net/mlx5e: fix a potential double-free in fs_any_create_groups

Bluetooth: Avoid potential use-after-free in hci_error_reset

net/mlx5: Properly link new fs rules into the tree

net: hns3: do not allow call hns3_nic_net_open repeatedly

net/mlx5e: Fix operation precedence bug in port timestamping napi_poll context

xen-netfront: Add missing skb_mark_for_recycle

smb: client: fix UAF in smb2_reconnect_server()

crypto: qat - resolve race condition during AER recovery

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

epoll: be better about file lifetimes

mlxbf_gige: stop interface during shutdown

net: amd-xgbe: Fix skb data length underflow

dm: call the resume method on internal suspend

nfp: flower: handle acti_netdevs allocation failure

net/ipv6: avoid possible UAF in ip6_route_mpath_notify()

icmp: prevent possible NULL dereferences from icmp_build_probe()

can: j1939: j1939_netdev_start(): fix UAF for

Squashfs: check the inode number is not the invalid value of zero

scsi: libfc: Fix potential NULL pointer

scsi: lpfc: Move NPIV's transport unregistration to after resource clean up

block: add check that partition length needs to be aligned with block size

mlxbf_gige: stop PHY during open() error paths

mlxbf_gige: call request_irq() after NAPI initialized

scsi: lpfc: Release hbalock before calling

ext4: avoid allocating blocks from corrupted group in ext4_mb_try_best_found()

octeontx2: CVE patch is outside the scope.

eBPF: low score UAF with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y by default but needs complex adaptation.

VFIO: Add the SPR_DSA and SPR_IAX devices to the

cifs: fix underflow in parse_server_interfaces()

wifi: rtl8xxxu: add cancel_work_sync() for

wifi: iwlwifi: dbg-tlv: ensure NUL termination

net: annotate data-races around

net: fix __dst_negative_advice() race

bonding: Fix out-of-bounds read in

wifi: cfg80211: check A-MSDU format more

net: netlink: af_netlink: Prevent empty skb by

wifi: ath10k: fix NULL pointer dereference in

platform/x86: wmi: remove unnecessary initializations

platform/x86: wmi: Fix opening of char device

phy: ti: phy-omap-usb2: Fix NULL pointer

netfilter: nft_chain_filter: handle

nfs: fix panic when nfs4_ff_layout_prepare_ds()

wifi: mt76: mt7925e: fix use-after-free in

netfilter: nf_tables: do not compare internal

ipv6: fix potential "struct net" leak in

i40e: fix vf may be used uninitialized in this

wifi: iwlwifi: read txq->read_ptr under lock

ipv6: Fix potential uninit-value access in __ip6_make_skb()

wifi: iwlwifi: mvm: guard against invalid STA ID on removal

net: do not leave a dangling sk pointer, when socket creation fails

netns: Make get_net_ns() handle zero refcount net

ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes

vt: fix unicode buffer corruption when deleting characters

eeprom: at24: fix memory corruption race condition

mlxsw: spectrum_acl_tcam: Fix memory leak when canceling rehash work

netfilter: nf_tables: flush pending destroy work before exit_net release

ice: fix memory corruption bug with suspend and rebuild

ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr

WiFi - Complex adaptation required.

ipv6: prevent possible NULL deref in fib6_nh_init()

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

net: openvswitch: fix overwriting ct original tuple for ICMPv6

igc: avoid returning frame twice in XDP_REDIRECT

wifi: brcmfmac: pcie: handle randbuf allocation failure

cxl/region: Fix cxlr_pmem leaks

net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool()

wifi: iwlwifi: mvm: don't set the MFP flag for the GTK

Out of scope: boot time issue

tls: fix missing memory barrier in tls_init

virtio: delete vq in vp_find_vqs_msix() when request_irq() fails

wifi: nl80211: don't free NULL coalescing rule

net: core: reject skb_copy(_expand) for fraglist GSO skbs

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

netfilter: nf_tables: honor table dormant flag from netdev release event path

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

ice: fix LAG and VF lock dependency in

scsi: qla2xxx: Fix off by one in

md/raid5: fix deadlock that raid5d() wait for

md/raid5: remove pr_debug() in raid5d()

netfilter: nf_tables: release mutex after

netfilter: nft_set_rbtree: skip end interval

netfilter: nf_tables: Fix potential data-race in

tap: add missing verification for short frame

tun: add missing verification for short frame

netfilter: nft_limit: reject configurations that cause integer overflow

net: bridge: xmit: make sure we have at least eth

tty: n_gsm: require CAP_NET_ADMIN to attach

CVE marked as rejected by vendor

netfilter: flowtable: validate pppoe header

netfilter: nf_tables: Fix potential data-race in

netfilter: validate user input for expected length

netfilter: complete validation of user input

netfilter: nf_tables: discard table flag update

netfilter: nf_tables: discard table flag update

cxl/port: Fix delete_endpoint() vs parent

vfio/pci: Lock external INTx masking ops

nvmet: fix a possible leak when destroy a ctrl

net: ice: Fix potential NULL pointer dereference

NFSv4: Fix memory leak in nfs4_set_security_label

udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().

