cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status

exec: Limit arg stack to at most 75% of _STK_LIM

ocfs2: should wait dio before inode lock in ocfs2_setattr()

crypto: salsa20 - fix blkcipher_walk API usage

crypto: hmac - require that the underlying hash algorithm is unkeyed

n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ

mlock: fix mlock count can not decrease in race condition

Bluetooth: hidp: buffer overflow in hidp_process_report

Input: i8042 - fix crash at boot time

nl80211: check for the required netlink attributes presence

net/packet: fix a race in packet_bind() and packet_notifier()

KEYS: add missing permission check for request_key() destination

net: Set sk_prot_creator when cloning sockets to the right proto

MDS CPU Side-channel Attacks mitigation

binfmt_elf: switch to new creds when switching to new mm

USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data

fix out-of-bound memory read in crypto/asymmetric_keys/x509_cert_parser.c

fix possible division by zero in drivers/usb/serial/io_ti.c

fix buffer overflow in bluetooth hidp ioctl

fix possible use after free (NULL pointer dereference) in drivers/scsi/megaraid

fix possible use after free (UAF) in implementation of RDS over TCP

fix heap address information leak while using bluetooth L2CAP_GET_CONF_OPT

HID: debug: fix the ring buffer implementation

scsi: target: iscsi: Use hex2bin instead of a re-implementation

fix race condition and possible use-after-free in drivers/scsi/libsas/sas_expander.c

UBUNTU: SAUCE: tcp: limit payload size of sacked skbs

UBUNTU: SAUCE: tcp: tcp_fragment() should apply sane memory limits

tcp: add tcp_min_snd_mss sysctl

tcp: add tcp_min_snd_mss sysctl

tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()

tcp: add tcp_min_snd_mss sysctl

partially fix bypass of the "start time" protection mechanism while fork() (polkit should be updated >0.115)

tun: call dev_get_valid_name() before register_netdevice()

tun: allow positive return values on dev_get_valid_name() call

mm/madvise.c: fix madvise() infinite loop under special circumstances

USB: check usb_get_extra_descriptor for proper size

ext4: zero out the unused memory region in the extent tree block

ip_sockglue: Fix missing-check bug in ip_ra_control()

ip_sockglue: Fix missing-check bug in ip_ra_control()

N/A

N/A

x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations

Input: gtco - bounds check collection indent level

KVM: coalesced_mmio: add bounds checking

floppy: fix out-of-bounds read in copy_buffer

tcp: purge write queue in tcp_connect_init()

xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink

scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE

ext4: fix data exposure after a crash

ring-buffer: Prevent overflow of size in ring_buffer_resize()

netfilter: nfnetlink: correctly validate length of batch messages

xc2028: avoid use after free

HID: core: prevent out-of-bound readings

perf/core: Fix perf_event_open() vs. execve() race

tracing: Fix possible double free on failure of allocating trace buffer

perf: Fix race in swevent hash

ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()

tty: Prevent ldisc drivers from re-using stale tty fields

crypto: algif_skcipher - Load TX SG list after waiting

bpf: fix branch pruning logic

usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer

mac80211: accept key reinstall without changing anything

ALSA: seq: Fix use-after-free at creating a port

binfmt_elf: use ELF_ET_DYN_BASE only for PIE

drm/vmwgfx: Make sure backup_handle is always valid

media: imon: Fix null-ptr-deref in imon_probe

video: fbdev: aty: do not leak uninitialized padding in clk to userspace

isdn/i4l: fix buffer overflow

f2fs: sanity check checkpoint segno and blkoff

prevent creating a different user's keyrings

cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE

cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE (kpatch adaptation)

ALSA: msnd: Optimize / harden DSP and MIDI loops

bpf: don't let ldimm64 leak map addresses on unprivileged

f2fs: sanity check segment count

ipx: call ipxitf_put() in ioctl error path

xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present

media: uvcvideo: Prevent heap overflow when accessing mapped controls

ALSA: seq: Cancel pending autoload work at unbinding device

KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings

fbdev: color map copying bounds checking

drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()

KVM: x86: Introduce segmented_write_std

USB: serial: kl5kusb105: fix line-state error handling

sctp: deny peeloff operation on asocs with threads sleeping on it

irda: Fix lockdep annotations in hashbin_delete().

