-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 29 Sep 2025 13:28:35 +0200
Source: linux-signed-arm64
Architecture: source
Version: 5.10.244+1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Changes:
linux-signed-arm64 (5.10.244+1) bullseye-security; urgency=high
.
* Sign kernel from linux 5.10.244-1
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.238
- ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset
- drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() (CVE-2025-37930)
- amd-xgbe: Fix to ensure dependent features are toggled with RX checksum
offload
- wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()
(CVE-2025-37990)
- dm-integrity: fix a warning on invalid table line
- dm: always update the array size in realloc_argv on success
- [amd64] iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
(CVE-2025-37927)
- [x86] iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57)
- tracing: Fix oob write in trace_seq_to_buffer() (CVE-2025-37923)
- net/sched: act_mirred: don't override retval if we already lost the skb
(CVE-2024-26739)
- net/mlx5: E-Switch, Initialize MAC Address for Default GID
- net/mlx5: Remove return statement exist at the end of void function
- net/mlx5: E-switch, Fix error handling for enabling roce
- net_sched: drr: Fix double list add in class with netem as child qdisc
(CVE-2025-37915)
- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child
qdisc (CVE-2025-37890)
- net_sched: ets: Fix double list add in class with netem as child qdisc
(CVE-2025-37914)
- net_sched: qfq: Fix double list add in class with netem as child qdisc
(CVE-2025-37913)
- net: ipv6: fix UDPv6 GSO segmentation with NAT
- bnxt_en: Fix ethtool -d byte order for 32-bit values
- nvme-tcp: fix premature queue removal and I/O failover
- net: lan743x: Fix memleak issue when GSO enabled (CVE-2025-37909)
- [arm*] net: fec: ERR007885 Workaround for conventional TX
- [armhf] PCI: imx6: Skip controller_id generation logic for i.MX7D
- of: module: add buffer overflow check in of_modalias() (CVE-2024-38541)
- [arm64] Revert "drm/meson: vclk: fix calculation of 59.94 fractional
rates" (regression in 5.10.219)
- [arm*] irqchip/gic-v2m: Add const to of_device_id
- [arm*] irqchip/gic-v2m: Mark a few functions __init
- [arm*] irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
(CVE-2025-37819)
- [arm*] usb: chipidea: ci_hdrc_imx: use dev_err_probe()
- [arm*] usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error
handling
- dm: fix copying after src array boundaries
- scsi: target: Fix WRITE_SAME No Data Buffer crash (CVE-2022-21546)
- openvswitch: Fix unsafe attribute parsing in output_userspace()
(CVE-2025-37998)
- can: gw: use call_rcu() instead of costly synchronize_rcu()
- rcu/kvfree: Add kvfree_rcu_mightsleep() and kfree_rcu_mightsleep()
- can: gw: fix RCU/BH usage in cgw_create_job()
- netfilter: ipset: fix region locking in hash types (CVE-2025-37997)
- [armhf] net: dsa: b53: allow leaky reserved multicast
- [armhf] net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave
- [armhf] net: dsa: b53: fix learning on VLAN unaware bridges
- [x86] Input: synaptics - enable InterTouch on Dynabook Portege X30-D
- [x86] Input: synaptics - enable InterTouch on Dynabook Portege X30L-G
- [x86] Input: synaptics - enable InterTouch on Dell Precision M3800
- [x86] Input: synaptics - enable SMBus for HP Elitebook 850 G1
- [x86] Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14
v5
- iio: adc: ad7606: fix serial register access
- iio: adis16201: Correct inclinometer channel resolution
- iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo
(CVE-2025-37970)
- iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo
(CVE-2025-37969)
- [armhf] usb: uhci-platform: Make the clock really optional
- xenbus: Use kref to track req lifetime (CVE-2025-37949)
- module: ensure that kobject_put() is safe for module type kobjects
(CVE-2025-37995)
- ocfs2: switch osb->disable_recovery to enum
- ocfs2: implement handshaking with ocfs2 recovery thread
- ocfs2: stop quota recovery before disabling quotas
- [arm*] usb: host: tegra: Prevent host controller crash when OTG port is
used
- usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition
- usb: typec: ucsi: displayport: Fix NULL pointer access (CVE-2025-37994)
- USB: usbtmc: use interruptible sleep in usbtmc_read
- usb: usbtmc: Fix erroneous get_stb ioctl error returns
- usb: usbtmc: Fix erroneous wait_srq ioctl return
- usb: usbtmc: Fix erroneous generic_read ioctl return
- types: Complement the aligned types with signed 64-bit one
- [arm*] drm/panel: simple: Update timings for AUO G101EVN010
- nvme: unblock ctrl state transition for firmware update
- do_umount(): add missing barrier before refcount checks in sync case
- [x86] platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection
- iio: adc: ad7768-1: Fix insufficient alignment of timestamp.
- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug
(CVE-2025-38024)
- nfs: handle failure of nfs_get_lock_context in unlock path
(CVE-2025-38023)
- net_sched: Flush gso_skb list too during ->change() (CVE-2025-37992)
- [arm64] net: cadence: macb: Fix a possible deadlock in macb_halt_tx.
(CVE-2025-38094)
- qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd()
- NFSv4/pnfs: Reset the layout state after a layoutreturn
- [arm64] ACPI: PPTT: Fix processor subtable walk
- [x86] ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2()
- [arm*] phy: Fix error handling in tegra_xusb_port_init
- wifi: mt76: disable napi on driver removal (CVE-2025-38009)
- [arm64] dmaengine: ti: k3-udma: Add missing locking (CVE-2025-38005)
- [x86] clocksource/i8253: Use raw_spinlock_irqsave() in
clockevent_i8253_disable()
- [arm*] ASoC: q6afe-clocks: fix reprobing of the driver (CVE-2021-47037)
- [x86] drm/vmwgfx: Fix a deadlock in dma buf fence polling
(CVE-2024-43863)
- usb: typec: altmodes/displayport: create sysfs nodes as driver's default
device attribute group (CVE-2024-35790)
- usb: typec: fix potential array underflow in ucsi_ccg_sync_control()
(CVE-2024-53203)
- usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control()
- btrfs: don't BUG_ON() when 0 reference count at
btrfs_lookup_extent_info() (CVE-2024-46751)
- netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx
- netfilter: nf_tables: wait for rcu grace period on net_device removal
- netfilter: nf_tables: do not defer rule destruction via call_rcu
- ice: arfs: fix use-after-free when freeing @rx_cpu_rmap (CVE-2022-49063)
- scsi: target: iscsi: Fix timeout on deleted connection (CVE-2025-38075)
- dma-mapping: avoid potential unused data compilation warning
- cgroup: Fix compilation issue due to cgroup_mutex not being exported
- NFSv4: Check for delegation validity in
nfs_start_delegation_return_locked()
- mailbox: use error ret code of of_parse_phandle_with_args()
- fbcon: Use correct erase colour for clearing in fbcon
- fbdev: core: tileblit: Implement missing margin clearing for tileblit
- NFSv4: Treat ENETUNREACH errors as fatal for state recovery
- SUNRPC: rpc_clnt_set_transport() must not change the autobind setting
- SUNRPC: rpcbind should never reset the port to the value '0'
- [arm64] thermal/drivers/qoriq: Power down TMU on system suspend
- dql: Fix dql->limit value when reset.
- pNFS/flexfiles: Report ENETDOWN as a connection error
- libnvdimm/labels: Fix divide error in nd_label_data_init()
(CVE-2025-38072)
- [x86] mmc: host: Wait for Vdd to settle on card power off
- [arm64] i2c: qup: Vote for interconnect bandwidth to DRAM
- i2c: pxa: fix call balance of i2c->clk handling routines
- btrfs: avoid linker error in btrfs_find_create_tree_block()
- btrfs: send: return -ENAMETOOLONG when attempting a path that is too long
- ext4: reorder capability check last
- scsi: st: Tighten the page format heuristics with MODE SELECT
- scsi: st: ERASE does not change tape location
- tcp: reorganize tcp_in_ack_event() and tcp_count_delivered()
- dm: restrict dm device size to 2^63-512 bytes
- [x86] xen: Add support for XenServer 6.1 platform device
- posix-timers: Add cond_resched() to posix_timer_add() search loop
- netfilter: conntrack: Bound nf_conntrack sysctl writes
- [arm64] mm: Check PUD_TYPE_TABLE in pud_bad()
- [arm64] tegra: p2597: Fix gpio for vdd-1v8-dis regulator
- tcp: bring back NUMA dispersion in inet_ehash_locks_alloc()
- [arm*] rtc: ds1307: stop disabling alarms on probe
- [armhf] tegra: Switch DSI-B clock parent to PLLD on Tegra114
- dm cache: prevent BUG_ON by blocking retries on failed device resumes
(CVE-2025-38066)
- orangefs: Do not truncate file size (CVE-2025-38065)
- drm/amdgpu: Do not program AGP BAR regs under SRIOV in gfxhub_v1_0.c
- media: cx231xx: set device_caps for 417 (CVE-2025-38044)
- [armhf] net: ethernet: ti: cpsw_new: populate netdev of_node
- net: pktgen: fix mpls maximum labels list parsing
- ipv4: fib: Move fib_valid_key_len() to rtm_to_fib_config().