net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()

seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors

scsi: qedi: Fix crash while reading debugfs attribute

wifi: iwlwifi: mvm: don't read past the mfuart notifcation

wifi: iwlwifi: mvm: check n_ssids before accessing the ssids

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

wifi: cfg80211: Lock wiphy in cfg80211_get_station

net: wwan: iosm: Fix tainted pointer delete is case of region creation fail

ipv6: fix possible race in __fib6_drop_pcpu_from()

tipc: force a dst refcount before doing decryption

mm/huge_memory: don't unpoison huge_zero_folio

RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

crypto: bcm - Fix pointer arithmetic

bnxt_re: avoid shift undefined behavior in

netfilter: nf_tables: Fix potential data-race in

net/mlx5e: Add wrapping for auxiliary_driver ops and remove unused args

net/mlx5e: Fix netif state handling

netfilter: bridge: confirm multicast packets

netfilter: bridge: confirm multicast packets kpatch

net: bridge: mst: fix vlan use-after-free

net: bridge: mst: fix vlan use-after-free

net: bridge: mst: fix vlan use-after-free

mm: cachestat: fix folio read-after-free in cache walk

PCI/MSI: Fix UAF in msi_capability_init

nvme: avoid double free special payload

net/sched: Fix UAF when resolving a clash

iommufd: Fix missing update of domains_itree after splitting iopt_area

mm: cachestat: fix two shmem bugs

nfsd: fix RELEASE_LOCKOWNER

kprobes/x86: Use copy_from_kernel_nofault() to read from unsafe address

mm/hugetlb: fix missing hugetlb_lock for resv

regmap: maple: Fix cache corruption in

This CVE introduces a regression and is reverted by CVE-2024-42102 in the same errata

efivarfs: force RO when remounting if SetVariable

efivarfs: force RO when remounting if SetVariable

KVM: SVM: Flush pages under kvm->lock to fix UAF

net: fix out-of-bounds access in ops_init

scsi: qedf: Ensure the copied buf is NUL

xhci: Handle TD clearing for multiple streams

cxl/region: Fix memregion leaks in devm_cxl_add_region()

ppp: reject claimed-as-LCP but actually malformed

mm, kmsan: fix infinite recursion due to RCU

mm: prevent derefencing NULL ptr in

xdp: Remove WARN() from __xdp_reg_mem_model()

x86: stop playing stack games in profile_pc()

Reverts CVE-2024-26720, which we don't use.

mm: avoid overflows in dirty throttling logic

x86/coco: Require seeding RNG with RDRAND on CoCo

x86/coco: Require seeding RNG with RDRAND on CoCo

usb-storage: alauda: Check whether the media is initialized

usb-storage: alauda: Check whether the media is initialized (Adaptation)

Bluetooth: af_bluetooth: Fix deadlock

uio: Fix use-after-free in uio_open

gfs2: Remove ill-placed consistency check

gfs2: simplify gdlm_put_lock with out_free label

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

scsi: qla2xxx: Fix double free of fcport

scsi: qla2xxx: Fix double free of the ha->vp_map pointer

fork: defer linking file vma until vma is fully initialized

wifi: nl80211: Avoid address calculations via out of bounds array indexing

wifi: mac80211: Avoid address calculations via out of bounds array indexing

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

cppc_cpufreq: Fix possible null pointer dereference

wifi: mt76: replace skb_put with skb_put_zero

cpufreq: exit() callback is optional

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

bpf, sockmap: Prevent lock inversion deadlock in map delete elem

scsi: qla2xxx: Fix command flush on cable pull

ring-buffer: Fix a race between readers and resize checks

Input: cyapa - add missing input core locking to suspend/resume functions

ARM related CVE

ACPICA: Revert "ACPICA: avoid Info: mapping multiple BARs. Your kernel is fine."

KVM: x86/mmu: x86: Don't overflow lpage_info when checking attributes

net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket

net/sched: act_mirred: Create function tcf_mirred_to_dev and improve readability

net/sched: act_mirred: don't override retval if we already lost the skb

net: sched: sch_multiq: fix possible OOB write in multiq_tune()

tipc: Return non-zero value from tipc_udp_addr2str() on error

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field

dmaengine: idxd: Fix oops during rmmod on single-CPU platforms

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

gfs2: Fix NULL pointer dereference in gfs2_log_flush

RFDS: Medium score vulnerability affecting only Intel Atom CPUs, mitigated via microcode update.

