-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 29 Sep 2025 13:28:35 +0200 Source: linux Architecture: source Version: 5.10.244-1 Distribution: bullseye-security Urgency: high Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Ben Hutchings <benh@debian.org> Closes: 1040901 1109891 Changes: linux (5.10.244-1) bullseye-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.238 - ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset - drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() (CVE-2025-37930) - amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload - wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() (CVE-2025-37990) - dm-integrity: fix a warning on invalid table line - dm: always update the array size in realloc_argv on success - [amd64] iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (CVE-2025-37927) - [x86] iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) - tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923) - net/sched: act_mirred: don't override retval if we already lost the skb (CVE-2024-26739) - net/mlx5: E-Switch, Initialize MAC Address for Default GID - net/mlx5: Remove return statement exist at the end of void function - net/mlx5: E-switch, Fix error handling for enabling roce - net_sched: drr: Fix double list add in class with netem as child qdisc (CVE-2025-37915) - net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (CVE-2025-37890) - net_sched: ets: Fix double list add in class with netem as child qdisc (CVE-2025-37914) - net_sched: qfq: Fix double list add in class with netem as child qdisc (CVE-2025-37913) - net: ipv6: fix UDPv6 GSO segmentation with NAT - bnxt_en: Fix ethtool -d byte order for 32-bit values - nvme-tcp: fix premature queue removal and I/O failover - net: lan743x: Fix memleak issue when GSO enabled 
(CVE-2025-37909) - [arm*] net: fec: ERR007885 Workaround for conventional TX - [armhf] PCI: imx6: Skip controller_id generation logic for i.MX7D - of: module: add buffer overflow check in of_modalias() (CVE-2024-38541) - [arm64] Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" (regression in 5.10.219) - [arm*] irqchip/gic-v2m: Add const to of_device_id - [arm*] irqchip/gic-v2m: Mark a few functions __init - [arm*] irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (CVE-2025-37819) - [arm*] usb: chipidea: ci_hdrc_imx: use dev_err_probe() - [arm*] usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling - dm: fix copying after src array boundaries - scsi: target: Fix WRITE_SAME No Data Buffer crash (CVE-2022-21546) - openvswitch: Fix unsafe attribute parsing in output_userspace() (CVE-2025-37998) - can: gw: use call_rcu() instead of costly synchronize_rcu() - rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep() - can: gw: fix RCU/BH usage in cgw_create_job() - netfilter: ipset: fix region locking in hash types (CVE-2025-37997) - [armhf] net: dsa: b53: allow leaky reserved multicast - [armhf] net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave - [armhf] net: dsa: b53: fix learning on VLAN unaware bridges - [x86] Input: synaptics - enable InterTouch on Dynabook Portege X30-D - [x86] Input: synaptics - enable InterTouch on Dynabook Portege X30L-G - [x86] Input: synaptics - enable InterTouch on Dell Precision M3800 - [x86] Input: synaptics - enable SMBus for HP Elitebook 850 G1 - [x86] Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 - iio: adc: ad7606: fix serial register access - iio: adis16201: Correct inclinometer channel resolution - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo (CVE-2025-37970) - iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo (CVE-2025-37969) - [armhf] usb: uhci-platform: Make the clock really optional - xenbus: Use 
kref to track req lifetime (CVE-2025-37949) - module: ensure that kobject_put() is safe for module type kobjects (CVE-2025-37995) - ocfs2: switch osb->disable_recovery to enum - ocfs2: implement handshaking with ocfs2 recovery thread - ocfs2: stop quota recovery before disabling quotas - [arm*] usb: host: tegra: Prevent host controller crash when OTG port is used - usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition - usb: typec: ucsi: displayport: Fix NULL pointer access (CVE-2025-37994) - USB: usbtmc: use interruptible sleep in usbtmc_read - usb: usbtmc: Fix erroneous get_stb ioctl error returns - usb: usbtmc: Fix erroneous wait_srq ioctl return - usb: usbtmc: Fix erroneous generic_read ioctl return - types: Complement the aligned types with signed 64-bit one - [arm*] drm/panel: simple: Update timings for AUO G101EVN010 - nvme: unblock ctrl state transition for firmware update - do_umount(): add missing barrier before refcount checks in sync case - [x86] platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection - iio: adc: ad7768-1: Fix insufficient alignment of timestamp. - RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (CVE-2025-38024) - nfs: handle failure of nfs_get_lock_context in unlock path (CVE-2025-38023) - net_sched: Flush gso_skb list too during ->change() (CVE-2025-37992) - [arm64] net: cadence: macb: Fix a possible deadlock in macb_halt_tx. 
(CVE-2025-38094) - qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() - NFSv4/pnfs: Reset the layout state after a layoutreturn - [arm64] ACPI: PPTT: Fix processor subtable walk - [x86] ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() - [arm*] phy: Fix error handling in tegra_xusb_port_init - wifi: mt76: disable napi on driver removal (CVE-2025-38009) - [arm64] dmaengine: ti: k3-udma: Add missing locking (CVE-2025-38005) - [x86] clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() - [arm*] ASoC: q6afe-clocks: fix reprobing of the driver (CVE-2021-47037) - [x86] drm/vmwgfx: Fix a deadlock in dma buf fence polling (CVE-2024-43863) - usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group (CVE-2024-35790) - usb: typec: fix potential array underflow in ucsi_ccg_sync_control() (CVE-2024-53203) - usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control() - btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() (CVE-2024-46751) - netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx - netfilter: nf_tables: wait for rcu grace period on net_device removal - netfilter: nf_tables: do not defer rule destruction via call_rcu - ice: arfs: fix use-after-free when freeing @rx_cpu_rmap (CVE-2022-49063) - scsi: target: iscsi: Fix timeout on deleted connection (CVE-2025-38075) - dma-mapping: avoid potential unused data compilation warning - cgroup: Fix compilation issue due to cgroup_mutex not being exported - NFSv4: Check for delegation validity in nfs_start_delegation_return_locked() - mailbox: use error ret code of of_parse_phandle_with_args() - fbcon: Use correct erase colour for clearing in fbcon - fbdev: core: tileblit: Implement missing margin clearing for tileblit - NFSv4: Treat ENETUNREACH errors as fatal for state recovery - SUNRPC: rpc_clnt_set_transport() must not change the autobind setting - SUNRPC: rpcbind should never reset the port to 
the value '0' - [arm64] thermal/drivers/qoriq: Power down TMU on system suspend - dql: Fix dql->limit value when reset. - pNFS/flexfiles: Report ENETDOWN as a connection error - libnvdimm/labels: Fix divide error in nd_label_data_init() (CVE-2025-38072) - [x86] mmc: host: Wait for Vdd to settle on card power off - [arm64] i2c: qup: Vote for interconnect bandwidth to DRAM - i2c: pxa: fix call balance of i2c->clk handling routines - btrfs: avoid linker error in btrfs_find_create_tree_block() - btrfs: send: return -ENAMETOOLONG when attempting a path that is too long - ext4: reorder capability check last - scsi: st: Tighten the page format heuristics with MODE SELECT - scsi: st: ERASE does not change tape location - tcp: reorganize tcp_in_ack_event() and tcp_count_delivered() - dm: restrict dm device size to 2^63-512 bytes - [x86] xen: Add support for XenServer 6.1 platform device - posix-timers: Add cond_resched() to posix_timer_add() search loop - netfilter: conntrack: Bound nf_conntrack sysctl writes - [arm64] mm: Check PUD_TYPE_TABLE in pud_bad() - [arm64] tegra: p2597: Fix gpio for vdd-1v8-dis regulator - tcp: bring back NUMA dispersion in inet_ehash_locks_alloc() - [arm*] rtc: ds1307: stop disabling alarms on probe - [armhf] tegra: Switch DSI-B clock parent to PLLD on Tegra114 - dm cache: prevent BUG_ON by blocking retries on failed device resumes (CVE-2025-38066) - orangefs: Do not truncate file size (CVE-2025-38065) - drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c - media: cx231xx: set device_caps for 417 (CVE-2025-38044) - [armhf] net: ethernet: ti: cpsw_new: populate netdev of_node - net: pktgen: fix mpls maximum labels list parsing - ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config(). 
