New Debian linux 6.1.129-1 fixes: This update addresses the following issues: * In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events After the blamed commit, we started doing this dereference for every NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system. static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev) { struct dsa_user_priv *p = netdev_priv(dev); return p->dp; } Which is obviously bogus, because not all net_devices have a netdev_priv() of type struct dsa_user_priv. But struct dsa_user_priv is fairly small, and p->dp means dereferencing 8 bytes starting with offset 16. Most drivers allocate that much private memory anyway, making our access not fault, and we discard the bogus data quickly afterwards, so this wasn't caught. But the dummy interface is somewhat special in that it calls alloc_netdev() with a priv size of 0. So every netdev_priv() dereference is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event with a VLAN as its new upper: $ ip link add dummy1 type dummy $ ip link add link dummy1 name dummy1.100 type vlan id 100 [ 43.309174] ================================================================== [ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8 [ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374 [ 43.330058] [ 43.342436] Call trace: [ 43.366542] dsa_user_prechangeupper+0x30/0xe8 [ 43.371024] dsa_user_netdevice_event+0xb38/0xee8 [ 43.375768] notifier_call_chain+0xa4/0x210 [ 43.379985] raw_notifier_call_chain+0x24/0x38 [ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8 [ 43.389120] netdev_upper_dev_link+0x70/0xa8 [ 43.393424] register_vlan_dev+0x1bc/0x310 [ 43.397554] vlan_newlink+0x210/0x248 [ 43.401247] rtnl_newlink+0x9fc/0xe30 [ 43.404942] rtnetlink_rcv_msg+0x378/0x580 Avoid the kernel oops by dereferencing after the type check, as customary. (CVE-2024-26596) * kernel: iommu: Return right value in iommu_sva_bind_device() (CVE-2024-40945) * kernel: net: mana: Fix possible double free in error handling path (CVE-2024-42069) * kernel: drm/amd/display: Add NULL pointer check for kzalloc (CVE-2024-42122) * kernel: net: mana: Fix RX buf alloc_size alignment and atomic op panic (CVE-2024-45001) * kernel: f2fs: fix to wait dio completion (CVE-2024-47726) * kernel: drm/amd/display: fix double free issue during amdgpu module unload (CVE-2024-49989) * kernel: i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition (CVE-2024-50061) * kernel: scsi: ufs: bsg: Set bsg_queue to NULL after removal (CVE-2024-54458) * kernel: cachefiles: Fix NULL pointer dereference in object->file (CVE-2024-56549) * kernel: media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread (CVE-2024-57834) * kernel: rdma/cxgb4: Prevent potential integer overflow on 32bit (CVE-2024-57973) * kernel: media: imx-jpeg: Fix potential error pointer dereference in detach_pm() (CVE-2024-57978) * kernel: pps: Fix a use-after-free (CVE-2024-57979) * kernel: media: uvcvideo: Fix double free in error path (CVE-2024-57980) * kernel: usb: xhci: Fix NULL pointer dereference on certain command aborts (CVE-2024-57981) * kernel: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections (CVE-2024-57986) * kernel: HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check (CVE-2024-57993) * kernel: net_sched: sch_sfq: don't allow 1 packet limit (CVE-2024-57996) * kernel: wifi: wcn36xx: fix channel survey memory allocation size (CVE-2024-57997) * kernel: OPP: add index check to assert to avoid buffer overflow in _read_freq() (CVE-2024-57998) * kernel: ocfs2: handle a symlink read error correctly (CVE-2024-58001) * kernel: soc: qcom: socinfo: Avoid out of bounds read of serial number (CVE-2024-58007) * kernel: Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc (CVE-2024-58009) * kernel: binfmt_flat: Fix integer overflow bug on 32 bit systems (CVE-2024-58010) * kernel: platform/x86: int3472: Check for adev == NULL (CVE-2024-58011) * kernel: Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync (CVE-2024-58013) * kernel: wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() (CVE-2024-58014) * kernel: safesetid: check size of policy writes (CVE-2024-58016) * kernel: printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX (CVE-2024-58017) * kernel: HID: multitouch: Add NULL check in mt_input_configured (CVE-2024-58020) * kernel: memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code() (CVE-2024-58034) * kernel: ipmi: ipmb: Add check devm_kasprintf() returned value (CVE-2024-58051) * kernel: drm/amdgpu: Fix potential NULL pointer dereference in atomctrl_get_smc_sclk_range_table (CVE-2024-58052) * kernel: staging: media: max96712: fix kernel oops when removing module (CVE-2024-58054) * kernel: usb: gadget: f_tcm: Don't free command immediately (CVE-2024-58055) * kernel: remoteproc: core: Fix ida_free call while not allocated (CVE-2024-58056) * kernel: ubifs: skip dumping tnc tree when zroot is null (CVE-2024-58058) * kernel: wifi: mac80211: prohibit deactivating all links (CVE-2024-58061) * kernel: wifi: rtlwifi: fix memory leaks and invalid access at probe error path (CVE-2024-58063) * kernel: OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized (CVE-2024-58068) * kernel: rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read (CVE-2024-58069) * kernel: team: prevent adding a device which is already a team device lower (CVE-2024-58071) * kernel: wifi: rtlwifi: remove unused check_buddy_priv (CVE-2024-58072) * kernel: clk: qcom: gcc-sm6350: Add missing parent_map for two clocks (CVE-2024-58076) * kernel: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback (CVE-2024-58077) * kernel: clk: qcom: dispcc-sm6350: Add missing