Revert "net/mlx5: Block entering switchdev mode with ns inconsistency"

netfilter: nft_flow_offload: reset dst in route object after setting up flow

mptcp: ensure snd_nxt is properly initialized on connect

KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked

Patches a sleepable function, there is a small but non-zero risk of livepatching failure

el9 kernels are not vulnerable: no versions with commit 88c67aeb1407 only.

net/mlx5: Add a timeout to acquire the command queue semaphore

net/mlx5: Add a timeout to acquire the command queue semaphore

netfilter: flowtable: initialise extack before use

netpoll: Fix race condition in netpoll_owner_active

af_unix: Fix garbage collector racing against connect()

xfs: don't walk off the end of a directory data block

xfs: add bounds checking to xlog_recover_process_data

net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

ipv6: prevent possible NULL dereference in rt6_probe()

ext4: fold quota accounting into ext4_xattr_inode_lookup_create()

ext4: do not create EA inode under buffer lock

ext4: turn quotas off if mount failed after enabling quotas

ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super()

wifi: mt76: mt7921s: fix potential hung tasks during chip recovery

tty: Fix out-of-bound vmalloc access in imageblit

tcp: add sanity checks to rx zerocopy

mptcp: fix data re-injection from stale subflow

scsi: core: Fix unremoved procfs host directory regression

mac802154: fix llsec key resources release in mac802154_llsec_key_del

mac802154: fix llsec key resources release in mac802154_llsec_key_del

net/sched: taprio: extend minimum interval restriction to entire cycle too

xfs: fix log recovery buffer allocation for the

netfilter: nft_inner: validate mandatory meta and payload

netfilter: nft_inner: validate mandatory meta and payload

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages

mptcp: ensure snd_una is properly initialized on connect

kpatch add alt asm definitions

x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file

x86/bugs: x86/bhi: Add support for clearing branch history at syscall entry

PCI: Avoid potential out-of-bounds read in pci_dev_for_each_resource()

ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work

string.h: add array-wrappers for (v)memdup_user()

i2c: dev: copy userspace array safely

io_uring: clear opcode specific data for an early failure

media: uvcvideo: Fix OOB read

PCI: Avoid potential out-of-bounds read in pci_dev_for_each_resource()

xsk: fix usage of multi-buffer BPF helpers for ZC XDP

function can sleep with no time out

maple_tree: fix mas_empty_area_rev() null pointer dereference

ipv4: Fix uninit-value access in __ip_make_skb()

ipv6: prevent NULL dereference in ip6_output()

block: fix overflow in blk_ioctl_discard()

nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().

ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()

netfs, fscache: Prevent Oops in fscache_put_cache()

ext4: regenerate buddy after block freeing failed if under fc replay

hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

vhost: use kzalloc() instead of kmalloc() followed by memset()

net: openvswitch: limit the number of recursions from action sets

ubi: Check for too small LEB size in VTBL code

bpf: Fix re-attachment branch in bpf_tracing_prog_attach

x86/fpu: Stop relying on userspace for info to fault in xsave buffer

tcp: make sure init the accept_queue's spinlocks once

media: cec: core: avoid recursive cec_claim_log_addrs kpatch

media: cec: core: avoid recursive cec_claim_log_addrs kpatch

i2c: Fix a potential use after free

of: fdt: fix off-by-one error in unflatten_dt_nodes()

media: pvrusb2: fix use after free on context disconnection

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

Kernel versions older than 5.14.0-503.11.1.el9_5 are not affected

EDAC/thunderx: Fix possible out-of-bounds string access

net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()

md/raid5: fix atomicity violation in raid5_cache_count

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

RDMA/mlx5: Fix fortify source warning while accessing Eth segment

hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

x86/fpu: Keep xfd_state in sync with MSR_IA32_XFD

stm class: Fix a double free in stm_register_device()

net/mlx5: Discard command completions in internal error

USB: core: Fix deadlock in usb_deauthorize_interface()

Out of scope: not affected

tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer

drm/amdgpu/mes: fix use-after-free issue

usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps

USB: core: Fix deadlock in port "disable" sysfs attribute

USB: core: Fix deadlock in port "disable" sysfs attribute

USB: core: Fix deadlock in port "disable" sysfs attribute

net/mlx5: Always stop health timer during driver removal

firmware: cs_dsp: Fix overflow checking of wmfw header

firmware: cs_dsp: Fix overflow checking of wmfw header (adaptation)

filelock: fix potential use-after-free in posix_lock_inode

drm/i915/gt: Fix potential UAF by revoke of fence registers

scsi: mpi3mr: Sanitise num_phys

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

net/iucv: fix use after free in iucv_sock_close()

dev/parport: fix the array out-of-bounds risk

wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope: not affected

net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check

net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check kpatch

minmax: add umin(a, b) and umax(a, b)

swiotlb: Fix double-allocation of slots due to broken alignment handling

octeontx2-af: fix the double free in rvu_npc_freemem()

ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()

drm/amdgpu: add error handle to avoid out-of-bounds

drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()

drm/drm_file: Fix pid refcounting race

Out of scope: not affected

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

include/linux/generic-radix-tree.h: replace kernel.h with the necessary inclusions

lib/generic-radix-tree.c: Don't overflow in peek()

can: isotp: isotp_sendmsg(): add result check for wait_event_interruptible()

can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()

can: isotp: isotp_sendmsg(): fix TX buffer concurrent access in isotp_sendmsg()

can: isotp: fix error path in isotp_sendmsg() to unlock wait queue

usbnet: sanity check for maxpacket

nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells

arm64/sme: Always exit sme_alloc() early with existing

hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations

asix: fix uninit-value in asix_mdio_read()

netfilter: nft_set_pipapo: do not free live element

ACPI: processor_idle: Fix memory leak in acpi_processor_power_exit()

atl1c: Work around the DMA RX overflow issue

atl1c: Work around the DMA RX overflow issue

cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

cachefiles: fix slab-use-after-free in fscache_withdraw_volume()

