{"id":"CLSA-2025-1764085382","summary":"kernel-uek: Fix of 252 CVEs","details":"- drm/amd/display: Skip on writeback when it's not applicable {CVE-2024-36914}\n- ASoC: topology: Fix references to freed memory {CVE-2024-41069}\n- Bluetooth: RFCOMM: Fix not validating setsockopt user input {CVE-2024-35966}\n- Bluetooth: SCO: Fix not validating setsockopt user input\n- drm/dp_mst: Fix MST sideband message body length check {CVE-2024-56616}\n- xfs: don't walk off the end of a directory data block {CVE-2024-41013}\n- wifi: cfg80211: check A-MSDU format more carefully {CVE-2024-35937}\n- Reapply \"wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()\"\n- net/rds: Fix rs_recv_pending counting issue\n- LTS tag: v5.4.301\n- net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg\n- media: s5p-mfc: remove an unused/uninitialized variable\n- NFSD: Fix last write offset handling in layoutcommit\n- NFSD: Minor cleanup in layoutcommit processing\n- padata: Reset next CPU when reorder sequence wraps around\n- KEYS: trusted_tpm1: Compare HMAC values in constant time\n- NFSD: Define a proc_layoutcommit for the FlexFiles layout type {CVE-2025-40087}\n- vfs: Don't leak disconnected dentries on umount {CVE-2025-40105}\n- jbd2: ensure that all ongoing I/O complete before freeing blocks\n- ext4: detect invalid INLINE_DATA + EXTENTS flag combination {CVE-2025-40167}\n- drm/amdgpu: use atomic functions with memory barriers for vm fault info\n- ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() {CVE-2025-40198}\n- spi: cadence-quadspi: Flush posted register writes before DAC access\n- spi: cadence-quadspi: Flush posted register writes before INDAC access\n- memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe\n- memory: samsung: exynos-srom: Correct alignment\n- arm64: errata: Apply workarounds for Neoverse-V3AE\n- arm64: cputype: Add Neoverse-V3AE definitions\n- comedi: fix divide-by-zero in comedi_buf_munge() {CVE-2025-40106}\n- binder: remove \"invalid inc weak\" check\n- xhci: dbc: enable back DbC in resume if it was enabled before suspend\n- usb/core/quirks: Add Huawei ME906S to wakeup quirk\n- USB: serial: option: add Telit FN920C04 ECM compositions\n- USB: serial: option: add Quectel RG255C\n- USB: serial: option: add UNISOC UIS7720\n- net: ravb: Ensure memory write completes before ringing TX doorbell\n- net: usb: rtl8150: Fix frame padding\n- ocfs2: clear extent cache after moving/defragmenting extents\n- MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering\n- Revert \"cpuidle: menu: Avoid discarding useful information\"\n- net: bonding: fix possible peer notify event loss or dup issue\n- sctp: avoid NULL dereference when chunk data buffer is missing\n- arm64, mm: avoid always making PTE dirty in pte_mkwrite()\n- net: enetc: correct the value of ENETC_RXB_TRUESIZE\n- rtnetlink: Allow deleting FDB entries in user namespace\n- net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del\n- net: add ndo_fdb_del_bulk\n- net: rtnetlink: add bulk delete support flag\n- net: netlink: add NLM_F_BULK delete request modifier\n- net: rtnetlink: use BIT for flag values\n- net: rtnetlink: add helper to extract msg type's kind\n- net: rtnetlink: add msg kind names\n- net: rtnetlink: remove redundant assignment to variable err\n- m68k: bitops: Fix find_*_bit() signatures\n- hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super()\n- hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()\n- dlm: check for defined force value in dlm_lockspace_release\n- hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()\n- hfs: validate record offset in hfsplus_bmap_alloc\n- hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()\n- hfs: make proper initalization of struct hfs_find_data\n- hfs: clear offset and space out of valid records in b-tree node\n- exec: Fix incorrect type for ret\n- hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() {CVE-2025-40088}\n- ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings\n- sched/fair: Fix pelt lost idle time detection\n- sched/balancing: Rename newidle_balance() =\u003e sched_balance_newidle()\n- sched/fair: Trivial correction of the newidle_balance() comment\n- sched: Make newidle_balance() static again\n- tls: don't rely on tx_work during send()\n- tls: always set record_type in tls_process_cmsg\n- tg3: prevent use of uninitialized remote_adv and local_adv variables\n- tcp: fix tcp_tso_should_defer() vs large RTT\n- amd-xgbe: Avoid spurious link down messages during interface toggle\n- net/ip6_tunnel: Prevent perpetual tunnel growth {CVE-2025-40173}\n- net: dlink: handle dma_map_single() failure properly\n- net: dl2k: switch from 'pci_' to 'dma_' API\n- media: pci: ivtv: Add missing check after DMA map\n- media: pci/ivtv: switch from 'pci_' to 'dma_' API {CVE-2024-43877}\n- xen/events: Update virq_to_irq on migration\n- media: lirc: Fix error handling in lirc_register()\n- media: rc: Directly use ida_free()\n- drm/exynos: exynos7_drm_decon: remove ctx-\u003esuspended\n- btrfs: avoid potential out-of-bounds in btrfs_encode_fh() {CVE-2025-40205}\n- pwm: berlin: Fix wrong register in suspend/resume {CVE-2025-40188}\n- media: cx18: Add missing check after DMA map\n- xen/events: Cleanup find_virq() return codes\n- cramfs: Verify inode mode when loading from disk\n- fs: Add 'initramfs_options' to set initramfs mount options\n- pid: Add a judgment for ns null in pid_nr_ns {CVE-2025-40178}\n- minixfs: Verify inode mode when loading from disk\n- tracing: Fix race condition in kprobe initialization causing NULL pointer dereference {CVE-2025-40042}\n- dm: fix NULL pointer dereference in __dm_suspend() {CVE-2025-40134}\n- mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag\n- mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type\n- mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value\n- Squashfs: reject negative file sizes in squashfs_read_inode() {CVE-2025-40200}\n- Squashfs: add additional inode sanity checking\n- media: mc: Clear minor number before put device {CVE-2025-40197}\n- mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()\n- fs: udf: fix OOB read in lengthAllocDescs handling {CVE-2025-40044}\n- KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O {CVE-2025-40026}\n- net/9p: fix double req put in p9_fd_cancelled {CVE-2025-40027}\n- ext4: guard against EA inode refcount underflow in xattr update {CVE-2025-40190}\n- ext4: correctly handle queries for metadata mappings\n- ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch()\n- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry\n- x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)\n- x86/umip: Check that the instruction opcode is at least two bytes\n- PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on exit\n- PCI/AER: Fix missing uevent on recovery when a reset is requested\n- PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV\n- rseq/selftests: Use weak symbol reference, not definition, to link with glibc\n- rtc: interface: Fix long-standing race when setting alarm\n- rtc: interface: Ensure alarm irq is enabled when UIE is enabled\n- mmc: core: SPI mode remove cmd7\n- mtd: rawnand: fsmc: Default to autodetect buswidth\n- sparc: fix error handling in scan_one_device()\n- sparc64: fix hugetlb for sun4u\n- sctp: Fix MAC comparison to be constant-time {CVE-2025-40204}\n- scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()\n- parisc: don't reference obsolete termio struct for TC* constants\n- lib/genalloc: fix device leak in of_gen_pool_get()\n- iio: frequency: adf4350: Fix prescaler usage.\n- iio: dac: ad5421: use int type to store negative error codes\n- iio: dac: ad5360: use int type to store negative error codes\n- crypto: atmel - Fix dma_unmap_sg() direction\n- cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() {CVE-2025-40194}\n- drm/nouveau: fix bad ret code in nouveau_bo_move_prep\n- media: i2c: mt9v111: fix incorrect type for ret\n- firmware: meson_sm: fix device leak at probe\n- xen/manage: Fix suspend error path\n- arm64: dts: qcom: msm8916: Add missing MDSS reset\n- ACPI: debug: fix signedness issues in read/write helpers\n- ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT\n- tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single\n- tpm, tpm_tis: Claim locality before writing interrupt registers\n- crypto: essiv - Check ssize for decryption and in-place encryption {CVE-2025-40019}\n- mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes\n- mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call\n- tools build: Align warning options with perf\n- net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe\n- tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). {CVE-2025-40186}\n- net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() {CVE-2025-40187}\n- drm/vmwgfx: Fix Use-after-free in validation {CVE-2025-40111}\n- net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()\n- scsi: mvsas: Fix use-after-free bugs in mvs_work_queue {CVE-2025-40001}\n- scsi: mvsas: Use sas_task_find_rq() for tagging\n- scsi: mvsas: Delete mvs_tag_init()\n- scsi: libsas: Add sas_task_find_rq()\n- clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver\n- clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()\n- perf session: Fix handling when buffer exceeds 2 GiB\n- rtc: x1205: Fix Xicor X1205 vendor prefix\n- perf util: Fix compression checks returning -1 as bool\n- iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE\n- clocksource/drivers/clps711x: Fix resource leaks in error paths\n- pinctrl: check the return value of pinmux_ops::get_function_name() {CVE-2025-40030}\n- Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak {CVE-2025-40035}\n- mm: hugetlb: avoid soft lockup when mprotect to large memory area {CVE-2025-40153}\n- uio_hv_generic: Let userspace take care of interrupt mask {CVE-2025-40048}\n- Squashfs: fix uninit-value in squashfs_get_parent {CVE-2025-40049}\n- net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable\n- nfp: fix RSS hash key size when RSS is not supported\n- drivers/base/node: fix double free in register_one_node()\n- ocfs2: fix double free in user_cluster_connect() {CVE-2025-40055}\n- net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast {CVE-2025-40140}\n- RDMA/siw: Always report immediate post SQ errors\n- usb: vhci-hcd: Prevent suspending virtually attached devices\n- scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() {CVE-2025-40115}\n- ipvs: Defer ip_vs_ftp unregister during netns cleanup {CVE-2025-40018}\n- NFSv4.1: fix backchannel max_resp_sz verification check\n- remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice\n- sparc: fix accurate exception reporting in copy_{from,to}_user for M7\n- sparc: fix accurate exception reporting in copy_to_user for Niagara 4\n- sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara {CVE-2025-40112}\n- sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III {CVE-2025-40124}\n- sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC {CVE-2025-40126}\n- IB/sa: Fix sa_local_svc_timeout_ms read race\n- RDMA/core: Resolve MAC of next-hop device without ARP support\n- wifi: mt76: fix potential memory leak in mt76_wmac_probe()\n- drivers/base/node: handle error properly in register_one_node()\n- watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog\n- netfilter: ipset: Remove unused htable_bits in macro ahash_region\n- iio: consumers: Fix offset handling in iio_convert_raw_to_processed()\n- ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping {CVE-2025-40121}\n- ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping {CVE-2025-40154}\n- ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping\n- pps: fix warning in pps_register_cdev when register device fail {CVE-2025-40070}\n- misc: genwqe: Fix incorrect cmd field being reported in error\n- usb: gadget: configfs: Correctly set use_os_string at bind\n- usb: phy: twl6030: Fix incorrect type for ret\n- tcp: fix __tcp_close() to only send RST when required\n- PCI: tegra: Fix devm_kcalloc() argument order for port-\u003ephys allocation\n- wifi: mwifiex: send world regulatory domain to driver\n- ALSA: lx_core: use int type to store negative error codes\n- media: rj54n1cb0c: Fix memleak in rj54n1_probe()\n- scsi: myrs: Fix dma_alloc_coherent() error check\n- scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod {CVE-2025-40118}\n- serial: max310x: Add error checking in probe()\n- usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup {CVE-2025-40116}\n- drm/radeon/r600_cs: clean up of dead code in r600_cs\n- i2c: designware: Add disabling clocks when probe fails\n- i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD\n- bpf: Explicitly check accesses to bpf_sock_addr {CVE-2025-40078}\n- selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported\n- pwm: tiehrpwm: Fix corner case in clock divisor calculation\n- block: use int to store blk_stack_limits() return value\n- blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx {CVE-2025-40125}\n- pinctrl: meson-gxl: add missing i2c_d pinmux\n- soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS\n- ACPI: processor: idle: Fix memory leak when register cpuidle device failed\n- regmap: Remove superfluous check for !config in __regmap_init()\n- x86/vdso: Fix output operand size of RDPID\n- perf: arm_spe: Prevent overflow in PERF_IDX2OFF() {CVE-2025-40081}\n- driver core/PM: Set power.no_callbacks along with power.no_pm\n- staging: axis-fifo: flush RX FIFO on read errors\n- staging: axis-fifo: fix maximum TX packet length check\n- perf subcmd: avoid crash in exclude_cmds when excludes is empty\n- dm-integrity: limit MAX_TAG_SIZE to 255\n- wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188\n- USB: serial: option: add SIMCom 8230C compositions\n- media: rc: fix races with imon_disconnect() {CVE-2025-39993}\n- media: imon: grab lock earlier in imon_ir_change_protocol()\n- media: imon: reorganize serialization\n- media: rc: Add support for another iMON 0xffdc device\n- media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe {CVE-2025-39995}\n- media: tuner: xc5000: Fix use-after-free in xc5000_release {CVE-2025-39994}\n- media: tunner: xc5000: Refactor firmware load\n- udp: Fix memory accounting leak. {CVE-2025-22058}\n- media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove {CVE-2025-39996}\n- scsi: target: target_core_configfs: Add length check to avoid buffer overflow {CVE-2025-39998}\n- LTS tag: v5.4.300\n- KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active\n- mm/hugetlb: fix folio is still mapped when deleted {CVE-2025-40006}\n- i40e: add mask to apply valid bits for itr_idx\n- i40e: fix validation of VF state in get resources {CVE-2025-39969}\n- i40e: fix idx validation in config queues msg {CVE-2025-39971}\n- i40e: add validation for