parent_map for a clock (CVE-2024-58080) * kernel: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() (CVE-2024-58083) * kernel: tomoyo: don't emit warning in tomoyo_write_control() (CVE-2024-58085) * kernel: drm/v3d: Stop active perfmon if it is being destroyed (CVE-2024-58086) * kernel: gpio: xilinx: Convert gpio_lock to raw spinlock (CVE-2025-21684) * kernel: net: sched: Disallow replacing of child qdisc from one parent to another (CVE-2025-21700) * kernel: net: avoid race between device unregistration and ethnl ops (CVE-2025-21701) * kernel: netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() (CVE-2025-21703) * kernel: usb: cdc-acm: Check control transfer buffer size before access (CVE-2025-21704) * kernel: mptcp: handle fastopen disconnect correctly (CVE-2025-21705) * kernel: mptcp: pm: only set fullmesh for subflow endp (CVE-2025-21706) * kernel: mptcp: consolidate suboption status (CVE-2025-21707) * kernel: net: usb: rtl8150: enable basic endpoint checking (CVE-2025-21708) * kernel: net/rose: prevent integer overflows in rose_setsockopt() (CVE-2025-21711) * kernel: net: davicom: fix UAF in dm9000_drv_remove (CVE-2025-21715) * kernel: vxlan: Fix uninit-value in vxlan_vnifilter_dump() (CVE-2025-21716) * kernel: net: rose: fix timer races against user threads (CVE-2025-21718) * kernel: ipmr: do not call mr_mfc_uses_dev() for unres entries (CVE-2025-21719) * kernel: nilfs2: do not force clear folio if buffer is referenced (CVE-2025-21722) * kernel: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() (CVE-2025-21724) * kernel: smb: client: fix oops due to unset link speed (CVE-2025-21725) * kernel: padata: avoid UAF for reorder_work (CVE-2025-21726) * kernel: padata: fix UAF in padata_reorder (CVE-2025-21727) * kernel: bpf: Send signals asynchronously if !preemptible (CVE-2025-21728) * kernel: nbd: don't allow reconnect after disconnect (CVE-2025-21731) * kernel: misc: fastrpc: Fix copy buffer page size (CVE-2025-21734) * kernel: NFC: nci: Add bounds checking in nci_hci_create_pipe() (CVE-2025-21735) * kernel: nilfs2: fix possible int overflows in nilfs_fiemap() (CVE-2025-21736) * kernel: ata: libata-sff: Ensure that we cannot write outside the allocated buffer (CVE-2025-21738) * kernel: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() (CVE-2025-21744) * kernel: blk-cgroup: Fix class @block_class's subsystem refcount leakage (CVE-2025-21745) * kernel: ksmbd: fix integer overflows on 32 bit systems (CVE-2025-21748) * kernel: net: rose: lock the socket in rose_bind() (CVE-2025-21749) * kernel: wifi: brcmfmac: Check the return value of of_property_read_string_index() (CVE-2025-21750) * kernel: btrfs: fix use-after-free when attempting to join an aborted transaction (CVE-2025-21753) * kernel: ipv6: mcast: add RCU protection to mld_newpack() (CVE-2025-21758) * kernel: ndisc: extend RCU protection in ndisc_send_skb() (CVE-2025-21760) * kernel: openvswitch: use RCU protection in ovs_vport_cmd_fill_info() (CVE-2025-21761) * kernel: arp: use RCU protection in arp_xmit() (CVE-2025-21762) * kernel: neighbour: use RCU protection in __neigh_notify() (CVE-2025-21763) * kernel: ndisc: use RCU protection in ndisc_alloc_skb() (CVE-2025-21764) * kernel: ipv6: use RCU protection in ip6_default_advmss() (CVE-2025-21765) * kernel: ipv4: use RCU protection in __ip_rt_update_pmtu() (CVE-2025-21766) * kernel: clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context (CVE-2025-21767) * kernel: partitions: mac: fix handling of bogus partition table (CVE-2025-21772) * kernel: can: ctucanfd: handle skb allocation failure (CVE-2025-21775) * kernel: USB: hub: Ignore non-compliant devices with too many configs or interfaces (CVE-2025-21776) * kernel: KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't in-kernel (CVE-2025-21779) * kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() (CVE-2025-21780) * kernel: batman-adv: fix panic during interface removal (CVE-2025-21781) * kernel: orangefs: fix a oob in orangefs_debug_write (CVE-2025-21782) * kernel: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array (CVE-2025-21785) * kernel: team: better TEAM_OPTION_TYPE_STRING validation (CVE-2025-21787) * kernel: vxlan: check vxlan_vnigroup_init() return value (CVE-2025-21790) * kernel: vrf: use RCU protection in l3mdev_l3_out() (CVE-2025-21791) * kernel: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt (CVE-2025-21792) * kernel: HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() (CVE-2025-21794) * kernel: NFSD: fix hang in nfsd4_shutdown_callback (CVE-2025-21795) * kernel: nfsd: clear acl_access/acl_default after releasing them (CVE-2025-21796) * kernel: net: ethernet: ti: am65-cpsw: fix freeing IRQ in am65_cpsw_nuss_remove_tx_chns() (CVE-2025-21799) * kernel: net: hns3: fix oops when unload drivers paralleling (CVE-2025-21802) * kernel: PCI: rcar-ep: Fix incorrect variable used when calling devm_request_mem_region() (CVE-2025-21804) * kernel: net: let net.core.dev_weight always be non-zero (CVE-2025-21806) * kernel: nilfs2: protect access to buffers with no active references (CVE-2025-21811) * kernel: ax25: rcu protect dev->ax25_ptr (CVE-2025-21812) * kernel: ptp: Ensure info->enable callback is always set (CVE-2025-21814) * kernel: Revert "drm/amd/display: Use HW lock mgr for PSR1" (CVE-2025-21819) * kernel: tty: xilinx_uartps: split sysrq handling (CVE-2025-21820) * kernel: fbdev: omap: use threaded IRQ for LCD DMA (CVE-2025-21821) * kernel: batman-adv: Drop unmanaged ELP metric worker (CVE-2025-21823) * kernel: netfilter: nf_tables: reject mismatching sum of field_len with set key length (CVE-2025-21826) * kernel: RDMA/rxe: Fix the warning "__rxe_cleanup+0x12c/0x170 [rdma_rxe]" (CVE-2025-21829) * kernel: landlock: Handle weird files (CVE-2025-21830) * kernel: block: don't revert iter for -EIOCBQUEUED (CVE-2025-21832) * kernel: usb: gadget: f_midi: fix MIDI Streaming descriptor lengths (CVE-2025-21835)
