crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()

KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)

KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

bpf: Fix integer overflow in prealloc_elems_and_freelist()

fget: check that the fd still exists after getting a ref to it

xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like

vfs: fs_context: fix up param length parsing in legacy_parse_param

UBUNTU: SAUCE: vfs: test that one given mount param is not larger than PAGE_SIZE

cgroup-v1: Require capabilities to set release_agent

Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()

netfilter: nf_tables_offload: incorrect flow offload action array size

lib/iov_iter: initialize "flags" in new pipe_buffer

KVM: x86: nSVM: don't copy virt_ext from vmcb12

drm/i915: Flush TLBs before releasing backing store

drm/i915: Flush TLBs before releasing backing store (adaptation)

USB: gadget: zero allocate endpoint 0 buffers

USB: gadget: detect too-big endpoint 0 requests

USB: gadget: bRequestType is a bitfield, not a enum

tipc: improve size validations for received domain records

Out of scope as the patch is aarch64 related

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

UBUNTU: SAUCE: drm/vmwgfx: Fix stale file descriptors on failed usercopy

net/packet: rx_owner_map depends on pg_vec

NFSv4: Handle case where the lookup of a directory fails

udf: Fix NULL ptr deref when converting from inline format

udf: Restore i_lenAlloc when inode expansion fails

ipv4: avoid using shared IP generator for connected sockets

ipv4: tcp: send zero IPID in SYNACK messages

sr9700: sanity check for packet length

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use unprivileged eBPF.

netfilter: nf_tables: initialize registers in nft_do_chain()

KVM: x86/mmu: do compare-and-exchange of gPTE via the user

phonet: refcount leak in pep_sock_accep

net: sched: fix use-after-free in tc_new_tfilter()

esp: Fix possible buffer overflow in ESP transformation

io_uring: always use original task when preparing req identity

Not affected without certain conditions - Secure Boot, configured kgdb/kdb. Complex adaptation

af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls

ALSA: pcm: Fix races among concurrent read/write and buffer changes

ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls

ALSA: pcm: Fix races among concurrent prealloc proc writes

ALSA: pcm: Fix races among concurrent hw_params and hw_free calls (adaptation)

xen/xenbus: don't let xenbus_grant_ring() remove grants in error case

xen/grant-table: add gnttab_try_end_foreign_access()

xen/netfront: don't use gnttab_query_foreign_access() for mapped status

xen/scsifront: don't use gnttab_query_foreign_access() for mapped status

xen/gntalloc: don't use gnttab_query_foreign_access()

xen: remove gnttab_query_foreign_access()

xen/9p: use alloc/free_pages_exact()

xen/gnttab: fix gnttab_end_foreign_access() without page specified

xen/netfront: react properly to failing gnttab_end_foreign_access_ref()

xen/gnttab: fix gnttab_end_foreign_access() without page specified (adaptation)

xen/netfront: react properly to failing gnttab_end_foreign_access_ref() (adaptation)

cgroup: Use open-time credentials for process migraton perm checks

x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data

Kernel lockdown bypass when UEFI secure boot is disabled / unavailable and IMA appraisal is enabled.

net_sched: cls_route: remove from list when handle is 0

KVM: Add infrastructure and macro to mark VM as bugged

KVM: Add infrastructure and macro to mark VM as bugged (adaptation)

KVM: Add infrastructure and macro to mark VM as bugged

KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq

KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast()

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

Livepatching Retbleed may decrease kernel stability and performance. This vulnerability has medium security impact and applies to certain hardware environments only.

rds: copy_from_user only once per rds_sendmsg system call

ipc: replace costly bailout check in sysvipc_find_ipc()

drm: add a locked version of drm_is_current_master

drm: add a locked version of drm_is_current_master

drm: add a locked version of drm_is_current_master

drm: add a locked version of drm_is_current_master (adaptation)

netfilter: nf_tables: do not allow SET_ID to refer to another

netfilter: nf_tables: do not allow SET_ID to refer to another

scsi: target: Fix WRITE_SAME No Data Buffer crash

lockdown: also lock down previous kgdb use

af_key: Do not call xfrm_probe_algs in parallel

mISDN: fix use-after-free bugs in l1oip timer handlers

mISDN: fix use-after-free bugs in l1oip timer handlers (adaptation)

io_uring/af_unix: defer registered files gc to io_uring release

io_uring/af_unix: defer registered files gc to io_uring release (adaptation)

proc: avoid integer type confusion in get_proc_long

proc: proc_skip_spaces() shouldn't think it is working on C strings

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

drm/i915/gt: Serialize TLB invalidates with GT resets

drm/i915: fix TLB invalidation for Gen12 video and compute engines

Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

media: dvb-core: Fix UAF due to refcount races at releasing

i2c: ismt: Fix an out-of-bounds bug in ismt_access()

Bluetooth: L2CAP: Fix u8 overflow

net: sched: atm: dont intepret cls results when asked to drop

net: sched: cbq: dont intepret cls results when asked to drop

ipv6: raw: Deduct extension header length in rawv6_push_pending_frames

net: sched: disallow noqueue for qdisc classes

media: dvbdev: adopts refcnt to avoid UAF

media: dvbdev: fix refcnt bug

media: dvbdev: adopts refcnt to avoid UAF (adaptation)

drm/amdkfd: Check for null pointer after calling kmemdup

KVM: VMX: Execute IBPB on emulated VM-exit when guest has IBRS

net: fix a concurrency bug in l2tp_tunnel_register()

l2tp: Serialize access to sk_user_data with sk_callback_lock

l2tp: Don't sleep and disable BH under writer-side sk_callback_lock

wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid

x86/speculation: Identify processors vulnerable to SMT RSB predictions

KVM: x86: Mitigate the cross-thread return address predictions bug

KVM: x86: Mitigate the cross-thread return address predictions bug (adaptation)

netfilter: nf_tables: deactivate anonymous set from preparation phase

KVM: nVMX: add missing consistency checks for CR0 and CR4

netfilter: nf_tables: stricter validation of element data

KVM: x86: do not report a vCPU as preempted outside instruction boundaries (adaptation)

Complex adaptation required.

rds: Fix lack of reentrancy for connection reset with dst addr zero

netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c

A low priority AMD Inception vulnerability that affects Zen3/Zen4 & relates to RetBleed fixes requiring microcode updates, we can't do much about it in KCare Infra.

x86/CPU/AMD: Do not leak quotient data after a division by 0

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition

nvmet-tcp: Fix a possible UAF in queue intialization setup

kobject: Fix slab-out-of-bounds in fill_kobj_path()

An introduction of required changes through KernelCare could cause unavoidable problems to applications which use netfilter functionality.

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

vhost: use kzalloc() instead of kmalloc() followed by memset()

netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()

Requires microcode update. Can't be fixed with kernelcare live patching.

kpatch add alt asm definitions

kpatch add alternative2 asm definition

x86/bhi: Add support for clearing branch history at syscall entry

x86/xen: Add xenpv_restore_regs_and_return_to_usermode()

kpatch add paravirt asm definitions

Restrict access to pagemap/kpageflags/kpagecount

KVM: x86: avoid calling x86 emulator without a decoded

perf: Fix sys_perf_event_open() race against self