- [arm64] clk: imx8mp: inform CCF of maximum frequency of clocks
- [armhf] hwmon: (gpio-fan) Add missing mutex locks
- [arm64] PCI: brcmstb: Expand inbound window size up to 64GB
- [arm64] PCI: brcmstb: Add a softdep to MIP MSI-X driver
- net/mlx5: Avoid report two health errors on same syndrome
- [amd64] drm/amdkfd: KFD release_work possible circular locking
- [arm64] net: xgene-v2: remove incorrect ACPI_PTR annotation
- bonding: report duplicate MAC address in all situations
- [x86] nmi: Add an emergency handler in nmi_desc & use it in
nmi_shootdown_cpus()
- cpuidle: menu: Avoid discarding useful information
- libbpf: Fix out-of-bound read
- scsi: mpt3sas: Send a diag reset if target reset fails
- wifi: rtw88: Fix rtw_init_vht_cap() for RTL8814AU
- wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU
- wifi: rtw88: Fix rtw_desc_to_mcsrate() to handle MCS16-31
- net: pktgen: fix access outside of user given buffer in
pktgen_thread_write() (CVE-2025-38061)
- [x86] EDAC/ie31200: work around false positive build warning
- [armhf] can: c_can: Use of_property_present() to test existence of DT
property
- eth: mlx4: don't try to complete XDP frames in netpoll
- PCI: Fix old_size lower bound in calculate_iosize() too
- ACPI: HED: Always initialize before evged
- net/mlx5: Modify LSB bitmask in temperature event to include only the
first bit
- net/mlx5: Apply rate-limiting to high temperature warning
- ASoC: ops: Enforce platform maximum on initial value
- ASoC: soc-dai: check return value at snd_soc_dai_set_tdm_slot()
- pinctrl: devicetree: do not goto err when probing hogs in
pinctrl_dt_to_map
- media: v4l: Memset argument to 0 before calling get_mbus_config pad op
- net/mlx4_core: Avoid impossible mlx4_db_alloc() order value
- phy: core: don't require set_mode() callback for phy_get_mode() to work
- drm/amd/display: Initial psr_version with correct setting
- net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB
- net/mlx5e: set the tx_queue_len for pfifo_fast
- net/mlx5e: reduce rep rxq depth to 256 for ECPF
- ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure().
- wifi: rtw88: Fix download_firmware_validate() for RTL8814AU
- [arm64] hwmon: (xgene-hwmon) use appropriate type for the latency value
- vxlan: Annotate FDB data races (CVE-2025-38037)
- scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine
- scsi: st: Restore some drive settings after reset
- drm/ast: Find VBIOS mode from regular display size
- bpftool: Fix readlink usage in get_fd_type
- [x86] perf/amd/ibs: Fix perf_ibs_op.cnt_mask for CurCnt
- wifi: rtw88: Don't use static local variable in
rtw8822b_set_tx_power_index_by_rate
- drm: Add valid clones check
- [arm*] pinctrl: meson: define the pull up/down resistor value as 60 kOhm
- [x86] ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013
- [x86] ALSA: hda/realtek: Add quirk for HP Spectre x360 15-df1xxx
- nvmet-tcp: don't restore null sk_state_change (CVE-2025-38035)
- btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref
(CVE-2025-38034)
- xenbus: Allow PVH dom0 a non-local xenstore
- __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock
(CVE-2025-38058)
- xfrm: Sanitize marks before insert
- bridge: netfilter: Fix forwarding of fragmented packets
- [arm*] net: dwmac-sun8i: Use parsed internal PHY address instead of 1
- sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()
(CVE-2025-38000)
- net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done
(CVE-2025-38052)
- crypto: algif_hash - fix double free in hash_accept (CVE-2025-38079)
- padata: do not leak refcount in reorder_work (CVE-2025-38031)
- can: bcm: add locking for bcm_op runtime updates (CVE-2025-38004)
- can: bcm: add missing rcu read protection for procfs content
(CVE-2025-38003)
- ALSA: pcm: Fix race of buffer access at PCM OSS layer (CVE-2025-38078)
- llc: fix data loss when reading from a socket in llc_ui_recvmsg()
- drm/edid: fixed the bug that hdr metadata was not reset
- memcg: always call cond_resched() after fn()
- mm/page_alloc.c: avoid infinite retries caused by cpuset race
- [arm64] spi: spi-fsl-dspi: restrict register range for regmap access
- [arm64] spi: spi-fsl-dspi: Halt the module after a new message transfer
- [arm64] spi: spi-fsl-dspi: Reset SR flags before sending a new message
- [x86] drm/i915/gvt: fix unterminated-string-initialization warning
- smb: client: Fix use-after-free in cifs_fill_dirent (CVE-2025-38051)
- smb: client: Reset all search buffer pointers when releasing buffer
- net_sched: hfsc: Address reentrant enqueue adding class to eltree twice
(CVE-2025-38001)
- coredump: fix error handling for replace_fd()
- pid: add pidfd_prepare()
- fork: use pidfd_prepare()
- coredump: hand a pidfd to the usermode coredump helper (dependency for
fixing CVE-2025-4598 in systemd)
- HID: quirks: Add ADATA XPG alpha wireless mouse support
- nfs: don't share pNFS DS connections between net namespaces
- [x86] platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS
- spi: spi-sun4i: fix early activation
- tpm: tis: Double the timeout B to 4s
- [x86] platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys
- [x86] platform/x86: thinkpad_acpi: Ignore battery threshold change event
notification
- xen/swiotlb: relax alignment requirements
- [arm64] perf/arm-cmn: Initialise cmn->cpu earlier
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.239
- [arm64] pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs
> 31
- [arm64] pinctrl: armada-37xx: set GPIO output value before setting
direction
- [x86] acpi-cpufreq: Fix nominal_freq units to KHz in
get_max_boost_ratio()
- usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE
- usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device
- usb: usbtmc: Fix timeout value in get_stb
- [x86] thunderbolt: Do not double dequeue a configuration request
(CVE-2025-38174)
- netfilter: nft_socket: fix sk refcount leaks (CVE-2024-46855)
- gfs2: gfs2_create_inode error handling fix
- perf/core: Fix broken throttling when max_samples_per_tick=1
- [x86] cpu: Sanitize CPUID(0x80000000) output
- [arm*] crypto: marvell/cesa - Handle zero-length skcipher requests
(CVE-2025-38173)
- [arm*] crypto: marvell/cesa - Avoid empty transfer descriptor
- crypto: lrw - Only add ecb if it is not already there
- crypto: xts - Only add ecb if it is not already there
- [arm64] crypto: sun8i-ce - move fallback ahash_request to the end of the
struct
- [amd64] EDAC/skx_common: Fix general protection fault (CVE-2025-38298)
- [x86] mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()
- ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions"
- [x86] drm/vmwgfx: Add seqno waiter for sync_files
- [arm*] firmware: psci: Fix refcount leak in psci_dt_init
- [arm*] drm/tegra: rgb: Fix the unbound reference count
- [arm64] firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
- wifi: ath11k: fix node corruption in ar->arvifs list (CVE-2025-38293)
- f2fs: fix to do sanity check on sbi->total_valid_block_count
(CVE-2025-38163)
- [armhf] net: ncsi: Fix GCPS 64-bit member variables
- wifi: rtw88: do not ignore hardware read error during DPK
- f2fs: clean up w/ fscrypt_is_bounce_page()
- netfilter: bridge: Move specific fragmented packet to slow_path instead
of dropping it
- RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
(CVE-2025-38161)
- [arm*] clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
(CVE-2025-38160)
- libbpf: Use proper errno value in nlattr
- [armhf] pinctrl: at91: Fix possible out-of-boundary access
(CVE-2025-38286)
- bpf: Fix WARN() in get_bpf_raw_tp_regs (CVE-2025-38285)
- wifi: ath9k_htc: Abort software beacon handling if disabled
(CVE-2025-38157)
- netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy
- vfio/type1: Fix error unwind in migration dirty bitmap allocation
- netfilter: nft_tunnel: fix geneve_opt dump
- net: usb: aqc111: fix error handling of usbnet read calls
(CVE-2025-38153)
- net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy
- calipso: Don't call calipso functions for AF_INET sk. (CVE-2025-38147)
- net: openvswitch: Fix the dead loop of MPLS parse (CVE-2025-38146)
- net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames
- f2fs: use d_inode(dentry) cleanup dentry->d_inode
- f2fs: fix to correct check conditions in f2fs_cross_rename
- [arm64] dts: imx8mm-beacon: Fix RTC capacitive load
- Squashfs: check return result of sb_min_blocksize (CVE-2025-38415)
- nilfs2: add pointer check for nilfs_direct_propagate()
- nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()
- [arm64] bus: fsl-mc: fix double-free on mc_dev (CVE-2025-38313)
- [arm64] dts: rockchip: disable unrouted USB controllers and PHY on
RK3399 Puma with Haikou
- [armhf] soc: aspeed: lpc: Fix impossible judgment condition
- [armhf] soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
(CVE-2025-38145)
- fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
(CVE-2025-38312)
- perf ui browser hists: Set actions->thread before calling
do_zoom_thread()
- backlight: pm8941: Add NULL check in wled_configure() (CVE-2025-38143)
- perf scripts python: exported-sql-viewer.py: Fix pattern matching with
Python 3
- perf tests switch-tracking: Fix timestamp comparison
- perf record: Fix incorrect --user-regs comments
- nfs: clear SB_RDONLY before getting superblock
- nfs: ignore SB_RDONLY when remounting nfs
- [arm64] dmaengine: ti: Add NULL check in udma_probe() (CVE-2025-38138)
- PCI/DPC: Initialize aer_err_info before using it
- rtc: Fix offset calculation for .start_secs < 0
- [arm*] usb: renesas_usbhs: Reorder clock handling and power management in
probe (CVE-2025-38136)
- [armhf] serial: Fix potential null-ptr-deref in mlb_usio_probe()
(CVE-2025-38135)
- iio: adc: ad7124: Fix 3dB filter frequency reading
- vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()
- net: stmmac: platform: guarantee uniqueness of bus_id
- gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
- net: tipc: fix refcount warning in tipc_aead_encrypt (CVE-2025-38273)
- net/mlx4_en: Prevent potential integer overflow calculating Hz
- Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION
- ice: create new Tx scheduler nodes for new queues only
- [x86] vmxnet3: correctly report gso type for UDP tunnels
- PM: sleep: Fix power.is_suspended cleanup for direct-complete devices
- do_change_type(): refuse to operate on unmounted/not ours mounts
(CVE-2025-38498)
- pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()
- Input: synaptics-rmi4 - convert to use sysfs_emit() APIs
- Input: synaptics-rmi - fix crash with unsupported versions of F34
- ath10k: add atomic protection for device recovery
- ath10k: prevent deinitializing NAPI twice
- ath10k: snoc: fix unbalanced IRQ enable in crash recovery
- scsi: iscsi: Fix incorrect error path labels for flashnode operations
- net_sched: sch_sfq: fix a potential crash on gso_skb handling
(CVE-2025-38115)
- i40e: return false from i40e_reset_vf if reset is in progress
- i40e: retry VFLR handling if there is ongoing VF reset
- tcp: factorize logic into tcp_epollin_ready()
- bpf: Clean up sockmap related Kconfigs
- net: Rename ->stream_memory_read to ->sock_is_readable
- net: Fix TOCTOU issue in sk_is_readable() (CVE-2025-38112)
- macsec: MACsec SCI assignment for ES = 0
- net: mdio: C22 is now optional, EOPNOTSUPP if not provided
- net/mdiobus: Fix potential out-of-bounds read/write access
(CVE-2025-38111)
- net/mlx5: Ensure fw pages are always allocated on same NUMA
- net/mlx5: Fix return value when searching for existing flow group
- net_sched: prio: fix a race in prio_tune() (CVE-2025-38083)
- net_sched: red: fix a race in __red_change() (CVE-2025-38108)
- net_sched: tbf: fix a race in tbf_change()
- sch_ets: make est_qlen_notify() idempotent
- net_sched: ets: fix a race in ets_qdisc_change() (CVE-2025-38107)
- fs/filesystems: Fix potential unsigned integer underflow in fs_name()
- posix-cpu-timers: fix race between handle_posix_cpu_timers() and
posix_cpu_timer_del() (CVE-2025-38352)
- [x86] boot/compressed: prefer cc-option for CFLAGS additions
- kbuild: Update assembler calls to use proper flags and language target
- kbuild: Add KBUILD_CPPFLAGS to as-option invocation
- usb: Flush altsetting 0 endpoints before reinitializating them after
reset.