--- mirror/ftp/pool/main/l/linux/linux_6.1.128-1.dsc +++ apt/ucs_5.2-0-errata5.2-1/source/linux_6.1.129-1.dsc @@ -1,3 +1,599 @@ +6.1.129-1 [Thu, 06 Mar 2025 07:21:29 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.129 + - [powerpc*] book3s64/hugetlb: Fix disabling hugetlb when fadump is active + - afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY + - afs: Fix directory format encoding struct + - fs: fix proc_handler for sysctl_nr_open + - block: retry call probe after request_module in blk_request_module + - nbd: don't allow reconnect after disconnect + - pstore/blk: trivial typo fixes + - nvme: Add error check for xa_store in nvme_get_effects_log + - partitions: ldm: remove the initial kernel-doc notation + - select: Fix unbalanced user_access_end() + - afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call + - sched/psi: Use task->psi_flags to clear in CPU migration + - sched/fair: Fix value reported by hot tasks pulled in /proc/schedstat + - [arm64] drm/msm/dp: set safe_to_exit_level before printing it + - [arm64,armhf] drm/etnaviv: Fix page property being used for non + writecombine buffers + - HID: core: Fix assumption that Resolution Multipliers must be in Logical + Collections + - drm/amdgpu: Fix potential NULL pointer dereference in + atomctrl_get_smc_sclk_range_table + - [arm64] drm/rockchip: vop2: Fix cluster windows alpha ctrl regsiters + offset + - [arm64] drm/rockchip: vop2: Fix the mixer alpha setup for layer 0 + - [arm64] drm/rockchip: vop2: Set YUV/RGB overlay mode + - [arm64] drm/rockchip: vop2: set bg dly and prescan dly at vop2_post_config + - [arm64] drm/rockchip: vop2: Fix the windows switch between different + layers + - [arm64] drm/rockchip: vop2: Check linear format for Cluster windows on + rk3566/8 + - OPP: Rearrange entries in pm_opp.h + - OPP: Introduce dev_pm_opp_find_freq_{ceil/floor}_indexed() APIs + - OPP: Introduce dev_pm_opp_get_freq_indexed() API + - OPP: Add dev_pm_opp_find_freq_exact_indexed() + - OPP: Reuse dev_pm_opp_get_freq_indexed() + - OPP: add index check to assert to avoid buffer overflow in _read_freq() + - OPP: fix dev_pm_opp_find_bw_*() when bandwidth table not initialized + - genirq: Make handle_enforce_irqctx() unconditionally available + - ipmi: ipmb: Add check devm_kasprintf() returned value + - wifi: ath11k: Fix unexpected return buffer manager error for + WCN6750/WCN6855 + - wifi: rtlwifi: do not complete firmware loading needlessly + - wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step + - wifi: rtlwifi: wait for firmware loading before releasing memory + - wifi: rtlwifi: fix init_sw_vars leak when probe fails + - wifi: rtlwifi: usb: fix workqueue leak when probe fails + - wifi: wcn36xx: fix channel survey memory allocation size + - net_sched: sch_sfq: annotate data-races around q->perturb_period + - net_sched: sch_sfq: handle bigger packets + - net_sched: sch_sfq: don't allow 1 packet limit + - dt-bindings: mmc: controller: clarify the address-cells description + - dt-bindings: leds: class-multicolor: Fix path to color definitions + - wifi: rtlwifi: remove unused timer and related code + - wifi: rtlwifi: remove unused dualmac control leftovers + - wifi: rtlwifi: remove unused check_buddy_priv + - wifi: rtlwifi: destroy workqueue at rtl_deinit_core + - wifi: rtlwifi: fix memory leaks and invalid access at probe error path + - wifi: rtlwifi: pci: wait for firmware loading before releasing memory + - HID: multitouch: fix support for Goodix PID 0x01e9 + - regulator: dt-bindings: mt6315: Drop regulator-compatible property + - ACPI: fan: cleanup resources in the error path of .probe() + - cpupower: fix TSC MHz calculation + - dt-bindings: mfd: bd71815: Fix rsense and typos + - leds: netxbig: Fix an OF node reference leak in + netxbig_leds_get_of_pdata() + - inetpeer: remove create argument of inet_getpeer_v[46]() + - inetpeer: remove create argument of inet_getpeer() + - inetpeer: update inetpeer timestamp in inet_getpeer() + - inetpeer: do not get a refcount in inet_getpeer() + - [armhf] pwm: stm32-lp: Add check for clk_enable() + - cpufreq: schedutil: Fix superfluous updates caused by need_freq_update + - [arm64] clk: imx8mp: Fix clkout1/2 support + - team: prevent adding a device which is already a team device lower + - regulator: of: Implement the unwind path of of_regulator_match() + - OPP: OF: Fix an OF node leak in _opp_add_static_v2() + - [arm64] clk: qcom: gcc-sdm845: Do not use shared clk_ops for QUPs + - HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding + endpoint check + - mfd: syscon: Remove extern from function prototypes + - mfd: syscon: Add of_syscon_register_regmap() API + - mfd: syscon: Use scoped variables with memory allocators to simplify error + paths + - mfd: syscon: Fix race in device_node_get_regmap() + - samples/landlock: Fix possible NULL dereference in parse_path() + - wifi: wlcore: fix unbalanced pm_runtime calls + - wifi: mac80211: prohibit deactivating all links + - wifi: mac80211: Fix common size calculation for ML element + - net/smc: fix data error when recvmsg with MSG_PEEK flag + - landlock: Handle weird files + - wifi: mt76: mt76u_vendor_request: Do not print error messages when -EPROTO + - wifi: mt76: mt7921: fix using incorrect group cipher after disconnection. + - wifi: mt76: mt7915: fix register mapping + - cpufreq: ACPI: Fix max-frequency computation + - wifi: cfg80211: Handle