macsec: Fix use-after-free while sending the offloading packet

security/keys: fix slab-out-of-bounds in key_task_permission

NFSD: Async COPY result needs to return a write verifier

NFSD: Async COPY result needs to return a write verifier

NFSD: Limit the number of concurrent async COPY operations

NFSD: Limit the number of concurrent async COPY operations

NFSD: Initialize struct nfsd4_copy earlier

NFSD: Never decrement pending_async_copies on error

Patch affects __init

Complex adaptation required. Low impact CVE.

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

Patch affects initramfs

Out of scope: SuperH architecture isn't supported for current kernel

btrfs: ref-verify: fix use-after-free after invalid ref action

af_packet: avoid erroring out after sock_init_data() in packet_create()

xsk: fix OOB map writes when deleting elements

bpf: fix OOB devmap writes when deleting elements

mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service()

Architecture PARISC is not supported

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

tipc: fix NULL deref in cleanup_bearer()

media: s5p-jpeg: prevent buffer overflows

nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net

USB: serial: io_edgeport: fix use after free in debug printk

ALSA: usb-audio: Fix out of bounds reads when finding clock sources

Irrelevant for x64 kernels

net: do not delay dst_entries_add() in dst_release()

ALSA: 6fire: Release resources at card release

ALSA: 6fire: Release resources at card release

netfilter: x_tables: fix LED ID check in led_tg_check()

ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read

acpi: nfit: vmalloc-out-of-bounds Read in acpi_nfit_ctl

ocfs2: fix uninitialized value in ocfs2_file_read_iter()

bpf: Check validity of link->type in bpf_link_show_fdinfo()

usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()

dm cache: fix out-of-bounds access to the dirty bitset when resizing

dm cache: optimize dirty bit checking with find_next_bit when resizing

dm cache: fix potential out-of-bounds access on the first resume

net: bridge: xmit: make sure we have at least eth header len bytes

ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp

netfilter: ipset: add missing range check in bitmap_ip_uadt

ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit

9p/xen: fix release of IRQ

net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()

jfs: fix array-index-out-of-bounds in jfs_readdir

crypto: hisilicon/qm - inject error before stopping queue

ima: Fix use-after-free on a dentry's dname.name

ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write

btrfs: rename and export __btrfs_cow_block()

btrfs: fix use-after-free when COWing tree bock and tracing is enabled

xen/netfront: fix crash when removing device

HID: core: zero-initialize the report buffer

net: wwan: iosm: Fix tainted pointer delete is case of region creation fail

btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc()

jfs: fix shift-out-of-bounds in dbSplit

Out of scope: User-mode Linux isn't supported for current kernel

ALSA: us122l: Use snd_card_free_when_closed() at disconnection

ocfs2: uncache inode which has failed entering the group

NFSv4.0: Fix a use-after-free problem in the asynchronous open()

net/smc: fix LGR and link use-after-free issue

Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

Bluetooth: L2CAP: do not leave dangling sk pointer on error in l2cap_sock_create()

net: inet: do not leave a dangling sk pointer in inet_create()

net: inet6: do not leave a dangling sk pointer in inet6_create()

jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree

fou: remove warn in gue_gro_receive on unsupported protocol

net/mlx5: Always stop health timer during driver removal

cifs: Fix buffer overflow when parsing NFS reparse points

driver core: bus: Fix double free in driver API bus_register()

usb: musb: sunxi: Fix accessing an released usb phy

Kernel is not affected

mm: resolve faulty mmap_region() error path behaviour

hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer

Bluetooth: fix use-after-free in device_for_each_child()

driver core: Introduce device_find_any_child() helper

jfs: array-index-out-of-bounds fix in dtReadFirst

net: af_can: do not leave a dangling sk pointer in can_create()

EDAC/igen6: Avoid segmentation fault on module unload

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN

io_uring: fix possible deadlock in io_register_iowq_max_workers()

sctp: properly validate chunk size in sctp_sf_ootb()

ubi: fastmap: Fix duplicate slab cache names while attaching

ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove

drm/dp_mst: Fix MST sideband message body length check

low-scored CVE which causes verification conflicts with freezable kthread and cifs reading routines.

