New Debian linux-signed-amd64 6.1.158+1 fixes:

This update addresses the following issues:

Debian update 6.1.153+1

6.1.153+1 (Sat, 20 Sep 2025 20:53:10 +0200)

* Sign kernel from linux 6.1.153-1
* New upstream stable update:
  https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.149
  - io_uring: don't use int for ABI
  - ALSA: usb-audio: Validate UAC3 power domain descriptors, too
  - ALSA: usb-audio: Validate UAC3 cluster segment descriptors
  - ALSA: hda/realtek: Fix headset mic on HONOR BRB-X
  - ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks
  - smb3: fix for slab out of bounds on mount to ksmbd
  - smb: client: remove redundant lstrp update in negotiate protocol
  - gpio: virtio: Fix config space reading.
  - [amd64,arm64] net: phy: micrel: fix KSZ8081/KSZ8091 cable test
  - net: usb: asix_devices: add phy_mask for ax88772 mdio bus
  - nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
  - NFSD: detect mismatch of file handle and delegation stateid in OPEN op
  - NFS: Fix the setting of capabilities when automounting a new filesystem
  - sunvdc: Balance device refcount in vdc_port_mpgroup_check
  - fs: Prevent file descriptor table allocations exceeding INT_MAX
  - eventpoll: Fix semi-unbounded recursion (CVE-2025-38614)
  - Documentation: ACPI: Fix parent device references
  - ACPI: processor: perflib: Fix initial _PPC limit application
  - ACPI: processor: perflib: Move problematic pr->performance check
  - [amd64] KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow
  - [amd64] KVM: x86: Re-split x2APIC ICR into ICR+ICR2 for AMD (x2AVIC)
  - [amd64] KVM: x86: Plumb in the vCPU to kvm_x86_ops.hwapic_isr_update()
  - [amd64] KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID
  - [amd64] KVM: x86: Snapshot the host's DEBUGCTL in common x86
  - [amd64] KVM: x86: Snapshot the host's DEBUGCTL after disabling IRQs
  - [amd64] KVM: x86/pmu: Gate all "unimplemented MSR" prints on report_ignored_msrs
  - [amd64] KVM: x86: Plumb "force_immediate_exit" into kvm_entry() tracepoint
  - [amd64] KVM: VMX: Re-enter guest in fastpath for "spurious" preemption timer exits
  - [amd64] KVM: VMX: Handle forced exit due to preemption timer in fastpath
  - [amd64] KVM: x86: Move handling of is_guest_mode() into fastpath exit handlers
  - [amd64] KVM: VMX: Handle KVM-induced preemption timer exits in fastpath for L2
  - [amd64] KVM: x86: Fully defer to vendor code to decide how to force immediate exit
  - [amd64] KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap
  - [amd64] KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag
  - [amd64] KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported
  - [amd64] KVM: VMX: Extract checking of guest's DEBUGCTL into helper
  - [amd64] KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter
  - [amd64] KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs
  - [amd64] KVM: VMX: Preserve host's DEBUGCTLMSR_FREEZE_IN_SMM while running the guest
  - udp: also consider secpath when evaluating ipsec use for checksumming
  - netfilter: ctnetlink: fix refcount leak on table dump
  - hfs: fix slab-out-of-bounds in hfs_bnode_read()
  - hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
  - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
  - hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
  - [arm64] Handle KCOV __init vs inline mismatches
  - smb/server: avoid deadlock when linking with ReplaceIfExists
  - udf: Verify partition map count
  - drbd: add missing kref_get in handle_write_conflicts
  - hfs: fix not erasing deleted b-tree node issue
  - better lockdep annotations for simple_recursive_removal()
  - ata: libata-sata: Disallow changing LPM state if not supported
  - fs/ntfs3: Add sanity check for file name
  - fs/ntfs3: correctly create symlink for relative path
  - fix locking in efi_secret_unlink()
  - securityfs: don't pin dentries twice, once is enough...
  - usb: xhci: print xhci->xhc_state when queue_command failed
  - cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag
  - usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default
  - usb: xhci: Avoid showing warnings for dying controller
  - usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command
  - usb: xhci: Avoid showing errors during surprise removal
  - remoteproc: imx_rproc: skip clock enable when M-core is managed by the SCU
  - cpufreq: Exit governor when failed to start old governor
  - [armhf] rockchip: fix kernel hang during smp initialization
  - PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store()
  - ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed
  - [arm64] thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required
  - tools/nolibc: define time_t in terms of __kernel_old_time_t
  - iio: adc: ad_sigma_delta: don't overallocate scan buffer
  - [armhf] tegra: Use I/O memcpy to write to IRAM
  - ACPI: PRM: Reduce unnecessary printing to avoid user confusion
  - PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()
  - thermal: sysfs: Return ENODATA instead of EAGAIN for reads
  - PM: sleep: console: Fix the black screen issue
  - ACPI: processor: fix acpi_object initialization
  - [arm64] mmc: sdhci-msm: Ensure SD card power isn't ON when card removed
  - ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path
  - pps: clients: gpio: fix interrupt handling order in remove path
  - reset: brcmstb: Enable reset drivers for ARCH_BCM2835
  - mei: bus: Check for still connected devices in mei_cl_bus_dev_release()
  - mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode()
  - ALSA: hda: Handle the jack polling always via a work
  - ALSA: hda: Disable jack polling at shutdown
  - [amd64] x86/bugs: Avoid warning when overriding return thunk
  - ASoC: hdac_hdmi: Rate limit logging on connection and disconnection
  - ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4
  - ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()
  - usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present
  - usb: core: usb_submit_urb: downgrade type check
  - pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop()
  - [amd64] platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches
  - platform/chrome: cros_ec_typec: Defer probe on missing EC parent
  - ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
  - ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop
  - ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros
  - iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement
  - ASoC: codecs: rt5640: Retry DEVICE_ID verification
  - xen/netfront: Fix TX response spurious interrupts
  - net: usb: cdc-ncm: check for filtering capability
  - wifi: cfg80211: reject HTC bit for management frames
  - [s390x] time: Use monotonic clock in get_cycles()
  - be2net: Use correct byte order and format string for TCP seq and ack_seq
  - wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB
  - et131x: Add missing check after DMA map
  - net: ag71xx: Add missing check after DMA map
  - net/mlx5e: Properly access RCU protected qdisc_sleeping variable
  - [arm64] Mark kernel as tainted on SAE and SError panic
  - rcu: Protect ->defer_qs_iw_pending from data race
  - net: mctp: Prevent duplicate binds
  - wifi: cfg80211: Fix interface type validation
  - net: ipv4: fix incorrect MTU in broadcast routes
  - net: thunderx: Fix format-truncation warning in bgx_acpi_match_id()
  - wifi: iwlwifi: mvm: fix scan request validation
  - [s390x] stp: Remove udelay from stp_sync_clock()
  - sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails
  - wifi: mac80211: don't complete management TX on SAE commit
  - ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc().
  - [arm64] drm/msm: use trylock for debugfs
  - wifi: rtw89: Fix rtw89_mac_power_switch() for USB
  - wifi: rtw89: Disable deep power saving for USB/SDIO
  - [amd64] net: thunderbolt: Enable end-to-end flow control also in transmit
  - [amd64] net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths()
  - net: atlantic: add set_power to fw_ops for atl2 to fix wol
  - net: fec: allow disable coalescing
  - drm/amd/display: Separate set_gsl from set_gsl_source_select
  - wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
  - wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect
  - drm/amd/display: Fix 'failed to blank crtc!'
  - wifi: mac80211: update radar_required in channel context after channel switch
  - wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`.
  - [powerpc*] floppy: Add missing checks after DMA map
  - netmem: fix skb_frag_address_safe with unreadable skbs
  - wifi: iwlegacy: Check rate_idx range after addition
  - neighbour: add support for NUD_PERMANENT proxy entries
  - drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual
  - net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs
  - gve: Return error for unknown admin queue command
  - [armhf] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325
  - [armhf] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325
  - [armhf] net: dsa: b53: prevent DIS_LEARNING access on BCM5325
  - [armhf] net: dsa: b53: prevent SWITCH_CTRL access on BCM5325
  - ptp: Use ratelimite for freerun error message
  - wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc()
  - ionic: clean dbpage in de-init
  - net: ncsi: Fix buffer overflow in fetching version id
  - drm/ttm: Should to return the evict error
  - uapi: in6: restore visibility of most IPv6 socket options
  - drm/ttm: Respect the shrinker core free target
  - net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325
  - vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page
  - vhost: fail early when __vhost_add_used() fails
  - drm/amd/display: Only finalize atomic_obj if it was initialized
  - watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition
  - cifs: Fix calling CIFSFindFirst() for root path without msearch
  - fbdev: fix potential buffer overflow in do_register_framebuffer()
  - ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
  - scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
  - fs/orangefs: use snprintf() instead of sprintf()
  - watchdog: dw_wdt: Fix default timeout
  - hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state
  - watchdog: iTCO_wdt: Report error if timeout configuration fails
  - scsi: bfa: Double-free fix
  - jfs: truncate good inode pages when hard link is 0
  - jfs: Regular file corruption check
  - jfs: upper bound check of tree index in dbAllocAG
  - [mips*] Don't crash in stack_top() for tasks without ABI or vDSO
  - media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control
  - leds: leds-lp50xx: Handle reg to get correct multi_index
  - [armhf] dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs
  - [amd64] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
  - RDMA/core: reduce stack using in nldev_stat_get_doit()
  - scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
  - scsi: mpt3sas: Correctly handle ATA device errors
  - scsi: mpi3mr: Correctly handle ATA device errors
  - pinctrl: stm32: Manage irq affinity settings
  - media: tc358743: Check I2C succeeded during probe
  - media: tc358743: Return an appropriate colorspace from tc358743_set_fmt
  - media: tc358743: Increase FIFO trigger level to 374
  - media: usb: hdpvr: disable zero-length read messages
  - media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
  - media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
  - media: uvcvideo: Fix bandwidth issue for Alcor camera
  - md: dm-zoned-target: Initialize return variable r to avoid uninitialized use
  - module: Prevent silent truncation of module name in delete_module(2)
  - i3c: add missing include to internal header
  - rtc: ds1307: handle oscillator stop flag (OSF) for ds1341
  - i3c: don't fail if GETHDRCAP is unsupported
  - i3c: master: Initialize ret in i3c_i2c_notifier_call()
  - dm-mpath: don't print the "loaded" message if registering fails
  - dm-table: fix checking for rq stackable devices
  - apparmor: use the condition in AA_BUG_FMT even with debug disabled
  - i2c: Force DLL0945 touchpad i2c freq to 100khz
  - vfio/type1: conditional rescheduling while pinning
  - scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans
  - scsi: target: core: Generate correct identifiers for PR OUT transport IDs
  - scsi: aacraid: Stop using PCI_IRQ_AFFINITY
  - vfio/mlx5: fix possible overflow in tracking max message size
  - ipmi: Use dev_warn_ratelimited() for incorrect message warnings
  - ipmi: Fix strcpy source and destination the same
  - net: phy: smsc: add proper reset flags for LAN8710A
  - block: avoid possible overflow for chunk_sectors check in blk_stack_limits()
  - pNFS: Fix stripe mapping in block/scsi layout
  - pNFS: Fix disk addr range check in block/scsi layout
  - pNFS: Handle RPC size limit for layoutcommits
  - pNFS: Fix uninited ptr deref in block/scsi layout
  - rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe
  - scsi: lpfc: Remove redundant assignment to avoid memory leak
  - ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe()
  - ASoC: soc-dai.h: merge DAI call back functions into ops
  - [arm64,armhf] ASoC: fsl: merge DAI call back functions into ops
  - [arm64,armhf] ASoC: fsl_sai: replace regmap_write with regmap_update_bits
  - drm/amdgpu: fix incorrect vm flags to map bo
  - ext4: fix zombie groups in average fragment size lists
  - ext4: fix largest free orders lists corruption on mb_optimize_scan switch
  - usb: core: config: Prevent OOB read in SS endpoint companion parsing
  - misc: rtsx: usb: Ensure mmc child device is active when card is present
  - usb: typec: ucsi: Update power_supply on power role change
  - [amd64] comedi: fix race between polling and detaching
  - [amd64] thunderbolt: Fix copy+paste error in match_service_id()
  - cdc-acm: fix race between initial clearing halt and open
  - btrfs: zoned: use filesystem size not disk size for reclaim decision
  - btrfs: abort transaction during log replay if walk_log_tree() failed
  - btrfs: zoned: do not remove unwritten non-data block group
  - btrfs: fix log tree replay failure due to file with 0 links and extents
  - btrfs: do not allow relocation of partially dropped subvolumes
  - fbdev: Fix vmalloc out-of-bounds write in fast_imageblit
  - hv_netvsc: Fix panic during namespace deletion with VF
  - media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
  - media: uvcvideo: Do not mark valid metadata as invalid
  - HID: magicmouse: avoid setting up battery timer when not needed
  - HID: apple: avoid setting up battery timer for devices without battery
  - serial: 8250: fix panic due to PSLVERR
  - cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table()
  - usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()
  - usb: gadget: udc: renesas_usb3: fix device leak at unbind
  - [arm64,armhf] usb: dwc3: meson-g12a: fix device leaks at unbind
  - bus: mhi: host: Fix endianness of BHI vector table
  - bus: mhi: host: Detect events pointing to unexpected TREs
  - vt: keyboard: Don't process Unicode characters in K_OFF mode
  - vt: defkeymap: Map keycodes above 127 to K_HOLE
  - Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()"
  - ksmbd: extend the connection limiting mechanism to support IPv6
  - ext4: check fast symlink for ea_inode correctly
  - ext4: fix fsmap end of range reporting with bigalloc
  - ext4: fix reserved gdt blocks handling in fsmap
  - ext4: use kmalloc_array() for array space allocation
  - ext4: fix hole length calculation overflow in non-extent inodes
  - scsi: mpi3mr: Fix race between config read submit and interrupt completion
  - ata: libata-scsi: Fix ata_to_sense_error() status handling
  - scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers
  - scsi: ufs: ufs-pci: Fix default runtime and system PM levels
  - iio: imu: bno055: fix OOB access of hw_xlate array
  - iio: adc: ad_sigma_delta: change to buffer predisable
  - wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table()
  - wifi: ath11k: fix dest ring-buffer corruption
  - wifi: ath11k: fix source ring-buffer corruption
  - wifi: ath11k: fix dest ring-buffer corruption when ring is full
  - pwm: imx-tpm: Reset counter if CMOD is 0
  - pwm: mediatek: Handle hardware enable and clock enable separately
  - pwm: mediatek: Fix duty and period setting
  - hwmon: (gsc-hwmon) fix fan pwm setpoint show functions
  - mtd: spi-nor: Fix spi_nor_try_unlock_all()
  - PCI: endpoint: Fix configfs group list head handling
  - PCI: endpoint: Fix configfs group removal on driver teardown
  - vsock/virtio: Validate length in packet header before skb_put()
  - vhost/vsock: Avoid allocating arbitrarily-sized SKBs
  - jbd2: prevent softlockup in jbd2_log_do_checkpoint()
  - [arm64,armhf] soc/tegra: pmc: Ensure power-domains are in a known state
  - media: gspca: Add bounds checking to firmware parser
  - [armhf] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()
  - media: vivid: fix wrong pixel_array control size
  - media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()
  - media: usbtv: Lock resolution while streaming
  - media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
  - media: ov2659: Fix memory leaks in ov2659_probe()
  - drm/amd: Restore cached power limit during resume
  - drm/amdgpu: Avoid extra evict-restore process.
  - drm/amdgpu: update mmhub 3.0.1 client id mappings
  - drm/amdkfd: Destroy KFD debugfs after destroy KFD wq
  - drm/amd/display: Don't overwrite dce60_clk_mgr
  - net, hsr: reject HSR frame if skb can't hold tag
  - ipv6: sr: Fix MAC comparison to be constant-time
  - ACPI: pfr_update: Fix the driver update version check
  - mptcp: drop skb if MPTCP skb extension allocation fails
  - mptcp: pm: kernel: flush: do not reset ADD_ADDR limit
  - f2fs: fix to do sanity check on ino and xnid (CVE-2025-38347)
  - iio: hid-sensor-prox: Restore lost scale assignments
  - iio: hid-sensor-prox: Fix incorrect OFFSET calculation
  - [amd64] perf/x86/intel: Fix crash in icl_update_topdown_event() (CVE-2025-38322)
  - [amd64] x86/mce/amd: Add default names for MCA banks and blocks
  - net: add netdev_lockdep_set_classes() to virtual drivers
  - btrfs: fix qgroup reservation leak on failure to allocate ordered extent
  - [arm64] entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
  - drm/sched: Remove optimization that causes hang when killing dependent jobs
  - net: enetc: fix device and OF node leak at probe
  - fscrypt: Don't use problematic non-inline crypto engines
  - block: reject invalid operation in submit_bio_noacct
  - block: Make REQ_OP_ZONE_FINISH a write operation
  - PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports
  - cifs: reset iface weights when we cannot find a candidate
  - usb: typec: fusb302: cache PD RX state
  - btrfs: qgroup: fix race between quota disable and quota rescan ioctl
  - btrfs: abort transaction on unexpected eb generation at btrfs_copy_root()
  - xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags
  - btrfs: send: use fallocate for hole punching with send stream v2
  - net_sched: sch_ets: implement lockless ets_dump()
  - net/sched: ets: use old 'nbands' while purging unused classes
  - mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
  - [armhf] usb: musb: omap2430: Convert to platform remove callback returning void
  - [armhf] usb: musb: omap2430: fix device leak at unbind
  - platform/chrome: cros_ec: Use per-device lockdep key
  - platform/chrome: cros_ec: remove unneeded label and if-condition
  - platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()
  - [arm64] usb: dwc3: imx8mp: fix device leak at unbind
  - ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
  - btrfs: populate otime when logging an inode item
  - tls: separate no-async decryption request handling from async (CVE-2024-58240)
  - [amd64] crypto: qat - fix ring to service map for QAT GEN4
  - [arm64] cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register
  - [amd64] KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer
  - mptcp: make fallback action and fallback decision atomic (CVE-2025-38491)
  - mptcp: plug races between subflow fail and subflow creation (CVE-2025-38552)
  - mptcp: reset fallback status gracefully at disconnect() time
  - mm: drop the assumption that VM_SHARED always implies writable
  - mm: update memfd seal write check to include F_SEAL_WRITE
  - mm: reinstate ability to map write-sealed memfd mappings read-only
  - Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync
  - kbuild: userprogs: use correct linker when mixing clang and GNU ld
  - [amd64] x86/reboot: Harden virtualization hooks for emergency reboot
  - [amd64] x86/reboot: KVM: Handle VMXOFF in KVM's reboot callback
  - [amd64] KVM: VMX: Flush shadow VMCS on emergency reboot
  - [arm64] KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix
  - memstick: Fix deadlock by moving removing flag earlier
  - mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency
  - squashfs: fix memory leak in squashfs_fill_super
  - mm/debug_vm_pgtable: clear page table entries at destroy_args()
  - ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6
  - [s390x] sclp: Fix SCCB present check
  - drm/amd/display: Avoid a NULL pointer dereference
  - drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3
  - drm/amd/display: Fix DP audio DTO1 clock source on DCE 6.
  - drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs
  - drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs
  - smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy()
  - fs/buffer: fix use-after-free when call bh_read() helper
  - use uniform permission checks for all mount propagation changes
  - ftrace: Also allocate and copy hash for reading of filter files
  - iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe()
  - iio: proximity: isl29501: fix buffered read on big-endian systems
  - most: core: Drop device reference after usage in get_channel()
  - usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive
  - [amd64] comedi: Make insn_rw_emulate_bits() do insn->n samples
  - [amd64] comedi: pcl726: Prevent invalid irq number
  - [amd64] comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
  - usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test
  - USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera
  - usb: storage: realtek_cr: Use correct byte order for bcs->Residue
  - USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles
  - [arm64,armhf] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout
  - [arm64,armhf] usb: dwc3: Remove WARN_ON for device endpoint command timeouts
  - [arm64] dts: ti: k3-am62-main: Remove eMMC High Speed DDR support
  - scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
  - ext4: preserve SB_I_VERSION on remount
  - scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers
  - scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems
  - [arm64] PCI: rockchip: Use standard PCIe definitions
  - [arm64] PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining
  - [arm64] soc: qcom: mdt_loader: Enhance split binary detection
  - [arm64] soc: qcom: mdt_loader: Ensure we don't read past the ELF header
  - f2fs: fix to call clear_page_private_reference in .{release,invalid}_folio
  - f2fs: fix to avoid out-of-boundary access in dnode page (CVE-2025-38677)
  - mptcp: disable add_addr retransmission when timeout is 0
  - drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
  - mmc: sdhci-pci-gli: Use PCI AER definitions, not hard-coded values
  - mmc: sdhci-pci-gli: Add a new function to simplify the code
  - mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER
  - mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn
  - drm/amd/display: Don't overclock DCE 6 by 15%
  - wifi: mac80211: avoid lockdep checking when removing deflink
  - wifi: mac80211: check basic rates validity in sta_link_apply_parameters
  - tls: fix handling of zero-length records on the rx_list
  - iio: imu: inv_icm42600: change invalid data error to -EBUSY
  - tracing: Remove unneeded goto out logic
  - tracing: Limit access to parser->buffer when trace_get_user failed
  - iio: light: as73211: Ensure buffer holes are zeroed
  - iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read()
  - compiler: remove __ADDRESSABLE_ASM{_STR,}() again
  - [amd64] x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper
  - cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key
  - iosys-map: Fix undefined behavior in iosys_map_clear()
  - RDMA/bnxt_re: Fix to initialize the PBL array
  - net: bridge: fix soft lockup in br_multicast_query_expired()
  - scsi: qla4xxx: Prevent a potential error pointer dereference
  - [amd64] iommu/amd: Avoid stack buffer overflow from kernel cmdline (CVE-2025-38676)
  - Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync()
  - [arm64] drm/hisilicon/hibmc: fix the hibmc loaded failed bug
  - ALSA: usb-audio: Fix size validation in convert_chmap_v3()
  - drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()
  - net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM
  - ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add
  - net: ethernet: mtk_ppe: add RCU lock around dev_fill_forward_path
  - ppp: fix race conditions in ppp_fill_forward_path
  - phy: mscc: Fix timestamping for vsc8584
  - net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization
  - gve: prevent ethtool ops after shutdown
  - ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc
  - igc: fix disabling L1.2 PCI-E link substate on I226 on init
  - net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
  - net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate
  - bonding: update LACP activity flag after setting lacp_active
  - bonding: Add independent control state machine
  - bonding: send LACPDUs periodically in passive mode after receiving partner's LACPDU
  - ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation
  - [s390x] hypfs: Avoid unnecessary ioctl registration in debugfs
  - [s390x] hypfs: Enable limited access during lockdown
  - netfilter: nf_reject: don't leak dst refcount for loopback packets
  - alloc_fdtable(): change calling conventions.

  https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.150
  - ftrace: Fix potential warning in trace_printk_seq during ftrace_dump
  - scsi: core: sysfs: Correct sysfs attributes access rights
  - smb: client: fix race with concurrent opens in unlink(2)
  - smb: client: fix race with concurrent opens in rename(2)
  - ACPI: EC: Add device to acpi_ec_no_wakeup[] qurik list
  - nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests
  - NFS: Fix a race when updating an existing write
  - vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put()
  - net: ipv4: fix regression in local-broadcast routes
  - [arm64] drm/msm: Defer fd_install in SUBMIT ioctl
  - [powerpc*] kvm: Fix ifdef to remove build warning
  - HID: input: rename hidinput_set_battery_charge_status()
  - HID: input: report battery status changes immediately
  - Bluetooth: hci_event: Treat UNKNOWN_CONN_ID on disconnect as success
  - Bluetooth: hci_event: Mark connection as closed during suspend disconnect
  - Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced
  - Bluetooth: hci_sync: fix set_local_name race condition
  - atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().
  - net: dlink: fix multicast stats being counted incorrectly
  - phy: mscc: Fix when PTP clock is register and unregister
  - net/mlx5: Reload auxiliary drivers on fw_activate
  - net/mlx5e: Update and set Xon/Xoff upon MTU set
  - net/mlx5e: Update and set Xon/Xoff upon port speed set
  - net/mlx5e: Set local Xoff after FW update
  - net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts
  - net: rose: split remove and free operations in rose_remove_neigh()
  - net: rose: convert 'use' field to refcount_t
  - net: rose: include node references in rose_neigh refcount
  - sctp: initialize more fields in sctp_v6_from_sk()
  - efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
  - [x86] KVM: x86: use array_index_nospec with indices that come from guest
  - HID: asus: fix UAF via HID_CLAIMED_INPUT validation
  - HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
  - HID: wacom: Add a new Art Pen 2
  - HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()
  - Revert "drm/amdgpu: fix incorrect vm flags to map bo"
  - dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted
  - fs/smb: Fix inconsistent refcnt update
  - net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions
  - smb3 client: fix return code mapping of remap_file_range
  - drm/nouveau/disp: Always accept linear modifier
  - net: rose: fix a typo in rose_clear_routes()
  - HID: mcp2221: Don't set bus speed on every transfer
  - HID: mcp2221: Handle reads greater than 60 bytes
  - Revert "drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS"
  - xfs: do not propagate ENODATA disk errors into xattr code

  https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.151
  - bpf: Add cookie object to bpf maps
  - bpf: Move cgroup iterator helpers to bpf.h
  - bpf: Move bpf map owner out of common struct
  - bpf: Fix oob access in cgroup local storage (CVE-2025-38502)
  - btrfs: fix race between logging inode and checking if it was logged before
  - btrfs: fix race between setting last_dir_index_offset and inode logging
  - btrfs: avoid load/store tearing races when checking if an inode was logged
  - cdc_ncm: Flag Intel OEM version of Fibocom L850-GL as WWAN
  - drm/amd/display: Don't warn when missing DCE encoder caps
  - Bluetooth: hci_sync: Avoid adding default advertising on startup
  - fs: writeback: fix use-after-free in __mark_inode_dirty()
  - [arm64] tee: fix NULL pointer dereference in tee_shm_put
  - [arm64] dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro
  - [arm64] tee: optee: ffa: fix a typo of "optee_ffa_api_is_compatible"
  - wifi: cfg80211: fix use-after-free in cmp_bss()
  - netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
  - netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
  - Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
  - [x86] xirc2ps_cs: fix register access when enabling FullDuplex
  - mISDN: Fix memory leak in dsp_hwec_enable()
  - icmp: fix icmp_ndo_send address translation for reply direction
  - [arm64] net: macb: Fix tx_ptr_lock locking
  - net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
  - i40e: Fix potential invalid access when MAC list is empty
  - net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets
  - wifi: cw1200: cap SSID length in cw1200_do_join()
  - wifi: libertas: cap SSID len in lbs_associate()
  - wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
  - [arm64] net: thunder_bgx: add a missing of_node_put
  - [arm64] net: thunder_bgx: decrement cleanup index before use
  - ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
  - net/smc: Remove validation of reserved bits in CLC Decline message
  - mctp: return -ENOPROTOOPT for unknown getsockopt options
  - ax25: properly unshare skbs in ax25_kiss_rcv()
  - net: atm: fix memory leak in atm_register_sysfs when device_register fail
  - ppp: fix memory leak in pad_compress_skb
  - phy: mscc: Stop taking ts_lock for tx_queue and use its own lock
  - ALSA: usb-audio: Add mute TLV for playback volumes on some devices
  - ACPI/IORT: Fix memory leak in iort_rmr_alloc_sids()
  - pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
  - [amd64] x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
  - mm: move page table sync declarations to linux/pgtable.h
  - ocfs2: prevent release journal inode after journal shutdown
  - wifi: mwifiex: Initialize the chan_stats array to zero
  - drm/amdgpu: drop hw access in non-DC audio fini
  - scsi: lpfc: Fix buffer free/clear order in deferred receive path
  - batman-adv: fix OOB read/write in network-coding decode
  - cifs: prevent NULL pointer dereference in UTF16 conversion
  - e1000e: fix heap overflow in e1000_set_eeprom
  - mm/slub: avoid accessing metadata when pointer is invalid in object_err()
  - PCI/MSI: Add an option to write MSIX ENTRY_DATA before any reads
  - cpufreq/sched: Explicitly synchronize limits_changed flag handling
  - btrfs: adjust subpage bit start based on sectorsize (CVE-2025-37931)
  - iio: light: opt3001: fix deadlock due to concurrent flag access (CVE-2025-37968)
  - [x86] i2c: designware: Fix an error handling path in i2c_dw_pci_probe()
  - ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup
  - vmxnet3: update MTU after device quiesce
  - [arm64,armhf] spi: tegra114: Remove unnecessary NULL-pointer checks
  - [arm64,armhf] spi: tegra114: Don't fail set_cs_timing when delays are zero
  - [x86] cpufreq: intel_pstate: Revise global turbo disable check
  - [x86] cpufreq: intel_pstate: Fold intel_pstate_max_within_limits() into caller
  - [x86] cpufreq: intel_pstate: Do not update global.turbo_disabled after initialization
  - [x86] cpufreq: intel_pstate: Unchecked MSR aceess in legacy mode
  - ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA
  - fs: relax assertions on failure to encode file handles (CVE-2024-57924)
  - drm/amd/display: Check link_res->hpo_dp_link_enc before using it (CVE-2024-47704)
  - ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model
  - ALSA: hda/realtek: Fix headset mic for TongFang X6[AF]R5xxY
  - Revert "drm/amdgpu: Avoid extra evict-restore process."
  - pcmcia: omap: Add missing check for platform_get_resource
  - pcmcia: Add error handling for add_interval() in do_validate_mem()
  - [arm64] drm/bridge: ti-sn65dsi86: fix REFCLK setting
  - drm/amdgpu: Optimize RAS TA initialization and TA unload funcs
  - drm/amdgpu: remove the check of init status in psp_ras_initialize
  - drm/amd/amdgpu: Fix style problems in amdgpu_psp.c
  - drm/amdgpu: Skip TMR allocation if not required
  - drm/amd: Make flashing messages quieter
  - drm/amdgpu: Replace DRM_* with dev_* in amdgpu_psp.c
  - drm/amd/amdgpu: Fix missing error return on kzalloc failure
  - mm, slub: refactor free debug processing
  - slub: Reflow ___slab_alloc()
  - mm: slub: avoid wake up kswapd in set_track_prepare
  - [arm64,armhf] spi: tegra114: Use value to check for invalid delays
  - [x86] cpufreq: intel_pstate: Rearrange show_no_turbo() and store_no_turbo()
  - [x86] cpufreq: intel_pstate: Read global.no_turbo under READ_ONCE()
  - [x86] cpufreq: intel_pstate: Check turbo_is_disabled() in store_no_turbo()

  https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.152
  - [amd64] Add mitigations for VMSCAPE (CVE-2025-40300):
    - Documentation/hw-vuln: Add VMSCAPE documentation
    - x86/vmscape: Enumerate VMSCAPE bug
    - x86/vmscape: Add conditional IBPB mitigation
    - x86/vmscape: Enable the mitigation
    - x86/bugs: Move cpu_bugs_smt_update() down
    - x86/vmscape: Warn when STIBP is disabled with SMT
    - x86/vmscape: Add old Intel CPUs to affected list

  https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.153
  - mm: introduce and use {pgd,p4d}_populate_kernel()
  - media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization (CVE-2025-23160)
  - net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. (CVE-2025-23143)
  - tracing: Do not add length to print format in synthetic events
  - flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read
  - NFSv4: Don't clear capabilities that won't be reset
  - NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set
  - NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server
  - tracing: Fix tracing_marker may trigger page fault during preempt_disable
  - ftrace/samples: Fix function size computation
  - NFSv4/flexfiles: Fix layout merge mirror check.
  - tracing: Silence warning when chunk allocation fails in trace_pid_write
  - tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.
  - proc: fix type confusion in pde_set_flags()
  - [x86] KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code
  - [x86] KVM: SVM: Return TSA_SQ_NO and TSA_L1_NO bits in __do_cpuid_func()
  - [x86] KVM: SVM: Set synthesized TSA CPUID flags
  - Revert "SUNRPC: Don't allow waiting for exiting tasks"
  - mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN
  - ocfs2: fix recursive semaphore deadlock in fiemap call
  - net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups
  - [armhf] mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer
  - [armhf] mtd: rawnand: stm32_fmc2: fix ECC overwrite
  - fuse: check if copy_file_range() returns larger than requested size
  - fuse: prevent overflow in copy_file_range return value
  - libceph: fix invalid accesses to ceph_connection_v1_info
  - mm/damon/sysfs: fix use-after-free in state_show()
  - mm/damon/reclaim: avoid divide-by-zero in damon_reclaim_apply_parameters()
  - mm/damon/lru_sort: avoid divide-by-zero in damon_lru_sort_apply_parameters()
  - mm/khugepaged: convert hpage_collapse_scan_pmd() to use folios
  - mm/khugepaged: fix the address passed to notifier on testing young
  - kernfs: Fix UAF in polling when open file is released
  - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table - Revert "net: usb: asix: ax88772: drop phylink use in PM to avoid MDIO runtime PM wakeups" - tty: hvc_console: Call hvc_kick in hvc_write unconditionally - dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks - USB: serial: option: add Telit Cinterion FN990A w/audio compositions - USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions - [arm64,armhf] net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() - tunnels: reset the GSO metadata before reusing the skb - docs: networking: can: change bcm_msg_head frames member to support flexible array - igb: fix link test skipping when interface is admin down - i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path - can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed - can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails - net: hsr: Disable promiscuous mode in offload mode - net: hsr: Add support for MC filtering at the slave device - net: hsr: Add VLAN CTAG filter support - hsr: use rtnl lock when iterating over ports - hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr - [amd64] dmaengine: idxd: Fix double free in idxd_setup_wqs() - [armhf] dmaengine: ti: edma: Fix memory allocation size for queue_priority_map - hrtimer: Remove unused function - hrtimer: Rename __hrtimer_hres_active() to hrtimer_hres_active() - hrtimers: Unconditionally update target CPU base after offline timer migration - USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels - [arm64] dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees - [arm64] phy: tegra: xusb: fix device and OF node leak at probe - [armhf] phy: ti-pipe3: fix device leak at unbind - drm/amdgpu: fix a memory leak in fence cleanup when unloading - [x86] drm/i915/power: fix size for for_each_set_bit() in abox iteration - [arm64] soc: qcom: mdt_loader: Fix error return values 
in mdt_header_valid() - [arm64] soc: qcom: mdt_loader: Deal with zero e_shentsize - net: hsr: hsr_slave: Fix the promiscuous mode in offload mode [ Ben Hutchings ] * Revert to using RSA for module signatures * d/b/gencontrol.py: Extend the effect of $DEBIAN_KERNEL_DISABLE_INSTALLER [ Santiago Ruano Rincón ] * d/salsa-ci.yml: Merge the extract-source job into the build's job script * d/salsa-ci.yml: Suppress unreleased changes and mismatching distribution lintian tags. * d/salsa-ci.yml: Early move orig tarballs back where they can be cached 6.1.148-1 (Tue, 26 Aug 2025 22:35:21 +0200) * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.148 - Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT (CVE-2025-38335) - regulator: core: fix NULL dereference on unbind due to stale coupling data - RDMA/core: Rate limit GID cache warning messages - iio: adc: ad7949: use spi_is_bpw_supported() - regmap: fix potential memory leak of regmap_bus - [x86] hyperv: Fix usage of cpu_online_mask to get valid cpu - [arm64,armhf] staging: vc04_services: Drop VCHIQ_SUCCESS usage - [arm64,armhf] staging: vc04_services: Drop VCHIQ_ERROR usage - [arm64,armhf] staging: vc04_services: Drop VCHIQ_RETRY usage - [arm64,armhf] staging: vchiq_arm: Make vchiq_shutdown never fail - xfrm: interface: fix use-after-free after changing collect_md xfrm interface (CVE-2025-38500) - net/mlx5: Fix memory leak in cmd_exec() - i40e: Add rx_missed_errors for buffer exhaustion - i40e: report VF tx_dropped with tx_errors instead of tx_discards - i40e: When removing VF MAC filters, only check PF-set MAC - net: appletalk: Fix use-after-free in AARP proxy probe - can: dev: can_restart(): reverse logic to remove need for goto - can: dev: can_restart(): move debug message and stats after successful restart - can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode - [arm64] drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() - 
[arm64] net: hns3: fix concurrent setting vlan filter issue - [arm64] net: hns3: disable interrupt when ptp init failed - [arm64] net: hns3: fixed vf get max channels bug - [x86] platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots - i2c: qup: jump out of the loop in case of timeout - i2c: tegra: Fix reset error handling with ACPI - i2c: virtio: Avoid hang by using interruptible completion wait - bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() - ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx - [arm64] dpaa2-eth: Fix device reference count leak in MAC endpoint handling - e1000e: disregard NVM checksum on tgp when valid checksum bit is not set - e1000e: ignore uninitialized checksum word on tgp - gve: Fix stuck TX queue for DQ queue format - ice: Fix a null pointer dereference in ice_copy_and_init_pkg() - nilfs2: reject invalid file types when reading inodes - mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n - drm/amdkfd: Don't call mmput from MMU notifier callback - usb: typec: tcpm: allow to use sink in accessory mode - usb: typec: tcpm: allow switching to mode accessory to mux properly - usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach - jfs: reject on-disk inodes of an unsupported type (CVE-2025-37925) - [x86] comedi: comedi_test: Fix possible deletion of uninitialized timers - ALSA: hda/tegra: Add Tegra264 support - ALSA: hda: Add missing NVIDIA HDA codec IDs - [x86] drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x - mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma - erofs: get rid of debug_one_dentry() - erofs: sunset erofs_dbg() - erofs: drop z_erofs_page_mark_eio() - erofs: simplify z_erofs_transform_plain() - erofs: address D-cache aliasing - usb: chipidea: add USB PHY event - usb: phy: mxs: disconnect line when USB charger is attached - ethernet: intel: fix building with large NR_CPUS - [x86] ASoC: amd: yc: Add DMI entries to support 
HP 15-fb1xxx - ASoC: Intel: fix SND_SOC_SOF dependencies - fs_context: fix parameter name in infofc() macro - ublk: use vmalloc for ublk_device's __queues - hfsplus: remove mutex_lock check in hfsplus_free_extents - ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() - ASoC: ops: dynamically allocate struct snd_ctl_elem_value - soc: qcom: QMI encoding/decoding for big endian - [arm64] dts: qcom: sdm845: Expand IMEM region - [arm64] dts: qcom: sc7180: Expand IMEM region - [arm64,armhf] usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() - usb: misc: apple-mfi-fastcharge: Make power supply names unique - vmci: Prevent the dispatching of uninitialized payloads - pps: fix poll support - Revert "vmci: Prevent the dispatching of uninitialized payloads" - powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() - usb: early: xhci-dbc: Fix early_ioremap leak - [armhf] dts: ti: omap: Fixup pinheader typo - [arm64] dts: imx8mm-beacon: Fix HS400 USDHC clock speed - [arm64] dts: imx8mn-beacon: Fix HS400 USDHC clock speed - PM / devfreq: Check governor before using governor->name - cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode - cpufreq: Initialize cpufreq-based frequency-invariance later - cpufreq: Init policy->rwsem before it may be possibly used - [arm64,armhf] drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed - bpf, sockmap: Fix psock incorrectly pointing to sk - bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls - net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain - bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure - wifi: rtl818x: Kill URBs before clearing tx status queue - wifi: iwlwifi: Fix memory leak in iwl_mvm_init() - iwlwifi: Add missing check for alloc_ordered_workqueue - wifi: ath11k: clear initialized flag for deinit-ed srng lists - tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range - net/mlx5: Check device memory 
pointer before usage - drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value - fbcon: Fix outdated registered_fb reference in comment - netfilter: nf_tables: adjust lockdep assertions handling - net/sched: Restrict conditions for adding duplicating netems to qdisc tree - net_sched: act_ctinfo: use atomic64_t for three counters - xen/gntdev: remove struct gntdev_copy_batch from stack - wifi: rtl8xxxu: Fix RX skb size for aggregation disabled - mwl8k: Add missing check after DMA map - wifi: mac80211: reject TDLS operations when station is not associated - wifi: plfxlc: Fix error handling in usb driver probe - wifi: mac80211: Do not schedule stopped TXQs - wifi: mac80211: Don't call fq_flow_idx() for management frames - wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() - Reapply "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" - wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE - can: peak_usb: fix USB FD devices potential malfunction - can: kvaser_pciefd: Store device channel index - can: kvaser_usb: Assign netdev.dev_port based on device channel index - netfilter: xt_nfacct: don't assume acct name is null-terminated - vrf: Drop existing dst reference in vrf_ip6_input_dst - ipv6: prevent infinite loop in rt6_nlmsg_size() - ipv6: fix possible infinite loop in fib6_info_uses_dev() - ipv6: annotate data-races around rt->fib6_nsiblings - bpf/preload: Don't select USERMODE_DRIVER - PCI: rockchip-host: Fix "Unexpected Completion" log message - [arm64] crypto: sun8i-ce - fix nents passed to dma_unmap_sg() - [arm*] crypto: marvell/cesa - Fix engine load inaccuracy - mtd: fix possible integer overflow in erase_xfer() - media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check - power: supply: cpcap-charger: Fix null check for power_supply_get_by_name - power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set - PCI: endpoint: pci-epf-vntb: Return -ENOENT if 
pci_epc_get_next_free_bar() fails - [arm64,armhf] pinctrl: sunxi: Fix memory leak on krealloc failure - perf sched: Fix memory leaks for evsel->priv in timehist - perf sched: Fix memory leaks in 'perf sched latency' - [arm64] crypto: inside-secure - Fix `dma_unmap_sg()` nents value - crypto: ccp - Fix crash when rebind ccp device for ccp.ko - [arm64] RDMA/hns: Fix -Wframe-larger-than issue - kernel: trace: preemptirq_delay_test: use offstack cpu mask - proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al - perf tests bp_account: Fix leaked file descriptor - [armhf] clk: sunxi-ng: v3s: Fix de clock definition - [ppc64el] scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value - scsi: elx: efct: Fix dma_unmap_sg() nents value - scsi: mvsas: Fix dma_unmap_sg() nents value - scsi: isci: Fix dma_unmap_sg() nents value - soundwire: stream: restore params when prepare ports fail - PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute - fs/orangefs: Allow 2 more characters in do_c_string() - dmaengine: mv_xor: Fix missing check after DMA map and missing unmap - [x86] crypto: qat - fix seq_file position update in adf_ring_next() - fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref - jfs: fix metapage reference count leak in dbAllocCtl - vhost-scsi: Fix log flooding with target does not exist errors - bpf: Check flow_dissector ctx accesses are aligned - apparmor: ensure WB_HISTORY_SIZE value is a power of 2 - module: Restore the moduleparam prefix length check - ucount: fix atomic_long_inc_below() argument type - rtc: ds1307: fix incorrect maximum clock rate handling - rtc: hym8563: fix incorrect maximum clock rate handling - rtc: nct3018y: fix incorrect maximum clock rate handling - rtc: pcf85063: fix incorrect maximum clock rate handling - rtc: pcf8563: fix incorrect maximum clock rate handling - rtc: rv3028: fix incorrect maximum clock rate handling - f2fs: fix KMSAN uninit-value in extent_info usage - f2fs: doc: fix 
wrong quota mount option description - f2fs: fix to avoid UAF in f2fs_sync_inode_meta() - f2fs: fix to avoid panic in f2fs_evict_inode - f2fs: fix to avoid out-of-boundary access in devs.path - f2fs: vm_unmap_ram() may be called from an invalid context - f2fs: fix to update upper_p in __get_secs_required() correctly - f2fs: fix to calculate dirty data during has_not_enough_free_secs() - vfio/pci: Separate SR-IOV VF dev_set - scsi: mpt3sas: Fix a fw_event memory leak - scsi: Revert "scsi: iscsi: Fix HW conn removal use after free" - scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume - scsi: sd: Make sd shutdown issue START STOP UNIT appropriately - PCI: pnv_php: Clean up allocated IRQs on unplug - PCI: pnv_php: Work around switches with broken presence detection - [powerpc*] eeh: Export eeh_unfreeze_pe() - [powerpc*] eeh: Rely on dev->link_active_reporting - [powerpc*] eeh: Make EEH driver device hotplug safe - PCI: pnv_php: Fix surprise plug detection and recovery - pNFS/flexfiles: don't attempt pnfs on fatal DS errors - sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() - NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() - NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() - NFSv4.2: another fix for listxattr - NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY - netpoll: prevent hanging NAPI when netcons gets enabled - phy: mscc: Fix parsing of unicast frames - pptp: ensure minimal skb length in pptp_xmit() - net/mlx5: Correctly set gso_segs when LRO is used - ipv6: reject malicious packets in ipv6_gso_segment() - net: drop UFO packets in udp_rcv_segment() - benet: fix BUG when creating VFs - irqchip: Build IMX_MU_MSI only on ARM - ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() - smb: server: remove separate empty_recvmsg_queue - smb: server: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already - smb: server: let recv_done() 
consistently call put_recvmsg/smb_direct_disconnect_rdma_connection - smb: server: let recv_done() avoid touching data_transfer after cleanup/move - smb: client: let recv_done() cleanup before notifying the callers. - pptp: fix pptp_xmit() error path - perf/core: Don't leak AUX buffer refcount on allocation failure - perf/core: Exit early on perf_mmap() fail - perf/core: Prevent VMA split of buffer mappings - net/packet: fix a race in packet_set_ring() and packet_notifier() - vsock: Do not allow binding to VMADDR_PORT_ANY - ksmbd: fix null pointer dereference error in generate_encryptionkey - ksmbd: fix Preauh_HashValue race condition - ksmbd: fix corrupted mtime and ctime in smb2_open - ksmbd: limit repeated connections from clients with the same IP (CVE-2025-38501) - smb: server: Fix extension string in ksmbd_extract_shortname() - USB: serial: option: add Foxconn T99W709 - net: usbnet: Avoid potential RCU stall on LINK_CHANGE event - net: usbnet: Fix the wrong netif_carrier_on() call - [x86] sev: Evict cache lines during SNP memory validation (CVE-2024-36331) - ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() - [x86] fpu: Delay instruction pointer fixup until after warning - [mips*] mm: tlb-r4k: Uniquify TLB entries on init - mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery - usb: gadget : fix use-after-free in composite_dev_cleanup() [ Bastian Blank ] * Drop not needed extra step to add debug links * Sign modules using an ephemeral key: - Set MODULE_SIG_ALL to sign all modules. - Not longer request Secure Boot signing for modules. - Don't trust Secure Boot key any longer. * Store build time signing key encrypted. * Sign modules and support lockdown always. 
* d/b/buildcheck.py, d/rules.real: Run buildcheck.py in setup as well * d/b/buildcheck.py: Check config of kernel to be signed * d/rules: Include target suite as an input to gencontrol.py * Generate kernel ABI name suffix automatically if not configured * Delete ABI name suffix and ABI reference * d/salsa-ci.yml: Ignore pycodestyle error E241 * d/rules.real: Move module installation to the image build rule * proc: fix missing pde_set_flags() for net proc files [ Salvatore Bonaccorso ] * [amd64] udeb: kernel-image: Include SPI drivers * netlink: avoid infinite retry looping in netlink_unicast() * ext4: don't try to clear the orphan_present feature block device is r/o Debian update 6.1.158+1 6.1.158+1 (Sun, 09 Nov 2025 21:02:07 +0100) * Sign kernel from linux 6.1.158-1 * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.154 - ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported - wifi: mac80211: increase scan_ies_len for S1G - wifi: mac80211: fix incorrect type for ret - cgroup: split cgroup_destroy_wq into 3 workqueues - btrfs: fix invalid extref key setup when replaying dentry - qed: Don't collect too many protection override GRC elements - mptcp: set remote_deny_join_id0 on SYN recv - net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure - i40e: remove redundant memory barrier when cleaning Tx descs - bonding: don't set oif to bond dev when getting NS target destination - tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). 
- tls: make sure to abort the stream if headers are bogus - Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" - net: liquidio: fix overflow in octeon_init_instr_queue() - cnic: Fix use-after-free bugs in cnic_delete_task - ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer - ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size - nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* - power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery - power: supply: bq27xxx: restrict no-battery detection to bq27000 - [x86] iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() - btrfs: tree-checker: fix the incorrect inode ref size check - mmc: mvsdio: Fix dma_unmap_sg() nents value - [x86] KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active - rds: ib: Increment i_fastreg_wrs before bailing out - ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx - io_uring: backport io_should_terminate_tw() - io_uring: include dying ring in task_work "should cancel" state - [x86] ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message - [arm64] drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path - crypto: af_alg: Indent the loop in af_alg_sendmsg() - crypto: af_alg - Set merge to zero early in af_alg_sendmsg - smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path - mptcp: pm: nl: announce deny-join-id0 flag - phy: Use device_get_match_data() - [armhf] phy: ti: omap-usb2: fix device leak at unbind - xhci: dbc: decouple endpoint allocation from initialization - xhci: dbc: Fix full DbC transfer ring after several reconnects - mptcp: propagate shutdown to subflows when possible - net: rfkill: gpio: add DT support - net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer - crypto: af_alg: Convert af_alg_sendpage() to use MSG_SPLICE_PAGES - crypto: af_alg - Disallow concurrent writes in 
af_alg_sendmsg https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.155 - ALSA: usb-audio: Fix block comments in mixer_quirks - ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks - ALSA: usb-audio: Avoid multiple assignments in mixer_quirks - ALSA: usb-audio: Simplify NULL comparison in mixer_quirks - ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks - ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 - ALSA: usb-audio: Convert comma to semicolon - ALSA: usb-audio: Fix build with CONFIG_INPUT=n - usb: core: Add 0x prefix to quirks debug output - ALSA: usb-audio: Add DSD support for Comtrue USB Audio device - ALSA: usb-audio: move mixer_quirks' min_mute into common quirk - ALSA: usb-audio: Add mute TLV for playback volumes on more devices - IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions - mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" - mm: add folio_expected_ref_count() for reference count calculation - mm/gup: check ref_count instead of lru before migration - mm/gup: local lru_add_drain() to avoid lru_add_drain_all() - mm: folio_may_be_lru_cached() unless folio_test_large() - cpufreq: Initialize cpufreq-based invariance before subsys - smb: server: don't use delayed_work for post_recv_credits_work - bpf: Reject bpf_timer for PREEMPT_RT - can: hi311x: populate ndo_change_mtu() to prevent buffer overflow - [armhf] can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow - can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow - can: peak_usb: fix shift-out-of-bounds issue - Bluetooth: hci_sync: Fix hci_resume_advertising_sync - Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync - bnxt_en: correct offset handling for IPv6 destination address - nexthop: Forbid FDB status change while nexthop is in a group - [x86] drm/gma500: Fix null dereference in hdmi teardown - futex: Prevent use-after-free during requeue-PI - i40e: fix idx validation in i40e_validate_queue_map - i40e: 
fix input validation logic for action_meta - i40e: add max boundary check for VF filters - i40e: add mask to apply valid bits for itr_idx - i40e: improve VF MAC filters accounting - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx - tracing: dynevent: Add a missing lockdown check on dynevent - afs: Fix potential null pointer dereference in afs_put_server - mm/hugetlb: fix folio is still mapped when deleted - fbcon: fix integer overflow in fbcon_do_set_font - fbcon: Fix OOB access in font allocation - [s390x] cpum_cf: Fix uninitialized warning after backport of ce971233242b - mm: migrate_device: use more folio in migrate_device_finalize() - mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() (CVE-2025-21861) - minmax: add in_range() macro - minmax: Introduce {min,max}_array() - minmax: deduplicate __unconst_integer_typeof() - minmax: fix indentation of __cmp_once() and __clamp_once() - minmax: avoid overly complicated constant expressions in VM code - drm/ast: Use msleep instead of mdelay for edid read - i40e: fix validation of VF state in get resources - i40e: fix idx validation in config queues msg - i40e: increase max descriptors for XL710 - i40e: add validation for ring_len param - minmax: make generic MIN() and MAX() macros available everywhere - minmax: add a few more MIN_T/MAX_T users - minmax: simplify and clarify min_t()/max_t() implementation - [x86] drm/i915/backlight: Return immediately when scale() finds invalid parameters https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.156 - crypto: sha256 - fix crash at kexec - scsi: target: target_core_configfs: Add length check to avoid buffer overflow (CVE-2025-39998) - media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove (CVE-2025-39996) - media: rc: fix races with imon_disconnect() (CVE-2025-39993) - [arm64] KVM: arm64: Fix softirq masking in FPSIMD register saving sequence - media: tunner: xc5000: Refactor firmware load - media: 
tuner: xc5000: Fix use-after-free in xc5000_release (CVE-2025-39994) - media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe (CVE-2025-39995) - minmax: don't use max() in situations that want a C constant expression - minmax: simplify min()/max()/clamp() implementation - minmax: improve macro expansion and type checking - minmax: fix up min3() and max3() too - minmax.h: add whitespace around operators and after commas - minmax.h: update some comments - minmax.h: reduce the #define expansion of min(), max() and clamp() - minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() - minmax.h: move all the clamp() definitions after the min/max() ones - minmax.h: simplify the variants of clamp() - minmax.h: remove some #defines that are only expanded once - USB: serial: option: add SIMCom 8230C compositions - wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 - dm-integrity: limit MAX_TAG_SIZE to 255 - perf subcmd: avoid crash in exclude_cmds when excludes is empty - [x86] ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue - btrfs: ref-verify: handle damaged extent root tree - can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled - hid: fix I2C read buffer overflow in raw_event() for mcp2221 - driver core/PM: Set power.no_callbacks along with power.no_pm - crypto: rng - Ensure set_ent is always present - net/9p: fix double req put in p9_fd_cancelled - filelock: add FL_RECLAIM to show_fl_flags() macro - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast - [arm64] coresight: trbe: Prevent overflow in PERF_IDX2OFF() - [arm64] perf: arm_spe: Prevent overflow in PERF_IDX2OFF() - smb: server: fix IRD/ORD negotiation with the client - [x86] vdso: Fix output operand size of RDPID - regmap: Remove superfluous check for !config in __regmap_init() - bpf: Remove migrate_disable in kprobe_multi_link_prog_run - 
libbpf: Fix reuse of DEVMAP - ACPI: processor: idle: Fix memory leak when register cpuidle device failed - [arm64] soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS - [arm64] pinctrl: meson-gxl: add missing i2c_d pinmux - blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx - block: use int to store blk_stack_limits() return value - PM: sleep: core: Clear power.must_resume in noirq suspend error path - [arm64] power: supply: cw2015: Fix a alignment coding style issue - [arm64] pinctrl: renesas: Use int type to store negative error codes - null_blk: Fix the description of the cache_size module argument - nbd: restrict sockets to TCP and UDP - [armhf] pwm: tiehrpwm: Fix corner case in clock divisor calculation - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op - i3c: master: svc: Use manual response for IBI events - i3c: master: svc: Recycle unused IBI slot - bpf: Explicitly check accesses to bpf_sock_addr - smp: Fix up and expand the smp_call_function_many() kerneldoc - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host headers - i2c: designware: Add disabling clocks when probe fails - bpf: Enforce expected_attach_type for tailcall compatibility - drm/radeon/r600_cs: clean up of dead code in r600_cs - drm/amd/display: Remove redundant semicolons - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod - scsi: myrs: Fix dma_alloc_coherent() error check - ALSA: lx_core: use int type to store negative error codes - media: st-delta: avoid excessive stack usage - drm/amdgpu: Power up UVD 3 for FW validation (v2) - drm/amd/pm: Disable ULV even if unsupported (v3) - drm/amd/pm: Fix si_up
--- mirror/ftp/pool/main/l/linux-signed-amd64/linux-signed-amd64_6.1.153+1.dsc +++ apt/ucs_5.2-0-errata5.2-3/source/linux-signed-amd64_6.1.158+1.dsc 
@@ -1,6 +1,560 @@ -6.1.153+1 [Sat, 20 Sep 2025 20:53:10 +0200] Salvatore Bonaccorso <carnil@debian.org>: +6.1.158+1 [Sun, 09 Nov 2025 21:02:07 +0100] Salvatore Bonaccorso <carnil@debian.org>: - * Sign kernel from linux 6.1.153-1 + * Sign kernel from linux 6.1.158-1 + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.154 + - ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not + supported + - wifi: mac80211: increase scan_ies_len for S1G + - wifi: mac80211: fix incorrect type for ret + - cgroup: split cgroup_destroy_wq into 3 workqueues + - btrfs: fix invalid extref key setup when replaying dentry + - qed: Don't collect too many protection override GRC elements + - mptcp: set remote_deny_join_id0 on SYN recv + - net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure + - i40e: remove redundant memory barrier when cleaning Tx descs + - bonding: don't set oif to bond dev when getting NS target destination + - tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). 
+ - tls: make sure to abort the stream if headers are bogus + - Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" + - net: liquidio: fix overflow in octeon_init_instr_queue() + - cnic: Fix use-after-free bugs in cnic_delete_task + - ksmbd: smbdirect: validate data_offset and data_length field of + smb_direct_data_transfer + - ksmbd: smbdirect: verify remaining_data_length respects + max_fragmented_recv_size + - nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* + - power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery + - power: supply: bq27xxx: restrict no-battery detection to bq27000 + - [x86] iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() + - btrfs: tree-checker: fix the incorrect inode ref size check + - mmc: mvsdio: Fix dma_unmap_sg() nents value + - [x86] KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is + active + - rds: ib: Increment i_fastreg_wrs before bailing out + - ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx + - io_uring: backport io_should_terminate_tw() + - io_uring: include dying ring in task_work "should cancel" state + - [x86] ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error + message + - [arm64] drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path + - crypto: af_alg: Indent the loop in af_alg_sendmsg() + - crypto: af_alg - Set merge to zero early in af_alg_sendmsg + - smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path + - mptcp: pm: nl: announce deny-join-id0 flag + - phy: Use device_get_match_data() + - [armhf] phy: ti: omap-usb2: fix device leak at unbind + - xhci: dbc: decouple endpoint allocation from initialization + - xhci: dbc: Fix full DbC transfer ring after several reconnects + - mptcp: propagate shutdown to subflows when possible + - net: rfkill: gpio: add DT support + - net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer + - crypto: af_alg: Convert af_alg_sendpage() to 
use MSG_SPLICE_PAGES + - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.155 + - ALSA: usb-audio: Fix block comments in mixer_quirks + - ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks + - ALSA: usb-audio: Avoid multiple assignments in mixer_quirks + - ALSA: usb-audio: Simplify NULL comparison in mixer_quirks + - ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks + - ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 + - ALSA: usb-audio: Convert comma to semicolon + - ALSA: usb-audio: Fix build with CONFIG_INPUT=n + - usb: core: Add 0x prefix to quirks debug output + - ALSA: usb-audio: Add DSD support for Comtrue USB Audio device + - ALSA: usb-audio: move mixer_quirks' min_mute into common quirk + - ALSA: usb-audio: Add mute TLV for playback volumes on more devices + - IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions + - mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" + - mm: add folio_expected_ref_count() for reference count calculation + - mm/gup: check ref_count instead of lru before migration + - mm/gup: local lru_add_drain() to avoid lru_add_drain_all() + - mm: folio_may_be_lru_cached() unless folio_test_large() + - cpufreq: Initialize cpufreq-based invariance before subsys + - smb: server: don't use delayed_work for post_recv_credits_work + - bpf: Reject bpf_timer for PREEMPT_RT + - can: hi311x: populate ndo_change_mtu() to prevent buffer overflow + - [armhf] can: sun4i_can: populate ndo_change_mtu() to prevent buffer + overflow + - can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow + - can: peak_usb: fix shift-out-of-bounds issue + - Bluetooth: hci_sync: Fix hci_resume_advertising_sync + - Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync + - bnxt_en: correct offset handling for IPv6 destination address + - nexthop: Forbid FDB status change while nexthop is in a group + - [x86] drm/gma500: Fix null 
dereference in hdmi teardown + - futex: Prevent use-after-free during requeue-PI + - i40e: fix idx validation in i40e_validate_queue_map + - i40e: fix input validation logic for action_meta + - i40e: add max boundary check for VF filters + - i40e: add mask to apply valid bits for itr_idx + - i40e: improve VF MAC filters accounting + - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx + - tracing: dynevent: Add a missing lockdown check on dynevent + - afs: Fix potential null pointer dereference in afs_put_server + - mm/hugetlb: fix folio is still mapped when deleted + - fbcon: fix integer overflow in fbcon_do_set_font + - fbcon: Fix OOB access in font allocation + - [s390x] cpum_cf: Fix uninitialized warning after backport of ce971233242b + - mm: migrate_device: use more folio in migrate_device_finalize() + - mm/migrate_device: don't add folio to be freed to LRU in + migrate_device_finalize() (CVE-2025-21861) + - minmax: add in_range() macro + - minmax: Introduce {min,max}_array() + - minmax: deduplicate __unconst_integer_typeof() + - minmax: fix indentation of __cmp_once() and __clamp_once() + - minmax: avoid overly complicated constant expressions in VM code + - drm/ast: Use msleep instead of mdelay for edid read + - i40e: fix validation of VF state in get resources + - i40e: fix idx validation in config queues msg + - i40e: increase max descriptors for XL710 + - i40e: add validation for ring_len param + - minmax: make generic MIN() and MAX() macros available everywhere + - minmax: add a few more MIN_T/MAX_T users + - minmax: simplify and clarify min_t()/max_t() implementation + - [x86] drm/i915/backlight: Return immediately when scale() finds invalid + parameters + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.156 + - crypto: sha256 - fix crash at kexec + - scsi: target: target_core_configfs: Add length check to avoid buffer + overflow (CVE-2025-39998) + - media: b2c2: Fix use-after-free causing by irq_check_work in + flexcop_pci_remove 
(CVE-2025-39996) + - media: rc: fix races with imon_disconnect() (CVE-2025-39993) + - [arm64] KVM: arm64: Fix softirq masking in FPSIMD register saving sequence + - media: tunner: xc5000: Refactor firmware load + - media: tuner: xc5000: Fix use-after-free in xc5000_release + (CVE-2025-39994) + - media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in + probe (CVE-2025-39995) + - minmax: don't use max() in situations that want a C constant expression + - minmax: simplify min()/max()/clamp() implementation + - minmax: improve macro expansion and type checking + - minmax: fix up min3() and max3() too + - minmax.h: add whitespace around operators and after commas + - minmax.h: update some comments + - minmax.h: reduce the #define expansion of min(), max() and clamp() + - minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() + - minmax.h: move all the clamp() definitions after the min/max() ones + - minmax.h: simplify the variants of clamp() + - minmax.h: remove some #defines that are only expanded once + - USB: serial: option: add SIMCom 8230C compositions + - wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 + - dm-integrity: limit MAX_TAG_SIZE to 255 + - perf subcmd: avoid crash in exclude_cmds when excludes is empty + - [x86] ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue + - btrfs: ref-verify: handle damaged extent root tree + - can: hi311x: fix null pointer dereference when resuming from sleep before + interface was enabled + - hid: fix I2C read buffer overflow in raw_event() for mcp2221 + - driver core/PM: Set power.no_callbacks along with power.no_pm + - crypto: rng - Ensure set_ent is always present + - net/9p: fix double req put in p9_fd_cancelled + - filelock: add FL_RECLAIM to show_fl_flags() macro + - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD + - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too fast + - [arm64] coresight: trbe: Prevent overflow in PERF_IDX2OFF() + - 
[arm64] perf: arm_spe: Prevent overflow in PERF_IDX2OFF() + - smb: server: fix IRD/ORD negotiation with the client + - [x86] vdso: Fix output operand size of RDPID + - regmap: Remove superfluous check for !config in __regmap_init() + - bpf: Remove migrate_disable in kprobe_multi_link_prog_run + - libbpf: Fix reuse of DEVMAP + - ACPI: processor: idle: Fix memory leak when register cpuidle device failed + - [arm64] soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS + - [arm64] pinctrl: meson-gxl: add missing i2c_d pinmux + - blk-mq: check kobject state_in_sysfs before deleting in + blk_mq_unregister_hctx + - block: use int to store blk_stack_limits() return value + - PM: sleep: core: Clear power.must_resume in noirq suspend error path + - [arm64] power: supply: cw2015: Fix a alignment coding style issue + - [arm64] pinctrl: renesas: Use int type to store negative error codes + - null_blk: Fix the description of the cache_size module argument + - nbd: restrict sockets to TCP and UDP + - [armhf] pwm: tiehrpwm: Fix corner case in clock divisor calculation + - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op + - i3c: master: svc: Use manual response for IBI events + - i3c: master: svc: Recycle unused IBI slot + - bpf: Explicitly check accesses to bpf_sock_addr + - smp: Fix up and expand the smp_call_function_many() kerneldoc + - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host + headers + - i2c: designware: Add disabling clocks when probe fails + - bpf: Enforce expected_attach_type for tailcall compatibility + - drm/radeon/r600_cs: clean up of dead code in r600_cs + - drm/amd/display: Remove redundant semicolons + - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod + - scsi: myrs: Fix dma_alloc_coherent() error check + - ALSA: lx_core: use int type to store negative error codes + - media: st-delta: avoid excessive stack usage + - drm/amdgpu: Power up UVD 3 for FW validation (v2) + - drm/amd/pm: Disable ULV even if 
unsupported (v3) + - drm/amd/pm: Fix si_upload_smc_data (v3) + - drm/amd/pm: Adjust si_upload_smc_data register programming (v3) + - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3) + - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2) + - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3) + - wifi: mwifiex: send world regulatory domain to driver + - [arm64,armhf] PCI: tegra: Fix devm_kcalloc() argument order for port->phys + allocation + - tcp: fix __tcp_close() to only send RST when required + - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() + - [armhf] usb: phy: twl6030: Fix incorrect type for ret + - usb: gadget: configfs: Correctly set use_os_string at bind + - misc: genwqe: Fix incorrect cmd field being reported in error + - pps: fix warning in pps_register_cdev when register device fail + - [x86] ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping + - [x86] ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping + - [x86] ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping + - [arm64] drm/msm/dpu: fix incorrect type for ret + - iio: consumers: Fix offset handling in iio_convert_raw_to_processed() + - netfilter: ipset: Remove unused htable_bits in macro ahash_region + - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the + watchdog + - drivers/base/node: handle error properly in register_one_node() + - RDMA/cm: Rate limit destroy CM ID timeout error message + - wifi: mt76: fix potential memory leak in mt76_wmac_probe() + - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message + - scsi: qla2xxx: edif: Fix incorrect sign of error code + - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() + - f2fs: fix zero-sized extent for precache extents + - Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems + Running" + - RDMA/core: Resolve MAC of next-hop device without ARP support + - IB/sa: Fix sa_local_svc_timeout_ms read 
race + - Documentation: trace: historgram-design: Separate sched_waking histogram + section heading and the following diagram + - wifi: ath10k: avoid unnecessary wait for service ready message + - wifi: mac80211: fix Rx packet handling when pubsta information is not + available + - wifi: rtw89: avoid circular locking dependency in ser_state_run() + - [arm64] coresight-etm4x: Conditionally access register TRCEXTINSELR + - [arm64] coresight: trbe: Return NULL pointer for allocation failures + - NFSv4.1: fix backchannel max_resp_sz verification check + - ipvs: Defer ip_vs_ftp unregister during netns cleanup + - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() + - usb: vhci-hcd: Prevent suspending virtually attached devices + - RDMA/siw: Always report immediate post SQ errors + - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast + - Bluetooth: MGMT: Fix not exposing debug UUID on + MGMT_OP_READ_EXP_FEATURES_INFO + - Bluetooth: ISO: Fix possible UAF on iso_conn_free + - Bluetooth: ISO: don't leak skb in ISO_CONT RX + - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements + - ocfs2: fix double free in user_cluster_connect() + - drivers/base/node: fix double free in register_one_node() + - nfp: fix RSS hash key size when RSS is not supported + - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not + configurable + - net: dlink: handle copy_thresh allocation failure + - net/mlx5: Stop polling for command response if interface goes down + - net/mlx5: pagealloc: Fix reclaim race during command interface teardown + - net/mlx5: fw reset, add reset timeout work + - Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" + - Squashfs: fix uninit-value in squashfs_get_parent + - uio_hv_generic: Let userspace take care of interrupt mask + - fs: udf: fix OOB read in lengthAllocDescs handling + - net: nfc: nci: Add parameter validation for packet data + - [arm64,armhf] mfd: vexpress-sysreg: Check the 
return value of + devm_gpiochip_add_data() + - dm: fix queue start/stop imbalance under suspend/load/resume races + - dm: fix NULL pointer dereference in __dm_suspend() + - ksmbd: fix error code overwriting in smb2_get_info_filesystem() + - ext4: fix checks for orphan inodes + - mm: hugetlb: avoid soft lockup when mprotect to large memory area + - Input: atmel_mxt_ts - allow reset GPIO to sleep + - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak + - pinctrl: check the return value of pinmux_ops::get_function_name() + - [arm64] bus: fsl-mc: Check return value of platform_get_resource() + - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock + - [x86] usb: typec: tipd: Clear interrupts first + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.157 + - fs: always return zero on success from replace_fd() + - fscontext: do not consume log entries when returning -EMSGSIZE + - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE + - media: v4l2-subdev: Fix alloc failure check in + v4l2_subdev_call_state_try() + - perf evsel: Avoid container_of on a NULL leader + - libperf event: Ensure tracing data is multiple of 8 sized + - perf util: Fix compression checks returning -1 as bool + - [mips*] rtc: x1205: Fix Xicor X1205 vendor prefix + - perf session: Fix handling when buffer exceeds 2 GiB + - scsi: libsas: Add sas_task_find_rq() + - scsi: mvsas: Delete mvs_tag_init() + - scsi: mvsas: Use sas_task_find_rq() for tagging + - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue (CVE-2025-40001) + - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter() + - drm/vmwgfx: Fix Use-after-free in validation + - drm/vmwgfx: Fix copy-paste typo in validation + - net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() + - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). 
+ - [arm64] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() + call + - [arm64] mailbox: zynqmp-ipi: Remove dev.parent check in + zynqmp_ipi_free_mboxes + - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} + - drm/amdgpu: Add additional DCE6 SCL registers + - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs + - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6 + - drm/amd/display: Properly disable scaling on DCE6 + - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu() + - crypto: essiv - Check ssize for decryption and in-place encryption + - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single + - bpf: Avoid RCU context warning when unpinning htab with internal structs + - ACPI: property: Fix buffer properties extraction for subnodes + - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT + - ACPI: debug: fix signedness issues in read/write helpers + - [armhf] OMAP2+: pm33xx-core: ix device node reference leaks in + amx3_idle_init + - cpuidle: governors: menu: Avoid using invalid recent intervals data + - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-required + - xen/events: Cleanup find_virq() return codes + - xen/manage: Fix suspend error path + - [arm64] firmware: meson_sm: fix device leak at probe + - drm/nouveau: fix bad ret code in nouveau_bo_move_prep + - blk-crypto: fix missing blktrace bio split events + - btrfs: avoid potential out-of-bounds in btrfs_encode_fh() + - bus: mhi: host: Do not use uninitialized 'dev' pointer in + mhi_init_irq_setup() + - copy_sighand: Handle architectures where sizeof(unsigned long) < + sizeof(u64) + - [x86] cpufreq: intel_pstate: Fix object lifecycle issue in + update_qos_request() + - init: handle bootloader identifier in kernel parameters + - [x86] iommu/vt-d: PRS isn't usable if PDS isn't supported + - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in + sys_prlimit64() paths + - KEYS: trusted_tpm1: Compare HMAC 
values in constant time + - lib/genalloc: fix device leak in of_gen_pool_get() + - openat2: don't trigger automounts with RESOLVE_NO_XDEV + - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk + - [powerpc*] powernv/pci: Fix underflow and leak issue + - [powerpc*] pseries/msi: Fix potential underflow and leak issue + - pwm: berlin: Fix wrong register in suspend/resume + - sched/deadline: Fix race in push_dl_task() + - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() + - sctp: Fix MAC comparison to be constant-time + - mmc: core: SPI mode remove cmd7 + - [armhf] memory: samsung: exynos-srom: Fix of_iomap leak in + exynos_srom_probe + - [arm64,armhf] PCI: tegra: Convert struct tegra_msi mask_lock into raw + spinlock + - PCI/sysfs: Ensure devices are powered for config reads + - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV + - PCI/ERR: Fix uevent on failure to recover + - PCI/AER: Fix missing uevent on recovery when a reset is requested + - PCI/AER: Support errors introduced by PCIe r6.0 + - spi: cadence-quadspi: Flush posted register writes before INDAC access + - spi: cadence-quadspi: Flush posted register writes before DAC access + - [x86] umip: Check that the instruction opcode is at least two bytes + - [x86] umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT + aliases) + - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again + - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations + - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when + max_huge_pages=0 + - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul() + - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry + - ext4: verify orphan file size is not too big + - ext4: increase i_disksize to offset + len in + ext4_update_disksize_before_punch() + - ext4: correctly handle queries for metadata mappings + - ext4: guard against EA inode refcount underflow in xattr update + - ACPICA: Allow to skip Global Lock 
initialization + - ext4: free orphan info with kvfree + - [x86] KVM: x86: Don't (re)check L1 intercepts when completing userspace + I/O + - Squashfs: add additional inode sanity checking + - Squashfs: reject negative file sizes in squashfs_read_inode() + - tracing: Fix race condition in kprobe initialization causing NULL pointer + dereference + - ksmbd: add max ip connections parameter + - [x86] mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register + value + - [x86] mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for + cache_type + - [x86] mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag + - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range() + - rseq: Protect event mask against membarrier IPI + - ipmi: Rework user message limit handling + - ipmi: Fix handling of messages with provided receive message pointer + - ACPI: property: Disregard references in data-only subnode lists + - ACPI: property: Add code comments explaining what is going on + - ACPI: property: Do not pass NULL handles to acpi_attach_data() + - asm-generic/io: Add _RET_IP_ to MMIO trace for more accurate debug info + - asm-generic/io.h: suppress endianness warnings for relaxed accessors + - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled + - mptcp: pm: in-kernel: usable client side with C-flag + - minixfs: Verify inode mode when loading from disk + - pid: Add a judgment for ns null in pid_nr_ns + - fs: Add 'initramfs_options' to set initramfs mount options + - cramfs: Verify inode mode when loading from disk + - writeback: Avoid softlockup when switching many inodes + - writeback: Avoid excessively long inode switching times + - xen/events: Update virq_to_irq on migration + https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.158 + - smb: client: Fix refcount leak for cifs_sb_tlink (CVE-2025-40103) + - r8152: add error handling in rtl8152_driver_init + - jbd2: ensure that all ongoing I/O complete before freeing 
blocks + - ext4: wait for ongoing I/O to complete before freeing blocks + - ext4: detect invalid INLINE_DATA + EXTENTS flag combination + - btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already + running + - btrfs: do not assert we found block group item when creating free space + tree (CVE-2025-40100) + - cifs: parse_dfs_referrals: prevent oob on malformed input (CVE-2025-40099) + - drm/amdgpu: use atomic functions with memory barriers for vm fault info + - drm/amd: Check whether secure display TA loaded successfully + - [arm64,armhf] crypto: rockchip - Fix dma_unmap_sg() nents value + - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay + - usb: gadget: Store endpoint pointer in usb_request + - usb: gadget: Introduce free_usb_request helper + - usb: gadget: f_rndis: Refactor bind path to use __free() (CVE-2025-40095) + - usb: gadget: f_ecm: Refactor bind path to use __free() (CVE-2025-40093) + - usb: gadget: f_acm: Refactor bind path to use __free() (CVE-2025-40094) + - usb: gadget: f_ncm: Refactor bind path to use __free() (CVE-2025-40092) + - Documentation: Remove bogus claim about del_timer_sync() + - [arm64,armhf] clocksource/drivers/arm_arch_timer: Do not use timer + namespace for timer_shutdown() function + - [arm64,armhf] clocksource/drivers/sp804: Do not use timer namespace for + timer_shutdown() function + - timers: Replace BUG_ON()s + - Documentation: Replace del_timer/del_timer_sync() + - timers: Silently ignore timers with a NULL function + - timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode + - timers: Add shutdown mechanism to the internal functions + - timers: Provide timer_shutdown[_sync]() + - timers: Update the documentation to reflect on the new timer_shutdown() + API + - Bluetooth: hci_qca: Fix the teardown problem for real + - HID: multitouch: fix sticky fingers + - dax: skip read lock assertion for read-only filesystems + - [arm64] can: m_can: m_can_plat_remove(): add missing 
pm_runtime_disable() + - net: dlink: handle dma_map_single() failure properly + - doc: fix seg6_flowlabel path + - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H + - net/ip6_tunnel: Prevent perpetual tunnel growth + - [amd64,arm64] amd-xgbe: Avoid spurious link down messages during interface + toggle + - tcp: fix tcp_tso_should_defer() vs large RTT + - tg3: prevent use of uninitialized remote_adv and local_adv variables + - net: tls: wait for async completion on last message + - tls: wait for async encrypt in case of error during latter iterations of + sendmsg + - tls: always set record_type in tls_process_cmsg + - tls: wait for pending async decryptions if tls_strp_msg_hold fails + - tls: don't rely on tx_work during send() + - net: usb: lan78xx: Add error handling to lan78xx_init_mac_address + - net: usb: lan78xx: fix use of improperly initialized dev->chipid in + lan78xx_reset + - [x86] ASoC: nau8821: Cancel jdet_work before handling jack ejection + - [x86] ASoC: nau8821: Generalize helper to clear IRQ status + - [x86] ASoC: nau8821: Add DMI quirk to bypass jack debounce circuit + - drm/amd/powerplay: Fix CIK shutdown temperature + - [arm64] drm/rockchip: vop2: use correct destination rectangle height check + - sched/balancing: Rename newidle_balance() => sched_balance_newidle() + - sched/fair: Fix pelt lost idle time detection + - ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings + - ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card + (CVE-2025-40085) + - HID: hid-input: only ignore 0 battery events for digitizers + - HID: multitouch: fix name of Stylus input devices + - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() + (CVE-2025-40088) + - PCI/sysfs: Ensure devices are powered for config reads (part 2) + - exec: Fix incorrect type for ret + - hfs: clear offset and space out of valid records in b-tree node + - hfs: make proper initalization of struct hfs_find_data + - hfsplus: fix KMSAN uninit-value 
issue in __hfsplus_ext_cache_extent() + - hfs: validate record offset in hfsplus_bmap_alloc + - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() + - dlm: check for defined force value in dlm_lockspace_release + - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() + - hfsplus: return EIO when type of hidden directory mismatch in + hfsplus_fill_super() + - smb: server: let smb_direct_flush_send_list() invalidate a remote key + first + - net/mlx5e: Return 1 instead of 0 in invalid case in + mlx5e_mpwrq_umr_entry_size() + - rtnetlink: Allow deleting FDB entries in user namespace + - [arm64] dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path + - [arm64] mm: avoid always making PTE dirty in pte_mkwrite() + - sctp: avoid NULL dereference when chunk data buffer is missing + - net: bonding: fix possible peer notify event loss or dup issue + - Revert "cpuidle: menu: Avoid discarding useful information" + - ACPICA: Work around bogus -Wstringop-overread warning since GCC 11 + - can: netlink: can_changelink(): allow disabling of automatic restart + - [mips64el,mipsel] Malta: Fix keyboard resource preventing i8042 driver + from registering + - ocfs2: clear extent cache after moving/defragmenting extents + - vsock: fix lock inversion in vsock_assign_transport() + - [arm64,armhf] net: stmmac: dwmac-rk: Fix disabling set_clock_selection + - net: usb: rtl8150: Fix frame padding + - io_uring: correct __must_hold annotation in io_install_fixed_file + - USB: serial: option: add UNISOC UIS7720 + - USB: serial: option: add Quectel RG255C + - USB: serial: option: add Telit FN920C04 ECM compositions + - usb/core/quirks: Add Huawei ME906S to wakeup quirk + - usb: raw-gadget: do not limit transfer length + - xhci: dbc: enable back DbC in resume if it was enabled before suspend + - [arm*] binder: remove "invalid inc weak" check + - [x86] comedi: fix divide-by-zero in comedi_buf_munge() (CVE-2025-40106) + - [x86] mei: me: add wildcat lake P DID + - serial: 
8250_dw: handle reset control deassert error + - serial: 8250_exar: add support for Advantech 2 port card with Device ID + 0x0018 + - xfs: rename the old_crc variable in xlog_recover_process + - xfs: fix log CRC mismatches between i386 and other architectures + - PM: runtime: Add new devm functions + - iio: imu: inv_icm42600: Simplify pm_runtime setup + - iio: imu: inv_icm42600: use = { } instead of memset() + - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended + - padata: Reset next CPU when reorder sequence wraps around + - fuse: allocate ff->release_args only if release is needed + - fuse: fix livelock in synchronous file put from fuseblk workers + - [arm64] mte: Do not flag the zero page as PG_mte_tagged + - [arm64] PCI: j721e: Enable ACSPCIE Refclk if + "ti,syscon-acspcie-proxy-ctrl" exists + - [arm64] PCI: j721e: Fix programming sequence of "strap" settings + - NFSD: Rework encoding and decoding of nfsd4_deviceid + - NFSD: Minor cleanup in layoutcommit processing + - NFSD: Fix last write offset handling in layoutcommit + - vfs: Don't leak disconnected dentries on umount (CVE-2025-40105) + - NFSD: Define a proc_layoutcommit for the FlexFiles layout type + (CVE-2025-40087) + - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() + - drm/sched: Fix potential double free in + drm_sched_job_add_resv_dependencies (CVE-2025-40096) + - f2fs: add a f2fs_get_block_locked helper + - f2fs: remove the create argument to f2fs_map_blocks + - f2fs: factor a f2fs_map_blocks_cached helper + - f2fs: fix wrong block mapping for multi-devices + - PCI: Add PCI_VDEVICE_SUB helper macro + - ixgbevf: Add support for Intel(R) E610 device + - ixgbevf: fix getting link speed data for E610 devices + - ixgbevf: fix mailbox API compatibility by negotiating supported features + (CVE-2025-40104) + - arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() + - xfs: always warn about deprecated mount options + - devcoredump: Fix 
circular locking dependency with devcd->mutex. + - [x86] resctrl: Fix miscount of bandwidth event when reactivating + previously unavailable RMID + - ksmbd: browse interfaces list on FSCTL_QUERY_INTERFACE_INFO IOCTL + - [s390x] cio: Update purge function to unregister the unused subchannels + - [arm64] cputype: Add Neoverse-V3AE definitions + - [arm64] errata: Apply workarounds for Neoverse-V3AE + - ksmbd: transport_ipc: validate payload size before reading handle + (CVE-2025-40084) + + [ Ben Hutchings ] + * d/b/genorig.py, d/rules, d/salsa-ci.yml: Put orig tarballs directly in .. + * d/salsa-ci.yml: Adjust filenames to allow source package name suffix + * d/salsa-ci.yml: Fix cache configuration for build job + * d/salsa-ci.yml: Move orig tarball generation to a separate job again + * d/salsa-ci.yml: Restore lintian checking of source package + +6.1.153-1 [Sat, 20 Sep 2025 20:53:10 +0200] Salvatore Bonaccorso <carnil@debian.org>: * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.149 <http://piuparts.knut.univention.de/5.2-3/#6966446318351016569>
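Review bot: at the end of the hunk, the removed header `6.1.153+1 [Sat, 20 Sep 2025 20:53:10 +0200]` is not carried over. The new text adds `6.1.153-1` with the same timestamp in its place, so the unchanged "New upstream stable update: ... ChangeLog-6.1.149" context is now attributed to the source package version, and the removed "Sign kernel from linux 6.1.153-1" entry no longer appears anywhere in the history. If merging the linux-signed-amd64 and linux changelogs is intended, the erratum description should say so. Otherwise keep the 6.1.153+1 entry so the signed-package history stays traceable from 6.1.153+1 to 6.1.158+1.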
*** This bug has been marked as a duplicate of bug 58811 ***