-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 11 Dec 2025 18:55:57 +0100 Source: linux Architecture: source Version: 5.10.247-1 Distribution: bullseye-security Urgency: high Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Ben Hutchings <benh@debian.org> Closes: 1107479 1114557 Changes: linux (5.10.247-1) bullseye-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.245 - net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. (CVE-2025-23143) - mtd: Add check for devm_kcalloc() - flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read - NFSv4: Don't clear capabilities that won't be reset - NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server - tracing: Fix tracing_marker may trigger page fault during preempt_disable - NFSv4/flexfiles: Fix layout merge mirror check. - tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. (CVE-2025-39913) - compiler.h: drop fallback overflow checkers - overflow: Allow mixed type arguments - EDAC/altera: Delete an inappropriate dma_free_coherent() call - ocfs2: fix recursive semaphore deadlock in fiemap call (CVE-2025-39885) - [armhf] mtd: rawnand: stm32_fmc2: fix ECC overwrite - fuse: check if copy_file_range() returns larger than requested size - fuse: prevent overflow in copy_file_range return value - mm/khugepaged: fix the address passed to notifier on testing young - [armhf] mtd: rawnand: stm32_fmc2: Fix dma_map_sg error check - [armhf] mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer (CVE-2025-39907) - [x86] Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table - tty: hvc_console: Call hvc_kick in hvc_write unconditionally - USB: serial: option: add Telit Cinterion FN990A w/audio compositions - USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions - [arm*] net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() (CVE-2025-39876) - tunnels: reset the GSO metadata before reusing the skb - igb: fix link test skipping when interface is admin down - genirq/affinity: Add irq_update_affinity_desc() - genirq: Export affinity setter for modules - genirq: Provide new interfaces for affinity hints - i40e: Use irq_update_affinity_hint() - i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path (CVE-2025-39911) - can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed - can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails - [armhf] dmaengine: ti: edma: Fix memory allocation size for queue_priority_map (CVE-2025-39869) - [arm*] dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ ees (CVE-2025-39923) - [armhf] phy: ti-pipe3: fix device leak at unbind - [arm64] soc: qcom: mdt_loader: Deal with zero e_shentsize - [x86] drm/i915/power: fix size for for_each_set_bit() in abox iteration - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (CVE-2025-39883) - ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported - wifi: mac80211: fix incorrect type for ret - cgroup: split cgroup_destroy_wq into 3 workqueues (CVE-2025-39953) - um: virtio_uml: Fix use-after-free after put_device in probe (CVE-2025-39951) - qed: Don't collect too many protection override GRC elements (CVE-2025-39949) - net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure - i40e: remove redundant memory barrier when cleaning Tx descs - tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). (CVE-2025-39955) - Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" - net: liquidio: fix overflow in octeon_init_instr_queue() - cnic: Fix use-after-free bugs in cnic_delete_task (CVE-2025-39945) - power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery - power: supply: bq27xxx: restrict no-battery detection to bq27000 - [armhf] mmc: mvsdio: Fix dma_unmap_sg() nents value - [x86] KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active - rds: ib: Increment i_fastreg_wrs before bailing out - [x86] ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message - drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg (CVE-2025-39964) - usb: gadget: dummy_hcd: remove usage of list iterator past the loop body - [rt] USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels - [armhf] phy: ti: convert to devm_platform_ioremap_resource(_byname) - phy: Use device_get_match_data() - [armhf] phy: ti: omap-usb2: fix device leak at unbind - net: rfkill: gpio: add DT support - net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer (CVE-2025-39937) - btrfs: tree-checker: fix the incorrect inode ref size check - ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks - ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 - ALSA: usb-audio: Fix build with CONFIG_INPUT=n - usb: core: Add 0x prefix to quirks debug output - IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions - [arm64] dts: imx8mp: Correct