- [arm64] clk: imx8mp: inform CCF of maximum frequency of clocks - [armhf] hwmon: (gpio-fan) Add missing mutex locks - [arm64] PCI: brcmstb: Expand inbound window size up to 64GB - [arm64] PCI: brcmstb: Add a softdep to MIP MSI-X driver - net/mlx5: Avoid report two health errors on same syndrome - [amd64] drm/amdkfd: KFD release_work possible circular locking - [arm64] net: xgene-v2: remove incorrect ACPI_PTR annotation - bonding: report duplicate MAC address in all situations - [x86] nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() - cpuidle: menu: Avoid discarding useful information - libbpf: Fix out-of-bound read - scsi: mpt3sas: Send a diag reset if target reset fails - wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU - wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU - wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31 - net: pktgen: fix access outside of user given buffer in pktgen_thread_write() (CVE-2025-38061) - [x86] EDAC/ie31200: work around false positive build warning - [armhf] can: c_can: Use of_property_present() to test existence of DT property - eth: mlx4: don't try to complete XDP frames in netpoll - PCI: Fix old_size lower bound in calculate_iosize() too - ACPI: HED: Always initialize before evged - net/mlx5: Modify LSB bitmask in temperature event to include only the first bit - net/mlx5: Apply rate-limiting to high temperature warning - ASoC: ops: Enforce platform maximum on initial value - ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot() - pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map - media: v4l: Memset argument to 0 before calling get_mbus_config pad op - net/mlx4_core: Avoid impossible mlx4_db_alloc() order value - phy: core: don't require set_mode() callback for phy_get_mode() to work - drm/amd/display: Initial psr_version with correct setting - net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB - net/mlx5e: set the tx_queue_len for pfifo_fast 
- net/mlx5e: reduce rep rxq depth to 256 for ECPF - ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure(). - wifi: rtw88: Fix download_firmware_validate() for RTL8814AU - [arm64] hwmon: (xgene-hwmon) use appropriate type for the latency value - vxlan: Annotate FDB data races (CVE-2025-38037) - scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine - scsi: st: Restore some drive settings after reset - drm/ast: Find VBIOS mode from regular display size - bpftool: Fix readlink usage in get_fd_type - [x86] perf/amd/ibs: Fix perf_ibs_op.cnt_mask for CurCnt - wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate - drm: Add valid clones check - [arm*] pinctrl: meson: define the pull up/down resistor value as 60 kOhm - [x86] ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 - [x86] ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx - nvmet-tcp: don't restore null sk_state_change (CVE-2025-38035) - btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref (CVE-2025-38034) - xenbus: Allow PVH dom0 a non-local xenstore - __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock (CVE-2025-38058) - xfrm: Sanitize marks before insert - bridge: netfilter: Fix forwarding of fragmented packets - [arm*] net: dwmac-sun8i: Use parsed internal PHY address instead of 1 - sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() (CVE-2025-38000) - net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done (CVE-2025-38052) - crypto: algif_hash - fix double free in hash_accept (CVE-2025-38079) - padata: do not leak refcount in reorder_work (CVE-2025-38031) - can: bcm: add locking for bcm_op runtime updates (CVE-2025-38004) - can: bcm: add missing rcu read protection for procfs content (CVE-2025-38003) - ALSA: pcm: Fix race of buffer access at PCM OSS layer (CVE-2025-38078) - llc: fix data loss when reading from a socket in llc_ui_recvmsg() - drm/edid: fixed the bug that 
hdr metadata was not reset - memcg: always call cond_resched() after fn() - mm/page_alloc.c: avoid infinite retries caused by cpuset race - [arm64] spi: spi-fsl-dspi: restrict register range for regmap access - [arm64] spi: spi-fsl-dspi: Halt the module after a new message transfer - [arm64] spi: spi-fsl-dspi: Reset SR flags before sending a new message - [x86] drm/i915/gvt: fix unterminated-string-initialization warning - smb: client: Fix use-after-free in cifs_fill_dirent (CVE-2025-38051) - smb: client: Reset all search buffer pointers when releasing buffer - net_sched: hfsc: Address reentrant enqueue adding class to eltree twice (CVE-2025-38001) - coredump: fix error handling for replace_fd() - pid: add pidfd_prepare() - fork: use pidfd_prepare() - coredump: hand a pidfd to the usermode coredump helper (dependency for fixing CVE-2025-4598 in systemd) - HID: quirks: Add ADATA XPG alpha wireless mouse support - nfs: don't share pNFS DS connections between net namespaces - [x86] platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS - spi: spi-sun4i: fix early activation - tpm: tis: Double the timeout B to 4s - [x86] platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys - [x86] platform/x86: thinkpad_acpi: Ignore battery threshold change event notification - xen/swiotlb: relax alignment requirements - [arm64] perf/arm-cmn: Initialise cmn->cpu earlier https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.239 - [arm64] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 - [arm64] pinctrl: armada-37xx: set GPIO output value before setting direction - [x86] acpi-cpufreq: Fix nominal_freq units to KHz in get_max_boost_ratio() - usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE - usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device - usb: usbtmc: Fix timeout value in get_stb - [x86] thunderbolt: Do not double dequeue a configuration request (CVE-2025-38174) - netfilter: nft_socket: fix sk refcount leaks 
(CVE-2024-46855) - gfs2: gfs2_create_inode error handling fix - perf/core: Fix broken throttling when max_samples_per_tick=1 - [x86] cpu: Sanitize CPUID(0x80000000) output - [arm*] crypto: marvell/cesa - Handle zero-length skcipher requests (CVE-2025-38173) - [arm*] crypto: marvell/cesa - Avoid empty transfer descriptor - crypto: lrw - Only add ecb if it is not already there - crypto: xts - Only add ecb if it is not already there - [arm64] crypto: sun8i-ce - move fallback ahash_request to the end of the struct - [amd64] EDAC/skx_common: Fix general protection fault (CVE-2025-38298) - [x86] mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() - ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" - [x86] drm/vmwgfx: Add seqno waiter for sync_files - [arm*] firmware: psci: Fix refcount leak in psci_dt_init - [arm*] drm/tegra: rgb: Fix the unbound reference count - [arm64] firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES - wifi: ath11k: fix node corruption in ar->arvifs list (CVE-2025-38293) - f2fs: fix to do sanity check on sbi->total_valid_block_count (CVE-2025-38163) - [armhf] net: ncsi: Fix GCPS 64-bit member variables - wifi: rtw88: do not ignore hardware read error during DPK - f2fs: clean up w/ fscrypt_is_bounce_page() - netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it - RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction (CVE-2025-38161) - [arm*] clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() (CVE-2025-38160) - libbpf: Use proper errno value in nlattr - [armhf] pinctrl: at91: Fix possible out-of-boundary access (CVE-2025-38286) - bpf: Fix WARN() in get_bpf_raw_tp_regs (CVE-2025-38285) - wifi: ath9k_htc: Abort software beacon handling if disabled (CVE-2025-38157) - netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy - vfio/type1: Fix error unwind in migration dirty bitmap allocation - netfilter: nft_tunnel: fix geneve_opt dump - net: 
usb: aqc111: fix error handling of usbnet read calls (CVE-2025-38153) - net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy - calipso: Don't call calipso functions for AF_INET sk. (CVE-2025-38147) - net: openvswitch: Fix the dead loop of MPLS parse (CVE-2025-38146) - net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames - f2fs: use d_inode(dentry) cleanup dentry->d_inode - f2fs: fix to correct check conditions in f2fs_cross_rename - [arm64] dts: imx8mm-beacon: Fix RTC capacitive load - Squashfs: check return result of sb_min_blocksize (CVE-2025-38415) - nilfs2: add pointer check for nilfs_direct_propagate() - nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() - [arm64] bus: fsl-mc: fix double-free on mc_dev (CVE-2025-38313) - [arm64] dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou - [armhf] soc: aspeed: lpc: Fix impossible judgment condition - [armhf] soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() (CVE-2025-38145) - fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() (CVE-2025-38312) - perf ui browser hists: Set actions->thread before calling do_zoom_thread() - backlight: pm8941: Add NULL check in wled_configure() (CVE-2025-38143) - perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3 - perf tests switch-tracking: Fix timestamp comparison - perf record: Fix incorrect --user-regs comments - nfs: clear SB_RDONLY before getting superblock - nfs: ignore SB_RDONLY when remounting nfs - [arm64] dmaengine: ti: Add NULL check in udma_probe() (CVE-2025-38138) - PCI/DPC: Initialize aer_err_info before using it - rtc: Fix offset calculation for .start_secs < 0 - [arm*] usb: renesas_usbhs: Reorder clock handling and power management in probe (CVE-2025-38136) - [armhf] serial: Fix potential null-ptr-deref in mlb_usio_probe() (CVE-2025-38135) - iio: adc: ad7124: Fix 3dB filter frequency reading - vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl() - net: 
