-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 10 Feb 2026 18:16:32 +0100 Source: linux Architecture: source Version: 5.10.249-1 Distribution: bullseye-security Urgency: high Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Ben Hutchings <benh@debian.org> Closes: 1122193 1123750 Changes: linux (5.10.249-1) bullseye-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.248 - xfrm: delete x->tunnel as we delete x (CVE-2025-40215) - Revert "xfrm: destroy xfrm_state synchronously on net exit path" - xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added - xfrm: flush all states in xfrm_state_fini - jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted (CVE-2025-68337) - ext4: refresh inline data size before write operations (CVE-2025-68264) - locking/spinlock/debug: Fix data-race in do_raw_write_lock (CVE-2025-68336) - ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() (CVE-2025-68261) - USB: serial: option: add Foxconn T99W760 - USB: serial: option: add Telit Cinterion FE910C04 new compositions - USB: serial: option: move Telit 0x10c7 composition in the right place - USB: serial: ftdi_sio: match on interface number for jtag - serial: add support of CPCI cards - USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC - USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC - [armhf] spi: imx: keep dma request disabled before dma transfer setup - bfs: Reconstruct file type when loading from disk (CVE-2025-68266) - [arm64] pinctrl: qcom: msm: Fix deadlock in pinmux configuration - [x86] platform/x86: acer-wmi: Ignore backlight event - [x86] platform/x86: huawei-wmi: add keys for HONOR models - comedi: c6xdigio: Fix invalid PNP driver unregistration (CVE-2025-68332) - comedi: multiq3: sanitize config options in multiq3_attach() (CVE-2025-68258) - comedi: check device's attached status in compat ioctls (CVE-2025-68257) - staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing (CVE-2025-68255) - smack: fix bug: unprivileged task can create labels (CVE-2025-68733) - drm/vgem-fence: Fix potential deadlock on release (CVE-2025-68757) - USB: Fix descriptor count when handling invalid MBIM extended descriptor - [arm64] irqchip/qcom-irq-combiner: Fix section mismatch - rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu() - inet: Avoid ehash lookup race in inet_ehash_insert() - iio: imu: st_lsm6dsx: introduce st_lsm6dsx_device_set_enable routine - iio: imu: st_lsm6dsx: discard samples during filters settling time - iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member - crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id (CVE-2025-68724) - [x86] dumpstack: Make show_trace_log_lvl() static - kmsan: introduce __no_sanitize_memory and __no_kmsan_checks - [x86] kmsan: don't instrument stack walking functions - [x86] dumpstack: Prevent KASAN false positive warnings in __show_regs() - [armhf] pinctrl: stm32: fix hwspinlock resource leak in probe function - scsi: target: Do not write NUL characters into ASCII configfs output - ext4: minor defrag code improvements - ext4: correct the checking of quota files before moving extents - [x86] perf/x86/intel: Correct large PEBS flag check - regulator: core: disable supply if enabling main regulator fails - nbd: clean up return value checking of sock_xmit() - nbd: partition nbd_read_stat() into nbd_read_reply() and nbd_handle_reply() - nbd: defer config put in recv_work (CVE-2025-68372) - scsi: stex: Fix reboot_notifier leak in probe error path - [amd64] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse (CVE-2025-68367) - wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper() - nbd: defer config unlock in nbd_genl_connect (CVE-2025-68366) - [arm*] clk: renesas: r9a06g032: Fix memory leak in error path - lib/vsprintf: Check pointer before dereferencing in time_and_date() - ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() (CVE-2025-68364) - ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint() - watchdog: wdat_wdt: Stop watchdog when uninstalling module - watchdog: wdat_wdt: Fix ACPI table leak in probe function - NFSD/blocklayout: Fix minlength check in proc_layoutget - wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() (CVE-2025-68759) - [arm*] pwm: bcm2835: Support apply function