phy: marvell: a3700-comphy: Fix out of bounds read

ipv4: check for NULL idev in ip_route_use_hint()

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up

dma: xilinx_dpdma: Fix locking

i2c: smbus: fix NULL function pointer dereference

x86/sev: Harden #VC instruction emulation somewhat

x86/sev: Check for MWAITX and MONITORX opcodes in the #VC handler

drm/amdkfd: don't allow mapping the MMIO HDP page with large pages

rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow

wifi: nl80211: Avoid address calculations via out of bounds array indexing

kunit: Fix kthread reference

net/mlx5: Discard command completions in internal error

drm/amd/display: Fix potential index out of bounds in color transformation function

RDMA/hns: Fix UAF for cq async event

net: bridge: mst: fix vlan use-after-free

Out of scope: User-mode Linux isn't supported for current kernel

mmc: davinci: Don't strip remove function when driver is builtin

watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

stm class: Fix a double free in stm_register_device()

Out of scope: not affected

drm: zynqmp_dpsub: Always register bridge

tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer

dma-mapping: benchmark: handle NUMA_NO_NODE correctly

Out of scope: RISC V architecture isn't supported for current kernel

9p: add missing locking around taking dentry fid list

net: sched: sch_multiq: fix possible OOB write in multiq_tune()

Out of scope: not affected

drm/i915/hwmon: Get rid of devm

kdb: Fix buffer overflow during tab-complete

net/mlx5: Always stop health timer during driver removal

jfs: xattr: fix buffer overflow for invalid xattr

Postponed: complex analysis and adaptation required

Postponed: complex analysis and adaptation required

btrfs: zoned: fix use-after-free due to race with dev replace

greybus: Fix use-after-free bug in gb_interface_release due to race condition.

ima: Fix use-after-free on a dentry's dname.name

net: fix __dst_negative_advice() race

scsi: mpi3mr: Sanitise num_phys

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

tcp_metrics: validate source addr length

tcp_metrics: validate source addr length

net: dsa: mv88e6xxx: Correct check for empty list

f2fs: check validation of fault attrs in f2fs_build_fault_attr()

f2fs: Add inline to f2fs_build_fault_attr() stub

Postponed: complex analysis and adaptation required

netem: fix return value if duplicate enqueue fails

nilfs2: add missing check for inode numbers on directory entries

net/iucv: Avoid explicit cpumask var allocation on stack

net/dpaa2: Avoid explicit cpumask var allocation on stack

PCI/MSI: Fix UAF in msi_capability_init

drm/i915/gt: Fix potential UAF by revoke of fence registers

bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD

cdrom: rearrange last_media_change check to avoid unintentional overflow

net: rswitch: Avoid use-after-free in rswitch_poll()

net/iucv: fix use after free in iucv_sock_close()

mISDN: Fix a use after free in hfcmulti_tx()

firmware: cs_dsp: Fix overflow checking of wmfw header

firmware: cs_dsp: Fix overflow checking of wmfw header

net: ethernet: lantiq_etop: fix double free in detach

filelock: fix potential use-after-free in posix_lock_inode

drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport

CVE patch is for powerpc arch only

wifi: mac80211: Avoid address calculations via out of bounds array indexing

nvme: avoid double free special payload

ata: libata-core: Fix double free on error

netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume()

cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

wifi: mt76: replace skb_put with skb_put_zero

jfs: Fix array-index-out-of-bounds in diFree

bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

hfsplus: fix uninit-value in copy_name

tap: add missing verification for short frame

tun: add missing verification for short frame

drm/drm_file: Fix pid refcounting race

sch/netem: fix use after free in netem_dequeue

exec: Fix ToCToU between perm check and set-uid/gid usage

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

dev/parport: fix the array out-of-bounds risk

net: microchip: vcap: Fix use-after-free error in kunit test

of/irq: Prevent device address out-of-bounds read in interrupt map walk

of/irq: Fix using uninitialized variable @addr_len in API of_irq_parse_one()

drm/amdgpu: fix ucode out-of-bounds read warning

drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number

HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup

drm/amd/pm: fix the Out-of-bounds read warning

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

mptcp: pm: Fix uaf in __timer_delete_sync

net: dpaa: Pad packets to ETH_ZLEN

Patched function waits for external events, which may prevent patching/unpatching.