stmmac: platform: guarantee uniqueness of bus_id - gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt - net: tipc: fix refcount warning in tipc_aead_encrypt (CVE-2025-38273) - net/mlx4_en: Prevent potential integer overflow calculating Hz - Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION - ice: create new Tx scheduler nodes for new queues only - [x86] vmxnet3: correctly report gso type for UDP tunnels - PM: sleep: Fix power.is_suspended cleanup for direct-complete devices - do_change_type(): refuse to operate on unmounted/not ours mounts (CVE-2025-38498) - pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id() - Input: synaptics-rmi4 - convert to use sysfs_emit() APIs - Input: synaptics-rmi - fix crash with unsupported versions of F34 - ath10k: add atomic protection for device recovery - ath10k: prevent deinitializing NAPI twice - ath10k: snoc: fix unbalanced IRQ enable in crash recovery - scsi: iscsi: Fix incorrect error path labels for flashnode operations - net_sched: sch_sfq: fix a potential crash on gso_skb handling (CVE-2025-38115) - i40e: return false from i40e_reset_vf if reset is in progress - i40e: retry VFLR handling if there is ongoing VF reset - tcp: factorize logic into tcp_epollin_ready() - bpf: Clean up sockmap related Kconfigs - net: Rename ->stream_memory_read to ->sock_is_readable - net: Fix TOCTOU issue in sk_is_readable() (CVE-2025-38112) - macsec: MACsec SCI assignment for ES = 0 - net: mdio: C22 is now optional, EOPNOTSUPP if not provided - net/mdiobus: Fix potential out-of-bounds read/write access (CVE-2025-38111) - net/mlx5: Ensure fw pages are always allocated on same NUMA - net/mlx5: Fix return value when searching for existing flow group - net_sched: prio: fix a race in prio_tune() (CVE-2025-38083) - net_sched: red: fix a race in __red_change() (CVE-2025-38108) - net_sched: tbf: fix a race in tbf_change() - sch_ets: make est_qlen_notify() idempotent - net_sched: ets: fix a race in ets_qdisc_change() 
(CVE-2025-38107) - fs/filesystems: Fix potential unsigned integer underflow in fs_name() - posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() (CVE-2025-38352) - [x86] boot/compressed: prefer cc-option for CFLAGS additions - kbuild: Update assembler calls to use proper flags and language target - kbuild: Add KBUILD_CPPFLAGS to as-option invocation - usb: Flush altsetting 0 endpoints before reinitializating them after reset. - [arm64] xen/arm: call uaccess_ttbr0_enable for dm_op hypercall - [x86] iopl: Cure TIF_IO_BITMAP inconsistencies (CVE-2025-38100) - calipso: unlock rcu before returning -EAFNOSUPPORT - net: usb: aqc111: debug info before sanitation - tcp: tcp_data_ready() must look at SOCK_DONE - configfs: Do not override creating attribute file failure in populate_attrs() - [arm*] crypto: marvell/cesa - Do not chain submitted requests - gfs2: move msleep to sleepable context - net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr() - net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid() - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() (CVE-2025-38348) - nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request (CVE-2025-38430) - nfsd: Initialize ssc before laundromat_work to prevent NULL dereference (CVE-2025-38231) - jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() (CVE-2025-38337) - wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 - media: cxusb: no longer judge rbuf when the write fails (CVE-2025-38229) - media: gspca: Add error handling for stv06xx_read_sensor() - media: v4l2-dev: fix error handling in __video_register_device() - [arm64] media: venus: Fix probe error handling - media: videobuf2: use sgtable-based scatterlist wrappers - media: vidtv: Terminating the subsequent process of initialization failure (CVE-2025-38227) - media: vivid: Change the siize of the composing (CVE-2025-38226) - [armhf] 9447/1: arm/memremap: 
fix arch_memremap_can_ram_remap() - [armhf] omap: pmic-cpcap: do not mess around without CPCAP or OMAP4 - bus: mhi: host: Fix conflict between power_up and SYSERR - [x86] ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 (CVE-2025-38336) - [arm64] bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device - ext4: inline: fix len overflow in ext4_prepare_inline_data (CVE-2025-38222) - ext4: fix calculation of credits for extent tree modification - ext4: factor out ext4_get_maxbytes() - ext4: ensure i_size is smaller than maxbytes - Input: ims-pcu - check record size in ims_pcu_flash_firmware() (CVE-2025-38428) - f2fs: prevent kernel warning due to negative i_nlink from corrupted image (CVE-2025-38219) - f2fs: fix to do sanity check on sit_bitmap_size (CVE-2025-38218) - NFC: nci: uart: Set tty->disc_data only in success path (CVE-2025-38416) - fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var (CVE-2025-38214) - [arm64] clk: meson-g12a: add missing fclk_div2 to spicc - ipc: fix to protect IPCS lookups using RCU (CVE-2025-38212) - mm: fix ratelimit_pages update error in dirty_ratio_handler() - [armhf] mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk - [armhf] mtd: nand: sunxi: Add randomizer configuration before randomizer enable - dm-mirror: fix a tiny race condition - ftrace: Fix UAF when lookup kallsym after ftrace disabled (CVE-2025-38346) - net: ch9200: fix uninitialised access during mii_nway_restart (CVE-2025-38086) - [x86] uio_hv_generic: Use correct size for interrupt and monitor pages - PCI: Fix lock symmetry in pci_slot_unlock() - iio: imu: inv_icm42600: Fix temperature calculation - iio: adc: ad7606_spi: fix reg write value mask - ACPICA: fix acpi operand cache leak in dswstate.c (CVE-2025-38345) - clocksource: Fix the CPUs' choice in the watchdog per CPU verification - ACPICA: Avoid sequence overread in call to strncmp() - ACPICA: fix acpi parse and parseext cache leaks 
(CVE-2025-38344) - power: supply: bq27xxx: Retrieve again when busy - ACPICA: utilities: Fix overflow check in vsnprintf() - PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() - drm/amdgpu/gfx6: fix CSIB handling - sunrpc: update nextcheck time when adding new cache entries - [arm*] drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of calling disable_irq() - exfat: fix double free in delayed_free (CVE-2025-38206) - [arm64] drm/msm/hdmi: add runtime PM calls to DDC transfer function - media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition - drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit() - [arm64] drm/msm/a6xx: Increase HFI response timeout - drm/amdgpu/gfx10: fix CSIB handling - media: uapi: v4l: Change V4L2_TYPE_IS_CAPTURE condition - drm/amdgpu/gfx7: fix CSIB handling - ext4: ext4: unify EXT4_EX_NOCACHE|NOFAIL flags in ext4_ext_remove_space() - jfs: fix array-index-out-of-bounds read in add_missing_indices (CVE-2025-38204) - sunrpc: fix race in cache cleanup causing stale nextcheck time - ext4: prevent stale extent cache entries caused by concurrent get es_cache - drm/amdgpu/gfx8: fix CSIB handling - drm/amdgpu/gfx9: fix CSIB handling - jfs: Fix null-ptr-deref in jfs_ioc_trim (CVE-2025-38203) - [arm64] drm/msm/dpu: don't select single flush for active CTL blocks - [amd64] drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB - [arm*] media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() (CVE-2025-38237) - [arm64] thermal/drivers/qcom/tsens: Update conditions to strictly evaluate for IP v2+ - cpufreq: Force sync policy boost with global boost on sysfs update - [arm64] net: macb: Check return value of dma_set_mask_and_coherent() - tipc: use kfree_sensitive() for aead cleanup - emulex/benet: correct command version selection in be_cmd_get_stats() - wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R - sctp: Do not wake readers in __sctp_write_space() - net: dlink: add synchronization for stats 
update - tcp: always seek for minimal rtt in tcp_rcv_rtt_update() - tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows - ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT - net: atlantic: generate software timestamp just before the doorbell - [arm64] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() - [arm64] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() - [arm64] pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() - [arm64] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() - net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info - wifi: mac80211: do not offer a mesh path if forwarding is disabled - [arm*] clk: rockchip: rk3036: mark ddrphy as critical - scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands - [amd64] iommu/amd: Ensure GA log notifier callbacks finish running before module unload - vxlan: Do not treat dst cache initialization errors as fatal - software node: Correct a OOB check in software_node_get_reference_args() (CVE-2025-38342) - scsi: lpfc: Use memcpy() for BIOS version (CVE-2025-38332) - sock: Correct error checking condition for (assign|release)_proto_idx() - i40e: fix MMIO write access to an invalid page in i40e_clear_hw (CVE-2025-38200) - [armhf] watchdog: da9052_wdt: respect TWDMIN - [arm64] bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value - [armhf] OMAP2+: Fix l4ls clk domain handling in STANDBY - [arm*] tee: Prevent size calculation wraparound on 32-bit kernels - [armhf] Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first" - [x86] platform/x86: dell_rbu: Fix list usage (CVE-2025-38197) - [x86] platform/x86: dell_rbu: Stop overwriting data buffer - drivers/rapidio/rio_cm.c: prevent possible heap overwrite (CVE-2025-38090) - jffs2: check that raw node were preallocated before writing summary (CVE-2025-38194) - jffs2: check 
jffs2_prealloc_raw_node_refs() result in few other places (CVE-2025-38328) - [x86] scsi: storvsc: Increase the timeouts to storvsc_timeout - selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len - atm: Revert atm_account_tx() if copy_from_iter_full() fails. (CVE-2025-38190) - HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() (CVE-2025-38103) - ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card - [x86] ALSA: hda/intel: Add Thinkpad E15 to PM deny list - [x86] ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged - hugetlb: unshare some PMDs when splitting VMAs - mm/hugetlb: unshare page tables during VMA split, not before (CVE-2025-38084) - mm: hugetlb: independent PMD page table shared count (CVE-2024-57883) - mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (CVE-2025-38085) - drm/nouveau/bl: increase buffer size to avoid truncate warning - [armhf] hwmon: (occ) Add new temperature sensor type - [armhf] hwmon: (occ) Add soft minimum power cap attribute - [armhf] hwmon: (occ) Rework attribute registration for stack usage - [armhf] hwmon: (occ) fix unaligned accesses - aoe: clean device rq_list in aoedev_downdev() (CVE-2025-38326) - net: ice: Perform accurate aRFS flow match - wifi: carl9170: do not ping device which has failed to load firmware (CVE-2025-38420) - mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). (CVE-2025-38324) - atm: atmtcp: Free invalid length skb in atmtcp_c_send(). (CVE-2025-38185) - tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior - tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer (CVE-2025-38184) - calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). 