Bluetooth: btrtl: fix out of bounds memory access

Bluetooth: btrtl: fix out of bounds memory access

CVE patch is for AMD Inception vulnerability related to Speculative Return Stack Overflow (SRSO)

Input: powermate - fix use-after-free in powermate_config_complete

Bluetooth: Fix TOCTOU in HCI debugfs implementation

xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING

mlxsw: spectrum_acl_tcam: Fix memory leak during rehash

filelock: Remove locks reliably when fcntl/close race is detected

Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security

Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security

mm/swap: fix race when skipping swapcache

cxl/pci: Fix disabling memory if DVSEC CXL Range does not match a CFMWS window

drm/amd/display: fixed integer types and null check locations

ext4: avoid allocating blocks from corrupted group

ext4: avoid dividing by 0 in mb_update_avg_fragment_size()

mptcp: fix double-free on socket dismantle

iommufd: Fix protection fault in iommufd_test_syz_conv_iova

iommufd: Fix iopt_access_list_id overwrite bug

net: veth: clear GRO when clearing XDP even when down MIME-Version: 1.0

Out of scope: boot time issue

bpf: Guard stack limits against 32bit overflow

of: Fix double free in of_parse_phandle_with_args_map

ALSA: scarlett2: Add clamp() in scarlett2_mixer_ctl_put()

ALSA: scarlett2: Add missing error checks to *_ctl_get()

x86/mm: Ensure input to pfn_to_kaddr() is treated as a 64-bit type

net: atlantic: eliminate double free in error handling logic

drm/vmwgfx: fix a memleak in vmw_gmrid_man_get_node

ASoC: SOF: amd: Fix memory leak in amd_sof_acp_probe()

drm/tegra: rgb: Fix some error handling paths in tegra_dc_rgb_probe()

drm/tegra: rgb: Fix missing clk_put() in the error handling paths of tegra_dc_rgb_probe()

Do not support powerpc build with kasan sanitizer 4a7aee96200ad281a5cc4cf5c7a2e2a49d2b97b0

RDMA/qedr: Fix qedr_create_user_qp error flow

HID: i2c-hid-of: fix NULL-deref on failed power up

HID: i2c-hid-of: fix NULL-deref on failed power up

RDMA/srpt: Support specifying the srpt_service_guid

arp: Prevent overflow in arp_req_get().

md: Don't ignore suspended array in md_check_recovery()

net/sched: act_mirred: use the backlog for mirred ingress

md: Don't ignore read-only array in md_check_recovery()

vt_ioctl: fix array_index_nospec in vt_setactivate

thermal: core: Fix NULL pointer dereference in zone registration error path

ring-buffer: Do not attempt to read past "commit"

thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR

bpf: fix check for attempt to corrupt spilled pointer

mfd: syscon: Fix null pointer dereference in of_syscon_register()

Out of scope: not affected

platform/x86: think-lmi: Fix reference leak

drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()

virtio-blk: fix implicit overflow on virtio_max_dma_size

bonding: stop the device in bond_setup_by_slave()

smb: client: fix use-after-free in smb2_query_info_compound()

i2c: core: Run atomic i2c xfer when !preemptible

i2c: core: Fix atomic xfer check for non-preempt config

Bug doesn't hit as enum values are just shifted numbers

crypto: pcrypt - Fix hungtask for PADATA_RESET

scsi: ibmvfc: Remove BUG_ON in the case of an empty event pool

net/smc: avoid data corruption caused by decline

cpu/hotplug: Prevent self deadlock on CPU hot-unplug

cpu/hotplug: Don't offline the last non-isolated CPU

Bluetooth: btusb: Add date->evt_skb is NULL check

Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()

perf: hisi: Fix use-after-free when register pmu fails

pstore/platform: Add check for kstrdup

can: dev: can_put_echo_skb(): don't crash kernel if can_priv::echo_skb is accessed out of bounds

nommu: kernel is not vulnerable. Commit 8220543("nommu: remove uses of VMA linked list") is absent

cachefiles: fix memory leak in cachefiles_add_cache()

geneve: make sure to pull inner header in geneve_rx()

hsr: Fix uninit-value access in hsr_get_node()

NFSv4.2: fix nfs4_listxattr kernel BUG at mm/usercopy.c:102

quota: Fix potential NULL pointer dereference

Bluetooth: hci_core: Fix possible buffer overflow

Current kernel is not vulnerable.

do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak

x86/sev-es: Allow copy_from_kernel_nofault() in earlier boot

x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

drm/amdgpu: Reset IH OVERFLOW_CLEAR bit

tracing/trigger: Fix to return error if failed to alloc snapshot

Live-patching will introduce network performance degradation in the best case scenario, or even some more serious issues. N/A or Low cvss3 score from NVD or vendors.