- [arm64] xen/arm: call uaccess_ttbr0_enable for dm_op hypercall
- [x86] iopl: Cure TIF_IO_BITMAP inconsistencies (CVE-2025-38100)
- calipso: unlock rcu before returning -EAFNOSUPPORT
- net: usb: aqc111: debug info before sanitation
- tcp: tcp_data_ready() must look at SOCK_DONE
- configfs: Do not override creating attribute file failure in
populate_attrs()
- [arm*] crypto: marvell/cesa - Do not chain submitted requests
- gfs2: move msleep to sleepable context
- net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr()
- net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()
- wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
(CVE-2025-38348)
- nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
(CVE-2025-38430)
- nfsd: Initialize ssc before laundromat_work to prevent NULL dereference
(CVE-2025-38231)
- jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()
(CVE-2025-38337)
- wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723
- media: cxusb: no longer judge rbuf when the write fails (CVE-2025-38229)
- media: gspca: Add error handling for stv06xx_read_sensor()
- media: v4l2-dev: fix error handling in __video_register_device()
- [arm64] media: venus: Fix probe error handling
- media: videobuf2: use sgtable-based scatterlist wrappers
- media: vidtv: Terminating the subsequent process of initialization
failure (CVE-2025-38227)
- media: vivid: Change the siize of the composing (CVE-2025-38226)
- [armhf] 9447/1: arm/memremap: fix arch_memremap_can_ram_remap()
- [armhf] omap: pmic-cpcap: do not mess around without CPCAP or OMAP4
- bus: mhi: host: Fix conflict between power_up and SYSERR
- [x86] ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330
(CVE-2025-38336)
- [arm64] bus: fsl-mc: do not add a device-link for the UAPI used DPMCP
device
- ext4: inline: fix len overflow in ext4_prepare_inline_data
(CVE-2025-38222)
- ext4: fix calculation of credits for extent tree modification
- ext4: factor out ext4_get_maxbytes()
- ext4: ensure i_size is smaller than maxbytes
- Input: ims-pcu - check record size in ims_pcu_flash_firmware()
(CVE-2025-38428)
- f2fs: prevent kernel warning due to negative i_nlink from corrupted image
(CVE-2025-38219)
- f2fs: fix to do sanity check on sit_bitmap_size (CVE-2025-38218)
- NFC: nci: uart: Set tty->disc_data only in success path (CVE-2025-38416)
- fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var
(CVE-2025-38214)
- [arm64] clk: meson-g12a: add missing fclk_div2 to spicc
- ipc: fix to protect IPCS lookups using RCU (CVE-2025-38212)
- mm: fix ratelimit_pages update error in dirty_ratio_handler()
- [armhf] mtd: rawnand: sunxi: Add randomizer configuration in
sunxi_nfc_hw_ecc_write_chunk
- [armhf] mtd: nand: sunxi: Add randomizer configuration before randomizer
enable
- dm-mirror: fix a tiny race condition
- ftrace: Fix UAF when lookup kallsym after ftrace disabled
(CVE-2025-38346)
- net: ch9200: fix uninitialised access during mii_nway_restart
(CVE-2025-38086)
- [x86] uio_hv_generic: Use correct size for interrupt and monitor pages
- PCI: Fix lock symmetry in pci_slot_unlock()
- iio: imu: inv_icm42600: Fix temperature calculation
- iio: adc: ad7606_spi: fix reg write value mask
- ACPICA: fix acpi operand cache leak in dswstate.c (CVE-2025-38345)
- clocksource: Fix the CPUs' choice in the watchdog per CPU verification
- ACPICA: Avoid sequence overread in call to strncmp()
- ACPICA: fix acpi parse and parseext cache leaks (CVE-2025-38344)
- power: supply: bq27xxx: Retrieve again when busy
- ACPICA: utilities: Fix overflow check in vsnprintf()
- PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn()
- drm/amdgpu/gfx6: fix CSIB handling
- sunrpc: update nextcheck time when adding new cache entries
- [arm*] drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of
calling disable_irq()
- exfat: fix double free in delayed_free (CVE-2025-38206)
- [arm64] drm/msm/hdmi: add runtime PM calls to DDC transfer function
- media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition
- drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit()
- [arm64] drm/msm/a6xx: Increase HFI response timeout
- drm/amdgpu/gfx10: fix CSIB handling
- media: uapi: v4l: Change V4L2_TYPE_IS_CAPTURE condition
- drm/amdgpu/gfx7: fix CSIB handling
- ext4: ext4: unify EXT4_EX_NOCACHE|NOFAIL flags in ext4_ext_remove_space()
- jfs: fix array-index-out-of-bounds read in add_missing_indices
(CVE-2025-38204)
- sunrpc: fix race in cache cleanup causing stale nextcheck time
- ext4: prevent stale extent cache entries caused by concurrent get
es_cache
- drm/amdgpu/gfx8: fix CSIB handling
- drm/amdgpu/gfx9: fix CSIB handling
- jfs: Fix null-ptr-deref in jfs_ioc_trim (CVE-2025-38203)
- [arm64] drm/msm/dpu: don't select single flush for active CTL blocks
- [amd64] drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB
- [arm*] media: platform: exynos4-is: Add hardware sync wait to
fimc_is_hw_change_mode() (CVE-2025-38237)
- [arm64] thermal/drivers/qcom/tsens: Update conditions to strictly
evaluate for IP v2+
- cpufreq: Force sync policy boost with global boost on sysfs update
- [arm64] net: macb: Check return value of dma_set_mask_and_coherent()
- tipc: use kfree_sensitive() for aead cleanup
- emulex/benet: correct command version selection in be_cmd_get_stats()
- wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R
- sctp: Do not wake readers in __sctp_write_space()
- net: dlink: add synchronization for stats update
- tcp: always seek for minimal rtt in tcp_rcv_rtt_update()
- tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows
- ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT
- net: atlantic: generate software timestamp just before the doorbell
- [arm64] pinctrl: armada-37xx: propagate error from
armada_37xx_pmx_set_by_name()
- [arm64] pinctrl: armada-37xx: propagate error from
armada_37xx_gpio_get_direction()
- [arm64] pinctrl: armada-37xx: propagate error from
armada_37xx_pmx_gpio_set_direction()
- [arm64] pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get()
- net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info
- wifi: mac80211: do not offer a mesh path if forwarding is disabled
- [arm*] clk: rockchip: rk3036: mark ddrphy as critical
- scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands
- [amd64] iommu/amd: Ensure GA log notifier callbacks finish running before
module unload
- vxlan: Do not treat dst cache initialization errors as fatal
- software node: Correct a OOB check in software_node_get_reference_args()
(CVE-2025-38342)
- scsi: lpfc: Use memcpy() for BIOS version (CVE-2025-38332)
- sock: Correct error checking condition for (assign|release)_proto_idx()
- i40e: fix MMIO write access to an invalid page in i40e_clear_hw
(CVE-2025-38200)
- [armhf] watchdog: da9052_wdt: respect TWDMIN
- [arm64] bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value
- [armhf] OMAP2+: Fix l4ls clk domain handling in STANDBY
- [arm*] tee: Prevent size calculation wraparound on 32-bit kernels
- [armhf] Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect
devices first"
- [x86] platform/x86: dell_rbu: Fix list usage (CVE-2025-38197)
- [x86] platform/x86: dell_rbu: Stop overwriting data buffer
- drivers/rapidio/rio_cm.c: prevent possible heap overwrite
(CVE-2025-38090)
- jffs2: check that raw node were preallocated before writing summary
(CVE-2025-38194)
- jffs2: check jffs2_prealloc_raw_node_refs() result in few other places
(CVE-2025-38328)
- [x86] scsi: storvsc: Increase the timeouts to storvsc_timeout
- selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len
- atm: Revert atm_account_tx() if copy_from_iter_full() fails.
(CVE-2025-38190)
- HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
(CVE-2025-38103)
- ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound
card
- [x86] ALSA: hda/intel: Add Thinkpad E15 to PM deny list
- [x86] ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged
- hugetlb: unshare some PMDs when splitting VMAs
- mm/hugetlb: unshare page tables during VMA split, not before
(CVE-2025-38084)
- mm: hugetlb: independent PMD page table shared count (CVE-2024-57883)
- mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race (CVE-2025-38085)
- drm/nouveau/bl: increase buffer size to avoid truncate warning
- [armhf] hwmon: (occ) Add new temperature sensor type
- [armhf] hwmon: (occ) Add soft minimum power cap attribute
- [armhf] hwmon: (occ) Rework attribute registration for stack usage
- [armhf] hwmon: (occ) fix unaligned accesses
- aoe: clean device rq_list in aoedev_downdev() (CVE-2025-38326)
- net: ice: Perform accurate aRFS flow match
- wifi: carl9170: do not ping device which has failed to load firmware
(CVE-2025-38420)
- mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().
