md: fix kmemleak of rdev->serial

Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout

firmware: arm_scmi: Harden accesses to the reset domains

dyndbg: fix old BUG_ON in >control parser

firewire: nosy: ensure user_length is taken into account when fetching packet contents

Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout

eeprom: at24: fix memory corruption race condition

drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

keys: Fix overwrite of key expiration on instantiation

net: core: reject skb_copy(_expand) for fraglist GSO skbs

nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment()

Commit d47151b is absent. Original error is in module __init function, it cannot be fixed.

fix rtm_phonet_notify() skb allocation

net: fix __dst_negative_advice() race

kdb: Fix buffer overflow during tab-complete

NFSD: Protect against send buffer overflow in NFSv2 READ

NFSD: Protect against send buffer overflow in NFSv2 READ

SUNRPC: Fix svcxdr_init_encode's buflen calculation

NFSD: Remove "inline" directives on op_rsize_bop helpers

NFSD: Cap rsize_bop result based on send buffer size

SUNRPC: Fix gss_free_in_token_pages()

SUNRPC: Fix loop termination condition in gss_free_in_token_pages()

ipv6: sr: fix invalid unregister error path

serial: max3100: Update uart_driver_registered on driver removal

ARM related patch

liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

wifi: iwlwifi: mvm: check n_ssids before accessing the ssids

HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

MIPS related CVE.

drm/radeon: fix UBSAN warning in kv_dpm.c

block/ioctl: prefer different overflow check

drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found

nfsd: fix RELEASE_LOCKOWNER

nfsd: don't take fi_lock in nfsd_break_deleg_cb()

ppdev: Add an error check in register_device

netfilter: tproxy: bail out if IP has been disabled on the device

Out of scope as the patch is for NFC/Android

netrom: fix possible dead-lock in nr_rt_ioctl()

jffs2: prevent xattr node from overflowing the eraseblock

ALSA: core: Fix NULL module pointer assignment at card init

Out of scope: User-mode Linux isn't supported for current kernel

vmci: prevent speculation leaks by sanitizing event in event_deliver()

ecryptfs: Fix buffer size for tag 66 packet

scsi: qedf: Ensure the copied buf is NUL terminated

eth: sungem: remove .ndo_poll_controller to avoid deadlocks

eth: sungem: remove .ndo_poll_controller to avoid deadlocks

af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg

tls: fix missing memory barrier in tls_init

bpf: Allow delete from sockmap/sockhash only if update is allowed

f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()

nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors

drivers: core: synchronize really_probe() and dev_uevent()

cpufreq: exit() callback is optional

scsi: bfa: Ensure the copied buf is NUL terminated

serial: max3100: Lock port->lock when calling uart_handle_cts_change()

stm class: Fix a double free in stm_register_device()

Not affected

netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()

crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak

jfs: xattr: fix buffer overflow for invalid xattr

netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type

netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type

ionic: fix use after netif_napi_del()

fbdev: savage: Handle err return when savagefb_check_var failed

virtio: delete vq in vp_find_vqs_msix() when request_irq() fails

RDMA/hns: Modify the print level of CQE error

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

Out of scope: ARM64 architecture issue

ALSA: timer: Set lower bound of start tick time

ALSA: timer: Set lower bound of start tick time

net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP

scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory

nilfs2: fix potential kernel bug due to lack of writeback flag waiting

usb: gadget: printer: fix races against disable

tcp_metrics: validate source addr length

tcp_metrics: validate source addr length

bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD

net: dsa: mv88e6xxx: Correct check for empty list

tap: add missing verification for short frame

tun: add missing verification for short frame

tipc: Return non-zero value from tipc_udp_addr2str() on error

dev/parport: fix the array out-of-bounds risk

ipv6: prevent UAF in ip6_send_skb()

atm: idt77252: prevent use after free in dequeue_rx()

scsi: aacraid: Fix double-free on probe failure

usb: dwc3: st: fix probed platform device ref count on probe error path

Squashfs: sanity check symbolic link size

hwmon: (adc128d818) Fix underflows seen when writing limit attributes

Architecture um is not supported

mISDN: Fix a use after free in hfcmulti_tx()

