Accepted linux-signed-amd64 6.12.88+1 (source) into stable-security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 May 2026 11:52:56 +0200
Source: linux-signed-amd64
Architecture: source
Version: 6.12.88+1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Changes:
 linux-signed-amd64 (6.12.88+1) trixie-security; urgency=high
 .
   * Sign kernel from linux 6.12.88-1
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.87
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.88
     - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
     - ipmi: Add limits to event and receive message requests
     - ipmi: Check event message buffer response for bad data
     - ipmi:si: Return state to normal if message allocation fails
     - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
     - ACPI: scan: Use acpi_dev_put() in object add error paths
     - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO
     - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
     - ACPI: video: force native backlight on HP OMEN 16 (8A44)
     - ASoC: SOF: Don't allow pointer operations on unconfigured streams
     - spi: rockchip: fix controller deregistration
     - ksmbd: rewrite stop_sessions() with restartable iteration
     - mm: convert mm_lock_seq to a proper seqcount
     - [amd64] x86: shadow stacks: proper error handling for mmap lock
       (CVE-2026-43109)
     - [amd64] x86/shstk: Prevent deadlock during shstk sigreturn
     - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
     - [amd64] iommu/amd: Use atomic64_inc_return() in iommu.c
     - [amd64] iommu/amd: serialize sequence allocation under concurrent TLB
       invalidations (CVE-2026-43220) (Closes: #1135313)
     - flow_dissector: do not dissect PPPoE PFC frames
     - net: txgbe: fix RTNL assertion warning when remove module
     - net: af_key: zero aligned sockaddr tail in PF_KEY exports (CVE-2026-43088)
     - [amd64] KVM: SVM: check validity of VMCB controls when returning from SMM
     - net/sched: sch_red: Replace direct dequeue call with peek and
       qdisc_dequeue_peeked
     - Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() (CVE-2026-31499)
     - exit: prevent preemption of oopsing TASK_DEAD task
     - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr
     - wifi: mt76: mt7925: fix incorrect length field in txpower command
     - wifi: mt76: mt7921: fix a potential clc buffer length underflow
     - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
     - wifi: b43legacy: enforce bounds check on firmware key index in RX path
     - wifi: mac80211: drop stray 'static' from fast-RX rx_result
     - wifi: rsi: fix kthread lifetime race between self-exit and external-stop
     - wifi: mac80211: use safe list iteration in radar detect work
     - wifi: ath5k: do not access array OOB (Closes: #1119093)
     - wifi: mac80211: remove station if connection prep fails
     - wifi: b43: enforce bounds check on firmware key index in b43_rx()
     - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog
       task
     - usb: usblp: fix heap leak in IEEE 1284 device ID via short response
     - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
     - ALSA: usb-audio: midi2: Restart output URBs on resume
     - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
     - ALSA: usb-audio: Fix UAC3 cluster descriptor size check
     - USB: omap_udc: DMA: Don't enable burst 4 mode
     - USB: serial: option: add Telit Cinterion LE910Cx compositions
     - usb: ulpi: fix memory leak on ulpi_register() error paths
     - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
     - ALSA: firewire-tascam: Do not drop unread control events
     - xfrm: provide message size for XFRM_MSG_MAPPING
     - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
     - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
     - xfrm: ah: account for ESN high bits in async callbacks
     - selinux: don't reserve xattr slot when we won't fill it
     - selinux: shrink critical section in sel_write_load()
     - selinux: prune /sys/fs/selinux/disable
     - Bluetooth: virtio_bt: clamp rx length before skb_put
     - Bluetooth: virtio_bt: validate rx pkt_type header length
     - Bluetooth: btmtk: validate WMT event SKB length before struct access
     - Bluetooth: hci_event: Fix OOB read and infinite loop in
       hci_le_create_big_complete_evt
     - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
     - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
     - [armhf] spi: sun4i: fix controller deregistration
     - [armhf] spi: ti-qspi: fix controller deregistration
     - spi: sun6i: fix controller deregistration
     - fanotify: fix false positive on permission events
     - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter
     - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
     - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
       rtnl_fill_vfinfo
     - sound: ua101: fix division by zero at probe
     - net: libwx: fix VF illegal register access
     - ip6_gre: Use cached t->net in ip6erspan_changelink().
