btrfs: zoned: fix use-after-free due to race with dev replace

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

ima: Fix use-after-free on a dentry's dname.name

f2fs: check validation of fault attrs in

netfilter: nf_tables: restore set elements when delete set fails

rxrpc: Fix delayed ACKs to not set the reference serial number

rxrpc: Fix delayed ACKs to not set the reference serial number (Adaptation)

bpf: Fix overrunning reservations in ringbuf

bpf: Fix overrunning reservations in ringbuf (adaptation)

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

gfs2: Fix potential glock use-after-free on unmount

watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger

netem: fix return value if duplicate enqueue fails

netfilter: netfilter: nf_tables: use timestamp to check for set element timeout

netfilter: netfilter: nf_tables: use timestamp to check for set element timeout kpatch

ipv6: fix possible UAF in ip6_finish_output2()

ipv6: prevent UAF in ip6_send_skb()

atm: idt77252: prevent use after free in dequeue_rx()

Architecture is not supported

scsi: aacraid: Fix double-free on probe failure

drm/amdgpu: Fix out-of-bounds write warning

VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

binder: fix UAF caused by offsets overwrite

Squashfs: sanity check symbolic link size

HID: amd_sfh: free driver_data after destroying hid device

hfsplus: fix uninit-value in copy_name

gtp: pull network headers in gtp_dev_xmit()

tap: add missing verification for short frame

tun: add missing verification for short frame

drm/amd/pm: fix the Out-of-bounds read warning

drm/amdgpu: fix ucode out-of-bounds read warning

um: line: always fill *error_out in setup_one_line()

drm/amdgpu: fix mc_data out-of-bounds read warning

exec: Fix ToCToU between perm check and set-uid/gid usage

drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number

HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup

of/irq: Prevent device address out-of-bounds read in interrupt map walk

netfilter: flowtable: validate vlan header

net: relax socket state check at accept time.

ax25: Fix reference count leak issues of ax25_dev

CVE patch is for RISCV arch only

scsi: core: Fix a use-after-free

scsi: core: Fix a use-after-free

net/sched: flower: Fix chain template offload

net/sched: flower: Fix chain template offload

nvme: avoid double free special payload

CVE patch is for powerpc arch only

tipc: Return non-zero value from tipc_udp_addr2str() on error

mISDN: Fix a use after free in hfcmulti_tx()

net/iucv: fix use after free in iucv_sock_close()

drm/amdkfd: don't allow mapping the MMIO HDP page with large pages

wifi: mac80211: Avoid address calculations via out of bounds array indexing

smack: tcp: ipv4, fix incorrect labeling

rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

dev/parport: fix the array out-of-bounds risk

Patched function waits for external events, which may prevent patching/unpatching.

media: venus: fix use after free in vdec_close

jfs: Fix array-index-out-of-bounds in diFree

vhost/vsock: always initialize seqpacket_allow

vhost/vsock: always initialize seqpacket_allow

net: bridge: mcast: wait for previous gc cycles when removing port

mptcp: pm: avoid possible UaF when selecting endp

ipv6: prevent possible UAF in ip6_xmit()

ocfs2: add bounds checking to ocfs2_check_dir_entry()

jfs: don't walk off the end of ealist

fs/ntfs3: Validate ff offset

filelock: Remove locks reliably when fcntl/close race is detected

drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()

netfilter: nf_tables: prefer nft_chain_validate

drm/radeon: check bo_va->bo is non-NULL before using it

Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Out of scope as the patch is for s390 arch only, x86_64 is not affected

wifi: cfg80211: wext: add extra SIOCSIWSCAN data check

null_blk: fix validation of block size

btrfs: qgroup: fix quota root leak after quota disable failure

ila: block BH in ila_output()

ata: libata-core: Fix null pointer dereference on error

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values

wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (Adaptation)

net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket

powerpc arch not supported.

drm/i915/gem: Fix Virtual Memory mapping boundaries calculation

bna: adjust 'name' buf size of bna_tcb and bna_ccb structures

ila: call nf_unregister_net_hooks() sooner

protect the fetch of ->fd[fd] in do_dup2() from mispredictions

RISCV arch not supported.

netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().

iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en

bpf: Fix a segment issue when downgrading gso_size

net: nexthop: Initialize all fields in dumped nexthops

f2fs: fix return value of f2fs_convert_inline_inode()

scsi: qla2xxx: Complete command early within lock

sched: act_ct: take care of padding in struct zones_ht_key

f2fs: fix to don't dirty inode for readonly filesystem

fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed

kobject_uevent: Fix OOB access within zap_modalias_env()

scsi: qla2xxx: Fix for possible memory corruption

scsi: qla2xxx: validate nvme_local_port correctly

nilfs2: handle inconsistent state in nilfs_btnode_create_block()

drm/amd/display: Add array index check for hdcp ddc access

drm/amd/display: Check gpio_id before used as array index

drm/amd/display: Check msg_id before processing transcation

sch/netem: fix use after free in netem_dequeue

ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

hwmon: (adc128d818) Fix underflows seen when writing limit attributes

hwmon: (lm95234) Fix underflows seen when writing limit attributes

hwmon: (nct6775-core) Fix underflows seen when writing limit attributes

hwmon: (w83627ehf) Fix underflows seen when writing limit attributes

apparmor: Fix null pointer deref when receiving skb during sock creation

media: pci: cx23885: check cx23885_vdev_init() return

drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()'

media: i2c: et8ek8: Don't strip remove function when driver is builtin

xfs: fix log recovery buffer allocation for the legacy h_size fixup

filelock: Remove locks reliably when fcntl/close race is detected

scsi: qla2xxx: During vport delete send async logout explicitly

fou: remove warn in gue_gro_receive on unsupported protocol

Out of scope: RISC V architecture isn't supported for current kernel

f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC

spi: nxp-fspi: fix the KASAN report out-of-bounds bug

dma-buf: heaps: Fix off-by-one in CMA heap fault handler

ASoC: meson: axg-card: fix 'use-after-free'

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

9p: add missing locking around taking dentry fid list

ocfs2: cancel dqi_sync_work before freeing oinfo

net/xen-netback: prevent UAF in xenvif_flush_hash()

wifi: ath11k: fix array out-of-bound access in SoC stats

fbdev: pxafb: Fix possible use after free in pxafb_task()

drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation

drm/amd/display: Fix index out of bounds in degamma hardware format translation

ext4: avoid use-after-free in ext4_ext_show_leaf()

ext4: fix slab-use-after-free in ext4_split_extent_at()

ext4: aovid use-after-free in ext4_ext_insert_extent()

ext4: fix double brelse() the buffer of the extents path

ocfs2: add bounds checking to ocfs2_xattr_find_entry()

wifi: rtw88: always wait for both firmware loading attempts

ext4: avoid OOB when system.data xattr changes underneath the filesystem

drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error

drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error

scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del()

RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds

firmware_loader: Block path traversal

net: ethernet: lantiq_etop: fix memory disclosure

net: bridge: xmit: make sure we have at least eth header len bytes

tipc: guard against string buffer overrun

ALSA: asihpi: Fix potential OOB array access

ext4: no need to continue when the number of entries is 1

ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free

aoe: fix the potential use-after-free problem in more places

fbdev: sisfb: Fix strbuf array overflow

net: explicitly clear the sk pointer, when pf->create fails

drm/amd/display: Fix index out of bounds in DCN30 color transformation

mptcp: pm: Fix uaf in __timer_delete_sync

net: dpaa: Pad packets to ETH_ZLEN

jfs: fix out-of-bounds in dbNextAG() and diAlloc()

net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

ACPI: sysfs: validate return type of _STR method

jfs: Fix uaf in dbFreeBits

jfs: Fix uninit-value access of new_ea in ea_buffer

ppp: fix ppp_async_encode() illegal access

slip: make slhc_remember() more robust against malicious packets

media: venus: fix use after free bug in venus_remove due to race condition

nilfs2: fix potential oob read in nilfs_btree_check_delete()

ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition

vhost_vdpa: assign irq bypass producer token correctly

ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()

nfsd: return -EINVAL when namelen is 0

media: usbtv: Remove useless locks in usbtv_video_free()

ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate()

RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt

IB/core: Fix ib_cache_setup_one error flow cleanup

net: mana: Fix TX CQE error handling

s390 architecture is not supported

ARM related CVE

Affects only __init function for a built-in component, so patching will have no effect

usb: typec: tcpm: Check for port partner validity before consuming it

vfio/pci: fix potential memory leak in vfio_intx_enable()

ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry()

gfs2: Fix NULL pointer dereference in gfs2_log_flush

Out of scope: s390 is not supported

Out of scope: s390 is not supported

gpio: prevent potential speculation leaks in gpio_device_get_desc()

selinux,smack: don't bypass permissions check in inode_setsecctx hook

UBUNTU: [Config] Disable BlueZ highspeed support

ax25: Fix refcount imbalance on inbound connections

net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

media: mtk-vcodec: potential null pointer deference in SCP

Bluetooth: SCO: Fix not validating setsockopt user input

Bluetooth: RFCOMM: Fix not validating setsockopt user

Bluetooth: L2CAP: Fix not validating setsockopt user input

Bluetooth: hci_sock: Fix not validating setsockopt user input

net: fec: remove .ndo_poll_controller to avoid deadlocks

net: fec: remove .ndo_poll_controller to avoid deadlocks

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing

smb: client: set correct id, uid and cruid for multiuser automounts