thermal sensor index - cpufreq: Initialize cpufreq-based invariance before subsys - can: hi311x: populate ndo_change_mtu() to prevent buffer overflow (CVE-2025-39987) - [armhf] can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow (CVE-2025-39986) - can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow (CVE-2025-39985) - can: peak_usb: fix shift-out-of-bounds issue (CVE-2025-40020) - bnxt_en: correct offset handling for IPv6 destination address - nexthop: Pass extack to nexthop notifier - rtnetlink: Add RTNH_F_TRAP flag - nexthop: Emit a notification when a nexthop is added - nexthop: Emit a notification when a single nexthop is replaced - nexthop: Forbid FDB status change while nexthop is in a group (CVE-2025-39980) - [x86] drm/gma500: Fix null dereference in hdmi teardown (CVE-2025-40011) - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx (CVE-2025-40022) - i40e: fix idx validation in i40e_validate_queue_map (CVE-2025-39972) - i40e: fix input validation logic for action_meta (CVE-2025-39970) - i40e: add max boundary check for VF filters (CVE-2025-39968) - i40e: add mask to apply valid bits for itr_idx - tracing: dynevent: Add a missing lockdown check on dynevent (CVE-2025-40021) - fbcon: fix integer overflow in fbcon_do_set_font (CVE-2025-39967) - fbcon: Fix OOB access in font allocation - mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() (CVE-2025-21861) - i40e: increase max descriptors for XL710 - i40e: add validation for ring_len param (CVE-2025-39973) - i40e: fix idx validation in config queues msg (CVE-2025-39971) - i40e: fix validation of VF state in get resources (CVE-2025-39969) - mm/hugetlb: fix folio is still mapped when deleted (CVE-2025-40006) https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.246 - scsi: target: target_core_configfs: Add length check to avoid buffer overflow (CVE-2025-39998) - media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove (CVE-2025-39996) - media: rc: fix races with imon_disconnect() (CVE-2025-39993) - udp: Fix memory accounting leak. (CVE-2025-22058) - media: tunner: xc5000: Refactor firmware load - media: tuner: xc5000: Fix use-after-free in xc5000_release (CVE-2025-39994) - media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe (CVE-2025-39995) - USB: serial: option: add SIMCom 8230C compositions - wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 - dm-integrity: limit MAX_TAG_SIZE to 255 - perf subcmd: avoid crash in exclude_cmds when excludes is empty - hid: fix I2C read buffer overflow in raw_event() for mcp2221 - driver core/PM: Set power.no_callbacks along with power.no_pm - drm/amd/display: Remove redundant safeguards for dmub-srv destroy() - drm/amd/display: Fix potential null dereference (CVE-2023-53498) - crypto: rng - Ensure set_ent is always present (CVE-2025-40109) - filelock: add FL_RECLAIM to show_fl_flags() macro - [arm64] perf: arm_spe: Prevent overflow in PERF_IDX2OFF() (CVE-2025-40081) - [x86] vdso: Fix output operand size of RDPID - regmap: Remove superfluous check for !config in __regmap_init() - libbpf: Fix reuse of DEVMAP - ACPI: processor: idle: Fix memory leak when register cpuidle device failed - [arm64] pinctrl: meson-gxl: add missing i2c_d pinmux - blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx (CVE-2025-40125) - block: use int to store blk_stack_limits() return value - PM: sleep: core: Clear power.must_resume in noirq suspend error path - [armhf] pwm: tiehrpwm: Fix corner case in clock divisor calculation - bpf: Explicitly check accesses to bpf_sock_addr (CVE-2025-40078) - i2c: designware: Add disabling clocks when probe fails - drm/radeon/r600_cs: clean up of dead code in r600_cs - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup (CVE-2025-40116) - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod (CVE-2025-40118) - [x86] scsi: myrs: Fix dma_alloc_coherent() error check - media: rj54n1cb0c: Fix memleak in rj54n1_probe() - ALSA: lx_core: use int type to store negative error codes - drm/amdgpu: Power up UVD 3 for FW validation (v2) - wifi: mwifiex: send world regulatory domain to driver - tcp: fix __tcp_close() to only send RST when required - [armhf] usb: phy: twl6030: Fix incorrect type for ret - usb: gadget: configfs: Correctly set use_os_string at bind - pps: fix warning in pps_register_cdev when register device fail (CVE-2025-40070) - [x86] ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping - [x86] ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (CVE-2025-40154) - [x86] ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping (CVE-2025-40121) - iio: consumers: Fix offset handling in iio_convert_raw_to_processed() - netfilter: ipset: Remove unused htable_bits in macro ahash_region - drivers/base/node: handle error properly in register_one_node() - RDMA/cm: Rate limit destroy CM ID timeout error message - wifi: mt76: fix potential memory leak in mt76_wmac_probe() - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message - RDMA/core: Resolve MAC of next-hop device without ARP support - IB/sa: Fix sa_local_svc_timeout_ms read race - NFSv4.1: fix backchannel max_resp_sz verification check - ipvs: Defer ip_vs_ftp unregister during netns cleanup (CVE-2025-40018) - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() (CVE-2025-40115) - usb: vhci-hcd: Prevent suspending virtually attached devices - RDMA/siw: Always report immediate post SQ errors - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast (CVE-2025-40140) - Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO - [armhf] hwrng: ks-sa - fix division by zero in ks_sa_rng_init (CVE-2025-40127) - ocfs2: fix double free in user_cluster_connect() (CVE-2025-40055) - drivers/base/node: fix double free in register_one_node() - nfp: fix RSS hash key size when RSS is not supported - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable - net: dlink: handle copy_thresh allocation failure (CVE-2025-40053) - Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" (regression in 5.10.242) - Squashfs: fix uninit-value in squashfs_get_parent (CVE-2025-40049) - [x86] uio_hv_generic: Let userspace take care of interrupt mask (CVE-2025-40048) - [arm*] mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() - mm: hugetlb: avoid soft lockup when mprotect to large memory area (CVE-2025-40153) - Input: atmel_mxt_ts - allow reset GPIO to sleep - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak (CVE-2025-40035) - pinctrl: check the return value of pinmux_ops::get_function_name() (CVE-2025-40030) - [arm64] bus: fsl-mc: Check return value of platform_get_resource() (CVE-2025-40029) - fs: always return zero on success from replace_fd() - clocksource/drivers/clps711x: Fix resource leaks in error paths - libperf event: Ensure tracing data is multiple of 8 sized - perf util: Fix compression checks returning -1 as bool - perf session: Fix handling when buffer exceeds 2 GiB - scsi: libsas: Add sas_task_find_rq() - scsi: mvsas: Delete mvs_tag_init() - scsi: mvsas: Use sas_task_find_rq() for tagging - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue (CVE-2025-40001) - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter() - [x86] drm/vmwgfx: Fix Use-after-free in validation (CVE-2025-40111) - net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() (CVE-2025-40187) - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). (CVE-2025-40186) - [arm*] net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe - [arm64] mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call - [arm64] mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (CVE-2025-40183) - drm/amdgpu: Add additional DCE6 SCL registers - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6 - drm/amd/display: Properly disable scaling on DCE6 - crypto: essiv - Check ssize for decryption and in-place encryption (CVE-2025-40019) - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT - [arm64] dts: qcom: msm8916: Add missing MDSS reset - [armhf] OMAP2+: pm33xx-core: ix device node reference leaks in amx3_idle_init - xen/events: Cleanup find_virq() return codes - xen/manage: Fix suspend error path - [arm64] firmware: meson_sm: fix device leak at probe - drm/nouveau: fix bad ret code in nouveau_bo_move_prep - [armhf,i386] copy_sighand: Handle architectures where sizeof(unsigned long) < sizeof(u64) - [x86] cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() (CVE-2025-40194) - iio: dac: ad5360: use int type to store negative error codes - iio: dac: ad5421: use int type to store negative error codes - init: handle bootloader identifier in kernel parameters - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume - lib/genalloc: fix device leak in of_gen_pool_get() - openat2: don't trigger automounts with RESOLVE_NO_XDEV - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() - sctp: Fix MAC comparison to be constant-time (CVE-2025-40204) - mmc: core: SPI mode remove cmd7 - [armhf] memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe - rtc: interface: Ensure alarm irq is enabled when UIE is enabled - rtc: interface: Fix long-standing race when setting alarm - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV (CVE-2025-40219) - PCI/ERR: Fix uevent on failure to recover - PCI/AER: Fix missing uevent on recovery when a reset is requested - PCI/AER: Support errors introduced by PCIe r6.0 - [x86] umip: Check that the instruction opcode is at least two bytes - [x86] umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul() - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry - ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch() - ext4: correctly handle queries for metadata mappings - ext4: guard against EA inode refcount underflow in xattr update (CVE-2025-40190) - [arm64] dts: qcom: sdm845: Fix slimbam num-channels/ees - tracing: Fix race condition in kprobe initialization causing NULL pointer dereference (CVE-2025-40042) - dm: fix NULL pointer dereference in __dm_suspend() (CVE-2025-40134) - [x86] mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value - [x86] mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type - [x86] mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag - media: mc: Clear minor number before put device (CVE-2025-40197) - Squashfs: add additional inode sanity checking - Squashfs: reject negative file sizes in squashfs_read_inode() (CVE-2025-40200) - udf: fix uninit-value use in udf_get_fileshortad (CVE-2024-50143) - fs: udf: fix OOB read in lengthAllocDescs handling (CVE-2025-40044) - [x86] KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O (CVE-2025-40026) - net/9p: fix double req put in p9_fd_cancelled (CVE-2025-40027) - minixfs: Verify inode mode when loading from disk - pid: Add a judgment for ns null in pid_nr_ns (CVE-2025-40178) - fs: Add 'initramfs_options' to set initramfs mount options - cramfs: Verify inode mode when loading from disk - locking: Introduce __cleanup() based infrastructure - fscontext: do not consume log entries when returning -EMSGSIZE - [arm64] mte: Do not flag the zero page as PG_mte_tagged - overflow, tracing: Define the is_signed_type() macro once - btrfs: remove duplicated in_range() macro - Update <linux/minmax.h> to the version in 6.17 - media: pci/ivtv: switch from 'pci_' to 'dma_' API - media: pci: ivtv: Add missing check after DMA map - media: cx18: Add missing check after DMA map - media: pci: ivtv: Add check for DMA map result - mm/slab: make __free(kfree) accept error pointers - wifi: rt2x00: use explicitly signed or unsigned types - jbd2: ensure that all ongoing I/O complete before freeing blocks - ext4: detect invalid INLINE_DATA + EXTENTS flag combination (CVE-2025-40167) - [arm*] pwm: berlin: Fix wrong register in suspend/resume (CVE-2025-40188) - btrfs: avoid potential out-of-bounds in btrfs_encode_fh() (CVE-2025-40205) - bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup() - media: rc: Directly use ida_free() - media: lirc: Fix error handling in lirc_register() - xen/events: Update virq_to_irq on migration - HID: multitouch: fix sticky fingers - iomap: add the new iomap_iter model - fsdax: switch dax_iomap_rw to use iomap_iter - dax: skip read lock assertion for read-only filesystems - net: dlink: handle dma_map_single() failure properly - r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H - net/ip6_tunnel: Prevent perpetual tunnel growth (CVE-2025-40173) - amd-xgbe: Avoid spurious link down messages during interface toggle - tcp: fix tcp_tso_should_defer() vs large RTT - tg3: prevent use of uninitialized remote_adv and local_adv variables - net: usb: use eth_hw_addr_set() instead of ether_addr_copy() - net: usb: lan78xx: Add error handling to lan78xx_init_mac_address - net: usb: lan78xx: fix use of improperly initialized dev->chipid in lan78xx_reset - drm/amd/powerplay: Fix CIK shutdown temperature - sched/fair: Trivial correction of the newidle_balance() comment - sched/balancing: Rename newidle_balance() => sched_balance_newidle() - sched/fair: Fix pelt lost idle time detection - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() (CVE-2025-40088) - exec: Fix incorrect type for ret - hfs: clear offset and space out of valid records in b-tree node - hfs: make proper initalization of struct hfs_find_data - hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() (CVE-2025-40244) - hfs: validate record offset in hfsplus_bmap_alloc - hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() - dlm: check for defined force value in dlm_lockspace_release - hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() (CVE-2025-40243) - hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super() - net: rtnetlink: add msg kind names - net: rtnetlink: add helper to extract msg type's kind - net: rtnetlink: use BIT for flag values - net: netlink: add NLM_F_BULK delete request modifier - net: rtnetlink: add bulk delete support flag - net: add ndo_fdb_del_bulk - net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del - rtnetlink: Allow deleting FDB entries in user namespace - [arm64] net: enetc: correct the value of ENETC_RXB_TRUESIZE - [arm64] dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path - [arm64] mm: avoid always making PTE dirty in pte_mkwrite() - sctp: avoid NULL dereference when chunk