irda: Fix lockdep annotations in hashbin_delete(). (kpatch adaptation)

rds: fix an infoleak in rds_inc_info_copy

brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

tipc: fix an infoleak in tipc_nl_compat_link_dump

usb: misc: legousbtower: Fix NULL pointer deference

kvm: fix vhost_net log overflow

net: hsr: fix memory leak in hsr_dev_finalize()

ieee802154: enforce CAP_NET_RAW for raw sockets

enforce CAP_NET_RAW for AF_ISDN sockets

media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap

net: sit: fix memory leak in sit_init_net()

media: dvb: usb: fix use after free in dvb_usb_device_exit

media: cpia2_usb: first wake up, then free in disconnect

i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA

net-sysfs: Fix mem leak in netdev_register_kobject

x86: kvm: Do not release the page inside mmu_set_spte() (CVE-2018-12207 prerequirement)

CVE-2018-12207 prerequirement - code cleanup and simplification

x86: kvm: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON (CVE-2018-12207 prerequirement)

x86: kvm: vmx,svm: always run with EFER.NXE=1 when shadow paging is active (CVE-2018-12207 prerequirement)

kvm: Convert kvm_lock to a mutex (CVE-2018-12207 prerequirement)

kvm: mmu: ITLB_MULTIHIT mitigation (adaptation)

USB: sisusbvga: fix oops in error path of sisusb_probe

scsi: libsas: delete sas port if expander discover failed

potential NULL dereference in qla2xx SCSI driver.

KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID

rtlwifi: Fix potential overflow on P2P code

kvm: nVMX: fixed L2 guest possible tricking the L0 hypervisor to access sensitive L1 resources

media: b2c2-flexcop-usb: add sanity checking

fix a heap overflow in mmwifiex_process_tdls_action_frame()

net: qlogic: Fix memory leak in ql_alloc_large_buffers

printk: hash addresses printed with %p

vhost: Check docket sk_family instead of call getname

HID: hiddev: avoid opening a disconnected device

vgacon: Fix a UAF in vgacon_invert_region

mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings

slcan: Don't transmit uninitialized stack data in padding

floppy: check FDC index for errors before assigning it

vt: selection, close sel_buffer race

mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf

HID: Fix assumption that devices have inputs

brcmfmac: screening firmware event packet

USB: adutux: fix use-after-free on disconnect

media: stv06xx: add missing descriptor sanity checks

fix use-after-free in drivers/net/phy/mdio_bus.c

libertas: Fix two buffer overflows at parsing bss descriptor

USB: iowarrior: fix use-after-free on release

USB: core: Fix races in character device registration and deregistraion

mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring

mremap: properly flush TLB before releasing the page

Input: ff-memless - kill timer in destroy()

media: xirlink_cit: add missing descriptor sanity checks

Input: add safety guards to input_set_keycode()

media: ov519: add missing endpoint sanity checks

x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation

media: ttusb-dec: Fix info-leak in ttusb_dec_send_command()

can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices

media: dvb-usb-v2: lmedm04: Improve logic checking of warm start

ALSA: core: Fix card races between register and disconnect

can: peak_usb: fix slab info leak

media: rc: prevent memory leak in cx23888_ir_probe

can, slip: Protect tty->disc_data in write_wakeup and close with RCU

vfio: access to disabled MMIO space of some devices may lead to DoS scenario

vfio: access to disabled MMIO space of some devices may lead to DoS scenario

fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()

of: unittest: fix memory leak in unittest_data_add

crypto: user - fix memory leak in crypto_report

net-sysfs: call dev_hold if kobject_init_and_add success

hdpvr: Fix an error handling path in hdpvr_probe()

can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices

GFS2: don't set rgrp gl_object until it's inserted into rgrp tree

net: arc_emac: fix koops caused by sk_buff free

USB: serial: io_ti: fix information leak in completion handler

USB: serial: omninet: fix reference leaks at open

pipe: add pipe_buf_get() helper

mm: add 'try_get_page()' helper function

fs: prevent page refcount overflow in pipe_buf_get

mm: make page ref count overflow check tighter and more explicit

mm, gup: ensure real head page is ref-counted when using hugepages

mm: prevent get_user_pages() from overflowing page refcount

mm: prevent get_user_pages() from overflowing page refcount

sunrpc: use-after-free in svc_process_common

CVE-2018-16884 kpatch adaptation

use-after-free

mwifiex: Abort at too short BSS descriptor element

sctp: implement memory accounting on tx path

cfg80211/mac80211: make ieee80211_send_layer2_update a public function

mac80211: Do not send Layer 2 Update frame before authorization

kvm: fix kvm_ioctl_create_device() reference counting

KVM: nVMX: unconditionally cancel preemption timer in free_nested

KVM: x86: work around leak of uninitialized stack contents

net-gro: fix use-after-free read in napi_gro_frags()