netfilter: ipset: Hold module reference while requesting a module

EDAC/bluefield: Fix potential integer overflow

ALSA: caiaq: Use snd_card_free_when_closed() at disconnection

ALSA: caiaq: Use snd_card_free_when_closed() at disconnection

oel9-uek7 kernels are compiled without CONFIG_HFSPLUS_FS

tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg

nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()

scsi: qedi: Fix a possible memory leak in qedi_alloc_and_init_sb()

net/mlx5e: Fix CT entry update leaks of modify header context

scsi: ufs: core: sysfs: Prevent div by zero

Out of scope: User-mode Linux isn't supported

NFSD: Prevent NULL dereference in nfsd4_process_cb_update()

media: v4l2-tpg: prevent the risk of a division by zero

nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint

gpio: grgpio: Add NULL check in grgpio_probe

Rejected and is no longer a valid CVE

io_uring/rw: fix missing NOWAIT check for O_DIRECT start write

media: atomisp: Add check for rgby_data memory allocation failure

octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_ethtool.c

bpf: fix recursive lock when verdict program return SK_PASS

fbdev: sh7760fb: Fix a possible memory leak in sh7760fb_alloc_mem()

ALSA: pcm: Add sanity NULL check for the default mmap fault handler

rtc: check if __rtc_read_time was successful in rtc_timer_do_work()

net/ipv6: release expired exception dst cached in socket

ionic: Fix netdev notifier unregister on failure

crypto: caam - Fix the pointer passed to caam_qi_shutdown()

net: hns3: fix kernel crash when uninstalling driver

The ndev->dev.parent mappings cannot be changed to ndev->dev.parent and driver is broken already

fs: Fix uninitialized value issue in from_kuid and from_kgid

ocfs2: free inode when ocfs2_get_init_inode() fails

This patch fixes kcsan issue on PREEMPT_RT kernels. Our customers don't have kernels with kcsan since it is a debugging feature

nfs: Fix KMSAN warning in decode_getfattr_attrs()

tracing: Prevent bad count for tracing_cpumask_write

i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs()

Complex adaptation required

net/mlx5: Fix missing lock on sync reset reload

exfat: fix potential deadlock on __exfat_get_dentry_se

SUNRPC: make sure cache entry active before cache_show

Patch targets ARM architecture, which this distro does not support.

net: hsr: avoid potential out-of-bound access in fill_frame_info()

net: lapb: increase LAPB_HEADER_LEN

crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY

netdevsim: prevent bad user input in nsim_dev_health_break_write()

blk-cgroup: Fix UAF in blkcg_unpin_online()

scsi: sg: Fix slab-use-after-free read in sg_release()

crypto: qat/qat_4xxx - fix off by one in uof_get_name()

gpiolib: cdev: Fix use after free in lineinfo_changed_notify

vdpa/mlx5: Fix invalid mr resource destroy

ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()

net: fix data-races around sk->sk_forward_alloc

scsi: mpi3mr: Fix corrupt config pages PHY state is switched in sysfs

vp_vdpa: fix id_table array not null terminated error

vp_vdpa: fix id_table array not null terminated error

PCI/MSI: Handle lack of irqdomain gracefully

net: usb: lan78xx: Fix double free issue with interrupt buffer allocation

netdevsim: use cond_resched() in nsim_dev_trap_report_work()

nvmet-auth: complete a request only after freeing the dhchap pointers

nvmet: always initialize cqe.result

bnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init()

bnxt_en: Adjust logging of firmware messages in case of released token in __hwrm_send()

bnxt_en: Fix receive ring space parameters when XDP is active

bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips

net/mlx5: DR, prevent potential error pointer dereference

nvmet-auth: assign dh_key to NULL after kfree_sensitive

scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info

bnxt_en: Fix double DMA unmapping for XDP_REDIRECT

sched/deadline: Fix warning in migrate_enable for boosted tasks

Patch meant for use with microcode update

Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE

ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe()