(CVE-2025-38181) - net: atm: add lec_mutex (CVE-2025-38323) - net: atm: fix /proc/net/atm/lec handling (CVE-2025-38180) - [armhf] dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board - [armhf] dts: am335x-bone-common: Increase MDIO reset deassert time - [armhf] dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms - [arm64] insn: Add barrier encodings - [arm64] move AARCH64_BREAK_FAULT into insn-def.h - [arm64] insn: add encoders for atomic operations - [arm64] insn: Add support for encoding DSB - [arm64] proton-pack: Expose whether the platform is mitigated by firmware - [arm64] errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB - [arm64] errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list - [arm64] errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists - [arm64] errata: Add missing sentinels to Spectre-BHB MIDR arrays - [arm64] proton-pack: Expose whether the branchy loop k value - [arm64] spectre: increase parameters that can be used to turn off bhb mitigation individually - [arm64] bpf: Add BHB mitigation to the epilogue for cBPF programs (CVE-2025-37948) - [arm64] bpf: Only mitigate cBPF programs loaded by unprivileged users (CVE-2025-37963) - [arm64] proton-pack: Add new CPUs 'k' values for branch mitigation - net/ipv4: fix type mismatch in inet_ehash_locks_alloc() causing build failure - net: Fix checksum update for ILA adj-transport - bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE - rtc: Improve performance of rtc_time64_to_tm(). Add tests. 
- rtc: Make rtc_time64_to_tm() support dates before 1970
- net_sched: sch_sfq: annotate data-races around q->perturb_period
- net_sched: sch_sfq: handle bigger packets
- net_sched: sch_sfq: don't allow 1 packet limit (CVE-2024-57996)
- net_sched: sch_sfq: use a temporary work area for validating configuration
- net_sched: sch_sfq: move the limit validation
- mm/huge_memory: fix dereferencing invalid pmd migration entry (CVE-2025-37958)
- [armhf] hwmon: (occ) Fix P10 VRM temp sensors
- perf: Fix sample vs do_exit() (CVE-2025-38424)
- [arm64] ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() (CVE-2025-38320)
- bpf: fix precision backtracking instruction iteration
- scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.240
- cifs: Fix cifs_query_path_info() for Windows NT servers
- NFSv4.2: fix listxattr to return selinux security label
- mailbox: Not protect module_put with spin_lock_irqsave
- md/md-bitmap: fix dm-raid max_write_behind setting
- bcache: fix NULL pointer in cache_set_flush() (CVE-2025-38263)
- iio: pressure: zpa2326: Use aligned_s64 for the timestamp
- [arm*] usb: common: usb-conn-gpio: use a unique name for usb connector device
- usb: Add checks for snprintf() calls in usb_alloc_dev()
- usb: cdc-wdm: avoid setting WDM_READ for ZLP-s
- usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode
- ALSA: hda: Ignore unsol events for cards being shut down
- ALSA: hda: Add new pci id for AMD GPU display HD audio controller
- ceph: fix possible integer overflow in ceph_zero_objects()
- ovl: Check for NULL d_inode() in ovl_dentry_upper()
- [x86] VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF (CVE-2023-53259)
- [x86] VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify (CVE-2025-38102)
- fs/jfs: consolidate sanity checking in dbMount
- jfs: validate AG parameters in dbMount() to prevent crashes (CVE-2025-38230)
- [armhf] media: omap3isp: use sgtable-based scatterlist wrappers
- f2fs: don't over-report free space or inodes in statvfs
- RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private
- RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction (CVE-2025-38211)
- [x86] uio: uio_hv_generic: use devm_kzalloc() for private data alloc
- [x86] Drivers: hv: vmbus: Fix duplicate CPU assignments within a device
- [x86] Drivers: hv: Rename 'alloced' to 'allocated'
- [x86] Drivers: hv: vmbus: Add utility function for querying ring size
- [x86] uio_hv_generic: Query the ringbuffer size for device
- [x86] uio_hv_generic: Align ring size to system page
- net_sched: sch_sfq: reject invalid perturb period (CVE-2025-38193)
- i2c: tiny-usb: disable zero-length read messages
- i2c: robotfuzz-osif: disable zero-length read messages
- atm: clip: prevent NULL deref in clip_push() (CVE-2025-38251)
- ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() (CVE-2025-38249)
- attach_recursive_mnt(): do not lock the covering tree when sliding something under it
- libbpf: Fix null pointer dereference in btf_dump__free on allocation failure
- wifi: mac80211: fix beacon interval calculation overflow
- vsock/uapi: fix linux/vm_sockets.h userspace compilation errors
- atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). (CVE-2025-38245)
- Bluetooth: L2CAP: Fix L2CAP MTU negotiation
- dm-raid: fix variable in journal device check
- btrfs: update superblock's device bytes_used when dropping chunk
- HID: wacom: fix memory leak on kobject creation failure
- HID: wacom: fix memory leak on sysfs attribute creation failure
- HID: wacom: fix kobject reference count leak
- [arm*] drm/tegra: Assign plane type before registration
- [arm*] drm/tegra: Fix a possible null pointer dereference (CVE-2025-38363)
- drm/udl: Unregister device before cleaning up on disconnect
- [amd64] drm/amdkfd: Fix race in GWS queue scheduling
- [amd64] PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time
- [arm64] Restrict pagetable teardown to avoid false warning
- rtc: cmos: use spin_lock_irqsave in cmos_interrupt
- [x86] vsock/vmci: Clear the vmci transport packet properly when initializing it (CVE-2025-38403)
- mmc: sdhci: Add a helper function for dump register in dynamic debug mode
- usb: typec: altmodes/displayport: do not index invalid pin_assignments (CVE-2025-38391)
- RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert (CVE-2025-38387)
- nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. (CVE-2025-38400)
- NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN (CVE-2025-38393)
- scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()
- scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()
- scsi: ufs: core: Fix spelling of a sysfs attribute name
- RDMA/mlx5: Fix CC counters query for MPV
- btrfs: fix missing error handling when searching for inode refs during log replay
- [armhf] drm/exynos: fimd: Guard display clock control with runtime PM calls
- [arm64] spi: spi-fsl-dspi: Clear completion counter before initiating transfer
- [x86] drm/i915/gt: Fix timeline left held on VMA alloc error (CVE-2025-38389)
- amd-xgbe: align CL37 AN sequence as per databook
- enic: fix incorrect MTU comparison in enic_change_mtu()
- rose: fix dangling neighbour pointers in rose_rt_device_down() (CVE-2025-38377)
- nui: Fix dma_mapping_error() check
- net/sched: Always pass notifications when child class becomes empty (CVE-2025-38350)
- [i386] ALSA: sb: Force to disable DMAs once when DMA mode is changed
- scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() (CVE-2025-38399)
- wifi: mac80211: drop invalid source address OCB frames
- wifi: ath6kl: remove WARN on bad firmware input (CVE-2025-38406)
- ACPICA: Refuse to evaluate a method if arguments are missing (CVE-2025-38386)
- rcu: Return early if callback is not specified
- regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods (CVE-2025-38395)
- mtk-sd: Prevent memory corruption from DMA map failure (CVE-2025-38401)
- [armhf] drm/v3d: Disable interrupts before resetting the GPU (CVE-2025-38371)
- RDMA/mlx5: Fix vport loopback for MPV device
- flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes
- NFSv4/flexfiles: Fix handling of NFS level errors in I/O
- btrfs: propagate last_unlink_trans earlier when doing a rmdir
- btrfs: use btrfs_record_snapshot_destroy() during rmdir
- [arm64] dpaa2-eth: rename dpaa2_eth_xdp_release_buf into dpaa2_eth_recycle_buf
- [arm64] dpaa2-eth: Update dpni_get_single_step_cfg command
- [arm64] dpaa2-eth: Update SINGLE_STEP register access
- [arm64] net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats
- [arm64] dpaa2-eth: fix xdp_rxq_info leak
- Logitech C-270 even more broken
- usb: typec: displayport: Fix potential deadlock (CVE-2025-38404)
- [x86] ACPI: PAD: fix crash in exit_round_robin() (CVE-2024-49935)
- media: uvcvideo: Return the number of processed controls
- media: uvcvideo: Send control events for partial succeeds
- media: uvcvideo: Rollback non processed entities on error
- staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()
- [arm*] drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling (CVE-2025-38467)
- perf: Revert to requiring CAP_SYS_ADMIN for uprobes (CVE-2025-38466)
- fix proc_sys_compare() handling of in-lookup dentries
- netlink: Fix wraparounds of sk->sk_rmem_alloc. (CVE-2025-38465)
- tipc: Fix use-after-free in tipc_conn_close(). (CVE-2025-38464)
- vsock: Fix transport_{g2h,h2g} TOCTOU (CVE-2025-38462)
- vm_sockets: Add flags field in the vsock address data structure
- vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag
- af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path
- af_vsock: Assign the vsock transport considering the vsock address flags
- vsock: Fix transport_* TOCTOU (CVE-2025-38461)
- vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local`
- net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap
- net: phy: smsc: Fix link failure in forced mode with Auto-MDIX
- atm: clip: Fix potential null-ptr-deref in to_atmarpd(). (CVE-2025-38460)
- atm: clip: Fix memory leak of struct clip_vcc. (CVE-2025-38546)
- atm: clip: Fix infinite recursive call of clip_push(). (CVE-2025-38459)
- atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (CVE-2025-38458)
- net/sched: Abort __tc_modify_qdisc if parent class does not exist (CVE-2025-38457)
- fs/proc: do_task_stat: use __for_each_thread()
- rxrpc: Fix oops due to non-existence of prealloc backlog struct (CVE-2025-38514)
- [amd64] Mitigate Indirect Target Selection (CVE-2024-28956):
  + Documentation: x86/bugs/its: Add ITS documentation
  + x86/bhi: Define SPEC_CTRL_BHI_DIS_S
  + x86/its: Enumerate Indirect Target Selection (ITS) bug
  + x86/alternatives: Introduce int3_emulate_jcc()
  + x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions
  + x86/its: Add support for ITS-safe indirect thunk
  + x86/alternative: Optimize returns patching
  + x86/alternatives: Remove faulty optimization
  + x86/its: Add support for ITS-safe return thunk
  + x86/its: Fix undefined reference to cpu_wants_rethunk_at()
  + x86/its: Enable Indirect Target Selection mitigation
  + x86/its: Add "vmexit" option to skip mitigation on some CPUs
  + x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc()
  + x86/its: Use dynamic thunks for indirect branches
  + x86/its: Fix build errors when CONFIG_MODULES=n
  + x86/its: FineIBT-paranoid vs ITS
- [x86] mce/amd: Fix threshold limit reset
- [x86] mce: Don't remove sysfs if thresholding sysfs init fails
- [x86] mce: Make sure CMCI banks are cleared during shutdown on Intel
- [arm64] pinctrl: qcom: msm: mark certain pins as invalid for interrupts (CVE-2025-38516)
- drm/sched: Increment job count before swapping tail spsc queue (CVE-2025-38515)
- usb: gadget: u_serial: Fix race condition in TTY wakeup (CVE-2025-38448)
- ethernet: atl1: Add missing DMA mapping error checks and count errors
- netlink: Fix rmem check in netlink_broadcast_deliver().