ring_len param {CVE-2025-39973}\n- i40e: increase max descriptors for XL710\n- mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() {CVE-2025-21861}\n- fbcon: Fix OOB access in font allocation\n- fbcon: fix integer overflow in fbcon_do_set_font {CVE-2025-39967}\n- i40e: add max boundary check for VF filters {CVE-2025-39968}\n- i40e: fix input validation logic for action_meta {CVE-2025-39970}\n- i40e: fix idx validation in i40e_validate_queue_map {CVE-2025-39972}\n- drm/gma500: Fix null dereference in hdmi teardown {CVE-2025-40011}\n- can: peak_usb: fix shift-out-of-bounds issue {CVE-2025-40020}\n- can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow {CVE-2025-39985}\n- can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow {CVE-2025-39986}\n- can: hi311x: populate ndo_change_mtu() to prevent buffer overflow {CVE-2025-39987}\n- can: rcar_can: rcar_can_resume(): fix s2ram with PSCI\n- IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions\n- usb: core: Add 0x prefix to quirks debug output\n- ALSA: usb-audio: Fix build with CONFIG_INPUT=n\n- ALSA: usb-audio: Convert comma to semicolon\n- ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5\n- ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks\n- ALSA: usb-audio: Simplify NULL comparison in mixer_quirks\n- ALSA: usb-audio: Avoid multiple assignments in mixer_quirks\n- ALSA: usb-audio: Fix block comments in mixer_quirks\n- net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer {CVE-2025-39937}\n- net: rfkill: gpio: add DT support\n- serial: sc16is7xx: fix bug in flow control levels init\n- USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels\n- usb: gadget: dummy_hcd: remove usage of list iterator past the loop body\n- ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message\n- ASoC: wm8974: Correct PLL rate rounding\n- ASoC: wm8940: Correct typo in control name\n- mmc: mvsdio: Fix dma_unmap_sg() nents value\n- nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/*\n- cnic: Fix use-after-free bugs in cnic_delete_task {CVE-2025-39945}\n- net: liquidio: fix overflow in octeon_init_instr_queue()\n- tcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect(). {CVE-2025-39955}\n- i40e: remove redundant memory barrier when cleaning Tx descs\n- net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure\n- cgroup: split cgroup_destroy_wq into 3 workqueues {CVE-2025-39953}\n- pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch\n- wifi: mac80211: fix incorrect type for ret\n- ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported\n- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory {CVE-2025-39883}\n- phy: ti-pipe3: fix device leak at unbind\n- dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees {CVE-2025-39923}\n- dmaengine: ti: edma: Fix memory allocation size for queue_priority_map {CVE-2025-39869}\n- can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails\n- can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed\n- i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path {CVE-2025-39911}\n- i40e: Use irq_update_affinity_hint()\n- genirq: Provide new interfaces for affinity hints\n- genirq: Export affinity setter for modules\n- genirq/affinity: Add irq_update_affinity_desc()\n- igb: fix link test skipping when interface is admin down\n- net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() {CVE-2025-39876}\n- USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions\n- USB: serial: option: add Telit Cinterion FN990A w/audio compositions\n- tty: hvc_console: Call hvc_kick in hvc_write unconditionally\n- mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing\n- mtd: nand: raw: atmel: Fix comment in timings preparation\n- mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer {CVE-2025-39907}\n- mm/khugepaged: fix the address passed to notifier on testing young\n- fuse: prevent overflow in copy_file_range return value\n- fuse: check if copy_file_range() returns larger than requested size\n- mtd: rawnand: stm32_fmc2: fix ECC overwrite\n- ocfs2: fix recursive semaphore deadlock in fiemap call {CVE-2025-39885}\n- EDAC/altera: Delete an inappropriate dma_free_coherent() call\n- tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock-\u003ecork. {CVE-2025-39913}\n- net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. {CVE-2025-23143}\n- device-dax: correct pgoff align in dax_set_mapping() {CVE-2024-50022}\n- Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"\n- KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer\n- rds: Free all frags when rds_ib_recv_cache_put() fails\n- bpf/bpf_get,set_sockopt: add option to set TCP-BPF sock ops flags\n- NFSv4: Don't clear capabilities that won't be reset\n- power: supply: bq27xxx: restrict no-battery detection to bq27000\n- power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery\n- usb: hub: Fix flushing of delayed work used for post resume purposes\n- soc: qcom: mdt_loader: Deal with zero e_shentsize\n- Revert \"net/mlx5e: Update and set Xon/Xoff upon port speed set\"\n- LTS tag: v5.4.299\n- scsi: lpfc: Fix buffer free/clear order in deferred receive path {CVE-2025-39841}\n- dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status()\n- cifs: fix integer overflow in match_server()\n- spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort\n- spi: spi-fsl-lpspi: Set correct chip-select polarity bit\n- spi: spi-fsl-lpspi: Fix transmissions when using CONT\n- pcmcia: Add error handling for add_interval() in do_validate_mem() {CVE-2025-39920}\n- ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model\n- randstruct: gcc-plugin: Fix attribute addition\n- randstruct: gcc-plugin: Remove bogus void member\n- vmxnet3: update MTU after device quiesce\n- net: dsa: microchip: linearize skb for tail-tagging switches\n- net: dsa: microchip: update tag_ksz masks for KSZ9477 family\n- dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status()\n- ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup\n- gpio: pca953x: fix IRQ storm on system wake up\n- iio: light: opt3001: fix deadlock due to concurrent flag access {CVE-2025-37968}\n- iio: chemical: pms7003: use aligned_s64 for timestamp\n- cpufreq/sched: Explicitly synchronize limits_changed flag handling\n- mm/slub: avoid accessing metadata when pointer is invalid in object_err() {CVE-2025-39902}\n- mm/khugepaged: fix -\u003eanon_vma race {CVE-2023-52935}\n- e1000e: fix heap overflow in e1000_set_eeprom {CVE-2025-39898}\n- batman-adv: fix OOB read/write in network-coding decode {CVE-2025-39839}\n- drm/amdgpu: drop hw access in non-DC audio fini\n- wifi: mwifiex: Initialize the chan_stats array to zero {CVE-2025-39891}\n- pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() {CVE-2025-39846}\n- ALSA: usb-audio: Add mute TLV for playback volumes on some devices\n- ppp: fix memory leak in pad_compress_skb {CVE-2025-39847}\n- net: atm: fix memory leak in atm_register_sysfs when device_register fail\n- ax25: properly unshare skbs in ax25_kiss_rcv() {CVE-2025-39848}\n- ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()\n- net: thunder_bgx: add a missing of_node_put\n- wifi: libertas: cap SSID len in lbs_associate()\n- wifi: cw1200: cap SSID length in cw1200_do_join()\n- net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets\n- i40e: Fix potential invalid access when MAC list is empty {CVE-2025-39853}\n- icmp: fix icmp_ndo_send address translation for reply direction\n- mISDN: Fix memory leak in dsp_hwec_enable()\n- xirc2ps_cs: fix register access when enabling FullDuplex\n- Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() {CVE-2025-39860}\n- netfilter: conntrack: helper: Replace -EEXIST by -EBUSY\n- wifi: cfg80211: fix use-after-free in cmp_bss() {CVE-2025-39864}\n- powerpc: boot: Remove leading zero in label in udelay()\n- hugetlbfs: take read_lock on i_mmap for PMD sharing\n- kallsyms: add module_kallsyms_on_each_symbol_locked\n- kallsyms: export module_kallsyms_on_each_symbol\n- clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns {CVE-2025-38499}\n- x86/vmscape: Warn when STIBP is disabled with SMT\n- x86/bugs: Move cpu_bugs_smt_update() down\n- x86/vmscape: Enable the mitigation\n- x86/vmscape: Add conditional IBPB mitigation\n- x86/vmscape: Add old Intel CPUs to affected list\n- x86/vmscape: Enumerate VMSCAPE bug\n- Documentation/hw-vuln: Add VMSCAPE documentation\n- LTS tag: v5.4.298\n- Revert \"drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS\"\n- net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions\n- Revert \"drm/amdgpu: fix incorrect vm flags to map bo\"\n- HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() {CVE-2025-39808}\n- HID: wacom: Add a new Art Pen 2\n- HID: asus: fix UAF via HID_CLAIMED_INPUT validation {CVE-2025-39824}\n- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare {CVE-2025-39817}\n- sctp: initialize more fields in sctp_v6_from_sk() {CVE-2025-39812}\n- net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts\n- net/mlx5e: Set local Xoff after FW update\n- net/mlx5e: Update and set Xon/Xoff upon port speed set\n- net/mlx5e: Update and set Xon/Xoff upon MTU set\n- net: dlink: fix multicast stats being counted incorrectly\n- atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). {CVE-2025-39828}\n- net/atm: remove the atmdev_ops {get, set}sockopt methods\n- Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced\n- powerpc/kvm: Fix ifdef to remove build warning\n- net: ipv4: fix regression in local-broadcast routes\n- vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put()\n- scsi: core: sysfs: Correct sysfs attributes access rights\n- ftrace: Fix potential warning in trace_printk_seq during ftrace_dump {CVE-2025-39813}\n- pinctrl: STMFX: add missing HAS_IOMEM dependency\n- LTS tag: v5.4.297\n- alloc_fdtable(): change calling conventions.\n- s390/hypfs: Enable limited access during lockdown\n- s390/hypfs: Avoid unnecessary ioctl registration in debugfs\n- ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation\n- net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate\n- net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit {CVE-2025-39766}\n- ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc\n- ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add\n- ALSA: usb-audio: Fix size validation in convert_chmap_v3()\n- scsi: qla4xxx: Prevent a potential error pointer dereference {CVE-2025-39676}\n- usb: xhci: Fix slot_id resource race conflict\n- nfs: fix UAF in direct writes {CVE-2024-26958}\n- NFS: Fix up commit deadlocks\n- cifs: Fix UAF in cifs_demultiplex_thread() {CVE-2023-52572}\n- Bluetooth: fix use-after-free in device_for_each_child() {CVE-2024-53237}\n- act_mirred: use the backlog for nested calls to mirred ingress {CVE-2022-4269}\n- net/sched: act_mirred: better wording on protection against excessive stack growth\n- net/sched: act_mirred: refactor the handle of xmit\n- selftests: forwarding: tc_actions.sh: add matchall mirror test\n- net: sched: don't expose action qstats to skb_tc_reinsert()\n- net: sched: extract qstats update code into functions\n- net: sched: extract bstats update code into function\n- net: sched: extract common action counters update code into function\n- mm: perform the mapping_map_writable() check after call_mmap()\n- mm: update memfd seal write check to include F_SEAL_WRITE\n- mm: drop the assumption that VM_SHARED always implies writable\n- codel: remove sch-\u003eq.qlen check before qdisc_tree_reduce_backlog() {CVE-2025-37798}\n- sch_qfq: make qfq_qlen_notify() idempotent\n- sch_hfsc: make hfsc_qlen_notify() idempotent {CVE-2025-38177}\n- sch_drr: make drr_qlen_notify() idempotent\n- btrfs: populate otime when logging an inode item\n- media: venus: hfi: explicitly release IRQ during teardown\n- f2fs: fix to avoid out-of-boundary access in dnode page {CVE-2025-38677}\n- media: venus: protect against spurious interrupts during probe {CVE-2025-39709}\n- media: qcom: camss: cleanup media device allocated resource on error path\n- media: venus: vdec: Clamp param smaller than 1fps and bigger than 240.\n- drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS\n- pwm: mediatek: Fix duty and period setting\n- pwm: mediatek: Handle hardware enable and clock enable separately\n- pwm: mediatek: Implement .apply() callback\n- media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() {CVE-2025-39713}\n- media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()\n- media: v4l2-ctrls: always copy the controls on completion\n- ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig\n- soc: qcom: mdt_loader: Ensure we don't read past the ELF header {CVE-2025-39787}\n- rtc: ds1307: handle oscillator stop flag (OSF) for ds1341\n- usb: musb: omap2430: fix device leak at unbind\n- NFS: Fix the setting of capabilities when automounting a new filesystem {CVE-2025-39798}\n- NFS: Fix up handling of outstanding layoutcommit in nfs_update_inode()\n- NFSv4: Fix nfs4_bitmap_copy_adjust()\n- usb: typec: fusb302: cache PD RX state\n- cdc-acm: fix race between initial clearing halt and open\n- USB: cdc-acm: do not log successful probe on later errors\n- mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock {CVE-2025-39736}\n- mm/kmemleak: turn kmemleak_lock and object-\u003elock to raw_spinlock_t\n- ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()\n- x86/fpu: Delay instruction pointer fixup until after warning\n- mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery\n- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() {CVE-2025-38724}\n- pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov\n- tracing: Add down_write(trace_event_sem) when adding trace event {CVE-2025-38539}\n- usb: hub: Don't try to recover devices lost during warm reset.