-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 11 Dec 2025 18:55:57 +0100
Source: linux-signed-arm64
Architecture: source
Version: 5.10.247+1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Changes:
linux-signed-arm64 (5.10.247+1) bullseye-security; urgency=high
.
* Sign kernel from linux 5.10.247-1
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.245
- net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod.
(CVE-2025-23143)
- mtd: Add check for devm_kcalloc()
- flexfiles/pNFS: fix NULL checks on result of ff_layout_choose_ds_for_read
- NFSv4: Don't clear capabilities that won't be reset
- NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server
- tracing: Fix tracing_marker may trigger page fault during preempt_disable
- NFSv4/flexfiles: Fix layout merge mirror check.
- tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate
psock->cork. (CVE-2025-39913)
- compiler.h: drop fallback overflow checkers
- overflow: Allow mixed type arguments
- EDAC/altera: Delete an inappropriate dma_free_coherent() call
- ocfs2: fix recursive semaphore deadlock in fiemap call (CVE-2025-39885)
- [armhf] mtd: rawnand: stm32_fmc2: fix ECC overwrite
- fuse: check if copy_file_range() returns larger than requested size
- fuse: prevent overflow in copy_file_range return value
- mm/khugepaged: fix the address passed to notifier on testing young
- [armhf] mtd: rawnand: stm32_fmc2: Fix dma_map_sg error check
- [armhf] mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC
buffer (CVE-2025-39907)
- [x86] Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk
table
- tty: hvc_console: Call hvc_kick in hvc_write unconditionally
- USB: serial: option: add Telit Cinterion FN990A w/audio compositions
- USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions
- [arm*] net: fec: Fix possible NPD in
fec_enet_phy_reset_after_clk_enable() (CVE-2025-39876)
- tunnels: reset the GSO metadata before reusing the skb
- igb: fix link test skipping when interface is admin down
- genirq/affinity: Add irq_update_affinity_desc()
- genirq: Export affinity setter for modules
- genirq: Provide new interfaces for affinity hints
- i40e: Use irq_update_affinity_hint()
- i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
(CVE-2025-39911)
- can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when
j1939_local_ecu_get() failed
- can: j1939: j1939_local_ecu_get(): undo increment when
j1939_local_ecu_get() fails
- [armhf] dmaengine: ti: edma: Fix memory allocation size for
queue_priority_map (CVE-2025-39869)
- [arm*] dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/
ees (CVE-2025-39923)
- [armhf] phy: ti-pipe3: fix device leak at unbind
- [arm64] soc: qcom: mdt_loader: Deal with zero e_shentsize
- [x86] drm/i915/power: fix size for for_each_set_bit() in abox iteration
- mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison
memory (CVE-2025-39883)
- ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is
not supported
- wifi: mac80211: fix incorrect type for ret
- cgroup: split cgroup_destroy_wq into 3 workqueues (CVE-2025-39953)
- um: virtio_uml: Fix use-after-free after put_device in probe
(CVE-2025-39951)
- qed: Don't collect too many protection override GRC elements
(CVE-2025-39949)
- net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure
- i40e: remove redundant memory barrier when cleaning Tx descs
- tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). (CVE-2025-39955)
- Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set"
- net: liquidio: fix overflow in octeon_init_instr_queue()
- cnic: Fix use-after-free bugs in cnic_delete_task (CVE-2025-39945)
- power: supply: bq27xxx: fix error return in case of no bq27000 hdq
battery
- power: supply: bq27xxx: restrict no-battery detection to bq27000
- [armhf] mmc: mvsdio: Fix dma_unmap_sg() nents value
- [x86] KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is
active
- rds: ib: Increment i_fastreg_wrs before bailing out
- [x86] ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error
message
- drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path
- crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
(CVE-2025-39964)
- usb: gadget: dummy_hcd: remove usage of list iterator past the loop body
- [rt] USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels
- [armhf] phy: ti: convert to devm_platform_ioremap_resource(_byname)
- phy: Use device_get_match_data()
- [armhf] phy: ti: omap-usb2: fix device leak at unbind
- net: rfkill: gpio: add DT support
- net: rfkill: gpio: Fix crash due to dereferencing uninitialized pointer
(CVE-2025-39937)
- btrfs: tree-checker: fix the incorrect inode ref size check
- ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks
- ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5