specific BSSID in 6GHz scanning + - wifi: cfg80211: adjust allocation of colocated AP data + - net: let net.core.dev_weight always be non-zero + - net: avoid race between device unregistration and ethnl ops + (CVE-2025-21701) + - net: sched: Disallow replacing of child qdisc from one parent to another + (CVE-2025-21700) + - netfilter: nft_flow_offload: update tcp state flags under lock + - net: ethernet: ti: am65-cpsw: fix freeing IRQ in + am65_cpsw_nuss_remove_tx_chns() + - tcp_cubic: fix incorrect HyStart round start detection + - net/rose: prevent integer overflows in rose_setsockopt() + - libbpf: don't adjust USDT semaphore address if .stapsdt.base addr is + missing + - tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind + - libbpf: Fix segfault due to libelf functions not setting errno + - [armhf] ASoC: sun4i-spdif: Add clock multiplier settings + - crypto: hisilicon/sec2 - optimize the error return process + - crypto: hisilicon/sec2 - fix for aead icv error + - crypto: hisilicon/sec2 - fix for aead invalid authsize + - crypto: ixp4xx - fix OF node reference leaks in init_ixp_crypto() + - padata: fix sysfs store callback check + - ASoC: Intel: avs: Fix theoretical infinite loop + - [armhf] pinctrl: stm32: set default gpio line names using pin names + - [armhf] pinctrl: stm32: Add check for devm_kcalloc + - [armhf] pinctrl: stm32: check devm_kasprintf() returned value + - [armhf] pinctrl: stm32: Add check for clk_enable() + - bpf: Send signals asynchronously if !preemptible + - bpf: tcp: Mark bpf_load_hdr_opt() arg2 as read-write + - ALSA: hda/realtek - Fixed headphone distorted sound on Acer Aspire A115-31 + laptop + - padata: fix UAF in padata_reorder + - padata: add pd get/put refcnt helper + - padata: avoid UAF for reorder_work + - smb: client: fix oops due to unset link speed + - [arm64] dts: mt8183: set DMIC one-wire mode on Damu + - [arm64] dts: mediatek: mt8516: fix GICv2 range + - [arm64] dts: mediatek: mt8516: fix wdt irq type + - [arm64] dts: mediatek: mt8516: add i2c clock-div property + - [arm64] dts: mediatek: mt8516: reserve 192 KiB for TF-A + - RDMA/mlx4: Avoid false error about access to uninitialized gids array + - rdma/cxgb4: Prevent potential integer overflow on 32bit + - [arm64] dts: mediatek: mt8173-evb: Drop regulator-compatible property + - [arm64] dts: mediatek: mt8173-elm: Drop regulator-compatible property + - [arm64] dts: mediatek: mt8192-asurada: Drop regulator-compatible property + - [arm64] dts: mediatek: mt8195-cherry: Drop regulator-compatible property + - [arm64] dts: mediatek: mt8195-demo: Drop regulator-compatible property + - [arm64] dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names + - [arm64] dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names + - [arm64] dts: mediatek: mt8183: kenzo: Support second source touchscreen + - [arm64] dts: mediatek: mt8183: willow: Support second source touchscreen + - RDMA/srp: Fix error handling in srp_add_port + - memory: tegra20-emc: fix an OF node reference bug in + tegra_emc_find_node_by_ram_code() + - [arm64] dts: mediatek: mt8183-kukui-jacuzzi: Drop pp3300_panel voltage + settings + - [arm64] dts: qcom: msm8996-xiaomi-gemini: Fix LP5562 LED1 reg property + - [arm64] dts: qcom: msm8996: Fix up USB3 interrupts + - [arm64] dts: qcom: msm8994: Describe USB interrupts + - [arm64] dts: qcom: sm7225-fairphone-fp4: Drop extra qcom,msm-id value + - [arm64] dts: qcom: msm8916: correct sleep clock frequency + - [arm64] dts: qcom: msm8994: correct sleep clock frequency + - [arm64] dts: qcom: sc7280: correct sleep clock frequency + - [arm64] dts: qcom: sm6125: correct sleep clock frequency + - [arm64] dts: qcom: sm8250: correct sleep clock frequency + - [arm64] dts: qcom: sm8350: correct sleep clock frequency + - [arm64] dts: qcom: sm8450: correct sleep clock frequency + - [arm64] dts: ti: k3-am62: Remove duplicate GICR reg + - [arm64] dts: ti: k3-am62a: Remove duplicate GICR reg + - [arm64] dts: qcom: sc7180: Add compat qcom,sc7180-dsi-ctrl + - [arm64] dts: qcom: sc7180-idp: use just "port" in panel + - [arm64] dts: qcom: sc7180-trogdor-quackingstick: use just "port" in panel + - [arm64] dts: qcom: sc7180-trogdor-wormdingler: use just "port" in panel + - [arm64] dts: qcom: sc7180: Don't enable lpass clocks by default + - [arm64] dts: qcom: sc7180: Drop redundant disable in mdp + - [arm64] dts: qcom: sc7180-trogdor-quackingstick: add missing avee-supply + - [arm64] dts: qcom: pm6150l: add temp sensor and thermal zone config + - [arm64] dts: qcom: sc7180-*: Remove thermal zone polling delays + - [arm64] dts: qcom: sc7180-trogdor-pompom: rename 5v-choke thermal zone + - [arm64] dts: qcom: sm8150-microsoft-surface-duo: fix typos in da7280 + properties + - [arm64] dts: qcom: sc8280xp: Fix up remoteproc register space sizes + - [arm64] dts: arm64: mediatek: mt8195: Remove MT8183 compatible for OVL + - [arm64] dts: qcom: sdm845: Fix interrupt types of camss interrupts + - [arm64] dts: qcom: sm8250: Fix interrupt types of camss interrupts + - fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device() + - RDMA/mlx5: Fix indirect mkey ODP page count + - of: reserved-memory: Do not make kmemleak ignore freed address + - efi: sysfb_efi: fix W=1 warnings when EFI is not set + - RDMA/rxe: Fix the warning "__rxe_cleanup+0x12c/0x170 [rdma_rxe]" + - iommufd/iova_bitmap: Fix shift-out-of-bounds in + iova_bitmap_offset_to_index() + - media: rc: iguanair: handle timeouts + - media: lmedm04: Handle errors for lme2510_int_read + - PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy() + - media: marvell: Add check for clk_enable() + - media: i2c: imx412: Add missing newline to