\n- usb: hub: avoid warm port reset during USB3 disconnect\n- x86/mce/amd: Add default names for MCA banks and blocks\n- iio: hid-sensor-prox: Fix incorrect OFFSET calculation\n- f2fs: fix to do sanity check on ino and xnid {CVE-2025-38347}\n- mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n\n- mm/zsmalloc.c: convert to use kmem_cache_zalloc in cache_alloc_zspage()\n- drm/sched: Remove optimization that causes hang when killing dependent jobs\n- ice: Fix a null pointer dereference in ice_copy_and_init_pkg() {CVE-2025-38664}\n- net: usbnet: Fix the wrong netif_carrier_on() call\n- net: usbnet: Avoid potential RCU stall on LINK_CHANGE event\n- PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports\n- ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value {CVE-2022-50327}\n- comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large {CVE-2025-38481}\n- comedi: Fix initialization of data for instructions that write to subdevice {CVE-2025-38478}\n- kbuild: Add KBUILD_CPPFLAGS to as-option invocation\n- kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS\n- kbuild: Add CLANG_FLAGS to as-instr\n- mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation\n- kbuild: Update assembler calls to use proper flags and language target\n- ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS\n- usb: dwc3: Ignore late xferNotReady event to prevent halt timeout\n- USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles\n- usb: storage: realtek_cr: Use correct byte order for bcs-\u003eResidue\n- USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera\n- usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive\n- iio: proximity: isl29501: fix buffered read on big-endian systems\n- ftrace: Also allocate and copy hash for reading of filter files {CVE-2025-39689}\n- fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable()\n- use uniform permission checks for all mount propagation changes\n- move_mount: allow to add a mount into an existing group\n- fs/buffer: fix use-after-free when call bh_read() helper {CVE-2025-39691}\n- drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs\n- drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3\n- memstick: Fix deadlock by moving removing flag earlier\n- media: venus: Add a check for packet size after reading from shared memory {CVE-2025-39710}\n- media: ov2659: Fix memory leaks in ov2659_probe()\n- media: usbtv: Lock resolution while streaming {CVE-2025-39714}\n- media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()\n- media: gspca: Add bounds checking to firmware parser\n- soc/tegra: pmc: Ensure power-domains are in a known state\n- jbd2: prevent softlockup in jbd2_log_do_checkpoint() {CVE-2025-39782}\n- PCI: endpoint: Fix configfs group removal on driver teardown\n- PCI: endpoint: Fix configfs group list head handling {CVE-2025-39783}\n- mtd: rawnand: fsmc: Add missing check after DMA map\n- pwm: imx-tpm: Reset counter if CMOD is 0\n- wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table()\n- zynq_fpga: use sgtable-based scatterlist wrappers\n- ata: libata-scsi: Fix ata_to_sense_error() status handling\n- ext4: fix reserved gdt blocks handling in fsmap\n- ext4: fix fsmap end of range reporting with bigalloc\n- ext4: check fast symlink for ea_inode correctly\n- vt: defkeymap: Map keycodes above 127 to K_HOLE\n- vt: keyboard: Don't process Unicode characters in K_OFF mode\n- usb: dwc3: meson-g12a: fix device leaks at unbind\n- usb: gadget: udc: renesas_usb3: fix device leak at unbind\n- usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()\n- m68k: Fix lost column on framebuffer debug console\n- cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table()\n- serial: 8250: fix panic due to PSLVERR {CVE-2025-39724}\n- media: uvcvideo: Do not mark valid metadata as invalid\n- media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() {CVE-2025-38680}\n- mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() {CVE-2025-39737}\n- parisc: Makefile: fix a typo in palo.conf\n- btrfs: fix log tree replay failure due to file with 0 links and extents\n- thunderbolt: Fix copy+paste error in match_service_id()\n- comedi: fix race between polling and detaching {CVE-2025-38687}\n- misc: rtsx: usb: Ensure mmc child device is active when card is present\n- drm/amdgpu: fix incorrect vm flags to map bo\n- scsi: lpfc: Remove redundant assignment to avoid memory leak\n- rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe\n- pNFS: Fix uninited ptr deref in block/scsi layout {CVE-2025-38691}\n- pNFS: Handle RPC size limit for layoutcommits\n- pNFS: Fix disk addr range check in block/scsi layout\n- pNFS: Fix stripe mapping in block/scsi layout\n- net: phy: smsc: add proper reset flags for LAN8710A\n- ipmi: Fix strcpy source and destination the same\n- kconfig: lxdialog: fix 'space' to (de)select options\n- kconfig: gconf: fix potential memory leak in renderer_edited()\n- kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed()\n- ipmi: Use dev_warn_ratelimited() for incorrect message warnings\n- scsi: aacraid: Stop using PCI_IRQ_AFFINITY\n- scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans\n- kconfig: nconf: Ensure null termination where strncpy is used\n- kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c\n- i3c: don't fail if GETHDRCAP is unsupported\n- PCI: pnv_php: Work around switches with broken presence detection\n- i3c: add missing include to internal header\n- media: uvcvideo: Fix bandwidth issue for Alcor camera\n- media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar {CVE-2025-38693}\n- media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() {CVE-2025-38694}\n- media: usb: hdpvr: disable zero-length read messages\n- media: tc358743: Increase FIFO trigger level to 374\n- media: tc358743: Return an appropriate colorspace from tc358743_set_fmt\n- media: tc358743: Check I2C succeeded during probe\n- pinctrl: stm32: Manage irq affinity settings\n- scsi: mpt3sas: Correctly handle ATA device errors\n- scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure {CVE-2025-38695}\n- RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() {CVE-2025-39742}\n- MIPS: Don't crash in stack_top() for tasks without ABI or vDSO {CVE-2025-38696}\n- jfs: upper bound check of tree index in dbAllocAG {CVE-2025-38697}\n- jfs: Regular file corruption check {CVE-2025-38698}\n- jfs: truncate good inode pages when hard link is 0 {CVE-2025-39743}\n- scsi: bfa: Double-free fix {CVE-2025-38699}\n- MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free}\n- watchdog: dw_wdt: Fix default timeout\n- fs/orangefs: use snprintf() instead of sprintf()\n- scsi: libiscsi: Initialize iscsi_conn-\u003edd_data only if memory is allocated {CVE-2025-38700}\n- ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr {CVE-2025-38701}\n- cifs: Fix calling CIFSFindFirst() for root path without msearch\n- vhost: fail early when __vhost_add_used() fails\n- net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325\n- uapi: in6: restore visibility of most IPv6 socket options\n- net: ncsi: Fix buffer overflow in fetching version id\n- net: dsa: b53: prevent SWITCH_CTRL access on BCM5325\n- net: dsa: b53: fix b53_imp_vlan_setup for BCM5325\n- net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs\n- wifi: iwlegacy: Check rate_idx range after addition\n- netmem: fix skb_frag_address_safe with unreadable skbs\n- wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`.\n- wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect\n- wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()\n- net: fec: allow disable coalescing\n- (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer\n- s390/stp: Remove udelay from stp_sync_clock()\n- wifi: iwlwifi: mvm: fix scan request validation\n- net: thunderx: Fix format-truncation warning in bgx_acpi_match_id()\n- net: ipv4: fix incorrect MTU in broadcast routes\n- wifi: cfg80211: Fix interface type validation\n- rcu: Protect -\u003edefer_qs_iw_pending from data race {CVE-2025-39749}\n- net: ag71xx: Add missing check after DMA map\n- et131x: Add missing check after DMA map\n- be2net: Use correct byte order and format string for TCP seq and ack_seq\n- s390/time: Use monotonic clock in get_cycles()\n- wifi: cfg80211: reject HTC bit for management frames\n- ktest.pl: Prevent recursion of default variable options\n- ASoC: codecs: rt5640: Retry DEVICE_ID verification\n- ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros\n- ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control {CVE-2025-39751}\n- platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches\n- pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop()\n- usb: core: usb_submit_urb: downgrade type check\n- ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4\n- ASoC: hdac_hdmi: Rate limit logging on connection and disconnection\n- mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode()\n- ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path\n- ACPI: processor: fix acpi_object initialization\n- PM: sleep: console: Fix the black screen issue\n- thermal: sysfs: Return ENODATA instead of EAGAIN for reads\n- PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()\n- selftests: tracing: Use mutex_unlock for testing glob filter\n- ARM: tegra: Use I/O memcpy to write to IRAM {CVE-2025-39794}\n- gpio: tps65912: check the return value of regmap_update_bits()\n- ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed\n- ARM: rockchip: fix kernel hang during smp initialization {CVE-2025-39752}\n- cpufreq: Exit governor when failed to start old governor\n- usb: xhci: Avoid showing errors during surprise removal\n- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command\n- usb: xhci: Avoid showing warnings for dying controller\n- selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t\n- usb: xhci: print xhci-\u003exhc_state when queue_command failed\n- securityfs: don't pin dentries twice, once is enough...\n- hfs: fix not erasing deleted b-tree node issue\n- drbd: add missing kref_get in handle_write_conflicts {CVE-2025-38708}\n- udf: Verify partition map count\n- arm64: Handle KCOV __init vs inline mismatches\n- hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() {CVE-2025-38712}\n- hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() {CVE-2025-40082}\n- hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() {CVE-2025-38714}\n- hfs: fix slab-out-of-bounds in hfs_bnode_read() {CVE-2025-38715}\n- sctp: linearize cloned gso packets in sctp_rcv {CVE-2025-38718}\n- netfilter: ctnetlink: fix refcount leak on table dump {CVE-2025-38721}\n- udp: also consider secpath when evaluating ipsec use for checksumming\n- ACPI: processor: perflib: Move problematic pr-\u003eperformance check {CVE-2025-39799}\n- ACPI: processor: perflib: Fix initial _PPC limit application\n- Documentation: ACPI: Fix parent device references\n- fs: Prevent file descriptor table allocations exceeding INT_MAX {CVE-2025-39756}\n- sunvdc: Balance device refcount in vdc_port_mpgroup_check\n- NFSD: detect mismatch of file handle and delegation stateid in OPEN op\n- net: dpaa: fix device leak when querying time stamp info\n- net: gianfar: fix device leak when querying time stamp info\n- netlink: avoid infinite retry looping in netlink_unicast() {CVE-2025-38727}\n- ALSA: usb-audio: Validate UAC3 cluster segment descriptors {CVE-2025-39757}\n- ALSA: usb-audio: Validate UAC3 power domain descriptors, too {CVE-2025-38729}\n- io_uring: don't use int for ABI\n- usb: gadget : fix use-after-free in composite_dev_cleanup() {CVE-2025-38555}\n- MIPS: mm: tlb-r4k: Uniquify TLB entries on init\n- USB: serial: option: add Foxconn T99W709\n- vsock: Do not allow binding to VMADDR_PORT_ANY {CVE-2025-38618}\n- net/packet: fix a race in packet_set_ring() and packet_notifier() {CVE-2025-38617}\n- perf/core: Prevent VMA split of buffer mappings {CVE-2025-38563}\n- perf/core: Exit early on perf_mmap() fail {CVE-2025-38565}\n- perf/core: Don't leak AUX buffer refcount on allocation failure\n- pptp: fix pptp_xmit() error path\n- smb: client: let recv_done() cleanup before notifying the callers.\n- benet: fix BUG when creating VFs {CVE-2025-38569}\n- net: drop UFO packets in udp_rcv_segment() {CVE-2025-38622}\n- ipv6: reject malicious packets in ipv6_gso_segment() {CVE-2025-38572}\n- pptp: ensure minimal skb length in pptp_xmit() {CVE-2025-38574}\n- netpoll: prevent hanging NAPI when netcons gets enabled\n- NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() {CVE-2025-39730}\n- pci/hotplug/pnv-php: Wrap warnings in macro\n- pci/hotplug/pnv-php: Improve error msg on power state change failure\n- usb: chipidea: udc: fix sleeping function called from invalid context\n- f2fs: fix to avoid out-of-boundary access in devs.path {CVE-2025-38652}\n- f2fs: fix to avoid panic in f2fs_evict_inode {CVE-2025-38577}\n- f2fs: fix to avoid UAF in f2fs_sync_inode_meta() {CVE-2025-38578}\n- rtc: pcf8563: fix incorrect maximum clock rate handling\n- rtc: hym8563: fix incorrect maximum clock rate handling\n- rtc: ds1307: fix incorrect maximum clock rate handling\n- module: Restore the moduleparam prefix length check\n- bpf: Check flow_dissector ctx accesses are aligned\n- mtd: rawnand: atmel: set pmecc data setup time\n- mtd: rawnand: atmel: Fix dma_mapping_error() address\n- jfs: fix metapage reference count leak in dbAllocCtl\n- fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref {CVE-2025-38630}\n- crypto: qat - fix seq_file position update in adf_ring_next()\n- dmaengine: nbpfaxi: Add missing check after DMA map\n- dmaengine: mv_xor: Fix missing check after DMA map and missing unmap\n- fs/orangefs: Allow 2 more characters in do_c_string()\n- soundwire: stream: restore params when prepare ports fail\n- crypto: img-hash - Fix dma_unmap_sg() nents value\n- hwrng: mtk - handle devm_pm_runtime_enable errors\n- watchdog: ziirave_wdt: check record length in ziirave_firm_verify()\n- scsi: isci: Fix dma_unmap_sg() nents value\n- scsi: mvsas: Fix dma_unmap_sg() nents value\n- scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value\n- clk: sunxi-ng: v3s: Fix de clock definition\n- perf tests bp_account: Fix leaked file descriptor\n- crypto: ccp - Fix crash when rebind ccp device for ccp.ko {CVE-2025-38581}\n- pinctrl: sunxi: Fix memory leak on krealloc failure\n- power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set\n- clk: davinci: Add NULL check in davinci_lpsc_clk_register() {CVE-2025-38635}\n- mtd: fix possible integer overflow in erase_xfer()\n- crypto: marvell/cesa - Fix engine load inaccuracy\n- PCI: rockchip-host: Fix \"Unexpected Completion\" log message\n- vrf: Drop existing dst reference in vrf_ip6_input_dst\n- selftests: rtnetlink.sh: remove esp4_offload after test\n- netfilter: xt_nfacct: don't assume acct name is null-terminated {CVE-2025-38639}\n- can: kvaser_usb: Assign netdev.dev_port based on device channel index\n- can: kvaser_pciefd: Store device channel index\n- wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE\n- mwl8k: Add missing check after DMA map\n- wifi: rtl8xxxu: Fix RX skb size for aggregation disabled\n- net/sched: Restrict conditions for adding duplicating netems to qdisc tree {CVE-2025-38553}\n- arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX\n- drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value\n- m68k: Don't unregister boot console needlessly\n- tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range\n- iwlwifi: Add missing check for alloc_ordered_workqueue {CVE-2025-38656}\n- wifi: iwlwifi: Fix memory leak in iwl_mvm_init()\n- wifi: rtl818x: Kill URBs before clearing tx status queue {CVE-2025-38604}\n- caif: reduce stack size, again\n- bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure\n- bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls {CVE-2025-38608}\n- staging: nvec: Fix incorrect null termination of battery