- ALSA: usb-audio: Fix build with CONFIG_INPUT=n
- usb: core: Add 0x prefix to quirks debug output
- IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions
- [arm64] dts: imx8mp: Correct thermal sensor index
- cpufreq: Initialize cpufreq-based invariance before subsys
- can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
(CVE-2025-39987)
- [armhf] can: sun4i_can: populate ndo_change_mtu() to prevent buffer
overflow (CVE-2025-39986)
- can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
(CVE-2025-39985)
- can: peak_usb: fix shift-out-of-bounds issue (CVE-2025-40020)
- bnxt_en: correct offset handling for IPv6 destination address
- nexthop: Pass extack to nexthop notifier
- rtnetlink: Add RTNH_F_TRAP flag
- nexthop: Emit a notification when a nexthop is added
- nexthop: Emit a notification when a single nexthop is replaced
- nexthop: Forbid FDB status change while nexthop is in a group
(CVE-2025-39980)
- [x86] drm/gma500: Fix null dereference in hdmi teardown (CVE-2025-40011)
- crypto: af_alg - Fix incorrect boolean values in af_alg_ctx
(CVE-2025-40022)
- i40e: fix idx validation in i40e_validate_queue_map (CVE-2025-39972)
- i40e: fix input validation logic for action_meta (CVE-2025-39970)
- i40e: add max boundary check for VF filters (CVE-2025-39968)
- i40e: add mask to apply valid bits for itr_idx
- tracing: dynevent: Add a missing lockdown check on dynevent
(CVE-2025-40021)
- fbcon: fix integer overflow in fbcon_do_set_font (CVE-2025-39967)
- fbcon: Fix OOB access in font allocation
- mm/migrate_device: don't add folio to be freed to LRU in
migrate_device_finalize() (CVE-2025-21861)
- i40e: increase max descriptors for XL710
- i40e: add validation for ring_len param (CVE-2025-39973)
- i40e: fix idx validation in config queues msg (CVE-2025-39971)
- i40e: fix validation of VF state in get resources (CVE-2025-39969)
- mm/hugetlb: fix folio is still mapped when deleted (CVE-2025-40006)
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.246
- scsi: target: target_core_configfs: Add length check to avoid buffer
overflow (CVE-2025-39998)
- media: b2c2: Fix use-after-free caused by irq_check_work in
flexcop_pci_remove (CVE-2025-39996)
- media: rc: fix races with imon_disconnect() (CVE-2025-39993)
- udp: Fix memory accounting leak. (CVE-2025-22058)
- media: tuner: xc5000: Refactor firmware load
- media: tuner: xc5000: Fix use-after-free in xc5000_release
(CVE-2025-39994)
- media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in
probe (CVE-2025-39995)
- USB: serial: option: add SIMCom 8230C compositions
- wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188
- dm-integrity: limit MAX_TAG_SIZE to 255
- perf subcmd: avoid crash in exclude_cmds when excludes is empty
- hid: fix I2C read buffer overflow in raw_event() for mcp2221
- driver core/PM: Set power.no_callbacks along with power.no_pm
- drm/amd/display: Remove redundant safeguards for dmub-srv destroy()
- drm/amd/display: Fix potential null dereference (CVE-2023-53498)
- crypto: rng - Ensure set_ent is always present (CVE-2025-40109)
- filelock: add FL_RECLAIM to show_fl_flags() macro
- [arm64] perf: arm_spe: Prevent overflow in PERF_IDX2OFF()
(CVE-2025-40081)
- [x86] vdso: Fix output operand size of RDPID
- regmap: Remove superfluous check for !config in __regmap_init()
- libbpf: Fix reuse of DEVMAP
- ACPI: processor: idle: Fix memory leak when register cpuidle device
failed
- [arm64] pinctrl: meson-gxl: add missing i2c_d pinmux
- blk-mq: check kobject state_in_sysfs before deleting in
blk_mq_unregister_hctx (CVE-2025-40125)
- block: use int to store blk_stack_limits() return value
- PM: sleep: core: Clear power.must_resume in noirq suspend error path
- [armhf] pwm: tiehrpwm: Fix corner case in clock divisor calculation
- bpf: Explicitly check accesses to bpf_sock_addr (CVE-2025-40078)
- i2c: designware: Add disabling clocks when probe fails
- drm/radeon/r600_cs: clean up of dead code in r600_cs
- usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup
(CVE-2025-40116)
- scsi: pm80xx: Fix array-index-out-of-bounds on rmmod (CVE-2025-40118)
- [x86] scsi: myrs: Fix dma_alloc_coherent() error check
- media: rj54n1cb0c: Fix memleak in rj54n1_probe()
- ALSA: lx_core: use int type to store negative error codes
- drm/amdgpu: Power up UVD 3 for FW validation (v2)
- wifi: mwifiex: send world regulatory domain to driver
- tcp: fix __tcp_close() to only send RST when required
- [armhf] usb: phy: twl6030: Fix incorrect type for ret
- usb: gadget: configfs: Correctly set use_os_string at bind
- pps: fix warning in pps_register_cdev when register device fail
(CVE-2025-40070)
- [x86] ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping
- [x86] ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping
(CVE-2025-40154)
- [x86] ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping
(CVE-2025-40121)
- iio: consumers: Fix offset handling in iio_convert_raw_to_processed()
- netfilter: ipset: Remove unused htable_bits in macro ahash_region
- drivers/base/node: handle error properly in register_one_node()
- RDMA/cm: Rate limit destroy CM ID timeout error message
- wifi: mt76: fix potential memory leak in mt76_wmac_probe()
- ACPI: NFIT: Fix incorrect ndr_desc being reported in dev_err message
- RDMA/core: Resolve MAC of next-hop device without ARP support
- IB/sa: Fix sa_local_svc_timeout_ms read race
- NFSv4.1: fix backchannel max_resp_sz verification check
- ipvs: Defer ip_vs_ftp unregister during netns cleanup (CVE-2025-40018)
- scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()
(CVE-2025-40115)
- usb: vhci-hcd: Prevent suspending virtually attached devices
- RDMA/siw: Always report immediate post SQ errors
- net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast
(CVE-2025-40140)
- Bluetooth: MGMT: Fix not exposing debug UUID on
MGMT_OP_READ_EXP_FEATURES_INFO
- [armhf] hwrng: ks-sa - fix division by zero in ks_sa_rng_init
(CVE-2025-40127)
- ocfs2: fix double free in user_cluster_connect() (CVE-2025-40055)
- drivers/base/node: fix double free in register_one_node()
- nfp: fix RSS hash key size when RSS is not supported
- net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not
configurable
- net: dlink: handle copy_thresh allocation failure (CVE-2025-40053)
- Revert "net/mlx5e: Update and set Xon/Xoff upon MTU set" (regression in
5.10.242)
- Squashfs: fix uninit-value in squashfs_get_parent (CVE-2025-40049)
- [x86] uio_hv_generic: Let userspace take care of interrupt mask
(CVE-2025-40048)
- [arm*] mfd: vexpress-sysreg: Check the return value of
devm_gpiochip_add_data()
- mm: hugetlb: avoid soft lockup when mprotect to large memory area
(CVE-2025-40153)
- Input: atmel_mxt_ts - allow reset GPIO to sleep
- Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info
leak (CVE-2025-40035)
- pinctrl: check the return value of pinmux_ops::get_function_name()
(CVE-2025-40030)
- [arm64] bus: fsl-mc: Check return value of platform_get_resource()
(CVE-2025-40029)
- fs: always return zero on success from replace_fd()
- clocksource/drivers/clps711x: Fix resource leaks in error paths
- libperf event: Ensure tracing data is multiple of 8 sized
- perf util: Fix compression checks returning -1 as bool
- perf session: Fix handling when buffer exceeds 2 GiB
- scsi: libsas: Add sas_task_find_rq()
- scsi: mvsas: Delete mvs_tag_init()
- scsi: mvsas: Use sas_task_find_rq() for tagging
- scsi: mvsas: Fix use-after-free bugs in mvs_work_queue (CVE-2025-40001)
- net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()
- [x86] drm/vmwgfx: Fix Use-after-free in validation (CVE-2025-40111)
- net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce()
(CVE-2025-40187)
- tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().
(CVE-2025-40186)
- [arm*] net: fsl_pq_mdio: Fix device node reference leak in
fsl_pq_mdio_probe
- [arm64] mailbox: zynqmp-ipi: Remove redundant
mbox_controller_unregister() call
- [arm64] mailbox: zynqmp-ipi: Remove dev.parent check in
zynqmp_ipi_free_mboxes
- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (CVE-2025-40183)
- drm/amdgpu: Add additional DCE6 SCL registers
- drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs
- drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6
- drm/amd/display: Properly disable scaling on DCE6
- crypto: essiv - Check ssize for decryption and in-place encryption
(CVE-2025-40019)
- tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single
- ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT
- [arm64] dts: qcom: msm8916: Add missing MDSS reset
- [armhf] OMAP2+: pm33xx-core: Fix device node reference leaks in
amx3_idle_init
- xen/events: Cleanup find_virq() return codes
- xen/manage: Fix suspend error path
- [arm64] firmware: meson_sm: fix device leak at probe
- drm/nouveau: fix bad ret code in nouveau_bo_move_prep
- [armhf,i386] copy_sighand: Handle architectures where sizeof(unsigned
long) < sizeof(u64)
- [x86] cpufreq: intel_pstate: Fix object lifecycle issue in
update_qos_request() (CVE-2025-40194)
- iio: dac: ad5360: use int type to store negative error codes
- iio: dac: ad5421: use int type to store negative error codes
- init: handle bootloader identifier in kernel parameters
- iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in
resume
- lib/genalloc: fix device leak in of_gen_pool_get()
- openat2: don't trigger automounts with RESOLVE_NO_XDEV
- scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
- sctp: Fix MAC comparison to be constant-time (CVE-2025-40204)