tipc: fix memory leak in tipc_link_xmit

net: tls: explicitly disallow disconnect

net: ppp: Add bound checking for skb data on ppp_sync_txmung

Out of scope: not affected

page_pool: avoid infinite loop to schedule delayed worker

jfs: Fix uninit-value access of imap allocated in the diMount() function

fs/jfs: Prevent integer overflow in AG size calculation

jfs: Prevent copying of nlink with value 0 from disk inode

jfs: add sanity check for agwidth in dbMount

f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()

ext4: ignore xattrs past end

scsi: st: Fix array overflow in st_setup()

net: vlan: don't propagate flags on open

pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config()

media: venus: hfi: add a check to handle OOB in sfr region

media: venus: hfi: add check to handle incorrect queue size

mtd: rawnand: brcmnand: fix PM resume warning

media: venus: hfi_parser: add check to avoid out of bound access

media: venus: hfi_parser: refactor hfi packet parsing logic

bus: mhi: host: Fix race between unprepare and queue_buf

ext4: fix off-by-one error in do_split

i3c: Add NULL pointer check in i3c_master_queue_ibi()

jbd2: remove wrong sb->s_sequence check

mfd: ene-kb3930: Fix a potential NULL pointer dereference

mtd: inftlcore: Add error check for inftl_read_oob()

ftrace: Add cond_resched() to ftrace_graph_set_hash()

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

wifi: at76c50x: fix use after free access in at76_disconnect

wifi: mac80211: Purge vif txq in ieee80211_do_stop()

wifi: wl1251: fix memory leak in wl1251_tx_work

RDMA/core: Silence oversized kvmalloc() warning

Bluetooth: btrtl: Prevent potential NULL dereference

igc: fix PTM cycle trigger logic

net: mctp: Set SOCK_RCU_FREE

net: openvswitch: fix nested key length validation in the set() action

cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path

net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered

i2c: cros-ec-tunnel: defer probe if parent EC is not present

isofs: Prevent the use of too small fid

virtiofs: add filesystem context source name check

drm/amd/pm: Prevent division by zero

drm/amd/pm/powerplay: Prevent division by zero

drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero

drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero

drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero

drm/nouveau: prime: fix ttm_bo_delayed_delete oops

misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error

filemap: Fix bounds checking in filemap_read()

phonet/pep: fix racy skb_queue_empty() use

bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

drm/amdgpu: fix usage slab after free

smb: client: fix potential UAF in cifs_dump_full_key()

CONFIG_SMB_SERVER is not enabled.

smb: client: fix UAF in async decryption

smb: client: fix NULL ptr deref in crypto_aead_setkey()

smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open()

[PATCH] smb: client: fix potential deadlock when releasing mids

[PATCH] smb: client: fix potential deadlock when releasing mids

smb: client: fix potential UAF in cifs_debug_files_proc_show()

smb: client: fix potential UAF in cifs_stats_proc_show()

bpf: avoid holding freeze_mutex during mmap operation

bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers

blk-iocost: do not WARN if iocg was already offlined

ext4: fix timer use-after-free on failed mount

ipvs: properly dereference pe in ip_vs_add_service

Patch for this CVE not required for versions we support

scsi: ufs: bsg: Set bsg_queue to NULL after removal

net: defer final 'struct net' free in netns dismantle

net: defer final 'struct net' free in netns dismantle

jfs: Fix shift-out-of-bounds in dbDiscardAG

dm cache: fix flushing uninitialized delayed_work on cache_ctr error

fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats

f2fs: check validation of fault attrs in f2fs_build_fault_attr()

pmdomain: ti: Add a null pointer check to the omap_prm_domain_init

Bluetooth: SCO: Fix UAF on sco_sock_timeout

cifs: avoid NULL pointer dereference in dbg call

cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()

cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate()

Complex adaptation required. Low impact CVE.

tipc: fix NULL pointer dereference in tipc_mon_reinit_self()

net_sched: hfsc: Fix a UAF vulnerability in class handling

net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too

mcb: fix a double free bug in chameleon_parse_gdd()