(CVE-2025-38324)
- atm: atmtcp: Free invalid length skb in atmtcp_c_send(). (CVE-2025-38185)
- tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen()
behavior
- tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer
(CVE-2025-38184)
- calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
(CVE-2025-38181)
- net: atm: add lec_mutex (CVE-2025-38323)
- net: atm: fix /proc/net/atm/lec handling (CVE-2025-38180)
- [armhf] dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board
- [armhf] dts: am335x-bone-common: Increase MDIO reset deassert time
- [armhf] dts: am335x-bone-common: Increase MDIO reset deassert delay to
50ms
- [arm64] insn: Add barrier encodings
- [arm64] move AARCH64_BREAK_FAULT into insn-def.h
- [arm64] insn: add encoders for atomic operations
- [arm64] insn: Add support for encoding DSB
- [arm64] proton-pack: Expose whether the platform is mitigated by firmware
- [arm64] errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB
- [arm64] errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe
list
- [arm64] errata: Add newer ARM cores to the spectre_bhb_loop_affected()
lists
- [arm64] errata: Add missing sentinels to Spectre-BHB MIDR arrays
- [arm64] proton-pack: Expose whether the branchy loop k value
- [arm64] spectre: increase parameters that can be used to turn off bhb
mitigation individually
- [arm64] bpf: Add BHB mitigation to the epilogue for cBPF programs
(CVE-2025-37948)
- [arm64] bpf: Only mitigate cBPF programs loaded by unprivileged users
(CVE-2025-37963)
- [arm64] proton-pack: Add new CPUs 'k' values for branch mitigation
- net/ipv4: fix type mismatch in inet_ehash_locks_alloc() causing build
failure
- net: Fix checksum update for ILA adj-transport
- bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE
- rtc: Improve performance of rtc_time64_to_tm(). Add tests.
- rtc: Make rtc_time64_to_tm() support dates before 1970
- net_sched: sch_sfq: annotate data-races around q->perturb_period
- net_sched: sch_sfq: handle bigger packets
- net_sched: sch_sfq: don't allow 1 packet limit (CVE-2024-57996)
- net_sched: sch_sfq: use a temporary work area for validating
configuration
- net_sched: sch_sfq: move the limit validation
- mm/huge_memory: fix dereferencing invalid pmd migration entry
(CVE-2025-37958)
- [armhf] hwmon: (occ) Fix P10 VRM temp sensors
- perf: Fix sample vs do_exit() (CVE-2025-38424)
- [arm64] ptrace: Fix stack-out-of-bounds read in
regs_get_kernel_stack_nth() (CVE-2025-38320)
- bpf: fix precision backtracking instruction iteration
- scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.240
- cifs: Fix cifs_query_path_info() for Windows NT servers
- NFSv4.2: fix listxattr to return selinux security label
- mailbox: Not protect module_put with spin_lock_irqsave
- md/md-bitmap: fix dm-raid max_write_behind setting
- bcache: fix NULL pointer in cache_set_flush() (CVE-2025-38263)
- iio: pressure: zpa2326: Use aligned_s64 for the timestamp
- [arm*] usb: common: usb-conn-gpio: use a unique name for usb connector
device
- usb: Add checks for snprintf() calls in usb_alloc_dev()
- usb: cdc-wdm: avoid setting WDM_READ for ZLP-s
- usb: typec: displayport: Receive DP Status Update NAK request exit dp
altmode
- ALSA: hda: Ignore unsol events for cards being shut down
- ALSA: hda: Add new pci id for AMD GPU display HD audio controller
- ceph: fix possible integer overflow in ceph_zero_objects()
- ovl: Check for NULL d_inode() in ovl_dentry_upper()
- [x86] VMCI: check context->notify_page after call to
get_user_pages_fast() to avoid GPF (CVE-2023-53259)
- [x86] VMCI: fix race between vmci_host_setup_notify and
vmci_ctx_unset_notify (CVE-2025-38102)
- fs/jfs: consolidate sanity checking in dbMount
- jfs: validate AG parameters in dbMount() to prevent crashes
(CVE-2025-38230)
- [armhf] media: omap3isp: use sgtable-based scatterlist wrappers
- f2fs: don't over-report free space or inodes in statvfs
- RDMA/core: Use refcount_t instead of atomic_t on refcount of
iwcm_id_private
- RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
(CVE-2025-38211)
- [x86] uio: uio_hv_generic: use devm_kzalloc() for private data alloc
- [x86] Drivers: hv: vmbus: Fix duplicate CPU assignments within a device
- [x86] Drivers: hv: Rename 'alloced' to 'allocated'
- [x86] Drivers: hv: vmbus: Add utility function for querying ring size
- [x86] uio_hv_generic: Query the ringbuffer size for device
- [x86] uio_hv_generic: Align ring size to system page
- net_sched: sch_sfq: reject invalid perturb period (CVE-2025-38193)
- i2c: tiny-usb: disable zero-length read messages
- i2c: robotfuzz-osif: disable zero-length read messages
- atm: clip: prevent NULL deref in clip_push() (CVE-2025-38251)
- ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()
(CVE-2025-38249)
- attach_recursive_mnt(): do not lock the covering tree when sliding
something under it
- libbpf: Fix null pointer dereference in btf_dump__free on allocation
failure
- wifi: mac80211: fix beacon interval calculation overflow
- vsock/uapi: fix linux/vm_sockets.h userspace compilation errors
- atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().
(CVE-2025-38245)
- Bluetooth: L2CAP: Fix L2CAP MTU negotiation
- dm-raid: fix variable in journal device check
- btrfs: update superblock's device bytes_used when dropping chunk
- HID: wacom: fix memory leak on kobject creation failure
- HID: wacom: fix memory leak on sysfs attribute creation failure
- HID: wacom: fix kobject reference count leak
- [arm*] drm/tegra: Assign plane type before registration
- [arm*] drm/tegra: Fix a possible null pointer dereference
(CVE-2025-38363)
- drm/udl: Unregister device before cleaning up on disconnect
- [amd64] drm/amdkfd: Fix race in GWS queue scheduling
- [amd64] PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time
- [arm64] Restrict pagetable teardown to avoid false warning
- rtc: cmos: use spin_lock_irqsave in cmos_interrupt
- [x86] vsock/vmci: Clear the vmci transport packet properly when
initializing it (CVE-2025-38403)
- mmc: sdhci: Add a helper function for dump register in dynamic debug mode
- usb: typec: altmodes/displayport: do not index invalid pin_assignments
(CVE-2025-38391)
- RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert
(CVE-2025-38387)
- nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.
(CVE-2025-38400)
- NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN (CVE-2025-38393)
- scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()
- scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()
- scsi: ufs: core: Fix spelling of a sysfs attribute name
- RDMA/mlx5: Fix CC counters query for MPV
- btrfs: fix missing error handling when searching for inode refs during
log replay
- [armhf] drm/exynos: fimd: Guard display clock control with runtime PM
calls
- [arm64] spi: spi-fsl-dspi: Clear completion counter before initiating
transfer
- [x86] drm/i915/gt: Fix timeline left held on VMA alloc error
(CVE-2025-38389)
- amd-xgbe: align CL37 AN sequence as per databook
- enic: fix incorrect MTU comparison in enic_change_mtu()
- rose: fix dangling neighbour pointers in rose_rt_device_down()
(CVE-2025-38377)
- nui: Fix dma_mapping_error() check
- net/sched: Always pass notifications when child class becomes empty
(CVE-2025-38350)
- [i386] ALSA: sb: Force to disable DMAs once when DMA mode is changed
- scsi: target: Fix NULL pointer dereference in
core_scsi3_decode_spec_i_port() (CVE-2025-38399)
- wifi: mac80211: drop invalid source address OCB frames
- wifi: ath6kl: remove WARN on bad firmware input (CVE-2025-38406)
- ACPICA: Refuse to evaluate a method if arguments are missing
(CVE-2025-38386)
- rcu: Return early if callback is not specified
- regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods
(CVE-2025-38395)
- mtk-sd: Prevent memory corruption from DMA map failure (CVE-2025-38401)
- [armhf] drm/v3d: Disable interrupts before resetting the GPU
(CVE-2025-38371)
- RDMA/mlx5: Fix vport loopback for MPV device
- flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes
- NFSv4/flexfiles: Fix handling of NFS level errors in I/O
- btrfs: propagate last_unlink_trans earlier when doing a rmdir
- btrfs: use btrfs_record_snapshot_destroy() during rmdir
- [arm64] dpaa2-eth: rename dpaa2_eth_xdp_release_buf into
dpaa2_eth_recycle_buf
- [arm64] dpaa2-eth: Update dpni_get_single_step_cfg command
- [arm64] dpaa2-eth: Update SINGLE_STEP register access
- [arm64] net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats
- [arm64] dpaa2-eth: fix xdp_rxq_info leak
- Logitech C-270 even more broken
- usb: typec: displayport: Fix potential deadlock (CVE-2025-38404)
- [x86] ACPI: PAD: fix crash in exit_round_robin() (CVE-2024-49935)
- media: uvcvideo: Return the number of processed controls
- media: uvcvideo: Send control events for partial succeeds
- media: uvcvideo: Rollback non processed entities on error
- staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()
- [arm*] drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling
(CVE-2025-38467)
- perf: Revert to requiring CAP_SYS_ADMIN for uprobes (CVE-2025-38466)
- fix proc_sys_compare() handling of in-lookup dentries
- netlink: Fix wraparounds of sk->sk_rmem_alloc. (CVE-2025-38465)
- tipc: Fix use-after-free in tipc_conn_close(). (CVE-2025-38464)
- vsock: Fix transport_{g2h,h2g} TOCTOU (CVE-2025-38462)
- vm_sockets: Add flags field in the vsock address data structure
- vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag
- af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path
- af_vsock: Assign the vsock transport considering the vsock address flags
- vsock: Fix transport_* TOCTOU (CVE-2025-38461)
- vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local`
- net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap
- net: phy: smsc: Fix link failure in forced mode with Auto-MDIX
- atm: clip: Fix potential null-ptr-deref in to_atmarpd(). (CVE-2025-38460)
- atm: clip: Fix memory leak of struct clip_vcc. (CVE-2025-38546)
- atm: clip: Fix infinite recursive call of clip_push(). (CVE-2025-38459)
- atm: clip: Fix NULL pointer dereference in vcc_sendmsg() (CVE-2025-38458)
- net/sched: Abort __tc_modify_qdisc if parent class does not exist
(CVE-2025-38457)
- fs/proc: do_task_stat: use __for_each_thread()
- rxrpc: Fix oops due to non-existence of prealloc backlog struct
(CVE-2025-38514)
- [amd64] Mitigate Indirect Target Selection (CVE-2024-28956):
+ Documentation: x86/bugs/its: Add ITS documentation
+ x86/bhi: Define SPEC_CTRL_BHI_DIS_S
+ x86/its: Enumerate Indirect Target Selection (ITS) bug
+ x86/alternatives: Introduce int3_emulate_jcc()
+ x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions
+ x86/its: Add support for ITS-safe indirect thunk
+ x86/alternative: Optimize returns patching
+ x86/alternatives: Remove faulty optimization
+ x86/its: Add support for ITS-safe return thunk
+ x86/its: Fix undefined reference to cpu_wants_rethunk_at()
+ x86/its: Enable Indirect Target Selection mitigation
+ x86/its: Add "vmexit" option to skip mitigation on some CPUs
+ x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc()
+ x86/its: Use dynamic thunks for indirect branches
+ x86/its: Fix build errors when CONFIG_MODULES=n
+ x86/its: FineIBT-paranoid vs ITS
- [x86] mce/amd: Fix threshold limit reset
- [x86] mce: Don't remove sysfs if thresholding sysfs init fails
- [x86] mce: Make sure CMCI banks are cleared during shutdown on Intel
- [arm64] pinctrl: qcom: msm: mark certain pins as invalid for interrupts
(CVE-2025-38516)
- drm/sched: Increment job count before swapping tail spsc queue
(CVE-2025-38515)
- usb: gadget: u_serial: Fix race condition in TTY wakeup (CVE-2025-38448)
- ethernet: atl1: Add missing DMA mapping error checks and count errors
- netlink: Fix rmem check in netlink_broadcast_deliver().