- mmc: core: SPI mode remove cmd7
- [armhf] memory: samsung: exynos-srom: Fix of_iomap leak in
exynos_srom_probe
- rtc: interface: Ensure alarm irq is enabled when UIE is enabled
- rtc: interface: Fix long-standing race when setting alarm
- PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
(CVE-2025-40219)
- PCI/ERR: Fix uevent on failure to recover
- PCI/AER: Fix missing uevent on recovery when a reset is requested
- PCI/AER: Support errors introduced by PCIe r6.0
- [x86] umip: Check that the instruction opcode is at least two bytes
- [x86] umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT
aliases)
- NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()
- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry
- ext4: increase i_disksize to offset + len in
ext4_update_disksize_before_punch()
- ext4: correctly handle queries for metadata mappings
- ext4: guard against EA inode refcount underflow in xattr update
(CVE-2025-40190)
- [arm64] dts: qcom: sdm845: Fix slimbam num-channels/ees
- tracing: Fix race condition in kprobe initialization causing NULL pointer
dereference (CVE-2025-40042)
- dm: fix NULL pointer dereference in __dm_suspend() (CVE-2025-40134)
- [x86] mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config
max_register value
- [x86] mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for
cache_type
- [x86] mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config
flag
- media: mc: Clear minor number before put device (CVE-2025-40197)
- Squashfs: add additional inode sanity checking
- Squashfs: reject negative file sizes in squashfs_read_inode()
(CVE-2025-40200)
- udf: fix uninit-value use in udf_get_fileshortad (CVE-2024-50143)
- fs: udf: fix OOB read in lengthAllocDescs handling (CVE-2025-40044)
- [x86] KVM: x86: Don't (re)check L1 intercepts when completing userspace
I/O (CVE-2025-40026)
- net/9p: fix double req put in p9_fd_cancelled (CVE-2025-40027)
- minixfs: Verify inode mode when loading from disk
- pid: Add a judgment for ns null in pid_nr_ns (CVE-2025-40178)
- fs: Add 'initramfs_options' to set initramfs mount options
- cramfs: Verify inode mode when loading from disk
- locking: Introduce __cleanup() based infrastructure
- fscontext: do not consume log entries when returning -EMSGSIZE
- [arm64] mte: Do not flag the zero page as PG_mte_tagged
- overflow, tracing: Define the is_signed_type() macro once
- btrfs: remove duplicated in_range() macro
- Update <linux/minmax.h> to the version in 6.17
- media: pci/ivtv: switch from 'pci_' to 'dma_' API
- media: pci: ivtv: Add missing check after DMA map
- media: cx18: Add missing check after DMA map
- media: pci: ivtv: Add check for DMA map result
- mm/slab: make __free(kfree) accept error pointers
- wifi: rt2x00: use explicitly signed or unsigned types
- jbd2: ensure that all ongoing I/O complete before freeing blocks
- ext4: detect invalid INLINE_DATA + EXTENTS flag combination
(CVE-2025-40167)
- [arm*] pwm: berlin: Fix wrong register in suspend/resume (CVE-2025-40188)
- btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
(CVE-2025-40205)
- bus: mhi: host: Do not use uninitialized 'dev' pointer in
mhi_init_irq_setup()
- media: rc: Directly use ida_free()
- media: lirc: Fix error handling in lirc_register()
- xen/events: Update virq_to_irq on migration
- HID: multitouch: fix sticky fingers
- iomap: add the new iomap_iter model
- fsdax: switch dax_iomap_rw to use iomap_iter
- dax: skip read lock assertion for read-only filesystems
- net: dlink: handle dma_map_single() failure properly
- r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H
- net/ip6_tunnel: Prevent perpetual tunnel growth (CVE-2025-40173)
- amd-xgbe: Avoid spurious link down messages during interface toggle
- tcp: fix tcp_tso_should_defer() vs large RTT
- tg3: prevent use of uninitialized remote_adv and local_adv variables
- net: usb: use eth_hw_addr_set() instead of ether_addr_copy()
- net: usb: lan78xx: Add error handling to lan78xx_init_mac_address
- net: usb: lan78xx: fix use of improperly initialized dev->chipid in
lan78xx_reset
- drm/amd/powerplay: Fix CIK shutdown temperature
- sched/fair: Trivial correction of the newidle_balance() comment
- sched/balancing: Rename newidle_balance() => sched_balance_newidle()
- sched/fair: Fix pelt lost idle time detection
- hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()
(CVE-2025-40088)
- exec: Fix incorrect type for ret
- hfs: clear offset and space out of valid records in b-tree node
- hfs: make proper initialization of struct hfs_find_data
- hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent()
(CVE-2025-40244)
- hfs: validate record offset in hfsplus_bmap_alloc
- hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat()