for atomic configuration - [arm*] pwm: bcm2835: Make sure the channel is enabled after pwm_request() - mfd: mt6397-irq: Fix missing irq_domain_remove() in error path - mfd: mt6358-irq: Fix missing irq_domain_remove() in error path - wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() (CVE-2025-68362) - ima: Handle error code returned by ima_filter_rule_match() (CVE-2025-68740) - usb: chaoskey: fix locking for O_NONBLOCK - [arm*] usb: dwc2: disable platform lowlevel hw resources during shutdown - [arm*] usb: dwc2: fix hang during shutdown if set as peripheral - [arm*] usb: dwc2: fix hang during suspend if set as peripheral - usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE - [arm*] crypto: ccree - Correctly handle return of sg_nents_for_len - staging: fbtft: core: fix potential memory leak in fbtft_probe_common() - [arm*] PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition - wifi: ieee80211: correct FILS status codes - backlight: led-bl: Add devlink to supplier LEDs (CVE-2025-68758) - [arm*] iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal - drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1() - ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4 - ext4: remove unused return value of __mb_check_buddy - ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation - regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex (CVE-2025-68354) - netfilter: nft_connlimit: move stateful fields out of expression data - netfilter: nf_conncount: reduce unnecessary GC - netfilter: nf_conncount: rework API to use sk_buff directly - netfilter: nft_connlimit: update the count if add was skipped - mtd: lpddr_cmds: fix signed shifts in lpddr_cmds - net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop (CVE-2025-68325) - perf tools: Fix split kallsyms DSO counting - pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling - pinctrl: single: Fix incorrect type for error return variable - NFS: Clean up function nfs_mark_dir_for_revalidate() - NFS: Fix open coded versions of nfs_set_cache_invalid() - NFS: Label the dentry with a verifier in nfs_rmdir() and nfs_unlink() - NFS: don't unhash dentry during unlink/rename - NFS: Avoid changing nlink when file removes and attribute updates race - fs/nls: Fix utf16 to utf8 conversion - NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid (CVE-2025-68349) - Revert "nfs: ignore SB_RDONLY when remounting nfs" (regression in 5.10.239) - Revert "nfs: clear SB_RDONLY before getting superblock" - Revert "nfs: ignore SB_RDONLY when mounting nfs" (regression in 5.10.231) - NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags (CVE-2025-68764) - fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() - [x86] platform/x86: asus-wmi: use brightness_set_blocking() for kbd led - blk-mq: Abort suspend when wakeup events are pending - dma/pool: eliminate alloc_pages warning in atomic_pool_expand - [armhf] 9464/1: fix input-only operand modification in load_unaligned_zeropad() - dm-raid: fix possible NULL dereference with undefined raid type - dm log-writes: Add missing set_freezable() for freezable kthread - efi/cper: Add a new helper function to print bitmasks - [arm64] efi/cper: Adjust infopfx size to accept an extra space - [arm64] efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs - ocfs2: fix memory leak in ocfs2_merge_rec_left() - usb: phy: Initialize struct usb_phy list_head - ALSA: dice: fix buffer overflow in detect_stream_formats() (CVE-2025-68346) - NFS: Fix missing unlock in nfs_unlink() - netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around - netfilter: nft_connlimit: memleak if nf_ct_netns_get() fails - [arm64] bpf, arm64: Do not audit capability check in do_jit() - btrfs: fix memory leak of fs_devices in degraded seed device path - ACPICA: Avoid walking the Namespace if start_node is NULL (CVE-2025-71118) - ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only - hfsplus: fix volume corruption issue for generic/070 - hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create (CVE-2025-68774) - hfsplus: Verify inode mode when loading from disk (CVE-2025-68767) - hfsplus: fix volume corruption issue for generic/073 - btrfs: scrub: always update btrfs_scrub_progress::last_physical - Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE - netrom: Fix memory leak in nr_sendmsg() (CVE-2025-68787) - net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (CVE-2025-71066) - ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() - mlxsw: spectrum_router: Fix neighbour use-after-free (CVE-2025-68801) - mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats (CVE-2025-68800) - net: openvswitch: fix middle attribute validation in push_nsh() action (CVE-2025-68785) - [x86] broadcom: b44: prevent uninitialized value usage - netfilter: nf_conncount: fix leaked ct in error paths - ipvs: fix ipv4 null-ptr-deref in route error path (CVE-2025-68813) - caif: fix integer underflow in cffrml_receive() (CVE-2025-68799) - net/sched: ets: Remove drr class from the active list if it changes to strict (CVE-2025-68815) - nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() - net/ethtool/ioctl: split ethtool_get_phy_stats into multiple helpers - ethtool: Avoid overflowing userspace buffer on stats query (CVE-2025-68795) - net/mlx5: fw_tracer, Add support for unrecognized string - net/mlx5: fw_tracer, Validate format string parameters (CVE-2025-68816) - net/mlx5: fw_tracer, Handle escaped percent properly - net: hns3: using the num_tqps in the vf driver to apply for resources (CVE-2025-71064) - net: hns3: add VLAN id validation before using (CVE-2025-71112) - hwmon: (ibmpex) fix use-after-free in high/low store (CVE-2025-68789) - HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen - [arm*] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation (CVE-2025-68777) - [x86] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table - ACPI: CPPC: Fix missing PCC check for guaranteed_perf - [arm*] spi: fsl-cpm: Check length parity before switching to 16 bit mode (CVE-2025-68773) - net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() (CVE-2025-68776) - [x86] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path - [x86] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path - ALSA: usb-mixer: us16x08: validate meter packet indices (CVE-2025-68783) - ipmi: Fix the race between __scan_channels() and deliver_response() - ipmi: Fix __scan_channels() failing to rescan channels - [armhf] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx - [arm64] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 - scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive - scsi: qla2xxx: Use reinit_completion on mbx_intr_comp - [x86] via_wdt: fix critical boot hang due to unnamed resource allocation (CVE-2025-71114) - exfat: fix remount failure in different process environments - [rt] usbip: Fix locking bug in RT-enabled kernels - usb: typec: ucsi: Handle incorrect num_connectors capability (CVE-2025-71108) - usb: xhci: limit run_graceperiod for only usb 3.0 devices - usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive. - nvme-fc: don't hold rport lock when putting ctrl - vhost/vsock: improve RCU read sections around vhost_vsock_get() - [amd64] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit - ext4: xattr: fix null pointer deref in ext4_raw_inode() (CVE-2025-68820) - ext4: fix incorrect group number assertion in mb_check_buddy - jbd2: use a weaker annotation in journal handling - usb: usb-storage: Maintain minimal modifications to the bcdDevice range. - media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() (CVE-2025-68819) - [arm*] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe - char: applicom: fix NULL pointer dereference in ac_ioctl (CVE-2025-68797) - [x86] intel_th: Fix error handling in intel_th_output_open - [i386] cpufreq: nforce2: fix reference count leak in nforce2 - scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" (CVE-2025-68818) (regression in 5.10.177) - scsi: aic94xx: fix use-after-free in device removal path (CVE-2025-71075) - NFSD: use correct reservation type in nfsd4_scsi_fence_client - scsi: target: Reset t_task_cdb pointer in error case (CVE-2025-68782) - f2fs: invalidate dentry cache on failed whiteout creation (CVE-2025-71069) - f2fs: fix return value of f2fs_recover_fsync_data() (CVE-2025-68769) - media: vidtv: initialize local pointers upon transfer of memory ownership (CVE-2025-68808) - ocfs2: fix kernel BUG in