tap: add missing verification for short frame

tun: add missing verification for short frame

net: fix __dst_negative_advice() race

nilfs2: We cannot patch functions that sleep in kthread().

ppdev: Add an error check in register_device

nilfs2: fix potential hang in nilfs_detach_log_writer()

kdb: Fix buffer overflow during tab-complete

ipv6: sr: fix invalid unregister error path

tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

md: fix resync softlockup when bitmap size is less than array

crypto: bcm - Fix pointer arithmetic

jffs2: prevent xattr node from overflowing the eraseblock

wifi: carl9170: add a proper sanity check for endpoints

drm/mediatek: Add 0 size check to mtk_drm_gem_obj

drm/arm/malidp: fix a possible null pointer dereference

serial: max3100: Update uart_driver_registered on driver

netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()

enic: Validate length of nl attributes in enic_set_vf_port

Out of scope as the patch is for s390 arch only, x86_64, arm64 is not affected

xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING

drm/amd/display: Fix potential index out of bounds in color transformation function

scsi: bfa: Ensure the copied buf is NUL terminated

af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg

greybus: lights: check return of get_channel_from_mode

virtio: delete vq in vp_find_vqs_msix() when request_irq() fails

ALSA: timer: Set lower bound of start tick time

netfilter: ipset: Fix race between namespace cleanup and gc

netfilter: ipset: Fix race between namespace cleanup and gc

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

tcp: Fix shift-out-of-bounds in dctcp_update_alpha().

wifi: ar5523: enable proper endpoint verification

ecryptfs: Fix buffer size for tag 66 packet

ring-buffer: Fix a race between readers and resize checks

serial: max3100: Lock port->lock when calling

ext4: fix mb_cache_entry's e_refcnt leak in

f2fs: fix to do sanity check on i_xattr_nid in

drm/amdgpu: add error handle to avoid out-of-bounds

ARM related CVE.

ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound

SUNRPC: Fix gss_free_in_token_pages()

SUNRPC: Fix loop termination condition in gss_free_in_token_pages()

netfilter: tproxy: bail out if IP has been disabled on the device

net: openvswitch: fix overwriting ct original tuple for ICMPv6

scsi: qedf: Ensure the copied buf is NUL terminated

soundwire: Skipped as code which CVE fixes doesn't exists in older releaes

net/9p: fix uninit-value in p9_client_rpc()

cpufreq: exit() callback is optional

Out of scope as the patch is for m68k arch only, x86_64, arm64 is not affected

netrom: fix possible dead-lock in nr_rt_ioctl()

stm class: Fix a double free in stm_register_device()

Out of scope: User-mode Linux isn't supported for current kernel

media: stk1160: fix bounds checking in stk1160_copy_video()

ipv6: sr: fix memleak in seg6_hmac_init_algo

dma-buf/sw-sync: don't enable IRQ from sync_print_obj()

netns: Make get_net_ns() handle zero refcount net

filelock: fix potential use-after-free in posix_lock_inode

netfilter: nftables: exthdr: fix 4-byte stack OOB write

net/iucv: Avoid explicit cpumask var allocation on stack

bonding: Fix out-of-bounds read in

net: ethernet: lantiq_etop: fix double free in detach

nilfs2: add missing check for inode numbers on directory

ipv6: annotate some data-races around sk->sk_prot

ipv6: Fix data races around sk->sk_prot.

tcp: Fix data races around icsk->icsk_af_ops.

nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors

vmci: prevent speculation leaks by sanitizing event in event_deliver()

liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet

USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages

drm/exynos/vidi: fix memory leak in .get_modes()

ipv6: prevent possible NULL dereference in rt6_probe()

drm/radeon: fix UBSAN warning in kv_dpm.c

USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor

usb: atm: cxacru: fix endpoint checking in cxacru_bind()

net: can: j1939: Initialize unused data in j1939_send_one()

ocfs2: fix races between hole punching and AIO+DIO

net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

ppp: reject claimed-as-LCP but actually malformed packets

ASoC: fsl-asoc-card: set priv->pdev before using it

net: tcp: fix unexcepted socket die when snd_wnd is 0

tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()

tcp: avoid too many retransmit packets

x86: stop playing stack games in profile_pc()

scsi: qedi: Fix crash while reading debugfs attribute

inet_diag: Initialize pad field in struct inet_diag_req_v2

drm/amdgpu: fix UBSAN warning in kv_dpm.c

USB composite function controllers related patch

net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP

drivers: core: synchronize really_probe() and dev_uevent()

driver core: Fix uevent_show() vs driver detach race

ARM related patch

xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()

nilfs2 related patch

udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().

