[ubuntu/jammy-proposed] linux-lowlatency-hwe-6.8 6.8.0-136.136.2~22.04.1 (Accepted)

Andy Whitcroft apw at canonical.com
Sun Jul 5 21:51:07 UTC 2026


linux-lowlatency-hwe-6.8 (6.8.0-136.136.2~22.04.1) jammy; urgency=medium

  * jammy/linux-lowlatency-hwe-6.8: 6.8.0-136.136.2~22.04.1 -proposed tracker (LP: #2159040)

  * Packaging resync (LP: #1786013)
    - [Packaging] debian.lowlatency-hwe-6.8/dkms-versions -- update from
      kernel-versions (main/2026.06.22)

  * Add intel-speed-select  to linux-tools-$(uname -r) (LP: #2131077)
    - [Packaging] debian.lowlatency-hwe-6.8/control.stub.in -- sync from
      master 2026.06.22

  [ Ubuntu-lowlatency: 6.8.0-136.136.2 ]

  * noble/linux-lowlatency: 6.8.0-136.136.2 -proposed tracker (LP: #2159013)
  * Packaging resync (LP: #1786013)
    - [Packaging] debian.lowlatency/dkms-versions -- update from kernel-
      versions (main/2026.06.22)
  * Add intel-speed-select  to linux-tools-$(uname -r) (LP: #2131077)
    - [Packaging] debian.lowlatency/control.stub.in -- sync from master
      2026.06.22
  [ Ubuntu: 6.8.0-136.136 ]
  * noble/linux: 6.8.0-136.136 -proposed tracker (LP: #2158930)
  * ext4: writeback causes kernel oops when low on space (LP: #2158377)
    - ext4: get rid of ppath in get_ext_path()
  * mount08 from ubuntu_ltp_syscalls failed - TFAIL: mount(/proc/139835/fd/4)
    succeeded (LP: #2137199)
    - proc: proc_readfd() -> proc_fd_iterate()
    - proc: proc_readfdinfo() -> proc_fdinfo_iterate()
    - proc: add proc_splice_unmountable()
    - proc: block mounting on top of /proc/<pid>/map_files/*
    - proc: block mounting on top of /proc/<pid>/fd/*
    - proc: block mounting on top of /proc/<pid>/fdinfo/*
  * Add intel-speed-select  to linux-tools-$(uname -r) (LP: #2131077)
    - [Packaging] Add intel-speed-select to linux-tools
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956)
    - blk-cgroup: wait for blkcg cleanup before initializing new disk
    - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
    - drbd: Balance RCU calls in drbd_adm_dump_devices()
    - loop: fix partition scan race between udev and loop_reread_partitions()
    - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
    - blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()
    - pstore/ram: fix resource leak when ioremap() fails
    - ACPI: x86: cmos_rtc: Clean up address space handler driver
    - ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver
    - devres: fix missing node debug info in devm_krealloc()
    - thermal/drivers/spear: Fix error condition for reading st,thermal-flags
    - debugfs: check for NULL pointer in debugfs_create_str()
    - debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()
    - s390/cio: convert sprintf()/snprintf() to sysfs_emit()
    - s390/cio: use generic driver_override infrastructure
    - irqchip/irq-pic32-evic: Address warning related to wrong printf()
      formatter
    - hrtimers: Update the return type of enqueue_hrtimer()
    - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
    - hrtimer: Reduce trace noise in hrtimer_start()
    - locking: Fix rwlock support in <linux/spinlock_up.h>
    - firmware: dmi: Correct an indexing error in dmi.h
    - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
    - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished
      irq_prepare_bcn_tasklet
    - bpf: Add CHECKSUM_COMPLETE to bpf test progs
    - bpf: test_run: Fix the null pointer dereference issue in
      bpf_lwt_xmit_push_encap
    - dpaa2: add independent dependencies for FSL_DPAA2_SWITCH
    - [Config] Adjust CONFIG_FSL_DPAA2_SWITCH
    - dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n
    - s390/bpf: Zero-extend bpf prog return values and kfunc arguments
    - params: Replace __modinit with __init_or_module
    - module: Fix freeing of charp module parameters when CONFIG_SYSFS=n
    - wifi: mt76: mt7921: Reset ampdu_state state in case of failure in
      mt76_connac2_tx_check_aggr()
    - wifi: mt76: mt7615: fix use_cts_prot support
    - wifi: mt76: mt7915: fix use_cts_prot support
    - wifi: mt76: mt7996: fix FCS error flag check in RX descriptor
    - arm64: cpufeature: Make PMUVer and PerfMon unsigned
    - wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event
    - wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
    - bpf, devmap: Remove unnecessary if check in for loop
    - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
    - wifi: rtw89: phy: fix uninitialized variable access in
      rtw89_phy_cfo_set_crystal_cap()
    - r8152: fix incorrect register write to USB_UPHY_XTAL
    - powerpc/crash: fix backup region offset update to elfcorehdr
    - selftests/powerpc: Re-order *FLAGS to follow lib.mk
    - selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
    - macvlan: annotate data-races around port->bc_queue_len_used
    - bpf: Fix stale offload->prog pointer after constant blinding
    - wifi: brcmfmac: Fix error pointer dereference
    - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable
      hooks
    - ACPI: AGDI: fix missing newline in error message
    - arm64: kexec: Remove duplicate allocation for trans_pgd
    - net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
    - net: bcmgenet: add bcmgenet_has_* helpers
    - net: bcmgenet: move DESC_INDEX flow to ring 0
    - net: bcmgenet: support reclaiming unsent Tx packets
    - net: bcmgenet: switch to use 64bit statistics
    - net: bcmgenet: fix racing timeout handler
    - netfilter: xt_socket: enable defrag after all other checks
    - netfilter: nft_fwd_netdev: check ttl/hl before forwarding
    - bpf: Fix RCU stall in bpf_fd_array_map_clear()
    - 6pack: propagage new tty types
    - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
    - net/rds: Optimize rds_ib_laddr_check
    - net/rds: Restrict use of RDS/IB to the initial network namespace
    - bpf: Fix OOB in pcpu_init_value
    - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
    - net: ipa: Fix programming of QTIME_TIMESTAMP_CFG
    - net: ipa: Fix decoding EV_PER_EE for IPA v5.0+
    - dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110
    - net/mlx5e: Fix features not applied during netdev registration
    - net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()
    - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
    - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds
      MTU
    - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error
    - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
    - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
    - net: phy: move at803x PHY driver to dedicated directory
    - net: phy: qcom: at803x: Use the correct bit to disable extended next
      page
    - sctp: fix missing encap_port propagation for GSO fragments
    - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
    - drm/komeda: fix integer overflow in AFBC framebuffer size check
    - drm/sun4i: backend: fix error pointer dereference
    - ASoC: sti: Return errors from regmap_field_alloc()
    - ASoC: sti: use managed regmap_field allocations
    - dm cache: fix null-deref with concurrent writes in passthrough mode
    - dm cache: fix write path cache coherency in passthrough mode
    - dm cache: fix write hang in passthrough mode
    - dm cache policy smq: fix missing locks in invalidating cache blocks
    - dm cache: fix concurrent write failure in passthrough mode
    - dm cache: support shrinking the origin device
    - dm cache: fix dirty mapping checking in passthrough mode switching
    - platform/chrome: chromeos_tbmc: Drop wakeup source on remove
    - dm cache metadata: fix memory leak on metadata abort retry
    - dm log: fix out-of-bounds write due to region_count overflow
    - drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier
      in atomic_enable()
    - drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to
      drm_bridge_funcs
    - drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge
      atomic check
    - spi: fsl-qspi: Use reinit_completion() for repeated operations
    - drm/sun4i: Fix resource leaks
    - drm/amdgpu: Add default case in DVI mode validation
    - dm init: ensure device probing has finished in dm-mod.waitfor=
    - fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build
      break
    - crypto: atmel - Use unregister_{aeads,ahashes,skciphers}
    - crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs
    - padata: Remove cpu online check from cpu add and removal
    - padata: Put CPU offline callback in ONLINE section to allow failure
    - drm/amdgpu/gfx10: look at the right prop for gfx queue priority
    - spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo
    - drm/msm/dpu: fix mismatch between power and frequency
    - drm/msm/dsi: add the missing parameter description
    - drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
    - drm/panel: sharp-ls043t1le01: make use of prepare_prev_first
    - drm/panel: simple: Correct G190EAN01 prepare timing
    - ALSA: core: Validate compress device numbers without dynamic minors
    - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
    - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
    - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
    - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
    - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
    - drm/amd/pm/ci: Fill DW8 fields from SMC
    - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
    - ALSA: hda/realtek: fix code style (ERROR: else should follow close brace
      '}')
    - ASoC: SOF: Intel: hda: Place check before dereference
    - drm/msm/a6xx: Fix HLSQ register dumping
    - drm/msm/shrinker: Fix can_block() logic
    - drm/msm/a6xx: Use barriers while updating HFI Q headers
    - pmdomain: ti: omap_prm: Fix a reference leak on device node
    - pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()
    - ASoC: fsl_micfil: Add access property for "VAD Detected"
    - ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()
    - ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()
    - ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()
    - ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()
    - ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()
    - ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()
    - ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()
    - ASoC: fsl_easrc: Change the type for iec958 channel status controls
    - ASoC: qcom: qdsp6: topology: check widget type before accessing data
    - crypto: qat - use swab32 macro
    - ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]
    - PCI: Enable AtomicOps only if Root Port supports them
    - PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found
    - selftests/mm: skip migration tests if NUMA is unavailable
    - Documentation: fix a hugetlbfs reservation statement
    - selftest: memcg: skip memcg_sock test if address family not supported
    - ALSA: scarlett2: Add missing sentinel initializer field
    - ASoC: SOF: compress: return the configured codec from get_params
    - PCI: tegra194: Fix polling delay for L2 state
    - PCI: tegra194: Increase LTSSM poll time on surprise link down
    - PCI: tegra194: Disable LTSSM after transition to Detect on surprise link
      down
    - PCI: tegra194: Rename 'root_bus' to 'root_port_bus' in
      tegra_pcie_downstream_dev_to_D0()
    - PCI: tegra194: Don't force the device into the D0 state before L2
    - PCI: tegra194: Disable PERST# IRQ only in Endpoint mode
    - PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-
      select"
    - PCI: tegra194: Disable direct speed change for Endpoint mode
    - PCI: tegra194: Allow system suspend when the Endpoint link is not up
    - PCI: tegra194: Use DWC IP core version
    - PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well
    - spi: mtk-snfi: unregister ECC engine on probe failure and remove()
      callback
    - ALSA: sc6000: Use standard print API
    - ALSA: sc6000: Keep the programmed board state in card-private data
    - dm cache: fix missing return in invalidate_committed's error path
    - crypto: jitterentropy - replace long-held spinlock with mutex
    - gfs2: Call unlock_new_inode before d_instantiate
    - ktest: Avoid undef warning when WARNINGS_FILE is unset
    - ktest: Honor empty per-test option overrides
    - ktest: Run POST_KTEST hooks on failure and cancellation
    - quota: Fix race of dquot_scan_active() with quota deactivation
    - gfs2: add some missing log locking
    - gfs2: prevent NULL pointer dereference during unmount
    - efi/capsule-loader: fix incorrect sizeof in phys array reallocation
    - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
    - ARM: dts: mediatek: mt7623: fix efuse fallback compatible
    - memory: tegra124-emc: Fix dll_change check
    - memory: tegra30-emc: Fix dll_change check
    - arm64: dts: imx8-apalis: Fix LEDs name collision
    - arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO
      (M.2 W_DISABLE1)
    - iommufd: vfio compatibility extension check for noiommu mode
    - arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count
    - arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count
    - arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value
    - arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight
    - soc: qcom: ocmem: make the core clock optional
    - soc: qcom: ocmem: use scoped device node handling to simplify error
      paths
    - soc: qcom: ocmem: register reasons for probe deferrals
    - soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available
    - arm64: dts: qcom: sm8450: Fix GIC_ITS range length
    - arm64: dts: qcom: sm8550: Fix GIC_ITS range length
    - arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host
      controller
    - arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
    - arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes
    - arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl
    - arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered
      during boot
    - arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual
    - soc/tegra: cbb: Set ERD on resume for err interrupt
    - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()
      failure
    - ocfs2/dlm: validate qr_numregions in dlm_match_regions()
    - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
    - soc: qcom: llcc: fix v1 SB syndrome register offset
    - soc: qcom: aoss: compare against normalized cooling state
    - arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
    - ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX
    - arm64/xor: fix conflicting attributes for xor_block_template
    - ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended
    - ocfs2: fix listxattr handling when the buffer is full
    - ocfs2: validate bg_bits during freefrag scan
    - ocfs2: validate group add input before caching
    - dmaengine: dw-axi-dmac: Remove unnecessary return statement from void
      function
    - soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
    - dmaengine: mxs-dma: Fix missing return value from
      of_dma_controller_register()
    - soundwire: cadence: Clear message complete before signaling waiting
      thread
    - tracing: Rebuild full_name on each hist_field_name() call
    - ima: check return value of crypto_shash_final() in boot aggregate
    - HID: asus: make asus_resume adhere to linux kernel coding standards
    - HID: asus: do not abort probe when not necessary
    - mtd: physmap_of_gemini: Fix disabled pinctrl state check
    - dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range
    - mtd: spi-nor: core: correct the op.dummy.nbytes when check read
      operations
    - mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
    - mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
    - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
    - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
    - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
    - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
    - mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
    - HID: usbhid: fix deadlock in hid_post_reset()
    - bpf, arm64: Fix off-by-one in check_imm signed range check
    - bpf, sockmap: Fix af_unix iter deadlock
    - bpf, sockmap: Fix af_unix null-ptr-deref in proto update
    - bpf, sockmap: Take state lock for af_unix iter
    - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
    - bpf: Fix NULL deref in map_kptr_match_type for scalar regs
    - bpf: allow UTF-8 literals in bpf_bprintf_prepare()
    - bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
    - pinctrl: pinctrl-pic32: Fix resource leak
    - pinctrl: cy8c95x0: remove duplicate error message
    - pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()
    - pinctrl: cy8c95x0: Avoid returning positive values to user space
    - perf branch: Avoid incrementing NULL
    - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE
      trace
    - pinctrl: abx500: Fix type of 'argument' variable
    - perf lock: Fix option value type in parse_max_stack
    - perf expr: Return -EINVAL for syntax error in expr__find_ids()
    - ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure
    - ipmi: ssif_bmc: fix message desynchronization after truncated response
    - ipmi: ssif_bmc: change log level to dbg in irq callback
    - perf util: Kill die() prototype, dead for a long time
    - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
    - dev_printk: add new dev_err_probe() helpers
    - backlight: sky81452-backlight: Check return value of
      devm_gpiod_get_optional() in sky81452_bl_parse_dt()
    - platform/surface: surfacepro3_button: Drop wakeup source on remove
    - leds: lgm-sso: Remove duplicate assignments for priv->mmap
    - tty: hvc_iucv: fix off-by-one in number of supported devices
    - platform/x86: panasonic-laptop: Fix OPTD notifier registration and
      cleanup
    - mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
    - nfs/blocklayout: Fix compilation error (`make W=1`) in
      bl_write_pagelist()
    - fs/ntfs3: terminate the cached volume label after UTF-8 conversion
    - platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
    - platform/x86: dell-wmi-sysman: bound enumeration string aggregation
    - RDMA/core: Prefer NLA_NUL_STRING
    - clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source
    - scsi: sg: Make sg_sysfs_class constant
    - scsi: sg: Fix sysctl sg-big-buff register during sg_init()
    - scsi: sg: Resolve soft lockup issue when opening /dev/sgX
    - clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from
      byte_div_clk_src dividers
    - scsi: target: core: Fix integer overflow in UNMAP bounds check
    - dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs
    - clk: qcom: gcc-sc8180x: Add missing GDSCs
    - clk: qcom: gcc-sc8180x: Use retention for USB power domains
    - clk: qcom: gcc-sc8180x: Use retention for PCIe power domains
    - clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk
    - clk: qcom: dispcc-sm8250: Enable parents for pixel clocks
    - clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
    - clk: imx: imx6q: Fix device node reference leak in
      of_assigned_ldb_sels()
    - clk: imx8mq: Correct the CSI PHY sels
    - clk: qoriq: avoid format string warning
    - clk: xgene: Fix mapping leak in xgene_pllclk_init()
    - dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets
    - clk: qcom: dispcc-sc7180: Add missing MDSS resets
    - lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()
    - clk: visconti: pll: initialize clk_init_data to zero
    - f2fs: Use sysfs_emit_at() to simplify code
    - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
    - drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update()
    - drm/i915: Loop over all active pipes in intel_mbus_dbox_update
    - drm/i915/wm: Verify the correct plane DDB entry
    - crypto: sa2ul - Fix AEAD fallback algorithm names
    - crypto: ccp - copy IV using skcipher ivsize
    - arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT
    - arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT
    - arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
    - arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
    - arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for
      PMIC_nINT
    - PCMCIA: Fix garbled log messages for KERN_CONT
    - arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT
    - arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
    - arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
    - macvlan: fix macvlan_get_size() not reserving space for
      IFLA_MACVLAN_BC_CUTOFF
    - net/sched: sch_cake: fix NAT destination port not being updated in
      cake_update_flowkeys
    - nexthop: fix IPv6 route referencing IPv4 nexthop
    - net/sched: taprio: fix use-after-free in advance_sched() on schedule
      switch
    - tcp: add data-race annotations around tp->data_segs_out and
      tp->total_retrans
    - tcp: annotate data-races around tp->bytes_sent
    - tcp: annotate data-races around tp->bytes_retrans
    - tcp: annotate data-races around tp->dsack_dups
    - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
    - tcp: annotate data-races around tp->plb_rehash
    - i40e: don't advertise IFF_SUPP_NOFCS
    - e1000e: Unroll PTP in probe error handling
    - ipv6: fix possible UAF in icmpv6_rcv()
    - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
    - pppoe: drop PFC frames
    - netfilter: nft_osf: restrict it to ipv4
    - netfilter: conntrack: remove sprintf usage
    - netfilter: xtables: restrict several matches to inet family
    - ipvs: fix MTU check for GSO packets in tunnel mode
    - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
    - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
    - arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number
    - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
    - ksmbd: Use struct_size() to improve smb_direct_rdma_xmit()
    - ksmbd: add support for supplementary groups
    - ksmbd: destroy async_ida in ksmbd_conn_free()
    - ksmbd: scope conn->binding slowpath to bound sessions only
    - net/rds: zero per-item info buffer before handing it to visitors
    - net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
    - net/sched: sch_pie: annotate data-races in pie_dump_stats()
    - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
    - net/sched: sch_red: annotate data-races in red_dump_stats()
    - net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
    - net: dsa: realtek: rtl8365mb: fix mode mask calculation
    - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
    - tipc: fix double-free in tipc_buf_append()
    - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
    - fs/adfs: validate nzones in adfs_validate_bblk()
    - rtc: abx80x: Disable alarm feature if no interrupt attached
    - fbdev: offb: fix PCI device reference leak on probe failure
    - mailbox: mailbox-test: free channels on probe error
    - cgroup/rdma: fix integer overflow in rdmacg_try_charge()
    - mailbox: add sanity check for channel array
    - mailbox: mailbox-test: don't free the reused channel
    - mailbox: mailbox-test: initialize struct earlier
    - mailbox: mailbox-test: make data_ready a per-instance variable
    - btrfs: fix double-decrement of bytes_may_use in
      submit_one_async_extent()
    - tracing: branch: Fix inverted check on stat tracer registration
    - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
    - nvme-pci: fix missed admin queue sq doorbell write
    - drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG
    - drm/amdgpu: fix spelling typos
    - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
    - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
    - netfilter: xt_policy: fix strict mode inbound policy matching
    - netfilter: nf_conntrack_sip: don't use simple_strtoul
    - spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
    - drm/sysfb: ofdrm: fix PCI device reference leaks
    - cdrom, scsi: sr: propagate read-only status to block layer via
      set_disk_ro()
    - netdevsim: zero initialize struct iphdr in dummy sk_buff
    - net/sched: netem: fix probability gaps in 4-state loss model
    - net/sched: netem: fix queue limit check to include reordered packets
    - net/sched: netem: only reseed PRNG when seed is explicitly provided
    - net/sched: netem: validate slot configuration
    - net/sched: netem: fix slot delay calculation overflow
