlying device type

ftrace: Avoid potential division by zero in function_stat_show()

Out of scope: not affected

wifi: cfg80211: regulatory: improve invalid hints checking

wifi: nl80211: reject cooked mode if it is set along with other flags

caif_virtio: fix wrong pointer check in cfv_probe()

llc: do not use skb_get() before dev_queue_xmit()

ppp: Fix KMSAN uninit-value warning with bpf

usb: renesas_usbhs: Flush the notify_hotplug_work

usb: atm: cxacru: fix a flaw in existing endpoint checks

slimbus: messaging: Free transaction ID in delayed interrupt scenario

[PATCH] media: uvcvideo: Only save async fh if success

[PATCH] media: uvcvideo: Remove dangling pointers

[PATCH] media: uvcvideo: Remove dangling pointers

memcg: fix soft lockup in the OOM process

memcg: always call cond_resched() after fn()

memcg: fix soft lockup in the OOM process (adaptation)

USB: gadget: f_midi: f_midi_complete to call queue_work

Out of scope: PowerPC architecture isn't supported for current kernel

gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().

tee: optee: Fix supplicant wait loop

drop_monitor: fix incorrect initialization order

nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()

i2c: npcm: disable interrupt enable bit before devm_request_irq

usbnet: gl620a: fix endpoint checking in genelink_bind()

mptcp: always handle address removal under msk socket lock

acct: perform last write from workqueue

acct: perform last write from workqueue

drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table

ipmi: ipmb: Add check devm_kasprintf() returned value

wifi: rtlwifi: fix memory leaks and invalid access at probe error path

team: prevent adding a device which is already a team device lower

ubifs: skip dumping tnc tree when zroot is null

Out of scope: boot time issue

safesetid: check size of policy writes

wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()

Out of scope: not affected

HID: multitouch: Add NULL check in mt_input_configured

net/rose: prevent integer overflows in rose_setsockopt()

bpf: Send signals asynchronously if !preemptible

bpf: Use preempt_count() directly in bpf_send_signal_common()

ipmr: do not call mr_mfc_uses_dev() for unres entries

net: rose: lock the socket in rose_bind()

blk-cgroup: Fix class @block_class's subsystem refcount leakage

wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()

nilfs2: fix possible int overflows in nilfs_fiemap()

ipv6: mcast: add RCU protection to mld_newpack()

Out of scope: not affected

nilfs2: handle errors that nilfs_prepare_chunk() may return

sched: sch_cake: add bounds checks to host bulk flow fairness counts

sched: sch_cake: add bounds checks to host bulk flow fairness counts kpatch

tomoyo: don't emit warning in tomoyo_write_control()

drm/v3d: Stop active perfmon if it is being destroyed

net: usb: rtl8150: enable basic endpoint checking

net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns()

NFSD: fix hang in nfsd4_shutdown_callback

team: better TEAM_OPTION_TYPE_STRING validation

batman-adv: fix panic during interface removal

KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel

USB: hub: Ignore non-compliant devices with too many configs or interfaces

partitions: mac: fix handling of bogus partition table

clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context

ptp: Ensure info->enable callback is always set

ptp: Ensure info->enable callback is always set

wifi: rtlwifi: remove unused check_buddy_priv

net: let net.core.dev_weight always be non-zero

net: let net.core.dev_weight always be non-zero

Out of scope - affects smartphones SoC component.

landlock: Handle weird files

PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region()

net: hns3: fix oops when unload drivers paralleling

netfilter: nf_tables: reject mismatching sum of field_len with set key length

tty: xilinx_uartps: split sysrq handling

usb: gadget: f_midi: fix MIDI Streaming descriptor lengths

[PATCH] batman-adv: Ignore neighbor throughput metrics in error case

[PATCH] batman-adv: Drop initialization of flexible

[PATCH] batman-adv: Drop unmanaged ELP metric worker

[PATCH] batman-adv: Drop unmanaged ELP metric worker

smb: client: Add check for next_buffer in receive_encrypted_standard()

Out of scope - affects Xilinx FPGA and SoC devices.

drm/amdgpu: fix usage slab after free

sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket

drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

drm/amd/display: Fix slab-use-after-free on hdcp_work

net: atm: fix use after free in lec_send()

proc: fix UAF in proc_get_inode()

proc: fix UAF in proc_get_inode()

Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

net: fix geneve_opt length integer overflow

net: fix geneve_opt length integer overflow

drm/amd/pm: Fix negative array index read

drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration

tracing: Fix use-after-free in print_graph_function_flags during tracer switching

ext4: fix OOB read when checking dotdot dir

jfs: xattr: check invalid xattr size more strictly

jfs: fix slab-out-of-bounds read in ea_get()

bpf, sockmap: Fix race between element replace and close()

objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()

cifs: Fix integer overflow while processing acregmax mount option

cifs: Fix integer overflow while processing acdirmax mount option

cifs: Fix integer overflow while processing closetimeo mount option

vlan: fix memory leak in vlan_newlink()

drm/vkms: Fix use after free and double free on init error

drm/vkms: Fix use after free and double free on init error

[PATCH] ipv6: Fix signed integer overflow in __ip6_append_data

[PATCH] ipv6: Fix signed integer overflow in __ip6_append_data

ice: fix memory leak in aRFS after reset

net/mlx5: handle errors in mlx5_chains_create_table()

netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()

net/mlx5: Bridge, fix the crash caused by LAG state check

scsi: qla1280: Fix kernel oops when debug level > 2

drm/amd/display: Assign normalized_pix_clk when color depth = 14

[PATCH] drm/amd/display: Check for invalid input params when building scaling params

drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params

CONFIG_INFINIBAND_HNS is not enabled on jammy.

[PATCH] ASoC: ops: Consistently treat platform_max as control value

[PATCH] ASoC: ops: Consistently treat platform_max as control value

Postponed: complex analysis and adaptation required

[PATCH] HID: ignore non-functional sensor in HP 5MP Camera

[PATCH] HID: ignore non-functional sensor in HP 5MP Camera

smb: client: fix UAF in async decryption

smb: client: fix NULL ptr deref in crypto_aead_setkey()

sch_htb: make htb_qlen_notify() idempotent

codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()

sch_htb: make htb_deactivate() idempotent

sch_drr: make drr_qlen_notify() idempotent

sch_hfsc: make hfsc_qlen_notify() idempotent

sch_qfq: make qfq_qlen_notify() idempotent

sch_ets: make est_qlen_notify() idempotent

netfilter: ipset: fix region locking in hash types

userfaultfd: fix checks for huge PMDs

drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

net: ppp: Add bound checking for skb data on ppp_sync_txmung

Out of scope: not affected

Kernel is not vulnerable.

mtd: inftlcore: Add error check for inftl_read_oob()

sctp: detect and prevent references to a freed transport in sendmsg

sctp: detect and prevent references to a freed transport in sendmsg

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

wifi: wl1251: fix memory leak in wl1251_tx_work

Bluetooth: btrtl: Prevent potential NULL dereference

igc: fix PTM cycle trigger logic

net: mctp: Set SOCK_RCU_FREE

net: openvswitch: fix nested key length validation in the set() action

cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path

net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered

i2c: cros-ec-tunnel: defer probe if parent EC is not present

isofs: Prevent the use of too small fid

virtiofs: add filesystem context source name check

net: fix crash when config small gso_max_size/gso_ipv4_max_size

net: fix crash when config small gso_max_size/gso_ipv4_max_size

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

smb: client: fix potential UAF in cifs_dump_full_key()

smb: client: fix potential UAF in cifs_stats_proc_show()

ext4: fix timer use-after-free on failed mount

scsi: ufs: bsg: Set bsg_queue to NULL after removal

dm cache: fix flushing uninitialized delayed_work on cache_ctr error

scsi: lpfc: Fix null pointer dereference after failing to issue FLOGI and PLOGI

Bluetooth: SCO: Fix UAF on sco_sock_timeout

media: streamzap: fix race between device disconnection and urb callback

Out of scope: ARM architecture isn't supported for current kernel

cifs: avoid NULL pointer dereference in dbg call

USB: wdm: close race between wdm_open and wdm_wwan_port_stop

CONFIG_USB_ASPEED_VHUB is not enabled.

udmabuf: fix a buf size overflow issue during udmabuf creation

drm/amd/display: fix double free issue during amdgpu module unload

drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()