- netlink: make sure we allow at least one dump skb
- [x86] Input: xpad - add support for Amazon Game Controller
- [x86] Input: xpad - add VID for Turtle Beach controllers
- [x86] Input: xpad - support Acer NGR 200 Controller
- dma-buf: fix timeout handling in dma_resv_wait_timeout v2
- wifi: zd1211rw: Fix potential NULL pointer dereference in
zd_mac_tx_to_dev() (CVE-2025-38513)
- md/raid1: Fix stack memory use after return in raid1_reshape
(CVE-2025-38445)
- net: appletalk: Fix device refcount leak in atrtr_create()
(CVE-2025-38542)
- net: phy: microchip: limit 100M workaround to link-down events on LAN88xx
- bnxt_en: Fix DCB ETS validation
- bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT (CVE-2025-38439)
- [x86] atm: idt77252: Add missing `dma_map_error()`
- net: usb: qmi_wwan: add SIMCom 8230C composition
- vt: add missing notification when switching back to text mode
- HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY
- HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras
(CVE-2025-38540)
- Input: atkbd - do not skip atkbd_deactivate() when skipping
ATKBD_CMD_GETID
- vhost-scsi: protect vq->log_used with vq->mutex (CVE-2025-38074)
- [i386] mm: Disable hugetlb page table sharing on 32-bit
- [x86] Mitigate Transient Scheduler Attacks (CVE-2024-36350,
CVE-2024-36357):
- x86/bugs: Rename MDS machinery to something more generic
- x86/bugs: Add a Transient Scheduler Attacks mitigation
- KVM: x86: add support for CPUID leaf 0x80000021
- KVM: SVM: Advertise TSA CPUID bits to guests
- x86/process: Move the buffer clearing before MONITOR
- rseq: Fix segfault on registration when rseq_cs is non-zero
(CVE-2025-38067)
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.241
- [arm64] phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY
mode (CVE-2025-38535)
- USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition
- USB: serial: option: add Foxconn T99W640
- USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI
- usb: gadget: configfs: Fix OOB read on empty string write
(CVE-2025-38497)
- [armhf] i2c: stm32: fix the device used for the DMA map
- [x86] thunderbolt: Fix bit masking in tb_dp_port_set_hops()
- [x86] Input: xpad - set correct controller type for Acer NGR200
- [i386] pch_uart: Fix dma_sync_sg_for_device() nents value
- HID: core: ensure the allocated report buffer can contain the reserved
report ID (CVE-2025-38495)
- HID: core: ensure __hid_request reserves the report ID as the first byte
- HID: core: do not bypass hid_hw_raw_request (CVE-2025-38494)
- phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in
pep_sock_accept()
- af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd()
- af_packet: fix soft lockup issue caused by tpacket_snd()
- [armhf] dmaengine: nbpfaxi: Fix memory corruption in probe()
(CVE-2025-38538)
- isofs: Verify inode mode when loading from disk
- memstick: core: Zero initialize id_reg in h_memstick_read_dev_id()
- [arm*] mmc: bcm2835: Fix dma_unmap_sg() nents value
- [x86] mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based
Positivo models
- [armhf] soc: aspeed: lpc-snoop: Cleanup resources in stack-order
- [armhf] soc: aspeed: lpc-snoop: Don't disable channels that aren't
enabled (CVE-2025-38487)
- iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]
- iio: adc: max1363: Reorder mode_list[] entries
- [i386] comedi: pcl812: Fix bit shift out of bounds (CVE-2025-38530)
- [i386] comedi: aio_iiro_16: Fix bit shift out of bounds (CVE-2025-38529)
- [i386] comedi: das16m1: Fix bit shift out of bounds (CVE-2025-38483)
- [i386] comedi: das6402: Fix bit shift out of bounds (CVE-2025-38482)
- [x86] comedi: Fix some signed shift left operations
- comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
(CVE-2025-38480)
- comedi: Fix initialization of data for instructions that write to
subdevice (CVE-2025-38478)
- net/sched: sch_qfq: Fix race condition on qfq_aggregate
(CVE-2025-38477)
- rpl: Fix use-after-free in rpl_do_srh_inline(). (CVE-2025-38476)
- hwmon: (corsair-cpro) Validate the size of the received input buffer
(CVE-2025-38548)
- usb: net: sierra: check for no status endpoint (CVE-2025-38474)
- Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() (CVE-2025-38473)
- Bluetooth: SMP: If an unallowed command is received consider it a failure
- Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout
- Bluetooth: L2CAP: Fix attempting to adjust outgoing MTU
- net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during
runtime (CVE-2025-38470)
- net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree
(CVE-2025-38468)
- usb: hub: fix detection of high tier USB3 devices behind suspended hubs
- usb: hub: Fix flushing and scheduling of delayed work that tunes runtime
pm
- usb: hub: Fix flushing of delayed work used for post resume purposes
- [arm*] usb: musb: Add and use inline functions musb_{get,set}_state
- [arm*] usb: musb: fix gadget state on disconnect
- [arm64] usb: dwc3: qcom: Don't leave BCR asserted
- [arm64] ASoC: fsl_sai: Force a software reset when starting in consumer
mode
- mm/vmalloc: leave lazy MMU mode on PTE mapping error
- virtio-net: ensure the received length does not exceed allocated size
(CVE-2025-38375)
- [arm*] xhci: Disable stream for xHC controller with XHCI_BROKEN_STREAMS
- regulator: core: fix NULL dereference on unbind due to stale coupling
data (CVE-2025-38668)
- RDMA/core: Rate limit GID cache warning messages
- i40e: Add rx_missed_errors for buffer exhaustion
- i40e: report VF tx_dropped with tx_errors instead of tx_discards
- net: appletalk: Fix use-after-free in AARP proxy probe (CVE-2025-38666)
- net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in
qfq_delete_class
- [arm64] net: hns3: refine the struct hane3_tc_info
- [arm64] net: hns3: fixed vf get max channels bug
- [arm64] i2c: qup: jump out of the loop in case of timeout
(CVE-2025-38671)
- [x86] ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx
- e1000e: disregard NVM checksum on tgp when valid checksum bit is not set
- e1000e: ignore uninitialized checksum word on tgp
- gve: Fix stuck TX queue for DQ queue format
- nilfs2: reject invalid file types when reading inodes (CVE-2025-38663)
- [amd64] x86/bugs: Fix use of possibly uninit value in
amd_check_tsa_microcode()
- comedi: comedi_test: Fix possible deletion of uninitialized timers
- ALSA: hda: Add missing NVIDIA HDA codec IDs
- [arm*] usb: chipidea: add USB PHY event
- [armhf] usb: phy: mxs: disconnect line when USB charger is attached
- fs_context: fix parameter name in infofc() macro
- hfsplus: remove mutex_lock check in hfsplus_free_extents (CVE-2025-38650)
- ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask()
- ASoC: ops: dynamically allocate struct snd_ctl_elem_value
- staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()
(CVE-2025-38612)
- pps: fix poll support
- [armhf] dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485
interface
- [arm64] dts: imx8mm-beacon: Fix HS400 USDHC clock speed
- cpufreq: Initialize cpufreq-based frequency-invariance later
- cpufreq: Init policy->rwsem before it may be possibly used
- [arm*] drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed
- bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
(CVE-2025-38608)
- bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure
- wifi: rtl818x: Kill URBs before clearing tx status queue (CVE-2025-38604)
- wifi: iwlwifi: Fix memory leak in iwl_mvm_init()
- iwlwifi: Add missing check for alloc_ordered_workqueue
(CVE-2025-38602)
- wifi: ath11k: clear initialized flag for deinit-ed srng lists
(CVE-2025-38601)
- tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range
- drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value
- netfilter: nf_tables: adjust lockdep assertions handling
- net/sched: Restrict conditions for adding duplicating netems to qdisc
tree (CVE-2025-38553)
- net_sched: act_ctinfo: use atomic64_t for three counters
