vsock: Do not allow binding to VMADDR_PORT_ANY

net/sched: sch_qfq: Fix race condition on qfq_aggregate

net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class

net/packet: fix a race in packet_set_ring() and acket_notifier()

drm/amd/display: Fix MST Null Ptr for RV

wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()

wifi: wfx: repair open network AP mode

wifi: wfx: repair open network AP mode

netlink: avoid infinite retry looping in netlink_unicast()

firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier()

netfilter: nf_tables: reject duplicate device on updates

phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode

usb: gadget: configfs: Fix OOB read on empty string write

HID: core: ensure the allocated report buffer can contain the reserved report ID

HID: core: do not bypass hid_hw_raw_request

tracing: Add down_write(trace_event_sem) when adding trace event

dmaengine: nbpfaxi: Fix memory corruption in probe()

comedi: aio_iiro_16: Fix bit shift out of bounds

comedi: das16m1: Fix bit shift out of bounds

comedi: das6402: Fix bit shift out of bounds

bpf: Reject %p% format string in bprintf-like helpers

smb: client: fix use-after-free in cifs_oplock_break

usb: net: sierra: check for no status endpoint

Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()

ipv6: mcast: Delay put pmc->idev in mld_del_delrec()

net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree

clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

PEEMPT_RT config isn't enabled

regulator: core: fix NULL dereference on unbind due to stale coupling data

i2c: qup: jump out of the loop in case of timeout

nilfs2: reject invalid file types when reading inodes

jfs: reject on-disk inodes of an unsupported type

hfsplus: remove mutex_lock check in hfsplus_free_extents

staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()

PM / devfreq: Check governor before using governor->name

bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls

wifi: rtl818x: Kill URBs before clearing tx status queue

iwlwifi: Add missing check for alloc_ordered_workqueue

wifi: ath11k: clear initialized flag for deinit-ed srng lists

net/mlx5: Check device memory pointer before usage

net/sched: Restrict conditions for adding duplicating netems to qdisc tree

netfilter: xt_nfacct: don't assume acct name is null-terminated

clk: xilinx: vcu: unregister pll_post only if registered correctly

power: supply: cpcap-charger: Fix null check for power_supply_get_by_name

crypto: ccp - Fix crash when rebind ccp device for ccp.ko

crypto: ccp - Fix crash when rebind ccp device for ccp.ko

fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref

Out of scope: powerpc: PowerNV PCI Hotplug: not supported

Out of scope: powerpc: PowerNV PCI Hotplug: not supported

NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()

pptp: ensure minimal skb length in pptp_xmit()

ipv6: reject malicious packets in ipv6_gso_segment()

benet: fix BUG when creating VFs

usb: gadget : fix use-after-free in composite_dev_cleanup()

ALSA: usb-audio: Validate UAC3 cluster segment descriptors

ALSA: usb-audio: Fix size validation in convert_chmap_v3()

net: usb: asix_devices: add phy_mask for ax88772 mdio bus

nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()

fs: Prevent file descriptor table allocations exceeding INT_MAX

sctp: linearize cloned gso packets in sctp_rcv

hfs: fix slab-out-of-bounds in hfs_bnode_read()

hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()

hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()

hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()

ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()

ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr

scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated

scsi: bfa: Double-free fix

scsi: bfa: Double-free fix

jfs: truncate good inode pages when hard link is 0

jfs: Regular file corruption check

jfs: upper bound check of tree index in dbAllocAG

RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()

scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure

media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()

media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar

block: avoid possible overflow for chunk_sectors check in blk_stack_limits()

fbdev: Fix vmalloc out-of-bounds write in fast_imageblit

media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()

PCI: endpoint: Fix configfs group list head handling

jbd2: prevent softlockup in jbd2_log_do_checkpoint()

media: usbtv: Lock resolution while streaming

media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()

net, hsr: reject HSR frame if skb can't hold tag

ipv6: sr: Fix MAC comparison to be constant-time

ice: Fix a null pointer dereference in ice_copy_and_init_pkg()

smb: client: fix use-after-free in crypt_message when using async crypto

bus: mhi: host: Detect events pointing to unexpected TREs

net/sched: ets: use old 'nbands' while purging unused classes

ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value

mptcp: do not queue data on closed subflows

drm/amd/display: Avoid a NULL pointer dereference

fs/buffer: fix use-after-free when call bh_read() helper

ftrace: Also allocate and copy hash for reading of filter files

f2fs: fix to avoid out-of-boundary access in dnode page

soc: qcom: mdt_loader: Ensure we don't read past the ELF header

scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE

net: bridge: fix soft lockup in br_multicast_query_expired()

net: bridge: fix soft lockup in br_multicast_query_expired()

scsi: qla4xxx: Prevent a potential error pointer dereference

drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()

ppp: fix race conditions in ppp_fill_forward_path

net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit

netfilter: nf_reject: don't leak dst refcount for loopback packets

efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

KVM: x86: use array_index_nospec with indices that come from guest

HID: asus: fix UAF via HID_CLAIMED_INPUT validation

HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()