KVM: x86: Reset IRTE to host control if *new* route isn't postable

usb: cdns3: Fix deadlock when using NCM gadget

usb: dwc3: gadget: check that event count does not exceed event buffer length

USB: wdm: close race between wdm_open and wdm_wwan_port_stop

sound/virtio: Fix cancel_sync warnings on uninitialized work_structs

usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()

qibfs: fix _another_ leak

udmabuf: fix a buf size overflow issue during udmabuf creation

drm/amd/display: fix double free issue during amdgpu module unload

drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()

Out of scope: PA-RISC architecture isn't supported for current kernel

wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()

tracing: Fix oob write in trace_seq_to_buffer()

net/sched: act_mirred: don't override retval if we already lost the skb

net_sched: drr: Fix double list add in class with netem as child qdisc

net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc

net_sched: ets: Fix double list add in class with netem as child qdisc

net_sched: qfq: Fix double list add in class with netem as child qdisc

bnxt_en: Fix out-of-bound memcpy() during ethtool -w

of: module: add buffer overflow check in of_modalias()

firmware: arm_scmi: Balance device refcount when destroying devices

openvswitch: Fix unsafe attribute parsing in output_userspace()

netfilter: ipset: fix region locking in hash types

iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo

iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo

module: ensure that kobject_put() is safe for module type kobjects

usb: typec: ucsi: displayport: Fix NULL pointer access

RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug

nfs: handle failure of nfs_get_lock_context in unlock path

wifi: mt76: disable napi on driver removal

dmaengine: ti: k3-udma: Add missing locking

usb: typec: ucsi: displayport: Fix deadlock

usb: typec: fix potential array underflow in ucsi_ccg_sync_control()

usb: typec: fix potential array underflow in ucsi_ccg_sync_control()

btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info()

padata: do not leak refcount in reorder_work

sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

net_sched: sch_sfq: don't allow 1 packet limit

net_sched: sch_sfq: move the limit validation

nvme: tcp: avoid race between queue_lock lock and destroy

perf: Fix perf_event_validate_size()

perf: Fix perf_event_validate_size() lockdep splat

net: pktgen: fix access outside of user given buffer in pktgen_thread_write()

smb: client: Fix use-after-free in cifs_fill_dirent

dm cache: prevent BUG_ON by blocking retries on failed device resumes

orangefs: Do not truncate file size

__legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock

media: cx231xx: set device_caps for 417

nvmet-tcp: don't restore null sk_state_change

vxlan: Annotate FDB data races

scsi: target: iscsi: Fix timeout on deleted connection

Patch targets ARM architecture, which this distro does not support.

platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()

virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN

crypto: algif_hash - fix double free in hash_accept

sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

[PATCH] sch_htb: make htb_qlen_notify() idempotent

[PATCH] sch_qfq: make qfq_qlen_notify() idempotent

[PATCH] sch_htb: make htb_deactivate() idempotent

[PATCH] sch_ets: make est_qlen_notify() idempotent

[PATCH] sch_drr: make drr_qlen_notify() idempotent

[PATCH] sch_hfsc: make hfsc_qlen_notify() idempotent

[PATCH] net/sched: fix lockdep splat in qdisc_tree_reduce_backlog()

[PATCH] net/sched: Always pass notifications when child class becomes empty

wifi: ath11k: fix node corruption in ar->arvifs list

CONFIG_CLK_RASPBERRYPI is not enabled on UEK7

bpf: Fix WARN() in get_bpf_raw_tp_regs

wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds

wifi: ath9k_htc: Abort software beacon handling if disabled

bpf: Avoid __bpf_prog_ret0_warn when jit fails

calipso: Don't call calipso functions for AF_INET sk.