ALSA: emux: improve patch ioctl data validation

nilfs2 related patch

media: dvb-frontends: tda10048: Fix integer overflow

HID: logitech-dj: Fix memory leak in

iommu: Return right value in iommu_sva_bind_device()

drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()

drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes

drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep

drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes

drm/amd/display: Skip finding free audio for unknown engine_id

nilfs2 is not enabled

HID: core: remove unnecessary WARN_ON() in implement()

usb-storage: alauda: Check whether the media is initialized

usb-storage: alauda: Check whether the media is initialized (Adaptation)

scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory

wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()

wifi: iwlwifi: mvm: don't read past the mfuart notifcation

wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects

MIPS related CVE.

netfilter: ipset: Fix suspicious rcu_dereference_protected()

ftruncate: pass a signed offset

drm/lima: fix shared irq handling on driver remove

s390 architecture related CVE.

ipv6: fix possible race in __fib6_drop_pcpu_from()

netfilter: nf_tables: fully validate NFT_DATA_VALUE on store

Out of scope as the patch is for MIPS arch only, x86_64 is not affected

Out of scope as the patch is for powerpc arch only, x86_64 is not affected

IB/core: Implement a limit on UMAD receive List

IB/core: Implement a limit on UMAD receive List (adaptation)

net: sched: sch_multiq: fix possible OOB write in multiq_tune()

jfs: xattr: fix buffer overflow for invalid xattr

greybus: Fix use-after-free bug in gb_interface_release due to race condition.

net/dpaa2: Avoid explicit cpumask var allocation on stack

ata: libata-core: Fix double free on error

net: dsa: mv88e6xxx: Correct check for empty list

tcp_metrics: validate source addr length

tcp_metrics: validate source addr length

bnx2x: Fix multiple UBSAN array-index-out-of-bounds

ipv6: prevent possible NULL deref in fib6_nh_init()

batman-adv: bypass empty buckets in batadv_purge_orig_ref()

drm/nouveau/dispnv04: fix null pointer dereference in

gpio: davinci: Validate the obtained number of IRQs

jffs2: Fix potential illegal address access in

Patches a sleepable function, there is a small but non-zero risk of livepatching failure

netrom: Fix a memory leak in nr_heartbeat_expiry()

usb: gadget: configfs: Prevent OOB read/write in

pinctrl: fix deadlock in create_pinctrl() when handling

iio: chemical: bme680: Fix overflows in compensate()

scsi: qedf: Make qedf_execute_tmf() non-preemptible

orangefs: fix out-of-bounds fsid access

Patches a sleepable function, there is a small but non-zero risk of livepatching failure

drop_monitor: replace spin_lock by raw_spin_lock

i2c: pnx: Fix potential deadlock warning from

i2c: pnx: Fix potential deadlock warning from

libceph: fix race between delayed_work() and ceph_monc_stop()

vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()

scsi: qla2xxx: Complete command early within lock

ALSA: line6: Fix racy access to midibuf

KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()

dev/parport: fix the array out-of-bounds risk

hfsplus: fix uninit-value in copy_name

media: venus: fix use after free in vdec_close

RDMA/iwcm: Fix a use-after-free related to destroying CM IDs

jfs: Fix array-index-out-of-bounds in diFree

tipc: Return non-zero value from tipc_udp_addr2str() on error

mISDN: Fix a use after free in hfcmulti_tx()

net/iucv: fix use after free in iucv_sock_close()

exec: Fix ToCToU between perm check and set-uid/gid usage

VMCI: Fix use-after-free when removing resource in vmci_resource_remove()

wifi: cfg80211: wext: add extra SIOCSIWSCAN data check

f2fs: fix to don't dirty inode for readonly filesystem

kobject_uevent: Fix OOB access within zap_modalias_env()

dma: fix call order in dmam_free_coherent

mm: avoid overflows in dirty throttling logic

drm/nouveau: prime: fix refcount underflow

s390 arch not supported.

drm/client: fix null pointer dereference in drm_client_modeset_probe

tracing: Fix overflow in get_free_elt()

netfilter: ctnetlink: use helper function to calculate expect ID

scsi: qla2xxx: During vport delete send async logout explicitly

mlxsw: spectrum_acl_erp: Fix object nesting warning

mlxsw: spectrum_acl_erp: Fix object nesting warning

lib: objagg: Fix general protection fault

protect the fetch of ->fd[fd] in do_dup2() from mispredictions

net: nexthop: Initialize all fields in dumped nexthops

Out of scope as the patch is for s390 arch only, x86_64 is not affected

leds: trigger: Unregister sysfs attributes before calling deactivate()

ocfs2: add bounds checking to ocfs2_check_dir_entry()

filelock: Remove locks reliably when fcntl/close race is detected

filelock: Fix fcntl/close race recovery compat path

filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64

scsi: qla2xxx: validate nvme_local_port correctly

ext4: check dot and dotdot of dx_root before making dir indexed

drm/amd/display: Check for NULL pointer

drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes

serial: core: check uartclk for zero to avoid divide by zero

drm/amdgpu: Fix the null pointer dereference to ras_manager

This CVE was introduced and fixed in the same kernel verison

devres: Fix memory leakage caused by driver API devm_free_percpu()

usb: vhci-hcd: Do not drop references before new references are gained

sctp: Fix null-ptr-deref in reuseport_add_sock().