- dlm: check for defined force value in dlm_lockspace_release
- hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits()
(CVE-2025-40243)
- hfsplus: return EIO when type of hidden directory mismatch in
hfsplus_fill_super()
- net: rtnetlink: add msg kind names
- net: rtnetlink: add helper to extract msg type's kind
- net: rtnetlink: use BIT for flag values
- net: netlink: add NLM_F_BULK delete request modifier
- net: rtnetlink: add bulk delete support flag
- net: add ndo_fdb_del_bulk
- net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del
- rtnetlink: Allow deleting FDB entries in user namespace
- [arm64] net: enetc: correct the value of ENETC_RXB_TRUESIZE
- [arm64] dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path
- [arm64] mm: avoid always making PTE dirty in pte_mkwrite()
- sctp: avoid NULL dereference when chunk data buffer is missing
(CVE-2025-40240)
- net: bonding: fix possible peer notify event loss or dup issue
- Revert "cpuidle: menu: Avoid discarding useful information"
- ocfs2: clear extent cache after moving/defragmenting extents
(CVE-2025-40233)
- net: usb: rtl8150: Fix frame padding
- USB: serial: option: add UNISOC UIS7720
- USB: serial: option: add Quectel RG255C
- USB: serial: option: add Telit FN920C04 ECM compositions
- usb/core/quirks: Add Huawei ME906S to wakeup quirk
- binder: remove "invalid inc weak" check
- comedi: fix divide-by-zero in comedi_buf_munge() (CVE-2025-40106)
- [x86] mei: me: add wildcat lake P DID
- most: usb: Fix use-after-free in hdm_disconnect (CVE-2025-40223)
- most: usb: hdm_probe: Fix calling put_device() before device
initialization
- serial: 8250_exar: add support for Advantech 2 port card with Device ID
0x0018
- [arm64] cputype: Add Neoverse-V3AE definitions
- [arm64] errata: Apply workarounds for Neoverse-V3AE
- vsock: fix lock inversion in vsock_assign_transport() (CVE-2025-40231)
- padata: Reset next CPU when reorder sequence wraps around
- iio: imu: inv_icm42600: use = { } instead of memset()
- iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended
- PM: runtime: Add new devm functions
- iio: imu: inv_icm42600: Simplify pm_runtime setup
- NFSD: Rework encoding and decoding of nfsd4_deviceid
- NFSD: Minor cleanup in layoutcommit processing
- NFSD: Fix last write offset handling in layoutcommit
- wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again
- PCI: Add sysfs attribute for device power state
- PCI/sysfs: Use sysfs_emit() and sysfs_emit_at() in "show" functions
- PCI/sysfs: Ensure devices are powered for config reads
- ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()
(CVE-2025-40198)
- drm/amdgpu: use atomic functions with memory barriers for vm fault info
- vfs: Don't leak disconnected dentries on umount (CVE-2025-40105)
- NFSD: Define a proc_layoutcommit for the FlexFiles layout type
(CVE-2025-40087)
- fuse: fix livelock in synchronous file put from fuseblk workers
(CVE-2025-40220)
- arch_topology: Fix incorrect error check in topology_parse_cpu_capacity()
- net: rtnetlink: fix module reference count leak issue in
rtnetlink_rcv_msg
- fsdax: Fix infinite loop in dax_iomap_rw()
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.247
- net/sched: sch_qfq: Fix null-deref in agg_dequeue (CVE-2025-40083)
- [x86] bugs: Fix reporting of LFENCE retpoline
- btrfs: always drop log root tree reference in btrfs_replay_log()
- btrfs: use smp_mb__after_atomic() when forcing COW in
create_pending_snapshot()
- NFSD: Fix crash in nfsd4_read_release() (CVE-2025-40324) (regression in
5.10.220)
- net: usb: asix_devices: Check return value of usbnet_get_endpoints
- [x86] fbdev: atyfb: Check if pll_ops->init_pll failed
- [x86] ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
(CVE-2025-40211)
- fbdev: bitblit: bound-check glyph index in bit_putcs* (CVE-2025-40322)
- wifi: brcmfmac: fix crash while sending Action Frames in standalone AP
Mode (CVE-2025-40321)
- wifi: ath10k: Fix memory leak on unsupported WMI command
- [arm64] drm/msm/a6xx: Fix GMU firmware parser
- ALSA: usb-audio: fix control pipe direction
- bpf: Sync pending IRQ work before freeing ring buffer (CVE-2025-40319)
- usbnet: Prevents free active kevent (regression in 5.10.137)
- [armhf] drm/etnaviv: fix flush sequence logic
- drm/amd/pm: fix smu table id bound check issue in smu_cmn_update_table()
- drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Fiji
- drm/amd/pm/powerplay/smumgr: Fix PCIeBootLinkLevel value on Iceland
- block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL
- regmap: slimbus: fix bus_context pointer in regmap init calls
(CVE-2025-40317)
- net: phy: dp83867: Disable EEE support as not implemented
- xfs: always warn about deprecated mount options
- devcoredump: Fix circular locking dependency with devcd->mutex.
