hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer

netfilter: ipset: add missing range check in bitmap_ip_uadt

net: sched: fix ordering of qlen adjustment

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

ocfs2: add bounds checking to ocfs2_xattr_find_entry()

bpf: Fix use-after-free in bpf_uprobe_multi_link_attach()

scsi: sd: Fix off-by-one error in sd_read_block_characteristics()

RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds

drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error

drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error

ext4: return error on ext4_find_inline_entry

ext4: avoid OOB when system.data xattr changes underneath the filesystem

RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency

RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency

f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

[PATCH] wifi: rtw88: always wait for both firmware loading attempts

crypto: hisilicon/qm - inject error before stopping queue

PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()

RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08

vhost_vdpa: assign irq bypass producer token correctly

firmware_loader: Block path traversal

x86/tdx: Fix "in-kernel MMIO" check

crypto: iaa - Fix potential use after free bug

mm: call the security_mmap_file() LSM hook in remap_file_pages()

iommufd: Protect against overflow of ALIGN() during iova allocation

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

fbdev: sisfb: Fix strbuf array overflow

net: explicitly clear the sk pointer, when pf->create fails

btrfs: fix uninitialized pointer free in add_inode_ref()

mptcp: pm: fix UaF read in mptcp_pm_nl_rm_addr_or_subflow

tcp: fix mptcp DSS corruption due to large pmtu xmit

xsk: fix OOB map writes when deleting elements

wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()

Out of scope: SuperH architecture isn't supported for current kernel

btrfs: fix use-after-free in btrfs_encoded_read_endio()

drm/xe/vm: move xa_alloc to prevent UAF

driver core: bus: Fix double free in driver API bus_register()

smb: client: fix UAF in async decryption

Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync

net: microchip: vcap api: Fix memory leaks in vcap_api_encode_rule_test()

parport: Proper fix for array out-of-bounds access

tty: n_gsm: Fix use-after-free in gsm_cleanup_mux

i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition

ice: Fix increasing MSI-X on VF

net: do not delay dst_entries_add() in dst_release()

ppp: fix ppp_async_encode() illegal access

slip: make slhc_remember() more robust against malicious packets

mm/mremap: fix move_normal_pmd/retract_page_tables race

Out of scope: patch for x86_32 arch

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

ksmbd: fix user-after-free from session log off

ksmbd: fix user-after-free from session log off

jfs: array-index-out-of-bounds fix in dtReadFirst

jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree

HID: core: zero-initialize the report buffer

net: defer final 'struct net' free in netns dismantle

net: defer final 'struct net' free in netns dismantle

drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()

blk-cgroup: Fix UAF in blkcg_unpin_online()

media: dvbdev: prevent the risk of out of memory access

uprobe: avoid out-of-bounds memory access of fetching args

tracing: Consider the NULL character when validating the event length

net: sched: fix use-after-free in taprio_change()

net: sched: use RCU read-side critical section in taprio_dump()

Bluetooth: SCO: Fix UAF on sco_sock_timeout

Bluetooth: ISO: Fix UAF on iso_sock_timeout

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

spi: mpc52xx: Add cancel_work_sync before module remove

RDMA/bnxt_re: Add a check for memory allocation

firmware: arm_scmi: Fix the double free in scmi_debugfs_common_setup()

RDMA/bnxt_re: Fix out of bound check

netdevsim: use cond_resched() in nsim_dev_trap_report_work()

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

tcp: Fix use-after-free of nreq in reqsk_timer_handler().

smb: client: fix OOBs when building SMB2_IOCTL request

udf: fix uninit-value use in udf_get_fileshortad

Out of scope: ARM64 architecture issue

nvmet-auth: assign dh_key to NULL after kfree_sensitive

macsec: Fix use-after-free while sending the offloading packet

bpf: Fix out-of-bounds write in trie_get_next_key()

netfilter: Fix use-after-free in get_info()

fs/ntfs3: Add rough attr alloc_size check

fs/ntfs3: Additional check in ntfs_file_release

wifi: cfg80211: clear wdev->cqm_config pointer on free

iov_iter: fix copy_page_from_iter_atomic() if KMAP_LOCAL_FORCE_MAP

nilfs2: fix kernel bug due to missing clearing of checked flag

wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()

media: s5p-jpeg: prevent buffer overflows

ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create

ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp

drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()

dm cache: fix flushing uninitialized delayed_work on cache_ctr error

net: vertexcom: mse102x: Fix possible double free of TX skb

usb: musb: sunxi: Fix accessing an released usb phy

USB: serial: io_edgeport: fix use after free in debug printk

iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()

ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read

wifi: iwlegacy: Clear stale interrupts before resuming device

security/keys: fix slab-out-of-bounds in key_task_permission

virtio_net: Add hash_key_length check

dm cache: fix out-of-bounds access to the dirty bitset when resizing

arm64/sve: Discard stale CPU state when handling SVE traps

media: mgb4: protect driver against spectre

bpf: Check validity of link->type in bpf_link_show_fdinfo()

drm/amd/display: Adjust VSDB parser for replay feature

crypto: qat/qat_4xxx - fix off by one in uof_get_name()

ocfs2: fix uninitialized value in ocfs2_file_read_iter()

x86/CPU/AMD: Terminate the erratum_1386_microcode array

netfilter: x_tables: fix LED ID check in led_tg_check()

The ADDRESS_MASKING config option cannot be turned off. LAM (linear address masking) would be fatal for applications using it.

block, bfq: fix bfqq uaf in bfq_limit_depth()

firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier()

smb: client: Fix use-after-free of network namespace.

smb: client: fix TCP timers deadlock after rmmod

sctp: fix possible UAF in sctp_v6_available()

vdpa: solidrun: Fix UB bug with devres

mm: avoid unsafe VMA hook invocation when error arises on mmap hook

mm: unconditionally close VMAs on error

mm: refactor map_deny_write_exec()

mm: refactor arch_calc_vm_flag_bits() and arm64 MTE handling

mm: resolve faulty mmap_region() error path behaviour

mm: reinstate ability to map write-sealed memfd mappings read-only

drm/amd/display: Handle dml allocation failure to avoid crash

Patch affects initramfs

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

sunrpc: fix one UAF issue caused by sunrpc kernel tcp socket

ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit

NFSv4.0: Fix a use-after-free problem in the asynchronous open()

SUNRPC: make sure cache entry active before cache_show

smb: client: fix NULL ptr deref in crypto_aead_setkey()

wifi: ath12k: fix warning when unbinding

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

ALSA: usb-audio: Fix a DMA to stack memory bug

usb: typec: fix potential array underflow in ucsi_ccg_sync_control()

Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync

Bluetooth: fix use-after-free in device_for_each_child()

scsi: bfa: Fix use-after-free in bfad_im_module_exit()

drm: zynqmp_kms: Unplug DRM device before removal

f2fs: fix race in concurrent f2fs_stop_gc_thread

net: usb: lan78xx: Fix double free issue with interrupt buffer allocation

drm/amdgpu: fix usage slab after free

Out of scope: IBM System/390 architecture isn't supported for current kernel

Out of scope: RISC V architecture isn't supported for current kernel

idpf: avoid vport access in idpf_get_link_ksettings

idpf: avoid vport access in idpf_get_link_ksettings

Out of scope: not affected

cxl/port: Fix use-after-free, permit out-of-order decoder shutdown

af_packet: avoid erroring out after sock_init_data() in packet_create()

drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'

bpf: fix OOB devmap writes when deleting elements

nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()

ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write

scsi: sg: Fix slab-use-after-free read in sg_release()

net: avoid potential UAF in default_operstate()

net/smc: fix LGR and link use-after-free issue

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

tipc: fix NULL deref in cleanup_bearer()

can: hi311x: hi3110_can_ist(): fix potential use-after-free

powerpc arch not supported

brd: defer automatic disk creation until module initialization succeeds

EDAC/igen6: Avoid segmentation fault on module unload

powerpc: arch is not supported

9p/xen: fix release of IRQ

jffs2: Prevent rtime decompress memory corruption

jffs2: Fix rtime decompressor

kunit: string-stream: Fix a UAF bug in kunit_init_suite()

drm/amd/display: Fix handling of plane refcount

net: sched: Disallow replacing of child qdisc from one parent to another

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

iomap: improve shared block detection in iomap_unshare_iter

iomap: don't bother unsharing delalloc extents

iomap: share iomap_unshare_iter predicate code with fsdax

fsdax: remove zeroing code from dax_unshare_iter

fsdax: dax_unshare_iter needs to copy entire blocks

fs/ntfs3: Check if more than chunk-size bytes are written

dm cache: optimize dirty bit checking with find_next_bit when resizing

dm cache: fix potential out-of-bounds access on the first resume

usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()

xfs: add bounds checking to xlog_recover_process_data

net: wwan: fix global oob in wwan_rtnl_policy

net: wwan: fix global oob in wwan_rtnl_policy

PCI: Fix use-after-free of slot->bus on hot remove

PCI: Fix use-after-free of slot->bus on hot remove

ALSA: 6fire: Release resources at card release

ALSA: 6fire: Release resources at card release

hfsplus: don't query the device logical block size multiple times

hfsplus: don't query the device logical block size multiple times

smb: prevent use-after-free due to open_cached_dir error paths

smb: prevent use-after-free due to open_cached_dir error paths

net: inet6: do not leave a dangling sk pointer in inet6_create()

btrfs: ref-verify: fix use-after-free after invalid ref action

nfsd: make sure exp active before svc_export_show

Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc

Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()

net: af_can: do not leave a dangling sk pointer in can_create()

net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()

net: inet: do not leave a dangling sk pointer in inet_create()

jfs: fix array-index-out-of-bounds in jfs_readdir