prints + - media: i2c: ov9282: Correct the exposure offset + - media: mipi-csis: Add check for clk_enable() + - media: camif-core: Add check for clk_enable() + - media: uvcvideo: Propagate buf->error to userspace + - mtd: hyperbus: hbmc-am654: Convert to platform remove callback returning + void + - mtd: hyperbus: hbmc-am654: fix an OF node reference leak + - staging: media: imx: fix OF node leak in imx_media_add_of_subdevs() + - scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1 + - scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails + - ocfs2: mark dquot as inactive if failed to start trans while releasing + dquot + - module: Extend the preempt disabled section in + dereference_symbol_descriptor(). + - serial: 8250: Adjust the timeout for FIFO mode + - NFSv4.2: fix COPY_NOTIFY xdr buf size calculation + - NFSv4.2: mark OFFLOAD_CANCEL MOVEABLE + - tools/bootconfig: Fix the wrong format specifier + - xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO + - [armhf] dmaengine: ti: edma: fix OF node reference leaks in edma_driver + - [arm64] rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read + - ubifs: skip dumping tnc tree when zroot is null + - regulator: core: Add missing newline character + - [arm64] net: hns3: fix oops when unload drivers paralleling + - gpio: mxc: remove dead code after switch to DT-only + - net: fec: implement TSO descriptor cleanup + - ipmr: do not call mr_mfc_uses_dev() for unres entries + - PM: hibernate: Add error handling for syscore_suspend() + - iavf: allow changing VLAN state without calling PF + - net: rose: fix timer races against user threads + - net: netdevsim: try to close UDP port harness races + - vxlan: Fix uninit-value in vxlan_vnifilter_dump() + - net: davicom: fix UAF in dm9000_drv_remove + - bgmac: reduce max frame size to support just MTU 1500 + - net: sh_eth: Fix missing rtnl lock in suspend/resume path + - net: hsr: fix fill_frame_info() regression vs VLAN packets + - genksyms: fix memory leak when the same symbol is added from source + - genksyms: fix memory leak when the same symbol is read from *.symref file + - [arm64] ASoC: rockchip: i2s_tdm: Re-add the set_sysclk callback + - kconfig: fix file name in warnings when loading KCONFIG_DEFCONFIG_LIST + - kconfig: add warn-unknown-symbols sanity check + - kconfig: require a space after '#' for valid input + - kconfig: remove unused code for S_DEF_AUTO in conf_read_simple() + - kconfig: deduplicate code in conf_read_simple() + - kconfig: WERROR unmet symbol dependency + - kconfig: fix memory leak in sym_warn_unmet_dep() + - f2fs: Introduce linear search for dentries + - NFSD: Reset cb_seq_status after NFS4ERR_DELAY (Closes: #1071562) + - kbuild: switch from lz4c to lz4 for compression + - netfilter: nf_tables: reject mismatching sum of field_len with set key + length + - nvme: fix metadata handling in nvme-passthrough + - drm/amd/display: fix double free issue during amdgpu module unload + (CVE-2024-49989) + - ALSA: usb-audio: Add delay quirk for iBasso DC07 Pro + - net: usb: rtl8150: enable basic endpoint checking + - usb: xhci: Fix NULL pointer dereference on certain command aborts + - drivers/card_reader/rtsx_usb: Restore interrupt based detection + - usb: gadget: f_tcm: Fix Get/SetInterface return value + - usb: dwc3-am62: Fix an OF node leak in phy_syscon_pll_refclk() + - usb: dwc3: core: Defer the probe until USB power supply ready + - usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to + PD_T_SENDER_RESPONSE + - usb: typec: tcpci: Prevent Sink disconnection before vPpsShutdown in SPR + PPS + - mptcp: consolidate suboption status + - mptcp: handle fastopen disconnect correctly + - remoteproc: core: Fix ida_free call while not allocated + - media: uvcvideo: Fix double free in error path + - usb: gadget: f_tcm: Don't free command immediately + - staging: media: max96712: fix kernel oops when removing module + - media: imx-jpeg: Fix potential error pointer dereference in detach_pm() + - btrfs: output the reason for open_ctree() failure + - ptp: Properly handle compat ioctls + - [s390x] Add '-std=gnu11' to decompressor and purgatory CFLAGS + - [armhf] pinctrl: stm32: fix array read out of bound + - btrfs: fix use-after-free when attempting to join an aborted transaction + - [arm64] mm: Ensure adequate HUGE_MAX_HSTATE + - exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case + - btrfs: fix data race when accessing the inode's disk_i_size at + btrfs_drop_extents() + - btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling + - sched: Don't try to catch up excess steal time. + - lockdep: Fix upper limit for LOCKDEP_*_BITS configs + - [x86] amd_nb: Restrict init function to AMD-based systems + - drm/virtio: New fence for every plane update + - printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX + - drm/amd/display: Fix Mode Cutoff in DSC Passthrough to DP2.1 Monitor + - safesetid: check size of policy writes + - tun: fix group permission check + - mmc: core: Respect quirk_max_rate for non-UHS SDIO card + - wifi: brcmsmac: add gain range check to wlc_phy_iqcal_gainparams_nphy() + - tomoyo: don't emit warning in tomoyo_write_control() + - mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id + - HID: Wacom: Add PCI Wacom device support + - net/mlx5: use do_aux_work for PHC overflow checks + - wifi: brcmfmac: Check the return value of of_property_read_string_index() + - wifi: iwlwifi: avoid memory leak + - i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz + - APEI: GHES: Have GHES honor the panic= setting + - Bluetooth: MGMT: Fix slab-use-after-free Read in + mgmt_remove_adv_monitor_sync + - net: wwan: iosm: Fix