tipc: Return non-zero value from tipc_udp_addr2str() on error

hwmon: (ltc2991) re-order conditions to fix off by one bug

Out of scope: RISC V architecture isn't supported for current kernel

net: bridge: mcast: wait for previous gc cycles when removing port

media: xc2028: avoid use-after-free in load_firmware_cb()

drm/mgag200: Bind I2C lifetime to DRM device

drm/amdgpu: Validate TA binary size

drm/xe: Free job before xe_exec_queue_put

scsi: aacraid: Fix double-free on probe failure

hwmon: (nct6775-core) Fix underflows seen when writing limit attributes

drm/amdgpu: Fix out-of-bounds write warning

drm/amd/pm: Fix negative array index read

drm/amd/display: Check gpio_id before used as array index

drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]

drm/amd/display: Check msg_id before processing transcation

drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration

atm: idt77252: prevent use after free in dequeue_rx()

wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

iio: Fix the sorting functionality in iio_gts_build_avail_time_table

vhost/vsock: always initialize seqpacket_allow

btrfs: fix extent map use-after-free when adding pages to compressed bio

media: venus: fix use after free in vdec_close

Squashfs: sanity check symbolic link size

misc: fastrpc: Fix double free of 'buf' in error path

binder: fix UAF caused by offsets overwrite

drm/amd/display: Fix index may exceed array range within fpu_update_bw_bounding_box

drm/amd/display: Check link_index before accessing dc->links[]

KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS

tracing/timerlat: Only clear timer if a kthread exists

sched: sch_cake: fix bulk flow accounting logic for host fairness

usb: gadget: aspeed_udc: validate endpoint index for ast udc

HID: amd_sfh: free driver_data after destroying hid device

mm: list_lru: fix UAF for memory cgroup

f2fs: fix to cover read extent cache access with lock

VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

hwmon: (w83627ehf) Fix underflows seen when writing limit attributes

hwmon: (lm95234) Fix underflows seen when writing limit attributes

hwmon: (adc128d818) Fix underflows seen when writing limit attributes

Architecture is not supported

ipv6: fix possible UAF in ip6_finish_output2()

ipv6: prevent possible UAF in ip6_xmit()

smack: tcp: ipv4, fix incorrect labeling

ext4: no need to continue when the number of entries is 1

net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer

netfilter: ipset: add missing range check in bitmap_ip_uadt

net: sched: fix ordering of qlen adjustment

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

ocfs2: add bounds checking to ocfs2_xattr_find_entry()

bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()

scsi: sd: Fix off-by-one error in sd_read_block_characteristics()

RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds

drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error

drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error

ext4: return error on ext4_find_inline_entry

ext4: avoid OOB when system.data xattr changes underneath the filesystem

RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency

RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency

f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

[PATCH] wifi: rtw88: always wait for both firmware loading attempts

crypto: hisilicon/qm - inject error before stopping queue

PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()

RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08

vhost_vdpa: assign irq bypass producer token correctly

firmware_loader: Block path traversal

x86/tdx: Fix "in-kernel MMIO" check

crypto: iaa - Fix potential use after free bug

mm: call the security_mmap_file() LSM hook in remap_file_pages()

iommufd: Protect against overflow of ALIGN() during iova allocation

Out of scope: ARM architecture isn't supported for current kernel

net: ethernet: lantiq_etop: fix memory disclosure

tipc: guard against string buffer overrun

ALSA: asihpi: Fix potential OOB array access

drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer

drm/amd/display: fix double free issue during amdgpu module unload

mac802154: Fix potential RCU dereference issue in mac802154_scan_worker

Out of scope: android related patch.

firmware: arm_scmi: Fix double free in OPTEE transport

scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()

drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation

drm/amd/display: Fix index out of bounds in degamma hardware format translation

ext4: avoid use-after-free in ext4_ext_show_leaf()

ext4: aovid use-after-free in ext4_ext_insert_extent()

ext4: fix double brelse() the buffer of the extents path

ext4: fix off by one issue in alloc_flex_gd()

ext4: fix slab-use-after-free in ext4_split_extent_at()

Bluetooth: L2CAP: Fix uaf in l2cap_connect

net/xen-netback: prevent UAF in xenvif_flush_hash()

wifi: ath12k: fix array out-of-bound access in SoC stats

wifi: ath11k: fix array out-of-bound access in SoC stats

drm/amd/display: Fix index out of bounds in DCN30 color transformation

ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free

ext4: fix timer use-after-free on failed mount

ocfs2: cancel dqi_sync_work before freeing oinfo

aoe: fix the potential use-after-free problem in more places

fbdev: pxafb: Fix possible use after free in pxafb_task()

jfs: fix out-of-bounds in dbNextAG() and diAlloc()

net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

nilfs2: fix potential oob read in nilfs_btree_check_delete()

nbd: fix race between timeout and normal completion

ACPI: sysfs: validate return type of _STR method

jfs: fix out-of-bounds in dbNextAG() and diAlloc()

powercap: intel_rapl: Fix off by one in get_rpi()

i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition

jfs: Fix uninit-value access of new_ea in ea_buffer

jfs: Fix uaf in dbFreeBits

wifi: rtw89: avoid reading out of bounds when loading TX power FW elements

media: venus: fix use after free bug in venus_remove due to race condition

btrfs: fix race setting file private on concurrent lseek using same fd

btrfs: fix race setting file private on concurrent lseek using same fd

[PATCH 1/1] ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()