calipso: unlock rcu before returning -EAFNOSUPPORT

net: openvswitch: Fix the dead loop of MPLS parse

Squashfs: check return result of sb_min_blocksize

squashfs: fix memory leak in squashfs_fill_super

bus: fsl-mc: fix double-free on mc_dev

fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()

dmaengine: ti: Add NULL check in udma_probe()

do_change_type(): refuse to operate on unmounted/not ours mounts

[PATCH] use uniform permission checks for all mount propagation

scsi: core: ufs: Fix a hang in the error handler

ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()

ptp: fix breakage after ptp_vclock_in_use() rework

net_sched: prio: fix a race in prio_tune()

net_sched: red: fix a race in __red_change()

posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

x86/iopl: Cure TIF_IO_BITMAP inconsistencies

nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request

media: cxusb: no longer judge rbuf when the write fails

ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330

fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var

ipc: fix to protect IPCS lookups using RCU

RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction

net: ch9200: fix uninitialised access during mii_nway_restart

exfat: fix double free in delayed_free

jfs: fix array-index-out-of-bounds read in add_missing_indices

software node: Correct a OOB check in software_node_get_reference_args()

scsi: lpfc: Use memcpy() for BIOS version

i40e: fix MMIO write access to an invalid page in i40e_clear_hw

platform/x86: dell_rbu: Fix list usage

drivers/rapidio/rio_cm.c: prevent possible heap overwrite

jffs2: check that raw node were preallocated before writing summary

jffs2: check jffs2_prealloc_raw_node_refs() result in few other places

mm/hugetlb: unshare page tables during VMA split, not before

Complex adaptation required. High risk of regression.

wifi: carl9170: do not ping device which has failed to load firmware

mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().

tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer

calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().

arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()

drm/tegra: Fix a possible null pointer dereference

vsock/vmci: Clear the vmci transport packet properly when initializing it

platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks

scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()

ACPICA: Refuse to evaluate a method if arguments are missing

nvme-tcp: sanitize request list handling

nvme-tcp: sanitize request list handling

clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

HID: core: ensure the allocated report buffer can contain the reserved report ID

HID: core: do not bypass hid_hw_raw_request

vsock: Do not allow binding to VMADDR_PORT_ANY

perf: Revert to requiring CAP_SYS_ADMIN for uprobes

netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()

nbd: fix uaf in nbd_genl_connect() error path

raid10: cleanup memleak at raid10_make_request

aoe: avoid potential deadlock at set_capacity

drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling

tipc: Fix use-after-free in tipc_conn_close().

net/sched: Abort __tc_modify_qdisc if parent class does not exist

md/raid1: Fix stack memory use after return in raid1_reshape

Complex adaptation required. Livepatching of this vulnerability can harm the network subsystem..

vsock: Fix transport_{g2h,h2g} TOCTOU

vsock: Fix transport_* TOCTOU

virtio-net: ensure the received length does not exceed allocated size

fs: writeback: fix use-after-free in __mark_inode_dirty()

rseq: Fix segfault on registration when rseq_cs is non-zero

netlink: Fix wraparounds of sk->sk_rmem_alloc.

usb: gadget: u_serial: Fix race condition in TTY wakeup

bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT

netlink: avoid infinite retry looping in netlink_unicast()

wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()

atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

atm: clip: Fix NULL pointer dereference in vcc_sendmsg()

atm: clip: Fix infinite recursive call of clip_push().

atm: clip: Fix potential null-ptr-deref in to_atmarpd().

atm: clip: Fix memory leak of struct clip_vcc.

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg kpatch

i40e: add validation for ring_len param

i40e: validate ring_len parameter against hardware-specific values

phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode

usb: gadget: configfs: Fix OOB read on empty string write

usb: net: sierra: check for no status endpoint

ipv6: mcast: Delay put pmc->idev in mld_del_delrec()

PEEMPT_RT config isn't enabled

regulator: core: fix NULL dereference on unbind due to stale coupling data

regulator: core: fix NULL dereference on unbind due to stale coupling data

wifi: rtl818x: Kill URBs before clearing tx status queue

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

ipv6: reject malicious packets in ipv6_gso_segment()