Out of scope: PA-RISC architecture isn't supported for current kernel

wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()

tracing: Fix oob write in trace_seq_to_buffer()

net/sched: act_mirred: don't override retval if we already lost the skb

net_sched: drr: Fix double list add in class with netem as child qdisc

net_sched: ets: Fix double list add in class with netem as child qdisc

net_sched: qfq: Fix double list add in class with netem as child qdisc

ice: Check VF VSI Pointer Value in ice_vc_add_fdir_fltr()

bnxt_en: Fix out-of-bound memcpy() during ethtool -w

net: lan743x: Fix memleak issue when GSO enabled

net: lan743x: Fix memleak issue when GSO enabled

of: module: add buffer overflow check in of_modalias()

firmware: arm_scmi: Balance device refcount when destroying devices

scsi: target: Fix WRITE_SAME No Data Buffer crash

openvswitch: Fix unsafe attribute parsing in output_userspace()

iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo

iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo

Postponed: complex analysis and adaptation required

module: ensure that kobject_put() is safe for module type kobjects

usb: typec: ucsi: displayport: Fix NULL pointer access

RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug

nfs: handle failure of nfs_get_lock_context in unlock path

net_sched: Flush gso_skb list too during ->change()

net: cadence: macb: Fix a possible deadlock in macb_halt_tx.

wifi: mt76: disable napi on driver removal

dmaengine: ti: k3-udma: Add missing locking

usb: typec: ucsi: displayport: Fix deadlock

usb: typec: fix potential array underflow in ucsi_ccg_sync_control()

usb: typec: fix potential array underflow in ucsi_ccg_sync_control()

btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info()

btrfs: do not clean up repair bio if submit fails

ice: arfs: fix use-after-free when freeing @rx_cpu_rmap

tty: n_gsm: Fix use-after-free in gsm_cleanup_mux

net_sched: prio: fix a race in prio_tune()

scsi: target: iscsi: Fix timeout on deleted connection

virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN

libnvdimm/labels: Fix divide error in nd_label_data_init()

dm cache: prevent BUG_ON by blocking retries on failed device resumes

orangefs: Do not truncate file size

media: cx231xx: set device_caps for 417

firmware: arm_ffa: Set dma_mask for ffa devices

firmware: arm_ffa: Set dma_mask for ffa devices

net: pktgen: fix access outside of user given buffer in pktgen_thread_write()

vxlan: Annotate FDB data races

nvmet-tcp: don't restore null sk_state_change

__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock

Complex adaptation required. Low impact CVE

crypto: algif_hash - fix double free in hash_accept

padata: do not leak refcount in reorder_work

can: bcm: add locking for bcm_op runtime updates

can: bcm: add locking for bcm_op runtime updates

can: bcm: add missing rcu read protection for procfs content

ALSA: pcm: Fix race of buffer access at PCM OSS layer

platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()

smb: client: Fix use-after-free in cifs_fill_dirent

fs/ntfs3: Fixed overflow check in mi_enum_attr()

net/sched: Always pass notifications when child class becomes empty

thunderbolt: Do not double dequeue a configuration request

crypto: marvell/cesa - Handle zero-length skcipher requests

EDAC/skx_common: Fix general protection fault

drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table

fs/ntfs3: handle hdr_first_de() return value

wifi: ath11k: fix node corruption in ar->arvifs list

f2fs: fix to do sanity check on sbi->total_valid_block_count

clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()

bpf: Fix WARN() in get_bpf_raw_tp_regs

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

wifi: ath9k_htc: Abort software beacon handling if disabled

bpf, sockmap: Avoid using sk_socket after free when sending

net: usb: aqc111: fix error handling of usbnet read calls

bpf: Avoid __bpf_prog_ret0_warn when jit fails

calipso: Don't call calipso functions for AF_INET sk.

calipso: unlock rcu before returning -EAFNOSUPPORT

net: openvswitch: Fix the dead loop of MPLS parse

Squashfs: check return result of sb_min_blocksize

Squashfs: check return result of sb_min_blocksize

squashfs: fix memory leak in squashfs_fill_super

bus: fsl-mc: fix double-free on mc_dev

soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()

fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()

backlight: pm8941: Add NULL check in wled_configure()

dmaengine: ti: Add NULL check in udma_probe()

gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO

netfilter: nf_set_pipapo_avx2: fix initial map fill

[PATCH] seg6: Fix validation of nexthop addresses

[PATCH] seg6: Fix validation of nexthop addresses

do_change_type(): refuse to operate on unmounted/not ours mounts

use uniform permission checks for all mount propagation changes

scsi: core: ufs: Fix a hang in the error handler

ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()

ptp: fix breakage after ptp_vclock_in_use() rework

net_sched: sch_sfq: fix a potential crash on gso_skb handling

Out of scope: PowerPC architecture isn't supported for current kernel

net: Fix TOCTOU issue in sk_is_readable()

net/mdiobus: Fix potential out-of-bounds read/write access

net_sched: red: fix a race in __red_change()

net_sched: ets: fix a race in ets_qdisc_change()