[PATCH 1/1] USB: usbtmc: prevent kernel-usb-infoleak

[PATCH 1/1] wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead

[PATCH 1/1] wifi: iwlwifi: mvm: pause TCM when the firmware is stopped

[PATCH 1/1] exfat: resolve memory leak from exfat_create_upcase_table()

[PATCH 1/1] icmp: change the order of rate limits

[PATCH 1/1] icmp: change the order of rate limits

[PATCH 1/1] vfs: fix race between evice_inodes() and find_inode()&iput()

[PATCH 1/1] nfsd: return -EINVAL when namelen is 0

[PATCH 1/1] IB/core: Fix ib_cache_setup_one error flow cleanup

[PATCH] ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

fbdev: sisfb: Fix strbuf array overflow

net: explicitly clear the sk pointer, when pf->create fails

btrfs: fix uninitialized pointer free in add_inode_ref()

tcp: fix mptcp DSS corruption due to large pmtu xmit

xsk: fix OOB map writes when deleting elements

wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()

Out of scope: SuperH architecture isn't supported for current kernel

btrfs: fix use-after-free in btrfs_encoded_read_endio()

drm/xe/vm: move xa_alloc to prevent UAF

driver core: bus: Fix double free in driver API bus_register()

smb: client: fix UAF in async decryption

Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync

net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test()

parport: Proper fix for array out-of-bounds access

tty: n_gsm: Fix use-after-free in gsm_cleanup_mux

i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition

ice: Fix increasing MSI-X on VF

net: do not delay dst_entries_add() in dst_release()

ppp: fix ppp_async_encode() illegal access

slip: make slhc_remember() more robust against malicious packets

bpf: Prevent tail call between progs attached to different hooks

bpf: Prevent tail call between progs attached to different hooks

mm/mremap: fix move_normal_pmd/retract_page_tables race

Out of scope: patch for x86_32 arch

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

ksmbd: unset the binding mark of a reused connection

ksmbd: fix user-after-free from session log off

ksmbd: fix user-after-free from session log off

jfs: array-index-out-of-bounds fix in dtReadFirst

jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree

HID: core: zero-initialize the report buffer

net: defer final 'struct net' free in netns dismantle

net: defer final 'struct net' free in netns dismantle

drm/dp_mst: Skip CSN if topology probing is not done yet (dependency)

drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()

blk-cgroup: Fix UAF in blkcg_unpin_online()

media: dvbdev: prevent the risk of out of memory access

uprobe: avoid out-of-bounds memory access of fetching args

tracing: Consider the NULL character when validating the event length

net: sched: fix use-after-free in taprio_change()

net: sched: use RCU read-side critical section in taprio_dump()

Bluetooth: SCO: Fix UAF on sco_sock_timeout

Bluetooth: ISO: Fix UAF on iso_sock_timeout

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

spi: mpc52xx: Add cancel_work_sync before module remove

RDMA/bnxt_re: Add a check for memory allocation

firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup()

RDMA/bnxt_re: Fix out of bound check

netdevsim: use cond_resched() in nsim_dev_trap_report_work()

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

tcp: Fix use-after-free of nreq in reqsk_timer_handler().

smb: client: fix OOBs when building SMB2_IOCTL request

udf: fix uninit-value use in udf_get_fileshortad

Out of scope: ARM64 architecture issue

nvmet-auth: assign dh_key to NULL after kfree_sensitive

macsec: Fix use-after-free while sending the offloading packet

bpf: Fix out-of-bounds write in trie_get_next_key()

netfilter: Fix use-after-free in get_info()

fs/ntfs3: Add rough attr alloc_size check

fs/ntfs3: Additional check in ntfs_file_release

wifi: cfg80211: clear wdev->cqm_config pointer on free

iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP

nilfs2: fix kernel bug due to missing clearing of checked flag

wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()

media: s5p-jpeg: prevent buffer overflows

ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create

ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp

drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()

dm cache: fix flushing uninitialized delayed_work on cache_ctr error

net: vertexcom: mse102x: Fix possible double free of TX skb

usb: musb: sunxi: Fix accessing an released usb phy

USB: serial: io_edgeport: fix use after free in debug printk

iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()

ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read

wifi: iwlegacy: Clear stale interrupts before resuming device

security/keys: fix slab-out-of-bounds in key_task_permission

virtio_net: Add hash_key_length check

dm cache: fix out-of-bounds access to the dirty bitset when resizing

arm64/sve: Discard stale CPU state when handling SVE traps

media: mgb4: protect driver against spectre

bpf: Check validity of link->type in bpf_link_show_fdinfo()

drm/amd/display: Adjust VSDB parser for replay feature

crypto: qat/qat_4xxx - fix off by one in uof_get_name()

ocfs2: fix uninitialized value in ocfs2_file_read_iter()

netfilter: x_tables: fix LED ID check in led_tg_check()