    - net/sched: netem: check for negative latency and jitter
    - net/sched: sch_choke: annotate data-races in choke_dump_stats()
    - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
    - vrf: Fix a potential NPD when removing a port from a VRF
    - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
    - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
    - NFC: trf7970a: Ignore antenna noise when checking for RF field
    - neighbour: add RCU protection to neigh_tables[]
    - neigh: let neigh_xmit take skb ownership
    - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
    - net: mctp i2c: check length before marking flow active
    - net: phy: dp83869: fix setting CLK_O_SEL field.
    - drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings
    - drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings
    - drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings
    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring
    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring
    - drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring
    - drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring
    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring
    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring
    - ASoC: codecs: ab8500: Fix casting of private data
    - netfilter: skip recording stale or retransmitted INIT
    - sctp: discard stale INIT after handshake completion
    - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
    - net: netconsole: move newline trimming to function
    - netconsole: propagate device name truncation in dev_name_store()
    - ALSA: hda/conexant: fix some typos
    - ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87
    - ALSA: hda/conexant: Fix missing error check for jack detection
    - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
    - drm/amd/display: Allow DCE link encoder without AUX registers
    - drm/amd/display: Read EDID from VBIOS embedded panel info
    - bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner
    - net: bonding: add broadcast_neighbor option for 802.3ad
    - bonding: add support for per-port LACP actor priority
    - bonding: print churn state via netlink
    - bonding: 3ad: implement proper RCU rules for port->aggregator
    - iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
    - iavf: stop removing VLAN filters from PF on interface down
    - iavf: wait for PF confirmation before removing VLAN filters
    - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
    - ice: fix NULL pointer dereference in ice_reset_all_vfs()
    - net: tls: fix strparser anchor skb leak on offload RX setup failure
    - sfc: fix error code in efx_devlink_info_running_versions()
    - net/sched: cls_flower: revert unintended changes
    - smb: client: correctly handle ErrorContextData as a flexible array
    - net: bcmgenet: Initialize u64 stats seq counter
    - net: bcmgenet: fix leaking free_bds
    - net/sched: sch_pie: annotate more data-races in pie_dump_stats()
    - netconsole: avoid out-of-bounds access on empty string in trim_newline()
    - bonding: fix NULL pointer dereference in actor_port_prio setting
    - crypto: af_alg - Cap AEAD AD length to 0x80000000
    - i40e: Cleanup PTP pins on probe failure
    - workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
    - netfilter: nf_conntrack_sip: get helper before allocating expectation
    - audit: fix incorrect inheritable capability in CAPSET records
    - netfilter: nft_ct: fix missing expect put in obj eval
    - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
    - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
    - KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
    - KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer
      arithmetic
    - KVM: x86: Fix Xen hypercall tracepoint argument assignment
    - ASoC: SOF: Intel: hda-dai: remove dspless special case
    - ASoC: SOF: Intel: hda-dai: add support for dspless mode beyond HDAudio
    - smb/client: fix possible infinite loop and oob read in symlink_data()
    - drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
    - ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
    - ALSA: usb-audio: Bound MIDI endpoint descriptor scans
    - ceph: fix a buffer leak in __ceph_setxattr()
    - powerpc/warp: Fix error handling in pika_dtm_thread
    - netfs: fix error handling in netfs_extract_user_iter()
    - libceph: Fix potential out-of-bounds access in osdmap_decode()
    - libceph: Fix potential null-ptr-deref in decode_choose_args()
    - libceph: Fix potential out-of-bounds access in crush_decode()
    - libceph: handle rbtree insertion error in decode_choose_args()
    - iommu/vt-d: Disable DMAR for Intel Q35 IGFX
    - drm/i915: skip __i915_request_skip() for already signaled requests
    - drm/panfrost: Fix wait_bo ioctl leaking positive return from
      dma_resv_wait_timeout()
    - drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
    - drm/gma500/oaktrail_lvds: fix hang on init failure
    - drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
    - eventfs: Use list_add_tail_rcu() for SRCU-protected children list
    - smb: client: Use FullSessionKey for AES-256 encryption key derivation
    - btrfs: use inode already stored in local variable at btrfs_rmdir()
    - btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of
      BTRFS_I()
    - mptcp: drop __mptcp_fastopen_gen_msk_ackseq()
    - mptcp: fix rx timestamp corruption on fastopen
    - mptcp: pm: prio: skip closed subflows
    - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
    - f2fs: fix incorrect file address mapping when inline inode is unwritten
    - f2fs: fix false alarm of lockdep on cp_global_sem lock
    - spi: sifive: Simplify clock handling with devm_clk_get_enabled()
    - spi: sifive: fix controller deregistration
    - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
    - netfs: Fix potential uninitialised var in netfs_extract_user_iter()
    - io_uring/kbuf: use mem_is_zero()
    - md/raid1: fix the comparing region of interval tree
    - md: wake raid456 reshape waiters before suspend
    - btrfs: pass struct btrfs_inode to clone_copy_inline_extent()
    - btrfs: fix deadlock between reflink and transaction commit when using
      flushoncommit
    - bus: fsl-mc: use generic driver_override infrastructure
    - sparc/vdso: Always reject undefined references during linking
    - sparc64: vdso: Link with -z noexecstack
    - wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
    - wifi: mt76: mt7921: fix 6GHz regulatory update on connection
    - bpf: Fix variable length stack write over spilled pointers
    - wifi: ath10k: fix station lookup failure during disconnect
    - bpf: fix mm lifecycle in open-coded task_vma iterator
    - bpf: switch task_vma iterator from mmap_lock to per-VMA locks
    - bpf: return VMA snapshot from task_vma iterator
    - Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to
      sco_pi(sk)->codec
    - ipv4: udp: fix typos in comments
    - ipv6: udp: fix typos in comments
    - udp: Force compute_score to always inline
    - PCI: endpoint: Align pci_epc_set_msix(), pci_epc_ops::set_msix() nr_irqs
      encoding
    - PCI: dwc: ep: Fix MSI-X Table Size configuration in
      dw_pcie_ep_set_msix()
    - PCI: dwc: Invoke post_init in dw_pcie_resume_noirq()
    - PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()
    - spi: spi-nxp-fspi: remove the goto in probe
    - spi: spi-nxp-fspi: enable runtime pm for fspi
    - spi: nxp-fspi: Use reinit_completion() for repeated operations
    - drm/v3d: Handle error from drm_sched_entity_init()
    - PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the
      documentation
    - drm/imagination: Switch reset_reason fields from enum to u32
    - drm/msm/dsi: fix bits_per_pclk
    - drm/msm/dsi: fix hdisplay calculation for CMD mode panel
    - PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion
      support
    - drm/msm/a6xx: Fix dumping A650+ debugbus blocks
    - crypto: qat - introduce fuse array
    - crypto: qat - disable 4xxx AE cluster when lead engine is fused off
    - crypto: qat - disable 420xx AE cluster when lead engine is fused off
    - crypto: qat - fix type mismatch in RAS sysfs show functions
    - PCI: tegra194: Set LTR message request before PCIe link up in Endpoint
      mode
    - PCI: tegra194: Free up Endpoint resources during remove()
    - arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon
    - arm64: dts: qcom: sm8650: Fix GIC_ITS range length
    - arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller
    - arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes
    - arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins
    - arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins
    - arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label
    - hte: tegra194: remove Kconfig dependency on Tegra194 SoC
    - [Config] Adjust CONFIG_HTE_TEGRA194
    - cxl/pci: Check memdev driver binding status in cxl_reset_done()
    - ext4: fix possible null-ptr-deref in mbt_kunit_exit()
    - pinctrl: realtek: Fix function signature for config argument
    - perf maps: Fix copy_from that can break sorted by name order
    - platform/x86: asus-wmi: adjust screenpad power/brightness handling
    - platform/x86: asus-wmi: fix screenpad brightness range
    - tty: serial: ip22zilog: Fix section mispatch warning
    - clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON
    - erofs: unify lcn as u64 for 32-bit platforms
    - net/sched: act_mirred: fix wrong device for mac_header_xmit check in
      tcf_blockcast_redir
    - tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE
    - ice: fix ICE_AQ_LINK_SPEED_M for 200G
    - net/mlx5: Fix HCA caps leak on notifier init failure
    - pwm: atmel-tcb: Cache clock rates and mark chip as atomic
    - mailbox: mtk-cmdq: Fix CURR and END addr for task insert case
    - fsnotify: fix inode reference leak in fsnotify_recalc_mask()
    - drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM
    - ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED
    - tcp: make probe0 timer handle expired user timeout
    - drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring
    - drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring
    - ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()
    - drm/xe/debugfs: Correct printing of register whitelist ranges
    - drm/xe/gsc: Fix BO leak on error in query_compatibility_version()
    - PCI: Initialize temporary device in new_id_store()
    - ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands
    - drm/loongson: Use managed KMS polling
    - ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size
    - drm/xe/dma-buf: handle empty bo and UAF races
    - btrfs: do not mark inode incompressible after inline attempt fails
    - tracing: Avoid NULL return from hist_field_name() on truncation
    - Upstream stable to v6.6.141, v6.12.91
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-46117
    - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-46137
    - mptcp: pm: ADD_ADDR rtx: fix potential data-race
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-46160
    - btrfs: fix missing last_unlink_trans update when removing a directory
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-46314
    - drm/v3d: Reject empty multisync extension to prevent infinite loop
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-46274
    - io-wq: check that the predecessor is hashed in io_wq_remove_pending()
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-31707
    - ksmbd: validate response sizes in ipc_validate_msg()
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-46068
    - crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-31613
    - smb: client: fix OOB reads parsing symlink error response
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-43245
    - ntfs: ->d_compare() must not block
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-45846
    - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-45845
    - net/sched: taprio: fix NULL pointer dereference in class dump
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-45844
    - netfilter: arp_tables: fix IEEE1394 ARP payload parsing
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-45843
    - slip: bound decode() reads against the compressed packet length
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-45842
    - slip: reject VJ receive packets on instances with no rstate array
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-45841
    - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-45840
    - openvswitch: cap upcall PID array size and pre-size vport replies
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-46319
    - net/sched: act_ct: Only release RCU read lock after ct_ft
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-45839
    - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
  * Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
    CVE-2026-45838
    - bpf: fix end-of-list detection in cgroup_storage_get_next_key()
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619)
    - regset: use kvzalloc() for regset_get_alloc()
    - selftests/bpf: validate fake register spill/fill precision backtracking
      logic
    - exit: Sleep at TASK_IDLE when waiting for application core dump
    - media: uvcvideo: Enable VB2_DMABUF for metadata stream
    - media: i2c: ov8856: free control handler on error in
      ov8856_init_controls()
    - spi: bcm63xx: fix controller deregistration
    - spi: atmel: fix controller deregistration
    - regulator: mt6357: fix OF node reference imbalance
    - regulator: max77650: fix OF node reference imbalance
    - media: rc: streamzap: Error handling in probe
    - regulator: rk808: fix OF node reference imbalance
    - regulator: act8945a: fix OF node reference imbalance
    - regulator: bd9571mwv: fix OF node reference imbalance
    - spi: lantiq-ssc: fix controller deregistration
    - spi: qup: fix controller deregistration
    - spi: at91-usart: fix controller deregistration
    - platform/x86: hp-wmi: Ignore backlight and FnLock events
    - media: pci: zoran: fix potential memory leak in zoran_probe()
    - media: dib8000: avoid division by 0 in dib8000_set_dds()
    - media: i2c: imx412: Assert reset GPIO during probe
    - media: staging: imx: request mbus_config in csi_start
    - media: i2c: ov08d10: fix image vertical start setting
    - media: omap3isp: drop the use count of v4l2 pipeline
    - spi: dln2: fix controller deregistration
    - spi: s3c64xx: fix controller deregistration
    - spi: fsl-espi: fix controller deregistration
    - spi: omap2-mcspi: fix controller deregistration
    - spi: mtk-nor: fix controller deregistration
    - spi: sh-hspi: fix controller deregistration
    - spi: bcmbca-hsspi: fix controller deregistration
    - spi: coldfire-qspi: fix controller deregistration
    - spi: sprd: fix controller deregistration
    - spi: img-spfi: fix controller deregistration
    - spi: imx: fix runtime pm leak on probe deferral
    - spi: orion: fix runtime pm leak on unbind
    - spi: orion: fix clock imbalance on registration failure
    - spi: cadence: fix controller deregistration
    - spi: cadence: fix unclocked access on unbind
    - drm/amdkfd: Add upper bound check for num_of_nodes
    - drm/amdgpu/vce: Prevent partial address patches
    - drm/radeon: add missing revision check for CI
    - drm/amdgpu: zero-initialize GART table on allocation
    - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
    - drm/amdgpu/pm: add missing revision check for CI
    - drm/amdgpu/pm: align Hawaii mclk workaround with radeon
    - ipmi:ssif: Fix a shutdown race
    - ALSA: hda: cs35l56: Propagate ASP TX source control errors
    - ALSA: misc: Use guard() for spin locks
    - ALSA: core: Serialize deferred fasync state checks
    - ALSA: seq: Notify client and port info changes
    - ALSA: seq: Fix UMP group 16 filtering
    - spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled()
    - spi: zynq-qspi: fix controller deregistration
    - spi: tegra114: fix controller deregistration
    - spi: tegra20-sflash: fix controller deregistration
    - spi: uniphier: Simplify clock handling with devm_clk_get_enabled()
    - spi: uniphier: fix controller deregistration
    - mm/hugetlb_cma: round up per_node before logging it
    - mm/damon/core: disallow time-quota setting zero esz
    - mm/damon/core: implement damon_kdamond_pid()
    - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values
    - usb: typec: tcpm: reset internal port states on soft reset AMS
    - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values
    - mtd: spi-nor: sst: Factor out common write operation to
      `sst_nor_write_data()`
    - pwm: imx-tpm: Count the number of enabled channels in probe
    - batman-adv: tp_meter: fix tp_num leak on kmalloc failure
    - tracing/probes: Limit size of event probe to 3K
    - usb: dwc3: Move GUID programming after PHY initialization
    - vsock/virtio: fix length and offset in tap skb for split packets
    - drm/amdgpu/vcn3: Avoid overflow on msg bound check
    - drm/amdgpu/vcn4: Avoid overflow on msg bound check
    - mtd: spi-nor: sst: Fix SST write failure
    - media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0
    - media: chips-media: wave5: fix a potential memory leak in
      wave5_vdi_init()
    - media: chips-media: wave5: add missing spinlock protection for
      send_eos_event()
    - media: chips-media: wave5: add missing spinlock protection for
      handle_dynamic_resolution_change()
    - spi: st-ssc4: fix controller deregistration
    - spi: meson-spicc: fix controller deregistration
    - spi: aspeed-smc: fix controller deregistration
    - vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to
      copy
    - spi: mxs: fix controller deregistration
    - spi: pic32: fix controller deregistration
    - spi: pl022: fix controller deregistration
    - spi: npcm-pspi: fix controller deregistration
    - spi: pic32-sqi: fix controller deregistration
    - spi: mxic: fix controller deregistration
    - spi: orion: fix controller deregistration
    - drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.
    - drm/amdgpu: gate VM CPU HDP flush on reset lock
    - drm/amd/display: Change dither policy for 10 bpc output back to
      dithering
    - drm/xe/bo: Fix bo leak on unaligned size validation in
      xe_bo_init_locked()
    - drm/exynos: remove bridge when component_add fails
    - drm/amdkfd: Make all TLB-flushes heavy-weight
    - btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
    - Upstream stable to v6.6.140, v6.12.89, v6.12.90
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46207
    - vsock/virtio: fix empty payload in tap skb for non-linear buffers
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46164
    - btrfs: fix double free in create_space_info_sub_group() error path
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46201
    - drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46211
    - drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46200
    - spi: mpc52xx: fix controller deregistration
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46241
    - spi: mpc52xx: fix use-after-free on registration failure
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46214
    - vsock/virtio: fix accept queue count leak on transport mismatch
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46234
    - vsock: fix buffer size clamping order
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46159
    - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
      info-leak
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46208
    - batman-adv: stop tp_meter sessions during mesh teardown
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-23171
    - bonding: fix use-after-free due to enslave fail after slave array update
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-45836
    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46191
    - fbcon: Avoid OOB font access if console rotation fails
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46111
    - Bluetooth: hci_conn: fix potential UAF in create_big_sync
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-45999
    - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46044
    - ipmi:ssif: Clean up kthread on errors
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46231
    - batman-adv: bla: put backbone reference on failed claim hash insert
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46233
    - batman-adv: bla: only purge non-released claims
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46212
    - batman-adv: bla: prevent use-after-free when deleting claims
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46238
    - batman-adv: stop caching unowned originator pointers in BAT IV
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46206
    - batman-adv: reject new tp_meter sessions during teardown
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46198
    - batman-adv: fix integer overflow on buff_pos
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46227
    - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in
      SCTP_SENDALL
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46220
    - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46197
    - drm/amdkfd: validate SVM ioctl nattr against buffer size
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46209
    - drm/gem: Fix inconsistent plane dimension calculation in
      drm_gem_fb_init_with_funcs()
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46230
    - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46199
    - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46204
    - drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46218
    - drm/amdgpu: Add bounds checking to ib_{get,set}_value
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46229
    - drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46219
    - spi: mpc52xx: fix use-after-free on unbind
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46225
    - spi: rspi: fix controller deregistration
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46226
    - spi: fsl: fix controller deregistration
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46235
    - media: saa7164: add ioremap return checks and cleanups
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46312
    - media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46236
    - media: rc: xbox_remote: heed DMA restrictions
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46205
    - staging: media: atomisp: Disallow all private IOCTLs
  * Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
    CVE-2026-46232
    - HID: playstation: Clamp num_touch_reports
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549)
    - xen/privcmd: fix double free via VMA splitting
    - Buffer overflow in drivers/xen/sys-hypervisor.c
    - ALSA: usb-audio: Avoid false E-MU sample-rate notifications
    - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
    - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
    - usb: chipidea: otg: not wait vbus drop if use role_switch
    - usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS
      change
    - ALSA: usb-audio: Evaluate packsize caps at the right place
    - driver core: Don't let a device probe until it's ready
    - firmware: google: framebuffer: Do not mark framebuffer as busy
    - arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
    - drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array
    - device property: Make modifications of fwnode "flags" thread safe
    - um: drivers: call kernel_strrchr() explicitly in cow_user.c
    - Revert "ALSA: usb: Increase volume range that triggers a warning"
    - PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete
    - lib/ts_kmp: fix integer overflow in pattern length calculation
    - media: i2c: imx219: Check return value of devm_gpiod_get_optional() in
      imx219_probe()
    - ALSA: aoa: i2sbus: fix OF node lifetime handling
    - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
    - mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused
    - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
    - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
    - parisc: _llseek syscall is only available for 32-bit userspace
    - sched: Use u64 for bandwidth ratio calculations