ocfs2_find_victim_chain (CVE-2025-68771) - platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver (CVE-2025-68804) - [arm64] scs: fix a wrong parameter in __scs_magic (CVE-2025-71102) - libceph: make decode_pool() more resilient against corrupted osdmaps (CVE-2025-71116) - [x86] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 - [x86] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() - [x86] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer (CVE-2025-71104) - [x86] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation - [x86] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) - tracing: Do not register unsupported perf events (CVE-2025-71125) - PM: runtime: Do not clear needs_force_resume with enabled runtime PM - fsnotify: do not generate ACCESS/MODIFY events on child for special files (CVE-2025-68788) - nfsd: Mark variable __maybe_unused to avoid W=1 build break - io_uring: fix filename leak in __io_openat_prep() - drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() - [arm*] amba: tegra-ahb: Fix device leak on SMMU enable - [arm64] soc: amlogic: canvas: fix device leak on lookup - [arm64] rpmsg: glink: fix rpmsg device leak - [x86] i2c: amd-mp2: fix reference leak in MP2 PCI device - hwmon: (w83791d) Convert macros to functions to avoid TOCTOU (CVE-2025-71111) - hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU - i40e: fix scheduling in set_rx_mode - iavf: fix off-by-one issues in iavf_config_rss_reg() (CVE-2025-71087) - crypto: seqiv - Do not use req->iv after crypto_aead_encrypt (CVE-2025-71131) - [armhf] net: mdio: aspeed: move reg accessing part into separate functions - [armhf] net: mdio: aspeed: add dummy read to avoid read-after-write issue - net: openvswitch: Avoid needlessly taking the RTNL on vport destroy - ip6_gre: make ip6gre_header() robust (CVE-2025-71098) - [x86] platform/x86: msi-laptop: add missing sysfs_remove_group() - [x86] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic - team: fix check for port enabled in team_queue_override_port_prio_changed() (CVE-2025-71091) - net: usb: rtl8150: fix memory leak on usb_submit_urb() failure (CVE-2025-71154) - firewire: nosy: switch from 'pci_' to 'dma_' API - firewire: nosy: Fix dma_free_coherent() size - [armhf] net: dsa: b53: skip multicast entries for fdb_dump() - net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct - [arm64] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" (CVE-2025-71137) - ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (CVE-2025-71085) - ipv4: Fix reference count leak when using error routes with nexthop objects (CVE-2025-71097) - net: rose: fix invalid array index in rose_kill_by_device() (CVE-2025-71086) - RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() - [armhf] ASoC: stm32: sai: fix device leak on probe - [armhf] iommu/omap: fix device leaks on probe_device() - HID: logitech-dj: Remove duplicate error logging - PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths - [arm64] mfd: max77620: Fix potential IRQ chip conflict when probing two devices - media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() (CVE-2025-71136) - media: cec: Fix debugfs leak on bus_register() failure - media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() - idr: fix idr_alloc() returning an ID out of range - RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly (CVE-2025-71096) - RDMA/cm: Fix leaking the multicast GID table reference (CVE-2025-71084) - e1000: fix OOB in e1000_tbi_should_accept() (CVE-2025-71093) - [amd64] fjes: Add missing iounmap in fjes_hw_init() - nfsd: Drop the client reference in client_states_open() - net: usb: sr9700: fix incorrect command used to write single register - net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write (CVE-2025-71079) - [arm64] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers - drm/nouveau/dispnv50: Don't call drm_atomic_get_crtc_state() in prepare_fb - RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem (CVE-2025-38022) - virtio_console: fix order of fields cols and rows - console: Delete unused con_font_copy() callback implementations - console: Delete dummy con_font_set() and con_font_default() callback implementations - Fonts: Add charcount field to font_desc - fbcon: Avoid using FNTCHARCNT() and hard-coded built-in font charcount (Closes: #1123750) - [x86] drm/vmwgfx: Fix a null-ptr access in the cursor snooper (CVE-2025-40110) - usb: xhci: move link chain bit quirk checks into one helper function. - usb: xhci: Apply the link chain quirk on NEC isoc endpoints (CVE-2025-22022) - ipv6: Fix potential uninit-value access in __ip6_make_skb() (CVE-2024-36903) - ipv4: Fix uninit-value access in __ip_make_skb() (CVE-2024-36927) - HID: core: Harden s32ton() against conversion to 0 bits (CVE-2025-38556) - usb: gadget: udc: fix use-after-free in usb_gadget_state_work (CVE-2025-68282) - net/mlx5e: Avoid field-overflowing memcpy() (CVE-2022-48744) - [i386] ALSA: wavefront: Clear substream pointers on close - [i386] ALSA: wavefront: Fix integer overflow in sample size validation (CVE-2025-68344) - ext4: fix string copying in parse_apply_sb_mount_options() (CVE-2025-71123) - btrfs: don't rewrite ret from inode_permission - xfs: fix a memory leak in xfs_buf_item_init() - f2fs: use global inline_xattr_slab instead of per-sb slab cache (CVE-2025-71105) - f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() - f2fs: fix to propagate error from f2fs_enable_checkpoint() - f2fs: fix to avoid updating zero-sized extent in extent cache (CVE-2025-68796) - [arm*] usb: dwc3: keep susphy enabled during exit to avoid controller faults - jbd2: fix the inconsistency between checksum and data in memory for journal sb - tpm: Cap the number of PCR banks (CVE-2025-71077) - NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap - SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (CVE-2025-71120) - hwmon: replace snprintf in show functions with sysfs_emit - hwmon: (max16065) Use local variable to avoid TOCTOU - crypto: af_alg - zero initialize memory allocated via sock_kmalloc (CVE-2025-71113) - [arm64] iommu/qcom: fix device leak on of_xlate() - [arm64] PCI: brcmstb: Fix disabling L0s capability - [armhf] ASoC: stm: Use dev_err_probe() helper - [armhf] ASoC: stm32: sai: Use the devm_clk_get_optional() helper - [armhf] ASoC: stm32: sai: fix clk prepare imbalance on probe failure - mm/balloon_compaction: make balloon page compaction callbacks static - mm/balloon_compaction: we cannot have isolated pages in the balloon list - mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() - lockd: fix vfs_test_lock() calls - [x86] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() - wifi: mac80211: Discard Beacon frames to non-broadcast address (CVE-2025-71127) - NFSD: NFSv4 file creation neglects setting ACL (CVE-2025-68803) - scsi: iscsi: Move pool freeing - scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress (CVE-2023-52975) - [arm*] cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (CVE-2025-37830) - ovl: Use "buf" flexible array for memcpy() destination (CVE-2022-49743) - btrfs: do not clean up repair bio if submit fails (CVE-2022-49168) - [arm64] bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove() (CVE-2022-49711) - [amd64] Revert "iommu/amd: Skip enabling command/event buffers for kdump" (regression in 5.10.247) - scsi: core: ufs: Fix a hang in the error handler (CVE-2025-38119) - net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() - [x86] atm: Fix dma_free_coherent() size - net: 3com: 3c59x: fix possible null dereference in vortex_probe1() (CVE-2026-23020) - [x86] mei: me: add nova lake point S DID - lib/crypto: aes: Fix missing MMU protection for AES S-box - wifi: avoid kernel-infoleak from struct iw_point (CVE-2026-22978) - libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (CVE-2026-22990) - libceph: make free_choose_arg_map() resilient to partial allocation (CVE-2026-22991) - libceph: make calc_target() set t->paused, not just clear it (CVE-2026-23047) - ext4: introduce ITAIL helper - ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() (CVE-2025-22121) - bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself - [rt][armhf] 9461/1: Disable HIGHPTE on PREEMPT_RT kernels - NFSv4: ensure the open stateid seqid doesn't go backwards - NFS: Fix up the automount fs_context to use the correct cred - [x86] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset - scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" (regression