- xen/gntdev: remove struct gntdev_copy_batch from stack
- wifi: rtl8xxxu: Fix RX skb size for aggregation disabled
- mwl8k: Add missing check after DMA map
- wifi: mac80211: Check 802.11 encaps offloading in
ieee80211_tx_h_select_key()
- Reapply "wifi: mac80211: Update skb's control block key in
ieee80211_tx_dequeue()"
- wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P
IE
- can: kvaser_usb: Assign netdev.dev_port based on device channel index
- netfilter: xt_nfacct: don't assume acct name is null-terminated
(CVE-2025-38639)
- vrf: Drop existing dst reference in vrf_ip6_input_dst
- [arm64] PCI: rockchip-host: Fix "Unexpected Completion" log message
- [arm*] crypto: marvell/cesa - Fix engine load inaccuracy
- mtd: fix possible integer overflow in erase_xfer()
- [armhf] clk: davinci: Add NULL check in davinci_lpsc_clk_register()
(CVE-2025-38635)
- [arm*] pinctrl: sunxi: Fix memory leak on krealloc failure
- [arm64] crypto: inside-secure - Fix `dma_unmap_sg()` nents value
- crypto: ccp - Fix crash when rebind ccp device for ccp.ko
(CVE-2025-38581)
- [armhf] clk: sunxi-ng: v3s: Fix de clock definition
- scsi: mvsas: Fix dma_unmap_sg() nents value
- [x86] scsi: isci: Fix dma_unmap_sg() nents value
- soundwire: stream: restore params when prepare ports fail
- fs/orangefs: Allow 2 more characters in do_c_string()
- [arm*] dmaengine: mv_xor: Fix missing check after DMA map and missing
unmap
- [x86] crypto: qat - fix seq_file position update in adf_ring_next()
- jfs: fix metapage reference count leak in dbAllocCtl
- vhost-scsi: Fix log flooding with target does not exist errors
- bpf: Check flow_dissector ctx accesses are aligned
- apparmor: ensure WB_HISTORY_SIZE value is a power of 2
- module: Restore the moduleparam prefix length check
- [arm*] rtc: ds1307: fix incorrect maximum clock rate handling
- [arm64] rtc: pcf85063: fix incorrect maximum clock rate handling
- [arm*] rtc: pcf8563: fix incorrect maximum clock rate handling
- f2fs: fix to avoid UAF in f2fs_sync_inode_meta() (CVE-2025-38578)
- f2fs: fix to avoid panic in f2fs_evict_inode (CVE-2025-38577)
- f2fs: fix to avoid out-of-boundary access in devs.path (CVE-2025-38652)
- scsi: ufs: core: Use link recovery when h8 exit fails during runtime
resume
- pNFS/flexfiles: Avoid spurious layout returns in
ff_layout_choose_ds_for_read
- pNFS/flexfiles: don't attempt pnfs on fatal DS errors
- NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()
(CVE-2025-39730)
- NFSv4.2: another fix for listxattr
- mm: extract might_alloc() debug check
- XArray: Add calls to might_alloc()
- NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY
- netpoll: prevent hanging NAPI when netcons gets enabled
- phy: mscc: Fix parsing of unicast frames
- pptp: ensure minimal skb length in pptp_xmit() (CVE-2025-38574)
- ipv6: reject malicious packets in ipv6_gso_segment() (CVE-2025-38572)
- net: drop UFO packets in udp_rcv_segment() (CVE-2025-38622)
- benet: fix BUG when creating VFs (CVE-2025-38569) (regression in
5.10.235)
- ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out()
- smb: client: let recv_done() cleanup before notifying the callers.
- pptp: fix pptp_xmit() error path
- perf/core: Don't leak AUX buffer refcount on allocation failure
- perf/core: Exit early on perf_mmap() fail (CVE-2025-38565)
- perf/core: Prevent VMA split of buffer mappings (CVE-2025-38563)
- net/packet: fix a race in packet_set_ring() and packet_notifier()
(CVE-2025-38617)
- vsock: Do not allow binding to VMADDR_PORT_ANY (CVE-2025-38618)
- USB: serial: option: add Foxconn T99W709
- mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery
- usb: gadget : fix use-after-free in composite_dev_cleanup()
(CVE-2025-38555)
- io_uring: don't use int for ABI
- ALSA: usb-audio: Validate UAC3 power domain descriptors, too
(CVE-2025-38729)
- ALSA: usb-audio: Validate UAC3 cluster segment descriptors
(CVE-2025-39757)
- netlink: avoid infinite retry looping in netlink_unicast()
(CVE-2025-38727)
- nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
(CVE-2025-38724)
- NFSD: detect mismatch of file handle and delegation stateid in OPEN op
- fs: Prevent file descriptor table allocations exceeding INT_MAX
(CVE-2025-39756)
- ACPI: processor: perflib: Fix initial _PPC limit application
- ACPI: processor: perflib: Move problematic pr->performance check
- udp: also consider secpath when evaluating ipsec use for checksumming
- netfilter: ctnetlink: fix refcount leak on table dump (CVE-2025-38721)
- sctp: linearize cloned gso packets in sctp_rcv (CVE-2025-38718)
- [x86] intel_idle: Allow loading ACPI tables for any family
- cpuidle: governors: menu: Avoid using invalid recent intervals data
- hfs: fix slab-out-of-bounds in hfs_bnode_read() (CVE-2025-38715)
- hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() (CVE-2025-38714)
- hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
(CVE-2025-38713)
- hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
(CVE-2025-38712)
- udf: Verify partition map count
- drbd: add missing kref_get in handle_write_conflicts (CVE-2025-38708)
- hfs: fix not erasing deleted b-tree node issue
- ata: libata-sata: Disallow changing LPM state if not supported
- securityfs: don't pin dentries twice, once is enough...
- usb: xhci: print xhci->xhc_state when queue_command failed
- [arm64] cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag
- usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default
- usb: xhci: Avoid showing warnings for dying controller
- usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command
- usb: xhci: Avoid showing errors during surprise removal
- cpufreq: Exit governor when failed to start old governor
- [armhf] rockchip: fix kernel hang during smp initialization
(CVE-2025-39752)
- ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was
successed
- [armhf] tegra: Use I/O memcpy to write to IRAM (CVE-2025-39794)
- PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()
- thermal: sysfs: Return ENODATA instead of EAGAIN for reads
- PM: sleep: console: Fix the black screen issue
- ACPI: processor: fix acpi_object initialization
- [arm64] mmc: sdhci-msm: Ensure SD card power isn't ON when card removed
- ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path
- [x86] bugs: Avoid warning when overriding return thunk
- [x86] ASoC: hdac_hdmi: Rate limit logging on connection and disconnection
- [x86] ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4
- ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()
(CVE-2025-38706)
- usb: core: usb_submit_urb: downgrade type check
- [x86] pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in
mperf_stop()
- [arm64] platform/chrome: cros_ec_typec: Defer probe on missing EC parent
- ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
(CVE-2025-39751)
- ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop
- ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros
- iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement
- ASoC: codecs: rt5640: Retry DEVICE_ID verification
- xen/netfront: Fix TX response spurious interrupts
- wifi: cfg80211: reject HTC bit for management frames
- be2net: Use correct byte order and format string for TCP seq and ack_seq
- et131x: Add missing check after DMA map
- rcu: Protect ->defer_qs_iw_pending from data race (CVE-2025-39749)
- wifi: cfg80211: Fix interface type validation
- net: ipv4: fix incorrect MTU in broadcast routes
- [arm64] net: thunderx: Fix format-truncation warning in
bgx_acpi_match_id()
- wifi: iwlwifi: mvm: fix scan request validation
- [arm*] net: fec: allow disable coalescing
- drm/amd/display: Separate set_gsl from set_gsl_source_select
- wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
- wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect
- drm/amd/display: Fix 'failed to blank crtc!'
- wifi: rtlwifi: fix possible skb memory leak in
`_rtl_pci_rx_interrupt()`.