x86/mtrr: Check if fixed MTRRs exist before saving them

scsi: qla2xxx: Fix for possible memory corruption

drm/qxl: Add check for drm_cvt_mode

net: usb: qmi_wwan: fix memory leak for not ip packets

md/raid5: avoid BUG_ON() while continue reshape after reassembling

usb: gadget: core: Check for unset descriptor

x86/mm: Fix pti_clone_pgtable() alignment assumption

remoteproc: imx_rproc: Skip over memory region when node value is NULL

nilfs2: handle inconsistent state in nilfs_btnode_create_block()

ext4: make sure the first directory block is not a hole

jfs: don't walk off the end of ealist

drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes

netfilter: nf_tables: prefer nft_chain_validate

bpf: Fix a segment issue when downgrading gso_size

wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()

bna: adjust 'name' buf size of bna_tcb and bna_ccb structures

ila: block BH in ila_output()

CVE patch is for powerpc arch only

CVE patch is for powerpc arch only

Bluetooth: hci_core: cancel all works upon hci_unregister_dev()

hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()

nvme-pci: add missing condition check for existence of mapped data

drm/i915/gem: Fix Virtual Memory mapping boundaries calculation

wifi: virt_wifi: avoid reporting connection success with wrong SSID

wifi: virt_wifi: avoid reporting connection success with wrong SSID

Affects only boot __init stage, already booted kernels are not affected

mm: clarify a confusing comment for remap_pfn_range()

mm: fix ambiguous comments for better code readability

mm/memory.c: make remap_pfn_range() reject unaligned addr

mm: add remap_pfn_range_notrack

mm: avoid leaving partial pfn mappings around in error case

binder: fix UAF caused by offsets overwrite

atm: idt77252: prevent use after free in dequeue_rx()

gtp: pull network headers in gtp_dev_xmit()

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

usb: dwc3: st: fix probed platform device ref count on probe error path

scsi: aacraid: Fix double-free on probe failure

drm/amd/display: Check gpio_id before used as array index

drm/amdgpu: fix ucode out-of-bounds read warning

drm/amdgpu: fix mc_data out-of-bounds read warning

ila: call nf_unregister_net_hooks() sooner

hwmon: (w83627ehf) Fix underflows seen when writing limit attributes

HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup

of/irq: Prevent device address out-of-bounds read in interrupt map walk

nilfs2 module is not included

module is not included

Architecture is not supported

Architecture um is not supported

nilfs2: fix missing cleanup on rollforward recovery error

kcm: Serialise kcm_sendmsg() for the same socket.

net: dsa: mv88e6xxx: Fix out-of-bound access

usb: dwc3: core: Prevent USB core invalid event buffer address access

cgroup/cpuset: Prevent UAF in proc_cpuset_show()

Input: MT - limit max slots

fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE

drm/amd/display: Skip wbscl_set_scaler_filter if filter is null

usb: typec: ucsi: Fix null pointer dereference in trace

PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)

ipv6: prevent UAF in ip6_send_skb()

drm/amdkfd: don't allow mapping the MMIO HDP page with large pages

sch/netem: fix use after free in netem_dequeue

ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object

hwmon: (adc128d818) Fix underflows seen when writing limit attributes

hwmon: (lm95234) Fix underflows seen when writing limit attributes

hwmon: (nct6775-core) Fix underflows seen when writing limit attributes

Squashfs: sanity check symbolic link size

sched: sch_cake: fix bulk flow accounting logic for host fairness

xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration

mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio()

netem: fix return value if duplicate enqueue fails

drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6

drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]

block: initialize integrity buffer to zero before writing it to media

tcp_bpf: fix return value of tcp_bpf_sendmsg()

btrfs: clean up our handling of refs == 0 in snapshot delete

lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()

staging: iio: frequency: ad9834: Validate frequency parameter value

ethtool: check device is present when getting link settings

wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()

arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry

ocfs2: reserve space for inline xattr before attaching reflink tree

Bluetooth: MGMT: Add error handling to pair_device()

ata: libata-core: Fix null pointer dereference on error

virtio_net: Fix napi_skb_cache_put warning

Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO

mmc: mmc_test: Fix NULL dereference on allocation failure

gtp: fix a potential NULL pointer dereference

pinctrl: single: fix potential NULL dereference in pcs_get_function()

uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind

Input: uinput - reject requests with unreasonable number of slots

Complex adaptation required. Low impact CVE.

Out of scope: CVE patch is for PCI Hotplug Driver for PowerPC PowerNV platform

can: bcm: Remove proc entry when dev is unregistered.

vfs: Don't evict inode under the inode lru traversing context

nfc: pn533: Add poll mod list filling check

nilfs2: protect references to superblock parameters exposed in sysfs

fuse: Initialize beyond-EOF page contents before setting uptodate

Patches a function that is sleepable due to a call to vfs_poll

net: hns3: fix a deadlock problem when config TC during resetting

apparmor: fix possible NULL pointer dereference

nilfs2: fix state management in error path of log writing function

udf: Avoid excessive partition lengths

nvmet-tcp: fix kernel crash if commands allocation fails

x86/xen: Add xenpv_restore_regs_and_return_to_usermode()

kpatch add alt asm definitions

kpatch add paravirt asm definitions

Restrict access to pagemap/kpageflags/kpagecount