data buffer is missing (CVE-2025-40240) - net: bonding: fix possible peer notify event loss or dup issue - Revert "cpuidle: menu: Avoid discarding useful information" - ocfs2: clear extent cache after moving/defragmenting extents (CVE-2025-40233) - net: usb: rtl8150: Fix frame padding - USB: serial: option: add UNISOC UIS7720 - USB: serial: option: add Quectel RG255C - USB: serial: option: add Telit FN920C04 ECM compositions - usb/core/quirks: Add Huawei ME906S to wakeup quirk - binder: remove "invalid inc weak" check - comedi: fix divide-by-zero in comedi_buf_munge() (CVE-2025-40106) - [x86] mei: me: add wildcat lake P DID - most: usb: Fix use-after-free in hdm_disconnect (CVE-2025-40223) - most: usb: hdm_probe: Fix calling put_device() before device initialization - serial: 8250_exar: add support for Advantech 2 port card with Device ID 0x0018 - [arm64] cputype: Add Neoverse-V3AE definitions - [arm64] errata: Apply workarounds for Neoverse-V3AE - vsock: fix lock inversion in vsock_assign_transport() (CVE-2025-40231) - padata: Reset next CPU when reorder sequence wraps around - iio: imu: inv_icm42600: use = { } instead of memset() - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended - PM: runtime: Add new devm functions - iio: imu: inv_icm42600: Simplify pm_runtime setup - NFSD: Rework encoding and decoding of nfsd4_deviceid - NFSD: Minor cleanup in layoutcommit processing - NFSD: Fix last write offset handling in layoutcommit - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again - PCI: Add sysfs attribute for device power state - PCI/sysfs: Use sysfs_emit() and sysfs_emit_at() in "show" functions - PCI/sysfs: Ensure devices are powered for config reads - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options() (CVE-2025-40198) - drm/amdgpu: use atomic functions with memory barriers for vm fault info - vfs: Don't leak disconnected dentries on umount (CVE-2025-40105) - NFSD: Define a proc_layoutcommit for the FlexFiles layout type (CVE-2025-40087) - fuse: fix livelock in synchronous file put from fuseblk workers (CVE-2025-40220) - arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() - net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg - fsdax: Fix infinite loop in dax_iomap_rw() https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.247 - net/sched: sch_qfq: Fix null-deref in agg_dequeue (CVE-2025-40083) - [x86] bugs: Fix reporting of LFENCE retpoline - btrfs: always drop log root tree reference in btrfs_replay_log() - btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() - NFSD: Fix crash in nfsd4_read_release() (CVE-2025-40324) (regression in 5.10.220) - net: usb: asix_devices: Check return value of usbnet_get_endpoints - [x86] fbdev: atyfb: Check if pll_ops->init_pll failed - [x86] ACPI: video: Fix use-after-free in acpi_video_switch_brightness() (CVE-2025-40211) - fbdev: bitblit: bound-check glyph index in bit_putcs* (CVE-2025-40322) - wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode (CVE-2025-40321) - wifi: ath10k: Fix memory leak on unsupported WMI command - [arm64] drm/msm/a6xx: Fix GMU firmware parser - ALSA: usb-audio: fix control pipe direction - bpf: Sync pending IRQ work before freeing ring buffer (CVE-2025-40319) - usbnet: Prevents free active kevent (regression in 5.10.137) - [armhf] drm/etnaviv: fix flush sequence logic - drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table() - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji - drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland - block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL - regmap: slimbus: fix bus_context pointer in regmap init calls (CVE-2025-40317) - net: phy: dp83867: Disable EEE support as not implemented - xfs: always warn about deprecated mount options - devcoredump: Fix circular locking dependency with devcd->mutex. (regression in 5.10.204) - can: gs_usb: increase max interface to U8_MAX - serial: 8250_dw: Use devm_add_action_or_reset() - serial: 8250_dw: handle reset control deassert error - [x86] resctrl: Fix miscount of bandwidth event when reactivating previously unavailable RMID - [x86] boot: Compile boot code with -std=gnu11 too - arch: back to -std=gnu89 in < v5.18 - tracing: fix declaration-after-statement warning - usb: gadget: f_fs: Fix epfile null pointer access after ep enable. (CVE-2025-40315) - block: make REQ_OP_ZONE_OPEN a write operation - bpf: Don't use %pK through printk - [arm*] pinctrl: single: fix bias pull up/down handling in pin_config_set - memstick: Add timeout to prevent indefinite waiting - [x86] ACPI: video: force native for Lenovo 82K8 - [i386] cpufreq/longhaul: handle NULL policy in longhaul_exit - [arm*] irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment - [arm64] mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card - ACPICA: dispatcher: Use acpi_ds_clear_operands() in acpi_ds_call_control_method() - [arm64] tee: allow a driver to allocate a tee_device without a pool - nvme-fc: use lock accessing port_state and rport state (CVE-2025-40342) - [arm64] video: backlight: lp855x_bl: Set correct EPROM start for LP8556 - cpuidle: Fail cpuidle device registration if there is one already - uprobe: Do not emulate/sstep original instruction when ip is changed - [x86] hwmon: (dell-smm) Add support for Dell OptiPlex 7040 - tools/cpupower: Fix incorrect size in cpuidle_state_disable() - [x86] tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage - [x86] tools/power x86_energy_perf_policy: Enhance HWP enable - [x86] tools/power x86_energy_perf_policy: Prefer driver HWP limits - [armhf] mfd: stmpe: Remove IRQ domain upon removal - [armhf] mfd: stmpe-i2c: Add missing MODULE_LICENSE - drm/amd/pm: Use cached metrics data on arcturus - drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff - drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf() - [i386] PCI: Disable MSI on RDC PCI to PCIe bridges - [amd64] drm/amdkfd: return -ENOTTY for unsupported IOCTLs - media: pci: ivtv: Don't create fake v4l2_fh - [amd64] vsyscall: Do not require X86_PF_INSTR to emulate vsyscall - net: stmmac: Check stmmac_hw_setup() in stmmac_resume() - bridge: Redirect to backup port when port is administratively down - net: ipv6: fix field-spanning memcpy warning in AH output - media: imon: make send_packet() more robust - [armhf] drm/bridge: display-connector: don't set OP_DETECT for DisplayPorts - usb: gadget: f_ncm: Fix MAC assignment NCM ethernet - char: misc: Does not request module for miscdevice with dynamic minor - net: When removing nexthops, don't call synchronize_net if it is not necessary - net: Call trace_sock_exceed_buf_limit() for memcg failure with SK_MEM_RECV. - ALSA: usb-audio: Add validation of UAC2/UAC3 effect units - rds: Fix endianness annotation for RDS_MPATH_HASH - scsi: pm80xx: Fix race condition caused by static variables - [amd64] drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption - media: fix uninitialized symbol warnings - scsi: pm8001: Use int instead of u32 to store error codes - [arm*] dmaengine: mv_xor: match alloc_wc and free_wc - ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled - net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms - ALSA: usb-audio: apply quirk for MOONDROP Quark2 - net: call cond_resched() less often in __release_sock() - [amd64] iommu/amd: Skip enabling command/event buffers for kdump - usb: gadget: f_hid: Fix zero length packet transfer - net: phy: marvell: Fix 88e1510 downshift counter errata - media: redrat3: use int type to store negative error codes - [x86] kvm: Prefer native qspinlock for dedicated vCPUs irrespective of PV_UNHALT - udp_tunnel: use netdev_warn() instead of netdev_WARN() - net/cls_cgroup: Fix task_get_classid() during qdisc run - scsi: lpfc: Define size of debugfs entry for xri rebalancing - allow finish_no_open(file, ERR_PTR(-E...)) - usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs - [arm*] usb: xhci: plat: Facilitate using autosuspend for xhci plat devices - ipv6: np->rxpmtu race annotation - jfs: Verify inode mode when loading from disk (CVE-2025-40312) - jfs: fix uninitialized waitqueue in transaction manager - wifi: ath10k: Fix connection after GTK rekeying - r8169: set EEE speed down ratio to 1 - NFSv4: handle ERR_GRACE on delegation recalls - NFSv4.1: fix mount hang after CREATE_SESSION failure - nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing - fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock - [arm64] net: macb: avoid dealing with endianness in macb_set_hwaddr() - Bluetooth: SCO: Fix UAF on sco_conn_free (CVE-2025-40309) - Bluetooth: bcsp: receive data only if registered (CVE-2025-40308) - ALSA: usb-audio: add mono main switch to Presonus S1824c - exfat: limit log print for IO error - page_pool: Clamp pool size to max 16K pages - orangefs: fix xattr related buffer overflow... (CVE-2025-40306) - ACPICA: Update dsmethod.c to get rid of unused variable warning - btrfs: mark dirty extent range for out of bound prealloc extents - fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/ symlink - 9p: fix /sys/fs/9p/caches overwriting itself - 9p: sysfs_init: don't hardcode error to ENOMEM - ACPI: property: Return present device nodes only on fwnode interface - fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds (CVE-2025-40304) - ceph: add checking of wait_for_completion_killable() return value - [x86] ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot again (regression in 5.10.231) - net: vlan: sync