    - selftests/mqueue: Fix incorrectly named file
    - selftests/landlock: Fix format warning for __u64 in net_test
    - io_uring/timeout: check unused sqe fields
    - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
    - io_uring/poll: fix signed comparison in io_poll_get_ownership()
    - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
    - ALSA: core: Fix potential data race at fasync handling
    - ALSA: caiaq: Fix control_put() result and cache rollback
    - ALSA: 6fire: Fix input volume change detection
    - ALSA: pcmtest: fix reference leak on failed device registration
    - ALSA: pcmtest: Fix resource leaks in module init error paths
    - iio: adc: ad7768-1: fix one-shot mode data acquisition
    - tools/accounting: handle truncated taskstats netlink messages
    - arm64: dts: marvell: uDPU: add ethernet aliases
    - net: txgbe: fix firmware version check
    - net: ks8851: Avoid excess softirq scheduling
    - drm/arcpgu: fix device node leak
    - extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'
    - tpm: avoid -Wunused-but-set-variable
    - LoongArch: Show CPU vulnerabilites correctly
    - power: supply: axp288_charger: Do not cancel work before initializing it
    - randomize_kstack: Maintain kstack_offset per task
    - mmc: block: use single block write in retry
    - mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
    - arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins
    - firmware: google: framebuffer: Do not unregister platform device
    - crypto: talitos - fix SEC1 32k ahash request limitation
    - crypto: talitos - rename first/last to first_desc/last_desc
    - tpm: tpm_tis: add error logging for data transfer
    - tpm: tpm_tis: stop transmit if retries are exhausted
    - rtc: ntxec: fix OF node reference imbalance
    - mm/damon/core: use time_in_range_open() for damos quota window start
    - userfaultfd: allow registration of ranges below mmap_min_addr
    - KVM: x86: Defer non-architectural deliver of exception payload to
      userspace read
    - KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
    - KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
    - KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts
    - KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode
    - KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT
    - KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN
    - KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
    - KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT
    - KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT
    - KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
    - KVM: nSVM: Add missing consistency check for nCR3 validity
    - KVM: nSVM: Always intercept VMMCALL when L2 is active
    - io_uring/poll: fix multishot recv missing EOF on wakeup race
    - perf annotate: Use jump__delete when freeing LoongArch jumps
    - mtd: spi-nor: sst: Fix write enable before AAI sequence
    - amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2
    - check-uapi: link into shared objects
    - HID: apple: ensure the keyboard backlight is off if suspending
    - wifi: rtl8xxxu: fix potential use of uninitialized value
    - taskstats: set version in TGID exit notifications
    - apparmor: use target task's context in apparmor_getprocattr()
    - bus: mhi: host: pci_generic: Switch to async power up to avoid boot
      delays
    - crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit
    - crypto: atmel-ecc - Release client on allocation failure
    - crypto: hisilicon - Fix dma_unmap_single() direction
    - IB/core: Fix zero dmac race in neighbor resolution
    - ktest: Fix the month in the name of the failure directory
    - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
    - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
    - ksmbd: use msleep instaed of schedule_timeout_interruptible()
    - ksmbd: replace connection list with hash table
    - ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()
    - wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor
    - wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling
    - ALSA: aoa: Use guard() for mutex locks
    - ALSA: aoa: i2sbus: clear stale prepared state
    - mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()
    - media: rc: ttusbir: respect DMA coherency rules
    - ALSA: aoa: Skip devices with no codecs in i2sbus_resume()
    - block: relax pgmap check in bio_add_page for compatible zone device
      pages
    - iio: frequency: admv1013: add dev variable
    - net: mctp: fix don't require received header reserved bits to be zero
    - driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
    - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
    - ALSA: caiaq: Don't abort when no input device is available
    - ALSA: caiaq: fix usb_dev refcount leak on probe failure
    - ACPI: scan: Use acpi_dev_put() in object add error paths
    - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO
    - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
    - ACPI: video: force native backlight on HP OMEN 16 (8A44)
    - iommufd: Fix a race with concurrent allocation and unmap
    - spi: rockchip: fix controller deregistration
    - ksmbd: rewrite stop_sessions() with restartable iteration
    - iommu/amd: Use atomic64_inc_return() in iommu.c
    - iommu/amd: serialize sequence allocation under concurrent TLB
      invalidations
    - KVM: SVM: check validity of VMCB controls when returning from SMM
    - wifi: mt76: mt7925: fix incorrect length field in txpower command
    - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
    - ALSA: usb-audio: midi2: Restart output URBs on resume
    - ALSA: usb-audio: Fix UAC3 cluster descriptor size check
    - USB: omap_udc: DMA: Don't enable burst 4 mode
    - USB: serial: option: add Telit Cinterion LE910Cx compositions
    - ALSA: firewire-tascam: Do not drop unread control events
    - powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
    - xfrm: provide message size for XFRM_MSG_MAPPING
    - selinux: don't reserve xattr slot when we won't fill it
    - selinux: shrink critical section in sel_write_load()
    - selinux: prune /sys/fs/selinux/disable
    - LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()
    - spi: syncuacer: fix controller deregistration
    - spi: sun4i: fix controller deregistration
    - spi: ti-qspi: fix controller deregistration
    - spi: sun6i: fix controller deregistration
    - spi: zynqmp-gqspi: fix controller deregistration
    - staging: vme_user: fix root device leak on init failure
    - LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT
    - parisc: Fix IRQ leak in LASI driver
    - hwmon: (ltc2992) Clamp threshold writes to hardware range
    - hwmon: (ltc2992) Fix u32 overflow in power read path
    - clk: rk808: fix OF node reference imbalance
    - hwmon: (corsair-psu) Close HID device on probe errors
    - cifs: abort open_cached_dir if we don't request leases
    - cifs: change_conf needs to be called for session setup
    - extcon: ptn5150: handle pending IRQ events during system resume
    - gpio: of: clear OF_POPULATED on hog nodes in remove path
    - hv_sock: fix ARM64 support
    - spi: microchip-core-qspi: fix controller deregistration
    - udf: reject descriptors with oversized CRC length
    - thermal: core: Free thermal zone ID later during removal
    - thermal/drivers/sprd: Fix temperature clamping in
      sprd_thm_temp_to_rawdata
    - thermal/drivers/sprd: Fix raw temperature clamping in
      sprd_thm_rawdata_to_temp
    - spi: topcliff-pch: fix controller deregistration
    - clk: imx: imx8-acm: fix flags for acm clocks
    - cpuidle: powerpc: avoid double clear when breaking snooze
    - ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk
      table
    - ASoC: fsl_easrc: fix comment typo
    - ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error
    - ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
    - ASoC: qcom: q6apm: remove child devices when apm is removed
    - dm: don't report warning when doing deferred remove
    - dm-verity-fec: correctly reject too-small FEC devices
    - dm-verity-fec: correctly reject too-small hash devices
    - lib/scatterlist: fix temp buffer in extract_user_to_sg()
    - nvme-apple: drop invalid put of admin queue reference count
    - openvswitch: vport: fix self-deadlock on release of tunnel ports
    - s390/debug: Reject zero-length input in debug_input_flush_fn()
    - PCI: Update saved_config_space upon resource assignment
    - PCI/AER: Clear only error bits in PCIe Device Status
    - PCI/AER: Stop ruling out unbound devices as error source
    - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
    - power: supply: max17042: avoid overflow when determining health
    - mptcp: fastclose msk when linger time is 0
    - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
    - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
    - mptcp: sockopt: set timestamp flags on subflow socket, not msk
    - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
    - f2fs: fix fiemap boundary handling when read extent cache is incomplete
    - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
    - KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
    - KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
    - LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
    - LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS
    - LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by
      software
    - LoongArch: KVM: Move unconditional delay into timer clear scenery
    - LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()
    - LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup
    - fs: prepare for adding LSM blob to backing_file
    - dma-mapping: drop unneeded includes from dma-mapping.h
    - dma-mapping: add __dma_from_device_group_begin()/end()
    - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
    - mtd: spinand: winbond: Declare the QE bit on W25NxxJW
    - gtp: disable BH before calling udp_tunnel_xmit_skb()
    - printk: add print_hex_dump_devel()
    - net: stmmac: avoid shadowing global buf_sz
    - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
    - wifi: mt76: mt7925: fix incorrect TLV length in CLC command
    - KVM: arm64: Wake-up from WFI when iqrchip is in userspace
    - Upstream stable to v6.6.137, v6.6.138, v6.6.139, v6.12.85, v6.12.86,
      v6.12.87, v6.12.88
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-43490
    - ksmbd: validate inherited ACE SID length
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46196
    - tracepoint: balance regfunc() on func_add() failure in
      tracepoint_add_func()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46110
    - net: stmmac: Prevent NULL deref when RX memory exhausted
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46090
    - ALSA: aloop: Fix peer runtime UAF during format-change stop
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46291
    - crypto: caam - guard HMAC key hex dumps in hash_digest_key
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46299
    - hfsplus: fix held lock freed on hfsplus_fill_super()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46169
    - hfsplus: fix uninit-value by validating catalog record size
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-45991
    - udf: fix partition descriptor append bookkeeping
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46007
    - hwmon: (powerz) Avoid cacheline sharing for DMA buffer
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46065
    - fbdev: defio: Disconnect deferred I/O from the lifetime of struct
      fb_info
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46194
    - f2fs: fix node_cnt race between extent node destroy and writeback
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46168
    - mptcp: fix scheduling with atomic in timestamp sockopt
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46189
    - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46133
    - RDMA/rxe: Reject unknown opcodes before ICRC processing
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46114
    - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46127
    - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46176
    - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46178
    - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46145
    - RDMA/mana: Validate rx_hash_key_len
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46126
    - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46144
    - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46121
    - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46131
    - KVM: x86: check for nEPT/nNPT in slow flush hypercalls
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46139
    - smb: client: use kzalloc to zero-initialize security descriptor buffer
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46112
    - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46292
    - pmdomain: core: Fix detach procedure for virtual devices in genpd
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46304
    - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46135
    - nvmet-tcp: fix race between ICReq handling and queue teardown
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46161
    - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-43492
    - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46124
    - isofs: validate block number from NFS file handle in isofs_export_iget
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46303
    - isofs: validate Rock Ridge CE continuation extent against volume size
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46106
    - eventfs: Hold eventfs_mutex and SRCU when remount walks events
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46294
    - dm: fix a buffer overflow in ioctl processing
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46107
    - dm-thin: fix metadata refcount underflow
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46129
    - btrfs: fix double free in create_space_info() error path
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46143
    - ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46293
    - clk: microchip: mpfs-ccc: fix out of bounds access during output
      registration
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46301
    - spi: topcliff-pch: fix use-after-free on unbind
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46273
    - ibmveth: Disable GSO for packets with small MSS
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-43495
    - net: wwan: t7xx: validate port_count against message length in
      t7xx_port_enum_msg_handler
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-43502
    - net/rds: handle zerocopy send cleanup before the message is queued
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46120
    - ip6_gre: Use cached t->net in ip6erspan_changelink().
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46142
    - net: libwx: fix VF illegal register access
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46184
    - sound: ua101: fix division by zero at probe
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46132
    - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
      rtnl_fill_vfinfo
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46190
    - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46150
    - fanotify: fix false positive on permission events
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46296
    - spi: s3c64xx: fix NULL-deref on driver unbind
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-45834
    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-45835
    - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46138
    - Bluetooth: hci_event: Fix OOB read and infinite loop in
      hci_le_create_big_complete_evt
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46186
    - Bluetooth: virtio_bt: validate rx pkt_type header length
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46123
    - Bluetooth: virtio_bt: clamp rx length before skb_put
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46193
    - xfrm: ah: account for ESN high bits in async callbacks
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46172
    - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46116
    - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46157
    - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46146
    - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46167
    - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46151
    - usb: usblp: fix heap leak in IEEE 1284 device ID via short response
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46180
    - wifi: brcmfmac: Fix potential use-after-free issue when stopping
      watchdog task
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46122
    - wifi: b43: enforce bounds check on firmware key index in b43_rx()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46125
    - wifi: mac80211: remove station if connection prep fails
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46307
    - wifi: ath5k: do not access array OOB
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46187
    - wifi: rsi: fix kthread lifetime race between self-exit and external-stop
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46152
    - wifi: mac80211: drop stray 'static' from fast-RX rx_result
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46163
    - wifi: b43legacy: enforce bounds check on firmware key index in RX path
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46136
    - wifi: mt76: mt7921: fix a potential clc buffer length underflow
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46173
    - exit: prevent preemption of oopsing TASK_DEAD task
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-31499
    - Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-43496
    - net/sched: sch_red: Replace direct dequeue call with peek and
      qdisc_dequeue_peeked
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-43088
    - net: af_key: zero aligned sockaddr tail in PF_KEY exports
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46287
    - net: txgbe: fix RTNL assertion warning when remove module
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46306
    - flow_dissector: do not dissect PPPoE PFC frames
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46113
    - KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46063
    - x86/shstk: Prevent deadlock during shstk sigreturn
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-43109
    - x86: shadow stacks: proper error handling for mmap lock
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46179
    - ASoC: SOF: Don't allow pointer operations on unconfigured streams
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-43497
    - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46108
    - ipmi:si: Return state to normal if message allocation fails
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46128
    - ipmi: Check event message buffer response for bad data
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46177
    - ipmi: Add limits to event and receive message requests
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46149
    - scsi: target: configfs: Bound snprintf() return in
      tg_pt_gp_members_show()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46101
    - netfilter: reject zero shift in nft_bitwise
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46099
    - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46276
    - drm/amdgpu: fix zero-size GDS range init on RDNA4
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46033
    - crypto: authencesn - reject short ahash digests during instance creation
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46083
    - spi: fix resource leaks on device setup failure
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46003
    - net: qrtr: ns: Limit the total number of nodes
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46086
    - net: bridge: use a stable FDB dst snapshot in RCU readers
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46026
    - net: qrtr: ns: Limit the maximum number of lookups
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-43491
    - net: qrtr: ns: Limit the maximum server registration per node
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46282
    - iio: frequency: admv1013: fix NULL pointer dereference on str
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46084
    - RDMA/mana_ib: Disable RX steering on RSS QP destroy
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46091
    - media: rc: igorplugusb: heed coherency rules
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46069
    - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46021
    - thermal: core: Fix thermal zone governor cleanup issues
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46280
    - lib: test_hmm: evict device pages on file close to avoid use-after-free
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-31715
    - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in
      f2fs_write_end_io()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-31709
    - smb: client: validate the whole DACL before rewriting it in cifsacl
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-45997
    - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-43499
    - rtmutex: Use waiter::task instead of current in remove_waiter()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46062
    - ntfs3: fix integer overflow in run_unpack() volume boundary check
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46072
    - ntfs3: add buffer boundary checks to run_unpack()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46052
    - ceph: only d_add() negative dentries when they are unhashed
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46023
    - dm mirror: fix integer overflow in create_dirty_log()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46075
    - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46077
    - crypto: atmel-tdes - fix DMA sync direction
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-45986
    - crypto: ccree - fix a memory leak in cc_mac_digest()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46019
    - crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46103
    - can: ucan: fix devres lifetime
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46056
    - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46015
    - tcp: call sk_data_ready() after listener migration
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46040
    - inotify: fix watch count leak when fsnotify_add_inode_mark_locked()
      fails
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46070
    - md/raid5: validate payload size before accessing journal metadata
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46051
    - md/raid5: fix soft lockup in retry_aligned_read()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46046
    - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46094
    - ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46076
    - KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46082
    - KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-45987
    - KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46005
    - xfs: fix a resource leak in xfs_alloc_buftarg()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46024
    - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46037
    - ipv4: icmp: validate reply type before using icmp_pointers
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46031
    - net: ks8851: Reinstate disabling of BHs around IRQ handler
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46027
    - net/smc: avoid early lgr access in smc_clc_wait_msg
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46053
    - net: rds: fix MR cleanup on copy error
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46038
    - net: qrtr: ns: Free the node during ctrl_cmd_bye()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46012
    - rxrpc: Fix memory leaks in rxkad_verify_response()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46004
    - ALSA: caiaq: Handle probe errors properly
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46079
    - rbd: fix null-ptr-deref when device_add_disk() fails
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46016