- netlink: make sure we allow at least one dump skb
- [x86] Input: xpad - add support for Amazon Game Controller
- [x86] Input: xpad - add VID for Turtle Beach controllers
- [x86] Input: xpad - support Acer NGR 200 Controller
- dma-buf: fix timeout handling in dma_resv_wait_timeout v2
- wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() (CVE-2025-38513)
- md/raid1: Fix stack memory use after return in raid1_reshape (CVE-2025-38445)
- net: appletalk: Fix device refcount leak in atrtr_create() (CVE-2025-38542)
- net: phy: microchip: limit 100M workaround to link-down events on LAN88xx
- bnxt_en: Fix DCB ETS validation
- bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (CVE-2025-38439)
- [x86] atm: idt77252: Add missing `dma_map_error()`
- net: usb: qmi_wwan: add SIMCom 8230C composition
- vt: add missing notification when switching back to text mode
- HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY
- HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras (CVE-2025-38540)
- Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID
- vhost-scsi: protect vq->log_used with vq->mutex (CVE-2025-38074)
- [i386] mm: Disable hugetlb page table sharing on 32-bit
- [x86] Mitigate Transient Scheduler Attacks (CVE-2024-36350, CVE-2024-36357):
- x86/bugs: Rename MDS machinery to something more generic
- x86/bugs: Add a Transient Scheduler Attacks mitigation
- KVM: x86: add support for CPUID leaf 0x80000021
- KVM: SVM: Advertise TSA CPUID bits to guests
- x86/process: Move the buffer clearing before MONITOR
- rseq: Fix segfault on registration when rseq_cs is non-zero (CVE-2025-38067)
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.241
- [arm64] phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode (CVE-2025-38535)
- USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition
- USB: serial: option: add Foxconn T99W640
- USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI
- usb: gadget: configfs: Fix OOB read on empty string write (CVE-2025-38497)
- [armhf] i2c: stm32: fix the device used for the DMA map
- [x86] thunderbolt: Fix bit masking in tb_dp_port_set_hops()
- [x86] Input: xpad - set correct controller type for Acer NGR200
- [i386] pch_uart: Fix dma_sync_sg_for_device() nents value
- HID: core: ensure the allocated report buffer can contain the reserved report ID (CVE-2025-38495)
- HID: core: ensure __hid_request reserves the report ID as the first byte
- HID: core: do not bypass hid_hw_raw_request (CVE-2025-38494)
- phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept()
- af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd()
- af_packet: fix soft lockup issue caused by tpacket_snd()
- [armhf] dmaengine: nbpfaxi: Fix memory corruption in probe() (CVE-2025-38538)
- isofs: Verify inode mode when loading from disk
- memstick: core: Zero initialize id_reg in h_memstick_read_dev_id()
- [arm*] mmc: bcm2835: Fix dma_unmap_sg() nents value
- [x86] mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based Positivo models
- [armhf] soc: aspeed: lpc-snoop: Cleanup resources in stack-order
- [armhf] soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled (CVE-2025-38487)
- iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]
- iio: adc: max1363: Reorder mode_list[] entries
- [i386] comedi: pcl812: Fix bit shift out of bounds (CVE-2025-38530)
- [i386] comedi: aio_iiro_16: Fix bit shift out of bounds (CVE-2025-38529)
- [i386] comedi: das16m1: Fix bit shift out of bounds (CVE-2025-38483)
- [i386] comedi: das6402: Fix bit shift out of bounds (CVE-2025-38482)
- [x86] comedi: Fix some signed shift left operations
- comedi: Fix use of uninitialized data in insn_rw_emulate_bits() (CVE-2025-38480)
- comedi: Fix initialization of data for instructions that write to subdevice (CVE-2025-38478)
- net/sched: sch_qfq: Fix race condition on qfq_aggregate (CVE-2025-38477)
- rpl: Fix use-after-free in rpl_do_srh_inline(). (CVE-2025-38476)
- hwmon: (corsair-cpro) Validate the size of the received input buffer (CVE-2025-38548)
- usb: net: sierra: check for no status endpoint (CVE-2025-38474)
- Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (CVE-2025-38473)
- Bluetooth: SMP: If an unallowed command is received consider it a failure
- Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout
- Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU
- net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime (CVE-2025-38470)
- net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree (CVE-2025-38468)
- usb: hub: fix detection of high tier USB3 devices behind suspended hubs
- usb: hub: Fix flushing and scheduling of delayed work that tunes runtime pm
- usb: hub: Fix flushing of delayed work used for post resume purposes
- [arm*] usb: musb: Add and use inline functions musb_{get,set}_state
- [arm*] usb: musb: fix gadget state on disconnect
- [arm64] usb: dwc3: qcom: Don't leave BCR asserted
- [arm64] ASoC: fsl_sai: Force a software reset when starting in consumer mode
- mm/vmalloc: leave lazy MMU mode on PTE mapping error
- virtio-net: ensure the received length does not exceed allocated size (CVE-2025-38375)
- [arm*] xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS
- regulator: core: fix NULL dereference on unbind due to stale coupling data (CVE-2025-38668)
- RDMA/core: Rate limit GID cache warning messages
- i40e: Add rx_missed_errors for buffer exhaustion
- i40e: report VF tx_dropped with tx_errors instead of tx_discards
- net: appletalk: Fix use-after-free in AARP proxy probe (CVE-2025-38666)
- net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class
- [arm64] net: hns3: refine the struct hane3_tc_info
- [arm64] net: hns3: fixed vf get max channels bug
- [arm64] i2c: qup: jump out of the loop in case of timeout (CVE-2025-38671)
- [x86] ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx
- e1000e: disregard NVM checksum on tgp when valid checksum bit is not set
- e1000e: ignore uninitialized checksum word on tgp
- gve: Fix stuck TX queue for DQ queue format
- nilfs2: reject invalid file types when reading inodes (CVE-2025-38663)
- [amd64] x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode()
- comedi: comedi_test: Fix possible deletion of uninitialized timers
- ALSA: hda: Add missing NVIDIA HDA codec IDs
- [arm*] usb: chipidea: add USB PHY event
- [armhf] usb: phy: mxs: disconnect line when USB charger is attached
- fs_context: fix parameter name in infofc() macro
- hfsplus: remove mutex_lock check in hfsplus_free_extents (CVE-2025-38650)
- ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask()
- ASoC: ops: dynamically allocate struct snd_ctl_elem_value
- staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() (CVE-2025-38612)
- pps: fix poll support
- [armhf] dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface
- [arm64] dts: imx8mm-beacon: Fix HS400 USDHC clock speed
- cpufreq: Initialize cpufreq-based frequency-invariance later
- cpufreq: Init policy->rwsem before it may be possibly used
- [arm*] drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed
- bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls (CVE-2025-38608)
- bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure
- wifi: rtl818x: Kill URBs before clearing tx status queue (CVE-2025-38604)
- wifi: iwlwifi: Fix memory leak in iwl_mvm_init()
- iwlwifi: Add missing check for alloc_ordered_workqueue (CVE-2025-38602)
- wifi: ath11k: clear initialized flag for deinit-ed srng lists (CVE-2025-38601)
- tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range
- drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value
- netfilter: nf_tables: adjust lockdep assertions handling
- net/sched: Restrict conditions for adding duplicating netems to qdisc tree (CVE-2025-38553)
- net_sched: act_ctinfo: use atomic64_t for three counters