selinux: Print 'sclass' as string when unrecognized netlink message occurs (CVE-2020-10751 dependency)

crypto: authenc - fix parsing key with misaligned rta_len

ext4: fix potential negative array index in do_split()

vgacon: Fix for missing check in scrollback handling

nl80211: fixed buffer overflow when handling beacon settings

fixed possible DoS in drivers/infiniband/hw/cxgb4/mem.c via directly calling dma_map_single() from a stack variable

btrfs: merge btrfs_find_device and find_device

can: gs_usb: gs_can_open(): prevent memory leak

ath9k_htc: release allocated buffer if timed out

blktrace: fix dereference after null check

scsi: libsas: stop discovering if oob mode is disconnected

mwifiex: Fix mem leak in mwifiex_tm_cmd

dccp: Fix memleak in __feat_register_sp

af_packet: set defaule value for tmo

net: ipv6: add net argument to ip6_dst_lookup_flow

net: ipv6: add net argument to ip6_dst_lookup_flow

nfs: Fix getxattr kernel panic and memory overflow

rbd: require global CAP_SYS_ADMIN for mapping and unmapping

mm/hugetlb: fix a race between hugetlb sysctl handlers

media: usb: siano: Fix general protection fault in smsusb

media: technisat-usb2: break out of loop at end of buffer

usb: cdc-acm: make sure a refcount is taken early enough

hdlc_ppp: add range checks in ppp_cp_parse_cr()

kexec, KEYS: kexec signature blacklist verify

netfilter: ctnetlink: add a range check for l3/l4 protonum

powercap: make attributes only readable by root

powercap: make attributes only readable by root (adaptation)

net: icmp: fix data-race in cmp_global_allow()

random32: update the net random state on interrupt and activity

random: fix circular include dependency on arm64 after addition of percpu.h

random32: remove net_rand_state from the latent entropy gcc plugin

random32: move the pseudo-random 32-bit definitions to prandom.h

mwifiex: fix possible heap overflow in mwifiex_process_country_ie()

netlabel: cope with NULL catmap

drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit. (CVE-2020-12464 dependency)

scsi: mptfusion: Fix double fetch bug in ioctl

ext4: work around deleting a file with i_nlink == 0 safely

ext4: fix ext4_empty_dir() for directories with holes

kernel: memory corruption in Voice over IP nf_conntrack_h323 module

tty: make FONTX ioctl use the tty pointer they were actually passed

fbcon: Fix global-out-of-bounds read in fbcon_get_font()

fbcon: Fix global-out-of-bounds read in fbcon_get_font()

vt: Disable KD_FONT_OP_COPY

perf/core: Fix race in the perf_mmap_close() function

icmp: randomize the global rate limiter

sched/fair: Don't free p->numa_faults with concurrent readers

block: Fix use-after-free in blkdev_get()

target: fix XCOPY NAA identifier lookup

set ring->xenblkd to NULL explicitly

mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()

tty: core: Use correct spinlock flavor in tiocspgrp()

tty: Fix ->pgrp locking in tiocspgrp()

tty: Fix ->session locking

mwifiex: Fix possible buffer overflows in

ALSA: rawmidi: Fix racy buffer resize under concurrent accesses

ALSA: rawmidi: Fix racy buffer resize under concurrent accesses (adaptation)

limit size of watch_events dom0 queue.

handle xenwatch_thread patching.