    - remoteproc: xlnx: Only access buffer information if IPI is buffered
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46285
    - mtd: docg3: fix use-after-free in docg3_release()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46050
    - md/raid10: fix deadlock with check operation and nowait requests
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46061
    - jbd2: fix deadlock in jbd2_journal_cancel_revoke()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46078
    - erofs: fix the out-of-bounds nameoff handling for trailing dirents
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46049
    - ALSA: ctxfi: Add fallback to default RSR for S/PDIF
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46002
    - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46047
    - net: qrtr: ns: Fix use-after-free in driver remove()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46009
    - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46011
    - media: mtk-jpeg: fix use-after-free in release path due to uncancelled
      work
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46102
    - net: strparser: fix skb_head leak in strp_abort_strp()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46098
    - net: caif: clear client service pointer on teardown
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46088
    - ALSA: control: Validate buf_len before strnlen() in
      snd_ctl_elem_init_enum_names()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46058
    - media: amphion: Fix race between m2m job_abort and device_run
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46073
    - hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-45989
    - of: unittest: fix use-after-free in testdrv_probe()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-45996
    - spi: imx: fix use-after-free on unbind
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46092
    - wifi: rtw88: check for PCI upstream bridge existence
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46089
    - zram: do not forget to endio for partial discard requests
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46080
    - ocfs2: split transactions in dio completion to avoid credit exhaustion
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-23468
    - drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46064
    - ibmasm: fix heap over-read in ibmasm_send_i2o_message()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-45994
    - ibmasm: fix OOB reads in command_file_write due to missing size checks
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46022
    - misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46041
    - greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46286
    - leds: qcom-lpg: Check for array overflow when selecting the high
      resolution
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46006
    - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-45993
    - LoongArch: Add spectre boundry for syscall dispatch table
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2026-46018
    - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
  * Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
    CVE-2025-54518 // CVE-2026-46174
    - x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op
      cache
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373)
    - ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
    - ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
    - ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC
    - media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl()
    - ALSA: asihpi: avoid write overflow check warning
    - ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
    - ASoC: SOF: topology: reject invalid vendor array size in token parser
    - can: mcp251x: add error handling for power enable in open and resume
    - ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
    - ALSA: hda/realtek: add quirk for Framework F111:000F
    - ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
    - ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
    - ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
    - pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
      debouncer)
    - platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug
    - HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
    - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
    - ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
    - ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
    - soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
    - arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
    - PCI: hv: Set default NUMA node to 0 for devices without affinity info
    - drm/vc4: Release runtime PM reference after binding V3D
    - drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
    - net: stmmac: Fix PTP ref clock for Tegra234
    - dt-bindings: net: Fix Tegra234 MGBE PTP clock
    - tracing/probe: reject non-closed empty immediate strings
    - e1000: check return value of e1000_read_eeprom
    - xsk: respect tailroom for ZC setups
    - xsk: fix XDP_UMEM_SG_FLAG issues
    - selftests: net: bridge_vlan_mcast: wait for h1 before querier check
    - gpio: tegra: fix irq_release_resources calling enable instead of disable
    - ALSA: usb-audio: Improve Focusrite sample rate filtering
    - usb: storage: Expand range of matched versions for VL817 quirks entry
    - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
    - usb: port: add delay after usb_hub_set_port_power()
    - scripts: generate_rust_analyzer.py: avoid FD leak
    - USB: serial: option: add Telit Cinterion FN990A MBIM composition
    - Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates
      race
    - KVM: nVMX: Fold requested virtual interrupt check into
      has_nested_events()
    - net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
    - checkpatch: add support for Assisted-by tag
    - Revert "perf unwind-libdw: Fix invalid reference counts"
    - net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers
    - scripts: generate_rust_analyzer.py: define scripts
    - KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
    - rxrpc: Fix key quota calculation for multitoken keys
    - ocfs2: add inline inode consistency check to
      ocfs2_validate_inode_block()
    - Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave"
    - scripts/dtc: Remove unused dts_version in dtc-lexer.l
    - fuse: Check for large folio with SPLICE_F_MOVE
    - fuse: quiet down complaints in fuse_conn_limit_write
    - smb: server: fix max_connections off-by-one in tcp accept path
    - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
    - crypto: testmgr - Hide ENOENT errors
    - crypto: testmgr - Hide ENOENT errors better
    - platform/x86: asus-nb-wmi: add DMI quirk for ASUS ROG Flow Z13-KJP
      GZ302EAC
    - drm/amdgpu: Handle GPU page faults correctly on non-4K page systems
    - ALSA: hda/realtek: Add quirk for Samsung Book2 Pro 360 (NP950QED)
    - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IMH9
    - net: sfp: add quirks for Hisense and HSGQ GPON ONT SFP modules
    - arm64: dts: qcom: hamoa/x1: fix idle exit latency
    - HID: amd_sfh: don't log error when device discovery fails with
      -EOPNOTSUPP
    - net: increase IP_TUNNEL_RECURSION_LIMIT to 5
    - netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC ->
      GFP_KERNEL_ACCOUNT allocation
    - netfilter: nfnetlink_queue: make hash table per queue
    - thermal: core: Mark thermal zones as exiting before unregistration
    - KVM: Remove subtle "struct kvm_stats_desc" pseudo-overlay
    - PCI: Fix placement of pci_save_state() in pci_bus_add_device()
    - ima: verify if the segment size has changed
    - ima: do not copy measurement list to kdump kernel
    - ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
    - btrfs: tracepoints: fix sleep while in atomic context in
      btrfs_sync_file()
    - Upstream stable to v6.6.136, v6.12.83, v6.12.84
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31706
    - ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31712
    - ksmbd: require minimum ACE size in smb_check_perm_dacl()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31575
    - mm/userfaultfd: fix hugetlb fault mutex hash calculation
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31582
    - hwmon: (powerz) Fix use-after-free on USB disconnect
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43073
    - x86-64: rename misleadingly named '__copy_user_nocache()' function
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2025-21709
    - kernel: be more careful about dup_mmap() failures and uprobe registering
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31606
    - usb: gadget: f_hid: don't call cdev_init while cdev in use
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31731
    - thermal: core: Address thermal zone removal races with resume
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31677
    - crypto: af_alg - limit RX SG extraction by receive buffer budget
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43107
    - xfrm: account XFRMA_IF_ID in aevent size calculation
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43119
    - Bluetooth: hci_sync: annotate data-races around hdev->req_status
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31696
    - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31697
    - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31698
    - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command
      failed
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31699
    - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command
      failed
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31700
    - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31701
    - ALSA: caiaq: take a reference on the USB device in create_card()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31702
    - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31704
    - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31705
    - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31708
    - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43350
    - smb: client: require a full NFS mode SID before reading mode bits
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31711
    - smb: server: fix active_num_conn leak on transport allocation failure
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31694
    - fuse: reject oversized dirents in page cache
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31714
    - f2fs: fix to avoid memory leak in f2fs_rename()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31716
    - fs/ntfs3: validate rec->used in journal-replay file record check
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43075
    - ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43076
    - ocfs2: validate inline data i_size during inode read
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31595
    - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in
      epf_ntb_epc_cleanup
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-23444
    - wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-23442
    - ipv6: add NULL checks for idev in SRv6 paths
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31594
    - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31576
    - media: hackrf: fix to not free memory after the device is registered in
      hackrf_probe()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43058
    - media: vidtv: fix pass-by-value structs causing MSAN warnings
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31577
    - nilfs2: fix NULL i_assoc_inode dereference in
      nilfs_mdt_save_to_shadow_map
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31578
    - media: as102: fix to not free memory after the device is registered in
      as102_usb_probe()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31580
    - bcache: fix cached_dev.sb_bio use-after-free and crash
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31581
    - ALSA: 6fire: fix use-after-free on disconnect
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31583
    - media: em28xx: fix use-after-free in em28xx_v4l2_open()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31584
    - media: mediatek: vcodec: fix use-after-free in encoder release path
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31585
    - media: vidtv: fix nfeeds state corruption on start_streaming failure
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31586
    - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31686
    - mm/kasan: fix double free for kasan pXds
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31587
    - ASoC: qcom: q6apm: move component registration to unmanaged version
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31588
    - KVM: x86: Use scratch field in MMIO fragment to hold small write values
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31590
    - KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31596
    - ocfs2: handle invalid dinode in ocfs2_group_extend
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31597
    - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31598
    - ocfs2: fix possible deadlock between unlink and dio_end_io_write
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31599
    - media: vidtv: fix NULL pointer dereference in
      vidtv_channel_pmt_match_sections
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31602
    - ALSA: ctxfi: Limit PTP to a single page
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31603
    - staging: sm750fb: fix division by zero in ps_to_hz()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31604
    - wifi: rtw88: fix device leak on probe failure
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31605
    - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31610
    - ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31611
    - ksmbd: require 3 sub-authorities before reading sub_auth[2]
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31612
    - ksmbd: validate EaNameLength in smb2_get_ea()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31615
    - usb: gadget: renesas_usb3: validate endpoint index in standard request
      handlers
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31616
    - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31617
    - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31618
    - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31619
    - ALSA: fireworks: bound device-supplied status before string array lookup
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43072
    - drm/vc4: platform_get_irq_byname() returns an int
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31622
    - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31623
    - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31624
    - HID: core: clamp report_size in s32ton() to avoid undefined shift
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31625
    - HID: alps: fix NULL pointer dereference in alps_raw_event()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31626
    - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31627
    - i2c: s3c24xx: check the size of the SMBUS message before using it
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31532
    - can: raw: fix ro->uniq use-after-free in raw_rcv()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31629
    - nfc: llcp: add missing return after LLCP_CLOSED checks
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31407
    - netfilter: conntrack: add missing netlink policy validations
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43079
    - perf/x86/intel/uncore: Skip discovery table for offline dies
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43080
    - l2tp: Drop large packets with UDP encap
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43345
    - net: ipa: fix event ring index not programmed for IPA v5.0+
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43081
    - net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31673
    - af_unix: read UNIX_DIAG_VFS data under unix_state_lock
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43082
    - net: txgbe: leave space for null terminators on property_entry
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31681
    - netfilter: xt_multiport: validate range encoding in checkentry
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43085
    - netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43086
    - ipvs: fix NULL deref in ip_vs_add_service error path
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43089
    - xfrm_user: fix info leak in build_mapping()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43091
    - xfrm: Wait for RCU readers during policy netns exit
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43092
    - xsk: validate MTU against usable frame size on bind
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43093
    - xsk: tighten UMEM headroom validation to account for tailroom and min
      frame
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43094
    - ixgbevf: add missing negotiate_features op to Hyper-V ops table
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43098
    - nfc: s3fwrn5: allocate rx skb before consuming bytes
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43099
    - ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43103
    - net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-31684
    - net: sched: act_csum: validate nested VLAN headers
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43074
    - eventpoll: defer struct eventpoll free to RCU grace period
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43104
    - drm/vc4: Fix a memory leak in hang state error path
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43105
    - drm/vc4: Fix memory leak of BO array in hang state
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43110
    - wifi: brcmfmac: validate bsscfg indices in IF events
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43111
    - HID: roccat: fix use-after-free in roccat_report_event
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43112
    - fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43113
    - wifi: wl1251: validate packet IDs before indexing tx_frames
  * Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
    CVE-2026-43120
    - RDMA/irdma: Fix double free related to rereg_user_mr
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149)
    - vfio/pci: Use unmap_mapping_range()
    - gfs2: Improve gfs2_consist_inode() usage
    - Input: uinput - take event lock when submitting FF request "event"
    - MIPS: Always record SEGBITS in cpu_data.vmbits
    - MIPS: mm: Suppress TLB uniquification on EHINV hardware
    - MIPS: mm: Rewrite TLB uniquification for the hidden bit feature
    - virtio_net: clamp rss_max_key_size to NETDEV_RSS_KEY_LEN
    - Revert "mptcp: add needs_id for netlink appending addr"
    - netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR
    - Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower"
    - arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
    - arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity
    - arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges
    - net/mlx5: Update the list of the PCI supported devices
    - net: qualcomm: qca_uart: report the consumed byte on RX skb allocation
      failure
    - rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
    - rxrpc: Fix missing error checks for rxkad encryption/decryption failure
    - Revert "PCI: Enable ACS after configuring IOMMU for OF platforms"
    - usb: typec: ucsi: skip connector validation before init
    - drm/i915/psr: Do not use pipe_src as borders for SU area
    - rxrpc: Fix anonymous key handling
    - ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
    - rxrpc: Fix rxkad crypto unalignment handling
    - Upstream stable to v6.6.134, v6.6.135, v6.12.82
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31429
    - net: skb: fix cross-cache free of KFENCE-allocated skb head
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31645
    - net: lan966x: fix page pool leak in error paths
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-23302
    - net: annotate data-races around sk->sk_{data_ready,write_space}
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-23330
    - nfc: nci: complete pending data exchange on device close
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-23374
    - blktrace: fix __this_cpu_read/write in preemptible context
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31634
    - rxrpc: fix reference count leak in rxrpc_server_keyring()
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31638
    - rxrpc: Only put the call ref if one was acquired
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31639
    - rxrpc: Fix key reference count leak from call->key
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31642
    - rxrpc: Fix call removal to use RCU safe deletion
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31646
    - net: lan966x: fix page_pool error handling in
      lan966x_fdma_rx_alloc_page_pool()
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31648
    - mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31651
    - mmc: vub300: fix NULL-deref on disconnect
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31655
    - pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31656
    - drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31658
    - net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31689
    - EDAC/mc: Fix error path ordering in edac_mc_alloc()
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31430
    - X.509: Fix out-of-bounds access when parsing extensions
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31660
    - nfc: pn533: allocate rx skb before consuming bytes
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31661
    - wifi: brcmsmac: Fix dma_free_coherent() size
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31662
    - tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31664
    - xfrm: clear trailing padding in build_polexpire()
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31665
    - netfilter: nft_ct: fix use-after-free in timeout object destroy
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31667
    - Input: uinput - fix circular locking dependency with ff-core
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31670
    - net: rfkill: prevent unlimited numbers of rfkill events from being
      created
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31671
    - xfrm_user: fix info leak in build_report()
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-31672
    - wifi: rt2x00usb: fix devres lifetime
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2026-43336
    - lib/crypto: chacha: Zeroize permuted_state before it leaves scope
  * Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
    CVE-2025-54505 // CVE-2026-31628
    - x86/CPU: Fix FPDSS on Zen1
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958)
    - Revert "rust: pin-init: internal: init: document load-bearing fact of
      field accessors"
    - arm64/scs: Fix handling of advance_loc4
    - HID: logitech-hidpp: Enable MX Master 4 over bluetooth
    - btrfs: don't take device_list_mutex when querying zone info
    - tg3: replace placeholder MAC address with device property
    - objtool: Fix Clang jump table detection
    - i2c: tegra: Don't mark devices with pins as IRQ safe
    - spi: geni-qcom: Check DMA interrupts early in ISR
    - dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix
      common property warning
    - wifi: ath11k: Pass the correct value of each TID during a stop AMPDU
      session
    - net: fec: fix the PTP periodic output sysfs interface
    - tg3: Fix race for querying speed/duplex
    - net: sfp: Fix Ubiquiti U-Fiber Instant SFP module on mvneta
    - net: enetc: check whether the RSS algorithm is Toeplitz
    - ASoC: ep93xx: Fix unchecked clk_prepare_enable() and add rollback on
      failure
    - net: introduce mangleid_features
    - net: xilinx: axienet: Correct BD length masks to match AXIDMA IP spec
    - netfilter: ipset: use nla_strcmp for IPSET_ATTR_NAME attr
    - netfilter: nf_conntrack_expect: honor expectation helper field