- xen/gntdev: remove struct gntdev_copy_batch from stack
- wifi: rtl8xxxu: Fix RX skb size for aggregation disabled
- mwl8k: Add missing check after DMA map
- wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key()
- Reapply "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()"
- wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE
- can: kvaser_usb: Assign netdev.dev_port based on device channel index
- netfilter: xt_nfacct: don't assume acct name is null-terminated (CVE-2025-38639)
- vrf: Drop existing dst reference in vrf_ip6_input_dst
- [arm64] PCI: rockchip-host: Fix "Unexpected Completion" log message
- [arm*] crypto: marvell/cesa - Fix engine load inaccuracy
- mtd: fix possible integer overflow in erase_xfer()
- [armhf] clk: davinci: Add NULL check in davinci_lpsc_clk_register() (CVE-2025-38635)
- [arm*] pinctrl: sunxi: Fix memory leak on krealloc failure
- [arm64] crypto: inside-secure - Fix `dma_unmap_sg()` nents value
- crypto: ccp - Fix crash when rebind ccp device for ccp.ko (CVE-2025-38581)
- [armhf] clk: sunxi-ng: v3s: Fix de clock definition
- scsi: mvsas: Fix dma_unmap_sg() nents value
- [x86] scsi: isci: Fix dma_unmap_sg() nents value
- soundwire: stream: restore params when prepare ports fail
- fs/orangefs: Allow 2 more characters in do_c_string()
- [arm*] dmaengine: mv_xor: Fix missing check after DMA map and missing unmap
- [x86] crypto: qat - fix seq_file position update in adf_ring_next()
- jfs: fix metapage reference count leak in dbAllocCtl
- vhost-scsi: Fix log flooding with target does not exist errors
- bpf: Check flow_dissector ctx accesses are aligned
- apparmor: ensure WB_HISTORY_SIZE value is a power of 2
- module: Restore the moduleparam prefix length check
- [arm*] rtc: ds1307: fix incorrect maximum clock rate handling
- [arm64] rtc: pcf85063: fix incorrect maximum clock rate handling
- [arm*] rtc: pcf8563: fix incorrect maximum clock rate handling
- f2fs: fix to avoid UAF in f2fs_sync_inode_meta() (CVE-2025-38578)
- f2fs: fix to avoid panic in f2fs_evict_inode (CVE-2025-38577)
- f2fs: fix to avoid out-of-boundary access in devs.path (CVE-2025-38652)
- scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume
- pNFS/flexfiles: Avoid spurious layout returns in ff_layout_choose_ds_for_read
- pNFS/flexfiles: don't attempt pnfs on fatal DS errors
- NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() (CVE-2025-39730)
- NFSv4.2: another fix for listxattr
- mm: extract might_alloc() debug check
- XArray: Add calls to might_alloc()
- NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY
- netpoll: prevent hanging NAPI when netcons gets enabled
- phy: mscc: Fix parsing of unicast frames
- pptp: ensure minimal skb length in pptp_xmit() (CVE-2025-38574)
- ipv6: reject malicious packets in ipv6_gso_segment() (CVE-2025-38572)
- net: drop UFO packets in udp_rcv_segment() (CVE-2025-38622)
- benet: fix BUG when creating VFs (CVE-2025-38569) (regression in 5.10.235)
- ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out()
- smb: client: let recv_done() cleanup before notifying the callers.
- pptp: fix pptp_xmit() error path
- perf/core: Don't leak AUX buffer refcount on allocation failure
- perf/core: Exit early on perf_mmap() fail (CVE-2025-38565)
- perf/core: Prevent VMA split of buffer mappings (CVE-2025-38563)
- net/packet: fix a race in packet_set_ring() and packet_notifier() (CVE-2025-38617)
- vsock: Do not allow binding to VMADDR_PORT_ANY (CVE-2025-38618)
- USB: serial: option: add Foxconn T99W709
- mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery
- usb: gadget : fix use-after-free in composite_dev_cleanup() (CVE-2025-38555)
- io_uring: don't use int for ABI
- ALSA: usb-audio: Validate UAC3 power domain descriptors, too (CVE-2025-38729)
- ALSA: usb-audio: Validate UAC3 cluster segment descriptors (CVE-2025-39757)
- netlink: avoid infinite retry looping in netlink_unicast() (CVE-2025-38727)
- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() (CVE-2025-38724)
- NFSD: detect mismatch of file handle and delegation stateid in OPEN op
- fs: Prevent file descriptor table allocations exceeding INT_MAX (CVE-2025-39756)
- ACPI: processor: perflib: Fix initial _PPC limit application
- ACPI: processor: perflib: Move problematic pr->performance check
- udp: also consider secpath when evaluating ipsec use for checksumming
- netfilter: ctnetlink: fix refcount leak on table dump (CVE-2025-38721)
- sctp: linearize cloned gso packets in sctp_rcv (CVE-2025-38718)
- [x86] intel_idle: Allow loading ACPI tables for any family
- cpuidle: governors: menu: Avoid using invalid recent intervals data
- hfs: fix slab-out-of-bounds in hfs_bnode_read() (CVE-2025-38715)
- hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() (CVE-2025-38714)
- hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (CVE-2025-38713)
- hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() (CVE-2025-38712)
- udf: Verify partition map count
- drbd: add missing kref_get in handle_write_conflicts (CVE-2025-38708)
- hfs: fix not erasing deleted b-tree node issue
- ata: libata-sata: Disallow changing LPM state if not supported
- securityfs: don't pin dentries twice, once is enough...
- usb: xhci: print xhci->xhc_state when queue_command failed
- [arm64] cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag
- usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default
- usb: xhci: Avoid showing warnings for dying controller
- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command
- usb: xhci: Avoid showing errors during surprise removal
- cpufreq: Exit governor when failed to start old governor
- [armhf] rockchip: fix kernel hang during smp initialization (CVE-2025-39752)
- ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed
- [armhf] tegra: Use I/O memcpy to write to IRAM (CVE-2025-39794)
- PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()
- thermal: sysfs: Return ENODATA instead of EAGAIN for reads
- PM: sleep: console: Fix the black screen issue
- ACPI: processor: fix acpi_object initialization
- [arm64] mmc: sdhci-msm: Ensure SD card power isn't ON when card removed
- ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path
- [x86] bugs: Avoid warning when overriding return thunk
- [x86] ASoC: hdac_hdmi: Rate limit logging on connection and disconnection
- [x86] ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4
- ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() (CVE-2025-38706)
- usb: core: usb_submit_urb: downgrade type check
- [x86] pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop()
- [arm64] platform/chrome: cros_ec_typec: Defer probe on missing EC parent
- ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control (CVE-2025-39751)
- ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop
- ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros
- iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement
- ASoC: codecs: rt5640: Retry DEVICE_ID verification
- xen/netfront: Fix TX response spurious interrupts
- wifi: cfg80211: reject HTC bit for management frames
- be2net: Use correct byte order and format string for TCP seq and ack_seq
- et131x: Add missing check after DMA map
- rcu: Protect ->defer_qs_iw_pending from data race (CVE-2025-39749)
- wifi: cfg80211: Fix interface type validation
- net: ipv4: fix incorrect MTU in broadcast routes
- [arm64] net: thunderx: Fix format-truncation warning in bgx_acpi_match_id()
- wifi: iwlwifi: mvm: fix scan request validation
- [arm*] net: fec: allow disable coalescing
- drm/amd/display: Separate set_gsl from set_gsl_source_select
- wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
- wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect
- drm/amd/display: Fix 'failed to blank crtc!'
- wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`.
