of: module: add buffer overflow check in of_modalias()

Patched function waits for external events, which may prevent patching/unpatching.

Bluetooth: msft: fix slab-use-after-free in msft_do_close()

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

tracing: Free buffers when a used dynamic event is removed

hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails

net: tun: Fix use-after-free in tun_detach()

exec: Fix ToCToU between perm check and set-uid/gid usage

vhost/vsock: always initialize seqpacket_allow

vhost/vsock: always initialize seqpacket_allow

net: bridge: mcast: wait for previous gc cycles when removing port

hwmon: (w83627ehf) Fix underflows seen when writing limit attributes

hwmon: (lm95234) Fix underflows seen when writing limit attributes

hwmon: (adc128d818) Fix underflows seen when writing limit attributes

ipv6: prevent UAF in ip6_send_skb()

scsi: aacraid: Fix double-free on probe failure

drm/amdgpu: Fix out-of-bounds write warning

idpf: fix memory leaks and crashes while performing a soft reset

Blamed commit 90912f9 ("idpf: convert header split mode to libeth + napi_build_skb()") is absent.

ext4: fix double brelse() the buffer of the extents path

ext4: aovid use-after-free in ext4_ext_insert_extent()

ext4: fix slab-use-after-free in ext4_split_extent_at()

ext4: avoid use-after-free in ext4_ext_show_leaf()

wifi: ath11k: fix array out-of-bound access in SoC stats

Bluetooth: L2CAP: Fix uaf in l2cap_connect

Bluetooth: hci_core: Fix calling mgmt_device_connected

ext4: fix timer use-after-free on failed mount

ext4: no need to continue when the number of entries is 1

ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free

drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer

drm/amdgpu: fix mc_data out-of-bounds read warning

drm/amdgpu: fix ucode out-of-bounds read warning

drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number

of/irq: Prevent device address out-of-bounds read in interrupt map walk

HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup

ACPI: sysfs: validate return type of _STR method

powercap: intel_rapl: Fix off by one in get_rpi()

wifi: rtw89: avoid reading out of bounds when loading TX power FW elements

slip: make slhc_remember() more robust against malicious packets

ppp: fix ppp_async_encode() illegal access

fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF

sch/netem: fix use after free in netem_dequeue

spi: nxp-fspi: fix the KASAN report out-of-bounds bug

vhost_vdpa: assign irq bypass producer token correctly

mm: call the security_mmap_file() LSM hook in remap_file_pages()

mm: split critical region in remap_file_pages() and invoke LSMs in between

iommufd: Protect against overflow of ALIGN() during iova allocation

sched: sch_cake: fix bulk flow accounting logic for host fairness

wifi: rtw88: always wait for both firmware loading attempts

macsec: Fix use-after-free while sending the offloading packet

net: sched: fix use-after-free in taprio_change()

udf: fix uninit-value use in udf_get_fileshortad

nvmet-auth: assign dh_key to NULL after kfree_sensitive

net: explicitly clear the sk pointer, when pf->create fails

smb: client: fix OOBs when building SMB2_IOCTL request

wifi: cfg80211: clear wdev->cqm_config pointer on free

drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()

net: usb: lan78xx: Fix double free issue with interrupt buffer allocation

PCI: Fix use-after-free of slot->bus on hot remove

nfsd: make sure exp active before svc_export_show

net: inet: do not leave a dangling sk pointer in inet_create()

net: inet6: do not leave a dangling sk pointer in inet6_create()

Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync

drm/amdgpu: fix usage slab after free

Bluetooth: RFCOMM: avoid leaving dangling sk pointer in rfcomm_sock_alloc()

xsk: fix OOB map writes when deleting elements

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()

Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

Bluetooth: btmtk: avoid UAF in btmtk_process_coredump

scsi: sg: Fix slab-use-after-free read in sg_release()

drm/dp_mst: Ensure mst_primary pointer is valid in drm_dp_mst_handle_up_req()

tipc: guard against string buffer overrun

Bluetooth: hci_conn: helper

Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync

smb: client: fix UAF in async decryption

driver core: bus: Fix double free in driver API bus_register()

uprobe: avoid out-of-bounds memory access of fetching args

tty: n_gsm: Fix use-after-free in gsm_cleanup_mux

parport: Proper fix for array out-of-bounds access

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

net: sched: use RCU read-side critical section in taprio_dump()

net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()

low-scored CVE which inevitably will cause verification conflicts with freezable kthread and cifs reading routines.

hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer

SUNRPC: make sure cache entry active before cache_show

Patch affects initramfs

block, bfq: fix bfqq uaf in bfq_limit_depth()

NFSv4.0: Fix a use-after-free problem in the asynchronous open()

wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()

Bluetooth: Ignore too large handle values in BIG

gpio: pca953x: fix pca953x_irq_bus_sync_unlock race

fs: prevent out-of-bounds array speculation when closing a file descriptor

ASoC: TAS2781: Fix tasdev_load_calibrated_data()

ice: Add a per-VF limit on number of FDIR filters

ice: Add a per-VF limit on number of FDIR filters

block: fix deadlock between sd_remove & sd_release

ext4: make sure the first directory block is not a hole

ext4: check dot and dotdot of dx_root before making dir indexed

sysctl: always initialize i_uid/i_gid

devres: Fix memory leakage caused by driver API devm_free_percpu()

Bluetooth: MGMT: Add error handling to pair_device()

ext4: sanity check for NULL pointer after ext4_force_shutdown

bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory accesses

md/raid5: avoid BUG_ON() while continue reshape after reassembling

gpio: prevent potential speculation leaks in gpio_device_get_desc()

driver core: Fix uevent_show() vs driver detach race

cgroup/cpuset: fix panic caused by partcmd_update

pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv

arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry

userfaultfd: fix checks for huge PMDs

tcp_bpf: fix return value of tcp_bpf_sendmsg()

drm/amdgpu: fix the waring dereferencing hive

drm/amdgpu: Fix the warning division or modulo by zero

drm/amd/amdgpu: Check tbo resource pointer

drm/amdgpu: the warning dereferencing obj for nbio_v7_4

drm/amdgpu: Fix smatch static checker warning

blk_iocost: fix more out of bound shifts

fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name

ACPI: PAD: fix crash in exit_round_robin()

wifi: cfg80211: Set correct chandef when starting CAC

wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit

wifi: rtw89: avoid to add interface to list twice when SER

ppp: do not assume bh is held in ppp_channel_bridge_input()

net: add more sanity checks to qdisc_pkt_len_init()

Bluetooth: hci_sync: Add helper functions to manipulate cmd_sync queue

Bluetooth: MGMT: Fix possible crash on mgmt_index_removed

sched/smt: Introduce sched_smt_present_inc/dec() helper

sched/smt: Fix unbalance sched_smt_present dec/inc

pipe: wakeup wr_wait after setting max_usage

pipe: wakeup wr_wait after setting max_usage kpatch

watch_queue: fix pipe accounting mismatch

net: wwan: fix global oob in wwan_rtnl_policy

net: wwan: fix global oob in wwan_rtnl_policy

Vendor reverted in d1aa0c04294 as it causes deadlocks

dm cache: fix potential out-of-bounds access on the first resume

virtio_net: Add hash_key_length check

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame

serial: protect uart_port_dtr_rts() in uart_shutdown() too

blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race

blk-mq: setup queue ->tag_set before initializing hctx

iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices

Bluetooth: ISO: Fix multiple init when debugfs is disabled

Bluetooth: Call iso_exit() on module unload

thermal: intel: int340x: processor: Fix warning during module unload

zram: free secondary algorithms names

zram: don't free statically defined names

xhci: tegra: fix checked USB2 port number

NFSD: Prevent a potential integer overflow

rcu/kvfree: Fix data-race in __mod_timer / kvfree_call_rcu

EDAC/bluefield: Fix potential integer overflow

net: sched: fix ordering of qlen adjustment

wifi: rtlwifi: Drastically reduce the attempts to read efuse in case of failures

zram: fix NULL pointer in comp_algorithm_show()