    - netfilter: nf_conntrack_expect: store netns and zone in expectation
    - Bluetooth: hci_sync: call destroy in hci_cmd_sync_run if immediate
    - net/mlx5: Avoid "No data available" when FW version queries fail
    - net: hsr: fix VLAN add unwind on slave errors
    - iio: imu: bno055: fix BNO055_SCAN_CH_COUNT off by one
    - hwmon: (pxe1610) Check return value of page-select write in probe
    - hwmon: (ltc4286) Add missing MODULE_IMPORT_NS("PMBUS")
    - dt-bindings: gpio: fix microchip #interrupt-cells
    - hwmon: (tps53679) Fix device ID comparison and printing in
      tps53676_identify()
    - hwmon: (occ) Fix missing newline in occ_show_extended()
    - mips: ralink: update CPU clock index
    - sched/fair: Fix zero_vruntime tracking fix
    - riscv: kgdb: fix several debug register assignment bugs
    - USB: serial: option: add MeiG Smart SRM825WN
    - MIPS: SiByte: Bring back cache initialisation
    - MIPS: Fix the GCC version check for `__multi3' workaround
    - mips: mm: Allocate tlb_vpn array atomically
    - iio: adc: ti-adc161s626: fix buffer read on big-endian
    - drm/ast: dp501: Fix initialization of SCU2C
    - drm/i915/dp: Use crtc_state->enhanced_framing properly on ivb/hsw CPU
      eDP
    - drm/amdgpu/pm: drop SMU driver if version not matched messages
    - USB: serial: io_edgeport: add support for Blackbox IC135A
    - USB: serial: option: add support for Rolling Wireless RW135R-GL
    - USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam
    - Input: synaptics-rmi4 - fix a locking bug in an error path
    - Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042 quirk
      table
    - Input: bcm5974 - recover from failed mode switch
    - Input: xpad - add support for BETOP BTP-KP50B/C controller's wireless
      mode
    - Input: xpad - add support for Razer Wolverine V3 Pro
    - iio: adc: aspeed: clear reference voltage bits before configuring vref
    - iio: accel: fix ADXL355 temperature signature value
    - iio: dac: ad5770r: fix error return in ad5770r_read_raw()
    - iio: light: vcnl4035: fix scan buffer on big-endian
    - iio: imu: bmi160: Remove potential undefined behavior in
      bmi160_config_pin()
    - iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only
    - iio: gyro: mpu3050: Fix out-of-sequence free_irq()
    - usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive
    - usb: ehci-brcm: fix sleep during atomic
    - cdc-acm: new quirk for EPSON HMD
    - firmware: microchip: fail auto-update probe if no flash found
    - dt-bindings: connector: add pd-disable dependency
    - nvmem: imx: assign nvmem_cell_info::raw_len
    - gpio: mxc: map Both Edge pad wakeup to Rising Edge
    - thunderbolt: Fix property read in nhi_wake_supported()
    - usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows
      partial transfer
    - btrfs: fix the qgroup data free range for inline data extents
    - usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
    - spi: cadence-qspi: Fix exec_mem_op error handling
    - drm/amd/pm: disable OD_FAN_CURVE if temp or pwm range invalid for smu
      v13
    - s390/perf_cpum_sf: Convert to use try_cmpxchg128()
    - s390/cpum_sf: Cap sampling rate to prevent lsctl exception
    - MPTCP: fix lock class name family in pm_nl_create_listen_socket
    - drm/amd/amdgpu: decouple ASPM with pcie dpm
    - drm/amd/amdgpu: disable ASPM in some situations
    - drm/amd/display: Disable fastboot on DCE 6 too
    - drm/amd/display: Keep PLL0 running on DCE 6.0 and 6.4
    - drm/amd/display: Fix DCE 6.0 and 6.4 PLL programming.
    - drm/amd/display: Adjust DCE 8-10 clock, don't overclock by 15%
    - drm/amd/display: Disable scaling on DCE6 for now
    - drm/amd: Disable ASPM on SI
    - drm/amd/display: Correct logic check error for fastboot
    - bpf: Improve bounds when s64 crosses sign boundary
    - selftests/bpf: Test cross-sign 64bits range refinement
    - selftests/bpf: Test invariants on JSLT crossing sign
    - bpf: Add third round of bounds deduction
    - selftests/bpf: test refining u32/s32 bounds when ranges cross min/max
      boundary
    - arm64/scs: Fix potential sign extension issue of advance_loc4
    - usb: ulpi: fix memory leak on ulpi_register() error paths
    - Upstream stable to v6.6.132, v6.6.133, v6.12.81
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2025-62626
    - x86/CPU/AMD: Add additional fixed RDSEED microcode revisions
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31450
    - ext4: publish jinode after initialization
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31466
    - mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43054
    - scsi: target: tcm_loop: Drain commands in target_reset handler
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43056
    - net: mana: fix use-after-free in add_adev() error path
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43057
    - net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31695
    - wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31720
    - usb: gadget: f_uac1_legacy: validate control request size
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31721
    - usb: gadget: f_hid: move list and spinlock inits from bind to alloc
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31722
    - usb: gadget: f_rndis: Fix net_device lifecycle with device_move
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31723
    - usb: gadget: f_subset: Fix net_device lifecycle with device_move
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31724
    - usb: gadget: f_eem: Fix net_device lifecycle with device_move
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31725
    - usb: gadget: f_ecm: Fix net_device lifecycle with device_move
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43342
    - usb: gadget: f_rndis: Protect RNDIS options with mutex
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43343
    - usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31726
    - usb: gadget: uvc: fix NULL pointer dereference during unbind race
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31728
    - usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2025-71269
    - btrfs: do not free data reservation in fallback from inline due to
      -ENOSPC
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-23389
    - ice: Fix memory leak in ice_set_ringparam()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31729
    - usb: typec: ucsi: validate connector number in ucsi_notify_common()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43324
    - USB: dummy-hcd: Fix interrupt synchronization error
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43327
    - USB: dummy-hcd: Fix locking/synchronization error
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31730
    - misc: fastrpc: possible double-free of cctx->remote_heap
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43332
    - thermal: core: Fix thermal zone device registration error path
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43328
    - cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error
      path
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31737
    - net: ftgmac100: fix ring allocation unwind on open failure
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31738
    - vxlan: validate ND option lengths in vxlan_na_create
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31740
    - counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31741
    - counter: rz-mtu3-cnt: prevent counter from being toggled multiple times
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31747
    - comedi: me4000: Fix potential overrun of firmware buffer
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31748
    - comedi: me_daq: Fix potential overrun of firmware buffer
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31749
    - comedi: ni_atmio16d: Fix invalid clean-up after failed attach
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43340
    - comedi: Reinit dev->spinlock between attachments to low-level drivers
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31751
    - comedi: dt2815: add hardware detection to prevent crash
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31752
    - bridge: br_nd_send: validate ND option lengths
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31754
    - usb: cdns3: gadget: fix state inconsistency on gadget init failure
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31755
    - usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31756
    - usb: dwc2: gadget: Fix spin_lock/unlock mismatch in
      dwc2_hsotg_udc_stop()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31758
    - usb: usbtmc: Flush anchored URBs in usbtmc_release
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31759
    - usb: ulpi: fix double free in ulpi_register_interface() error path
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31761
    - iio: gyro: mpu3050: Move iio_device_register() to correct location
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31762
    - iio: gyro: mpu3050: Fix irq resource leak
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31763
    - iio: gyro: mpu3050: Fix incorrect free_irq() variable
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31767
    - drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31768
    - iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31770
    - hwmon: (occ) Fix division by zero in occ_show_power_1()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31432
    - ksmbd: fix OOB write in QUERY_INFO for compound requests
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31772
    - Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43334
    - Bluetooth: SMP: force responder MITM requirements before building the
      pairing response
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31773
    - Bluetooth: SMP: derive legacy responder STK authentication from MITM
      state
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31776
    - ALSA: ctxfi: Fix missing SPDIFI1 index handling
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31778
    - ALSA: caiaq: fix stack out-of-bounds read in init_card
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31779
    - wifi: iwlwifi: mvm: fix potential out-of-bounds read in
      iwl_mvm_nd_match_info_handler()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31780
    - wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31781
    - drm/ioc32: stop speculation on the drm_compat_ioctl path
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43007
    - accel/qaic: Handle DBC deactivation if the owner went away
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43333
    - bpf: reject direct access to nullable PTR_TO_BUF pointers
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31415
    - ipv6: avoid overflows in ip6_datagram_send_ctl()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31422
    - net/sched: cls_flow: fix NULL pointer dereference on shared blocks
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31421
    - net/sched: cls_fw: fix NULL pointer dereference on shared blocks
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31417
    - net/x25: Fix overflow when accumulating packets
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43012
    - net/mlx5: Fix switchdev mode rollback in case of failure
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43013
    - net/mlx5: lag: Check for LAG device before creating debugfs
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43014
    - net: macb: properly unregister fixed rate clocks
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43015
    - net: macb: fix clk handling on PCI glue driver removal
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31675
    - net/sched: sch_netem: fix out-of-bounds access in packet corruption
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43016
    - bpf: sockmap: Fix use-after-free of sk->sk_socket in
      sk_psock_verdict_data_ready().
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31425
    - rds: ib: reject FRMR registration before IB connection is established
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43017
    - Bluetooth: MGMT: validate mesh send advertising payload length
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43018
    - Bluetooth: hci_event: fix potential UAF in
      hci_le_remote_conn_param_req_evt
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43019
    - Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43020
    - Bluetooth: MGMT: validate LTK enc_size on load
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43023
    - Bluetooth: SCO: fix race conditions in sco_sock_connect()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43024
    - netfilter: nf_tables: reject immediate NF_QUEUE verdict
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31424
    - netfilter: x_tables: restrict xt_check_match/xt_check_target extensions
      for NFPROTO_ARP
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43025
    - netfilter: ctnetlink: ignore explicit helper on new expectations
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31414
    - netfilter: nf_conntrack_expect: use expect->helper
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43026
    - netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43027
    - netfilter: nf_conntrack_helper: pass helper to expect cleanup
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43028
    - netfilter: x_tables: ensure names are nul-terminated
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31416
    - netfilter: nfnetlink_log: account for netlink header size
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43329
    - netfilter: flowtable: strictly check for maximum number of actions
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31680
    - net: ipv6: flowlabel: defer exclusive option free until RCU teardown
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43030
    - bpf: Fix regsafe() for pointers to packet
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43032
    - NFC: pn533: bound the UART receive buffer
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43035
    - net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to
      zero to prevent an info-leak
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43036
    - net: use skb_header_pointer() for TCPv4 GSO frag_off check
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43339
    - ipv6: prevent possible UaF in addrconf_permanent_addr()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-31423
    - net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43040
    - net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX
      fields to zero to prevent an info-leak
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43041
    - net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory
      leak
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43043
    - crypto: af-alg - fix NULL pointer dereference in scatterwalk
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43330
    - crypto: caam - fix overflow on long hmac keys
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43044
    - crypto: caam - fix DMA corruption on long hmac keys
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43046
    - btrfs: reject root items with drop_progress and zero drop_level
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43338
    - btrfs: reserve enough transaction items for qgroup ioctls
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43047
    - HID: multitouch: Check to ensure report responses match the request
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43049
    - HID: logitech-hidpp: Prevent use-after-free on force feedback
      initialisation failure
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43050
    - atm: lec: fix use-after-free in sock_def_readable()
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43051
    - HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
  * Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
    CVE-2026-43052
    - wifi: mac80211: check tdls flag in ieee80211_tdls_oper
  * Noble update: upstream stable patchset 2026-06-05 (LP: #2155660)
    - perf: Extract a few helpers
    - perf: Make sure to use pmu_ctx->pmu for groups
    - cxl/hdm: Avoid incorrect DVSEC fallback when HDM decoders are enabled
    - hwmon: (axi-fan-control) Use device firmware agnostic API
    - hwmon: (axi-fan-control) Make use of dev_err_probe()
    - hwmon: axi-fan: don't use driver_override as IRQ name
    - sh: platform_early: remove pdev->driver_override check
    - bpf: Release module BTF IDR before module unload
    - bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN
    - HID: asus: avoid memory leak in asus_report_fixup()
    - platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list
    - nvme-pci: cap queue creation to used queues
    - nvme-fabrics: use kfree_sensitive() for DHCHAP secrets
    - platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16
      Gen 1
    - platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix
      touchscreen on SUPI S10
    - nvme-pci: ensure we're polling a polled queue
    - HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2
    - HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
    - net: usb: r8152: add TRENDnet TUC-ET2G
    - HID: mcp2221: cancel last I2C command on read error
    - HID: asus: add xg mobile 2023 external hardware support
    - module: Fix kernel panic when a symbol st_shndx is out of bounds
    - ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg()
    - ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits()
    - dma-buf: Include ioctl.h in UAPI header
    - HID: apple: avoid memory leak in apple_report_fixup()
    - btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
    - ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk
    - ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
    - objtool: Handle Clang RSP musical chairs
    - usb: core: new quirk to handle devices with zero configurations
    - spi: intel-pci: Add support for Nova Lake mobile SPI flash
    - xfrm: call xdo_dev_state_delete during state update
    - xfrm: Fix the usage of skb->sk
    - esp: fix skb leak with espintcp and async crypto
    - af_key: validate families in pfkey_send_migrate()
    - dma: swiotlb: add KMSAN annotations to swiotlb_bounce()
    - can: statistics: add missing atomic access in hot path
    - Bluetooth: L2CAP: Validate PDU length before reading SDU length in
      l2cap_ecred_data_rcv()
    - Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing
      sock_hold
    - Bluetooth: hci_ll: Fix firmware leak on error path
    - Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
    - pinctrl: mediatek: common: Fix probe failure for devices without EINT
    - ionic: fix persistent MAC address override on PF
    - nfc: nci: fix circular locking dependency in nci_close_device
    - net: openvswitch: Avoid releasing netdev before teardown completes
    - openvswitch: defer tunnel netdev_put to RCU release
    - openvswitch: validate MPLS set/set_masked payload length
    - net/smc: fix double-free of smc_spd_priv when tee() duplicates splice
      pipe buffer
    - rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size
    - platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen
    - ice: use ice_update_eth_stats() for representor stats
    - ipv6: Remove permanent routes from tb6_gc_hlist when all exceptions
      expire.
    - ipv6: Don't remove permanent routes with exceptions from tb6_gc_hlist.
    - tcp: optimize inet_use_bhash2_on_bind()
    - udp: Fix wildcard bind conflict check when using hash2
    - net: enetc: fix the output issue of 'ethtool --show-ring'
    - dma-mapping: add missing `inline` for `dma_free_attrs`
    - Bluetooth: L2CAP: Fix send LE flow credits in ACL link
    - Bluetooth: Remove 3 repeated macro definitions
    - Bluetooth: hci_sync: Remove remaining dependencies of hci_request
    - Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
    - Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
    - Bluetooth: btusb: clamp SCO altsetting table indices
    - tls: Purge async_hold in tls_decrypt_async_wait()
    - netfilter: nfnetlink_log: fix uninitialized padding leak in
      NFULA_PAYLOAD
    - netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
    - netfilter: nf_conntrack_expect: skip expectations in other netns via
      proc
    - netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in
      process_sdp
    - netfilter: ctnetlink: use netlink policy range checks
    - net: macb: use the current queue number for stats
    - regmap: Synchronize cache for the page selector
    - RDMA/rw: Fall back to direct SGE on MR pool exhaustion
    - RDMA/irdma: Initialize free_qp completion before using it
    - RDMA/irdma: Update ibqp state to error if QP is already in error state
    - RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce()
    - RDMA/irdma: Clean up unnecessary dereference of event->cm_node
    - RDMA/irdma: Remove reset check from irdma_modify_qp_to_err()
    - RDMA/irdma: Fix deadlock during netdev reset with active connections
    - RDMA/irdma: Return EINVAL for invalid arp index error
    - scsi: scsi_transport_sas: Fix the maximum channel scanning issue
    - x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size
    - drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
    - PM: hibernate: Don't ignore return from set_memory_ro()
    - PM: hibernate: Drain trailing zero pages on userspace restore
    - spi: sn-f-ospi: Fix resource leak in f_ospi_probe()
    - ASoC: Intel: catpt: Fix the device initialization
    - ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
    - drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
    - hwmon: (adm1177) fix sysfs ABI violation and current unit conversion
    - sysctl: fix uninitialized variable in proc_do_large_bitmap
    - ASoC: adau1372: Fix unchecked clk_prepare_enable() return value
    - ASoC: adau1372: Fix clock leak on PLL lock failure
    - spi: spi-fsl-lpspi: fix teardown order issue (UAF)
    - s390/syscalls: Add spectre boundary for syscall dispatch table
    - s390/barrier: Make array_index_mask_nospec() __always_inline
    - ksmbd: fix potencial OOB in get_file_all_info() for compound requests
    - ksmbd: do not expire session on binding failure
    - ALSA: firewire-lib: fix uninitialized local variable
    - ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload
    - can: gw: fix OOB heap access in cgw_csum_crc8_rel()
    - can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
    - cpufreq: conservative: Reset requested_freq on limits change
    - platform/x86: ISST: Correct locked bit width
    - KVM: arm64: Discard PC update state on vcpu reset
    - hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs
      attributes
    - hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute
      temperature
    - hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible()
    - media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
    - virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and
      napi_tx is false
    - s390/entry: Scrub r12 register on kernel entry
    - erofs: add GFP_NOIO in the bio completion if needed
    - alarmtimer: Fix argument order in alarm_timer_forward()
    - scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
    - scsi: ses: Handle positive SCSI error from ses_recv_diag()
    - net: macb: Use dev_consume_skb_any() to free TX SKBs
    - KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO
      SPTE
    - jbd2: gracefully abort on checkpointing state corruptions
    - irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment
    - dmaengine: sh: rz-dmac: Protect the driver specific lists
    - dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock
    - LoongArch: Workaround LS2K/LS7A GPU DMA hang bug
    - xfs: stop reclaim before pushing AIL during unmount
    - xfs: fix ri_total validation in xlog_recover_attri_commit_pass2
    - ext4: fix journal credit check when setting fscrypt context
    - ext4: convert inline data to extents when truncate exceeds inline size
    - ext4: fix fsync(2) for nojournal mode
    - ext4: make recently_deleted() properly work with lazy itable
      initialization
    - ext4: replace BUG_ON with proper error handling in
      ext4_read_inline_folio
    - ext4: avoid allocate block from corrupted group in
      ext4_mb_find_by_goal()
