nvme: tcp: avoid race between queue_lock lock and destroy

perf: Fix perf_event_validate_size()

perf: Fix perf_event_validate_size() lockdep splat

net: pktgen: fix access outside of user given buffer in pktgen_thread_write()

smb: client: Fix use-after-free in cifs_fill_dirent

dm cache: prevent BUG_ON by blocking retries on failed device resumes

orangefs: Do not truncate file size

__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock

media: cx231xx: set device_caps for 417

nvmet-tcp: don't restore null sk_state_change

vxlan: Annotate FDB data races

scsi: target: iscsi: Fix timeout on deleted connection

Patch targets ARM architecture, which this distro does not support.

platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()

virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN

crypto: algif_hash - fix double free in hash_accept

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

[PATCH] sch_htb: make htb_qlen_notify() idempotent

[PATCH] sch_qfq: make qfq_qlen_notify() idempotent

[PATCH] sch_htb: make htb_deactivate() idempotent

[PATCH] sch_ets: make est_qlen_notify() idempotent

[PATCH] sch_drr: make drr_qlen_notify() idempotent

[PATCH] sch_hfsc: make hfsc_qlen_notify() idempotent

[PATCH] net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()

[PATCH] net/sched: Always pass notifications when child class becomes empty

wifi: ath11k: fix node corruption in ar->arvifs list

CONFIG_CLK_RASPBERRYPI is not enabled on UEK7

bpf: Fix WARN() in get_bpf_raw_tp_regs

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

wifi: ath9k_htc: Abort software beacon handling if disabled

bpf: Avoid __bpf_prog_ret0_warn when jit fails

calipso: Don't call calipso functions for AF_INET sk.

calipso: unlock rcu before returning -EAFNOSUPPORT

net: openvswitch: Fix the dead loop of MPLS parse

Squashfs: check return result of sb_min_blocksize

squashfs: fix memory leak in squashfs_fill_super

bus: fsl-mc: fix double-free on mc_dev

fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()

dmaengine: ti: Add NULL check in udma_probe()

do_change_type(): refuse to operate on unmounted/not ours mounts

[PATCH] use uniform permission checks for all mount propagation

scsi: core: ufs: Fix a hang in the error handler

ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()

ptp: fix breakage after ptp_vclock_in_use() rework

net_sched: prio: fix a race in prio_tune()

net_sched: red: fix a race in __red_change()

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

x86/iopl: Cure TIF_IO_BITMAP inconsistencies

nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request

media: cxusb: no longer judge rbuf when the write fails

ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330

fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var

ipc: fix to protect IPCS lookups using RCU

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

net: ch9200: fix uninitialised access during mii_nway_restart

exfat: fix double free in delayed_free

jfs: fix array-index-out-of-bounds read in add_missing_indices

software node: Correct a OOB check in software_node_get_reference_args()

scsi: lpfc: Use memcpy() for BIOS version

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

platform/x86: dell_rbu: Fix list usage

drivers/rapidio/rio_cm.c: prevent possible heap overwrite

jffs2: check that raw node were preallocated before writing summary

jffs2: check jffs2_prealloc_raw_node_refs() result in few other places

mm/hugetlb: unshare page tables during VMA split, not before

Complex adaptation required. High risk of regression.

wifi: carl9170: do not ping device which has failed to load firmware

mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().

tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer

calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().

arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()

drm/tegra: Fix a possible null pointer dereference

vsock/vmci: Clear the vmci transport packet properly when initializing it

platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks

scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()

ACPICA: Refuse to evaluate a method if arguments are missing

nvme-tcp: sanitize request list handling

nvme-tcp: sanitize request list handling

clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

HID: core: ensure the allocated report buffer can contain the reserved report ID

HID: core: do not bypass hid_hw_raw_request

vsock: Do not allow binding to VMADDR_PORT_ANY

perf: Revert to requiring CAP_SYS_ADMIN for uprobes

netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()

nbd: fix uaf in nbd_genl_connect() error path

raid10: cleanup memleak at raid10_make_request

aoe: avoid potential deadlock at set_capacity

drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling

tipc: Fix use-after-free in tipc_conn_close().

net/sched: Abort __tc_modify_qdisc if parent class does not exist

md/raid1: Fix stack memory use after return in raid1_reshape

benet: fix BUG when creating VFs

Complex adaptation required. Livepatching of this vulnerability can harm the network subsystem..

vsock: Fix transport_{g2h,h2g} TOCTOU

vsock: Fix transport_* TOCTOU

virtio-net: ensure the received length does not exceed allocated size

fs: writeback: fix use-after-free in __mark_inode_dirty()

rseq: Fix segfault on registration when rseq_cs is non-zero

netlink: Fix wraparounds of sk->sk_rmem_alloc.

usb: gadget: u_serial: Fix race condition in TTY wakeup

bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT

netlink: avoid infinite retry looping in netlink_unicast()

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

atm: clip: Fix infinite recursive call of clip_push().

atm: clip: Fix potential null-ptr-deref in to_atmarpd().

atm: clip: Fix memory leak of struct clip_vcc.