PCI: keystone: Fix NULL pointer dereference in case of DT error in ks_pcie_setup_rc_app_regs()

exfat: fix potential deadlock on __exfat_get_dentry_set

net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE

net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE

dm-raid: Fix WARN_ON_ONCE check for sync_thread in raid_resume

ext4: fix infinite loop when replaying fast_commit

cgroup/cpuset: Prevent UAF in proc_cpuset_show()

lib: objagg: Fix general protection fault

scsi: lpfc: Fix a possible null pointer dereference

xdp: fix invalid wait context of page_pool_destroy()

workqueue: wq_watchdog_touch is always called with valid CPU

fsnotify: clear PARENT_WATCHED flags lazily

lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()

block: fix potential invalid pointer dereference in blk_add_partition

ext4: check stripe size compatibility on remount as well

icmp: change the order of rate limits

vdpa/mlx5: Fix invalid mr resource destroy

x86/sgx: Fix deadlock in SGX NUMA node search

cachefiles: fix dentry leak in cachefiles_open_file()

nfsd: map the EBADMSG to nfserr_io to avoid warning

resource: fix region_intersects() vs add_memory_driver_managed()

ext4: update orig_path in ext4_find_extent()

platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug

drm/amdgpu: add list empty check to avoid null pointer issue

x86/ioapic: Handle allocation failures gracefully

wifi: iwlwifi: mvm: avoid NULL pointer dereference

Complex adaptation required (too many dependency patches)

net: Make copy_safe_from_sockptr() match documentation

Bluetooth: hci_sock: Fix not validating setsockopt user input

Bluetooth: ISO: Fix not validating setsockopt user input

Bluetooth: L2CAP: Fix not validating setsockopt user input

Bluetooth: RFCOMM: Fix not validating setsockopt user input

Bluetooth: SCO: Fix not validating setsockopt user input

Bluetooth: Fix memory leak in hci_req_sync_complete()

Bluetooth: HCI: Fix potential null-ptr-deref

Bluetooth: qca: add missing firmware sanity checks

Bluetooth: qca: fix firmware check error path

bpf: Remove tst_run from lwt_seg6local_prog_ops.

bpf: Remove tst_run from lwt_seg6local_prog_ops.

Requires adaptation (missing commit e7b02296)

nfsd: return -EINVAL when namelen is 0

xen/netfront: stop tx queues during live migration

xen-netfront: Fix NULL sring after live migration

fscache: Fix oops due to race with cookie_lru and use_cookie

fscache: Fix oops due to race with cookie_lru and use_cookie

ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()

net: phy: micrel: Fix potential null pointer dereference

Bluetooth: btintel: Fix null ptr deref in btintel_read_version

net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list()

smb: Initialize cfid->tcon before performing network ops

sunrpc: clear XPRT_SOCK_UPD_TIMEOUT when reset transport

PCI/MSI: Handle lack of irqdomain gracefully

Bluetooth: hci_event: Fix using rcu_read_(un)lock while iterating

drm/i915: Fix NULL pointer dereference in capture_engine

nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur

Out of scope: ARM architecture isn't supported for current kernel

jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error

ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()

ext4: filesystems without casefold feature cannot be mounted with siphash

Older kernels don't have the affected src code

r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun"

r8169: add tally counter fields added with RTL8125

r8169: add tally counter fields added with RTL8125

NFSD: Force all NFSv4.2 COPY requests to be synchronous

uprobes: fix kernel info leak via "[uprobes]" vma

net: stmmac: Fix zero-division error when disabling tc cbs

iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count

block: fix integer overflow in BLKSECDISCARD

drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX

drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX

secretmem: disable memfd_secret() if arch cannot set direct map

ext4: don't set SB_RDONLY after filesystem errors

device property: Introduce device_for_each_child_node_scoped()

