ftruncate: pass a signed offset

crypto: bcm - Fix pointer arithmetic

scsi: qedf: Ensure the copied buf is NUL terminated

usb: atm: cxacru: fix endpoint checking in cxacru_bind()

drivers: core: synchronize really_probe() and dev_uevent()

af_unix: Fix garbage collector racing against connect()

net/iucv: Avoid explicit cpumask var allocation on stack

net: openvswitch: fix overwriting ct original tuple for ICMPv6

pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages

vmci: prevent speculation leaks by sanitizing event in event_deliver()

liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). (Adaptation)

x86: stop playing stack games in profile_pc()

mm: avoid overflows in dirty throttling logic

scsi: qedf: Make qedf_execute_tmf() non-preemptible

NFSv4: Fix memory leak in nfs4_set_security_label

scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory

usb-storage: alauda: Fix uninit-value in alauda_check_media()

usb-storage: alauda: Check whether the media is initialized

usb-storage: alauda: Check whether the media is initialized (Adaptation)

hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: Fix NULL pointer dereference by removing unnecessary structure field

tap: add missing verification for short frame

tun: add missing verification for short frame

mlxsw: thermal: Fix out-of-bounds memory accesses

drm/amdgpu: add error handle to avoid out-of-bounds

drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()

nvmet: fix a possible leak when destroy a ctrl during qp establishment

nvmet-fc: release reference on target port

nvmet-fc: avoid deadlock on delete association path

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (Adaptation)

wifi: mt76: replace skb_put with skb_put_zero

net/sched: Fix UAF when resolving a clash

HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts

wifi: ath11k: fix htt pktlog locking

Out of scope: boot time issue

net: fix possible store tearing in neigh_periodic_work()

perf/x86/lbr: Filter vsyscall addresses

phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP

wifi: ath11k: fix dfs radar event locking

scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()

Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

mlxsw: spectrum_acl_tcam: Move devlink param to TCAM code

mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path

CVE Rejected

slub: don't panic for memcg kmem cache creation failure

mm, slub: fix potential memoryleak in kmem_cache_open()

nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells

serial: core: fix transmit-buffer reset and memleak

USB: core: Fix hang in usb_kill_urb by adding memory barriers

firmware: arm_scpi: Fix string overflow in SCPI genpd driver

firmware: arm_scpi: Fix string overflow in SCPI genpd driver

drm/radeon: check the alloc_workqueue return value in radeon_crtc_init()

vt_ioctl: fix array_index_nospec in vt_setactivate

Input: aiptek - use descriptors of current altsetting

Input: aiptek - fix endpoint sanity check

Input: aiptek - properly check endpoint type

USB: core: Make do_proc_control() and do_proc_bulk() killable

usb: core: Don't hold the device lock while sleeping in do_proc_control()

tcp_metrics: validate source addr length

tcp_metrics: validate source addr length

phylib: fix potential use-after-free

drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL

drm/amdgpu/debugfs: fix error code when smc register accessors are NULL

netfilter: nf_tables: Reject tables of unsupported family

drm/amdgpu/mes: fix use-after-free issue

net: do not leave a dangling sk pointer, when socket creation fails

netns: Make get_net_ns() handle zero refcount net

firmware: cs_dsp: Fix overflow checking of wmfw header

firmware: cs_dsp: Fix overflow checking of wmfw header (adaptation)

wifi: mac80211: Avoid address calculations via out of bounds array indexing

udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().

firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files

firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

sched/deadline: Fix task_struct reference leak

USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor

ppp: reject claimed-as-LCP but actually malformed packets

drm/radeon: check bo_va->bo is non-NULL before using it

The patch affects too much kernel code. Low impact CVE.