(regression in 5.10.204)
- can: gs_usb: increase max interface to U8_MAX
- serial: 8250_dw: Use devm_add_action_or_reset()
- serial: 8250_dw: handle reset control deassert error
- [x86] resctrl: Fix miscount of bandwidth event when reactivating
previously unavailable RMID
- [x86] boot: Compile boot code with -std=gnu11 too
- arch: back to -std=gnu89 in < v5.18
- tracing: fix declaration-after-statement warning
- usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
(CVE-2025-40315)
- block: make REQ_OP_ZONE_OPEN a write operation
- bpf: Don't use %pK through printk
- [arm*] pinctrl: single: fix bias pull up/down handling in pin_config_set
- memstick: Add timeout to prevent indefinite waiting
- [x86] ACPI: video: force native for Lenovo 82K8
- [i386] cpufreq/longhaul: handle NULL policy in longhaul_exit
- [arm*] irqchip/gic-v2m: Handle Multiple MSI base IRQ Alignment
- [arm64] mmc: sdhci-msm: Enable tuning for SDR50 mode for SD card
- ACPICA: dispatcher: Use acpi_ds_clear_operands() in
acpi_ds_call_control_method()
- [arm64] tee: allow a driver to allocate a tee_device without a pool
- nvme-fc: use lock accessing port_state and rport state (CVE-2025-40342)
- [arm64] video: backlight: lp855x_bl: Set correct EPROM start for LP8556
- cpuidle: Fail cpuidle device registration if there is one already
- uprobe: Do not emulate/sstep original instruction when ip is changed
- [x86] hwmon: (dell-smm) Add support for Dell OptiPlex 7040
- tools/cpupower: Fix incorrect size in cpuidle_state_disable()
- [x86] tools/power x86_energy_perf_policy: Fix incorrect fopen mode usage
- [x86] tools/power x86_energy_perf_policy: Enhance HWP enable
- [x86] tools/power x86_energy_perf_policy: Prefer driver HWP limits
- [armhf] mfd: stmpe: Remove IRQ domain upon removal
- [armhf] mfd: stmpe-i2c: Add missing MODULE_LICENSE
- drm/amd/pm: Use cached metrics data on arcturus
- drm/amdgpu/jpeg: Hold pg_lock before jpeg poweroff
- drm/nouveau: replace snprintf() with scnprintf() in nvkm_snprintbf()
- [i386] PCI: Disable MSI on RDC PCI to PCIe bridges
- [amd64] drm/amdkfd: return -ENOTTY for unsupported IOCTLs
- media: pci: ivtv: Don't create fake v4l2_fh
- [amd64] vsyscall: Do not require X86_PF_INSTR to emulate vsyscall
- net: stmmac: Check stmmac_hw_setup() in stmmac_resume()
- bridge: Redirect to backup port when port is administratively down
- net: ipv6: fix field-spanning memcpy warning in AH output
- media: imon: make send_packet() more robust
- [armhf] drm/bridge: display-connector: don't set OP_DETECT for
DisplayPorts
- usb: gadget: f_ncm: Fix MAC assignment NCM ethernet
- char: misc: Does not request module for miscdevice with dynamic minor
- net: When removing nexthops, don't call synchronize_net if it is not
necessary
- net: Call trace_sock_exceed_buf_limit() for memcg failure with
SK_MEM_RECV.
- ALSA: usb-audio: Add validation of UAC2/UAC3 effect units
- rds: Fix endianness annotation for RDS_MPATH_HASH
- scsi: pm80xx: Fix race condition caused by static variables
- [amd64] drm/amdkfd: Tie UNMAP_LATENCY to queue_preemption
- media: fix uninitialized symbol warnings
- scsi: pm8001: Use int instead of u32 to store error codes
- [arm*] dmaengine: mv_xor: match alloc_wc and free_wc
- ipv6: Add sanity checks on ipv6_devconf.rpl_seg_enabled
- net: nfc: nci: Increase NCI_DATA_TIMEOUT to 3000 ms
- ALSA: usb-audio: apply quirk for MOONDROP Quark2
- net: call cond_resched() less often in __release_sock()
- [amd64] iommu/amd: Skip enabling command/event buffers for kdump
- usb: gadget: f_hid: Fix zero length packet transfer
- net: phy: marvell: Fix 88e1510 downshift counter errata
- media: redrat3: use int type to store negative error codes
- [x86] kvm: Prefer native qspinlock for dedicated vCPUs irrespective of
PV_UNHALT
- udp_tunnel: use netdev_warn() instead of netdev_WARN()
- net/cls_cgroup: Fix task_get_classid() during qdisc run
- scsi: lpfc: Define size of debugfs entry for xri rebalancing
- allow finish_no_open(file, ERR_PTR(-E...))
- usb: mon: Increase BUFF_MAX to 64 MiB to support multi-MB URBs
- [arm*] usb: xhci: plat: Facilitate using autosuspend for xhci plat
devices
- ipv6: np->rxpmtu race annotation
- jfs: Verify inode mode when loading from disk (CVE-2025-40312)
- jfs: fix uninitialized waitqueue in transaction manager
- wifi: ath10k: Fix connection after GTK rekeying
- r8169: set EEE speed down ratio to 1
- NFSv4: handle ERR_GRACE on delegation recalls
- NFSv4.1: fix mount hang after CREATE_SESSION failure
- nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode
dereferencing
- fs: ext4: change GFP_KERNEL to GFP_NOFS to avoid deadlock
- [arm64] net: macb: avoid dealing with endianness in macb_set_hwaddr()
- Bluetooth: SCO: Fix UAF on sco_conn_free (CVE-2025-40309)