manufacturer\n- samples: mei: Fix building on musl libc\n- cpufreq: Init policy-\u003erwsem before it may be possibly used\n- ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface\n- usb: early: xhci-dbc: Fix early_ioremap leak\n- Revert \"vmci: Prevent the dispatching of uninitialized payloads\" {CVE-2025-38611}\n- pps: fix poll support\n- vmci: Prevent the dispatching of uninitialized payloads {CVE-2025-38611}\n- staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() {CVE-2025-38612}\n- ARM: dts: vfxxx: Correctly use two tuples for timer address\n- hfsplus: remove mutex_lock check in hfsplus_free_extents {CVE-2025-38650}\n- ASoC: Intel: fix SND_SOC_SOF dependencies\n- ethernet: intel: fix building with large NR_CPUS\n- usb: phy: mxs: disconnect line when USB charger is attached\n- usb: chipidea: add USB PHY event\n- usb: chipidea: introduce CI_HDRC_CONTROLLER_VBUS_EVENT glue layer use\n- usb: chipidea: udc: protect usb interrupt enable\n- usb: chipidea: udc: add new API ci_hdrc_gadget_connect\n- ALSA: hda: Add missing NVIDIA HDA codec IDs\n- comedi: comedi_test: Fix possible deletion of uninitialized timers\n- nilfs2: reject invalid file types when reading inodes {CVE-2025-38663}\n- i2c: qup: jump out of the loop in case of timeout {CVE-2025-38671}\n- net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class\n- net: appletalk: Fix use-after-free in AARP proxy probe {CVE-2025-38666}\n- net: appletalk: fix kerneldoc warnings\n- RDMA/core: Rate limit GID cache warning messages\n- regulator: core: fix NULL dereference on unbind due to stale coupling data {CVE-2025-38668}\n- usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm\n- usb: hub: fix detection of high tier USB3 devices behind suspended hubs\n- net_sched: sch_sfq: reject invalid perturb period {CVE-2025-38193}\n- power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition {CVE-2023-33288}\n- power: supply: bq24190_charger: using pm_runtime_resume_and_get instead of pm_runtime_get_sync\n- power: supply: bq24190_charger: Fix runtime PM imbalance on error\n- xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS\n- virtio-net: ensure the received length does not exceed allocated size {CVE-2025-38375}\n- ASoC: fsl_sai: Force a software reset when starting in consumer mode\n- usb: dwc3: qcom: Don't leave BCR asserted\n- usb: musb: fix gadget state on disconnect\n- net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree {CVE-2025-38468}\n- net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime {CVE-2025-38470}\n- Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU\n- Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout\n- Bluetooth: SMP: If an unallowed command is received consider it a failure\n- Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() {CVE-2025-38473}\n- usb: net: sierra: check for no status endpoint {CVE-2025-38474}\n- net/sched: sch_qfq: Fix race condition on qfq_aggregate {CVE-2025-38477}\n- net: emaclite: Fix missing pointer increment in aligned_read()\n- comedi: Fix use of uninitialized data in insn_rw_emulate_bits() {CVE-2025-38480}\n- comedi: Fix some signed shift left operations\n- comedi: das6402: Fix bit shift out of bounds {CVE-2025-38482}\n- comedi: das16m1: Fix bit shift out of bounds {CVE-2025-38483}\n- comedi: aio_iiro_16: Fix bit shift out of bounds {CVE-2025-38529}\n- comedi: pcl812: Fix bit shift out of bounds {CVE-2025-38530}\n- iio: adc: stm32-adc: Fix race in installing chained IRQ handler\n- iio: adc: max1363: Reorder mode_list[] entries\n- iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]\n- soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled {CVE-2025-38487}\n- soc: aspeed: lpc-snoop: Cleanup resources in stack-order\n- mmc: sdhci_am654: Workaround for Errata i2312\n- mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models\n- mmc: bcm2835: Fix dma_unmap_sg() nents value\n- memstick: core: Zero initialize id_reg in h_memstick_read_dev_id()\n- isofs: Verify inode mode when loading from disk\n- dmaengine: nbpfaxi: Fix memory corruption in probe() {CVE-2025-38538}\n- af_packet: fix soft lockup issue caused by tpacket_snd()\n- af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd()\n- phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept()\n- HID: core: do not bypass hid_hw_raw_request {CVE-2025-38494}\n- HID: core: ensure __hid_request reserves the report ID as the first byte\n- HID: core: ensure the allocated report buffer can contain the reserved report ID {CVE-2025-38495}\n- pch_uart: Fix dma_sync_sg_for_device() nents value\n- Input: xpad - set correct controller type for Acer NGR200\n- i2c: stm32: fix the device used for the DMA map\n- usb: gadget: configfs: Fix OOB read on empty string write {CVE-2025-38497}\n- USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI\n- USB: serial: option: add Foxconn T99W640\n- USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition\n- LTS tag: v5.4.296\n- x86/mm: Disable hugetlb page table sharing on 32-bit\n- Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID\n- HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras {CVE-2025-38540}\n- HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY\n- vt: add missing notification when switching back to text mode\n- net: usb: qmi_wwan: add SIMCom 8230C composition\n- atm: idt77252: Add missing `dma_map_error()`\n- bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT {CVE-2025-38439}\n- bnxt_en: Fix DCB ETS validation\n- can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level\n- net: phy: microchip: limit 100M workaround to link-down events on LAN88xx\n- net: appletalk: Fix device refcount leak in atrtr_create() {CVE-2025-38542}\n- md/raid1: Fix stack memory use after return in raid1_reshape {CVE-2025-38445}\n- wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() {CVE-2025-38513}\n- dma-buf: fix timeout handling in dma_resv_wait_timeout v2\n- Input: xpad - support Acer NGR 200 Controller\n- Input: xpad - add VID for Turtle Beach controllers\n- Input: xpad - add support for Amazon Game Controller\n- NFSv4/flexfiles: Fix handling of NFS level errors in I/O\n- flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes\n- RDMA/mlx5: Fix vport loopback for MPV device\n- netlink: Fix rmem check in netlink_broadcast_deliver().\n- netlink: make sure we allow at least one dump skb\n- Revert \"ACPI: battery: negate current when discharging\"\n- usb: gadget: u_serial: Fix race condition in TTY wakeup {CVE-2025-38448}\n- drm/sched: Increment job count before swapping tail spsc queue {CVE-2025-38515}\n- pinctrl: qcom: msm: mark certain pins as invalid for interrupts {CVE-2025-38516}\n- x86/mce: Make sure CMCI banks are cleared during shutdown on Intel\n- x86/mce: Don't remove sysfs if thresholding sysfs init fails\n- x86/mce/amd: Fix threshold limit reset\n- rxrpc: Fix oops due to non-existence of prealloc backlog struct {CVE-2025-38514}\n- net/sched: Abort __tc_modify_qdisc if parent class does not exist {CVE-2025-38457}\n- atm: clip: Fix NULL pointer dereference in vcc_sendmsg() {CVE-2025-38458}\n- atm: clip: Fix infinite recursive call of clip_push(). {CVE-2025-38459}\n- atm: clip: Fix memory leak of struct clip_vcc. {CVE-2025-38546}\n- atm: clip: Fix potential null-ptr-deref in to_atmarpd(). {CVE-2025-38460}\n- tipc: Fix use-after-free in tipc_conn_close(). {CVE-2025-38464}\n- netlink: Fix wraparounds of sk-\u003esk_rmem_alloc. {CVE-2025-38465}\n- fix proc_sys_compare() handling of in-lookup dentries\n- proc: Clear the pieces of proc_inode that proc_evict_inode cares about\n- drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling {CVE-2025-38467}\n- staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()\n- media: uvcvideo: Rollback non processed entities on error\n- media: uvcvideo: Send control events for partial succeeds\n- media: uvcvideo: Return the number of processed controls\n- ACPI: PAD: fix crash in exit_round_robin() {CVE-2024-49935}\n- usb: typec: displayport: Fix potential deadlock {CVE-2025-38404}\n- Logitech C-270 even more broken\n- rose: fix dangling neighbour pointers in rose_rt_device_down() {CVE-2025-38377}\n- net: rose: Fix fall-through warnings for Clang\n- drm/i915/gt: Fix timeline left held on VMA alloc error {CVE-2025-38389}\n- drm/i915/selftests: Change mock_request() to return error pointers\n- spi: spi-fsl-dspi: Clear completion counter before initiating transfer\n- spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path\n- spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write\n- dpaa2-eth: fix xdp_rxq_info leak\n- ethernet: atl1: Add missing DMA mapping error checks and count errors\n- btrfs: use btrfs_record_snapshot_destroy() during rmdir\n- btrfs: propagate last_unlink_trans earlier when doing a rmdir\n- RDMA/mlx5: Fix CC counters query for MPV\n- RDMA/core: Create and destroy counters in the ib_core\n- scsi: ufs: core: Fix spelling of a sysfs attribute name\n- drm/v3d: Disable interrupts before resetting the GPU {CVE-2025-38371}\n- mtk-sd: reset host-\u003emrq on prepare_data() error\n- mtk-sd: Prevent memory corruption from DMA map failure {CVE-2025-38401}\n- mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data()\n- regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods {CVE-2025-38395}\n- regulator: gpio: Add input_supply support in gpio_regulator_config\n- ACPICA: Refuse to evaluate a method if arguments are missing {CVE-2025-38386}\n- wifi: ath6kl: remove WARN on bad firmware input {CVE-2025-38406}\n- wifi: mac80211: drop invalid source address OCB frames\n- powerpc: Fix struct termio related ioctl macros\n- ata: pata_cs5536: fix build on 32-bit UML\n- ALSA: sb: Force to disable DMAs once when DMA mode is changed\n- nui: Fix dma_mapping_error() check\n- enic: fix incorrect MTU comparison in enic_change_mtu()\n- amd-xgbe: align CL37 AN sequence as per databook\n- lib: test_objagg: Set error message in check_expect_hints_stats()\n- drm/exynos: fimd: Guard display clock control with runtime PM calls\n- btrfs: fix missing error handling when searching for inode refs during log replay\n- scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()\n- nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. {CVE-2025-38400}\n- RDMA/mlx5: Initialize obj_event-\u003eobj_sub_list before xa_insert {CVE-2025-38387}\n- platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment\n- mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data\n- usb: typec: altmodes/displayport: do not index invalid pin_assignments {CVE-2025-38391}\n- mmc: sdhci: Add a helper function for dump register in dynamic debug mode\n- vsock/vmci: Clear the vmci transport packet properly when initializing it {CVE-2025-38403}\n- btrfs: don't abort filesystem when attempting to snapshot deleted subvolume {CVE-2024-26644}\n- arm64: Restrict pagetable teardown to avoid false warning\n- s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS\n- drm/bridge: cdns-dsi: Check return value when getting default PHY config\n- drm/bridge: cdns-dsi: Fix connecting to next bridge\n- drm/bridge: cdns-dsi: Fix the clock variable for mode_valid()\n- drm/tegra: Assign plane type before registration\n- HID: wacom: fix kobject reference count leak\n- HID: wacom: fix memory leak on sysfs attribute creation failure\n- HID: wacom: fix memory leak on kobject creation failure\n- dm-raid: fix variable in journal device check\n- Bluetooth: L2CAP: Fix L2CAP MTU negotiation\n- atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). {CVE-2025-38245}\n- net: enetc: Correct endianness handling in _enetc_rd_reg64\n- um: ubd: Add missing error check in start_io_thread()\n- vsock/uapi: fix linux/vm_sockets.h userspace compilation errors\n- wifi: mac80211: fix beacon interval calculation overflow\n- attach_recursive_mnt(): do not lock the covering tree when sliding something under it\n- ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() {CVE-2025-38249}\n- i2c: robotfuzz-osif: disable zero-length read messages\n- i2c: tiny-usb: disable zero-length read messages\n- RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction {CVE-2025-38211}\n- RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private\n- media: vivid: Change the siize of the composing {CVE-2025-38226}\n- media: omap3isp: use sgtable-based scatterlist wrappers\n- media: cxusb: no longer judge rbuf when the write fails {CVE-2025-38229}\n- media: cxusb: use dev_dbg() rather than hand-rolled debug\n- jfs: validate AG parameters in dbMount() to prevent crashes {CVE-2025-38230}\n- fs/jfs: consolidate sanity checking in dbMount\n- ASoC: meson: meson-card-utils: use of_property_present() for DT parsing\n- of: Add of_property_present() helper\n- of: property: define of_property_read_u{8,16,32,64}_array() unconditionally\n- kbuild: hdrcheck: fix cross build with clang\n- kbuild: add --target to correctly cross-compile UAPI headers with Clang\n- bpfilter: match bit size of bpfilter_umh to that of the kernel\n- kbuild: use -MMD instead of -MD to exclude system headers from dependency\n- VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify {CVE-2025-38102}\n- VMCI: check context-\u003enotify_page after call to get_user_pages_fast() to avoid GPF {CVE-2023-53259}\n- ovl: Check for NULL d_inode() in ovl_dentry_upper()\n- ceph: fix possible integer overflow in ceph_zero_objects()\n- ALSA: hda: Ignore unsol events for cards being shut down\n- usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode {CVE-2025-38404}\n- usb: cdc-wdm: avoid setting WDM_READ for ZLP-s\n- usb: Add checks for snprintf() calls in usb_alloc_dev()\n- tty: serial: uartlite: register uart driver in init {CVE-2025-38262}\n- usb: potential integer overflow in usbg_make_tpg()\n- iio: pressure: zpa2326: Use aligned_s64 for the timestamp\n- md/md-bitmap: fix dm-raid max_write_behind setting\n- dmaengine: xilinx_dma: Set dma_device directions\n- mfd: max14577: Fix wakeup source leaks on device unbind\n- mailbox: Not protect module_put with spin_lock_irqsave\n- cifs: Fix cifs_query_path_info() for Windows NT servers\n- net/rds: Fix rs_recv_pending counting issue\n- LTS tag: v5.4.301\n- net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg\n- media: s5p-mfc: remove an unused/uninitialized variable\n- NFSD: Fix last write offset handling in layoutcommit\n- NFSD: Minor cleanup in layoutcommit processing\n- padata: Reset next CPU when reorder sequence wraps around\n- KEYS: trusted_tpm1: Compare HMAC values in constant time\n- NFSD: Define a proc_layoutcommit for the FlexFiles layout type\n- vfs: Don't leak disconnected dentries on umount\n- jbd2: ensure that all ongoing I/O complete before freeing blocks\n- ext4: detect invalid INLINE_DATA + EXTENTS flag combination\n- drm/amdgpu: use atomic functions with memory barriers for vm fault info\n- ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()\n- spi: cadence-quadspi: Flush posted register writes before DAC access\n- spi: cadence-quadspi: Flush posted register writes before INDAC access\n- memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe\n- memory: samsung: exynos-srom: Correct alignment\n- arm64: errata: Apply workarounds for Neoverse-V3AE\n- arm64: cputype: Add Neoverse-V3AE definitions\n- comedi: fix divide-by-zero in comedi_buf_munge()\n- binder: remove \"invalid inc weak\" check\n- xhci: dbc: enable back DbC in resume if it was enabled before suspend\n- usb/core/quirks: Add Huawei ME906S to wakeup quirk\n- USB: serial: option: add Telit FN920C04 ECM compositions\n- USB: serial: option: add Quectel RG255C\n- USB: serial: option: add UNISOC UIS7720\n- net: ravb: Ensure memory write completes before ringing TX doorbell\n- net: usb: rtl8150: Fix frame padding\n- ocfs2: clear extent cache after moving/defragmenting extents\n- MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering\n- Revert \"cpuidle: menu: Avoid discarding useful information\"\n- net: bonding: fix possible peer notify event loss or dup issue\n- sctp: avoid NULL dereference when chunk data buffer is missing\n- arm64, mm: avoid always making PTE dirty in pte_mkwrite()\n- net: enetc: correct the value of ENETC_RXB_TRUESIZE\n- rtnetlink: Allow deleting FDB entries in user namespace\n- net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del\n- net: add ndo_fdb_del_bulk\n- net: rtnetlink: add bulk delete support flag\n- net: netlink: add NLM_F_BULK delete request modifier\n- net: rtnetlink: use BIT for flag values\n- net: rtnetlink: add helper to extract msg type's kind\n- net: rtnetlink: add msg kind names\n- net: rtnetlink: remove redundant assignment to variable err\n- m68k: bitops: Fix find_*_bit() signatures\n- hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super()\n- hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()\n- dlm: check for defined force value in dlm_lockspace_release\n- hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()\n- hfs: validate record offset in hfsplus_bmap_alloc\n- hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()\n- hfs: make proper initalization of struct hfs_find_data\n- hfs: clear offset and space out of valid records in b-tree node\n- exec: Fix incorrect type for ret\n- hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()\n- ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings\n- sched/fair: Fix pelt lost idle time detection\n- sched/balancing: Rename newidle_balance() =\u003e sched_balance_newidle()\n- sched/fair: Trivial correction of the newidle_balance() comment\n- sched: Make newidle_balance() static again\n- tls: don't rely on tx_work during send()\n- tls: always set record_type in tls_process_cmsg\n- tg3: prevent use of uninitialized remote_adv and local_adv variables\n- tcp: fix tcp_tso_should_defer() vs large RTT\n- amd-xgbe: Avoid spurious link down messages during interface toggle\n- net/ip6_tunnel: Prevent perpetual tunnel growth\n- net: dlink: handle dma_map_single() failure properly\n- net: dl2k: switch from 'pci_' to 'dma_' API\n- media: pci: ivtv: Add missing check after DMA map\n- media: pci/ivtv: switch from 'pci_' to 'dma_' API\n- xen/events: Update virq_to_irq on migration\n- media: lirc: Fix error handling in lirc_register()\n- media: rc: Directly use ida_free()\n- drm/exynos: exynos7_drm_decon: remove ctx-\u003esuspended\n- btrfs: avoid potential out-of-bounds in btrfs_encode_fh()\n- pwm: berlin: Fix wrong register in suspend/resume\n- media: cx18: Add missing check after DMA map\n- xen/events: Cleanup find_virq() return codes\n- cramfs: Verify inode mode when loading from disk\n- fs: Add 'initramfs_options' to set initramfs mount options\n- pid: Add a judgment for ns null in pid_nr_ns\n- minixfs: Verify inode mode when loading from disk\n- tracing: Fix race condition in kprobe initialization causing NULL pointer dereference\n- dm: fix NULL pointer dereference in __dm_suspend()\n- mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag\n- mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type\n- mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value\n- Squashfs: reject negative file sizes in squashfs_read_inode()\n- Squashfs: add additional inode sanity checking\n- media: mc: Clear minor number before put device\n- mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()\n- fs: udf: fix OOB read in lengthAllocDescs handling\n- KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O\n- net/9p: fix double req put in p9_fd_cancelled\n- ext4: guard against EA inode refcount underflow in xattr update\n- ext4: correctly handle queries for metadata mappings\n- ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch()\n- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry\n- x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)\n- x86/umip: Check that the instruction opcode is at least two bytes\n- PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on exit\n- PCI/AER: Fix missing uevent on recovery when a reset is requested\n- PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV\n- rseq/selftests: Use weak symbol reference, not definition, to link with glibc\n- rtc: interface: Fix long-standing race when setting alarm\n- rtc: interface: Ensure alarm irq is enabled when UIE is enabled\n- mmc: core: SPI mode remove cmd7\n- mtd: rawnand: fsmc: Default to autodetect buswidth\n- sparc: fix error handling in scan_one_device()\n- sparc64: fix hugetlb for sun4u\n- sctp: Fix MAC comparison to be constant-time\n- scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()\n- parisc: don't reference obsolete termio struct for TC* constants\n- lib/genalloc: fix device leak in of_gen_pool_get()\n- iio: frequency: adf4350: Fix prescaler usage.\n- iio: dac: ad5421: use int type to store negative error codes\n- iio: dac: ad5360: use int type to store negative error codes\n- crypto: atmel - Fix dma_unmap_sg() direction\n- cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request()\n- drm/nouveau: fix bad ret code in nouveau_bo_move_prep\n- media: i2c: mt9v111: fix incorrect type for ret\n- firmware: meson_sm: fix device leak at probe\n- xen/manage: Fix suspend error path\n- arm64: dts: qcom: msm8916: Add missing MDSS reset\n- ACPI: debug: fix signedness issues in read/write helpers\n- ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT\n- tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single\n- tpm, tpm_tis: Claim locality before writing interrupt registers\n- crypto: essiv - Check ssize for decryption and in-place encryption\n- mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes\n- mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call\n- tools build: Align warning options with perf\n- net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe\n- tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().\n- net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()\n- drm/vmwgfx: Fix Use-after-free in validation\n- net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()\n- scsi: mvsas: Fix use-after-free bugs in mvs_work_queue\n- scsi: mvsas: Use sas_task_find_rq() for tagging\n- scsi: mvsas: Delete mvs_tag_init()\n- scsi: libsas: Add sas_task_find_rq()\n- clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver\n- clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()\n- perf session: Fix handling when buffer exceeds 2 GiB\n- rtc: x1205: Fix Xicor X1205 vendor prefix\n- perf util: Fix compression checks returning -1 as bool\n- iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE\n- clocksource/drivers/clps711x: Fix resource leaks in error paths\n- pinctrl: check the return value of pinmux_ops::get_function_name()\n- Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak\n- mm: hugetlb: avoid soft lockup when mprotect to large memory area\n- uio_hv_generic: Let userspace take care of interrupt mask\n- Squashfs: fix uninit-value in squashfs_get_parent\n- net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable\n- nfp: fix RSS hash key size when RSS is not supported\n- drivers/base/node: fix double free in register_one_node()\n- ocfs2: fix double free in user_cluster_connect()\n- net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast\n- RDMA/siw: Always report immediate post SQ errors\n- usb: vhci-hcd: Prevent suspending virtually attached devices\n- scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()\n- ipvs: Defer ip_vs_ftp unregister during netns cleanup\n- NFSv4.1: fix backchannel max_resp_sz verification check\n- remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice\n- sparc: fix accurate exception reporting in copy_{from,to}_user for M7\n- sparc: fix accurate exception reporting in copy_to_user for Niagara 4\n- sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara\n- sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III\n- sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC\n- IB/sa: Fix sa_local_svc_timeout_ms read race\n- RDMA/core: Resolve MAC of next-hop device without ARP support\n- wifi: mt76: fix potential memory leak in mt76_wmac_probe()\n- drivers/base/node: handle error properly in register_one_node()\n- watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog\n- netfilter: ipset: Remove unused htable_bits in macro ahash_region\n- iio: consumers: Fix offset handling in iio_convert_raw_to_processed()\n- ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping\n- ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping\n- ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping\n- pps: fix warning in pps_register_cdev when register device fail\n- misc: genwqe: Fix incorrect cmd field being reported in error\n- usb: gadget: configfs: Correctly set use_os_string at bind\n- usb: phy: twl6030: Fix incorrect type for ret\n- tcp: fix __tcp_close() to only send RST when required\n- PCI: tegra: Fix devm_kcalloc() argument order for port-\u003ephys allocation\n- wifi: mwifiex: send world regulatory domain to driver\n- ALSA: lx_core: use int type to store negative error codes\n- media: rj54n1cb0c: Fix memleak in rj54n1_probe()\n- scsi: myrs: Fix dma_alloc_coherent() error check\n- scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod\n- serial: max310x: Add error checking in probe()\n- usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup\n- drm/radeon/r600_cs: clean up of dead code in r600_cs\n- i2c: designware: Add disabling clocks when probe fails\n- i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD\n- bpf: Explicitly check accesses to bpf_sock_addr\n- selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported\n- pwm: tiehrpwm: Fix corner case in clock divisor calculation\n- block: use int to store blk_stack_limits() return value\n- blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx\n- pinctrl: meson-gxl: add missing i2c_d pinmux\n- soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS\n- ACPI: processor: idle: Fix memory leak when register cpuidle device failed\n- regmap: Remove superfluous check for !config in __regmap_init()\n- x86/vdso: Fix output operand size of RDPID\n- perf: arm_spe: Prevent overflow in PERF_IDX2OFF()\n- driver core/PM: Set power.no_callbacks along with power.no_pm\n- staging: axis-fifo: flush RX FIFO on read errors\n- staging: axis-fifo: fix maximum TX packet length check\n- perf subcmd: avoid crash in exclude_cmds when excludes is empty\n- dm-integrity: limit MAX_TAG_SIZE to 255\n- wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188\n- USB: serial: option: add SIMCom 8230C compositions\n- media: rc: fix races with imon_disconnect()\n- media: imon: grab lock earlier in imon_ir_change_protocol()\n- media: imon: reorganize serialization\n- media: rc: Add support for another iMON 0xffdc device\n- media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe\n- media: tuner: xc5000: Fix use-after-free in xc5000_release\n- media: tunner: xc5000: Refactor firmware load\n- udp: Fix memory accounting leak.\n- media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove\n- scsi: target: target_core_configfs: Add length check to avoid buffer overflow\n- LTS tag: v5.4.300\n- KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active\n- mm/hugetlb: fix folio is still mapped when deleted\n- i40e: add mask to apply valid bits for itr_idx\n- i40e: fix validation of VF state in get resources\n- i40e: fix idx validation in config queues msg\n- i40e: add validation for ring_len param\n- i40e: increase max descriptors for XL710\n- mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()\n- fbcon: Fix OOB access in font allocation\n- fbcon: fix integer overflow in fbcon_do_set_font\n- i40e: add max boundary check for VF filters\n- i40e: fix input validation logic for action_meta\n- i40e: fix idx validation in i40e_validate_queue_map\n- drm/gma500: Fix null dereference in hdmi teardown\n- can: peak_usb: fix shift-out-of-bounds issue\n- can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow\n- can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow\n- can: hi311x: populate ndo_change_mtu() to prevent buffer overflow\n- can: rcar_can: rcar_can_resume(): fix s2ram with PSCI\n- IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions\n- usb: core: Add 0x prefix to quirks debug output\n- ALSA: usb-audio: Fix build with CONFIG_INPUT=n\n- ALSA: usb-audio: Convert comma to semicolon\n- ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5\n- ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks\n- ALSA: usb-audio: Simplify NULL comparison in mixer_quirks\n- ALSA: usb-audio: Avoid multiple assignments in mixer_quirks\n- ALSA: usb-audio: Fix block comments in mixer_quirks\n- net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer\n- net: rfkill: gpio: add DT support\n- serial: sc16is7xx: fix bug in flow control levels init\n- USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels\n- usb: gadget: dummy_hcd: remove usage of list iterator past the loop body\n- ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message\n- ASoC: wm8974: Correct PLL rate rounding\n- ASoC: wm8940: Correct typo in control name\n- mmc: mvsdio: Fix dma_unmap_sg() nents value\n- nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/*\n- cnic: Fix use-after-free bugs in cnic_delete_task\n- net: liquidio: fix overflow in octeon_init_instr_queue()\n- tcp: Clear tcp_sk(sk)-\u003efastopen_rsk in tcp_disconnect().