The ADDRESS_MASKING config option cannot be turned off. LAM (linear address masking) would be fatal for applications using it.

block, bfq: fix bfqq uaf in bfq_limit_depth()

firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier()

smb: client: Fix use-after-free of network namespace.

smb: client: fix TCP timers deadlock after rmmod

sctp: fix possible UAF in sctp_v6_available()

vdpa: solidrun: Fix UB bug with devres

mm: avoid unsafe VMA hook invocation when error arises on mmap hook

mm: unconditionally close VMAs on error

mm: refactor map_deny_write_exec()

mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling

mm: resolve faulty mmap_region() error path behaviour

mm: reinstate ability to map write-sealed memfd mappings read-only

drm/amd/display: Handle dml allocation failure to avoid crash

Patch affects initramfs

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket

ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit

NFSv4.0: Fix a use-after-free problem in the asynchronous open()

SUNRPC: make sure cache entry active before cache_show

smb: client: fix NULL ptr deref in crypto_aead_setkey()

wifi: ath12k: fix warning when unbinding

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

ALSA: usb-audio: Fix a DMA to stack memory bug

usb: typec: fix potential array underflow in ucsi_ccg_sync_control()

Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync

Bluetooth: fix use-after-free in device_for_each_child()

scsi: bfa: Fix use-after-free in bfad_im_module_exit()

drm: zynqmp_kms: Unplug DRM device before removal

f2fs: fix race in concurrent f2fs_stop_gc_thread

net: usb: lan78xx: Fix double free issue with interrupt buffer allocation

drm/amdgpu: fix usage slab after free

Out of scope: IBM System/390 architecture isn't supported for current kernel

Out of scope: RISC V architecture isn't supported for current kernel

idpf: avoid vport access in idpf_get_link_ksettings

idpf: avoid vport access in idpf_get_link_ksettings

Out of scope: not affected

cxl/port: Fix use-after-free, permit out-of-order decoder shutdown

af_packet: avoid erroring out after sock_init_data() in packet_create()

drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'

bpf: fix OOB devmap writes when deleting elements

nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()

ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write

scsi: sg: Fix slab-use-after-free read in sg_release()

net: avoid potential UAF in default_operstate()

net/smc: fix LGR and link use-after-free issue

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

tipc: fix NULL deref in cleanup_bearer()

low-scored CVE which causes verification conflicts with freezable kthread and cifs reading routines.

can: hi311x: hi3110_can_ist(): fix potential use-after-free

powerpc arch not supported

brd: defer automatic disk creation until module initialization succeeds

EDAC/igen6: Avoid segmentation fault on module unload

powerpc: arch is not supported

9p/xen: fix release of IRQ

jffs2: Prevent rtime decompress memory corruption

jffs2: Fix rtime decompressor

kunit: string-stream: Fix a UAF bug in kunit_init_suite()

drm/amd/display: Fix handling of plane refcount

net: sched: Disallow replacing of child qdisc from one parent to another

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

iomap: improve shared block detection in iomap_unshare_iter

iomap: don't bother unsharing delalloc extents

iomap: share iomap_unshare_iter predicate code with fsdax

fsdax: remove zeroing code from dax_unshare_iter

fsdax: dax_unshare_iter needs to copy entire blocks

fs/ntfs3: Check if more than chunk-size bytes are written

dm cache: optimize dirty bit checking with find_next_bit when resizing

dm cache: fix potential out-of-bounds access on the first resume

usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()

xfs: add bounds checking to xlog_recover_process_data

net: wwan: fix global oob in wwan_rtnl_policy

net: wwan: fix global oob in wwan_rtnl_policy

PCI: Fix use-after-free of slot->bus on hot remove

PCI: Fix use-after-free of slot->bus on hot remove

ALSA: 6fire: Release resources at card release

ALSA: 6fire: Release resources at card release

hfsplus: don't query the device logical block size multiple times

hfsplus: don't query the device logical block size multiple times

smb: prevent use-after-free due to open_cached_dir error paths

smb: prevent use-after-free due to open_cached_dir error paths

net: inet6: do not leave a dangling sk pointer in inet6_create()

btrfs: ref-verify: fix use-after-free after invalid ref action

nfsd: make sure exp active before svc_export_show

Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc

Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()

net: af_can: do not leave a dangling sk pointer in can_create()

net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()

net: inet: do not leave a dangling sk pointer in inet_create()

jfs: fix array-index-out-of-bounds in jfs_readdir

netfilter: bpf: must hold reference on net namespace

netfilter: bpf: must hold reference on net namespace kpatch

netfilter: nft_payload: sanitize offset and length before calling skb_checksum()

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

drm/amd/display: Don't refer to dc_sink in is_dsc_need_re_compute

drm/amd/display: Add NULL pointer check for kzalloc

Out of scope: SuperH arch not supported.

arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL

i3c: mipi-i3c-hci: Mask ring interrupts before ring stop request

i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock

f2fs: fix to shrink read extent node in batches

sched: fix warning in sched_setaffinity

net/ipv6: release expired exception dst cached in socket

quota: flush quota_release_work upon quota writeback

Out of scope: IBM System/390 architecture isn't supported for current kernel

Out of scope: IBM System/390 architecture isn't supported for current kernel

Out of scope as the patch is for i.MX SoC

virtio-net: fix overflow inside virtnet_rq_alloc

Out of scope: MIPS architecture isn't supported for current kernel

Out of scope: PowerPC architecture isn't supported for current kernel

ACPI: x86: Add adev NULL check to acpi_quirk_skip_serdev_enumeration()

scsi: ufs: pltfrm: Dellocate HBA during ufshcd_pltfrm_remove()

usb: typec: altmode should keep reference to parent

usb: typec: altmode should keep reference to parent

Revert "bpf, sockmap: Prevent lock inversion deadlock in map delete elem"

bpf, sockmap: Fix race between element replace and close()

acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl

Complex adaptation required

ipvlan: Fix use-after-free in ipvlan_get_iflink().

drm/mediatek: Set private->all_drm_private[i]->drm to NULL if mtk_drm_bind returns err

ksmbd: fix a missing return value check bug

iio: pressure: zpa2326: fix information leak in triggered buffer

iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered buffer

iio: light: vcnl4035: fix information leak in triggered buffer

iio: imu: kmx61: fix information leak in triggered buffer

iio: adc: rockchip_saradc: fix information leak in triggered buffer

iio: adc: ti-ads8688: fix information leak in triggered buffer

net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of bounds issue

bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors

ksmbd: fix racy issue from session lookup and expire

Postponed: complex analysis and adaptation required

ublk: detach gendisk from ublk device if add_disk() fails

btrfs: fix use-after-free when COWing tree bock and tracing is enabled

smb: client: fix use-after-free of signing key

net/mlx5e: Skip restore TC rules for vport rep without loaded flag

ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv

Out of scope: ARM64 architecture isn't supported for current kernel

net/smc: protect link down work from execute after lgr freed

netdevsim: prevent bad user input in nsim_dev_health_break_write()

ionic: Fix netdev notifier unregister on failure

ceph: fix memory leak in ceph_direct_read_write()

dmaengine: at_xdmac: avoid null_prt_deref in at_xdmac_prep_dma_memset

tracing: Prevent bad count for tracing_cpumask_write

PCI/MSI: Handle lack of irqdomain gracefully

btrfs: check folio mapping after unlock in relocate_one_folio()

net: restrict SO_REUSEPORT to inet sockets

wifi: mac80211: fix mbss changed flags corruption on 32 bit systems

drm/amdkfd: Correct the migration DMA map direction

ksmbd: set ATTR_CTIME flags when setting mtime

wifi: cfg80211: clear link ID from bitmap during link delete after clean up

usb: gadget: f_fs: Remove WARN_ON in functionfs_bind

Out of scope: ARM architecture isn't supported for current kernel

bpf: Fix bpf_sk_select_reuseport() memory leak

openvswitch: fix lockup on tx to unregistering netdev with carrier

pktgen: Avoid out-of-bounds access in get_imix_entries

net: fec: handle page_pool_dev_alloc_pages error

net/mlx5: Clear port select structure when fail to create

net/mlx5e: Fix inversion dependency warning while enabling IPsec tunnel

drm/v3d: Ensure job pointer is set to NULL after job completion

filemap: avoid truncating 64-bit offset to 32 bits

net: sched: fix ets qdisc OOB Indexing

cachestat: fix page cache statistics permission checking

hrtimers: Handle CPU state correctly on hotplug

hrtimers: Handle CPU state correctly on hotplug

mac802154: check local interfaces before deleting sdata list

iomap: avoid avoid truncating 64-bit offset to 32 bits

vsock/bpf: return early if transport is not assigned

vsock/virtio: discard packets if the transport changes

vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]

fs/proc: fix softlockup in __read_vmcore

fs/proc: fix softlockup in __read_vmcore (part 2)

Out of scope as the patch is for i.MX SoC

Patch is on ARM64 architecture, which this distro does not support.

fs: relax assertions on failure to encode file handles

net: fix data-races around sk->sk_forward_alloc

eth: bnxt: always recalculate features after XDP clearing, fix null-deref

afs: Fix merge preference rule failure condition

gpio: aggregator: protect driver attr handlers against module unload

RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop

gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag

scsi: storvsc: Ratelimit warning logs to prevent VM denial of service

USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()

RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()

sch_htb: make htb_qlen_notify() idempotent

netfilter: ipset: fix region locking in hash types

codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()

sch_htb: make htb_deactivate() idempotent

sch_drr: make drr_qlen_notify() idempotent

sch_hfsc: make hfsc_qlen_notify() idempotent

sch_qfq: make qfq_qlen_notify() idempotent

sch_qfq: make qfq_qlen_notify() idempotent

sch_ets: make est_qlen_notify() idempotent

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

nbd: don't allow reconnect after disconnect

net_sched: sch_sfq: don't allow 1 packet limit

ax25: rcu protect dev->ax25_ptr

ax25: rcu protect dev->ax25_ptr

net/rose: prevent integer overflows in rose_setsockopt()

padata: fix UAF in padata_reorder

padata: add pd get/put refcnt helper

padata: avoid UAF for reorder_work

memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()

Hot-join not supported

nilfs2: protect access to buffers with no active references

rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read

net: rose: fix timer races against user threads

net: davicom: fix UAF in dm9000_drv_remove

media: uvcvideo: Fix double free in error path

PPS for embedded GPS devices. Irrelevant for servers.

usb: gadget: f_tcm: Don't free command immediately

udp: Deal with race between UDP socket address change and rehash

wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc

wifi: mt76: mt7925: fix off by one in mt7925_load_clc()

not_affected

nilfs2: do not force clear folio if buffer is referenced

nilfs2: handle errors that nilfs_prepare_chunk() may return

xfrm: state: fix out-of-bounds read during lookup

not_affected

idpf: convert workqueues to unbound

rxrpc, afs: Fix peer hash locking vs RCU callback

net: ravb: Fix missing rtnl lock in suspend/resume path

RDMA/mlx5: Fix implicit ODP use after free

btrfs: do proper folio cleanup when run_delalloc_nocow() failed

f2fs: fix to handle segment allocation failure correctly

f2fs: fix to don't panic system for no free segment fault injection

btrfs: fix assertion failure when splitting ordered extent after transaction abort

btrfs: fix use-after-free when attempting to join an aborted transaction

nvkm/gsp: correctly advance the read pointer of GSP message queue

nvkm: correctly calculate the available space of the GSP cmdq buffer

Out of scope: boot time issue

safesetid: check size of policy writes

wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy()

tomoyo: don't emit warning in tomoyo_write_control()

wifi: brcmfmac: Check the return value of of_property_read_string_index()

Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync

platform/x86: int3472: Check for adev == NULL

ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback

tty: xilinx_uartps: split sysrq handling

net: rose: lock the socket in rose_bind()

binfmt_flat: Fix integer overflow bug on 32 bit systems

KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()

ksmbd: fix integer overflows on 32 bit systems

usbnet: ipheth: fix possible overflow in DPE length check

usbnet: ipheth: use static NDP16 location in URB

Out of scope: ARM architecture isn't supported for current kernel

scsi: ufs: core: Fix use-after free in init error and remove paths

scsi: ufs: core: Fix use-after free in init error and remove paths

media: uvcvideo: Fix crash during unbind if gpio unit is in use

media: uvcvideo: Fix crash during unbind if gpio unit is in use (kpatch adaptation)

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

media: uvcvideo: Remove dangling pointers

NFC: nci: Add bounds checking in nci_hci_create_pipe()

RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error

unsupported_arch_s390

net_sched: hfsc: Fix a UAF vulnerability in class handling

net_sched: prio: fix a race in prio_tune()

nfsd: clear acl_access/acl_default after releasing them

NFSD: fix hang in nfsd4_shutdown_callback

vrf: use RCU protection in l3mdev_l3_out()

Out of scope: ARM64 architecture isn't supported for current kernel

media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread

scsi: ufs: bsg: Set bsg_queue to NULL after removal

NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client()

orangefs: fix a oob in orangefs_debug_write

drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()

partitions: mac: fix handling of bogus partition table

clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context

clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context kpatch

ndisc: use RCU protection in ndisc_alloc_skb()

neighbour: use RCU protection in __neigh_notify()

net: add dev_net_rcu() helper

arp: use RCU protection in arp_xmit()

openvswitch: use RCU protection in ovs_vport_cmd_fill_info()

ndisc: extend RCU protection in ndisc_send_skb()

ipv6: mcast: extend RCU protection in igmp6_send()

ipv6: mcast: add RCU protection to mld_newpack()

io_uring/kbuf: reallocate buf lists on upgrade

Complex adaptation required

usb: gadget: core: flush gadget workqueue after device removal

Out of scope: PowerPC architecture isn't supported for current kernel

geneve: Fix use-after-free in geneve_find_dev().

net/sched: cls_api: fix error handling causing NULL dereference

Out of scope: IBM System/390 architecture isn't supported for current kernel

ibmvnic: Don't reference skb after sending to VIOS

sockmap, vsock: For connectible sockets allow only connected

tcp: drop secpath at the same time as we currently drop dst

bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type()

bpf: Fix deadlock when freeing cgroup storage

io_uring: prevent opcode speculation

tee: optee: Fix supplicant wait loop

nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()

ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()

smb: client: Add check for next_buffer in receive_encrypted_standard()