- netmem: fix skb_frag_address_safe with unreadable skbs
- wifi: iwlegacy: Check rate_idx range after addition
- net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs
- gve: Return error for unknown admin queue command
- [armhf] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325
- [armhf] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325
- [armhf] net: dsa: b53: prevent SWITCH_CTRL access on BCM5325
- wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc()
- [armhf] net: ncsi: Fix buffer overflow in fetching version id
- drm/ttm: Should to return the evict error
- uapi: in6: restore visibility of most IPv6 socket options
- [amrhf] net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325
- vhost: fail early when __vhost_add_used() fails
- cifs: Fix calling CIFSFindFirst() for root path without msearch
- ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr (CVE-2025-38701)
- scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated (CVE-2025-38700)
- fs/orangefs: use snprintf() instead of sprintf()
- [arm*] watchdog: dw_wdt: Fix default timeout
- scsi: bfa: Double-free fix (CVE-2025-38699)
- jfs: truncate good inode pages when hard link is 0 (CVE-2025-39743)
- jfs: Regular file corruption check (CVE-2025-38698)
- jfs: upper bound check of tree index in dbAllocAG (CVE-2025-38697)
- [amd64] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() (CVE-2025-39742)
- RDMA/core: reduce stack using in nldev_stat_get_doit()
- scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure (CVE-2025-38695)
- scsi: mpt3sas: Correctly handle ATA device errors
- [armhf] pinctrl: stm32: Manage irq affinity settings
- media: usb: hdpvr: disable zero-length read messages
- media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() (CVE-2025-38694)
- media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (CVE-2025-38693)
- media: uvcvideo: Fix bandwidth issue for Alcor camera
- md: dm-zoned-target: Initialize return variable r to avoid uninitialized use
- [arm*] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341
- dm-mpath: don't print the "loaded" message if registering fails
- i2c: Force DLL0945 touchpad i2c freq to 100khz
- scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans
- scsi: aacraid: Stop using PCI_IRQ_AFFINITY
- ipmi: Use dev_warn_ratelimited() for incorrect message warnings
- ipmi: Fix strcpy source and destination the same
- net: phy: smsc: add proper reset flags for LAN8710A
- block: avoid possible overflow for chunk_sectors check in blk_stack_limits() (CVE-2025-39795)
- pNFS: Fix stripe mapping in block/scsi layout
- pNFS: Fix disk addr range check in block/scsi layout
- pNFS: Handle RPC size limit for layoutcommits
- pNFS: Fix uninited ptr deref in block/scsi layout (CVE-2025-38691)
- [arm*] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe
- scsi: lpfc: Remove redundant assignment to avoid memory leak
- ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe()
- [arm64] ASoC: fsl_sai: replace regmap_write with regmap_update_bits
- drm/amdgpu: fix incorrect vm flags to map bo
- usb: core: config: Prevent OOB read in SS endpoint companion parsing (CVE-2025-39760)
- misc: rtsx: usb: Ensure mmc child device is active when card is present
- usb: typec: ucsi: Update power_supply on power role change
- comedi: fix race between polling and detaching (CVE-2025-38687)
- [x86] thunderbolt: Fix copy+paste error in match_service_id()
- btrfs: fix log tree replay failure due to file with 0 links and extents
- mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() (CVE-2025-39737)
- mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock (CVE-2025-39736)
- media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() (CVE-2025-38680)
- media: uvcvideo: Do not mark valid metadata as invalid
- serial: 8250: fix panic due to PSLVERR (CVE-2025-39724)
- [x86] usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init()
- [arm*] usb: dwc3: meson-g12a: fix device leaks at unbind
- bus: mhi: host: Fix endianness of BHI vector table
- vt: keyboard: Don't process Unicode characters in K_OFF mode
- vt: defkeymap: Map keycodes above 127 to K_HOLE
- ext4: check fast symlink for ea_inode correctly
- ext4: fix fsmap end of range reporting with bigalloc
- ext4: fix reserved gdt blocks handling in fsmap
- ata: libata-scsi: Fix ata_to_sense_error() status handling
- wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table()
- wifi: ath11k: fix source ring-buffer corruption
- PCI: endpoint: Fix configfs group list head handling (CVE-2025-39783)
- jbd2: prevent softlockup in jbd2_log_do_checkpoint() (CVE-2025-39782)
- [arm*] soc/tegra: pmc: Ensure power-domains are in a known state
- media: gspca: Add bounds checking to firmware parser
- [armhf] media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init()
- media: usbtv: Lock resolution while streaming (CVE-2025-39714)
- media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() (CVE-2025-39713)
- [arm*] media: venus: Add a check for packet size after reading from shared memory (CVE-2025-39710)
- drm/amd: Restore cached power limit during resume
- net, hsr: reject HSR frame if skb can't hold tag (CVE-2025-39703)
- sch_htb: make htb_qlen_notify() idempotent (CVE-2025-37932)
- sch_drr: make drr_qlen_notify() idempotent
- sch_hfsc: make hfsc_qlen_notify() idempotent (CVE-2025-38177)
- sch_qfq: make qfq_qlen_notify() idempotent
- codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog() (CVE-2025-37798)
- sch_htb: make htb_deactivate() idempotent
- memstick: Fix deadlock by moving removing flag earlier
- mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency
- squashfs: fix memory leak in squashfs_fill_super
- ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6
- drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3
- drm/amd/display: Fix DP audio DTO1 clock source on DCE 6.
- drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs - drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs - fs/buffer: fix use-after-free when call bh_read() helper (CVE-2025-39691) - move_mount: allow to add a mount into an existing group - use uniform permission checks for all mount propagation changes - ftrace: Also allocate and copy hash for reading of filter files (CVE-2025-39689) - iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() - iio: proximity: isl29501: fix buffered read on big-endian systems - usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive - USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera - usb: storage: realtek_cr: Use correct byte order for bcs->Residue - USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles - [arm*] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout - f2fs: fix to do sanity check on ino and xnid (CVE-2025-38347) - iio: hid-sensor-prox: Fix incorrect OFFSET calculation - [x86] mce/amd: Add default names for MCA banks and blocks - usb: hub: avoid warm port reset during USB3 disconnect - usb: hub: Don't try to recover devices lost during warm reset. 
- smb: client: fix use-after-free in crypt_message when using async crypto (CVE-2025-38488) - tracing: Add down_write(trace_event_sem) when adding trace event (CVE-2025-38539) - pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov - ice: Fix a null pointer dereference in ice_copy_and_init_pkg() (CVE-2025-38664) - drm/sched: Remove optimization that causes hang when killing dependent jobs - mm/zsmalloc.c: convert to use kmem_cache_zalloc in cache_alloc_zspage() - [x86] fpu: Delay instruction pointer fixup until after warning - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() - net: usbnet: Avoid potential RCU stall on LINK_CHANGE event - usb: typec: fusb302: cache PD RX state - PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports - block: Make REQ_OP_ZONE_FINISH a write operation - [x86] hv_netvsc: Fix panic during namespace deletion with VF (CVE-2025-38683) - USB: cdc-acm: do not log successful probe on later errors - cdc-acm: fix race between initial clearing halt and open - comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large (CVE-2025-38481) - ptp: Fix possible memory leak in ptp_clock_register() (CVE-2021-47455) - block: don't call rq_qos_ops->done_bio if the bio isn't tracked (CVE-2021-47412) - btrfs: fix deadlock when cloning inline extents and using qgroups (CVE-2021-46987) - [armhf] 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS - [arm64] dpaa2-mac: split up initializing the MAC object from connecting to it - [arm64] dpaa2-mac: export MAC counters even when in TYPE_FIXED - [arm64] dpaa2-eth: retry the probe when the MAC is not yet discovered on the bus - [arm64] dpaa2-eth: Fix device reference count leak in MAC endpoint handling - mm: drop the assumption that VM_SHARED always implies writable - mm: update memfd seal write check to include F_SEAL_WRITE - mm: reinstate ability to map write-sealed memfd mappings read-only - dma-buf: insert memory barrier before updating num_fences (CVE-2025-38095) 
- drm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume (CVE-2021-47421) - RDMA/rxe: Return CQE error if invalid lkey was supplied (CVE-2021-47076) - scsi: lpfc: Fix link down processing to address NULL pointer dereference (CVE-2021-47183) - scsi: pm80xx: Fix memory leak during rmmod (CVE-2021-47193) - NFS: Don't set NFS_INO_REVAL_PAGECACHE in the inode cache validity - NFSv4: Fix nfs4_bitmap_copy_adjust() - NFS: Create an nfs4_server_set_init_caps() function - NFS: Fix the setting of capabilities when automounting a new filesystem (CVE-2025-39798) - net/sched: sch_ets: properly init all active DRR list handles - net_sched: sch_ets: implement lockless ets_dump() - net/sched: ets: use old 'nbands' while purging unused classes (CVE-2025-38684) - mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() (CVE-2025-38681) - ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig - [arm*] scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE (CVE-2025-39788) - iio: adc: ad_sigma_delta: change to buffer predisable - [arm64] soc: qcom: mdt_loader: Ensure we don't read past the ELF header (CVE-2025-39787) - [armhf] usb: musb: omap2430: fix device leak at unbind - btrfs: populate otime when logging an inode item - ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value (CVE-2022-50327) - minmax: add umin(a, b) and umax(a, b) - ext4: fix hole length calculation overflow in non-extent inodes - [arm*] platform/chrome: cros_ec: Make cros_ec_unregister() return void - [arm*] platform/chrome: cros_ec: Use per-device lockdep key - [arm*] platform/chrome: cros_ec: remove unneeded label and if-condition - [arm*] platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() - locking/barriers, kcsan: Support generic instrumentation - asm-generic: Add memory barrier dma_mb() - wifi: ath11k: fix dest ring-buffer corruption when ring is full - media: v4l2-ctrls: always copy the controls on completion - media: v4l2-ctrls: Don't reset 
handler's error in v4l2_ctrl_handler_free() - [arm*] media: venus: don't de-reference NULL pointers at IRQ time - [arm*] media: venus: hfi: explicitly release IRQ during teardown - [arm*] media: venus: Add support for SSR trigger using fault injection - [arm*] media: venus: protect against spurious interrupts during probe (CVE-2025-39709) - drm/amd/display: Don't overclock DCE 6 by 15% - f2fs: fix to avoid out-of-boundary access in dnode page (CVE-2025-38677) - [arm*] media: venus: vdec: Clamp param smaller than 1fps and bigger than 240. - [x86] uio_hv_generic: Fix another memory leak in error handling paths (CVE-2021-47070) - dm: rearrange core declarations for extended use from dm-zone.c - dm rq: don't queue request to blk-mq during DM suspend (CVE-2021-47498) - [arm*] usb: dwc3: Remove DWC3 locking during gadget suspend/resume - [arm*] usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to avoid deadlock - [arm*] gpio: rcar: Use raw_spinlock to protect register access (CVE-2025-21912) - net: usbnet: Fix the wrong netif_carrier_on() call - compiler: remove __ADDRESSABLE_ASM{_STR,}() again - usb: xhci: Fix slot_id resource race conflict - iio: imu: inv_icm42600: change invalid data error to -EBUSY - tracing: Remove unneeded goto out logic - tracing: Limit access to parser->buffer when trace_get_user failed (CVE-2025-39683) - iio: light: as73211: Ensure buffer holes are zeroed (CVE-2025-39687) - mm/page_alloc: detect allocation forbidden by cpuset and bail out early - cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key - scsi: qla4xxx: Prevent a potential error pointer dereference (CVE-2025-39676) - [amd64] iommu/amd: Avoid stack buffer overflow from kernel cmdline (CVE-2025-38676) - mlxsw: spectrum: Forward packets with an IPv4 link-local source IP - ALSA: usb-audio: Fix size validation in convert_chmap_v3() - ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add - ixgbe: xsk: resolve the negative overflow of
budget in ixgbe_xmit_zc - net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit (CVE-2025-39766) - net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate - ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation - netfilter: nft_reject: unify reject init and dump into nft_reject - netfilter: nft_reject_inet: allow to use reject from inet ingress - netfilter: nf_reject: don't leak dst refcount for loopback packets (CVE-2025-38732) - alloc_fdtable(): change calling conventions. https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.242 - ftrace: Fix potential warning in trace_printk_seq during ftrace_dump (CVE-2025-39813) - scsi: core: sysfs: Correct sysfs attributes access rights - [x86] cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper (CVE-2025-39681) - nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests - NFS: Fix a race when updating an existing write (CVE-2025-39697) - vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put() - net: ipv4: fix regression in local-broadcast routes - Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced - atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control(). 