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg kpatch

i40e: add validation for ring_len param

i40e: validate ring_len parameter against hardware-specific values

phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode

usb: gadget: configfs: Fix OOB read on empty string write

usb: net: sierra: check for no status endpoint

ipv6: mcast: Delay put pmc->idev in mld_del_delrec()

PEEMPT_RT config isn't enabled

regulator: core: fix NULL dereference on unbind due to stale coupling data

regulator: core: fix NULL dereference on unbind due to stale coupling data

wifi: rtl818x: Kill URBs before clearing tx status queue

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

ipv6: reject malicious packets in ipv6_gso_segment()

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Fix size validation in convert_chmap_v3()

xfs: do not propagate ENODATA disk errors into xattr code

Out of scope: boot time issue

Out of scope: boot time issue

device-dax: correct pgoff align in dax_set_mapping()

wifi: mwifiex: Initialize the chan_stats array to zero

wifi: mwifiex: Initialize the chan_stats array to zero

net: pds_core: Fix possible double free in error handling path

pds_core: remove write-after-free of client_id

Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()

sctp: linearize cloned gso packets in sctp_rcv

net: bridge: fix soft lockup in br_multicast_query_expired()

net: bridge: fix soft lockup in br_multicast_query_expired()

Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()

e1000e: fix heap overflow in e1000_set_eeprom

iwlwifi: Add missing check for alloc_ordered_workqueue

wifi: ath11k: clear initialized flag for deinit-ed srng lists

pptp: ensure minimal skb length in pptp_xmit()

pptp: fix pptp_xmit() error path

net/packet: fix a race in packet_set_ring() and packet_notifier()

usb: gadget : fix use-after-free in composite_dev_cleanup()

ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()

ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr

scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated

scsi: bfa: Double-free fix

scsi: bfa: Double-free fix

RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()

net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

netfilter: nf_reject: don't leak dst refcount for loopback packets

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

HID: asus: fix UAF via HID_CLAIMED_INPUT validation

wifi: cfg80211: fix use-after-free in cmp_bss()

i40e: Fix potential invalid access when MAC list is empty

scsi: lpfc: Fix buffer free/clear order in deferred receive path

dma-buf: insert memory barrier before updating num_fences

mm/slub: avoid accessing metadata when pointer is invalid in object_err()

crypto: essiv - Check ssize for decryption and in-place encryption

kpatch add alt asm definitions

kpatch add paravirt asm definitions

ocfs2: fix recursive semaphore deadlock in fiemap call

fbcon: fix integer overflow in fbcon_do_set_font

fbcon: fix integer overflow in fbcon_do_set_font

net/9p: fix double req put in p9_fd_cancelled

net/ip6_tunnel: Prevent perpetual tunnel growth

ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card

scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()

dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees

cnic: Fix use-after-free bugs in cnic_delete_task

nexthop: Forbid FDB status change while nexthop is in a group

drm/gma500: Fix null dereference in hdmi teardown

scsi: target: target_core_configfs: Add length check to avoid buffer overflow

perf: arm_spe: Prevent overflow in PERF_IDX2OFF()

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast

uio_hv_generic: Let userspace take care of interrupt mask

mm: hugetlb: avoid soft lockup when mprotect to large memory area

pinctrl: check the return value of pinmux_ops::get_function_name()

drm/vmwgfx: Fix Use-after-free in validation

net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()

sctp: Fix MAC comparison to be constant-time

KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

media: mc: Clear minor number before put device

dm: fix NULL pointer dereference in __dm_suspend()

pid: Add a judgment for ns null in pid_nr_ns

tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.

tracing: dynevent: Add a missing lockdown check on dynevent

media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove

crypto: rng - Ensure set_ent is always present

crypto: rng - Ensure set_ent is always present (kpatch adaptation)

blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx

bpf: Explicitly check accesses to bpf_sock_addr

ocfs2: fix double free in user_cluster_connect()

bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}

ext4: detect invalid INLINE_DATA + EXTENTS flag combination

netfilter: nf_tables: reject duplicate device on updates

Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak

vfs: Don't leak disconnected dentries on umount

usb: gadget: f_acm: Refactor bind path to use __free()

PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()

libceph: fix invalid accesses to ceph_connection_v1_info

i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

qed: Don't collect too many protection override GRC elements

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

udp: Fix memory accounting leak.