Out of scope: PowerPC architecture isn't supported for current kernel

ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

net/sched: Always pass notifications when child class becomes empty

net_sched: sch_sfq: move the limit validation

ksmbd: fix use-after-free in smb2_lock

ksmbd: fix bug on trap in smb2_lock

rapidio: fix an API misues when rio_add_net() fails

HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

cdx: Fix possible UAF error in driver_override_show()

wifi: cfg80211: cancel wiphy_work before freeing wiphy

wifi: cfg80211: init wiphy_work before allocating rfkill fails

drm/amd/display: Fix slab-use-after-free on hdcp_work

dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature

net: atm: fix use after free in lec_send()

uprobes: Reject the shared zeropage in uprobe_write_opcode()

tracing: Fix bad hist from corrupting named_triggers list

perf/core: Add RCU read lock protection to perf_iterate_ctx()

wifi: iwlwifi: limit printed string from FW file

net: gso: fix ownership in __udp_gso_segment

vlan: enforce underlying device type

vlan: enforce underlying device type

ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().

xsk: fix an integer overflow in xp_create_and_assign_umem()

drm/sched: Fix fence reference count leak

proc: fix UAF in proc_get_inode()

proc: fix UAF in proc_get_inode()

nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()

Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd

Bluetooth: L2CAP: Fix corrupted list in hci_chan_del

x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes

Out of scope: not affected

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

ksmbd: fix use-after-free in ksmbd_free_work_struct

ksmbd: fix use-after-free in ksmbd_free_work_struct

ksmbd: prevent connection release during oplock break notification

ksmbd: prevent connection release during oplock break notification

ftrace: Avoid potential division by zero in function_stat_show()

i2c: npcm: disable interrupt enable bit before devm_request_irq

usbnet: gl620a: fix endpoint checking in genelink_bind()

mptcp: always handle address removal under msk socket lock

scsi: ufs: core: bsg: Fix crash when arpmb command fails

RDMA/mlx5: Fix the recovery flow of the UMR QP

RDMA/mlx5: Fix a WARN during dereg_mr for DM type

idpf: fix checksums set in idpf_rx_rsc()

drm/xe/userptr: fix EFAULT handling

x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()

rapidio: add check for rio_add_net() in rio_scan_alloc_net()

wifi: iwlwifi: mvm: don't try to talk to a dead firmware

caif_virtio: fix wrong pointer check in cfv_probe()

llc: do not use skb_get() before dev_queue_xmit()

mctp i3c: handle NULL header address

usb: typec: ucsi: Fix NULL pointer access

usb: renesas_usbhs: Flush the notify_hotplug_work

slimbus: messaging: Free transaction ID in delayed interrupt scenario

ipvlan: ensure network headers are in skb linear part

Complex adaptation required. Low impact CVE.

RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers

eth: bnxt: fix truesize for mb-xdp-pass case

eth: bnxt: do not update checksum in bnxt_xdp_build_skb()

ext4: fix OOB read when checking dotdot dir

vsock: Do not allow binding to VMADDR_PORT_ANY

net/sched: sch_qfq: Fix race condition on qfq_aggregate

net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class

net: tls: explicitly disallow disconnect

net/packet: fix a race in packet_set_ring() and packet_notifier()

tls: fix handling of zero-length records on the rx_list

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()

udp: Fix memory accounting leak.

tracing: Fix use-after-free in print_graph_function_flags during tracer switching

iio: light: Add check for array bounds in veml6075_read_int_time_ms

ublk: make sure ubq->canceling is set when queue is frozen

idpf: fix adapter NULL pointer dereference on reboot

idpf: protect shutdown from reset

exfat: fix random stack corruption after get_block

atm: Fix NULL pointer dereference

netfilter: socket: Lookup orig tuple for IPv6 SNAT

nfsd: fix legacy client tracking initialization

bcachefs: bch2_ioctl_subvolume_destroy() fixes

watch_queue: fix pipe accounting mismatch

thermal: int340x: Add NULL check for adev

PCI: brcmstb: Fix error path after a call to regulator_bulk_get()

drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr

rtnetlink: Allocate vfinfo size for VF GUIDs when supported

ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans

ksmbd: validate zero num_subauth before sub_auth is accessed

ksmbd: fix overflow in dacloffset bounds check

ksmbd: fix use-after-free in ksmbd_sessions_deregister()