drm/i915/gt: Reset queue_priority_hint on parking

drm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()

drm/i915/vma: Fix UAF on destroy against retire race

drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed

wireguard: netlink: access device through ctx instead of peer

wireguard: netlink: check for dangling peer via is_dead instead of empty list

net: esp: fix bad handling of pages from page_pool

nbd: fix uaf in nbd_open

nbd: fix uaf in nbd_open

Kernel is not vulnerable: commit f2d5dcb4 is absent.

wifi: rtw89: fix null pointer access when abort scan

wifi: rtw89: fix null pointer access when abort scan

dyndbg: fix old BUG_ON in >control parser

drm/client: Fully protect modes[] with dev->mode_config.mutex

drm/ast: Fix soft lockup

scsi: sg: Avoid sg device teardown race

scsi: sg: Avoid race in error handling & drop bogus warn

net/mlx5e: Fix mlx5e_priv_init() cleanup flow

geneve: fix header validation in geneve[6]_xmit_skb

geneve: Fix incorrect inner network header offset when innerprotoinherit is set

bareudp: Pull inner IP header on xmit

vxlan: Pull inner IP header in vxlan_xmit_one()

keys: Fix overwrite of key expiration on instantiation

USB: core: Fix access violation during port device removal

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash

Not a bug for a real-life RHEL9 setup

EFI Firmware: CVE patch is for EFI firmware which runs at boot time.

Kernel is not affected

Kernel is not affected

CVE patch is for powerpc arch only

tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

ASoC: SOF: Add some bounds checking to firmware data

tcp_metrics: validate source addr length

net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame()

inet: read sk->sk_family once in inet_recv_error()

Boot time issue

KVM: arm64: Fix circular locking dependency

net: atlantic: Fix DMA mapping for PTP hwts ring

fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand()

fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats

ext4: fix double-free of blocks due to wrong

drm/amd/display: Fix MST Null Ptr for RV

ppp_async: limit MRU to 64K

smb: client: fix potential deadlock when releasing mids

drm/amdkfd: Fix lock dependency warning with srcu

Warning fix doesn't worth live-patching

Boot time fix cannot be fixed with live-patching

The patch for this CVE fixing vulnerability which was introduced in kernel v6.7

PM / devfreq: Synchronize devfreq_monitor_[start/stop]

drm/vmwgfx: Unmap the surface before resetting it on a plane state state

drm/vkms: Avoid reading beyond LUT array

drm/tegra: dsi: Add missing check for of_find_device_by_node

Complex adaptation required. x86 and amd64 architectures are not affected. Issues triggers while dumping after another crash.

fbdev: Fix invalid page access after closing deferred I/O devices

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope as the patch is for powerpc arch only

mmc: sdio: fix possible resource leaks in some error paths

net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path

ASoC: Intel: sof_sdw_rt_sdca_jack_common: ctx->headset_codec_dev = NULL

calipso: fix memory leak in netlbl_calipso_add_pass()

ALSA: scarlett2: Add missing mutex lock around get meter levels

nfs: fix UAF in direct writes

nfs: fix UAF in direct writes

mm: swap: fix race between free_swap_and_cache() and swapoff()

usb: xhci: Add error handling in xhci_map_urb_for_dma

fat: fix uninitialized field in nostale filehandles

powercap: intel_rapl: Fix a NULL pointer dereference

nouveau: fix instmem race condition around ptr stores

mm/memory-failure: fix deadlock when hugetlb_optimize_vmemmap is enabled

Out of scope as the patch is for vmlinux init sections which are discarded after the boot

arm64: hibernate: Fix level3 translation fault in swsusp_save()

nbd: null check for nla_nest_start

Fix commit isn't present

pstore: inode: Only d_invalidate() is needed

clk: Fix clk_core_get NULL dereference

drm/amdgpu: Fix potential out-of-bounds access in 'amdgpu_discovery_reg_base_init()'

wifi: brcm80211: handle pmk_op allocation failure

ASoC: SOF: ipc4-pcm: Workaround for crashed firmware on system suspend

net: openvswitch: Fix Use-After-Free in ovs_ct_exit

Complex adaptation required. Network services prevents update because they can sleep in subflow_finish_connect() function.

wifi: nl80211: reject iftype change with mesh ID change

rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back

md/md-bitmap: fix incorrect usage for sb_index

drm/amdgpu: fix deadlock while reading mqd from debugfs

cpumap: Zero-initialise xdp_rxq_info struct before running

ALSA: usb-audio: Stop parsing channels bits when all channels

genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline

KVM: Always flush async #PF workqueue when vCPU is being destroyed

KVM: Always flush async #PF workqueue when vCPU is being destroyed

Kernel is not affected

Bug triggers in kdump kernel which we don't patch

ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()

drm/amdgpu: fix use-after-free bug

drm/amd/display: Implement bounds check for stream encoder creation in DCN301

drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'

drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'

tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()

net/sched: flower: Fix chain template offload kpatch

Out of scope: not affected

KVM: x86/mmu: Write-protect L2 SPTEs in TDP MMU when clearing dirty status

tun: limit printing rate when illegal packet received by tun dev

netfilter: flowtable: incorrect pppoe tuple

x86/mm/pat: fix VM_PAT handling in COW mappings

smb: client: fix potential UAF in smb2_is_valid_lease_break()

smb: client: fix potential UAF in cifs_dump_full_key()

smb: client: fix potential UAF in smb2_is_valid_oplock_break()

smb: client: fix potential UAF in cifs_stats_proc_show()

of: module: prevent NULL pointer dereference in vsnprintf()

mm/secretmem: fix GUP-fast succeeding on secretmem folios

x86/mce: Make sure to grab mce_sysfs_mutex in set_bank()

ipv6: Fix infinite recursion in fib6_dump_done().