Patch adds cross-module dependency: hid_ntrig -> usbhid (usb_hid_driver symbol). Cannot be resolved without userland modprobe modifications to ensure proper module loading order.

fs: writeback: fix use-after-free in __mark_inode_dirty()

tee: fix NULL pointer dereference in tee_shm_put

wifi: cfg80211: fix use-after-free in cmp_bss()

netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()

i40e: Fix potential invalid access when MAC list is empty

ppp: fix memory leak in pad_compress_skb

Out of scope: boot time issue

mm/khugepaged: fix ->anon_vma race

iio: light: opt3001: fix deadlock due to concurrent flag access

dma-buf: insert memory barrier before updating num_fences

mm/slub: avoid accessing metadata when pointer is invalid in object_err()

macsec: fix UAF bug for real_dev

macsec: fix UAF bug for real_dev

crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

afs: Fix lock recursion

uprobe: avoid out-of-bounds memory access of fetching args

ibmvnic: Don't reference skb after sending to VIOS

ipvs: Defer ip_vs_ftp unregister during netns cleanup

media: rc: fix races with imon_disconnect()

f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()

f2fs: fix race in concurrent f2fs_stop_gc_thread

ksmbd: fix Preauh_HashValue race condition

crypto: essiv - Check ssize for decryption and in-place encryption

padata: Fix pd UAF once and for all

padata: Fix pd UAF once and for all

Vulnerability affects only ZynqMP SoCs.

tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.

libceph: fix invalid accesses to ceph_connection_v1_info

net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()

i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path

can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB

dmaengine: ti: edma: Fix memory allocation size for queue_priority_map

dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees

mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory

qed: Don't collect too many protection override GRC elements

tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().

cnic: Fix use-after-free bugs in cnic_delete_task

drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ

ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer

can: peak_usb: fix shift-out-of-bounds issue

nexthop: Forbid FDB status change while nexthop is in a group

drm/gma500: Fix null dereference in hdmi teardown

tracing: dynevent: Add a missing lockdown check on dynevent

fbcon: fix integer overflow in fbcon_do_set_font

fbcon: Fix OOB access in font allocation

Complex adaptation required. Livepatching of this vulnerability can harm the network subsystem..

mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()

scsi: target: target_core_configfs: Add length check to avoid buffer overflow

media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove

udp: Fix memory accounting leak.

media: tuner: xc5000: Fix use-after-free in xc5000_release

media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe

perf: arm_spe: Prevent overflow in PERF_IDX2OFF()

blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx

bpf: Explicitly check accesses to bpf_sock_addr

usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup

scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod

pps: fix warning in pps_register_cdev when register device fail

ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping

ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping

net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast

net: dlink: handle copy_thresh allocation failure

uio_hv_generic: Let userspace take care of interrupt mask

fs: udf: fix OOB read in lengthAllocDescs handling

mm: hugetlb: avoid soft lockup when mprotect to large memory area

pinctrl: check the return value of pinmux_ops::get_function_name()

bus: fsl-mc: Check return value of platform_get_resource()

drm/vmwgfx: Fix Use-after-free in validation

net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()

bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}

cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()

sctp: Fix MAC comparison to be constant-time

ext4: verify orphan file size is not too big

ext4: verify orphan file size is not too big

ext4: align max orphan file size with e2fsprogs limit

KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O

dm: fix NULL pointer dereference in __dm_suspend()

pid: Add a judgment for ns null in pid_nr_ns

ext4: detect invalid INLINE_DATA + EXTENTS flag combination

net/ip6_tunnel: Prevent perpetual tunnel growth

ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card

hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()

hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()

hfs: validate record offset in hfsplus_bmap_alloc

hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()

hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()

sctp: avoid NULL dereference when chunk data buffer is missing

ocfs2: clear extent cache after moving/defragmenting extents

vsock: fix lock inversion in vsock_assign_transport()

comedi: fix divide-by-zero in comedi_buf_munge()

most: usb: Fix use-after-free in hdm_disconnect

most: usb: hdm_probe: Fix calling put_device() before device initialization

most: usb: fix double free on late probe failure

fuse: fix livelock in synchronous file put from fuseblk workers

vfs: Don't leak disconnected dentries on umount

usb: gadget: f_ncm: Refactor bind path to use __free()

usb: gadget: f_acm: Refactor bind path to use __free()

usb: gadget: f_acm: Refactor bind path to use __free()

drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()

mmc: core: use sysfs_emit() instead of sprintf()