- Bluetooth: bcsp: receive data only if registered (CVE-2025-40308)
- ALSA: usb-audio: add mono main switch to Presonus S1824c
- exfat: limit log print for IO error
- page_pool: Clamp pool size to max 16K pages
- orangefs: fix xattr related buffer overflow... (CVE-2025-40306)
- ACPICA: Update dsmethod.c to get rid of unused variable warning
- btrfs: mark dirty extent range for out of bound prealloc extents
- fs/hpfs: Fix error code for new_inode() failure in mkdir/create/mknod/
symlink
- 9p: fix /sys/fs/9p/caches overwriting itself
- 9p: sysfs_init: don't hardcode error to ENOMEM
- ACPI: property: Return present device nodes only on fwnode interface
- fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
(CVE-2025-40304)
- ceph: add checking of wait_for_completion_killable() return value
- [x86] ALSA: hda/realtek: Audio disappears on HP 15-fc000 after warm boot
again (regression in 5.10.231)
- net: vlan: sync VLAN features with lower device
- [armhf] net: dsa: b53: fix resetting speed and pause on forced link
- [armhf] net: dsa: b53: fix enabling ip multicast
- [armhf] net: dsa: b53: stop reading ARL entries if search is done
- sctp: Hold RCU read lock while iterating over address list
- sctp: Prevent TOCTOU out-of-bounds write (CVE-2025-40331)
- net: sctp: Fix some typos
- net: Use nlmsg_unicast() instead of netlink_unicast()
- sctp: hold endpoint before calling cb in sctp_transport_lookup_process
- sctp: Hold sock lock while iterating over address list
- net: usb: qmi_wwan: initialize MAC header offset in qmimux_rx_fixup
- tracing: Fix memory leaks in create_field_var()
- NFS4: Fix state renewals missing after boot
- HID: quirks: avoid Cooler Master MM712 dongle wakeup bug
- ASoC: max98090/91: fixed max98091 ALSA widget powering up/down
- [arm*] net: fec: correct rx_bytes statistic for the case SHIFT16 is set
- Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
(CVE-2025-40283)
- Bluetooth: 6lowpan: reset link-local header on ipv6 recv path
(CVE-2025-40282)
- Bluetooth: 6lowpan: fix BDADDR_LE vs ADDR_LE_DEV address type confusion
- Bluetooth: 6lowpan: Don't hold spin lock over sleeping functions
- sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
(CVE-2025-40281)
- net/smc: fix mismatch between CLC header and proposal
- tipc: Fix use-after-free in tipc_mon_reinit_self(). (CVE-2025-40280)
- net: mdio: fix resource leak in mdiobus_register_device()
- wifi: mac80211: skip rate verification for not captured PSDUs
- net: sched: act_ife: initialize struct tc_ife to fix KMSAN kernel-
infoleak (CVE-2025-40278)
- net/mlx5e: Fix maxrate wraparound in threshold between units
- net/mlx5e: Fix wraparound in rate limiting for values above 255 Gbps
- net_sched: limit try_bulk_dequeue_skb() batches
- Bluetooth: L2CAP: export l2cap_chan_hold for modules
- acpi,srat: Fix incorrect device handle check for Generic Initiator
- regulator: fixed: use dev_err_probe for register
- regulator: fixed: fix GPIO descriptor leak on register failure
- [x86] drm/vmwgfx: Validate command header size against
SVGA_CMD_MAX_DATASIZE (CVE-2025-40277)
- ALSA: usb-audio: Fix NULL pointer dereference in
snd_usb_mixer_controls_badd (CVE-2025-40275)
- fsdax: mark the iomap argument to dax_iomap_sector as const
- mm/ksm: fix flag-dropping behavior in ksm_madvise
- netfilter: nf_tables: reject duplicate device on updates (CVE-2025-38678)
- HID: hid-ntrig: Prevent memory leak in ntrig_report_version()
- NFSD: free copynotify stateid in nfs4_free_ol_stateid() (CVE-2025-40273)
- strparser: Fix signed/unsigned mismatch bug
- ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe
(regression in 5.10.65)
- fs/proc: fix uaf in proc_readdir_de() (CVE-2025-40271)
- spi: Try to get ACPI GPIO IRQ earlier (regression in 5.10.231)
- [x86] isdn: mISDN: hfcsusb: fix memory leak in hfcsusb_probe()
- HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 (regression
in 5.10.240) (Closes: #1114557)
- exfat: check return value of sb_min_blocksize in exfat_read_boot_sector
- be2net: pass wrb_params in case of OS2BMC (CVE-2025-40264)
- Input: cros_ec_keyb - fix an invalid memory access (CVE-2025-40263)
- [arm*] Input: imx_sc_key - fix memory corruption on unload
(CVE-2025-40262)
- nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()
(CVE-2025-40261)
- scsi: sg: Do not sleep in atomic context (CVE-2025-40259)
- scsi: target: tcm_loop: Fix segfault in tcm_loop_tpg_address_show()
- [arm*] drm/tegra: dc: Fix reference leak in tegra_dc_couple()
(regression in 5.10.28)
- net: openvswitch: remove never-working support for setting nsh fields
(CVE-2025-40254)
- vsock: Ignore signal/timeout on connect() if already established
(CVE-2025-40248)
- scsi: core: Fix a regression triggered by scsi_host_busy()