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Fix size validation in convert_chmap_v3()

xfs: do not propagate ENODATA disk errors into xattr code

Out of scope: boot time issue

Out of scope: boot time issue

device-dax: correct pgoff align in dax_set_mapping()

crypto: essiv - Check ssize for decryption and in-place encryption

kpatch add alt asm definitions

kpatch add paravirt asm definitions

ocfs2: fix recursive semaphore deadlock in fiemap call

fbcon: fix integer overflow in fbcon_do_set_font

fbcon: fix integer overflow in fbcon_do_set_font

net/9p: fix double req put in p9_fd_cancelled

net/ip6_tunnel: Prevent perpetual tunnel growth

ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card

scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()

dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees

cnic: Fix use-after-free bugs in cnic_delete_task

nexthop: Forbid FDB status change while nexthop is in a group

drm/gma500: Fix null dereference in hdmi teardown

scsi: target: target_core_configfs: Add length check to avoid buffer overflow

perf: arm_spe: Prevent overflow in PERF_IDX2OFF()

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast

uio_hv_generic: Let userspace take care of interrupt mask

mm: hugetlb: avoid soft lockup when mprotect to large memory area

pinctrl: check the return value of pinmux_ops::get_function_name()

drm/vmwgfx: Fix Use-after-free in validation

net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()

tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().

cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()

sctp: Fix MAC comparison to be constant-time

KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

media: mc: Clear minor number before put device

dm: fix NULL pointer dereference in __dm_suspend()

pid: Add a judgment for ns null in pid_nr_ns

tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.

tracing: dynevent: Add a missing lockdown check on dynevent

media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove

crypto: rng - Ensure set_ent is always present

crypto: rng - Ensure set_ent is always present (kpatch adaptation)

blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx

bpf: Explicitly check accesses to bpf_sock_addr

ocfs2: fix double free in user_cluster_connect()

bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}

ext4: detect invalid INLINE_DATA + EXTENTS flag combination

netfilter: nf_tables: reject duplicate device on updates

Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak

vfs: Don't leak disconnected dentries on umount

usb: gadget: f_acm: Refactor bind path to use __free()

PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()

libceph: fix invalid accesses to ceph_connection_v1_info

i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

qed: Don't collect too many protection override GRC elements

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

udp: Fix memory accounting leak.

Introduced and fixed in v5.15.0-315.196.3, no live patching needed.

can: peak_usb: fix shift-out-of-bounds issue

media: rc: fix races with imon_disconnect()

media: tuner: xc5000: Fix use-after-free in xc5000_release

scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod

ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping

net: dlink: handle copy_thresh allocation failure

fs: udf: fix OOB read in lengthAllocDescs handling

ext4: verify orphan file size is not too big

ext4: verify orphan file size is not too big (kpatch adaptation)

ext4: guard against EA inode refcount underflow in xattr update

fs/proc: fix uaf in proc_readdir_de()

tipc: Fix use-after-free in tipc_mon_reinit_self().

net/mlx5: Clean up only new IRQ glue on request_irq() failure

mptcp: fix race condition in mptcp_schedule_work()

bpf: Sync pending IRQ work before freeing ring buffer

net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup

drm/i915: Avoid lock inversion when pinning to GGTT on CHV/BXT+VTD

Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF

sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto

ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd

mm/ksm: fix flag-dropping behavior in ksm_madvise

ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe

be2net: pass wrb_params in case of OS2BMC

scsi: sg: Do not sleep in atomic context

NFSD: Fix crash in nfsd4_read_release()

ACPI: video: Fix use-after-free in acpi_video_switch_brightness()

nvme-fc: use lock accessing port_state and rport state

net: ipv6: fix field-spanning memcpy warning in AH output

nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing

Bluetooth: SCO: Fix UAF on sco_conn_free

Bluetooth: bcsp: receive data only if registered

nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()

libceph: prevent potential out-of-bounds writes in handle_auth_session_key()

fbdev: bitblit: bound-check glyph index in bit_putcs*

fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds

drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

mm/secretmem: fix use-after-free race in fault handler

net: atlantic: fix fragment overflow handling in RX path

usb: storage: sddr55: Reject out-of-bound new_pba

usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths

libceph: fix potential use-after-free in have_mon_and_osd_map()

libceph: fix potential use-after-free in have_mon_and_osd_map()

scsi: megaraid_sas: Fix invalid node index