VMCI: Use struct_size() in kmalloc()

VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()

dmaengine: idxd: Fix oops during rmmod on single-CPU platforms

scsi: mpi3mr: Avoid memcpy field-spanning write WARNING

net: fix out-of-bounds access in ops_init

ipv6: prevent NULL dereference in ip6_output()

ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()

scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload

wifi: iwlwifi: read txq->read_ptr under lock

nfs: handle error of rpc_proc_register() in init_nfs_fs()

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

wifi: iwlwifi: mvm: check n_ssids before accessing the ssids

mptcp: ensure snd_una is properly initialized on connect

wifi: iwlwifi: mvm: don't read past the mfuart notifcation

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

ipv6: prevent possible NULL dereference in rt6_probe()

scsi: qedi: Fix crash while reading debugfs attribute

wifi: mt76: mt7921s: fix potential hung tasks during chip recovery

firmware: cs_dsp: Validate payload length before processing block

firmware: cs_dsp: Return error if block header overflows file

protect the fetch of ->fd[fd] in do_dup2() from mispredictions

ipvs: properly dereference pe in ip_vs_add_service

leds: trigger: Unregister sysfs attributes before calling deactivate()

devres: Fix memory leakage caused by driver API devm_free_percpu()

Patch introduced regression and was reverted later.

nbd: Low-score CVE. Patched function is called from a kthread and sleeps, which may prevent patching/unpatching.

tracing: Ensure visibility when inserting an element into tracing_map

drm/amdgpu: Fix the null pointer when load rlc firmware

net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink()

dm: call the resume method on internal suspend

filelock: Remove locks reliably when fcntl/close race is detected

Input: add bounds checking to input_set_capability()

Input: elantech - fix stack out of bound access in elantech_change_report_id()

asix: fix uninit-value in asix_mdio_read()

HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect

ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()

driver core: auxiliary bus: Fix memory leak when driver_register() fail

ACPI: fix NULL pointer dereference

watchdog: Fix possible use-after-free by calling del_timer_sync()

drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'

drm/i915/vma: Fix UAF on destroy against retire race

x86/mm/pat: fix VM_PAT handling in COW mappings

tunnels: fix out of bounds access when building IPv6 PMTU error

mlxsw: Verify the accessed index doesn't exceed the array length

mlxsw: spectrum: Protect driver from buggy firmware

gfs2: Remove ill-placed consistency check

gfs2: simplify gdlm_put_lock with out_free label

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

media: cec: cec-adap: always cancel work in cec_transmit_msg_fh

media: cec: core: avoid recursive cec_claim_log_addrs

media: cec: core: avoid recursive cec_claim_log_addrs kpatch

media: cec: cec-api: add locking in cec_release()

wifi: cfg80211: Lock wiphy in cfg80211_get_station

HID: i2c-hid-of: fix NULL-deref on failed power up

HID: i2c-hid-of: fix NULL-deref on failed power up

kyber: fix out of bounds access when preempted

ext4: fold quota accounting into ext4_xattr_inode_lookup_create()

ext4: remove duplicate definition of ext4_xattr_ibody_inline_set()

ext4: do not create EA inode under buffer lock

udp: do not accept non-tunnel GSO skbs landing in a tunnel

udp: do not accept non-tunnel GSO skbs landing in a tunnel

net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket

netpoll: Fix race condition in netpoll_owner_active

xfs: don't walk off the end of a directory data block

drm/radeon: fix UBSAN warning in kv_dpm.c

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

xfs: add bounds checking to xlog_recover_process_data

tcp: refactor tcp_retransmit_timer()

net: tcp: fix unexcepted socket die when snd_wnd is 0

tcp: avoid too many retransmit packets

ptp: Fix possible memory leak in ptp_clock_register()

virtio-net: Add validation for used length

tty: Fix out-of-bound vmalloc access in imageblit

block: don't call rq_qos_ops->done_bio if the bio isn't tracked

lib/generic-radix-tree.c: Don't overflow in peek()

hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs

fbmem: Do not delete the mode that is still in use

tun: limit printing rate when illegal packet received by tun dev

PCI/PM: Drain runtime-idle callbacks before driver removal

This CVE introduces a regression and is reverted by CVE-2024-42102 in the same errata