in 5.10.223) - [armhf] dts: imx6q-ba16: fix RTC interrupt level - netfilter: nft_synproxy: avoid possible data-race on update operation - netfilter: nf_conncount: update last_gc only when GC has been performed - bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress - inet: ping: Fix icmp out counting - net: sock: fix hardened usercopy panic in sock_recv_errqueue (CVE-2026-22977) - netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates - net/mlx5e: Don't print error message due to invalid module - eth: bnxt: move and rename reset helpers - bnxt_en: Fix potential data corruption with HW GRO/LRO - HID: quirks: work around VID/PID conflict for appledisplay - net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset (CVE-2026-22976) - net: usb: pegasus: fix memory leak in update_eth_regs_async() (CVE-2026-23021) - arp: do not assume dev_hard_header() does not change skb->head - blk-throttle: Set BIO_THROTTLED when bio has been throttled (CVE-2022-49465) - nfsd: provide locking for v4_end_grace (CVE-2026-22980) - [x86] powercap: fix race condition in register_control_type() - [x86] powercap: fix sscanf() error return value handling - can: j1939: make j1939_session_activate() fail if device is no longer registered (CVE-2025-71182) - [arm64] ASoC: fsl_sai: Add missing registers to cache default - scsi: sg: Fix occasional bogus elapsed time that exceeds timeout - efi/cper: Fix cper_bits_to_str buffer handling and return value - NFS: unlink/rmdir shouldn't call d_delete() twice on ENOENT - NFS: add barriers when testing for NFS_FSDATA_BLOCKED https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.249 - pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() (CVE-2026-23038) - nvmet-tcp: remove boilerplate code - nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (CVE-2026-22998) - ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() (CVE-2026-23003) - macvlan: Add nodst option to macvlan type source - macvlan: Use 'hash' iterators to simplify code - macvlan: fix possible UAF in macvlan_forward_source() (CVE-2026-23001) - ipv4: ip_gre: make ipgre_header() robust (CVE-2026-23011) - net/sched: sch_qfq: do not free existing class in qfq_change_class() (CVE-2026-22999) - [arm*] dmaengine: tegra-adma: Fix use-after-free (CVE-2025-71162) - [armhf] phy: stm32-usphyc: Fix off by one in probe() (CVE-2025-71196) - [armhf] dmaengine: omap-dma: fix dma_pool resource leak in error paths (CVE-2026-23033) - HID: usbhid: paper over wrong bNumDescriptor field (Closes: #1122193) - ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer - net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts (CVE-2026-22997) - [arm64] phy: rockchip: inno-usb2: fix disconnection in gadget mode - [arm64] phy: rockchip: inno-usb2: fix communication disruption in gadget mode - [arm*] usb: dwc3: Check for USB4 IP_NAME - [arm*] USB: OHCI/UHCI: Add soft dependencies on ehci_platform - USB: serial: option: add Telit LE910 MBIM composition - USB: serial: ftdi_sio: add support for PICAXE AXE027 cable - ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref - [x86] EDAC/x38: Fix a resource leak in x38_probe1() - [x86] EDAC/i3200: Fix a resource leak in i3200_probe1() - [x86] resctrl: Fix memory bandwidth counter width for Hygon - [x86] resctrl: Add missing resctrl initialization for Hygon - drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare - drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel (CVE-2026-23049) - [x86] drm/vmwgfx: Fix an error return check in vmw_compat_shader_add() - [armhf] dmaengine: at_hdmac: fix device leak on of_dma_xlate() (CVE-2025-71191) - [arm64] dmaengine: bcm-sba-raid: fix device leak on probe (CVE-2025-71190) - [armhf] dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation - [armhf] dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation (CVE-2025-71185) - [arm64] dmaengine: ti: k3-udma: fix device leak on udma lookup - btrfs: fix deadlock in wait_current_trans() due to ignored transaction type (CVE-2025-71194) - macvlan: Fix leaking skb in source mode with nodst option - posix-clock: introduce posix_clock_context concept - Fix memory leak in posix_clock_open() - posix-clock: Store file pointer in struct posix_clock_context - ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE. - net: usb: dm9601: remove broken SR9700 support - sctp: sm_statefuns: Fix spelling mistakes - sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT - amd-xgbe: avoid misleading per-packet error log - gue: Fix skb memleak with inner IP protocol 0. (CVE-2026-23095) - netlink: add a proto specification for FOU - net: fou: use policy and operation tables generated from the spec - fou: Don't allow 0 for FOU_ATTR_IPPROTO. (CVE-2026-23083) - l2tp: avoid one data-race in l2tp_tunnel_del_work() - ipvlan: Make the addrs_lock be per port (CVE-2026-23103) - net/sched: Enforce that teql can only be used as root qdisc (CVE-2026-23074) - net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag (CVE-2026-23105) - crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (CVE-2026-23060) - [i386] comedi: dmm32at: serialize use of paged registers - w1: fix redundant counter decrement in w1_attach_slave_device() - [x86] Input: i8042 - add quirks for MECHREVO Wujie 15X Pro - [x86] Input: i8042 - add quirk for ASUS Zenbook UX425QA_UM425QA - [x86] scsi: storvsc: Process unsupported MODE_SENSE_10 - regmap: Fix race condition in hwspinlock irqsave routine (CVE-2026-23071) - scsi: core: Wake up the error handler when final completions race against each other (CVE-2026-23110) - ALSA: usb: Increase volume range that triggers a warning - [arm64] net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M - [arm64] net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue - [x86] mISDN: annotate data-race around dev->work - usbnet: limit max_mtu based on device's hard_mtu - drm/amd/pm: Don't clear SI SMC table when setting power limit - drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2) - be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list (CVE-2026-23084) - bonding: provide a net pointer to __skb_flow_dissect() - net/sched: act_ife: avoid possible NULL deref (CVE-2026-23064) - leds: led-class: Only Add LED to leds_list when it is fully ready (CVE-2026-23101) - of: fix reference count leak in of_alias_scan() - iio: adc: ad9467: fix ad9434 vref mask - [armhf] iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver (CVE-2025-71199) - iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl - ALSA: ctxfi: Fix potential OOB access in audio mixer handling (CVE-2026-23076) - ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() (CVE-2026-23089) - mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function - wifi: ath10k: fix dma_free_coherent() pointer - wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize() - wifi: rsi: Fix memory corruption due to not set vif driver data size (CVE-2026-23073) - slimbus: core: fix runtime PM imbalance on report present - slimbus: core: fix device reference leak on report present (CVE-2026-23090) - [x86] intel_th: fix device leak on output open() (CVE-2026-23091) - uacce: fix cdev handling in the cleanup path (CVE-2026-23096) - uacce: implement mremap in uacce_vm_ops to return -EPERM (CVE-2026-23056) - uacce: ensure safe queue release with state management (CVE-2026-23063) - netrom: fix double-free in nr_route_frame() (CVE-2026-23098) - [x86] perf/x86/intel: Do not enable BTS for guests - [armhf] irqchip/gic-v3-its: Avoid truncating memory addresses (CVE-2026-23085) - can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak (CVE-2026-23058) - can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak (CVE-2026-23061) - can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak (CVE-2026-23080) - can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak (CVE-2026-23108) - migrate: correct lock ordering for hugetlb file folios (CVE-2026-23097) - bpf: Do not let BPF test infra emit invalid GSO types to stack (CVE-2025-68725) - bpf: Reject narrower access to pointer ctx fields (CVE-2025-38591) - fbdev: fbcon: Properly revert changes when vc_resize() failed - fbdev: fbcon: release buffer when fbcon_do_set_font() failed - fbcon: always restore the old font data in fbcon_do_set_font() - Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work - net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup() - [arm*] net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins() - rocker: fix memory leak in