- netmem: fix skb_frag_address_safe with unreadable skbs
- wifi: iwlegacy: Check rate_idx range after addition
- net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs
- gve: Return error for unknown admin queue command
- [armhf] net: dsa: b53: fix b53_imp_vlan_setup for BCM5325
- [armhf] net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325
- [armhf] net: dsa: b53: prevent SWITCH_CTRL access on BCM5325
- wifi: rtlwifi: fix possible skb memory leak in
_rtl_pci_init_one_rxdesc()
- [armhf] net: ncsi: Fix buffer overflow in fetching version id
- drm/ttm: Should to return the evict error
- uapi: in6: restore visibility of most IPv6 socket options
- [amrhf] net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325
- vhost: fail early when __vhost_add_used() fails
- cifs: Fix calling CIFSFindFirst() for root path without msearch
- ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
(CVE-2025-38701)
- scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is
allocated (CVE-2025-38700)
- fs/orangefs: use snprintf() instead of sprintf()
- [arm*] watchdog: dw_wdt: Fix default timeout
- scsi: bfa: Double-free fix (CVE-2025-38699)
- jfs: truncate good inode pages when hard link is 0 (CVE-2025-39743)
- jfs: Regular file corruption check (CVE-2025-38698)
- jfs: upper bound check of tree index in dbAllocAG (CVE-2025-38697)
- [amd64] RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
(CVE-2025-39742)
- RDMA/core: reduce stack using in nldev_stat_get_doit()
- scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
(CVE-2025-38695)
- scsi: mpt3sas: Correctly handle ATA device errors
- [armhf] pinctrl: stm32: Manage irq affinity settings
- media: usb: hdpvr: disable zero-length read messages
- media: dvb-frontends: dib7090p: fix null-ptr-deref in
dib7090p_rw_on_apb() (CVE-2025-38694)
- media: dvb-frontends: w7090p: fix null-ptr-deref in
w7090p_tuner_write_serpar and w7090p_tuner_read_serpar (CVE-2025-38693)
- media: uvcvideo: Fix bandwidth issue for Alcor camera
- md: dm-zoned-target: Initialize return variable r to avoid uninitialized
use
- [arm*] rtc: ds1307: handle oscillator stop flag (OSF) for ds1341
- dm-mpath: don't print the "loaded" message if registering fails
- i2c: Force DLL0945 touchpad i2c freq to 100khz
- scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans
- scsi: aacraid: Stop using PCI_IRQ_AFFINITY
- ipmi: Use dev_warn_ratelimited() for incorrect message warnings
- ipmi: Fix strcpy source and destination the same
- net: phy: smsc: add proper reset flags for LAN8710A
- block: avoid possible overflow for chunk_sectors check in
blk_stack_limits() (CVE-2025-39795)
- pNFS: Fix stripe mapping in block/scsi layout
- pNFS: Fix disk addr range check in block/scsi layout
- pNFS: Handle RPC size limit for layoutcommits
- pNFS: Fix uninited ptr deref in block/scsi layout (CVE-2025-38691)
- [arm*] rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe
- scsi: lpfc: Remove redundant assignment to avoid memory leak
- ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe()
- [arm64] ASoC: fsl_sai: replace regmap_write with regmap_update_bits
- drm/amdgpu: fix incorrect vm flags to map bo
- usb: core: config: Prevent OOB read in SS endpoint companion parsing
(CVE-2025-39760)
- misc: rtsx: usb: Ensure mmc child device is active when card is present
- usb: typec: ucsi: Update power_supply on power role change
- comedi: fix race between polling and detaching (CVE-2025-38687)
- [x86] thunderbolt: Fix copy+paste error in match_service_id()
- btrfs: fix log tree replay failure due to file with 0 links and extents
- mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
(CVE-2025-39737)
- mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
(CVE-2025-39736)
- media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
(CVE-2025-38680)
- media: uvcvideo: Do not mark valid metadata as invalid
- serial: 8250: fix panic due to PSLVERR (CVE-2025-39724)
- [x86] usb: atm: cxacru: Merge cxacru_upload_firmware() into
cxacru_heavy_init()
- [arm*] usb: dwc3: meson-g12a: fix device leaks at unbind
- bus: mhi: host: Fix endianness of BHI vector table
- vt: keyboard: Don't process Unicode characters in K_OFF mode
- vt: defkeymap: Map keycodes above 127 to K_HOLE
- ext4: check fast symlink for ea_inode correctly
- ext4: fix fsmap end of range reporting with bigalloc
- ext4: fix reserved gdt blocks handling in fsmap
- ata: libata-scsi: Fix ata_to_sense_error() status handling
- wifi: brcmsmac: Remove const from tbl_ptr parameter in
wlc_lcnphy_common_read_table()
- wifi: ath11k: fix source ring-buffer corruption
- PCI: endpoint: Fix configfs group list head handling (CVE-2025-39783)
- jbd2: prevent softlockup in jbd2_log_do_checkpoint() (CVE-2025-39782)
- [arm*] soc/tegra: pmc: Ensure power-domains are in a known state
- media: gspca: Add bounds checking to firmware parser
- [armhf] media: imx: fix a potential memory leak in
imx_media_csc_scaler_device_init()
- media: usbtv: Lock resolution while streaming (CVE-2025-39714)
- media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
(CVE-2025-39713)
- [arm*] media: venus: Add a check for packet size after reading from
shared memory (CVE-2025-39710)
- drm/amd: Restore cached power limit during resume
- net, hsr: reject HSR frame if skb can't hold tag (CVE-2025-39703)
- sch_htb: make htb_qlen_notify() idempotent (CVE-2025-37932)
- sch_drr: make drr_qlen_notify() idempotent
- sch_hfsc: make hfsc_qlen_notify() idempotent (CVE-2025-38177)
- sch_qfq: make qfq_qlen_notify() idempotent
- codel: remove sch->q.qlen check before qdisc_tree_reduce_backlog()
(CVE-2025-37798)
- sch_htb: make htb_deactivate() idempotent
- memstick: Fix deadlock by moving removing flag earlier
- mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency
- squashfs: fix memory leak in squashfs_fill_super
- ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook
830 G6
- drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3
- drm/amd/display: Fix DP audio DTO1 clock source on DCE 6.
- drm/amd/display: Find first CRTC and its line time in
dce110_fill_display_configs
- drm/amd/display: Fill display clock and vblank time in
dce110_fill_display_configs
- fs/buffer: fix use-after-free when call bh_read() helper (CVE-2025-39691)
- move_mount: allow to add a mount into an existing group
- use uniform permission checks for all mount propagation changes
- ftrace: Also allocate and copy hash for reading of filter files
(CVE-2025-39689)
- iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe()
- iio: proximity: isl29501: fix buffered read on big-endian systems
- usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive
- USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera
- usb: storage: realtek_cr: Use correct byte order for bcs->Residue
- USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles
- [arm*] usb: dwc3: Ignore late xferNotReady event to prevent halt timeout
- f2fs: fix to do sanity check on ino and xnid (CVE-2025-38347)
- iio: hid-sensor-prox: Fix incorrect OFFSET calculation
- [x86] mce/amd: Add default names for MCA banks and blocks
- usb: hub: avoid warm port reset during USB3 disconnect
- usb: hub: Don't try to recover devices lost during warm reset.
- smb: client: fix use-after-free in crypt_message when using async crypto
(CVE-2025-38488)
- tracing: Add down_write(trace_event_sem) when adding trace event
(CVE-2025-38539)
- pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov
- ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
(CVE-2025-38664)
- drm/sched: Remove optimization that causes hang when killing dependent
jobs
- mm/zsmalloc.c: convert to use kmem_cache_zalloc in cache_alloc_zspage()
- [x86] fpu: Delay instruction pointer fixup until after warning
- ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()
- net: usbnet: Avoid potential RCU stall on LINK_CHANGE event
- usb: typec: fusb302: cache PD RX state
- PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports
- block: Make REQ_OP_ZONE_FINISH a write operation
- [x86] hv_netvsc: Fix panic during namespace deletion with VF
(CVE-2025-38683)
- USB: cdc-acm: do not log successful probe on later errors
- cdc-acm: fix race between initial clearing halt and open
- comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
(CVE-2025-38481)
- ptp: Fix possible memory leak in ptp_clock_register() (CVE-2021-47455)
- block: don't call rq_qos_ops->done_bio if the bio isn't tracked
(CVE-2021-47412)
- btrfs: fix deadlock when cloning inline extents and using qgroups
(CVE-2021-46987)
- [armhf] 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS
- [arm64] dpaa2-mac: split up initializing the MAC object from connecting
to it
- [arm64] dpaa2-mac: export MAC counters even when in TYPE_FIXED
- [arm64] dpaa2-eth: retry the probe when the MAC is not yet discovered on
the bus
- [arm64] dpaa2-eth: Fix device reference count leak in MAC endpoint
handling
- mm: drop the assumption that VM_SHARED always implies writable
- mm: update memfd seal write check to include F_SEAL_WRITE
- mm: reinstate ability to map write-sealed memfd mappings read-only
- dma-buf: insert memory barrier before updating num_fences
(CVE-2025-38095)
- drm/amdgpu: handle the case of pci_channel_io_frozen only in
amdgpu_pci_resume (CVE-2021-47421)
- RDMA/rxe: Return CQE error if invalid lkey was supplied (CVE-2021-47076)
- scsi: lpfc: Fix link down processing to address NULL pointer dereference
(CVE-2021-47183)
- scsi: pm80xx: Fix memory leak during rmmod (CVE-2021-47193)
- NFS: Don't set NFS_INO_REVAL_PAGECACHE in the inode cache validity
- NFSv4: Fix nfs4_bitmap_copy_adjust()
- NFS: Create an nfs4_server_set_init_caps() function
- NFS: Fix the setting of capabilities when automounting a new filesystem
(CVE-2025-39798)
- net/sched: sch_ets: properly init all active DRR list handles
- net_sched: sch_ets: implement lockless ets_dump()
- net/sched: ets: use old 'nbands' while purging unused classes
(CVE-2025-38684)
- mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
(CVE-2025-38681)
- ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
- [arm*] scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
(CVE-2025-39788)
- iio: adc: ad_sigma_delta: change to buffer predisable
- [arm64] soc: qcom: mdt_loader: Ensure we don't read past the ELF header
(CVE-2025-39787)
- [armhf] usb: musb: omap2430: fix device leak at unbind
- btrfs: populate otime when logging an inode item
- ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value
(CVE-2022-50327)
- minmax: add umin(a, b) and umax(a, b)
- ext4: fix hole length calculation overflow in non-extent inodes
- [arm*] platform/chrome: cros_ec: Make cros_ec_unregister() return void
- [arm*] platform/chrome: cros_ec: Use per-device lockdep key
- [arm*] platform/chrome: cros_ec: remove unneeded label and if-condition
- [arm*] platform/chrome: cros_ec: Unregister notifier in
cros_ec_unregister()
- locking/barriers, kcsan: Support generic instrumentation
- asm-generic: Add memory barrier dma_mb()
- wifi: ath11k: fix dest ring-buffer corruption when ring is full
- media: v4l2-ctrls: always copy the controls on completion
- media: v4l2-ctrls: Don't reset handler's error in
v4l2_ctrl_handler_free()
- [arm*} media: venus: don't de-reference NULL pointers at IRQ time
- [arm*} media: venus: hfi: explicitly release IRQ during teardown
- [arm*} media: venus: Add support for SSR trigger using fault injection
- [arm*} media: venus: protect against spurious interrupts during probe
(CVE-2025-39709)
- drm/amd/display: Don't overclock DCE 6 by 15%
- f2fs: fix to avoid out-of-boundary access in dnode page (CVE-2025-38677)
- [arm*] media: venus: vdec: Clamp param smaller than 1fps and bigger than
240.