Complex adaptation required, low score patch for non critical subsystem amdgpu

cpufreq: amd-pstate: fix memory leak on CPU EPP exit

cpufreq: amd-pstate: fix memory leak on CPU EPP exit

nvme-fc: do not wait in vain when unloading module

nvme-fc: do not wait in vain when unloading module

dev/parport: fix the array out-of-bounds risk

ipv6: prevent possible NULL deref in fib6_nh_init()

tipc: Return non-zero value from tipc_udp_addr2str() on error

drm/i915/gt: Fix potential UAF by revoke of fence registers

of: module: add buffer overflow check in of_modalias()

nouveau: lock the client object tree

nouveau: lock the client object tree

KVM: Always flush async #PF workqueue when vCPU is being destroyed

KVM: Always flush async #PF workqueue when vCPU is being destroyed

net/mlx5e: Add wrapping for auxiliary_driver op and remove unused args

net/mlx5e: Fix netif state handling

bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

r8169: Fix possible ring buffer corruption on fragmented Tx packets.

tipc: force a dst refcount before doing decryption

drm/i915/dpt: Make DPT object unshrinkable

ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."

netfilter: nf_tables: prefer nft_chain_validate

ELF: fix kernel.randomize_va_space double read

bpf: Fix overrunning reservations in ringbuf

bpf: Fix overrunning reservations in ringbuf (adaptation)

sctp: Fix null-ptr-deref in reuseport_add_sock().

netfilter: flowtable: initialise extack before use

dmaengine: fix NULL pointer in channel unregistration function

bonding: fix null pointer deref in bond_ipsec_offload_ok

lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()

bonding: fix xfrm real_dev null pointer dereference

ibmvnic: rename local variable index to bufidx

ibmvnic: Add tx check to prevent skb leak

drm/amdgpu: avoid using null object of framebuffer

netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

gfs2: Fix NULL pointer dereference in gfs2_log_flush

USB: serial: mos7840: fix crash on resume

USB: serial: mos7840: fix crash on resume kpatch

kobject_uevent: Fix OOB access within zap_modalias_env()

block: initialize integrity buffer to zero before writing it to media

mlxsw: spectrum_acl_erp: Fix object nesting warning

mlxsw: spectrum_acl_erp: Fix object nesting warning kpatch

Out of scope: This CVE modified the __init function which won't be available to patch as it is used during bootup time.

netfilter: nft_set_pipapo: do not free live element

netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()

xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create

dma-direct: Leak pages on dma_set_decrypted() failure

mm/memcg: minor cleanup for MEM_CGROUP_ID_MAX

mm: memcontrol: fix cannot alloc the maximum memcg ID

memcontrol: ensure memcg acquired by id is properly set up

memcg: protect concurrent access to mem_cgroup_idr

memcg: protect concurrent access to mem_cgroup_idr

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

Bluetooth: Fix TOCTOU in HCI debugfs implementation

netfilter: nf_conntrack_h323: Add protection for bmp length out of

gso: do not skip outer ip header in case of ipip and net_failover

netfilter: nftables: add helper function to flush set elements

netfilter: nft_set_pipapo: walk over current view on netlink dump

netfilter: nf_tables: missing iterator type in lookup walk

netfilter: nft_set_pipapo: walk over current view on netlink dump

Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE

mptcp: pm: Fix uaf in __timer_delete_sync

media: edia: dvbdev: fix a use-after-free

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race

netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

selinux,smack: don't bypass permissions check in inode_setsecctx hook

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

xfrm: validate new SA's prefixlen using SA family when sel.family is unset

xfrm: fix one more kernel-infoleak in algo dumping

arm64: Low-score CVE requiring adaptation that is hard to implement; targets very rare hardware

i40e: fix i40e_count_filters() to count only active/new filters

i40e: fix race condition by adding filter's intermediate sync state

i40e: fix race condition by adding filter's intermediate sync state

mptcp: cope racing subflow creation in mptcp_rcv_space_adjust

scsi: core: Fix unremoved procfs host directory regression

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

HID: core: zero-initialize the report buffer

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

scsi: megaraid_sas: Fix for a potential deadlock

PPS for embedded GPS devices. Irrelevant for servers.