rocker_world_port_post_fini() - nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). - ice: stop counting UDP csum mismatch as rx_errors - net/mlx5: Add HW definitions of vport debug counters - net/mlx5e: Expose rx_oversize_pkts_buffer counter - net/mlx5e: Report rx_discards_phy via rx_dropped - net/mlx5e: Account for netdev stats in ndo_get_stats64 - nfc: nci: Fix race between rfkill and nci_unregister_device(). - net: bridge: fix static key check - scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() - dma/pool: distinguish between missing and exhausted atomic pools - scsi: be2iscsi: Fix a memory leak in beiscsi_boot_get_sinfo() - net/sched: act_ife: convert comma to semicolon - nvme-fc: rename free_ctrl callback to match name pattern - nvme-pci: do not directly handle subsys reset fallout - nvme: fix PCIe subsystem reset controller state transition - xfs: set max_agbno to allow sparse alloc of last full inode chunk - [armhf] dmaengine: stm32: dmamux: fix OF node leak on route allocation failure - [armhf] dmaengine: stm32: dmamux: fix device leak on route allocation (CVE-2025-71186) - scsi: xen: scsiback: Fix potential memory leak in scsiback_remove() (CVE-2026-23087) - w1: w1_therm: use swap() to make code cleaner - w1: therm: Fix off-by-one buffer overflow in alarms_store (CVE-2025-71197) - [x86] mei: trace: treat reg parameter as string - driver core: fix potential null-ptr-deref in device_add() (CVE-2023-54321) - mm/pagewalk: add walk_page_range_vma() - ksm: use range-walk function to jump over holes in scan_get_next_rmap_item (CVE-2025-68211) - drm/amdkfd: fix a memory leak in device_queue_manager_init() - comedi: Fix getting range information for subdevices 16 to 255 - can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak (CVE-2026-23075) - of: platform: Use default match table for /firmware - ipv6: sr: Fix MAC comparison to be constant-time (CVE-2025-39702) - netfilter: nf_tables: typo NULL check in _clone() function - writeback: fix 100% CPU usage when dirtytime_expire_interval is 0 - [arm*] pinctrl: meson: mark the GPIO controller as sleeping - HID: uclogic: Correct devm device reference for hidinput input_dev name (CVE-2023-54207) - HID: uclogic: Add NULL check in uclogic_input_configured() . [ Ben Hutchings ] * [rt] Update to 5.10.247-rt141 . [ Bastian Blank ] * Only include all dpkg default.mk in rules.real Checksums-Sha1: 6dcf04599482c22079142bcf84ba650bdd6ff44f 209429 linux_5.10.249-1.dsc 22870c5b8aa1c7b0142020b0846fc4a668284816 122140068 linux_5.10.249.orig.tar.xz 676b8fe948c4ac0190e92edaf9972c120c487467 1777276 linux_5.10.249-1.debian.tar.xz b2ba081e855014274fc3ad0de61420e2874b2abd 6215 linux_5.10.249-1_source.buildinfo Checksums-Sha256: 77353ec581c5c9676e2ac45871e6f1175730399d96a9f82b61375d222d2ac696 209429 linux_5.10.249-1.dsc 5a9bd7c084550883261646b859d1c6c04b2a07dbe9eb3a153800e7eef547f6f4 122140068 linux_5.10.249.orig.tar.xz f01ab4b1d529b1596b328c8962431d4069c3c1c83b4667b0261fd3e6cb174d4c 1777276 linux_5.10.249-1.debian.tar.xz 24f1136f6a7e4995d1ac20d4996e5f3ac35e783aa1d6fe7c8242b44f906fb766 6215 linux_5.10.249-1_source.buildinfo Files: 16ef6a1a33a6035d4ee49590331227bd 209429 kernel optional linux_5.10.249-1.dsc 02f388cd971ec7f8f010dbfe4e1cd5be 122140068 kernel optional linux_5.10.249.orig.tar.xz ac63602b8d2ab351fa52733619782fa4 1777276 kernel optional linux_5.10.249-1.debian.tar.xz 48d4f879e0c5bef97d7c0aef14abea4b 6215 kernel optional linux_5.10.249-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmmLaNsACgkQ57/I7JWG EQlYrg/+NHLLZLIpvEmLOHhWznXAPSyfja03r0t7lvkbYqY16e3PlXvAaE3+xIYV +jvYhJezSsl8lcuQYTBCvHpPw7H/eiBEhRi0BLobheX/LaiGSaZQ/ozo/P997pei IaAs/tO+LZk/iQRssqyDa92C8+Zo+YSVcGafFr1m9XFn4ucZnFOU0zNuqw1dfTwD N2r+PUcXoo0mOJ4xmcCeetFyhwZ6AZ5OLAxqGOHfaIdG6cS6nr8kEz1urh0lWTFS Q6LVxL8LWdEeG9aA74irDY08yf/l7fziWH1U2J53pT7BUwFaTZ1sEPV9P+3YeBm1 +S4rwgbkWdrRCZlpxu7f1fBzP6IPRlhC25TSPbZJM8EBjedWbtK1/UU52zxw0DZG x5ftLIqYXyGsPuZNyAYZyGq6sgdxKuoaHBB6IlZy+71aZsnc41rCo2MAR8bXuvKt 73Ql7dFEwXXS0AA3DfJePD993JM2q6aX6WgoLcpDg5v4XWzV8MBwZSonCvTPVlUo iqqFSJq4zmmW/oUY93fA+Z82VN4XhL6rrjx3+C/M3624xlFO/oR3YFgfQ1fGxYMs MxUfKz2A7VQL4PKBIoViy1MkUDc2iFCP7JtticNDR42xsnl57lWLd+lzG637+wmY cDTOO2y3CTBxYJkmtUbG7FvsoMBcM68rpDR9h+lT5EV28xPriE8= =L11B -----END PGP SIGNATURE-----