VLAN features with lower device - [armhf] net: dsa: b53: fix resetting speed and pause on forced link - [armhf] net: dsa: b53: fix enabling ip multicast - [armhf] net: dsa: b53: stop reading ARL entries if search is done - sctp: Hold RCU read lock while iterating over address list - sctp: Prevent TOCTOU out-of-bounds write (CVE-2025-40331) - net: sctp: Fix some typos - net: Use nlmsg_unicast() instead of netlink_unicast() - sctp: hold endpoint before calling cb in sctp_transport_lookup_process - sctp: Hold sock lock while iterating over address list - net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup - tracing: Fix memory leaks in create_field_var() - NFS4: Fix state renewals missing after boot - HID: quirks: avoid Cooler Master MM712 dongle wakeup bug - ASoC: max98090/91: fixed max98091 ALSA widget powering up/down - [arm*] net: fec: correct rx_bytes statistic for the case SHIFT16 is set - Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF (CVE-2025-40283) - Bluetooth: 6lowpan: reset link-local header on ipv6 recv path (CVE-2025-40282) - Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion - Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions - sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto (CVE-2025-40281) - net/smc: fix mismatch between CLC header and proposal - tipc: Fix use-after-free in tipc_mon_reinit_self(). (CVE-2025-40280) - net: mdio: fix resource leak in mdiobus_register_device() - wifi: mac80211: skip rate verification for not captured PSDUs - net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel- infoleak (CVE-2025-40278) - net/mlx5e: Fix maxrate wraparound in threshold between units - net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps - net_sched: limit try_bulk_dequeue_skb() batches - Bluetooth: L2CAP: export l2cap_chan_hold for modules - acpi,srat: Fix incorrect device handle check for Generic Initiator - regulator: fixed: use dev_err_probe for register - regulator: fixed: fix GPIO descriptor leak on register failure - [x86] drm/vmwgfx: Validate command header size against SVGA_CMD_MAX_DATASIZE (CVE-2025-40277) - ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd (CVE-2025-40275) - fsdax: mark the iomap argument to dax_iomap_sector as const - mm/ksm: fix flag-dropping behavior in ksm_madvise - netfilter: nf_tables: reject duplicate device on updates (CVE-2025-38678) - HID: hid-ntrig: Prevent memory leak in ntrig_report_version() - NFSD: free copynotify stateid in nfs4_free_ol_stateid() (CVE-2025-40273) - strparser: Fix signed/unsigned mismatch bug - ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe (regression in 5.10.65) - fs/proc: fix uaf in proc_readdir_de() (CVE-2025-40271) - spi: Try to get ACPI GPIO IRQ earlier (regression in 5.10.231) - [x86] isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe() - HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 (regression in 5.10.240) (Closes: #1114557) - exfat: check return value of sb_min_blocksize in exfat_read_boot_sector - be2net: pass wrb_params in case of OS2BMC (CVE-2025-40264) - Input: cros_ec_keyb - fix an invalid memory access (CVE-2025-40263) - [arm*] Input: imx_sc_key - fix memory corruption on unload (CVE-2025-40262) - nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl() (CVE-2025-40261) - scsi: sg: Do not sleep in atomic context (CVE-2025-40259) - scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show() - [arm*] drm/tegra: dc: Fix reference leak in tegra_dc_couple() (regression in 5.10.28) - net: openvswitch: remove never-working support for setting nsh fields (CVE-2025-40254) - vsock: Ignore signal/timeout on connect() if already established (CVE-2025-40248) - scsi: core: Fix a regression triggered by scsi_host_busy() - kconfig/mconf: Initialize the default locale at startup - kconfig/nconf: Initialize the default locale at startup - mm/mm_init: fix hash table order logging in alloc_large_system_hash() - ALSA: usb-audio: fix uac2 clock source at terminal parser - [x86] uio_hv_generic: Set event for all channels on the device - Makefile.compiler: replace cc-ifversion with compiler-specific macros - Revert "NFS: Don't set NFS_INO_REVAL_PAGECACHE in the inode cache validity" (regression in 5.10.241) - net: netpoll: fix incorrect refcount handling causing incorrect cleanup - ALSA: usb-audio: Fix potential overflow of PCM transfer buffer (CVE-2025-40269) - [armhf] pmdomain: imx: Fix reference count leak in imx_gpc_remove - ata: libata-scsi: Fix system suspend for a security locked drive (regression in 5.10.241) - mptcp: fix race condition in mptcp_schedule_work() (CVE-2025-40258) - mptcp: fix a race in mptcp_pm_del_add_timer() (CVE-2025-40257) - usb: deprecate the third argument of usb_maxpacket() - Input: remove