\n- i40e: remove redundant memory barrier when cleaning Tx descs\n- net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure\n- cgroup: split cgroup_destroy_wq into 3 workqueues\n- pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch\n- wifi: mac80211: fix incorrect type for ret\n- ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported\n- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory\n- phy: ti-pipe3: fix device leak at unbind\n- dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees\n- dmaengine: ti: edma: Fix memory allocation size for queue_priority_map\n- can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails\n- can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed\n- i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path\n- i40e: Use irq_update_affinity_hint()\n- genirq: Provide new interfaces for affinity hints\n- genirq: Export affinity setter for modules\n- genirq/affinity: Add irq_update_affinity_desc()\n- igb: fix link test skipping when interface is admin down\n- net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()\n- USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions\n- USB: serial: option: add Telit Cinterion FN990A w/audio compositions\n- tty: hvc_console: Call hvc_kick in hvc_write unconditionally\n- mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing\n- mtd: nand: raw: atmel: Fix comment in timings preparation\n- mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer\n- mm/khugepaged: fix the address passed to notifier on testing young\n- fuse: prevent overflow in copy_file_range return value\n- fuse: check if copy_file_range() returns larger than requested size\n- mtd: rawnand: stm32_fmc2: fix ECC overwrite\n- ocfs2: fix recursive semaphore deadlock in fiemap call\n- EDAC/altera: Delete an inappropriate dma_free_coherent() call\n- tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock-\u003ecork.\n- net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.\n- device-dax: correct pgoff align in dax_set_mapping() {CVE-2024-50022}\n- Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"\n- KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer\n- rds: Free all frags when rds_ib_recv_cache_put() fails\n- bpf/bpf_get,set_sockopt: add option to set TCP-BPF sock ops flags\n- NFSv4: Don't clear capabilities that won't be reset\n- power: supply: bq27xxx: restrict no-battery detection to bq27000\n- power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery\n- usb: hub: Fix flushing of delayed work used for post resume purposes\n- soc: qcom: mdt_loader: Deal with zero e_shentsize\n- Revert \"net/mlx5e: Update and set Xon/Xoff upon port speed set\"\n- LTS tag: v5.4.299\n- scsi: lpfc: Fix buffer free/clear order in deferred receive path\n- dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status()\n- cifs: fix integer overflow in match_server()\n- spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort\n- spi: spi-fsl-lpspi: Set correct chip-select polarity bit\n- spi: spi-fsl-lpspi: Fix transmissions when using CONT\n- pcmcia: Add error handling for add_interval() in do_validate_mem()\n- ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model\n- randstruct: gcc-plugin: Fix attribute addition\n- randstruct: gcc-plugin: Remove bogus void member\n- vmxnet3: update MTU after device quiesce\n- net: dsa: microchip: linearize skb for tail-tagging switches\n- net: dsa: microchip: update tag_ksz masks for KSZ9477 family\n- dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status()\n- ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup\n- gpio: pca953x: fix IRQ storm on system wake up\n- iio: light: opt3001: fix deadlock due to concurrent flag access\n- iio: chemical: pms7003: use aligned_s64 for timestamp\n- cpufreq/sched: Explicitly synchronize limits_changed flag handling\n- mm/slub: avoid accessing metadata when pointer is invalid in object_err()\n- mm/khugepaged: fix -\u003eanon_vma race\n- e1000e: fix heap overflow in e1000_set_eeprom\n- batman-adv: fix OOB read/write in network-coding decode\n- drm/amdgpu: drop hw access in non-DC audio fini\n- wifi: mwifiex: Initialize the chan_stats array to zero\n- pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()\n- ALSA: usb-audio: Add mute TLV for playback volumes on some devices\n- ppp: fix memory leak in pad_compress_skb\n- net: atm: fix memory leak in atm_register_sysfs when device_register fail\n- ax25: properly unshare skbs in ax25_kiss_rcv()\n- ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()\n- net: thunder_bgx: add a missing of_node_put\n- wifi: libertas: cap SSID len in lbs_associate()\n- wifi: cw1200: cap SSID length in cw1200_do_join()\n- net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets\n- i40e: Fix potential invalid access when MAC list is empty\n- icmp: fix icmp_ndo_send address translation for reply direction\n- mISDN: Fix memory leak in dsp_hwec_enable()\n- xirc2ps_cs: fix register access when enabling FullDuplex\n- Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()\n- netfilter: conntrack: helper: Replace -EEXIST by -EBUSY\n- wifi: cfg80211: fix use-after-free in cmp_bss()\n- powerpc: boot: Remove leading zero in label in udelay()\n- hugetlbfs: take read_lock on i_mmap for PMD sharing\n- kallsyms: add module_kallsyms_on_each_symbol_locked\n- kallsyms: export module_kallsyms_on_each_symbol\n- uek-rpm: Move ifb module to nano modules\n- clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns {CVE-2025-38499}\n- x86/vmscape: Warn when STIBP is disabled with SMT\n- x86/bugs: Move cpu_bugs_smt_update() down\n- x86/vmscape: Enable the mitigation\n- x86/vmscape: Add conditional IBPB mitigation\n- x86/vmscape: Add old Intel CPUs to affected list\n- x86/vmscape: Enumerate VMSCAPE bug\n- Documentation/hw-vuln: Add VMSCAPE documentation\n- LTS tag: v5.4.298\n- Revert \"drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS\"\n- net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions\n- Revert \"drm/amdgpu: fix incorrect vm flags to map bo\"\n- HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()\n- HID: wacom: Add a new Art Pen 2\n- HID: asus: fix UAF via HID_CLAIMED_INPUT validation\n- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare\n- sctp: initialize more fields in sctp_v6_from_sk()\n- net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts\n- net/mlx5e: Set local Xoff after FW update\n- net/mlx5e: Update and set Xon/Xoff upon port speed set\n- net/mlx5e: Update and set Xon/Xoff upon MTU set\n- net: dlink: fix multicast stats being counted incorrectly\n- atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().\n- net/atm: remove the atmdev_ops {get, set}sockopt methods\n- Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced\n- powerpc/kvm: Fix ifdef to remove build warning\n- net: ipv4: fix regression in local-broadcast routes\n- vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put()\n- scsi: core: sysfs: Correct sysfs attributes access rights\n- ftrace: Fix potential warning in trace_printk_seq during ftrace_dump\n- pinctrl: STMFX: add missing HAS_IOMEM dependency\n- LTS tag: v5.4.297\n- alloc_fdtable(): change calling conventions.\n- s390/hypfs: Enable limited access during lockdown\n- s390/hypfs: Avoid unnecessary ioctl registration in debugfs\n- ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation\n- net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate\n- net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit\n- ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc\n- ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add\n- ALSA: usb-audio: Fix size validation in convert_chmap_v3()\n- scsi: qla4xxx: Prevent a potential error pointer dereference\n- usb: xhci: Fix slot_id resource race conflict\n- nfs: fix UAF in direct writes\n- NFS: Fix up commit deadlocks\n- cifs: Fix UAF in cifs_demultiplex_thread()\n- Bluetooth: fix use-after-free in device_for_each_child()\n- act_mirred: use the backlog for nested calls to mirred ingress\n- net/sched: act_mirred: better wording on protection against excessive stack growth\n- net/sched: act_mirred: refactor the handle of xmit\n- selftests: forwarding: tc_actions.sh: add matchall mirror test\n- net: sched: don't expose action qstats to skb_tc_reinsert()\n- net: sched: extract qstats update code into functions\n- net: sched: extract bstats update code into function\n- net: sched: extract common action counters update code into function\n- mm: perform the mapping_map_writable() check after call_mmap()\n- mm: update memfd seal write check to include F_SEAL_WRITE\n- mm: drop the assumption that VM_SHARED always implies writable\n- codel: remove sch-\u003eq.qlen check before qdisc_tree_reduce_backlog()\n- sch_qfq: make qfq_qlen_notify() idempotent\n- sch_hfsc: make hfsc_qlen_notify() idempotent\n- sch_drr: make drr_qlen_notify() idempotent\n- btrfs: populate otime when logging an inode item\n- media: venus: hfi: explicitly release IRQ during teardown\n- f2fs: fix to avoid out-of-boundary access in dnode page\n- media: venus: protect against spurious interrupts during probe\n- media: qcom: camss: cleanup media device allocated resource on error path\n- media: venus: vdec: Clamp param smaller than 1fps and bigger than 240.\n- drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS\n- pwm: mediatek: Fix duty and period setting\n- pwm: mediatek: Handle hardware enable and clock enable separately\n- pwm: mediatek: Implement .apply() callback\n- media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()\n- media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()\n- media: v4l2-ctrls: always copy the controls on completion\n- ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig\n- soc: qcom: mdt_loader: Ensure we don't read past the ELF header\n- rtc: ds1307: handle oscillator stop flag (OSF) for ds1341\n- usb: musb: omap2430: fix device leak at unbind\n- NFS: Fix the setting of capabilities when automounting a new filesystem\n- NFS: Fix up handling of outstanding layoutcommit in nfs_update_inode()\n- NFSv4: Fix nfs4_bitmap_copy_adjust()\n- usb: typec: fusb302: cache PD RX state\n- cdc-acm: fix race between initial clearing halt and open\n- USB: cdc-acm: do not log successful probe on later errors\n- mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock\n- mm/kmemleak: turn kmemleak_lock and object-\u003elock to raw_spinlock_t\n- ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()\n- x86/fpu: Delay instruction pointer fixup until after warning\n- mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery\n- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()\n- pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov\n- tracing: Add down_write(trace_event_sem) when adding trace event\n- usb: hub: Don't try to recover devices lost during warm reset.\n- usb: hub: avoid warm port reset during USB3 disconnect\n- x86/mce/amd: Add default names for MCA banks and blocks\n- iio: hid-sensor-prox: Fix incorrect OFFSET calculation\n- f2fs: fix to do sanity check on ino and xnid\n- mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n\n- mm/zsmalloc.c: convert to use kmem_cache_zalloc in cache_alloc_zspage()\n- drm/sched: Remove optimization that causes hang when killing dependent jobs\n- ice: Fix a null pointer dereference in ice_copy_and_init_pkg()\n- net: usbnet: Fix the wrong netif_carrier_on() call\n- net: usbnet: Avoid potential RCU stall on LINK_CHANGE event\n- PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports\n- ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value\n- comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large\n- comedi: Fix initialization of data for instructions that write to subdevice\n- kbuild: Add KBUILD_CPPFLAGS to as-option invocation\n- kbuild: add $(CLANG_FLAGS) to KBUILD_CPPFLAGS\n- kbuild: Add CLANG_FLAGS to as-instr\n- mips: Include KBUILD_CPPFLAGS in CHECKFLAGS invocation\n- kbuild: Update assembler calls to use proper flags and language target\n- ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS\n- usb: dwc3: Ignore late xferNotReady event to prevent halt timeout\n- USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles\n- usb: storage: realtek_cr: Use correct byte order for bcs-\u003eResidue\n- USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera\n- usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive\n- iio: proximity: isl29501: fix buffered read on big-endian systems\n- ftrace: Also allocate and copy hash for reading of filter files\n- fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable()\n- use uniform permission checks for all mount propagation changes\n- move_mount: allow to add a mount into an existing group\n- fs/buffer: fix use-after-free when call bh_read() helper\n- drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs\n- drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3\n- memstick: Fix deadlock by moving removing flag earlier\n- media: venus: Add a check for packet size after reading from shared memory\n- media: ov2659: Fix memory leaks in ov2659_probe()\n- media: usbtv: Lock resolution while streaming\n- media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()\n- media: gspca: Add bounds checking to firmware parser\n- soc/tegra: pmc: Ensure power-domains are in a known state\n- jbd2: prevent softlockup in jbd2_log_do_checkpoint()\n- PCI: endpoint: Fix configfs group removal on driver teardown\n- PCI: endpoint: Fix configfs group list head handling\n- mtd: rawnand: fsmc: Add missing check after DMA map\n- pwm: imx-tpm: Reset counter if CMOD is 0\n- wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table()\n- zynq_fpga: use sgtable-based scatterlist wrappers\n- ata: libata-scsi: Fix ata_to_sense_error() status handling\n- ext4: fix reserved gdt blocks handling in fsmap\n- ext4: fix fsmap end of range reporting with bigalloc\n- ext4: check fast symlink for ea_inode correctly\n- vt: defkeymap: Map keycodes above 127 to K_HOLE\n- vt: keyboard: Don't process Unicode characters in K_OFF mode\n- usb: dwc3: meson-g12a: fix device leaks at unbind\n- usb: gadget: udc: renesas_usb3: fix device leak at unbind\n- usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()\n- m68k: Fix lost column on framebuffer debug console\n- cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table()\n- serial: 8250: fix panic due to PSLVERR\n- media: uvcvideo: Do not mark valid metadata as invalid\n- media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()\n- mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()\n- parisc: Makefile: fix a typo in palo.conf\n- btrfs: fix log tree replay failure due to file with 0 links and extents\n- thunderbolt: Fix copy+paste error in match_service_id()\n- comedi: fix race between polling and detaching\n- misc: rtsx: usb: Ensure mmc child device is active when card is present\n- drm/amdgpu: fix incorrect vm flags to map bo\n- scsi: lpfc: Remove redundant assignment to avoid memory leak\n- rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe\n- pNFS: Fix uninited ptr deref in block/scsi layout\n- pNFS: Handle RPC size limit for layoutcommits\n- pNFS: Fix disk addr range check in block/scsi layout\n- pNFS: Fix stripe mapping in block/scsi layout\n- net: phy: smsc: add proper reset flags for LAN8710A\n- ipmi: Fix strcpy source and destination the same\n- kconfig: lxdialog: fix 'space' to (de)select options\n- kconfig: gconf: fix potential memory leak in renderer_edited()\n- kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed()\n- ipmi: Use dev_warn_ratelimited() for incorrect message warnings\n- scsi: aacraid: Stop using PCI_IRQ_AFFINITY\n- scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans\n- kconfig: nconf: Ensure null termination where strncpy is used\n- kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c\n- i3c: don't fail if GETHDRCAP is unsupported\n- PCI: pnv_php: Work around switches with broken presence detection\n- i3c: add missing include to internal header\n- media: uvcvideo: Fix bandwidth issue for Alcor camera\n- media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar\n- media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()\n- media: usb: hdpvr: disable zero-length read messages\n- media: tc358743: Increase FIFO trigger level to 374\n- media: tc358743: Return an appropriate colorspace from tc358743_set_fmt\n- media: tc358743: Check I2C succeeded during probe\n- pinctrl: stm32: Manage irq affinity settings\n- scsi: mpt3sas: Correctly handle ATA device errors\n- scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure\n- RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()\n- MIPS: Don't crash in stack_top() for tasks without ABI or vDSO\n- jfs: upper bound check of tree index in dbAllocAG\n- jfs: Regular file corruption check\n- jfs: truncate good inode pages when hard link is 0\n- scsi: bfa: Double-free fix\n- MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free}\n- watchdog: dw_wdt: Fix default timeout\n- fs/orangefs: use snprintf() instead of sprintf()\n- scsi: libiscsi: Initialize iscsi_conn-\u003edd_data only if memory is allocated\n- ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr\n- cifs: Fix calling CIFSFindFirst() for root path without msearch\n- vhost: fail early when __vhost_add_used() fails\n- net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325\n- uapi: in6: restore visibility of most IPv6 socket options\n- net: ncsi: Fix buffer overflow in fetching version id\n- net: dsa: b53: prevent SWITCH_CTRL access on BCM5325\n- net: dsa: b53: fix b53_imp_vlan_setup for BCM5325\n- net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs\n- wifi: iwlegacy: Check rate_idx range after addition\n- netmem: fix skb_frag_address_safe with unreadable skbs\n- wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`.\n- wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect\n- wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()\n- net: fec: allow disable coalescing\n- (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer\n- s390/stp: Remove udelay from stp_sync_clock()\n- wifi: iwlwifi: mvm: fix scan request validation\n- net: thunderx: Fix format-truncation warning in bgx_acpi_match_id()\n- net: ipv4: fix incorrect MTU in broadcast routes\n- wifi: cfg80211: Fix interface type validation\n- rcu: Protect -\u003edefer_qs_iw_pending from data race\n- net: ag71xx: Add missing check after DMA map\n- et131x: Add missing check after DMA map\n- be2net: Use correct byte order and format string for TCP seq and ack_seq\n- s390/time: Use monotonic clock in get_cycles()\n- wifi: cfg80211: reject HTC bit for management frames\n- ktest.pl: Prevent recursion of default variable options\n- ASoC: codecs: rt5640: Retry DEVICE_ID verification\n- ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros\n- ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control\n- platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches\n- pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop()\n- usb: core: usb_submit_urb: downgrade type check\n- ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4\n- ASoC: hdac_hdmi: Rate limit logging on connection and disconnection\n- mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode()\n- ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path\n- ACPI: processor: fix acpi_object initialization\n- PM: sleep: console: Fix the black screen issue\n- thermal: sysfs: Return ENODATA instead of EAGAIN for reads\n- PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()\n- selftests: tracing: Use mutex_unlock for testing glob filter\n- ARM: tegra: Use I/O memcpy to write to IRAM\n- gpio: tps65912: check the return value of regmap_update_bits()\n- ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed\n- ARM: rockchip: fix kernel hang during smp initialization\n- cpufreq: Exit governor when failed to start old governor\n- usb: xhci: Avoid showing errors during surprise removal\n- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command\n- usb: xhci: Avoid showing warnings for dying controller\n- selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t\n- usb: xhci: print xhci-\u003exhc_state when queue_command failed\n- securityfs: don't pin dentries twice, once is enough...\n- hfs: fix not erasing deleted b-tree node issue\n- drbd: add missing kref_get in handle_write_conflicts\n- udf: Verify partition map count\n- arm64: Handle KCOV __init vs inline mismatches\n- hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()\n- hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()\n- hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()\n- hfs: fix slab-out-of-bounds in hfs_bnode_read()\n- sctp: linearize cloned gso packets in sctp_rcv\n- netfilter: ctnetlink: fix refcount leak on table dump\n- udp: also consider secpath when evaluating ipsec use for checksumming\n- ACPI: processor: perflib: Move problematic pr-\u003eperformance check\n- ACPI: processor: perflib: Fix initial _PPC limit application\n- Documentation: ACPI: Fix parent device references\n- fs: Prevent file descriptor table allocations exceeding INT_MAX\n- sunvdc: Balance device refcount in vdc_port_mpgroup_check\n- NFSD: detect mismatch of file handle and delegation stateid in OPEN op\n- net: dpaa: fix device leak when querying time stamp info\n- net: gianfar: fix device leak when querying time stamp info\n- netlink: avoid infinite retry looping in netlink_unicast()\n- ALSA: usb-audio: Validate UAC3 cluster segment descriptors\n- ALSA: usb-audio: Validate UAC3 power domain descriptors, too\n- io_uring: don't use int for ABI\n- usb: gadget : fix use-after-free in composite_dev_cleanup()\n- MIPS: mm: tlb-r4k: Uniquify TLB entries on init\n- USB: serial: option: add Foxconn T99W709\n- vsock: Do not allow binding to VMADDR_PORT_ANY\n- net/packet: fix a race in packet_set_ring() and packet_notifier()\n- perf/core: Prevent VMA split of buffer mappings\n- perf/core: Exit early on perf_mmap() fail\n- perf/core: Don't leak AUX buffer refcount on allocation failure\n- pptp: fix pptp_xmit() error path\n- smb: client: let recv_done() cleanup before notifying the callers.\n- benet: fix BUG when creating VFs\n- net: drop UFO packets in udp_rcv_segment()\n- ipv6: reject malicious packets in ipv6_gso_segment()\n- pptp: ensure minimal skb length in pptp_xmit()\n- netpoll: prevent hanging NAPI when netcons gets enabled\n- NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()\n- pci/hotplug/pnv-php: Wrap warnings in macro\n- pci/hotplug/pnv-php: Improve error msg on power state change failure\n- usb: chipidea: udc: fix sleeping function called from invalid context\n- f2fs: fix to avoid out-of-boundary access in devs.path\n- f2fs: fix to avoid panic in f2fs_evict_inode\n- f2fs: fix to avoid UAF in f2fs_sync_inode_meta()\n- rtc: pcf8563: fix incorrect maximum clock rate handling\n- rtc: hym8563: fix incorrect maximum clock rate handling\n- rtc: ds1307: fix incorrect maximum clock rate handling\n- module: Restore the moduleparam prefix length check\n- bpf: Check flow_dissector ctx accesses are aligned\n- mtd: rawnand: atmel: set pmecc data setup time\n- mtd: rawnand: atmel: Fix dma_mapping_error() address\n- jfs: fix metapage reference count leak in dbAllocCtl\n- fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref\n- crypto: qat - fix seq_file position update in adf_ring_next()\n- dmaengine: nbpfaxi: Add missing check after DMA map\n- dmaengine: mv_xor: Fix missing check after DMA map and missing unmap\n- fs/orangefs: Allow 2 more characters in do_c_string()\n- soundwire: stream: restore params when prepare ports fail\n- crypto: img-hash - Fix dma_unmap_sg() nents value\n- hwrng: mtk - handle devm_pm_runtime_enable errors\n- watchdog: ziirave_wdt: check record length in ziirave_firm_verify()\n- scsi: isci: Fix dma_unmap_sg() nents value\n- scsi: mvsas: Fix dma_unmap_sg() nents value\n- scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value\n- clk: sunxi-ng: v3s: Fix de clock definition\n- perf tests bp_account: Fix leaked file descriptor\n- crypto: ccp - Fix crash when rebind ccp device for ccp.ko\n- pinctrl: sunxi: Fix memory leak on krealloc failure\n- power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set\n- clk: davinci: Add NULL check in davinci_lpsc_clk_register()\n- mtd: fix possible integer overflow in erase_xfer()\n- crypto: marvell/cesa - Fix engine load inaccuracy\n- PCI: rockchip-host: Fix \"Unexpected Completion\" log message\n- vrf: Drop existing dst reference in vrf_ip6_input_dst\n- selftests: rtnetlink.sh: remove esp4_offload after test\n- netfilter: xt_nfacct: don't assume acct name is null-terminated\n- can: kvaser_usb: Assign netdev.dev_port based on device channel index\n- can: kvaser_pciefd: Store device channel index\n- wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE\n- Reapply \"wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()\"\n- mwl8k: Add missing check after DMA map\n- wifi: rtl8xxxu: Fix RX skb size for aggregation disabled\n- net/sched: Restrict conditions for adding duplicating netems to qdisc tree\n- arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX\n- drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value\n- m68k: Don't unregister boot console needlessly\n- tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range\n- iwlwifi: Add missing check for alloc_ordered_workqueue\n- wifi: iwlwifi: Fix memory leak in iwl_mvm_init()\n- wifi: rtl818x: Kill URBs before clearing tx status queue\n- caif: reduce stack size, again\n- bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure\n- bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls\n- staging: nvec: Fix incorrect null termination of battery manufacturer\n- samples: mei: Fix building on musl libc\n- cpufreq: Init policy-\u003erwsem before it may be possibly used\n- ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface\n- usb: early: xhci-dbc: Fix early_ioremap leak\n- Revert \"vmci: Prevent the dispatching of uninitialized payloads\"\n- pps: fix poll support\n- vmci: Prevent the dispatching of uninitialized payloads\n- staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()\n- ARM: dts: vfxxx: Correctly use two tuples for timer address\n- hfsplus: remove mutex_lock check in hfsplus_free_extents\n- ASoC: Intel: fix SND_SOC_SOF dependencies\n- ethernet: intel: fix building with large NR_CPUS\n- usb: phy: mxs: disconnect line when USB charger is attached\n- usb: chipidea: add USB PHY event\n- usb: chipidea: introduce CI_HDRC_CONTROLLER_VBUS_EVENT glue layer use\n- usb: chipidea: udc: protect usb interrupt enable\n- usb: chipidea: udc: add new API ci_hdrc_gadget_connect\n- ALSA: hda: Add missing NVIDIA HDA codec IDs\n- comedi: comedi_test: Fix possible deletion of uninitialized timers\n- nilfs2: reject invalid file types when reading inodes\n- i2c: qup: jump out of the loop in case of timeout\n- net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class\n- net: appletalk: Fix use-after-free in AARP proxy probe\n- net: appletalk: fix kerneldoc warnings\n- RDMA/core: Rate limit GID cache warning messages\n- regulator: core: fix NULL dereference on unbind due to stale coupling data\n- usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm\n- usb: hub: fix detection of high tier USB3 devices behind suspended hubs\n- net_sched: sch_sfq: reject invalid perturb period\n- power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition\n- power: supply: bq24190_charger: using pm_runtime_resume_and_get instead of pm_runtime_get_sync\n- power: supply: bq24190_charger: Fix runtime PM imbalance on error\n- xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS\n- virtio-net: ensure the received length does not exceed allocated size\n- ASoC: fsl_sai: Force a software reset when starting in consumer mode\n- usb: dwc3: qcom: Don't leave BCR asserted\n- usb: musb: fix gadget state on disconnect\n- net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree\n- net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime\n- Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU\n- Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout\n- Bluetooth: SMP: If an unallowed command is received consider it a failure\n- Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()\n- usb: net: sierra: check for no status endpoint\n- net/sched: sch_qfq: Fix race condition on qfq_aggregate\n- net: emaclite: Fix missing pointer increment in aligned_read()\n- comedi: Fix use of uninitialized data in insn_rw_emulate_bits()\n- comedi: Fix some signed shift left operations\n- comedi: das6402: Fix bit shift out of bounds\n- comedi: das16m1: Fix bit shift out of bounds\n- comedi: aio_iiro_16: Fix bit shift out of bounds\n- comedi: pcl812: Fix bit shift out of bounds\n- iio: adc: stm32-adc: Fix race in installing chained IRQ handler\n- iio: adc: max1363: Reorder mode_list[] entries\n- iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]\n- soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled\n- soc: aspeed: lpc-snoop: Cleanup resources in stack-order\n- mmc: sdhci_am654: Workaround for Errata i2312\n- mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models\n- mmc: bcm2835: Fix dma_unmap_sg() nents value\n- memstick: core: Zero initialize id_reg in h_memstick_read_dev_id()\n- isofs: Verify inode mode when loading from disk\n- dmaengine: nbpfaxi: Fix memory corruption in probe()\n- af_packet: fix soft lockup issue caused by tpacket_snd()\n- af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd()\n- phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept()\n- HID: core: do not bypass hid_hw_raw_request\n- HID: core: ensure __hid_request reserves the report ID as the first byte\n- HID: core: ensure the allocated report buffer can contain the reserved report ID\n- pch_uart: Fix dma_sync_sg_for_device() nents value\n- Input: xpad - set correct controller type for Acer NGR200\n- i2c: stm32: fix the device used for the DMA map\n- usb: gadget: configfs: Fix OOB read on empty string write\n- USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI\n- USB: serial: option: add Foxconn T99W640\n- USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition\n- LTS tag: v5.4.296\n- x86/mm: Disable hugetlb page table sharing on 32-bit\n- Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID\n- HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras\n- HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY\n- vt: add missing notification when switching back to text mode\n- net: usb: qmi_wwan: add SIMCom 8230C composition\n- atm: idt77252: Add missing `dma_map_error()`\n- bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT\n- bnxt_en: Fix DCB ETS validation\n- can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level\n- net: phy: microchip: limit 100M workaround to link-down events on LAN88xx\n- net: appletalk: Fix device refcount leak in atrtr_create()\n- md/raid1: Fix stack memory use after return in raid1_reshape\n- wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()\n- dma-buf: fix timeout handling in dma_resv_wait_timeout v2\n- Input: xpad - support Acer NGR 200 Controller\n- Input: xpad - add VID for Turtle Beach controllers\n- Input: xpad - add support for Amazon Game Controller\n- NFSv4/flexfiles: Fix handling of NFS level errors in I/O\n- flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes\n- RDMA/mlx5: Fix vport loopback for MPV device\n- netlink: Fix rmem check in netlink_broadcast_deliver().