Xen/x86: don't bail early from clear_foreign_p2m_mapping()

Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()

Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages()

Xen/gntdev: correct error checking in gntdev_map_grant_pages()

xen-blkback: don't "handle" error by BUG()

xen-netback: don't "handle" error by BUG()

xen-scsiback: don't "handle" error by BUG()

xen-blkback: fix error handling in xen_blkbk_map()

HID: hid-input: clear unmapped usages.

scsi: iscsi: Restrict sessions and handles to admin

scsi: iscsi: Verify lengths on passthrough PDUs

sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs (dependency)

scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE

Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work

ixgbe: fix large MTU request from VF

igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU

sched/rt: pick_next_rt_entity(): check list_entry

net: sched: sch_qfq: Fix UAF in qfq_dequeue()

net: sched: sch_qfq: Fix UAF in qfq_dequeue()

netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()

Input: add bounds checking to input_set_capability()

ext4: improve error recovery code paths in __ext4_remount()

Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails

atm: Fix Use-After-Free in do_vcc_ioctl

futex: Remove unnecessary warning from get_futex_key

scsi: sg: add sg_remove_request in sg_write

fbcon: remove soft scrollback code

fbcon: remove soft scrollback code (adaptation)

media: v4l: ioctl: Fix memory leak in video_usercopy

mwifiex: Fix skb_over_panic in mwifiex_usb_recv()

inet: use bigger hash table for IP ID generation

inet: use bigger hash table for IP ID generation (adaptation)

ext4: fix kernel infoleak via ext4_extent_header

ext4: verify dir block before splitting it

ext4: verify dir block before splitting it (dependancy for older kernels)

[PATCH] af_key: Do not call xfrm_probe_algs in parallel (modified for old kernels)

CVE-2022-2964 dependancy

net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup

xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in

dm verity: set DM_TARGET_IMMUTABLE feature flag

dm verity: set DM_TARGET_IMMUTABLE feature flag (adaptation)

audit: fix error handling in audit_data_to_entry()

epoll: Keep a reference on files added to the check list

do_epoll_ctl(): clean the failure exits up a bit

HID: core: Sanitize event code and type when mapping input

fork: fix copy_process(CLONE_PARENT) race with the exiting

Xen/gnttab: handle p2m update errors on a per-slot basis

floppy: fix lock_fdc() signal handling

n_tty: Fix stall at n_tty_receive_char_special().

btrfs: fix race when cloning extent buffer during rewind of an old root

netfilter: x_tables: make xt_replace_table wait until old

netfilter: x_tables: Use correct memory barriers.

xen-blkback: don't leak persistent grants from xen_blkbk_map()

[net] Bluetooth: A2MP: Fix not initializing all members

dm ioctl: fix out of bounds array access when no devices

Bluetooth: verify AMP hci_chan before amp_destroy

Bluetooth: verify AMP hci_chan before amp_destroy (kcare adaptation)

Bluetooth: Fix slab-out-of-bounds read in

media: v4l: event: Prevent freeing event subscriptions while accessed

media: v4l: event: Prevent freeing event subscriptions while accessed (adaptation)

media: v4l: event: Add subscription to list before calling

Omitting for now: Android Pixel C USB monitor driver

kobject: Export kobject_get_unless_zero()

[fs] chardev: Avoid potential use-after-free in 'chrdev_open()'

cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE

cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE (adaptation)

can: bcm: fix infoleak in struct bcm_msg_head

UBUNTU: SAUCE: can: bcm: delay release of struct bcm_op after synchronize_rcu

l2tp: Correctly return -EBADF from pppol2tp_getname.

net: l2tp: Make l2tp_ip6 namespace aware

l2tp: fix race in l2tp_recv_common()

l2tp: ensure session can't get removed during

l2tp: fix duplicate session creation

l2tp: Refactor the codes with existing macros instead of literal number

l2tp: ensure sessions are freed after their PPPOL2TP socket

l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall()

l2tp: fix race between l2tp_session_delete() and l2tp_tunnel_closeall() (adaptation)

vgacon: remove software scrollback support (adaptation)

net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high

net/mlx4: Fix EEPROM dump support

bluetooth: eliminate the potential race condition when

seq_file: Disallow extremely large seq buffer allocations

netfilter: x_tables: fix compat match/target pad out-of-bound write

btrfs only search for left_info if there is no right_info

cfg80211: wext: avoid copying malformed SSIDs

fs/namespace.c: fix mountpoint reference counter race

HID: make arrays usage and value to be the same

sctp: validate from_addr_param return

virtio_console: Assure used length from device is limited

ext4: fix race writing to an inline_data file while its

net_sched: cls_route: remove the right filter from hashtable

vhost-net: set packet weight of tx polling to 2 * vq size

vhost_net: use packet weight for rx handler, too

vhost_net: introduce vhost_exceeds_weight()