Introduced and fixed in v5.15.0-315.196.3, no live patching needed.

can: peak_usb: fix shift-out-of-bounds issue

media: rc: fix races with imon_disconnect()

media: tuner: xc5000: Fix use-after-free in xc5000_release

scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod

pps: fix warning in pps_register_cdev when register device fail

ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping

net: dlink: handle copy_thresh allocation failure

fs: udf: fix OOB read in lengthAllocDescs handling

ext4: verify orphan file size is not too big

ext4: verify orphan file size is not too big (kpatch adaptation)

ext4: guard against EA inode refcount underflow in xattr update

fs/proc: fix uaf in proc_readdir_de()

tipc: Fix use-after-free in tipc_mon_reinit_self().

vsock: Ignore signal/timeout on connect() if already established

net/mlx5: Clean up only new IRQ glue on request_irq() failure

sunrpc: fix client side handling of tls alerts

SUNRPC: call xs_sock_process_cmsg for all cmsg

mptcp: fix race condition in mptcp_schedule_work()

bpf: Sync pending IRQ work before freeing ring buffer

net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup

drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD

Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF

sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd

mm/ksm: fix flag-dropping behavior in ksm_madvise

ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

be2net: pass wrb_params in case of OS2BMC

scsi: sg: Do not sleep in atomic context

NFSD: Fix crash in nfsd4_read_release()

ACPI: video: Fix use-after-free in acpi_video_switch_brightness()

nvme-fc: use lock accessing port_state and rport state

net: ipv6: fix field-spanning memcpy warning in AH output

nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing

Bluetooth: SCO: Fix UAF on sco_conn_free

Bluetooth: bcsp: receive data only if registered

nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()

libceph: prevent potential out-of-bounds writes in handle_auth_session_key()

fbdev: bitblit: bound-check glyph index in bit_putcs*

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

mm/secretmem: fix use-after-free race in fault handler

net: atlantic: fix fragment overflow handling in RX path

usb: storage: sddr55: Reject out-of-bound new_pba

usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths

libceph: fix potential use-after-free in have_mon_and_osd_map()

libceph: fix potential use-after-free in have_mon_and_osd_map()

scsi: megaraid_sas: Fix invalid node index

net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()

net: qlogic/qede: fix potential out-of-bounds read in qede_tpa_cont() and qede_tpa_end()

net: sched: act_connmark: initialize struct tc_ife to fix kernel leak

wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode

scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()

usbnet: Prevents free active kevent

sctp: Prevent TOCTOU out-of-bounds write

usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer

mptcp: Fix proto fallback detection with BPF

jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted

ext4: refresh inline data size before write operations

ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()

gpu: host1x: Fix race in syncpt alloc/free

drm/vgem-fence: Fix potential deadlock on release

crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id

macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse

wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()

wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()

NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid

NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags

ALSA: dice: fix buffer overflow in detect_stream_formats()

Out of scope: not affected

net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()

media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()

ocfs2: fix kernel BUG in ocfs2_find_victim_chain

libceph: make decode_pool() more resilient against corrupted osdmaps

iavf: fix off-by-one issues in iavf_config_rss_reg()

ip6_gre: make ip6gre_header() robust

arp: do not assume dev_hard_header() does not change skb->head

team: fix check for port enabled in team_queue_override_port_prio_changed()

smc91x: fix broken irq-context in PREEMPT_RT

net: usb: asix: validate PHY address before use

ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()

ipv4: Fix reference count leak when using error routes with nexthop objects

e1000: fix OOB in e1000_tbi_should_accept()

RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem

drm/vmwgfx: Fix a null-ptr access in the cursor snooper

usb: xhci: move link chain bit quirk checks into one helper function.

usb: xhci: Apply the link chain quirk on NEC isoc endpoints

wifi: mac80211: Discard Beacon frames to non-broadcast address

page_pool: Fix use-after-free in page_pool_recycle_in_ring

KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS

HID: core: Harden s32ton() against conversion to 0 bits

net: 3com: 3c59x: fix possible null dereference in vortex_probe1()

libceph: replace overzealous BUG_ON in osdmap_apply_incremental()

libceph: make free_choose_arg_map() resilient to partial allocation

libceph: make calc_target() set t->paused, not just clear it

Out of scope: not affected

ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()

dmaengine: bcm-sba-raid: fix device leak on probe

l2tp: avoid one data-race in l2tp_tunnel_del_work()

net/sched: Enforce that teql can only be used as root qdisc

crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec

regmap: Fix race condition in hwspinlock irqsave routine

mISDN: annotate data-race around dev->work

ipv6: annotate data-race in ndisc_router_discovery()

be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list

leds: led-class: Only Add LED to leds_list when it is fully ready

ALSA: ctxfi: Fix potential OOB access in audio mixer handling

ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()

wifi: ath10k: fix dma_free_coherent() pointer

can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak

can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak

can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak

migrate: correct lock ordering for hugetlb file folios

bpf: Do not let BPF test infra emit invalid GSO types to stack

bpf: Reject narrower access to pointer ctx fields

Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work

rocker: fix memory leak in rocker_world_port_post_fini()

scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()

usbnet: Fix using smp_processor_id() in preemptible code warnings

Out of scope: not affected

Out of scope: not affected

sfc: fix NULL dereferences in ef100_process_design_param()