    - ext4: reject mount if bigalloc with s_first_data_block != 0
    - ext4: fix use-after-free in update_super_work when racing with umount
    - ext4: fix the might_sleep() warnings in kvfree()
    - ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
    - ext4: always drain queued discard work in ext4_mb_release()
    - arm64: dts: imx8mn-tqma8mqnl: fix LDO5 power off
    - powerpc64/bpf: do not increment tailcall count when prog is NULL
    - ksmbd: fix memory leaks and NULL deref in smb2_lock()
    - tracing: Switch trace_osnoise.c code over to use guard() and __free()
    - tracing: Fix potential deadlock in cpu hotplug with osnoise
    - mtd: spi-nor: core: avoid odd length/address reads on 8D-8D-8D mode
    - mtd: spi-nor: core: avoid odd length/address writes in 8D-8D-8D mode
    - libbpf: Fix -Wdiscarded-qualifiers under C23
    - mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]
    - xfs: avoid dereferencing log items after push callbacks
    - xfs: save ailp before dropping the AIL lock in push callbacks
    - dmaengine: idxd: Fix not releasing workqueue on .release()
    - dmaengine: idxd: Fix memory leak when a wq is reset
    - phy: ti: j721e-wiz: Fix device node reference leak in
      wiz_get_lane_phy_types()
    - dmaengine: dw-edma: Fix multiple times setting of the CYCLE_STATE and
      CYCLE_BIT bits for HDMA.
    - dmaengine: xilinx: xdma: Fix regmap init error handling
    - dmaengine: xilinx: xilinx_dma: Fix dma_device directions
    - dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA
    - dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction
    - dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA
    - btrfs: fix super block offset in error message in btrfs_validate_super()
    - btrfs: fix leak of kobject name for sub-group space_info
    - btrfs: fix lost error when running device stats on multiple devices fs
    - dmaengine: idxd: Fix freeing the allocated ida too late
    - futex: Clear stale exiting pointer in futex_lock_pi() retry path
    - ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter
    - kexec: Consolidate machine_kexec_mask_interrupts() implementation
    - [Config] Enable GENERIC_IRQ_KEXEC_CLEAR_VM_FORWARD by default.
    - kexec: Include kernel-end even without crashkernel
    - powerpc/kexec/core: use big-endian types for crash variables
    - drm/msm/dsi: fix hdisplay calculation when programming dsi registers
    - perf disasm: Fix off-by-one bug in outside check
    - net/mlx5: Fix crash when moving to switchdev mode
    - bonding: add ESP offload features when slaves support
    - bonding: Correctly support GSO ESP offload
    - net: add a common function to compute features for upper devices
    - bonding: use common function to compute the features
    - bonding: fix type confusion in bond_setup_by_slave()
    - xdp: allow attaching already registered memory model to xdp_rxq_info
    - net: add generic percpu page_pool allocator
    - net: do not consume a cacheline for system_page_pool
    - xdp: register system page pool as an XDP memory model
    - net: add xmit recursion limit to tunnel xmit functions
    - net: prevent NULL deref in ip[6]tunnel_xmit()
    - ata: libata-core: Add BRIDGE_OK quirk for QEMU drives
    - usb: typec: altmode/displayport: set displayport signaling rate in
      configure message
    - rust: kbuild: allow `unused_features`
    - ceph: add a bunch of missing ceph_path_info initializers
    - drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x
    - tracing: Fix enabling multiple events on the kernel command line and
      bootconfig
    - qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size
    - xfs: fix returned valued from xfs_defer_can_append
    - iio: imu: inv_icm42600: add support of ICM-42686-P
    - iio: imu: inv_icm42600: fix odr switch when turning buffer off
    - perf/x86/intel/uncore: Support more units on Granite Rapids
    - perf/x86/intel/uncore: Add per-scheduler IMC CAS count events
    - cleanup: Provide retain_and_null_ptr()
    - usb: gadget: f_ncm: Fix net_device lifecycle with device_move
    - KVM: x86: Co-locate initialization of feature MSRs in
      kvm_arch_vcpu_create()
    - KVM: x86: Quirk initialization of feature MSRs to KVM's max
      configuration
    - KVM: x86: do not allow re-enabling quirks
    - KVM: x86: Allow vendor code to disable quirks
    - KVM: x86: Introduce supported_quirks to block disabling quirks
    - KVM: x86: Remove VMX support for virtualizing guest MTRR memtypes
    - KVM: VMX: Drop support for forcing UC memory when guest CR0.CD=1
    - KVM: x86: Introduce Intel specific quirk KVM_X86_QUIRK_IGNORE_GUEST_PAT
    - KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET
    - KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM
    - drm/xe/sync: Cleanup partially initialized sync on parse failure
    - ice: fix devlink reload call trace
    - io_uring/uring_cmd: fix too strict requirement on ioctl
    - erofs: fix inline data read failure for ztailpacking pclusters
    - mm: merge folio_is_secretmem() and folio_fast_pin_allowed() into
      gup_fast_folio_allowed()
    - mm: thp: deny THP for files on anonymous inodes
    - sched/fair: Fix zero_vruntime tracking
    - mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
    - drm/i915/dsc: Add Selective Update register definitions
    - drm/imagination: Fix deadlock in soft reset sequence
    - ata: libata-scsi: Return residual for emulated SCSI commands
    - ata: libata-scsi: report correct sense field pointer in
      ata_scsiop_maint_in()
    - soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()
    - firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap()
    - Bluetooth: MGMT: Fix list corruption and UAF in command complete
      handlers
    - nf_tables: nft_dynset: fix possible stateful expression memleak in error
      path
    - bonding: prevent potential infinite loop in bond_header_parse()
    - drm/i915/psr: Compute PSR entry_setup_frames into intel_crtc_state
    - perf/x86/intel: Add missing branch counters constraint apply
    - Revert "LoongArch: Add machine_kexec_mask_interrupts() implementation"
    - cxl/port: Fix use after free of parent_port in cxl_detach_ep()
    - driver core: generalize driver_override in struct device
    - driver core: platform: use generic driver_override infrastructure
    - bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR
    - HID: apple: Add EPOMAKER TH87 to the non-apple keyboards list
    - kbuild: install-extmod-build: Package resolve_btfids if necessary
    - nvmet: move async event work off nvmet-wq
    - ALSA: hda/realtek: add quirk for ASUS UM6702RC
    - i3c: master: dw-i3c: Fix missing of_node for virtual I2C adapter
    - xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi
    - xfrm: fix the condition on x->pcpu_num in xfrm_sa_len
    - xfrm: prevent policy_hthresh.work from racing with netns teardown
    - Bluetooth: MGMT: Fix dangling pointer on
      mgmt_add_adv_patterns_monitor_complete
    - net: bcmasp: remove eee_enabled/eee_active in bcmasp_get_eee()
    - net: bcm: asp2: fix LPI timer handling
    - net: bcm: asp2: remove tx_lpi_enabled
    - net: bcmasp: Add support for ASP 2.2
    - net: bcm: asp2: convert to phylib managed EEE
    - net: bcmasp: Remove support for asp-v2.0
    - net: bcmasp: streamline early exit in probe
    - net: bcmasp: fix double free of WoL irq
    - net: bcmasp: Add support for asp-v3.0
    - net: bcmasp: fix double disable of clk
    - platform/x86: intel-hid: disable wakeup_mode during hibernation
    - iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
    - team: fix header_ops type confusion with non-Ethernet ports
    - ALSA: hda/realtek: Sequence GPIO2 on Star Labs StarFighter
    - spi: meson-spicc: Fix double-put in remove path
    - drm/amd/display: Do not skip unrelated mode changes in DSC validation
    - spi: Group CS related fields in struct spi_device
    - spi: use generic driver_override infrastructure
    - hwmon: (pmbus/core) Fix various coding style issues
    - hwmon: (pmbus) Mark lowest/average/highest/rated attributes as read-only
    - hwmon: (pmbus) Introduce the concept of "write-only" attributes
    - x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling()
    - ovl: fix wrong detection of 32bit inode numbers
    - net: macb: Move devm_{free,request}_irq() out of spin lock area
    - dmaengine: fsl-edma: change to guard(mutex) within fsl_edma3_xlate()
    - dmaengine: fsl-edma: fix channel parameter config for fixed channel
      requests
    - LoongArch: Fix missing NULL checks for kstrdup()
    - xfs: scrub: unlock dquot before early return in quota scrub
    - ext4: validate p_idx bounds in ext4_ext_correct_indexes
    - LoongArch: vDSO: Emit GNU_EH_FRAME correctly
    - spi: tegra210-quad: Protect curr_xfer check in IRQ handler
    - media: nxp: imx8-isi: Fix streaming cleanup on release
    - rust: pin-init: internal: init: document load-bearing fact of field
      accessors
    - ovl: Use str_on_off() helper in ovl_show_options()
    - ovl: make fsync after metadata copy-up opt-in mount option
    - virt: tdx-guest: Fix handling of host controlled 'quote' buffer length
    - net: add proper RCU protection to /proc/net/ptype
    - landlock: Optimize file path walks and prepare for audit support
    - landlock: Fix handling of disconnected directories
    - idpf: check error for register_netdev() on init
    - idpf: detach and close netdevs while handling a reset
    - idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
    - idpf: Fix RSS LUT NULL ptr issue after soft reset
    - ASoC: ak4458: Convert to RUNTIME_PM_OPS() & co
    - netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
    - xen/privcmd: unregister xenstore notifier on module exit
    - futex: Require sys_futex_requeue() to have identical flags
    - dmaengine: idxd: Fix leaking event log memory
    - net: bcmasp: Restore programming of TX map vector register
    - net: bcmasp: Fix network filter wake for asp-3.0
    - idpf: nullify pointers after they are freed
    - Upstream stable to v6.6.131, v6.12.78, v6.12.79, v6.12.80
  * Noble update: upstream stable patchset 2026-05-28 (LP: #2154496)
    - drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release
    - drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
    - drm/logicvc: Fix device node reference leak in
      logicvc_drm_config_parse()
    - irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
    - scsi: lpfc: Properly set WC for DPP mapping
    - scsi: pm8001: Fix use-after-free in pm8001_queue_command()
    - ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices
    - rseq: Clarify rseq registration rseq_size bound check comment
    - scsi: ufs: core: Move link recovery for hibern8 exit failure to
      wl_resume
    - ALSA: usb-audio: Cap the packet size pre-calculations
    - ALSA: usb-audio: Use inclusive terms
    - perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
    - ALSA: pci: hda: use snd_kcontrol_chip()
    - ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put()
    - btrfs: fix incorrect key offset in error message in
      check_dev_extent_item()
    - btrfs: fix objectid value in error message in check_extent_data_ref()
    - btrfs: fix warning in scrub_verify_one_metadata()
    - btrfs: fix compat mask in error messages in btrfs_check_features()
    - bpf: Fix stack-out-of-bounds write in devmap
    - PCI: Correct PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value
    - memory: mtk-smi: fix device leaks on common probe
    - memory: mtk-smi: fix device leak on larb probe
    - resource: Add resource set range and size helpers
    - PCI: Use resource_set_range() that correctly sets ->end
    - KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED
    - media: tegra-video: Fix memory leak in __tegra_channel_try_format()
    - KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject
    - KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
    - drm/tegra: dsi: fix device leak on probe
    - ext4: get rid of ppath in ext4_split_extent_at()
    - ext4: subdivide EXT4_EXT_DATA_VALID1
    - ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
    - ext4: get rid of ppath in ext4_split_extent()
    - ext4: get rid of ppath in ext4_split_convert_extents()
    - ext4: get rid of ppath in ext4_convert_unwritten_extents_endio()
    - ext4: get rid of ppath in ext4_ext_convert_to_initialized()
    - ext4: get rid of ppath in ext4_ext_handle_unwritten_extents()
    - ext4: correct the comments place for EXT4_EXT_MAY_ZEROOUT
    - ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting
      I/O
    - ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
    - ext4: drop extent cache when splitting extent fails
    - mailbox: Use of_property_match_string() instead of open-coding
    - mailbox: don't protect of_parse_phandle_with_args with con_mutex
    - mailbox: sort headers alphabetically
    - mailbox: remove unused header files
    - mailbox: Use dev_err when there is error
    - mailbox: Use guard/scoped_guard for con_mutex
    - mailbox: Allow controller specific mapping using fwnode
    - mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
    - ext4: convert bd_bitmap_page to bd_bitmap_folio
    - ext4: convert bd_buddy_page to bd_buddy_folio
    - ext4: fix e4b bitmap inconsistency reports
    - arm64: dts: rockchip: Fix rk356x PCIe range mappings
    - clk: tegra: tegra124-emc: fix device leak on set_rate()
    - usb: cdns3: remove redundant if branch
    - usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
    - usb: cdns3: fix role switching during resume
    - drm/amd: Fix hang on amdgpu unload by using pci_dev_is_disconnected()
    - ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
    - hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization
      induced race
    - ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
    - net: arcnet: com20020-pci: fix support for 2.5Mbit cards
    - eventpoll: Fix integer overflow in ep_loop_check_proc()
    - media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
    - nfc: pn533: properly drop the usb interface reference on disconnect
    - net: usb: kaweth: validate USB endpoints
    - net: usb: kalmia: validate USB endpoints
    - net: usb: pegasus: validate USB endpoints
    - can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a
      message
    - can: usb: f81604: correctly anchor the urb in the read bulk callback
    - can: ucan: Fix infinite loop from zero-length messages
    - can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
    - can: usb: f81604: handle short interrupt urb messages properly
    - can: usb: f81604: handle bulk write errors properly
    - HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
    - x86/efi: defer freeing of boot services memory
    - platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
    - platform/x86: dell-wmi: Add audio/mic mute key codes
    - ALSA: usb-audio: Use correct version for UAC3 header validation
    - wifi: radiotap: reject radiotap with unknown bits
    - wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
    - wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
    - wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
    - IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
    - RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
    - net/sched: ets: fix divide by zero in the offload path
    - scsi: target: Fix recursive locking in __configfs_open_file()
    - Squashfs: check metadata block offset is within range
    - drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
    - drbd: fix null-pointer dereference on local read error
    - smb: client: fix cifs_pick_channel when channels are equally loaded
    - smb: client: fix broken multichannel with krb5+signing
    - smb: client: Don't log plaintext credentials in cifs_set_cifscreds
    - scsi: core: Fix refcount leak for tagset_refcnt
    - selftests: mptcp: more stable simult_flows tests
    - selftests: mptcp: join: check removing signal+subflow endp
    - ARM: clean up the memset64() C wrapper
    - hwmon: (aht10) Add support for dht20
    - hwmon: (aht10) Fix initialization commands for AHT20
    - pinctrl: equilibrium: rename irq_chip function callbacks
    - pinctrl: equilibrium: fix warning trace on load
    - platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
    - pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()
    - hwmon: (it87) Check the it87_lock() return value
    - e1000e: clear DPG_EN after reset to avoid autonomous power-gating
    - drm/solomon: Fix page start when updating rectangle in page addressing
      mode
    - net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling
      in ALE table
    - xsk: Get rid of xdp_buff_xsk::xskb_list_node
    - xsk: s/free_list_node/list_node/
    - xsk: Fix fragment node deletion to prevent buffer leak
    - xsk: Fix zero-copy AF_XDP fragment drop
    - dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ
      handler
    - atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
    - amd-xgbe: fix MAC_TCR_SS register width for 2.5G and 10M speeds
    - can: bcm: fix locking for bcm_op runtime updates
    - can: mcp251x: fix deadlock in error path of mcp251x_open
    - rust: kunit: fix warning when !CONFIG_PRINTK
    - kunit: tool: copy caller args in run_kernel to prevent mutation
    - net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value
    - bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is
      loaded
    - octeon_ep: Relocate counter updates before NAPI
    - octeon_ep: avoid compiler and IQ/OQ reordering
    - wifi: cw1200: Fix locking in error paths
    - wifi: wlcore: Fix a locking bug
    - wifi: mt76: mt7996: Fix possible oob access in
      mt7996_mac_write_txwi_80211()
    - wifi: mt76: Fix possible oob access in
      mt76_connac2_mac_write_txwi_80211()
    - indirect_call_wrapper: do not reevaluate function pointer
    - net/rds: Fix circular locking dependency in rds_tcp_tune
    - xen/acpi-processor: fix _CST detection using undersized evaluation
      buffer
    - bpf: export bpf_link_inc_not_zero.
    - bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
    - smb/client: fix buffer size for smb311_posix_qinfo in smb2_compound_op()
    - smb/client: fix buffer size for smb311_posix_qinfo in
      SMB311_posix_query_info()
    - ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
    - amd-xgbe: fix sleep while atomic on suspend/resume
    - drm/sched: Fix kernel-doc warning for drm_sched_job_done()
    - nvme: reject invalid pr_read_keys() num_keys values
    - nvme: fix memory allocation in nvme_pr_read_keys()
    - net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless
      qdiscs
    - net: nfc: nci: Fix zero-length proprietary notifications
    - nfc: nci: free skb on nci_transceive early error paths
    - nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
    - nfc: rawsock: cancel tx_work before socket teardown
    - net: stmmac: Fix error handling in VLAN add and delete paths
    - net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error
      in mtk_xdp_setup()
    - net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
    - net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
    - net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
    - net/sched: act_ife: Fix metalist update behavior
    - xdp: use modulo operation to calculate XDP frag tailroom
    - xsk: introduce helper to determine rxq->frag_size
    - i40e: fix registering XDP RxQ info
    - i40e: use xdp.frame_sz as XDP RxQ info frag_size
    - xdp: produce a warning when calculated tailroom is negative
    - selftest/arm64: Fix sve2p1_sigill() to hwcap test
    - tracing: Add NULL pointer check to trigger_data_free()
    - net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared
      blocks
    - net: tcp: accept old ack during closing
    - scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
    - ACPI: PM: Save NVS memory on Lenovo G70-35
    - scsi: mpi3mr: Add NULL checks when resetting request and reply queues
    - unshare: fix unshare_fs() handling
    - wifi: mac80211: set default WMM parameters on all links
    - ACPI: OSI: Add DMI quirk for Acer Aspire One D255
    - scsi: ses: Fix devices attaching to different hosts
    - ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
    - ASoC: cs42l43: Report insert for exotic peripherals
    - scsi: ufs: core: Fix possible NULL pointer dereference in
      ufshcd_add_command_trace()
    - scsi: ufs: core: Fix shift out of bounds when MAXQ=32
    - ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
    - ALSA: usb-audio: Check max frame size for implicit feedback mode, too
    - powerpc/uaccess: Fix inline assembly for clang build on PPC32
    - remoteproc: sysmon: Correct subsys_name_len type in QMI request
    - powerpc: 83xx: km83xx: Fix keymile vendor prefix
    - xprtrdma: Decrement re_receiving on the early exit paths
    - net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets
    - drm/msm/dsi: Document DSC related pclk_rate and hdisplay calculations
    - drm/msm/dsi: fix pclk rate calculation for bonded dsi
    - bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
    - net/mlx5: IFC updates for disabled host PF
    - net/mlx5: Query to see if host PF is disabled
    - net/mlx5: Fix deadlock between devlink lock and esw->wq
    - net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
    - net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL
      slave xmit
    - ASoC: soc-core: drop delayed_work_pending() check before flush
    - ASoC: soc-core: flush delayed work before removing DAIs and widgets
    - ASoC: simple-card-utils: use __free(device_node) for device node
    - ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays
    - net: sfp: improve Huawei MA5671a fixup
    - serial: caif: hold tty->link reference in ldisc_open and ser_release
    - mctp: i2c: fix skb memory leak in receive path
    - can: hi311x: hi3110_open(): add check for hi3110_power_enable() return
      value
    - mctp: route: hold key->lock in mctp_flow_prepare_output()
    - amd-xgbe: fix link status handling in xgbe_rx_adaptation
    - amd-xgbe: prevent CRC errors during RX adaptation with AN disabled
    - netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
    - netfilter: x_tables: guard option walkers against 1-byte tail reads
    - netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
    - netfilter: nfnetlink_cthelper: fix OOB read in
      nfnl_cthelper_dump_table()
    - regulator: pca9450: Make IRQ optional
    - regulator: pca9450: Correct interrupt type
    - sched: idle: Make skipping governor callbacks more consistent
    - nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
    - nvme-pci: Fix race bug in nvme_poll_irqdisable()
    - i40e: fix src IP mask checks and memcpy argument names in cloud filter
    - e1000/e1000e: Fix leak in DMA error cleanup
    - ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
    - ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock
      acquisition
    - ASoC: detect empty DMI strings
    - net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
    - octeontx2-af: devlink: fix NIX RAS reporter recovery condition
    - octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status
    - usb: gadget: f_mass_storage: Fix potential integer overflow in
      check_command_size_in_blocks()
    - cgroup: fix race between task migration and iteration
    - ALSA: pcm: fix use-after-free on linked stream runtime in
      snd_pcm_drain()
    - ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer
      interfaces
    - net: usb: lan78xx: fix silent drop of packets with checksum errors
    - net: usb: lan78xx: fix TX byte statistics for small packets
    - net: usb: lan78xx: skip LTM configuration for LAN7850
    - ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
    - KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel
      APIC
    - USB: add QUIRK_NO_BOS for video capture several devices
    - usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
    - USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
    - usb: xhci: Fix memory leak in xhci_disable_slot()
    - usb: xhci: Prevent interrupt storm on host controller error (HCE)
    - usb: yurex: fix race in probe
    - usb: dwc3: pci: add support for the Intel Nova Lake -H
    - usb: misc: uss720: properly clean up reference in uss720_probe()
    - usb: core: don't power off roothub PHYs if phy_set_mode() fails
    - usb: cdc-acm: Restore CAP_BRK functionnality to CH343