Postponed: complex analysis and adaptation required

ksmbd: use aead_request_free to match aead_request_alloc

drm/vkms: Fix use after free and double free on init error

drm/vkms: Fix use after free and double free on init error

Postponed: complex analysis and adaptation required

net: fix geneve_opt length integer overflow

net: fix geneve_opt length integer overflow

ksmbd: fix session use-after-free in multichannel connection

ksmbd: fix session use-after-free in multichannel connection

remoteproc: core: Clear table_sz when rproc_shutdown

RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow

vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint

fs/ntfs3: Fix a couple integer overflows on 32bit systems

fs/ntfs3: Prevent integer overflow in hdr_first_de()

ocfs2: validate l_tree_depth to avoid out-of-bounds access

ASoC: imx-card: Add NULL check in imx_card_probe()

netfilter: nf_tables: don't unregister hook when table is dormant

netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets

net_sched: skbprio: Remove overly strict queue assertions

net: decrease cached dst counters in dst_release

arcnet: Add NULL check in com20020pci_probe()

net: ibmveth: make veth_pool_store stop hanging

x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs

acpi: nfit: fix narrowing conversion in acpi_nfit_ctl

ksmbd: add bounds check for create lease context

arm64: Don't call NULL in do_compat_alignment_fixup()

media: streamzap: fix race between device disconnection and urb callback

nfsd: put dl_stid if fail to queue dl_recall

Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete

Bluetooth: MGMT: Fix sparse errors

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

tls: handle data disappearing from under the TLS ULP

netfilter: nf_tables: reject duplicate device on updates

media: vidtv: Terminating the subsequent process of initialization failure

wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion

ipvs: Defer ip_vs_ftp unregister during netns cleanup

mm/huge_memory: fix dereferencing invalid pmd migration entry

media: rc: fix races with imon_disconnect()

io_uring/futex: ensure io_futex_wait() cleans up properly on failure

ksmbd: fix Preauh_HashValue race condition

crypto: essiv - Check ssize for decryption and in-place encryption

ksmbd: mark SMB2_SESSION_EXPIRED to session when destroying previous session

ksmbd: mark SMB2_SESSION_EXPIRED to session when destroying previous session

ksmbd: fix race condition between destroy_previous_session() and smb2 operations()

ksmbd: fix null pointer dereference in alloc_preauth_hash()

ksmbd: fix null pointer dereference in alloc_preauth_hash()

ksmbd: fix use-after-free in session logoff

tipc: fix memory leak in tipc_link_xmit

net: ppp: Add bound checking for skb data on ppp_sync_txmung

page_pool: avoid infinite loop to schedule delayed worker

wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi

drm/amdkfd: Fix mode1 reset crash issue

media: venus: hfi: add a check to handle OOB in sfr region

media: venus: hfi: add check to handle incorrect queue size

KVM: arm64: Tear down vGIC on failed vCPU creation

mtd: rawnand: brcmnand: fix PM resume warning

media: venus: hfi_parser: add check to avoid out of bound access

media: venus: hfi_parser: refactor hfi packet parsing logic

bus: mhi: host: Fix race between unprepare and queue_buf

ext4: fix off-by-one error in do_split

jbd2: remove wrong sb->s_sequence check

mtd: inftlcore: Add error check for inftl_read_oob()

ftrace: Add cond_resched() to ftrace_graph_set_hash()

wifi: at76c50x: fix use after free access in at76_disconnect

wifi: wl1251: fix memory leak in wl1251_tx_work

net: openvswitch: fix nested key length validation in the set() action

net: dsa: clean up FDB, MDB, VLAN entries on unbind

net: dsa: free routing table on probe failure

net: dsa: free routing table on probe failure

isofs: Prevent the use of too small fid

ovl: don't allow datadir only

Out of scope: ARM64 architecture isn't supported for current kernel

cpufreq: apple-soc: Fix null-ptr-deref in apple_soc_cpufreq_get_rate()

Complex adaptation required. Low impact CVE.

net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too

mcb: fix a double free bug in chameleon_parse_gdd()

KVM: x86: Reset IRTE to host control if *new* route isn't postable

USB: wdm: close race between wdm_open and wdm_wwan_port_stop

qibfs: fix _another_ leak

udmabuf: fix a buf size overflow issue during udmabuf creation

perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init

vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp

drm/xe: Use local fence in error path of xe_migrate_clear

wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process

drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()

perf/x86/intel: KVM: Mask PEBS_ENABLE loaded for guest with vCPU's value.

irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs

wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()

dm-bufio: don't schedule in atomic context

wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release

vxlan: vnifilter: Fix unlocked deletion of default FDB entry

net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll

net_sched: qfq: Fix double list add in class with netem as child qdisc

net: ethernet: mtk_eth_soc: fix SER panic with 4GB+ RAM

octeon_ep: Fix host hang issue during device reboot

firmware: arm_scmi: Balance device refcount when destroying devices

iommu: Fix two issues in iommu_copy_struct_from_user()

wifi: cfg80211: fix out-of-bounds access during multi-link element defragmentation

ksmbd: Fix UAF in __close_file_table_ids

openvswitch: Fix unsafe attribute parsing in output_userspace()

ipvs: fix uninit-value for saddr in do_output_route4

bpf: Scrub packet on bpf_redirect_peer

Input: mtk-pmic-keys - fix possible null pointer dereference

iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo

iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo

drm/v3d: Add job to pending list if the reset was skipped

module: ensure that kobject_put() is safe for module type kobjects