\n- netlink: make sure we allow at least one dump skb\n- Revert \"ACPI: battery: negate current when discharging\"\n- usb: gadget: u_serial: Fix race condition in TTY wakeup\n- drm/sched: Increment job count before swapping tail spsc queue\n- pinctrl: qcom: msm: mark certain pins as invalid for interrupts\n- x86/mce: Make sure CMCI banks are cleared during shutdown on Intel\n- x86/mce: Don't remove sysfs if thresholding sysfs init fails\n- x86/mce/amd: Fix threshold limit reset\n- rxrpc: Fix oops due to non-existence of prealloc backlog struct\n- net/sched: Abort __tc_modify_qdisc if parent class does not exist\n- atm: clip: Fix NULL pointer dereference in vcc_sendmsg()\n- atm: clip: Fix infinite recursive call of clip_push().\n- atm: clip: Fix memory leak of struct clip_vcc.\n- atm: clip: Fix potential null-ptr-deref in to_atmarpd().\n- tipc: Fix use-after-free in tipc_conn_close().\n- netlink: Fix wraparounds of sk-\u003esk_rmem_alloc.\n- fix proc_sys_compare() handling of in-lookup dentries\n- proc: Clear the pieces of proc_inode that proc_evict_inode cares about\n- drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling\n- staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()\n- media: uvcvideo: Rollback non processed entities on error\n- media: uvcvideo: Send control events for partial succeeds\n- media: uvcvideo: Return the number of processed controls\n- ACPI: PAD: fix crash in exit_round_robin()\n- usb: typec: displayport: Fix potential deadlock\n- Logitech C-270 even more broken\n- rose: fix dangling neighbour pointers in rose_rt_device_down()\n- net: rose: Fix fall-through warnings for Clang\n- drm/i915/gt: Fix timeline left held on VMA alloc error\n- drm/i915/selftests: Change mock_request() to return error pointers\n- spi: spi-fsl-dspi: Clear completion counter before initiating transfer\n- spi: spi-fsl-dspi: Fix interrupt-less DMA mode taking an XSPI code path\n- spi: spi-fsl-dspi: Rename fifo_{read,write} and {tx,cmd}_fifo_write\n- dpaa2-eth: fix xdp_rxq_info leak\n- ethernet: atl1: Add missing DMA mapping error checks and count errors\n- btrfs: use btrfs_record_snapshot_destroy() during rmdir\n- btrfs: propagate last_unlink_trans earlier when doing a rmdir\n- RDMA/mlx5: Fix CC counters query for MPV\n- RDMA/core: Create and destroy counters in the ib_core\n- scsi: ufs: core: Fix spelling of a sysfs attribute name\n- drm/v3d: Disable interrupts before resetting the GPU\n- mtk-sd: reset host-\u003emrq on prepare_data() error\n- mtk-sd: Prevent memory corruption from DMA map failure\n- mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data()\n- regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods\n- regulator: gpio: Add input_supply support in gpio_regulator_config\n- ACPICA: Refuse to evaluate a method if arguments are missing\n- wifi: ath6kl: remove WARN on bad firmware input\n- wifi: mac80211: drop invalid source address OCB frames\n- powerpc: Fix struct termio related ioctl macros\n- ata: pata_cs5536: fix build on 32-bit UML\n- ALSA: sb: Force to disable DMAs once when DMA mode is changed\n- nui: Fix dma_mapping_error() check\n- enic: fix incorrect MTU comparison in enic_change_mtu()\n- amd-xgbe: align CL37 AN sequence as per databook\n- lib: test_objagg: Set error message in check_expect_hints_stats()\n- drm/exynos: fimd: Guard display clock control with runtime PM calls\n- btrfs: fix missing error handling when searching for inode refs during log replay\n- scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()\n- nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.\n- RDMA/mlx5: Initialize obj_event-\u003eobj_sub_list before xa_insert\n- platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment\n- mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data\n- usb: typec: altmodes/displayport: do not index invalid pin_assignments\n- mmc: sdhci: Add a helper function for dump register in dynamic debug mode\n- vsock/vmci: Clear the vmci transport packet properly when initializing it\n- btrfs: don't abort filesystem when attempting to snapshot deleted subvolume\n- arm64: Restrict pagetable teardown to avoid false warning\n- s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS\n- drm/bridge: cdns-dsi: Check return value when getting default PHY config\n- drm/bridge: cdns-dsi: Fix connecting to next bridge\n- drm/bridge: cdns-dsi: Fix the clock variable for mode_valid()\n- drm/tegra: Assign plane type before registration\n- HID: wacom: fix kobject reference count leak\n- HID: wacom: fix memory leak on sysfs attribute creation failure\n- HID: wacom: fix memory leak on kobject creation failure\n- dm-raid: fix variable in journal device check\n- Bluetooth: L2CAP: Fix L2CAP MTU negotiation\n- atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().\n- net: enetc: Correct endianness handling in _enetc_rd_reg64\n- um: ubd: Add missing error check in start_io_thread()\n- vsock/uapi: fix linux/vm_sockets.h userspace compilation errors\n- wifi: mac80211: fix beacon interval calculation overflow\n- attach_recursive_mnt(): do not lock the covering tree when sliding something under it\n- ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()\n- i2c: robotfuzz-osif: disable zero-length read messages\n- i2c: tiny-usb: disable zero-length read messages\n- RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction\n- RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private\n- media: vivid: Change the siize of the composing\n- media: omap3isp: use sgtable-based scatterlist wrappers\n- media: cxusb: no longer judge rbuf when the write fails\n- media: cxusb: use dev_dbg() rather than hand-rolled debug\n- jfs: validate AG parameters in dbMount() to prevent crashes\n- fs/jfs: consolidate sanity checking in dbMount\n- ASoC: meson: meson-card-utils: use of_property_present() for DT parsing\n- of: Add of_property_present() helper\n- of: property: define of_property_read_u{8,16,32,64}_array() unconditionally\n- kbuild: hdrcheck: fix cross build with clang\n- kbuild: add --target to correctly cross-compile UAPI headers with Clang\n- bpfilter: match bit size of bpfilter_umh to that of the kernel\n- kbuild: use -MMD instead of -MD to exclude system headers from dependency\n- VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify\n- VMCI: check context-\u003enotify_page after call to get_user_pages_fast() to avoid GPF\n- ovl: Check for NULL d_inode() in ovl_dentry_upper()\n- ceph: fix possible integer overflow in ceph_zero_objects()\n- ALSA: hda: Ignore unsol events for cards being shut down\n- usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode\n- usb: cdc-wdm: avoid setting WDM_READ for ZLP-s\n- usb: Add checks for snprintf() calls in usb_alloc_dev()\n- tty: serial: uartlite: register uart driver in init\n- usb: potential integer overflow in usbg_make_tpg()\n- iio: pressure: zpa2326: Use aligned_s64 for the timestamp\n- md/md-bitmap: fix dm-raid max_write_behind setting\n- dmaengine: xilinx_dma: Set dma_device directions\n- mfd: max14577: Fix wakeup source leaks on device unbind\n- mailbox: Not protect module_put with spin_lock_irqsave\n- cifs: Fix cifs_query_path_info() for Windows NT servers","modified":"2026-06-01T00:33:14.307748891Z","published":"2025-11-25T16:01:11Z","upstream":["CVE-2024-36914","CVE-2024-41069","CVE-2024-35966","CVE-2024-56616","CVE-2024-41013","CVE-2024-35937","CVE-2025-40087","CVE-2025-40105","CVE-2025-40167","CVE-2025-40198","CVE-2025-40106","CVE-2025-40088","CVE-2025-40173","CVE-2024-43877","CVE-2025-40205","CVE-2025-40188","CVE-2025-40178","CVE-2025-40042","CVE-2025-40134","CVE-2025-40200","CVE-2025-40197","CVE-2025-40044","CVE-2025-40026","CVE-2025-40027","CVE-2025-40190","CVE-2025-40204","CVE-2025-40194","CVE-2025-40019","CVE-2025-40186","CVE-2025-40187","CVE-2025-40111","CVE-2025-40001","CVE-2025-40030","CVE-2025-40035","CVE-2025-40153","CVE-2025-40048","CVE-2025-40049","CVE-2025-40055","CVE-2025-40140","CVE-2025-40115","CVE-2025-40018","CVE-2025-40112","CVE-2025-40124","CVE-2025-40126","CVE-2025-40121","CVE-2025-40154","CVE-2025-40070","CVE-2025-40118","CVE-2025-40116","CVE-2025-40078","CVE-2025-40125","CVE-2025-40081","CVE-2025-39993","CVE-2025-39995","CVE-2025-39994","CVE-2025-22058","CVE-2025-39996","CVE-2025-39998","CVE-2025-40006","CVE-2025-39969","CVE-2025-39971","CVE-2025-39973","CVE-2025-21861","CVE-2025-39967","CVE-2025-39968","CVE-2025-39970","CVE-2025-39972","CVE-2025-40011","CVE-2025-40020","CVE-2025-39985","CVE-2025-39986","CVE-2025-39987","CVE-2025-39937","CVE-2025-39945","CVE-2025-39955","CVE-2025-39953","CVE-2025-39883","CVE-2025-39923","CVE-2025-39869","CVE-2025-39911","CVE-2025-39876","CVE-2025-39907","CVE-2025-39885","CVE-2025-39913","CVE-2025-23143","CVE-2024-50022","CVE-2025-39841","CVE-2025-39920","CVE-2025-37968","CVE-2025-39902","CVE-2023-52935","CVE-2025-39898","CVE-2025-39839","CVE-2025-39891","CVE-2025-39846","CVE-2025-39847","CVE-2025-39848","CVE-2025-39853","CVE-2025-39860","CVE-2025-39864","CVE-2025-38499","CVE-2025-39808","CVE-2025-39824","CVE-2025-39817","CVE-2025-39812","CVE-2025-39828","CVE-2025-39813","CVE-2025-39766","CVE-2025-39676","CVE-2024-26958","CVE-2023-52572","CVE-2024-53237","CVE-2022-4269","CVE-2025-37798","CVE-2025-38177","CVE-2025-38677","CVE-2025-39709","CVE-2025-39713","CVE-2025-39787","CVE-2025-39798","CVE-2025-39736","CVE-2025-38724","CVE-2025-38539","CVE-2025-38347","CVE-2025-38664","CVE-2022-50327","CVE-2025-38481","CVE-2025-38478","CVE-2025-39689","CVE-2025-39691","CVE-2025-39710","CVE-2025-39714","CVE-2025-39782","CVE-2025-39783","CVE-2025-39724","CVE-2025-38680","CVE-2025-39737","CVE-2025-38687","CVE-2025-38691","CVE-2025-38693","CVE-2025-38694","CVE-2025-38695","CVE-2025-39742","CVE-2025-38696","CVE-2025-38697","CVE-2025-38698","CVE-2025-39743","CVE-2025-38699","CVE-2025-38700","CVE-2025-38701","CVE-2025-39749","CVE-2025-39751","CVE-2025-39794","CVE-2025-39752","CVE-2025-38708","CVE-2025-38712","CVE-2025-40082","CVE-2025-38714","CVE-2025-38715","CVE-2025-38718","CVE-2025-38721","CVE-2025-39799","CVE-2025-39756","CVE-2025-38727","CVE-2025-39757","CVE-2025-38729","CVE-2025-38555","CVE-2025-38618","CVE-2025-38617","CVE-2025-38563","CVE-2025-38565","CVE-2025-38569","CVE-2025-38622","CVE-2025-38572","CVE-2025-38574","CVE-2025-39730","CVE-2025-38652","CVE-2025-38577","CVE-2025-38578","CVE-2025-38630","CVE-2025-38581","CVE-2025-38635","CVE-2025-38639","CVE-2025-38553","CVE-2025-38656","CVE-2025-38604","CVE-2025-38608","CVE-2025-38611","CVE-2025-38612","CVE-2025-38650","CVE-2025-38663","CVE-2025-38671","CVE-2025-38666","CVE-2025-38668","CVE-2025-38193","CVE-2023-33288","CVE-2025-38375","CVE-2025-38468","CVE-2025-38470","CVE-2025-38473","CVE-2025-38474","CVE-2025-38477","CVE-2025-38480","CVE-2025-38482","CVE-2025-38483","CVE-2025-38529","CVE-2025-38530","CVE-2025-38487","CVE-2025-38538","CVE-2025-38494","CVE-2025-38495","CVE-2025-38497","CVE-2025-38540","CVE-2025-38439","CVE-2025-38542","CVE-2025-38445","CVE-2025-38513","CVE-2025-38448","CVE-2025-38515","CVE-2025-38516","CVE-2025-38514","CVE-2025-38457","CVE-2025-38458","CVE-2025-38459","CVE-2025-38546","CVE-2025-38460","CVE-2025-38464","CVE-2025-38465","CVE-2025-38467","CVE-2024-49935","CVE-2025-38404","CVE-2025-38377","CVE-2025-38389","CVE-2025-38371","CVE-2025-38401","CVE-2025-38395","CVE-2025-38386","CVE-2025-38406","CVE-2025-38400","CVE-2025-38387","CVE-2025-38391","CVE-2025-38403","CVE-2024-26644","CVE-2025-38245","CVE-2025-38249","CVE-2025-38211","CVE-2025-38226","CVE-2025-38229","CVE-2025-38230","CVE-2025-38102","CVE-2023-53259","CVE-2025-38262"],"references":[{"type":"ADVISORY","url":"https://errata.tuxcare.com/els_os/oraclelinux7els/CLSA-2025-1764085382.html"}],"affected":[{"package":{"name":"bpftool","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/bpftool?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}},{"package":{"name":"kernel-uek","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}},{"package":{"name":"kernel-uek-container","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-container?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}},{"package":{"name":"kernel-uek-container-debug","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-container-debug?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}},{"package":{"name":"kernel-uek-debug","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-debug?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}},{"package":{"name":"kernel-uek-debug-devel","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-debug-devel?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}},{"package":{"name":"kernel-uek-devel","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-devel?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}},{"package":{"name":"kernel-uek-headers","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-headers?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}},{"package":{"name":"kernel-uek-tools","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-tools?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}},{"package":{"name":"perf","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/perf?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}},{"package":{"name":"python-perf","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/python-perf?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els4"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1764085382.json"}}],"schema_version":"1.7.5"}