    - usb: roles: get usb role switch from parent only for usb-b-connector
    - USB: usbcore: Introduce usb_bulk_msg_killable()
    - USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
    - USB: core: Limit the length of unkillable synchronous timeouts
    - usb: class: cdc-wdm: fix reordering issue in read code path
    - usb: renesas_usbhs: fix use-after-free in ISR during device removal
    - usb: mdc800: handle signal and read racing
    - usb: image: mdc800: kill download URB on timeout
    - mm/tracing: rss_stat: ensure curr is false from kthread context
    - mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
    - mm/kfence: disable KFENCE upon KASAN HW tags enablement
    - mmc: core: Avoid bitfield RMW for claim/retune flags
    - ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
    - tipc: fix divide-by-zero in tipc_sk_filter_connect()
    - kprobes: avoid crash when rmmod/insmod after ftrace killed
    - libceph: reject preamble if control segment is empty
    - libceph: Use u32 for non-negative values in ceph_monmap_decode()
    - libceph: admit message frames only in CEPH_CON_S_OPEN state
    - ceph: fix i_nlink underrun during async unlink
    - ceph: fix memory leaks in ceph_mdsc_build_path()
    - time/jiffies: Mark jiffies_64_to_clock_t() notrace
    - i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach
    - scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
    - scsi: hisi_sas: Add time interval between two H2D FIS following soft
      reset spec
    - scsi: hisi_sas: Use macro instead of magic number
    - scsi: hisi_sas: Fix NULL pointer exception during user_scan()
    - Revert "tcpm: allow looking for role_sw device in the main node"
    - drm/bridge: samsung-dsim: Fix memory leak in error path
    - drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
    - device property: Allow secondary lookup in fwnode_get_next_child_node()
    - irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS
      supports
    - ice: reintroduce retry mechanism for indirect AQ
    - ixgbevf: fix link setup issue
    - staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
    - staging: rtl8723bs: fix potential out-of-bounds read in
      rtw_restruct_wmm_ie
    - media: dvb-net: fix OOB access in ULE extension header tables
    - net: mana: Ring doorbell at 4 CQ wraparounds
    - ice: fix retry for AQ command 0x06EE
    - tracing: Fix syscall events activation by ensuring refcount hits zero
    - batman-adv: Avoid double-rtnl_lock ELP metric worker
    - parisc: Increase initial mapping to 64 MB with KALLSYMS
    - nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
    - arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
    - hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
    - parisc: Fix initial page table creation for boot
    - parisc: Check kernel mapping earlier at bootup
    - pmdomain: bcm: bcm2835-power: Fix broken reset status read
    - net: ncsi: fix skb leak in error paths
    - net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
    - net: dsa: microchip: Fix error path in PTP IRQ setup
    - drm/amdgpu: Fix use-after-free race in VM acquire
    - drm/amd: Set num IP blocks to 0 if discovery fails
    - drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
    - drm/i915: Fix potential overflow of shmem scatterlist length
    - tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
    - cifs: make default value of retrans as zero
    - xfs: fix undersized l_iclog_roundoff values
    - s390/dasd: Move quiesce state with pprc swap
    - s390/dasd: Copy detected format information to secondary device
    - lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
    - scsi: core: Fix error handling for scsi_alloc_sdev()
    - x86/apic: Disable x2apic on resume if the kernel expects so
    - lib/bootconfig: fix snprintf truncation check in
      xbc_node_compose_key_after()
    - lib/bootconfig: check bounds before writing in __xbc_open_brace()
    - smb: client: fix atomic open with O_DIRECT & O_SYNC
    - smb: client: fix in-place encryption corruption in SMB2_write()
    - smb: client: fix iface port assignment in parse_server_interfaces
    - btrfs: abort transaction on failure to update root in the received
      subvol ioctl
    - iio: dac: ds4424: reject -128 RAW value
    - iio: frequency: adf4377: Fix duplicated soft reset mask
    - iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
    - iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
    - iio: potentiometer: mcp4131: fix double application of wiper shift
    - iio: chemical: bme680: Fix measurement wait duration calculation
    - iio: buffer: Fix wait_queue not being removed
    - iio: gyro: mpu3050-core: fix pm_runtime error handling
    - iio: gyro: mpu3050-i2c: fix pm_runtime error handling
    - iio: imu: inv_icm42600: fix odr switch to the same value
    - i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
    - i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
    - i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
    - drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD
    - gve: defer interrupt enabling until NAPI registration
    - ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
    - wifi: libertas: fix use-after-free in lbs_free_adapter()
    - platform/x86: hp-bioscfg: Support allocations of larger data
    - x86/sev: Allow IBPB-on-Entry feature for SNP guests
    - gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for
      QPL
    - net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
    - drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
    - mptcp: pm: avoid sending RM_ADDR over same subflow
    - mptcp: pm: in-kernel: always mark signal+subflow endp as used
    - selftests: mptcp: add a check for 'add_addr_accepted'
    - selftests: mptcp: join: check RM_ADDR not sent over same subflow
    - kbuild: Leave objtool binary around with 'make clean'
    - net/sched: act_gate: snapshot parameters with RCU on replace
    - can: gs_usb: gs_can_open(): always configure bitrates before starting
      device
    - usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
    - KVM: SVM: Limit AVIC physical max index based on configured max_vcpu_ids
    - KVM: SVM: Add a helper to look up the max physical ID for AVIC
    - KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
    - mm/kfence: fix KASAN hardware tag faults during late enablement
    - iomap: reject delalloc mappings during writeback
    - ksmbd: Don't log keys in SMB3 signing and encryption key generation
    - drm/msm: Fix dma_free_attrs() buffer size
    - drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output
    - net: macb: Shuffle the tx ring before enabling tx
    - cifs: open files should not hold ref on superblock
    - crypto: atmel-sha204a - Fix OOM ->tfm_count leak
    - xfs: fix integer overflow in bmap intent sort comparator
    - xfs: ensure dquot item is deleted from AIL only after log shutdown
    - smb: client: Compare MACs in constant time
    - ksmbd: Compare MACs in constant time
    - f2fs: fix to avoid migrating empty section
    - ext4: fix dirtyclusters double decrement on fs shutdown
    - btrfs: always fallback to buffered write if the inode requires checksum
    - net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz
    - arm64: mm: Don't remap pgtables per-cont(pte|pmd) block
    - arm64: mm: Batch dsb and isb when populating pgtables
    - arm64: mm: Don't remap pgtables for allocate vs populate
    - dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
    - ext4: always allocate blocks only from groups inode can use
    - rxrpc: Fix recvmsg() unconditional requeue
    - dm-verity: disable recursive forward error correction
    - ipv6: use RCU in ip6_xmit()
    - rxrpc: Fix data-race warning and potential load/store tearing
    - btrfs: do not strictly require dirty metadata threshold for metadata
      writepages
    - riscv: Sanitize syscall table indexing under speculation
    - dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
    - tracing: Add recursion protection in kernel stack trace recording
    - net: add support for segmenting TCP fraglist GSO packets
    - net: gso: fix tcp fraglist segmentation after pull from frag_list
    - net: fix segmentation of forwarding fraglist GRO
    - net: dsa: properly keep track of conduit reference
    - drm/amd/display: Add pixel_clock to amd_pp_display_configuration
    - drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)
    - drm/amdgpu: Add basic validation for RAS header
    - drm/exynos: vidi: use priv->vidi_dev for ctx lookup in
      vidi_connection_ioctl()
    - drm/exynos: vidi: fix to avoid directly dereferencing user pointer
    - drm/exynos: vidi: use ctx->lock to protect struct vidi_context member
      variables related to memory alloc/free
    - x86/uprobes: Fix XOL allocation failure for 32-bit tasks
    - platform/x86/amd/pmc: Add support for Van Gogh SoC
    - binfmt_misc: restore write access before closing files opened by
      open_exec()
    - net: stmmac: remove support for lpi_intr_o
    - mptcp: pm: in-kernel: always set ID as avail when rm endp
    - s390/xor: Fix xor_xc_2() inline assembly constraints
    - s390/stackleak: Fix __stackleak_poison() inline assembly constraint
    - s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
    - mm/mempolicy: fix wrong mmap_read_unlock() in migrate_to_node()
    - io_uring/kbuf: check if target buffer list is still legacy on recycle
    - NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
    - sunrpc: fix cache_request leak in cache_release
    - nvdimm/bus: Fix potential use after free in asynchronous initialization
    - LoongArch: Give more information if kmem access failed
    - NFC: nxp-nci: allow GPIOs to sleep
    - net: macb: fix use-after-free access to PTP clock
    - parisc: Flush correct cache in cacheflush() syscall
    - Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
    - Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
    - smb: client: fix krb5 mount with username option
    - ksmbd: unset conn->binding on failed binding request
    - kprobes: Remove unneeded goto
    - kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
    - btrfs: fix transaction abort when snapshotting received subvolumes
    - btrfs: fix transaction abort on set received ioctl due to item overflow
    - btrfs: fix transaction abort on file creation due to name hash collision
    - iio: light: bh1780: fix PM runtime leak on error path
    - batman-adv: avoid OGM aggregation when skb tailroom is insufficient
    - net: macb: queue tie-off or disable during WOL suspend
    - net: macb: Introduce gem_init_rx_ring()
    - net: macb: Reinitialize tx/rx queue pointer registers and rx ring during
      resume
    - mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
    - mmc: sdhci: fix timing selection for 1-bit bus width
    - pmdomain: bcm: bcm2835-power: Increase ASB control timeout
    - spi: fix use-after-free on controller registration failure
    - spi: fix statistics allocation
    - mtd: rawnand: pl353: make sure optimal timings are applied
    - mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in
      cadence_nand_init()
    - mtd: Avoid boot crash in RedBoot partition table parser
    - iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
    - serial: 8250_pci: add support for the AX99100
    - serial: 8250: Fix TX deadlock when using DMA
    - serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART
      BUSY
    - serial: uartlite: fix PM runtime usage count underflow on probe
    - drm/amdgpu/gmc9.0: add bounds checking for cid
    - drm/amdgpu/mmhub2.0: add bounds checking for cid
    - drm/amdgpu/mmhub2.3: add bounds checking for cid
    - drm/amdgpu/mmhub3.0.1: add bounds checking for cid
    - drm/amdgpu/mmhub3.0.2: add bounds checking for cid
    - drm/amdgpu/mmhub3.0: add bounds checking for cid
    - drm/radeon: apply state adjust rules to some additional HAINAN vairants
    - drm/amdgpu: apply state adjust rules to some additional HAINAN vairants
    - drm/amd/display: Wrap dcn32_override_min_req_memclk() in DC_FP_{START,
      END}
    - btrfs: log new dentries when logging parent dir of a conflicting inode
    - btrfs: tree-checker: fix misleading root drop_level error message
    - cache: ax45mp: Fix device node reference leak in ax45mp_cache_init()
    - soc: fsl: qbman: fix race condition in qman_destroy_fq
    - wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
    - wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
    - firmware: arm_scpi: Fix device_node reference leak in probe path
    - Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
    - Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
    - Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
    - Bluetooth: ISO: Fix defer tests being unstable
    - Bluetooth: hci_sync: Fix hci_le_create_conn_sync
    - Bluetooth: HIDP: Fix possible UAF
    - Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
    - Bluetooth: qca: fix ROM version reading on WCN3998 chips
    - net/rose: fix NULL pointer dereference in rose_transmit_link on
      reconnect
    - mpls: add missing unregister_netdevice_notifier to mpls_init
    - netfilter: ctnetlink: remove refcounting in expectation dumpers
    - netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
    - netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
      sip_help_tcp()
    - netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
    - netfilter: nft_ct: drop pending enqueued packets on removal
    - netfilter: xt_CT: drop pending enqueued packets on template removal
    - netfilter: xt_time: use unsigned int for monthday bit shift
    - net: bcmgenet: increase WoL poll timeout
    - net: mana: fix use-after-free in mana_hwc_destroy_channel() by
      reordering teardown
    - sched: idle: Consolidate the handling of two special cases
    - PM: runtime: Fix a race condition related to device removal
    - net/sched: teql: Fix double-free in teql_master_xmit
    - net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
    - net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
    - clsact: Fix use-after-free in init/destroy rollback asymmetry
    - net: usb: aqc111: Do not perform PM inside suspend callback
    - igc: fix missing update of skb->tail in igc_xmit_frame()
    - iavf: fix VLAN filter lost on add/delete race
    - wifi: mac80211: fix NULL deref in mesh_matches_local()
    - wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough
      headroom
    - ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
    - net: macb: fix uninitialized rx_fs_lock
    - net/mlx5: qos: Restrict RTNL area to avoid a lock cycle
    - net/mlx5e: Prevent concurrent access to IPSec ASO context
    - net/mlx5e: Fix race condition during IPSec ESN update
    - udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
    - net: bonding: fix NULL deref in bond_debug_rlb_hash_show
    - netfilter: bpf: defer hook memory release until rcu readers are done
    - nfnetlink_osf: validate individual option lengths in fingerprints
    - net: mvpp2: guard flow control update with global_tx_fc in buffer
      switching
    - net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
    - icmp: fix NULL pointer dereference in icmp_tag_validation()
    - hwmon: (pmbus/mp2975) Add error check for pmbus_read_word_data() return
      value
    - hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit()
    - Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
    - USB: serial: f81232: fix incomplete serial port generation
    - i2c: fsi: Fix a potential leak in fsi_i2c_probe()
    - i2c: pxa: defer reset on Armada 3700 when recovery is used
    - x86/platform/uv: Handle deconfigured sockets
    - i2c: cp2615: fix serial string NULL-deref at probe
    - mtd: rawnand: serialize lock/unlock against other NAND operations
    - mtd: rawnand: brcmnand: skip DMA during panic write
    - drm/amd/display: Fix DisplayID not-found handling in
      parse_edid_displayid_vrr()
    - drm/i915/gt: Check set_default_submission() before deferencing
    - lib/bootconfig: check xbc_init_node() return in override path
    - tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
    - xen/privcmd: restrict usage in unprivileged domU
    - xen/privcmd: add boot control for restricted usage in domU
    - cgroup/cpuset: Fix incorrect use of cpuset_update_tasks_cpumask() in
      update_cpumasks_hier()
    - s390/idle: Fix cpu idle exit cpu time accounting
    - s390/vtime: Fix virtual timer forwarding
    - PCI: endpoint: Introduce pci_epc_function_is_valid()
    - PCI: endpoint: Introduce pci_epc_mem_map()/unmap()
    - PCI: dwc: endpoint: Implement the pci_epc_ops::align_addr() operation
    - PCI: dwc: ep: Use align addr function for
      dw_pcie_ep_raise_{msi,msix}_irq()
    - PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry
    - drm/amdgpu: Replace kzalloc + copy_from_user with memdup_user
    - drm/amdgpu: Fix locking bugs in error paths
    - btrfs: print correct subvol num if active swapfile prevents deletion
    - bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic
      tearing
    - x86/acpi/boot: Correct acpi_is_processor_usable() check again
    - PCI: dw-rockchip: Don't wait for link since we can detect Link Up
    - Revert "PCI: dw-rockchip: Don't wait for link since we can detect Link
      Up"
    - ata: libata-scsi: Refactor ata_scsi_simulate()
    - ata: libata-scsi: Refactor ata_scsiop_read_cap()
    - ata: libata-scsi: Refactor ata_scsiop_maint_in()
    - ata: libata-scsi: Document all VPD page inquiry actors
    - ata: libata-scsi: Remove struct ata_scsi_args
    - ata: libata: Remove ATA_DFLAG_ZAC device flag
    - ata: libata: Introduce ata_port_eh_scheduled()
    - ata: libata-scsi: avoid Non-NCQ command starvation
    - workqueue: Add system_percpu_wq and system_dfl_wq
    - Input: synaptics_i2c - replace use of system_wq with system_dfl_wq
    - Input: synaptics_i2c - guard polling restart in resume
    - arm64: dts: rockchip: Fix rk3588 PCIe range mappings
    - ima: kexec: silence RCU list traversal warning
    - ima: rename variable the seq_file "file" to "ima_kexec_file"
    - ima: define and call ima_alloc_kexec_file_buf()
    - kexec: define functions to map and unmap segments
    - ima: kexec: define functions to copy IMA log at soft boot
    - ima: verify the previous kernel's IMA buffer lies in addressable RAM
    - of/kexec: refactor ima_get_kexec_buffer() to use ima_validate_range()
    - drm/exynos/vidi: Remove redundant error handling in vidi_get_modes()
    - btrfs: zoned: fix alloc_offset calculation for partly conventional block
      groups
    - btrfs: zoned: fixup last alloc pointer after extent removal for RAID1
    - btrfs: zoned: fixup last alloc pointer after extent removal for DUP
    - btrfs: zoned: fix stripe width calculation
    - btrfs: define the AUTO_KFREE/AUTO_KVFREE helper macros
    - btrfs: zoned: fixup last alloc pointer after extent removal for RAID0/10
    - ksmbd: check return value of xa_store() in krb5_authenticate
    - ksmbd: add chann_lock to protect ksmbd_chann_list xarray
    - ALSA: hda/realtek: Add quirk for Gigabyte G5 KF5 (2023)
    - ALSA: hda/realtek: Implement sound init sequence for Samsung Galaxy
      Book3 Pro 360
    - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book3 Ultra
    - ALSA: hda/realtek: Refactor and simplify Samsung Galaxy Book init
    - ALSA: hda/realtek: Add quirk for Samsung Galaxy Book3 Pro 360 (NP965QFG)
    - ACPI: APEI: GHES: Disable KASAN instrumentation when compile testing
      with clang < 18
    - nvme: fix admin queue leak on controller reset
    - HID: multitouch: add quirks for Lenovo Yoga Book 9i
    - HID: multitouch: new class MT_CLS_EGALAX_P80H84
    - idpf: change IRQ naming to match netdev and ethtool queue numbering
    - i40e: Fix preempt count leak in napi poll tracepoint
    - drm/xe: Do not preempt fence signaling CS instructions
    - wifi: mt76: mt7925: Fix possible oob access in
      mt7925_mac_write_txwi_80211()
    - i2c: i801: Revert "i2c: i801: replace acpi_lock with I2C bus lock"
    - drm/xe/reg_sr: Fix leak on xa_store failure
    - net_sched: sch_fq: clear q->band_pkt_count[] in fq_reset()
    - ata: libata-core: fix cancellation of a port deferred qc work
    - ata: libata-eh: correctly handle deferred qc timeouts
    - ata: libata: cancel pending work after clearing deferred_qc
    - ata: libata-eh: Fix detection of deferred qc timeouts
    - Upstream stable to v6.6.129, v6.6.130, v6.12.76, v6.12.77
  * Noble update: upstream stable patchset 2026-05-28 (LP: #2154496) //
    CVE-2026-43067
    - ext4: handle wraparound when searching for blocks for indirect mapped
      blocks
  * Noble update: upstream stable patchset 2026-05-28 (LP: #2154496) //
    CVE-2025-39930
    - ASoC: simple-card-utils: Don't use __free(device_node) at
      graph_util_parse_dai()
  * CVE-2026-46244
    - netfilter: nft_inner: Fix IPv6 inner_thoff desync
  * CVE-2026-43185
    - ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
  * CVE-2026-46289
    - lib/scatterlist: fix length calculations in extract_kvec_to_sg
  * CVE-2026-46119
    - libceph: Fix slab-out-of-bounds access in auth message processing
  * CVE-2026-46135
    - nvmet-tcp: fix race between ICReq handling and queue teardown
  * CVE-2026-46185
    - smb/client: fix out-of-bounds read in symlink_data()
  * CVE-2026-46195
    - smb: client: validate dacloffset before building DACL pointers
  * CVE-2026-46115
    - block: add pgmap check to biovec_phys_mergeable
  * CVE-2026-43501
    - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
  * CVE-2026-45988
    - rxrpc: Fix re-decryption of RESPONSE packets
  * CVE-2026-46043
    - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
  * CVE-2026-43493
    - crypto: pcrypt - Fix handling of MAY_BACKLOG requests
  * CVE-2026-43071
    - dcache: Limit the minimal number of bucket to two
  * CVE-2026-31685
    - netfilter: ip6t_eui64: reject invalid MAC header for all packets
  * CVE-2026-43117
    - btrfs: tracepoints: get correct superblock from dentry in event
      btrfs_sync_file()
  * CVE-2026-43114
    - netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
      expiry
  * CVE-2026-31607
    - usbip: validate number_of_packets in usbip_pack_ret_submit()
  * CVE-2026-31659
    - batman-adv: reject oversized global TT response buffers
  * CVE-2026-31649
    - net: stmmac: fix integer underflow in chain mode
  * CVE-2026-31657
    - batman-adv: hold claim backbone gateways by reference
  * CVE-2026-31637
    - rxrpc: reject undecryptable rxkad response tickets
  * CVE-2026-31669
    - mptcp: fix slab-use-after-free in __inet_lookup_established
  * CVE-2026-31668
    - seg6: separate dst_cache for input and output paths in seg6 lwtunnel
  * CVE-2026-43011
    - net/x25: Fix potential double free of skb
  * CVE-2026-43037
    - ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
  * CVE-2026-43341
    - net/ipv6: ioam6: prevent schema length wraparound in trace fill
  * CVE-2026-43038
    - ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
  * CVE-2026-31682
    - bridge: br_nd_send: linearize skb before parsing ND options
  * CVE-2026-31436
    - dmaengine: idxd: fix possible wrong descriptor completion in
      llist_abort_desc()
  * CVE-2026-43384
    - net/tcp-ao: Fix MAC comparison to be constant-time
  * CVE-2026-31448
    - ext4: get rid of ppath in ext4_find_extent()
    - ext4: get rid of ppath in ext4_ext_create_new_leaf()
    - ext4: get rid of ppath in ext4_ext_insert_extent()
    - ext4: avoid infinite loops caused by residual data
  * CVE-2026-31478
    - ksmbd: replace hardcoded hdr2_len with offsetof() in
      smb2_calc_max_out_buf_len()
  * CVE-2026-23428
    - ksmbd: fix use-after-free of share_conf in compound request
  * CVE-2026-23450
    - net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
  * CVE-2026-23455
    - netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
  * CVE-2026-31402
    - nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
  * CVE-2026-43383
    - net/tcp-md5: Fix MAC comparison to be constant-time
  * CVE-2026-43378
    - smb: server: fix use-after-free in smb2_open()
  * CVE-2026-46243
    - smb: client: reject userspace cifs.spnego descriptions
  * CVE-2026-43414
    - scsi: qla2xxx: Completely fix fcport double free
  * CVE-2026-43407
    - libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
  * CVE-2026-43406
    - libceph: prevent potential out-of-bounds reads in
      process_message_header()