can: bcm: Fix UAF in bcm_proc_show()

Out of scope: ARM64 architecture isn't supported for current kernel

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

netfilter: ipset: add missing range check in bitmap_ip_uadt

hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()

net/mlx5: Always stop health timer during driver removal

net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

vsock: Keep the binding until socket destruction

vsock: Orphan socket after transport release

wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

Out of scope: User-mode Linux isn't supported for current kernel

cifs: fix double free race when mount fails in cifs_get_root()

security/keys: fix slab-out-of-bounds in key_task_permission

idpf: fix idpf_vc_core_init error path

ndisc: use RCU protection in ndisc_alloc_skb()

Bluetooth: Fix use after free in hci_send_acl

udf: Fix a slab-out-of-bounds write bug in udf_find_entry()

cifs: potential buffer overflow in handling symlinks

media: uvcvideo: Fix double free in error path

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

net: atm: fix use after free in lec_send()

misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram()

ext4: fix off-by-one error in do_split

ext4: ignore xattrs past end

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

net: ch9200: fix uninitialised access during mii_nway_restart

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

wifi: iwlwifi: limit printed string from FW file

ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

ext4: avoid resizing to a partial cluster size

crypto: algif_hash - fix double free in hash_accept

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

Complex adaptation required. Low impact CVE

can: peak_usb: fix use after free bugs

padata: fix UAF in padata_reorder

ipv6: mcast: extend RCU protection in igmp6_send()

ipv6: mcast: extend RCU protection in igmp6_send()

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

net/ipv6: release expired exception dst cached in socket

Complex adaptation required. High risk of regression.

drm/vkms: Fix use after free and double free on init error

drm/vkms: Fix use after free and double free on init error

net_sched: ets: Fix double list add in class with netem as child qdisc

i2c/designware: Fix an initialization issue

Bluetooth: hci_core: Fix use-after-free in vhci_flush()

udp: Fix memory accounting leak.

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

net/sched: sch_qfq: Fix race condition on qfq_aggregate

net/sched: sch_qfq: Fix race condition on qfq_aggregate

tipc: Fix use-after-free in tipc_conn_close().

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

scsi: lpfc: Use memcpy() for BIOS version

bpf: Don't use tnum_range on array range checking for poke descriptors

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

net: usb: smsc75xx: Limit packet length to skb->len

net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull

sch_qfq: make qfq_qlen_notify() idempotent

sch_cbq: make cbq_qlen_notify() idempotent

sch_htb: make htb_qlen_notify() idempotent

sch_htb: make htb_deactivate() idempotent

sch_hfsc: make hfsc_qlen_notify() idempotent

sch_ets: make est_qlen_notify() idempotent

sch_drr: make drr_qlen_notify() idempotent

net/sched: Always pass notifications when child class becomes empty

requires a very complex adaptation

idpf: convert control queue mutex to a spinlock

vsock: Fix transport_* TOCTOU

vsock: Fix transport_* TOCTOU

use uniform permission checks for all mount propagation changes

HID: core: Harden s32ton() against conversion to 0 bits

HID: core: fix shift-out-of-bounds in hid_report_raw_event

sctp: linearize cloned gso packets in sctp_rcv

Out of scope: not affected

net_sched: hfsc: Fix a UAF vulnerability in class handling

Out of scope: not affected

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

smb: client: fix use-after-free in cifs_oplock_break

Bluetooth: L2CAP: Fix use-after-free

KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0

crypto: seqiv - Handle EBUSY correctly

This CVE has been rejected or withdrawn by its CVE Numbering Authority as per NVD website