(CVE-2025-39828) - [x86] net: dlink: fix multicast stats being counted incorrectly - net/mlx5e: Update and set Xon/Xoff upon MTU set - net/mlx5e: Update and set Xon/Xoff upon port speed set - net/mlx5e: Set local Xoff after FW update - net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts - sctp: initialize more fields in sctp_v6_from_sk() (CVE-2025-39812) - efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CVE-2025-39817) - [x86] KVM: x86: use array_index_nospec with indices that come from guest (CVE-2025-39823) - HID: asus: fix UAF via HID_CLAIMED_INPUT validation (CVE-2025-39824) - HID: wacom: Add a new Art Pen 2 - HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version() (CVE-2025-39808) - Revert "drm/amdgpu: fix incorrect vm flags to map bo" - dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted - net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions - drm/nouveau/disp: Always accept linear modifier - [x86] ASoC: Intel: bxt_da7219_max98357a: shrink platform_id below 20 characters - [x86] ASoC: Intel: sof_rt5682: shrink platform_id names below 20 characters - [x86] ASoC: Intel: glk_rt5682_max98357a: shrink platform_id below 20 characters - [x86] ASoC: Intel: sof_da7219_max98373: shrink platform_id below 20 characters - xfs: do not propagate ENODATA disk errors into xattr code (CVE-2025-39835) https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.243 - drm/amd/display: Don't warn when missing DCE encoder caps - tee: fix NULL pointer dereference in tee_shm_put (CVE-2025-39865) - [arm64] dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro - wifi: cfg80211: fix use-after-free in cmp_bss() (CVE-2025-39864) - netfilter: conntrack: helper: Replace -EEXIST by -EBUSY - Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() (CVE-2025-39860) - [x86] xirc2ps_cs: fix register access when enabling FullDuplex - [x86] mISDN: Fix memory leak in dsp_hwec_enable() - icmp: fix icmp_ndo_send address 
translation for reply direction - i40e: Fix potential invalid access when MAC list is empty (CVE-2025-39853) - wifi: libertas: cap SSID len in lbs_associate() - [arm64] net: thunder_bgx: add a missing of_node_put - [arm64] net: thunder_bgx: decrement cleanup index before use - ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() - ax25: properly unshare skbs in ax25_kiss_rcv() (CVE-2025-39848) - net: atm: fix memory leak in atm_register_sysfs when device_register fail - ppp: fix memory leak in pad_compress_skb (CVE-2025-39847) - ALSA: usb-audio: Add mute TLV for playback volumes on some devices - pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() (CVE-2025-39846) - wifi: mwifiex: Initialize the chan_stats array to zero - drm/amdgpu: drop hw access in non-DC audio fini - scsi: lpfc: Fix buffer free/clear order in deferred receive path (CVE-2025-39841) - batman-adv: fix OOB read/write in network-coding decode (CVE-2025-39839) - e1000e: fix heap overflow in e1000_set_eeprom - mm/khugepaged: fix ->anon_vma race (CVE-2023-52935) - mm/slub: avoid accessing metadata when pointer is invalid in object_err() - cpufreq/sched: Explicitly synchronize limits_changed flag handling - [x86] KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer - iio: light: opt3001: fix deadlock due to concurrent flag access (CVE-2025-37968) - [arm*] gpio: pca953x: fix IRQ storm on system wake up - [x86] ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup - [x86] vmxnet3: update MTU after device quiesce - [arm64] dts: marvell: uDPU: define pinctrl state for alarm LEDs - net: phy: microchip: implement generic .handle_interrupt() callback - net: phy: microchip: remove the use of .ack_interrupt() - net: phy: microchip: force IRQ polling mode for lan88xx - [x86] ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model - [x86] pcmcia: Add error handling for add_interval() in do_validate_mem() - [arm64] clk: qcom: gdsc: Set retain_ff 
before moving to HW CTRL - cifs: fix integer overflow in match_server() https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.244 - [x86] Mitigate VMScape vulnerability (CVE-2025-40300): + Documentation/hw-vuln: Add VMSCAPE documentation + x86/vmscape: Enumerate VMSCAPE bug + x86/vmscape: Add conditional IBPB mitigation + x86/vmscape: Enable the mitigation + x86/bugs: Move cpu_bugs_smt_update() down + x86/vmscape: Warn when STIBP is disabled with SMT + x86/vmscape: Add old Intel CPUs to affected list . [ Ben Hutchings ] * Drop "Revert "xen/swiotlb: add alignment check for dma buffers"" which should not be needed after "xen/swiotlb: relax alignment requirements" * [x86] ACPI: Make ACPI_HED built-in since it can no longer be modular * Bump ABI to 36 * d/b/buildcheck.py, d/rules.real: Run buildcheck.py in setup as well * d/b/buildcheck.py: Check config of kernel to be signed * d/rules: Include target suite as an input to gencontrol.py * Generate kernel ABI name suffix automatically if not configured * d/c/defines: Delete ABI name suffix * d/salsa-ci.yml: Ignore pycodestyle error E241 * d/rules.real: Move module installation to the image build rule * certs: check-in the default x509 config file * [rt] Update to 5.10.241-rt135 * d/b/gencontrol.py: Extend the effect of $DEBIAN_KERNEL_DISABLE_INSTALLER . [ Bastian Blank ] * [arm64] Enable hyperv-daemons package. (Closes: #1109891) * Drop not needed extra step to add debug links * Sign modules using an ephemeral key: (closes: #1040901) - Set MODULE_SIG_ALL to sign all modules. - No longer request Secure Boot signing for modules. - Don't trust Secure Boot key any longer. * Use abi name 0 for everything before unstable. * Store build time signing key encrypted. * Sign modules and support lockdown always. .
[ Santiago Ruano Rincón ] * d/salsa-ci.yml: Merge the extract-source job into the build's job script * d/salsa-ci.yml: Early move orig tarballs back where they can be cached Checksums-Sha1: e7a1a7aa4cba962d829b4820c172221897376f90 209429 linux_5.10.244-1.dsc 62437e33e8b6f59ff8ef1933811a45edcd619ba7 122105040 linux_5.10.244.orig.tar.xz 63a1e8aa5e38692b019379586abd3a876759b194 1759388 linux_5.10.244-1.debian.tar.xz 925646a153347062d10e8db9c840b55ff01d42b2 6215 linux_5.10.244-1_source.buildinfo Checksums-Sha256: 00564a843655ac1f6e2fd7268177cfb858c967817ac763b5ac255892f9fb8141 209429 linux_5.10.244-1.dsc 94fe544015224ab7b5ca3b391576c0c84be3b655e5e11a49b1e7cea8aa1db6be 122105040 linux_5.10.244.orig.tar.xz 36ea2de74f287912a440239b6b612fa748fc5e5727c651d32abfb8e1359d696f 1759388 linux_5.10.244-1.debian.tar.xz ce5275a6aaa052b5b0da1f4ca93422603f41a352ef2d7c721a034907484154c0 6215 linux_5.10.244-1_source.buildinfo Files: 09ad8798a50b72267c4ee3cdc8ba802b 209429 kernel optional linux_5.10.244-1.dsc bc7934639845d35972c02a8c6fba9ad9 122105040 kernel optional linux_5.10.244.orig.tar.xz c4e63eba4dc7de076e876673360c3f09 1759388 kernel optional linux_5.10.244-1.debian.tar.xz 0c6f6252283b773c6042d5173c29c979 6215 kernel optional linux_5.10.244-1_source.buildinfo -----BEGIN PGP SIGNATURE----- -----END PGP SIGNATURE-----