vhost: introduce vhost_exceeds_weight()

vhost_net: fix possible infinite loop

vhost: introduce vhost_exceeds_weight() (adaptation)

mac80211: assure all fragments are encrypted

mac80211: add fragment cache to sta_info (adaptation)

mac80211: prevent mixed key and fragment cache attacks

mac80211: prevent mixed key and fragment cache attacks (adaptation)

mac80211: properly handle A-MSDUs that start with an RFC 1042

cfg80211: mitigate A-MSDU aggregation attacks

mac80211: drop A-MSDUs on old ciphers

mac80211: check defrag PN against current frame

mac80211: prevent attacks on TKIP/WEP as well

mac80211: do not accept/forward invalid EAPOL frames

mac80211: extend protection against mixed key and fragment

ath9k: release allocated buffer if timed out

rtlwifi: prevent memory leak in rtl_usb_probe

l2tp: pass tunnel pointer to ->session_create()

ocfs2: subsystem.su_mutex is required while accessing the

bcache: fix potential deadlock problem in btree_gc_coalesce

bnx2x: disable GSO where gso_size is too big for hardware

net: create skb_gso_validate_mac_len()

btrfs: inode: Verify inode mode to avoid NULL pointer dereference

btrfs: fix return value mixup in btrfs_get_extent

Bluetooth: fix the erroneous flush_work() order

ovl: prevent private clone if bind mount is not allowed

fix regression in "epoll: Keep a reference on files added to the

af_unix: fix garbage collect vs MSG_PEEK

af_unix: fix garbage collect vs MSG_PEEK (adaptation)

xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like

Bluetooth: Add bt_dev logging macros

Bluetooth: use constant time memory comparison for secret

Bluetooth: SMP: Fail if remote and local public keys are

vt_kdsetmode: extend console locking (CVE-2021-3753)

ovl: fix missing negative dentry check in ovl_rename()

drm/i915: Reduce locking in execlist command submission

drm/i915: Flush TLBs before releasing backing store

drm/i915: Flush TLBs before releasing backing store (kpatch adaptation)

sctp: use init_tag from inithdr for ABORT chunk

sctp: add vtag check in sctp_sf_violation

route: also update fnhe_genid when updating a route cache

ipv4: make exception cache less predictible

ipv4: avoid using shared IP generator for connected sockets

sr9700: sanity check for packet length

Bluetooth: use correct lock to prevent UAF of hdev object

hugetlbfs: flush TLBs correctly after huge_pmd_unshare

phonet: refcount leak in pep_sock_accep

pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()

btrfs: unlock newly allocated extent buffer after error

udf: Fix NULL ptr deref when converting from inline format

udf: Restore i_lenAlloc when inode expansion fails

Initialize registers to avoid stack leak into userspace.

quota: check block number when reading the block in quota

quota: correct error number in free_dqentry()

af_unix: fix races in sk_peer_pid and sk_peer_cred accesses

af_unix: fix races in sk_peer_pid and sk_peer_cred accesses (adaptation)

Not affected without certain conditions - Secure Boot, configured kgdb/kdb. Complex adaptation

fix double dev_kfree_skb() in error path

can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in

floppy: use a statically allocated error counter

floppy: use a statically allocated error counter (kpatch adaptation)

cgroup-v1: Require capabilities to set release_agent

netfilter: nf_tables: disallow non-stateful expression in

floppy: disable FDRAWCMD by default

floppy: disable FDRAWCMD by default (adaptation)

UBUNTU: SAUCE: net_sched: cls_route: remove from list when handle is 0

mm: enforce min addr even if capable() in expand_downwards()

ip: constify ip_build_and_send_pkt() socket argument

inet: constify ip_dont_fragment() arguments

ipv4: Cache net in ip_build_and_send_pkt and ip_queue_xmit

ipv4: tcp: send zero IPID in SYNACK messages

vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console

vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console (adaptation)