- kconfig/mconf: Initialize the default locale at startup
- kconfig/nconf: Initialize the default locale at startup
- mm/mm_init: fix hash table order logging in alloc_large_system_hash()
- ALSA: usb-audio: fix uac2 clock source at terminal parser
- [x86] uio_hv_generic: Set event for all channels on the device
- Makefile.compiler: replace cc-ifversion with compiler-specific macros
- Revert "NFS: Don't set NFS_INO_REVAL_PAGECACHE in the inode cache
validity" (regression in 5.10.241)
- net: netpoll: fix incorrect refcount handling causing incorrect cleanup
- ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
(CVE-2025-40269)
- [armhf] pmdomain: imx: Fix reference count leak in imx_gpc_remove
- ata: libata-scsi: Fix system suspend for a security locked drive
(regression in 5.10.241)
- mptcp: fix race condition in mptcp_schedule_work() (CVE-2025-40258)
- mptcp: fix a race in mptcp_pm_del_add_timer() (CVE-2025-40257)
- usb: deprecate the third argument of usb_maxpacket()
- Input: remove third argument of usb_maxpacket()
- Input: pegasus-notetaker - fix potential out-of-bounds access
- can: kvaser_usb: leaf: Fix potential infinite loop in command parsers
- Bluetooth: SMP: Fix not generating mackey and ltk when repairing
- net: aquantia: Add missing descriptor cache invalidation on ATL2
- net/mlx5e: Fix validation logic in rate limiting
- net: atlantic: fix fragment overflow handling in RX path
- [x86] Revert "perf/x86: Always store regs->ip in perf_callchain_kernel()"
- iio: imu: st_lsm6dsx: fix array size for st_lsm6dsx_settings fields
- atm/fore200e: Fix possible data race in fore200e_open()
- can: sja1000: fix max irq loop handling
- [armhf] can: sun4i_can: sun4i_can_interrupt(): fix max irq loop handling
- dm-verity: fix unreliable memory allocation
- [x86] thunderbolt: Add support for Intel Wildcat Lake
- [arm*] serial: amba-pl011: prefer dma_mapping_error() over explicit
address checking (regression in 5.10.204)
- most: usb: fix double free on late probe failure
- usb: cdns3: Fix double resource release in cdns3_pci_probe
- usb: gadget: f_eem: Fix memory leak in eem_unwrap (regression in 5.10.50)
- usb: storage: Fix memory leak in USB bulk transport
- USB: storage: Remove subclass and protocol overrides from Novatek quirk
- usb: storage: sddr55: Reject out-of-bound new_pba
- [arm*] usb: dwc3: Fix race condition between concurrent
dwc3_remove_requests() call paths
- USB: serial: ftdi_sio: add support for u-blox EVK-M101
- USB: serial: option: add support for Rolling RW101R-GL
- drm/amd/display: Check NULL before accessing
- libceph: fix potential use-after-free in have_mon_and_osd_map()
- fs: writeback: fix use-after-free in __mark_inode_dirty()
(CVE-2025-39866)
- Bluetooth: Add more enc key size check
- netfilter: nf_set_pipapo: fix initial map fill (CVE-2024-57947)
- scsi: pm80xx: Set phy->enable_completion only when we wait for it
(CVE-2024-47666)
- smb: client: fix memory leak in cifs_construct_tcon()
- usb: typec: ucsi: psy: Set max current to zero when disconnected
(regression in 5.10.241)
- usb: uas: fix urb unmapping issue when the uas device is remove during
ongoing data transfer
- ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
(CVE-2025-21887) (regression in 5.10.188)
- [amd64] netfilter: nf_set_pipapo_avx2: fix initial map fill
.
[ Uwe Kleine-König ]
* Disable CONFIG_CDROM_PKTCDVD for all archs as this driver is
orphaned, buggy and not needed. (Closes: #1107479)
.
[ Ben Hutchings ]
* d/b/genorig.py, d/rules, d/salsa-ci.yml: Put orig tarballs directly in ..
* d/salsa-ci.yml: Adjust filenames to allow source package name suffix
* d/salsa-ci.yml: Fix cache configuration for build job
* d/salsa-ci.yml: Move orig tarball generation to a separate job again
* d/salsa-ci.yml: Restore lintian checking of source package
* [rt] Update to 5.10.246-rt140
* [rt] net/sched: act_ife: convert comma to semicolon
Checksums-Sha1:
49b710807f3264ba9db3f0edd08fe2ef23c13ba2 6732 linux-signed-arm64_5.10.247+1.dsc
64e9a2a09c1385bbe157ea43fea7a9ed5d6cab6f 623632 linux-signed-arm64_5.10.247+1.tar.xz
Checksums-Sha256:
a95302195f5a93b7797eeb98173e4c5b8cf7843647f8ee9decef46c776b030aa 6732 linux-signed-arm64_5.10.247+1.dsc
d3660e949dc585157fe36c8d78cc94af36c44b47b0c3954b39de8d36f0910ed6 623632 linux-signed-arm64_5.10.247+1.tar.xz
Files:
8016c04a406a959a164495884d81bdf2 6732 kernel optional linux-signed-arm64_5.10.247+1.dsc
9b6465db4dfcbf3ac0d9b78f146155c3 623632 kernel optional linux-signed-arm64_5.10.247+1.tar.xz
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQSInBJdRTWyTRy0ztFCTVFtUgONCgUCaTv70QAKCRBCTVFtUgON
CtUqAP99BmJxGhdzVwjwerTKHLJlDxOXhl4SWyXuFqLcpo2qLAD/emzU2rx0roRC
wAjTj9C0hVHoZLR4GEAmeA2ansSTZAM=
=BMsQ
-----END PGP SIGNATURE-----