erspan: make sure erspan_base_hdr is present in skb->head

net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()

mptcp: prevent BPF accessing lowat from a subflow socket.

netfilter: nf_tables: reject new basechain after table flag update

bpf: Fix verification of indirect var-off stack access

bpf: Protect against int overflow for stack access size

tls: get psock ref after taking rxlock to avoid leak

wifi: iwlwifi: mvm: rfi: fix potential response leaks

wifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF

It is not possible to fix this vulnerability using kernel livepatching because it lies below the system call level.

Existing kernels aren't affected

Existing kernels aren't affected

soundwire: cadence: fix invalid PDI offset

ALSA: timer: Set lower bound of start tick time

af_unix: Fix data races around sk->sk_shutdown.

af_unix: Fix data races around sk->sk_shutdown.

af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg

ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()

ALSA: Fix deadlocks with kctl removals at disconnection

dmaengine: idxd: Avoid unnecessary destruction of file_ida

ALSA: hda/cs_dsp_ctl: Use private_free for control cleanup

md: fix resync softlockup when bitmap size is less than array size

scsi: qedf: Make qedf_execute_tmf() non-preemptible

drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes

ftruncate: pass a signed offset

pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (Adaptation)

kernel version 5.14 not affected

kernel version 5.14 not affected

kernel version 5.14 not affected

bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX

netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

clk: Get runtime PM before walking tree during disable_unused

clk: Get runtime PM before walking tree during disable_unused

mptcp: really cope with fastopen race

Get runtime PM before walking tree for clk_summaryatch-description:

nouveau: lock the client object tree

nouveau: lock the client object tree

Affects only __init function for a built-in component, so patching will have no effect

None of the kernels is affected

net/mlx5e: fix a double-free in arfs_create_groups

mptcp: use OPTION_MPTCP_MPJ_SYNACK in subflow_finish_connect()

mlxsw: spectrum_acl_tcam: Fix possible use-after-free during activity update

wifi: mac80211: fix potential sta-link leak

irqchip/gic-v3-its: Prevent double free on error

io_uring: Fix release of pinned pages when __io_uaddr_map fails

smb: client: fix potential UAF in cifs_debug_files_proc_show()

smb: client: fix potential UAF in cifs_signal_cifsd_for_reconnect()

smb: client: fix potential UAF in smb2_is_network_name_deleted()

smb: client: fix potential UAF in is_valid_oplock_break()

net: bridge: switchdev: Skip MDB replays of deferred events on offload

Out of scope as the patch is for i.MX SoC

wifi: mt76: mt7921e: fix use-after-free in free_irq()

mm/memory-failure: fix handling of dissolved but not taken off from buddy pages

ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension

mm/vmalloc: fix vmalloc which may return null if called with

Out of scope: ARM64 architecture issue

drm/shmem-helper: Fix BUG_ON() on mmap(PROT_WRITE, MAP_PRIVATE)

Kernel is not affected.

vmci: prevent speculation leaks by sanitizing event in event_deliver()

Existing kernels aren't affected

serial: imx: Introduce timeout when waiting on transmitter empty

iommu: Return right value in iommu_sva_bind_device()

net/mlx5: Fix tainted pointer delete is case of flow rules creation fail

drm/radeon: fix UBSAN warning in kv_dpm.c

mm/page_table_check: fix crash on ZONE_DEVICE

cpufreq: amd-pstate: fix memory leak on CPU EPP exit

cpufreq: amd-pstate: fix memory leak on CPU EPP exit

ALSA: hda: cs35l56: Fix lifetime of cs_dsp instance

nfs: handle error of rpc_proc_register() in init_nfs_fs()

[PATCH] pinctrl: core: delete incorrect free in pinctrl_enable()

Kernel is not affected

net/smc: fix neighbour and rtable leak in smc_ib_find_route()

Thermal debugfs isn't present on redhat kernels.

[PATCH 1/1] drm/vmwgfx: Fix invalid reads in fence signaled events

Thermal debugfs isn't present on redhat kernels.