drm/amdkfd: don't allow mapping the MMIO HDP page with large pages

drm/amd/display: Check gpio_id before used as array index

drm/amd/display: Check msg_id before processing transcation

drm/amdgpu: Fix out-of-bounds write warning

mptcp: pm: avoid possible UaF when selecting endp

hwmon: (nct6775-core) Fix underflows seen when writing limit attributes

hwmon: (w83627ehf) Fix underflows seen when writing limit attributes

jfs: Fix array-index-out-of-bounds in diFree

ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

hwmon: (lm95234) Fix underflows seen when writing limit attributes

VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

sch/netem: fix use after free in netem_dequeue

media: venus: fix use after free in vdec_close

rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow

Out of scope: Android/binder

drm/amd/display: Check index msg_id before read or write (dependency)

drm/amd/display: Add array index check for hdcp ddc access

netfilter: nf_tables: use timestamp to check for set element timeout

netfilter: nf_tables: use timestamp to check for set element timeout

block: initialize integrity buffer to zero before writing it to media

remoteproc: imx_rproc: Skip over memory region when node value is NULL

Patch introduced a deadlock and was reverted.

pinctrl: single: fix potential NULL dereference in pcs_get_function()

netfilter: nf_tables: prefer nft_chain_validate

nilfs2: replace snprintf in show functions with sysfs_emit

nilfs2: protect references to superblock parameters exposed in sysfs

fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE

ethtool: check device is present when getting link settings

drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes

ext4: check dot and dotdot of dx_root before making dir indexed

drm/amdgpu: fix ucode out-of-bounds read warning

drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number

drm/amd/pm: fix the Out-of-bounds read warning

HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup

of/irq: Prevent device address out-of-bounds read in interrupt map walk

drm/amdgpu: fix mc_data out-of-bounds read warning

gtp: pull network headers in gtp_dev_xmit()

exec: Fix ToCToU between perm check and set-uid/gid usage

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

ASoC: meson: axg-card: fix 'use-after-free'

ocfs2: add bounds checking to ocfs2_xattr_find_entry()

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

ext4: aovid use-after-free in ext4_ext_insert_extent()

ocfs2: cancel dqi_sync_work before freeing oinfo

smb: client: fix OOBs when building SMB2_IOCTL request

media: s5p-jpeg: prevent buffer overflows

cifs: Fix buffer overflow when parsing NFS reparse points

Bluetooth: fix use-after-free in device_for_each_child()

Bluetooth: fix use-after-free in device_for_each_child()

jfs: fix array-index-out-of-bounds in jfs_readdir

drm/amd/display: Fix index out of bounds in degamma hardware format translation

ext4: fix slab-use-after-free in ext4_split_extent_at()

net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT

NFSv4.0: Fix a use-after-free problem in the asynchronous open()

tipc: Fix use-after-free of kernel socket in cleanup_bearer().

net: ieee802154: do not leave a dangling sk pointer in ieee802154_create()

net: inet6: do not leave a dangling sk pointer in inet6_create()

hrtimers: Handle CPU state correctly on hotplug

hrtimers: Handle CPU state correctly on hotplug

blk-cgroup: Fix UAF in blkcg_unpin_online()

mtd: rawnand: fix double free in atmel_pmecc_create_user()

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format

rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read

net: davicom: fix UAF in dm9000_drv_remove

NFC: nci: Add bounds checking in nci_hci_create_pipe()

Out of scope: ARM64 architecture isn't supported for current kernel

Postponed: complex analysis and adaptation required

drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

net/mlx5e: Fix use-after-free of encap entry in neigh update handler

drm/amdgpu: Fix even more out of bound writes from debugfs

smb: client: fix use-after-free bug in cifs_debug_data_proc_show()

dm cache: fix flushing uninitialized delayed_work on cache_ctr error

geneve: Fix use-after-free in geneve_find_dev().

geneve: Suppress list corruption splat in geneve_destroy_tunnels().

media: uvcvideo: Fix double free in error path

nilfs2: protect access to buffers with no active references

smb: client: fix UAF in async decryption

smb: client: fix NULL ptr deref in crypto_aead_setkey()

nbd: don't allow reconnect after disconnect

net: sched: Disallow replacing of child qdisc from one parent to another

padata: fix UAF in padata_reorder

rapidio: fix an API misues when rio_add_net() fails

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

drm/amd/pm: Fix negative array index read

tracing: Fix use-after-free in print_graph_function_flags during tracer switching

drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'

smb: client: fix potential UAF in cifs_debug_files_proc_show()

Restrict access to pagemap/kpageflags/kpagecount