pinctrl: intel: platform: fix error path in device_for_each_child_node()

mm/swapfile: skip HugeTLB pages for unuse_vma

maple_tree: correct tree corruption on spanning store

drm/radeon: Fix encoder->possible_clones

mm/page_alloc: let GFP_ATOMIC order-0 allocs access highatomic reserves

wifi: ath10k: Fix memory leak in management tx

bugfix for module from non-standard kernel-modules-partner package

static_call: Handle module init failure correctly in static_call_del_module()

ext4: fix i_data_sem unlock order in ext4_ind_migrate()

Patch not necessary, the size of the struct remains the same.

Kernels not vulnerable

exfat: fix memory leak in exfat_load_bitmap()

ext4: fix access to uninitialised lock in fc replay path

kthread: unpark only parked kthread

bpf, sockmap: Fix race between element replace and close()

sock_map: avoid race between sock_map_close and sk_psock_put

bpf, sockmap: Avoid using sk_socket after free when sending

bonding: fix xfrm real_dev null pointer dereference

fs/netfs/fscache_cookie: add missing "n_accesses" check

netem: fix return value if duplicate enqueue fails

mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0

usb: dwc3: core: Prevent USB core invalid event buffer address access

Input: uinput - reject requests with unreasonable number of slots

Complex adaptation required. Low impact CVE.

block, bfq: fix possible UAF for bfqq->bic with merge chain

nfsd: call cache_put if xdr_reserve_space returns NULL

sock_map: Add a cond_resched() in sock_hash_free()

tpm: Clean up TPM space after command failure

padata: use integer wrap around to prevent deadlock on seq_nr overflow

wifi: mac80211: don't use rate mask for offchannel TX either

wifi: mt76: mt7915: fix oops on non-dbdc mt7986

wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()

nvme-rdma: unquiesce admin_q before destroy it

wifi: rtw89: check return value of ieee80211_probereq_get() for RNR

platform/x86/intel/pmc: Fix pmc_core_iounmap to call iounmap for valid addresses

Out of scope: not affected

drm/amd: Guard against bad data for ATIF ACPI method

drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported

scsi: target: core: Fix null-ptr-deref in target_alloc_device()

bpf: devmap: provide rxq after redirect

smb: client: fix possible double free in smb2_set_ea()

vsock: Update rx_bytes on read_skb()

net: Fix an unsafe loop on the list

net: Fix an unsafe loop on the list

device-dax: correct pgoff align in dax_set_mapping()

net/sched: accept TCA_STAB only for root qdisc

Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change

net: phy: Remove LED entry from LEDs list on unregister

usb: typec: tipd: Free IRQ only if it was requested before

usb: typec: altmode should keep reference to parent

usb: typec: altmode should keep reference to parent

The vulnerable commit isn't present in the kernel

The vulnerable commit isn't present in the kernel

md: change the return value type of md_write_start to void

rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read

low score CVE with complex adaptation

iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()

soc: qcom: Add check devm_kasprintf() returned value

soc: qcom: socinfo: fix revision check in qcom_socinfo_probe()

soc: qcom: socinfo: Avoid out of bounds read of serial number

vsock: Keep the binding until socket destruction

vsock: Orphan socket after transport release

net: ppp: Add bound checking for skb data on ppp_sync_txmung

dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature

sched: sch_cake: add bounds checks to host bulk flow fairness counts

cifs: Fix integer overflow while processing acregmax mount option

misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os

ndisc: use rcu protection in ndisc_alloc_skb()

vlan: enforce underlying device type

net: gso: fix ownership in __udp_gso_segment

xsk: fix an integer overflow in xp_create_and_assign_umem()

net: fix geneve_opt length integer overflow

net: fix geneve_opt length integer overflow

wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi

ext4: fix OOB read when checking dotdot dir