nvme-tcp: sanitize request list handling

nvme-tcp: sanitize request list handling

clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

HID: core: ensure the allocated report buffer can contain the reserved report ID

HID: core: do not bypass hid_hw_raw_request

vsock: Do not allow binding to VMADDR_PORT_ANY

perf: Revert to requiring CAP_SYS_ADMIN for uprobes

netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()

nbd: fix uaf in nbd_genl_connect() error path

raid10: cleanup memleak at raid10_make_request

aoe: avoid potential deadlock at set_capacity

drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling

tipc: Fix use-after-free in tipc_conn_close().

net/sched: Abort __tc_modify_qdisc if parent class does not exist

md/raid1: Fix stack memory use after return in raid1_reshape

benet: fix BUG when creating VFs

Complex adaptation required. Livepatching of this vulnerability can harm the network subsystem..

vsock: Fix transport_{g2h,h2g} TOCTOU

vsock: Fix transport_* TOCTOU

virtio-net: ensure the received length does not exceed allocated size

fs: writeback: fix use-after-free in __mark_inode_dirty()

rseq: Fix segfault on registration when rseq_cs is non-zero

netlink: Fix wraparounds of sk->sk_rmem_alloc.

usb: gadget: u_serial: Fix race condition in TTY wakeup

bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT

netlink: avoid infinite retry looping in netlink_unicast()

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

atm: clip: Fix infinite recursive call of clip_push().

atm: clip: Fix potential null-ptr-deref in to_atmarpd().

atm: clip: Fix memory leak of struct clip_vcc.

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg kpatch

i40e: add validation for ring_len param

i40e: validate ring_len parameter against hardware-specific values

phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode

usb: gadget: configfs: Fix OOB read on empty string write

usb: net: sierra: check for no status endpoint

ipv6: mcast: Delay put pmc->idev in mld_del_delrec()

PEEMPT_RT config isn't enabled

regulator: core: fix NULL dereference on unbind due to stale coupling data

regulator: core: fix NULL dereference on unbind due to stale coupling data

wifi: rtl818x: Kill URBs before clearing tx status queue

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

ipv6: reject malicious packets in ipv6_gso_segment()

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Fix size validation in convert_chmap_v3()

xfs: do not propagate ENODATA disk errors into xattr code

Out of scope: boot time issue

Out of scope: boot time issue

device-dax: correct pgoff align in dax_set_mapping()

crypto: essiv - Check ssize for decryption and in-place encryption

kpatch add alt asm definitions

kpatch add paravirt asm definitions

ocfs2: fix recursive semaphore deadlock in fiemap call

fbcon: fix integer overflow in fbcon_do_set_font

fbcon: fix integer overflow in fbcon_do_set_font

net/9p: fix double req put in p9_fd_cancelled

net/ip6_tunnel: Prevent perpetual tunnel growth

ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card

scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()

dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees

cnic: Fix use-after-free bugs in cnic_delete_task

nexthop: Forbid FDB status change while nexthop is in a group

drm/gma500: Fix null dereference in hdmi teardown

scsi: target: target_core_configfs: Add length check to avoid buffer overflow

perf: arm_spe: Prevent overflow in PERF_IDX2OFF()

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast

uio_hv_generic: Let userspace take care of interrupt mask

mm: hugetlb: avoid soft lockup when mprotect to large memory area

pinctrl: check the return value of pinmux_ops::get_function_name()

drm/vmwgfx: Fix Use-after-free in validation

net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()

sctp: Fix MAC comparison to be constant-time

KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

media: mc: Clear minor number before put device

dm: fix NULL pointer dereference in __dm_suspend()

pid: Add a judgment for ns null in pid_nr_ns

tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.

tracing: dynevent: Add a missing lockdown check on dynevent

media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove

crypto: rng - Ensure set_ent is always present

crypto: rng - Ensure set_ent is always present (kpatch adaptation)

blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx

bpf: Explicitly check accesses to bpf_sock_addr

ocfs2: fix double free in user_cluster_connect()

bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}

ext4: detect invalid INLINE_DATA + EXTENTS flag combination

netfilter: nf_tables: reject duplicate device on updates

Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak

vfs: Don't leak disconnected dentries on umount

usb: gadget: f_acm: Refactor bind path to use __free()

PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()

libceph: fix invalid accesses to ceph_connection_v1_info

i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

qed: Don't collect too many protection override GRC elements

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

udp: Fix memory accounting leak.

Introduced and fixed in v5.15.0-315.196.3, no live patching needed.

can: peak_usb: fix shift-out-of-bounds issue

media: rc: fix races with imon_disconnect()

media: tuner: xc5000: Fix use-after-free in xc5000_release

scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod

pps: fix warning in pps_register_cdev when register device fail

ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping

net: dlink: handle copy_thresh allocation failure

fs: udf: fix OOB read in lengthAllocDescs handling

ext4: verify orphan file size is not too big

ext4: verify orphan file size is not too big (kpatch adaptation)

ext4: guard against EA inode refcount underflow in xattr update

fs/proc: fix uaf in proc_readdir_de()

tipc: Fix use-after-free in tipc_mon_reinit_self().

net/mlx5: Clean up only new IRQ glue on request_irq() failure

mptcp: fix race condition in mptcp_schedule_work()

bpf: Sync pending IRQ work before freeing ring buffer

net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup

drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD

Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF

sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd

mm/ksm: fix flag-dropping behavior in ksm_madvise

ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

be2net: pass wrb_params in case of OS2BMC

scsi: sg: Do not sleep in atomic context

NFSD: Fix crash in nfsd4_read_release()

ACPI: video: Fix use-after-free in acpi_video_switch_brightness()

nvme-fc: use lock accessing port_state and rport state

net: ipv6: fix field-spanning memcpy warning in AH output

nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing

Bluetooth: SCO: Fix UAF on sco_conn_free

Bluetooth: bcsp: receive data only if registered

nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()

libceph: prevent potential out-of-bounds writes in handle_auth_session_key()

PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()

fbdev: bitblit: bound-check glyph index in bit_putcs*

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

mm/secretmem: fix use-after-free race in fault handler

net: atlantic: fix fragment overflow handling in RX path

usb: storage: sddr55: Reject out-of-bound new_pba

usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths

libceph: fix potential use-after-free in have_mon_and_osd_map()

libceph: fix potential use-after-free in have_mon_and_osd_map()

scsi: megaraid_sas: Fix invalid node index