VT_RESIZEX: get rid of field-by-field copyin

vt: vt_ioctl: fix race in VT_RESIZEX

fbcon: Disallow setting font bigger than screen size

fuse: fix pipe buffer lifetime for direct_io

fuse: fix pipe buffer lifetime for direct_io (kpatch adaptation)

vt: drop old FONT ioctls

ipv4: igmp: guard against silly MTU values

usb: mon: make mmapped memory read only

sch_sfb: keep backlog updated with qlen

sch_sfb: Don't assume the skb is still around after enqueueing to child

sch_sfb: Also store skb len before calling child enqueue

netfilter: nf_conntrack_irc: Fix forged IP logic

r8152: Rate limit overflow messages

HID: roccat: Fix use-after-free in roccat_read()

proc: proc_skip_spaces() shouldn't think it is working on C strings

vsock: Fix memory leak in vsock_connect()

netfilter: nf_conntrack_irc: Tighten matching on DCC message

mISDN: fix use-after-free bugs in l1oip timer handlers

mISDN: fix use-after-free bugs in l1oip timer handlers (adaptation)

scsi: stex: Properly zero out the passthrough command structure

btrfs: Don't submit any btree write bio if the fs has errors

drm/ttm/nouveau: don't call tt destroy callback on alloc failure.

packet: in recvmsg msg_name return at least sizeof sockaddr_ll

net/packet: fix slab-out-of-bounds access in packet_recvmsg()

tcp/udp: Fix memory leak in ipv6_renew_options().

Bluetooth: remove unneeded variable in l2cap_stream_rx

Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu

Bluetooth: L2CAP: Introduce proper defines for PSM ranges

Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

wifi: brcmfmac: Fix potential buffer overflow in

USB: core: Prevent nested device-reset calls

USB: core: Prevent nested device-reset calls (adaptation)

i2c: ismt: Fix an out-of-bounds bug in ismt_access()

drivers: net: slip: fix NPD bug in sl_tx_timeout()

Bluetooth: L2CAP: Fix u8 overflow

net: sched: atm: dont intepret cls results when asked to drop

ipv6: raw: Deduct extension header length in rawv6_push_pending_frames

mm/mincore.c: make mincore() more conservative

HID: check empty report_list in hid_validate_values()

netfilter: nf_tables: fix null deref due to zeroed list head

sctp: fail if no bound addresses can be used for a given scope

media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors

prlimit: do_prlimit needs to have a speculation check

prlimit: do_prlimit needs to have a speculation check

net: sched: sch_qfq: prevent slab-out-of-bounds in qfq_activate_agg

xirc2ps_cs: Fix use after free bug in xirc2ps_detach

net: sched: cbq: dont intepret cls results when asked to drop

media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()

scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress

nvme: restrict management ioctls to admin

staging: rtl8712: fix use after free bugs

staging: rtl8712: fix use after free bugs

kvm: initialize all of the kvm_debugregs structure before sending it to userspace

wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid

net: mpls: fix stale pointer if allocation fails during device rename

seq_buf: Fix overflow in seq_buf_putmem_hex()

ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum

ath9k: fix use-after-free in ath9k_hif_usb_rx_cb

igmp: Add ip_mc_list lock in ip_check_mc_rcu

media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()

fix nested locking in table_clear() to remove deadlock concern

firewire: fix potential uaf in outbound_phy_packet_callback()

misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os

rds: Fix lack of reentrancy for connection reset with dst addr zero

ipvlan:Fix out-of-bounds caused by unclear skb->cb

wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()

media: dm1105: Fix use after free bug in dm1105_remove due to race condition

memstick: r592: Fix UAF bug in r592_remove due to race condition

fbcon: Check font dimension limits

media: dvb_frontend: fix locking issues at dvb_frontend_get_event()

media: dvb-core: Fix kernel WARNING for blocking operation in wait_event*()

media: dvb-core: Fix UAF due to refcount races at releasing

net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free

net/sched: sch_qfq: account for stab overhead in qfq_enqueue

xfrm: add NULL check in xfrm_update_ae_params

net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup()

net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf()

net/sched: cls_fw: Fix improper refcount update leads to use-after-free

netfilter: nf_tables: prevent OOB access in nft_byteorder_eval

ext4: fix use-after-free in ext4_xattr_set_entry

ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h

netfilter: nf_tables: stricter validation of element data

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

kobject: Fix slab-out-of-bounds in fill_kobj_path()

net: xfrm: Fix xfrm_address_filter OOB read

netfilter: nf_tables: validate registers coming from userspace

netfilter: nf_tables: validate registers coming from userspace

vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF

xfrm: fix crash in XFRM_MSG_GETSA netlink handler

N/A