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify

x86/iopl: Cure TIF_IO_BITMAP inconsistencies

nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request

nfsd: Initialize ssc before laundromat_work to prevent NULL dereference

jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()

media: cxusb: no longer judge rbuf when the write fails

media: vidtv: Terminating the subsequent process of initialization failure

media: vivid: Change the siize of the composing

ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330

ext4: inline: fix len overflow in ext4_prepare_inline_data

Input: ims-pcu - check record size in ims_pcu_flash_firmware()

f2fs: prevent kernel warning due to negative i_nlink from corrupted image

f2fs: fix to do sanity check on sit_bitmap_size

NFC: nci: uart: Set tty->disc_data only in success path

ipc: fix to protect IPCS lookups using RCU

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

ftrace: Fix UAF when lookup kallsym after ftrace disabled

net: ch9200: fix uninitialised access during mii_nway_restart

remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach()

remoteproc: core: Release rproc->clean_table after rproc_attach() fails

Kernel is not vulnerable.

ACPICA: fix acpi parse and parseext cache leaks

exfat: fix double free in delayed_free

jfs: fix array-index-out-of-bounds read in add_missing_indices

jfs: Fix null-ptr-deref in jfs_ioc_trim

media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode()

software node: Correct a OOB check in software_node_get_reference_args()

scsi: lpfc: Use memcpy() for BIOS version

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

platform/x86: dell_rbu: Fix list usage

drivers/rapidio/rio_cm.c: prevent possible heap overwrite

jffs2: check that raw node were preallocated before writing summary

jffs2: check jffs2_prealloc_raw_node_refs() result in few other places

mm/hugetlb: unshare page tables during VMA split, not before

Complex adaptation required

Complex adaptation required. High risk of regression.

aoe: clean device rq_list in aoedev_downdev()

wifi: carl9170: do not ping device which has failed to load firmware

mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().

tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer

calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().

mm/huge_memory: fix dereferencing invalid pmd migration entry

perf: Fix sample vs do_exit()

arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()

bcache: fix NULL pointer in cache_set_flush()

Out of scope: IBM System/390 architecture isn't supported for current kernel

atm: clip: prevent NULL deref in clip_push()

ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()

atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().

drm/tegra: Fix a possible null pointer dereference

drm/amd/display: Add null pointer check for get_first_active_display()

btrfs: don't drop extent_map for free space inode on write error

vsock/vmci: Clear the vmci transport packet properly when initializing it

usb: typec: altmodes/displayport: do not index invalid pin_assignments

mtk-sd: Prevent memory corruption from DMA map failure

mtk-sd: reset host->mrq on prepare_data() error

RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert

NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN

platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks

drm/i915/gt: Fix timeline left held on VMA alloc error

rose: fix dangling neighbour pointers in rose_rt_device_down()

drm/msm: Fix a fence leak in submit error path

scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()

wifi: ath6kl: remove WARN on bad firmware input

ACPICA: Refuse to evaluate a method if arguments are missing

mtd: spinand: fix memory leak of ECC engine conf

drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling

perf: Revert to requiring CAP_SYS_ADMIN for uprobes

netlink: Fix wraparounds of sk->sk_rmem_alloc.

tipc: Fix use-after-free in tipc_conn_close().

vsock: Fix transport_{g2h,h2g} TOCTOU

vsock: Fix transport_* TOCTOU

atm: clip: Fix potential null-ptr-deref in to_atmarpd().

atm: clip: Fix infinite recursive call of clip_push().

atm: Revert atm_account_tx() if copy_from_iter_full() fails.

atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

net/sched: Abort __tc_modify_qdisc if parent class does not exist

rxrpc: Fix oops due to non-existence of prealloc backlog struct

thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR

aoe: avoid potential deadlock at set_capacity

jfs: fix null ptr deref in dtInsertEntry

drm/sched: Increment job count before swapping tail spsc queue

usb: gadget: u_serial: Fix race condition in TTY wakeup

virtio-net: ensure the received length does not exceed allocated size

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

md/raid1: Fix stack memory use after return in raid1_reshape

raid10: cleanup memleak at raid10_make_request

nbd: fix uaf in nbd_genl_connect() error path

netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()

bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT

vhost-scsi: protect vq->log_used with vq->mutex

postponed

RDMA/mlx5: Fix a WARN during dereg_mr for DM type

vsock: Do not allow binding to VMADDR_PORT_ANY

net/sched: sch_qfq: Fix race condition on qfq_aggregate

net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class

net/packet: fix a race in packet_set_ring() and acket_notifier()

drm/amd/display: Fix MST Null Ptr for RV

wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()

wifi: wfx: repair open network AP mode

wifi: wfx: repair open network AP mode

firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier()

netfilter: nf_tables: reject duplicate device on updates

phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode

usb: gadget: configfs: Fix OOB read on empty string write

HID: core: ensure the allocated report buffer can contain the reserved report ID

HID: core: do not bypass hid_hw_raw_request

tracing: Add down_write(trace_event_sem) when adding trace event

dmaengine: nbpfaxi: Fix memory corruption in probe()

comedi: aio_iiro_16: Fix bit shift out of bounds

comedi: das16m1: Fix bit shift out of bounds

comedi: das6402: Fix bit shift out of bounds

bpf: Reject %p% format string in bprintf-like helpers

smb: client: fix use-after-free in cifs_oplock_break

usb: net: sierra: check for no status endpoint

Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()

ipv6: mcast: Delay put pmc->idev in mld_del_delrec()

net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree

clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

PEEMPT_RT config isn't enabled

regulator: core: fix NULL dereference on unbind due to stale coupling data

i2c: qup: jump out of the loop in case of timeout

nilfs2: reject invalid file types when reading inodes

jfs: reject on-disk inodes of an unsupported type

hfsplus: remove mutex_lock check in hfsplus_free_extents

staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()

PM / devfreq: Check governor before using governor->name

bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls

wifi: rtl818x: Kill URBs before clearing tx status queue

iwlwifi: Add missing check for alloc_ordered_workqueue

wifi: ath11k: clear initialized flag for deinit-ed srng lists

net/mlx5: Check device memory pointer before usage

net/sched: Restrict conditions for adding duplicating netems to qdisc tree

netfilter: xt_nfacct: don't assume acct name is null-terminated

clk: xilinx: vcu: unregister pll_post only if registered correctly

power: supply: cpcap-charger: Fix null check for power_supply_get_by_name

crypto: ccp - Fix crash when rebind ccp device for ccp.ko

crypto: ccp - Fix crash when rebind ccp device for ccp.ko

fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref

Out of scope: powerpc: PowerNV PCI Hotplug: not supported

Out of scope: powerpc: PowerNV PCI Hotplug: not supported

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

pptp: ensure minimal skb length in pptp_xmit()

ipv6: reject malicious packets in ipv6_gso_segment()

usb: gadget : fix use-after-free in composite_dev_cleanup()

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Fix size validation in convert_chmap_v3()

net: usb: asix_devices: add phy_mask for ax88772 mdio bus

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

fs: Prevent file descriptor table allocations exceeding INT_MAX

sctp: linearize cloned gso packets in sctp_rcv

hfs: fix slab-out-of-bounds in hfs_bnode_read()

hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()

hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()

hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()

ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()

ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr

scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated

scsi: bfa: Double-free fix

scsi: bfa: Double-free fix

jfs: truncate good inode pages when hard link is 0

jfs: Regular file corruption check

jfs: upper bound check of tree index in dbAllocAG

RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()

scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure

media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()

media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar

block: avoid possible overflow for chunk_sectors check in blk_stack_limits()

fbdev: Fix vmalloc out-of-bounds write in fast_imageblit

media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()

PCI: endpoint: Fix configfs group list head handling

jbd2: prevent softlockup in jbd2_log_do_checkpoint()

media: usbtv: Lock resolution while streaming

media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()

net, hsr: reject HSR frame if skb can't hold tag

ipv6: sr: Fix MAC comparison to be constant-time

ice: Fix a null pointer dereference in ice_copy_and_init_pkg()

smb: client: fix use-after-free in crypt_message when using async crypto

bus: mhi: host: Detect events pointing to unexpected TREs

net/sched: ets: use old 'nbands' while purging unused classes

ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value

mptcp: do not queue data on closed subflows

drm/amd/display: Avoid a NULL pointer dereference

fs/buffer: fix use-after-free when call bh_read() helper

ftrace: Also allocate and copy hash for reading of filter files

f2fs: fix to avoid out-of-boundary access in dnode page

soc: qcom: mdt_loader: Ensure we don't read past the ELF header

scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE

net: bridge: fix soft lockup in br_multicast_query_expired()

net: bridge: fix soft lockup in br_multicast_query_expired()