- [x86] uio_hv_generic: Fix another memory leak in error handling paths
(CVE-2021-47070)
- dm: rearrange core declarations for extended use from dm-zone.c
- dm rq: don't queue request to blk-mq during DM suspend (CVE-2021-47498)
- [arm*] usb: dwc3: Remove DWC3 locking during gadget suspend/resume
- [arm*] usb: dwc3: core: remove lock of otg mode during gadget suspend/
resume to avoid deadlock
- [arm*] gpio: rcar: Use raw_spinlock to protect register access
(CVE-2025-21912)
- net: usbnet: Fix the wrong netif_carrier_on() call
- compiler: remove __ADDRESSABLE_ASM{_STR,}() again
- usb: xhci: Fix slot_id resource race conflict
- iio: imu: inv_icm42600: change invalid data error to -EBUSY
- tracing: Remove unneeded goto out logic
- tracing: Limit access to parser->buffer when trace_get_user failed
(CVE-2025-39683)
- iio: light: as73211: Ensure buffer holes are zeroed (CVE-2025-39687)
- mm/page_alloc: detect allocation forbidden by cpuset and bail out early
- cgroup/cpuset: Use static_branch_enable_cpuslocked() on
cpusets_insane_config_key
- scsi: qla4xxx: Prevent a potential error pointer dereference
(CVE-2025-39676)
- [amd64] iommu/amd: Avoid stack buffer overflow from kernel cmdline
(CVE-2025-38676)
- mlxsw: spectrum: Forward packets with an IPv4 link-local source IP
- ALSA: usb-audio: Fix size validation in convert_chmap_v3()
- ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add
- ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc
- net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit
(CVE-2025-39766)
- net/sched: Remove unnecessary WARNING condition for empty child qdisc in
htb_activate
- ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation
- netfilter: nft_reject: unify reject init and dump into nft_reject
- netfilter: nft_reject_inet: allow to use reject from inet ingress
- netfilter: nf_reject: don't leak dst refcount for loopback packets
(CVE-2025-38732)
- alloc_fdtable(): change calling conventions.
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.242
- ftrace: Fix potential warning in trace_printk_seq during ftrace_dump
(CVE-2025-39813)
- scsi: core: sysfs: Correct sysfs attributes access rights
- [x86] cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper
(CVE-2025-39681)
- nfs: fold nfs_page_group_lock_subrequests into nfs_lock_and_join_requests
- NFS: Fix a race when updating an existing write (CVE-2025-39697)
- vhost/net: Protect ubufs with rcu read lock in vhost_net_ubuf_put()
- net: ipv4: fix regression in local-broadcast routes
- Bluetooth: hci_event: Detect if HCI_EV_NUM_COMP_PKTS is unbalanced
- atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().
(CVE-2025-39828)
- [x86] net: dlink: fix multicast stats being counted incorrectly
- net/mlx5e: Update and set Xon/Xoff upon MTU set
- net/mlx5e: Update and set Xon/Xoff upon port speed set
- net/mlx5e: Set local Xoff after FW update
- net: stmmac: xgmac: Do not enable RX FIFO Overflow interrupts
- sctp: initialize more fields in sctp_v6_from_sk() (CVE-2025-39812)
- efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare (CVE-2025-39817)
- [x86] KVM: x86: use array_index_nospec with indices that come from guest
(CVE-2025-39823)
- HID: asus: fix UAF via HID_CLAIMED_INPUT validation (CVE-2025-39824)
- HID: wacom: Add a new Art Pen 2
- HID: hid-ntrig: fix unable to handle page fault in ntrig_report_version()
(CVE-2025-39808)
- Revert "drm/amdgpu: fix incorrect vm flags to map bo"
- dma/pool: Ensure DMA_DIRECT_REMAP allocations are decrypted
- net: usb: qmi_wwan: add Telit Cinterion LE910C4-WWX new compositions
- drm/nouveau/disp: Always accept linear modifier
- [x86] ASoC: Intel: bxt_da7219_max98357a: shrink platform_id below 20
characters
- [x86] ASoC: Intel: sof_rt5682: shrink platform_id names below 20
characters
- [x86] ASoC: Intel: glk_rt5682_max98357a: shrink platform_id below 20
characters
- [x86] ASoC: Intel: sof_da7219_max98373: shrink platform_id below 20
characters
- xfs: do not propagate ENODATA disk errors into xattr code
(CVE-2025-39835)
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.243
- drm/amd/display: Don't warn when missing DCE encoder caps
- tee: fix NULL pointer dereference in tee_shm_put (CVE-2025-39865)
- [arm64] dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro
- wifi: cfg80211: fix use-after-free in cmp_bss() (CVE-2025-39864)
- netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
- Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
(CVE-2025-39860)
- [x86] xirc2ps_cs: fix register access when enabling FullDuplex
- [x86] mISDN: Fix memory leak in dsp_hwec_enable()
- icmp: fix icmp_ndo_send address translation for reply direction
- i40e: Fix potential invalid access when MAC list is empty
(CVE-2025-39853)
- wifi: libertas: cap SSID len in lbs_associate()
- [arm64] net: thunder_bgx: add a missing of_node_put
- [arm64] net: thunder_bgx: decrement cleanup index before use
- ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init()
- ax25: properly unshare skbs in ax25_kiss_rcv() (CVE-2025-39848)
- net: atm: fix memory leak in atm_register_sysfs when device_register fail
- ppp: fix memory leak in pad_compress_skb (CVE-2025-39847)
- ALSA: usb-audio: Add mute TLV for playback volumes on some devices
- pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
(CVE-2025-39846)
- wifi: mwifiex: Initialize the chan_stats array to zero
- drm/amdgpu: drop hw access in non-DC audio fini
- scsi: lpfc: Fix buffer free/clear order in deferred receive path
(CVE-2025-39841)
- batman-adv: fix OOB read/write in network-coding decode (CVE-2025-39839)
- e1000e: fix heap overflow in e1000_set_eeprom
- mm/khugepaged: fix ->anon_vma race (CVE-2023-52935)
- mm/slub: avoid accessing metadata when pointer is invalid in object_err()
- cpufreq/sched: Explicitly synchronize limits_changed flag handling
- [x86] KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer
- iio: light: opt3001: fix deadlock due to concurrent flag access
(CVE-2025-37968)
- [arm*] gpio: pca953x: fix IRQ storm on system wake up
- [x86] ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup
- [x86] vmxnet3: update MTU after device quiesce
- [arm64] dts: marvell: uDPU: define pinctrl state for alarm LEDs
- net: phy: microchip: implement generic .handle_interrupt() callback
- net: phy: microchip: remove the use of .ack_interrupt()
- net: phy: microchip: force IRQ polling mode for lan88xx
- [x86] ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model
- [x86] pcmcia: Add error handling for add_interval() in do_validate_mem()
- [arm64] clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
- cifs: fix integer overflow in match_server()
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.244
- [x86] Mitigate VMScape vulnerability (CVE-2025-40300):
+ Documentation/hw-vuln: Add VMSCAPE documentation
+ x86/vmscape: Enumerate VMSCAPE bug
+ x86/vmscape: Add conditional IBPB mitigation
+ x86/vmscape: Enable the mitigation
+ x86/bugs: Move cpu_bugs_smt_update() down
+ x86/vmscape: Warn when STIBP is disabled with SMT
+ x86/vmscape: Add old Intel CPUs to affected list
.
[ Ben Hutchings ]
* Drop "Revert "xen/swiotlb: add alignment check for dma buffers"" which
should not be needed after "xen/swiotlb: relax alignment requirements"
* [x86] ACPI: Make ACPI_HED built-in since it can no longer be modular
* Bump ABI to 36
* d/b/buildcheck.py, d/rules.real: Run buildcheck.py in setup as well
* d/b/buildcheck.py: Check config of kernel to be signed
* d/rules: Include target suite as an input to gencontrol.py
* Generate kernel ABI name suffix automatically if not configured
* d/c/defines: Delete ABI name suffix
* d/salsa-ci.yml: Ignore pycodestyle error E241
* d/rules.real: Move module installation to the image build rule
* certs: check-in the default x509 config file
* [rt] Update to 5.10.241-rt135
* d/b/gencontrol.py: Extend the effect of $DEBIAN_KERNEL_DISABLE_INSTALLER
.
[ Bastian Blank ]
* [arm64] Enable hyperv-daemons package. (Closes: #1109891)
* Drop not needed extra step to add debug links
* Sign modules using an ephemeral key: (closes: #1040901)
- Set MODULE_SIG_ALL to sign all modules.
- Not longer request Secure Boot signing for modules.
- Don't trust Secure Boot key any longer.
* Use abi name 0 for everything before unstable.
* Store build time signing key encrypted.
* Sign modules and support lockdown always.
.
[ Santiago Ruano Rincón ]
* d/salsa-ci.yml: Merge the extract-source job into the build's job script
* d/salsa-ci.yml: Early move orig tarballs back where they can be cached
Checksums-Sha1:
cb7315e0b3e142ad41dcc8fc7794a41f26aa6c99 6732 linux-signed-arm64_5.10.244+1.dsc
3a772248d3d8704fc6d410f4e93561357771bdc1 613524 linux-signed-arm64_5.10.244+1.tar.xz
Checksums-Sha256:
c88bd3470f1ee819a9aa4f415ab0e605bd5e60bce2aced3b923e7b143ca52835 6732 linux-signed-arm64_5.10.244+1.dsc
e96bca16fbf2c92e7adc431d5be16d72da691faef4bc3a3a86a6d4aee22aec1c 613524 linux-signed-arm64_5.10.244+1.tar.xz
Files:
ce2cfd1a9a51240f13858c07448a8a57 6732 kernel optional linux-signed-arm64_5.10.244+1.dsc
0e90c79fabedbb75fd9b8c26ae17d966 613524 kernel optional linux-signed-arm64_5.10.244+1.tar.xz
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQSInBJdRTWyTRy0ztFCTVFtUgONCgUCaOuWbgAKCRBCTVFtUgON
ChC3APoDDBuVIGv20MBtvziSHZys4MaOWisRkKZ6BtfFqMeMhAD/dR5f4I9aAlp/
uwNcRPjM2WleInHTJaJwCW59up59yQA=
=jdkF
-----END PGP SIGNATURE-----