     - net/rds: handle zerocopy send cleanup before the message is queued
     - net: wwan: t7xx: validate port_count against message length in
       t7xx_port_enum_msg_handler
     - hwmon: (ltc2992) Clamp threshold writes to hardware range
     - hwmon: (ltc2992) Fix u32 overflow in power read path
     - clk: rk808: fix OF node reference imbalance
     - hwmon: (corsair-psu) Close HID device on probe errors
     - af_unix: Reject SIOCATMARK on non-stream sockets
     - block: add pgmap check to biovec_phys_mergeable
     - cifs: abort open_cached_dir if we don't request leases
     - cifs: change_conf needs to be called for session setup
     - extcon: ptn5150: handle pending IRQ events during system resume
     - gpio: of: clear OF_POPULATED on hog nodes in remove path
     - hv_sock: fix ARM64 support
     - ibmveth: Disable GSO for packets with small MSS
     - ice: fix double free in ice_sf_eth_activate() error path
     - spi: microchip-core-qspi: fix controller deregistration
     - udf: reject descriptors with oversized CRC length
     - thermal: core: Free thermal zone ID later during removal
     - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
     - thermal/drivers/sprd: Fix raw temperature clamping in
       sprd_thm_rawdata_to_temp
     - spi: topcliff-pch: fix controller deregistration
     - spi: topcliff-pch: fix use-after-free on unbind
     - clk: imx: imx8-acm: fix flags for acm clocks
     - clk: microchip: mpfs-ccc: fix out of bounds access during output
       registration
     - cpuidle: powerpc: avoid double clear when breaking snooze
     - [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in
       quirk table
     - [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
     - [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
     - [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed
     - btrfs: fix double free in create_space_info() error path
     - dm-thin: fix metadata refcount underflow
     - dm: don't report warning when doing deferred remove
     - dm: fix a buffer overflow in ioctl processing
     - eventfs: Hold eventfs_mutex and SRCU when remount walks events
     - dm-verity-fec: correctly reject too-small FEC devices
     - dm-verity-fec: correctly reject too-small hash devices
     - isofs: validate Rock Ridge CE continuation extent against volume size
     - isofs: validate block number from NFS file handle in isofs_export_iget
     - [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update
     - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
     - lib/scatterlist: fix length calculations in extract_kvec_to_sg
     - lib/scatterlist: fix temp buffer in extract_user_to_sg()
     - libceph: Fix slab-out-of-bounds access in auth message processing
     - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
     - nvme-apple: drop invalid put of admin queue reference count
     - nvmet-tcp: fix race between ICReq handling and queue teardown
     - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
     - openvswitch: vport: fix self-deadlock on release of tunnel ports
     - pmdomain: core: Fix detach procedure for virtual devices in genpd
     - [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
     - [s390x] debug: Reject zero-length input in debug_input_flush_fn()
     - smb/client: fix out-of-bounds read in smb2_compound_op()
     - smb/client: fix out-of-bounds read in symlink_data()
     - smb: client: use kzalloc to zero-initialize security descriptor buffer
     - smb: client: validate dacloffset before building DACL pointers
     - [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls
     - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
     - PCI: Update saved_config_space upon resource assignment (Closes: #1131025)
     - PCI/AER: Clear only error bits in PCIe Device Status
     - PCI/AER: Stop ruling out unbound devices as error source
     - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
     - power: supply: max17042: avoid overflow when determining health
     - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
     - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
     - RDMA/mana: Validate rx_hash_key_len
     - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
     - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
     - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
     - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
     - RDMA/rxe: Reject unknown opcodes before ICRC processing
     - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
     - mptcp: fastclose msk when linger time is 0
     - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
     - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
     - mptcp: sockopt: set timestamp flags on subflow socket, not msk
     - mptcp: fix scheduling with atomic in timestamp sockopt
     - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
     - f2fs: fix fiemap boundary handling when read extent cache is incomplete
     - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
     - f2fs: fix node_cnt race between extent node destroy and writeback
     - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()
     - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong
       value
     - [arm64] KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
     - bpf: Fix use-after-free in arena_vm_close on fork
     - fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
     - fs: prepare for adding LSM blob to backing_file
     - dma-mapping: drop unneeded includes from dma-mapping.h
     - dma-mapping: add __dma_from_device_group_begin()/end()
     - hwmon: (powerz) Avoid cacheline sharing for DMA buffer
     - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
     - udf: fix partition descriptor append bookkeeping
     - mtd: spinand: winbond: Declare the QE bit on W25NxxJW
     - hfsplus: fix uninit-value by validating catalog record size
     - hfsplus: fix held lock freed on hfsplus_fill_super()
     - erofs: move {in,out}pages into struct z_erofs_decompress_req
     - erofs: tidy up z_erofs_lz4_handle_overlap()
     - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
     - gtp: disable BH before calling udp_tunnel_xmit_skb()
     - printk: add print_hex_dump_devel()
     - crypto: caam - guard HMAC key hex dumps in hash_digest_key
     - ALSA: aloop: Fix peer runtime UAF during format-change stop
     - net: stmmac: avoid shadowing global buf_sz
     - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
     - net: stmmac: Prevent NULL deref when RX memory exhausted
     - wifi: mt76: mt7925: fix incorrect TLV length in CLC command
     - tracepoint: balance regfunc() on func_add() failure in
       tracepoint_add_func()
     - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
     - [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in
       Zen2's op cache
     - ksmbd: validate inherited ACE SID length
 .
   [ Salvatore Bonaccorso ]
   * ptrace: slightly saner 'get_dumpable()' logic
Checksums-Sha1:
 3e2652133084d30ac3bbc28e83563e36b4fe8f73 10824 linux-signed-amd64_6.12.88+1.dsc
 24be664952b0917d10c078a9f8d0d951e238db82 931636 linux-signed-amd64_6.12.88+1.tar.xz
Checksums-Sha256:
 4ae314b4324e7bb519dc8a5f54c2aeca16e1a7932e1a1489368ab4c2d43cf46f 10824 linux-signed-amd64_6.12.88+1.dsc
 c2023a24e77a7eed19f7a705cda123266b267a307cd2c3b86633d04f202b678e 931636 linux-signed-amd64_6.12.88+1.tar.xz
Files:
 e545a22ea7aa2f6f0c15a40490a3997c 10824 kernel optional linux-signed-amd64_6.12.88+1.dsc
 28e7e3fe825983c623ccef4032b52eaa 931636 kernel optional linux-signed-amd64_6.12.88+1.tar.xz

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSInBJdRTWyTRy0ztFCTVFtUgONCgUCagc3qgAKCRBCTVFtUgON
Cs7iAP938nCVDLyzqB/+33ZhdIBq9BcQEChHe35XtbOp4ZbwnQEAkwVoVmm8Auwy
pcd4oZdPYy7h1lqM4wIlULFprTTlHgs=
=O3rD
-----END PGP SIGNATURE-----