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

scsi: lpfc: Fix buffer free/clear order in deferred receive path

wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()

Bluetooth: Fix potential use-after-free when clear keys

wifi: cfg80211: fix use-after-free in cmp_bss()

wifi: mwifiex: Fix OOB and integer underflow when rx packets

wifi: mwifiex: Fix missed return in oob checks failed path

wifi: mwifiex: Fix OOB and integer underflow when rx packets

wifi: mac80211: check S1G action frame size

fs: fix UAF/GPF bug in nilfs_mdt_destroy

mm: fix zswap writeback race condition

mm: zswap: fix missing folio cleanup in writeback race path

vsock/virtio: Validate length in packet header before skb_put()

NFS: Fix a race when updating an existing write

i40e: fix idx validation in config queues msg

nbd: fix incomplete validation of ioctl arg

smb: client: fix race with concurrent opens in rename(2)

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

e1000e: fix heap overflow in e1000_set_eeprom

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

RDMA/rxe: Fix mr->map double free

mm: kmem: fix a NULL pointer dereference in obj_stock_flush_required()

RDMA/rxe: Fix incomplete state save in rxe_requester

sctp: avoid NULL dereference when chunk data buffer is missing

libceph: fix potential use-after-free in have_mon_and_osd_map()

libceph: fix potential use-after-free in have_mon_and_osd_map()

media: rc: fix races with imon_disconnect()

Complex adaptation required.

drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies

net: atlantic: fix fragment overflow handling in RX path

smb: client: Fix use-after-free in cifs_fill_dirent

smb: client: let recv_done verify data_offset, data_length and remaining_data_length

vsock: Ignore signal/timeout on connect() if already established

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

Bluetooth: hci_event: call disconnect callback before deleting conn

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

tcp: fix a signed-integer-overflow bug in tcp_add_backlog()

Squashfs: check return result of sb_min_blocksize

squashfs: fix memory leak in squashfs_fill_super

Squashfs: check return result of sb_min_blocksize

IB/hfi1: Fix sdma.h tx->num_descs off-by-one error

RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem

RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug

atm: clip: Fix infinite recursive call of clip_push().

usb: core: config: Prevent OOB read in SS endpoint companion parsing

mptcp: fix race condition in mptcp_schedule_work()

fs/proc: fix uaf in proc_readdir_de()

fbdev: bitblit: bound-check glyph index in bit_putcs*

ext4: fix use-after-free in ext4_orphan_cleanup

vsock/vmci: Clear the vmci transport packet properly when initializing it

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid

nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

net: dst: add four helpers to annotate data-races around dst->dev

net: Add locking to protect skb->dev access in ip_output

net: gain ipv4 mtu when mtu is not locked

ipv4: use RCU protection in __ip_rt_update_pmtu()

net: dst: introduce dst->dev_rcu

ipv6: use RCU in ip6_output()

ipv6: use RCU in ip6_xmit()

net: use dst_dev_rcu() in sk_setup_caps()

ipv4: add RCU protection to ip4_dst_hoplimit()

ipv4: use RCU protection in ip_dst_mtu_maybe_forward()

net: use dst_dev_rcu() in sk_setup_caps()

smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

Bluetooth: hci_event: Ignore multiple conn complete events

Bluetooth: hci_event: Fix checking for invalid handle on error status

Bluetooth: hci_sync: Cleanup hci_conn if it cannot be aborted

Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync

Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync

smc: Fix use-after-free in __pnet_find_base_ndev().

mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats

page_pool: Fix use-after-free in page_pool_recycle_in_ring

net/sched: Enforce that teql can only be used as root qdisc

bridge: mcast: Fix use-after-free during router port configuration

migrate: correct lock ordering for hugetlb file folios

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

macvlan: fix possible UAF in macvlan_forward_source()

x86 xen add xenpv restore regs and return to usermode

kpatch add alt asm definitions