hibernation by re-binding the driver around it + - mmc: sdhci-msm: Correctly set the load for the regulator + - tipc: re-order conditions in tipc_crypto_key_rcv() + - [x86] kexec: Allocate PGD for x86_64 transition page tables separately + - [arm64] iommu/arm-smmu-v3: Clean up more on probe failure + - [x86] platform/x86: int3472: Check for adev == NULL + - ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback + - ASoC: amd: Add ACPI dependency to fix build error + - Input: allocate keycode for phone linking + - [x86] platform/x86: acer-wmi: Ignore AC events + - [powerpc*] KVM: PPC: e500: Mark "struct page" dirty in + kvmppc_e500_shadow_map() + - [powerpc*] KVM: PPC: e500: Mark "struct page" pfn accessed before dropping + mmu_lock + - [powerpc*] KVM: PPC: e500: Use __kvm_faultin_pfn() to handle page faults + - KVM: e500: always restore irqs + - usb: chipidea/ci_hdrc_imx: Convert to platform remove callback returning + void + - usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and + in the error path of .probe() + - net/ncsi: Add NC-SI 1.2 Get MC MAC Address command + - net/ncsi: fix locking in Get MAC Address handling + - gpio: xilinx: Convert to immutable irq_chip + - gpio: xilinx: Convert gpio_lock to raw spinlock (CVE-2025-21684) + - xfs: report realtime block quota limits on realtime directories + - xfs: don't over-report free space or inodes in statvfs + - nvme: handle connectivity loss in nvme_set_queue_count + - firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry + - gpu: drm_dp_cec: fix broken CEC adapter properties check + - tg3: Disable tg3 PCIe AER on system reboot + - udp: gso: do not drop small packets when PMTU reduces + - gpio: pca953x: Improve interrupt support + - net: atlantic: fix warning during hot unplug + - net: rose: lock the socket in rose_bind() + - [x86] xen: fix xen_hypercall_hvm() to not clobber %rbx (Closes: #1095435) + - [x86] xen: add FRAME_END to xen_hypercall_hvm() + - ACPI: property: Fix return value for nval == 0 in acpi_data_prop_read() + - netem: Update sch->q.qlen before qdisc_tree_reduce_backlog() + (CVE-2025-21703) + - tun: revert fix group permission check + - net: sched: Fix truncation of offloaded action statistics + - cpufreq: s3c64xx: Fix compilation warning + - leds: lp8860: Write full EEPROM, not only half of it + - ALSA: hda/realtek: Enable Mute LED on HP Laptop 14s-fq1xxx + - drm/modeset: Handle tiled displays in pan_display_atomic. + - smb: client: change lease epoch type from unsigned int to __u16 + - [s390x] futex: Fix FUTEX_OP_ANDN implementation + - fs/proc: do_task_stat: Fix ESP not readable during coredump + - binfmt_flat: Fix integer overflow bug on 32 bit systems + - [arm64] drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event() + - [arm64] dts: rockchip: increase gmac rx_delay on rk3399-puma + - KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() + - [s390x] KVM: s390: vsie: fix some corner-cases when grabbing vsie pages + - ksmbd: fix integer overflows on 32 bit systems + - drm/amd/pm: Mark MM activity as unsupported + - Revert "drm/amd/display: Use HW lock mgr for PSR1" + - [x86] drm/i915/guc: Debug print LRC state entries only if the context is + pinned + - drm/komeda: Add check for komeda_get_layer_fourcc_list() + - [x86] drm/i915: Drop 64bpp YUV formats from ICL+ SDR planes + - Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc + - Bluetooth: L2CAP: accept zero as a special value for MTU auto-selection + - [arm64] clk: sunxi-ng: a100: enable MMC clock reparenting + - [arm64] clk: qcom: clk-alpha-pll: fix alpha mode configuration + - [arm64] clk: qcom: gcc-sm6350: Add missing parent_map for two clocks + - [arm64] clk: qcom: dispcc-sm6350: Add missing parent_map for a clock + - [arm64] clk: qcom: gcc-mdm9607: Fix cmd_rcgr offset for blsp1_uart6 rcg + - [arm64] clk: qcom: clk-rpmh: prevent integer overflow in recalc_rate + - blk-cgroup: Fix class @block_class's subsystem refcount leakage + - efi: libstub: Use '-std=gnu11' to fix build with GCC 15 + - scsi: ufs: core: Fix the HIGH/LOW_TEMP Bit Definitions + - of: Correct child specifier used as input of the 2nd nexus node + - of: Fix of_find_node_opts_by_path() handling of alias+path+options + - of: reserved-memory: Fix using wrong number of cells to get property + 'alignment' + - HID: hid-sensor-hub: don't use stale platform-data on remove + - wifi: rtlwifi: rtl8821ae: Fix media status report + - wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() + - usb: gadget: f_tcm: Translate error to sense + - usb: gadget: f_tcm: Decrement command ref count on cleanup + - usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint + - usb: gadget: f_tcm: Don't prepare BOT write request twice + - ASoC: acp: Support microphone from Lenovo Go S + - soc: qcom: socinfo: Avoid out of bounds read of serial number + - serial: sh-sci: Drop __initdata macro for port_cfg + - serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is + in use + - [mips*] Loongson64: remove ROM Size unit in boardinfo + - [powerpc*] pseries/eeh: Fix get PE state translation + - dm-crypt: don't update io->sector after kcryptd_crypt_write_io_submit() + - dm-crypt: track tag_offset in convert_context + - mips/math-emu: fix emulation of the prefx instruction (Closes: #1091858) + - block: don't revert iter for -EIOCBQUEUED + - Revert "media: uvcvideo: Require entities to have a non-zero unique ID" + (Closes: #1095764) + - ALSA: hda/realtek: Enable headset mic on Positivo C6400 + - ALSA: hda: Fix headset detection failure due to unstable sort + - [arm64] tegra: Fix Tegra234 PCIe interrupt-map + - PCI: endpoint: Finish virtual EP removal in pci_epf_remove_vepf() + - nvme-pci: Add TUXEDO InfinityFlex to Samsung sleep quirk + - nvme-pci: Add TUXEDO IBP Gen9 to Samsung sleep quirk + - scsi: qla2xxx: Move FCE Trace buffer allocation to user control + - scsi: storvsc: Set correct data length for sending SCSI command without + payload + - kbuild: Move -Wenum-enum-conversion to W=2 + - [x86] boot: Use '-std=gnu11' to fix build with GCC 15 + - [arm64] dts: qcom: sm6350: Fix ADSP memory length + - [arm64] dts: qcom: sm6350: Fix MPSS memory length + - [arm64] dts: qcom: sm8350: Fix MPSS memory length + - [arm64] dts: qcom: sm8450: Fix MPSS memory length + - crypto: qce - fix priority to be less than ARMv8 CE + - [arm64] tegra: Disable Tegra234 sce-fabric node + - xfs: Add error handling for xfs_reflink_cancel_cow_range + - ACPI: PRM: Remove unnecessary strict handler address checks + - rv: Reset per-task monitors also for idle tasks + - kfence: skip __GFP_THISNODE allocations on NUMA systems + - media: ccs: Clean up parsed CCS static data on parse failure + - iio: light: as73211: fix channel handling in only-color triggered buffer + - soc: qcom: smem_state: fix missing of_node_put in error path + - media: mc: fix endpoint iteration + - media: ov5640: fix get_light_freq on auto + - media: ccs: Fix CCS static data parsing for large block sizes + - media: ccs: Fix cleanup order in ccs_probe() + - media: uvcvideo: Fix event flags in uvc_ctrl_send_events + - media: uvcvideo: Remove redundant NULL assignment + - mm: kmemleak: fix upper boundary check for physical address objects + - ata: libata-sff: Ensure that we cannot write outside the allocated buffer + - crypto: qce - fix goto jump in error path + - crypto: qce - unregister previously registered algos in error path + - nvmem: qcom-spmi-sdam: Set size in struct nvmem_config + - nvmem: core: improve range check for nvmem_cell_write() + - io_uring/net: don't retry connect operation on EPOLLERR + - vfio/platform: check the bounds of read/write syscalls + - pnfs/flexfiles: retry getting layout segment for reads + - ocfs2: fix incorrect CPU endianness conversion causing mount failure + - ocfs2: handle a symlink read error correctly + - nilfs2: fix possible int overflows in nilfs_fiemap() + - mailbox: tegra-hsp: Clear mailbox before using message + - NFC: nci: Add bounds checking in nci_hci_create_pipe() + - i3c: master: Fix missing 'ret' assignment in set_speed() + - irqchip/apple-aic: Only handle PMC interrupt as FIQ when configured so + - mtd: onenand: Fix uninitialized retlen in do_otp_read() + - misc: fastrpc: Deregister device nodes properly in error scenarios + - misc: fastrpc: Fix registered buffer page address + - misc: fastrpc: Fix copy buffer page size + - net/ncsi: wait for the last response to Deselect Package before + configuring channel + - net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset + - rtla/osnoise: Distinguish missing workload option + - rtla: Add trace_instance_stop + - rtla/timerlat_hist: Stop timerlat tracer on signal + - rtla/timerlat_top: Stop timerlat tracer on signal + - [armhf] pinctrl: samsung: fix fwnode refcount cleanup if + platform_get_irq_optional() fails + - ptp: Ensure info->enable callback is always set + - rtc: zynqmp: Fix optional clock name property + - io_uring: fix multishots with selected buffers + - io_uring: fix io_req_prep_async with provided buffers + - io_uring/rw: commit provided buffer state on async + - [mips*] ftrace: Declare ftrace_get_parent_ra_addr() as static + - net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling + - gpio: xilinx: remove excess kernel doc + - ocfs2: check dir i_size in ocfs2_find_entry + - cachefiles: Fix NULL pointer dereference in object->file (CVE-2024-56549) + - mptcp: pm: only set fullmesh for subflow endp + - mptcp: prevent excessive coalescing on receive + - tty: xilinx_uartps: split sysrq handling + - maple_tree: fix static analyser cppcheck issue + - maple_tree: simplify split calculation + - pps: Fix a use-after-free + - Revert "btrfs: avoid monopolizing a core when activating a swap file" + - btrfs: avoid monopolizing a core when activating a swap file + - nfsd: clear acl_access/acl_default after releasing them + - NFSD: fix hang in nfsd4_shutdown_callback (Closes: #1071562) + - HID: multitouch: Add NULL check in mt_input_configured + - HID: hid-thrustmaster: fix stack-out-of-bounds read in + usb_check_int_endpoints() + - ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu() + - vrf: use RCU protection in l3mdev_l3_out() + - vxlan: check vxlan_vnigroup_init() return value + - team: better TEAM_OPTION_TYPE_STRING validation + - [arm64] cacheinfo: Avoid out-of-bounds write to cacheinfo array + - cgroup: Remove steal time from usage_usec + - xen/swiotlb: relax alignment requirements (Closes: #1093371, #1088159, + #1087807) + - xen: remove a confusing comment on auto-translated guest I/O + - [x86] xen: allow larger contiguous memory regions in PV guests + (Closes: #1093371, #1088159, #1087807) + - fbdev: omap: use threaded IRQ for LCD DMA + - media: cxd2841er: fix 64-bit division on gcc-9 + - media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread + - PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P + - PCI: switchtec: Add Microchip PCI100X device IDs + - scsi: ufs: bsg: Set bsg_queue to NULL after removal + - rtla/timerlat_hist: Abort event processing on second signal + - rtla/timerlat_top: Abort event processing on second signal + - vfio/pci: Enable iowrite64 and ioread64 for vfio pci + - Grab mm lock before grabbing pt lock + - [x86] mm/tlb: Only trim the mm_cpumask once a second + - orangefs: fix a oob in orangefs_debug_write + - [x86] ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 + tablet 5V + - batman-adv: fix panic during interface removal + - batman-adv: Ignore neighbor throughput metrics in error case + - batman-adv: Drop unmanaged ELP metric worker + - drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table() + - [x86] KVM: x86: Reject Hyper-V's SEND_IPI hypercalls if local APIC isn't + in-kernel + - [x86] KVM: nSVM: Enter guest mode before initializing nested NPT MMU + - [x86] perf/x86/intel: Ensure LBRs are disabled when a CPU is starting + - usb: dwc3: Fix timeout issue during controller enter/exit from halt state + - usb: roles: set switch registered flag early on + - usb: gadget: udc: renesas_usb3: Fix compiler warning + - usb: dwc2: gadget: remove of_node reference upon udc_stop + - USB: pci-quirks: Fix HCCPARAMS register error for LS7A EHCI + - usb: core: fix pipe creation for get_bMaxPacketSize0 + - USB: quirks: add USB_QUIRK_NO_LPM quirk for Teclast dist + - USB: Add USB_QUIRK_NO_LPM quirk for sony xperia xz1 smartphone + (Closes: #1091517) + - usb: gadget: f_midi: fix MIDI Streaming descriptor lengths + - USB: hub: Ignore non-compliant devices with too many configs or interfaces + - USB: cdc-acm: Fill in Renesas R-Car D3 USB Download mode quirk + - usb: cdc-acm: Check control transfer buffer size before access + (CVE-2025-21704) + - usb: cdc-acm: Fix handling of oversized fragments + - USB: serial: option: add MeiG Smart SLM828 + - USB: serial: option: add Telit Cinterion FN990B compositions + - USB: serial: option: fix Telit Cinterion FN990A name + - USB: serial: option: drop MeiG Smart defines + - can: ctucanfd: handle skb allocation failure + - can: c_can: fix unbalanced runtime PM disable in error path + - can: j1939: j1939_sk_send_loop(): fix unable to send messages with data + length zero + - efi: Avoid cold plugged memory for placing the kernel + - cgroup: fix race between fork and cgroup.kill + - serial: 8250: Fix fifo underflow on flush + - gpiolib: acpi: Add a quirk for Acer Nitro ANV14 + - gpio: stmpe: Check return value of stmpe_reg_read in + stmpe_gpio_irq_sync_unlock + - partitions: mac: fix handling of bogus partition table + - regmap-irq: Add missing kfree() + - [arm64] Handle .ARM.attributes section in linker scripts + - mmc: mtk-sd: Fix register settings for hs400(es) mode + - btrfs: fix hole expansion when writing at an offset beyond EOF + - clocksource: Use pr_info() for "Checking clocksource synchronization" + message + - clocksource: Use migrate_disable() to avoid calling get_random_u32() in + atomic context + - ipv4: add RCU protection to ip4_dst_hoplimit() + - net: treat possible_net_t net pointer as an RCU one and add + read_pnet_rcu() + - net: add dev_net_rcu() helper + - ipv4: use RCU protection in ipv4_default_advmss() + - ipv4: use RCU protection in rt_is_expired() + - ipv4: use RCU protection in inet_select_addr() + - net: ipv4: Cache pmtu for all packet paths if multipath enabled + - ipv4: use RCU protection in __ip_rt_update_pmtu() + - ipv4: icmp: convert to dev_net_rcu() + - flow_dissector: use RCU protection to fetch dev_net() + - ipv6: use RCU protection in ip6_default_advmss() + - ndisc: use RCU protection in ndisc_alloc_skb() + - neighbour: delete redundant judgment statements + - neighbour: use RCU protection in __neigh_notify() + - arp: use RCU protection in arp_xmit() + - openvswitch: use RCU protection in ovs_vport_cmd_fill_info() + - ndisc: extend RCU protection in ndisc_send_skb() + - ipv6: mcast: add RCU protection to mld_newpack() + - [arm64] drm/v3d: Stop active perfmon if it is being destroyed + - kdb: Do not assume write() callback available + - [x86] static-call: Remove early_boot_irqs_disabled check to fix Xen PVH + dom0 + - iommu: Return right value in iommu_sva_bind_device() (CVE-2024-40945) + - [arm64] tegra: Fix typo in Tegra234 dce-fabric compatible + - mm: gup: fix infinite loop within __get_longterm_locked + - i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master + Driver Due to Race Condition (CVE-2024-50061) + - nilfs2: do not output warnings when clearing dirty buffers + - nilfs2: do not force clear folio if buffer is referenced + - nilfs2: protect access to buffers with no active references + - can: ems_pci: move ASIX AX99100 ids to pci_ids.h + - serial: 8250_pci: add support for ASIX AX99100 + - parport_pc: add support for ASIX AX99100 + - net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice + events + - netdevsim: print human readable IP address + - f2fs: fix to wait dio completion (CVE-2024-47726) + - drm/amd/display: Add NULL pointer check for kzalloc (CVE-2024-42122) + - [x86] i8253: Disable PIT timer 0 when not in use + + [ Salvatore Bonaccorso ] + * Bump ABI to 32 + * [arm64] phy: rockchip: naneng-combphy: compatible reset with old DT + (Closes: #1095745, #1098250, #1098354) + * net: mana: Fix possible double free in error handling path (CVE-2024-42069) + (Closes: #1099138) + * net: mana: Fix RX buf alloc_size alignment and atomic op panic + (CVE-2024-45001) (Closes: #1099138) + * ptrace: Introduce exception_ip arch hook + * mm/memory: Use exception ip to search exception tables + (Closes: #1093200, #1087809, #1086028) + 6.1.128-1 [Fri, 07 Feb 2025 10:43:47 +0100] Salvatore Bonaccorso <carnil@debian.org>: * New upstream stable update: <http://piuparts.knut.univention.de/5.2-1/#8694923494431557133>
OK: bug OK: yaml OK: announce_errata OK: patch ~OK: piuparts manual test installing the header packages fine [5.2-1] 32e66a99a20 Bug #58106: linux 6.1.129-1 doc/errata/staging/linux.yaml | 175 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 175 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.2x46>