[PATCH] KEYS: trusted: Fix memory leak in tpm2_key_encode()

[PATCH] net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP

usb: dwc3: Wait unconditionally after issuing EndXfer command

Intoduced in the same kernel version with the fix

Complex adaptation required

Intoduced in the same kernel version with the fix

net: hns3: fix kernel crash problem in concurrent scenario

scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory

bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()

io_uring/rsrc: don't lock while !TASK_RUNNING

vmxnet3: disable rx data ring on dma allocation failure

Complex adaptation required, low score patch for non critical subsystem amdgpu

filelock: Fix fcntl/close race recovery compat path

Kernel not vulnerable: blamed commit is absent

firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers

netfilter: nf_tables: prefer nft_chain_validate

firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files

drm/radeon: check bo_va->bo is non-NULL before using it

Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

RDMA/irdma: Fix KASAN issue with tasklet

nvme-fc: do not wait in vain when unloading module

nvme-fc: do not wait in vain when unloading module

RDMA/srpt: Do not register event handler until srpt device is fully setup

drm/amdgpu: validate the parameters of bo mapping operations more clearly

vfio/pci: Disable auto-enable of exclusive INTx IRQ

wireguard: receive: annotate data-race around receiving_counter.counter

drivers: core: synchronize really_probe() and dev_uevent()

KVM: x86/pmu: Disable support for adaptive PEBS

KVM: x86/pmu: Disable support for adaptive PEBS

[PATCH 1/1] leds: trigger: Unregister sysfs attributes before calling

dma: fix call order in dmam_free_coherent

Affects only the s390 architecture.

net/mlx5: Always drain health in shutdown callback

wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()

[PATCH 5063/5129] mm/memcg: minor cleanup for MEM_CGROUP_ID_MAX

[PATCH] memcg: protect concurrent access to mem_cgroup_idr

wifi: mac80211: fix NULL dereference at band check in starting tx ba session

fuse: Initialize beyond-EOF page contents before setting uptodate

complex adaptation required for el9-arm64, el9-x86 not affected

spi: Fix null dereference on suspend

spi: Fix null dereference on suspend

tty: add the option to have a tty reject a new ldisc

tty: add the option to have a tty reject a new ldisc

Affected p2sb driver is not present in kernel v5.14.0

Bluetooth: ISO: Check socket flag instead of hcon

firmware: cs_dsp: Return error if block header overflows file

firmware: cs_dsp: Validate payload length before processing block

Revert "sched/fair: Make sure to try to detach at least one movable task"

Out of scope: 64-bit systems not affected.

net/mlx5: Fix missing lock on sync reset reload

nvme-pci: add missing condition check for existence of mapped data

netfilter: nf_tables: restore set elements when delete set fails

mlxsw: spectrum_acl_tcam: Fix incorrect list API usage

mm: use memalloc_nofs_save() in page_cache_ra_order()

ppdev: Add an error check in register_device

iommu/arm-smmu: Use the correct type in nvidia_smmu_context_fault()

mm/userfaultfd: reset ptes when close() for wr-protected ones

ACPI: CPPC: Use access_width over bit_width for system memory accesses

drm/vmwgfx: Fix the lifetime of the bo cursor memory

dm snapshot: fix lockup in dm_exception_table_exit

ext4: fix corruption during on-line resize

md: export helpers to stop sync_thread

md/dm-raid: don't call md_reap_sync_thread() directly

PCI/PM: Drain runtime-idle callbacks before driver removal

Patch for this CVE has been reverted. Hence skipped

drm/amdgpu: amdgpu_ttm_gart_bind set gtt bound flag

usb: udc: remove warning when queue disabled ep

misc: lis3lv02d_i2c: Fix regulators getting en-/dis-abled twice on suspend/resume

s390 arch not supported.

Existing kernels aren't affected

Already fixed in the existing el9 kernels.

tusb: gadget: core: Check for unset descriptor

packet: annotate data-races around ignore_outgoing

x86/mm: Fix pti_clone_pgtable() alignment assumption

netfilter: nf_tables: set dormant flag on hook register failure

net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink

hwrng: core - Fix page fault dead lock on mmap-ed hwrng

bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers

iio: core: fix memleak in iio_device_register_sysfs

nbd: Low-score CVE. Patched function is called from a kthread and sleeps, which may prevent patching/unpatching.

tracing: Ensure visibility when inserting an element into tracing_map

Affects only boot __init stage, already booted kernels are not affected

Kernel not vulnerable.

netfilter: nf_tables: fix memleak in map from abort path

commit that introduces CVE is not present

older kernels do not have support for DisplayCoreNext 3.5

older kernels do not have support for DisplayCoreNext 3.5

usb: typec: ucsi: Limit read size on v1.2

block: prevent division by zero in blk_rq_stat_sum()

drm: Check output polling initialized before disabling

The patch was later reverted in eb4f139888f6

scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()

wifi:ath11k, low score CVE that needs complex adaptation but decreasing MHI Bus' buf-len isn't a typical security fix.

dma-direct: Leak pages on dma_set_decrypted() failure

VMCI: Use struct_size() in kmalloc()

VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()

VMCI: Fix possible memcpy() run-time warning in vmci_datagram_invoke_guest_handler()

None of the existing kernels is affected

Low-score CVE which might introduce problems in net subsystem

io_uring/sqpoll: work around a potential audit memory leak

Complex adaptation required, not worth the effort for 4.4 score CVE

CVE patch is for powerpc arch only

None of our RHEL9 kernels are affected by the bug

nvmet: always initialize cqe.result

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes

null_blk: fix validation of block size

cxl/mem: Fix no cxl_nvd during pmem region auto-assembling

nvme-fabrics: use reserved tag for reg read/write command

drm/fbdev-dma: Only set smem_start is enable per module option

drm/amdgpu: avoid using null object of framebuffer

Patch introduced regression and was reverted later.

tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc

usb: hub: Guard against accesses to uninitialized BOS descriptors

dmaengine: fix NULL pointer in channel unregistration function

PM: sleep: Fix possible deadlocks in core system-wide PM code

PM: sleep: Fix possible deadlocks in core system-wide PM code

PM: sleep: Fix possible deadlocks in core system-wide PM code

RDMA/siw: Fix connection failure handling

net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg

wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()

wifi: rt2x00: restart beacon queue when hardware reset

PM / devfreq: Fix buffer overflow in trans_stat_show

io_uring/net: fix overflow check in io_recvmsg_mshot_prep()

net/sched: Fix mirred deadlock on device recursion

net/sched: Fix mirred deadlock on device recursion

net/mlx5e: Prevent deadlock while disabling aRFS

net/mlx5e: Prevent deadlock while disabling aRFS

drm/amdgpu : Add hive ras recovery check

drm/amdgpu : Add hive ras recovery check

drm/amdgpu: Skip do PCI error slot reset during RAS recovery

netfilter: nft_set_pipapo: walk over current view on netlink dump

nf_tables: missing iterator type in lookup walk

Out of scope: not affected

io_uring/io-wq: Use set_bit() and test_bit() at worker->flags

drm/i915/dpt: Make DPT object unshrinkable

raid1: fix use-after-free for original bio in raid1_write_request()

ext4: avoid online resizing failures due to oversized flex bg

ext4: avoid online resizing failures due to oversized flex bg

io_uring/unix: drop usage of io_uring socket

io_uring/unix: drop usage of io_uring socket

io_uring: drop any code related to SCM_RIGHTS

io_uring: drop any code related to SCM_RIGHTS

igb: Fix string truncation warnings in igb_set_fw_version

A complex adaptation is needed which is not possible to implement safely. Only Android OS is affected. Low score CVE.

Complex adaptation required.

drm/amdgpu: Init zone device and drm client after mode-1 reset on reload

Existing kernels aren't affected

This CVE has been rejected upstream

net: nexthop: Initialize all fields in dumped nexthops

mptcp: pm: Fix uaf in __timer_delete_sync

bpf: Fix overrunning reservations in ringbuf

bpf: Fix overrunning reservations in ringbuf

USB: serial: mos7840: fix crash on resume

USB: serial: mos7840: fix crash on resume

cxl/port: Fix use-after-free, permit out-of-order decoder shutdown

netfilter: nft_payload: sanitize offset and length before calling skb_checksum()

net/smc: fix illegal rmb_desc access in SMC-D connection dump

block: initialize integrity buffer to zero before writing it to media

selinux,smack: don't bypass permissions check in inode_setsecctx hook

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE

bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()

arm64: probes: Remove broken LDR (literal) uprobe support

bpf: Fix out-of-bounds write in trie_get_next_key()

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

xfrm: fix one more kernel-infoleak in algo dumping

xfrm: validate new SA's prefixlen using SA family when sel.family is unset

Bluetooth: bnep: fix wild-memory-access in proto_unregister

Bluetooth subsystem. Patched function may wait for a while, which may prevent patching/unpatching.

Bluetooth: SCO: Fix UAF on sco_sock_timeout

Bluetooth: ISO: Fix UAF on iso_sock_timeout

bpf: Fix a sdiv overflow issue

arm64: Low-score CVE requiring adaptation that is hard to implement; targets very rare hardware

RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages

mptcp: cope racing subflow creation in mptcp_rcv_space_adjust

mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address

perf/aux: Fix AUX buffer serialization

perf/aux: Fix AUX buffer serialization (Adaptation)

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink()

Discard stale CPU state when handling SVE traps

i40e: fix i40e_count_filters() to count only active/new filters

fix race condition by adding filter's intermediate sync state

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

mm: fix NULL pointer dereference in alloc_pages_bulk_noprof

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

can: bcm: Fix UAF in bcm_proc_show()

CVE Rejected

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

HID: core: zero-initialize the report buffer

Out of scope: ARM64 architecture isn't supported for current kernel

blk-cgroup: fix list corruption from resetting io

net/mlx5e: Use a memory barrier to enforce PTP WQ

netfilter: nf_tables: use timestamp to check for

netfilter: nf_tables: use timestamp to check for

nvme: fix reconnection fail due to reserved tag

lib/test_hmm.c: handle src_pfns and dst_pfns

net: micrel: Fix receiving the timestamp in the

mm/vmscan: fix a bug calling wakeup_kswapd() with

tipc: fix UAF in error path

ethernet: hisilicon: hns: hns_dsaf_misc: fix a

octeontx2-af: avoid off-by-one read from

net: ena: Fix incorrect descriptor free behavior

vt: fix memory overlapping when deleting chars in

tcp: Use refcount_inc_not_zero() in

can: j1939: prevent deadlock by changing

can: j1939: prevent deadlock by changing

r8169: Fix possible ring buffer corruption on

net: hns3: fix use-after-free bug in

netfilter: tproxy: bail out if IP has been