third argument of usb_maxpacket() - Input: pegasus-notetaker - fix potential out-of-bounds access - can: kvaser_usb: leaf: Fix potential infinite loop in command parsers - Bluetooth: SMP: Fix not generating mackey and ltk when repairing - net: aquantia: Add missing descriptor cache invalidation on ATL2 - net/mlx5e: Fix validation logic in rate limiting - net: atlantic: fix fragment overflow handling in RX path - [x86] Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()" - iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields - atm/fore200e: Fix possible data race in fore200e_open() - can: sja1000: fix max irq loop handling - [armhf] can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling - dm-verity: fix unreliable memory allocation - [x86] thunderbolt: Add support for Intel Wildcat Lake - [arm*] serial: amba-pl011: prefer dma_mapping_error() over explicit address checking (regression in 5.10.204) - most: usb: fix double free on late probe failure - usb: cdns3: Fix double resource release in cdns3_pci_probe - usb: gadget: f_eem: Fix memory leak in eem_unwrap (regression in 5.10.50) - usb: storage: Fix memory leak in USB bulk transport - USB: storage: Remove subclass and protocol overrides from Novatek quirk - usb: storage: sddr55: Reject out-of-bound new_pba - [arm*] usb: dwc3: Fix race condition between concurrent dwc3_remove_requests() call paths - USB: serial: ftdi_sio: add support for u-blox EVK-M101 - USB: serial: option: add support for Rolling RW101R-GL - drm/amd/display: Check NULL before accessing - libceph: fix potential use-after-free in have_mon_and_osd_map() - fs: writeback: fix use-after-free in __mark_inode_dirty() (CVE-2025-39866) - Bluetooth: Add more enc key size check - netfilter: nf_set_pipapo: fix initial map fill (CVE-2024-57947) - scsi: pm80xx: Set phy->enable_completion only when we wait for it (CVE-2024-47666) - smb: client: fix memory leak in cifs_construct_tcon() - usb: typec: ucsi: psy: Set max current to zero when disconnected (regression in 5.10.241) - usb: uas: fix urb unmapping issue when the uas device is remove during ongoing data transfer - ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up (CVE-2025-21887) (regression in 5.10.188) - [amd64] netfilter: nf_set_pipapo_avx2: fix initial map fill . [ Uwe Kleine-König ] * Disable CONFIG_CDROM_PKTCDVD for all archs as this driver is orphaned, buggy and not needed. (Closes: #1107479) . [ Ben Hutchings ] * d/b/genorig.py, d/rules, d/salsa-ci.yml: Put orig tarballs directly in .. * d/salsa-ci.yml: Adjust filenames to allow source package name suffix * d/salsa-ci.yml: Fix cache configuration for build job * d/salsa-ci.yml: Move orig tarball generation to a separate job again * d/salsa-ci.yml: Restore lintian checking of source package * [rt] Update to 5.10.246-rt140 * [rt] net/sched: act_ife: convert comma to semicolon Checksums-Sha1: 3dde2ab9e626ebaa06d78136760774626252346d 209429 linux_5.10.247-1.dsc cf1ee5fcd11850b72802396180206062335aa730 122115324 linux_5.10.247.orig.tar.xz b83f171d4b90ae1ec575be4ff7012e867f4af62a 1769544 linux_5.10.247-1.debian.tar.xz ff7ad5e807dfbdf54fcb1374b865ed7b3084d3cd 6320 linux_5.10.247-1_source.buildinfo Checksums-Sha256: 4decac0295de58278eab28e88c98ecc4df8eeaa320f197a4b3a4211b77a065f5 209429 linux_5.10.247-1.dsc dce0db938fd1bd36b619301e2abaee5126420add50d8851a4312e5dad1abc3b1 122115324 linux_5.10.247.orig.tar.xz 90014e16f6627a6b14733d55901580f5be24f99d510d5ece0228b54bcea033c1 1769544 linux_5.10.247-1.debian.tar.xz ab2d993b8ad3ec393552af44bec3664fcf42036fb711cc248d11b4a62171646c 6320 linux_5.10.247-1_source.buildinfo Files: 52afeb04ff46214057d8c9c1e61ece87 209429 kernel optional linux_5.10.247-1.dsc ab025ea03f6785d7279dfc95f91c38c2 122115324 kernel optional linux_5.10.247.orig.tar.xz 8c3c00f348b13749d20556dc0d99723a 1769544 kernel optional linux_5.10.247-1.debian.tar.xz 80efb8264140f8a8e1e6aa3fee04398b 6320 kernel optional linux_5.10.247-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmk7DMIACgkQ57/I7JWG EQmAhhAAo8xIF7RORKAs1LlBQIrPREBdPD7Gbor2Yh3gdL1cwoj2BjpDnKsfzqrw IyjL+VTEAYafZ4lhHpvZpOrjjS5610bYSKbdp743CyM4U5hBgbyZaPjf/SllmWhG +pzXgcc4r0aAK4R+JLbry6Sa95H5/Ef6kpnMmcGH0FnDNTQ6gX2QApjix0VqAuLo UQ376F5bMYJ6Y8NYOt+dnmig8nDLFOzo6KR+xq2ofEXQANyarWxuyOs8eVHLb/xs 3dxfbBwRBaCrKdChTxhEQSBcIHY3NHG0taWzAftgwOi+sy3zLiq9uxOaaNb1S2N4 WC259MTlEl54nP48i0ASSNrdbDBq8tSGvCyaeP0Wrt9RoBAeNcvcUbmB3tHz42k8 ZDF+o+LYHxwyIsRL0o5d2CoawVxWWSpk4TCjwEywAOk/bE7fnmPOk5quQJSg9T4n Pzy3Oj3ZCOerGUL2go8GKJdAyK8bYqfwuJKjOInievz1QunGIaYI7QR1aMpCnfcB CGh3ZoOVGss3S8U+lEvlFQGAL8lq08Pna590jfzOblTUfNGOPYp98dLo0qfxO4YT FI2j9eqDkIV9dqnP4/PmIVpqPUK+iHv/YOzrxhYm+3dLok64r4/oHHb1+Xb7pD4q l0VmAA1cssNve9l+gOhaJYLNa1KgSrKc2gfquWDxxzIcj8/zlYA= =CP6j -----END PGP SIGNATURE-----