linux-lowlatency-hwe-6.8 (6.8.0-134.134.1~22.04.1) jammy; urgency=medium

  * jammy/linux-lowlatency-hwe-6.8: 6.8.0-134.134.1~22.04.1 -proposed tracker (LP: #2158408)

  [ Ubuntu-lowlatency: 6.8.0-134.134.1 ]

  * noble/linux-lowlatency: 6.8.0-134.134.1 -proposed tracker (LP: #2158409)
  [ Ubuntu: 6.8.0-134.134 ]
  * noble/linux: 6.8.0-134.134 -proposed tracker (LP: #2158432)
  * ext4: writeback causes kernel oops when low on space (LP: #2158377)
    - ext4: get rid of ppath in get_ext_path()

linux-lowlatency-hwe-6.8 (6.8.0-131.131.1~22.04.1) jammy; urgency=medium

  * jammy/linux-lowlatency-hwe-6.8: 6.8.0-131.131.1~22.04.1 -proposed tracker (LP: #2157173)

  [ Ubuntu-lowlatency: 6.8.0-131.131.1 ]

  * noble/linux-lowlatency: 6.8.0-131.131.1 -proposed tracker (LP: #2157174)
  [ Ubuntu: 6.8.0-131.131 ]
  * noble/linux: 6.8.0-131.131 -proposed tracker (LP: #2157196)
  * Packaging resync (LP: #1786013)
    - [Packaging] update annotations scripts
  * CVE-2026-46244
    - netfilter: nft_inner: Fix IPv6 inner_thoff desync
  * CVE-2026-43185
    - ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
  * CVE-2026-46289
    - lib/scatterlist: fix length calculations in extract_kvec_to_sg
  * CVE-2026-46119
    - libceph: Fix slab-out-of-bounds access in auth message processing
  * CVE-2026-46135
    - nvmet-tcp: fix race between ICReq handling and queue teardown
  * CVE-2026-46185
    - smb/client: fix out-of-bounds read in symlink_data()
  * CVE-2026-46195
    - smb: client: validate dacloffset before building DACL pointers
  * CVE-2026-46115
    - block: add pgmap check to biovec_phys_mergeable
  * CVE-2026-43501
    - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
  * CVE-2026-45988
    - rxrpc: Fix re-decryption of RESPONSE packets
  * CVE-2026-46043
    - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
  * CVE-2026-43493
    - crypto: pcrypt - Fix handling of MAY_BACKLOG requests
  * CVE-2026-43071
    - dcache: Limit the minimal number of bucket to two
  * CVE-2026-31685
    - netfilter: ip6t_eui64: reject invalid MAC header for all packets
  * CVE-2026-43117
    - btrfs: tracepoints: get correct superblock from dentry in event
      btrfs_sync_file()
  * CVE-2026-43114
    - netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
      expiry
  * CVE-2026-31607
    - usbip: validate number_of_packets in usbip_pack_ret_submit()
  * CVE-2026-31659
    - batman-adv: reject oversized global TT response buffers
  * CVE-2026-31649
    - net: stmmac: fix integer underflow in chain mode
  * CVE-2026-31657
    - batman-adv: hold claim backbone gateways by reference
  * CVE-2026-31637
    - rxrpc: reject undecryptable rxkad response tickets
  * CVE-2026-31669
    - mptcp: fix slab-use-after-free in __inet_lookup_established
  * CVE-2026-31668
    - seg6: separate dst_cache for input and output paths in seg6 lwtunnel
  * CVE-2026-43011
    - net/x25: Fix potential double free of skb
  * CVE-2026-43037
    - ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
  * CVE-2026-43341
    - net/ipv6: ioam6: prevent schema length wraparound in trace fill
  * CVE-2026-43038
    - ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
  * CVE-2026-31682
    - bridge: br_nd_send: linearize skb before parsing ND options
  * CVE-2026-31436
    - dmaengine: idxd: fix possible wrong descriptor completion in
      llist_abort_desc()
  * CVE-2026-43384
    - net/tcp-ao: Fix MAC comparison to be constant-time
  * CVE-2026-31448
    - ext4: get rid of ppath in ext4_find_extent()
    - ext4: get rid of ppath in ext4_ext_create_new_leaf()
    - ext4: get rid of ppath in ext4_ext_insert_extent()
    - ext4: avoid infinite loops caused by residual data
  * CVE-2026-31478
    - ksmbd: replace hardcoded hdr2_len with offsetof() in
      smb2_calc_max_out_buf_len()
  * CVE-2026-23428
    - ksmbd: fix use-after-free of share_conf in compound request
  * CVE-2026-23450
    - net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
  * CVE-2026-23455
    - netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
  * CVE-2026-31402
    - nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
  * CVE-2026-43383
    - net/tcp-md5: Fix MAC comparison to be constant-time
  * CVE-2026-43378
    - smb: server: fix use-after-free in smb2_open()
  * CVE-2026-46243
    - smb: client: reject userspace cifs.spnego descriptions
  * CVE-2026-43414
    - scsi: qla2xxx: Completely fix fcport double free
  * CVE-2026-43407
    - libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
  * CVE-2026-43406
    - libceph: prevent potential out-of-bounds reads in
      process_message_header()

Date: 2026-07-04 16:50:13.231095+00:00
Changed-By: Edoardo Canepa <edoardo.canepa at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.8/6.8.0-136.136.2~22.04.1
-------------- next part --------------
Sorry, changesfile not available.


More information about the jammy-changes mailing list