[ubuntu/jammy-proposed] linux-lowlatency-hwe-6.8 6.8.0-136.136.2~22.04.1 (Accepted)
Andy Whitcroft
apw at canonical.com
Sun Jul 5 21:51:07 UTC 2026
linux-lowlatency-hwe-6.8 (6.8.0-136.136.2~22.04.1) jammy; urgency=medium
* jammy/linux-lowlatency-hwe-6.8: 6.8.0-136.136.2~22.04.1 -proposed tracker (LP: #2159040)
* Packaging resync (LP: #1786013)
- [Packaging] debian.lowlatency-hwe-6.8/dkms-versions -- update from
kernel-versions (main/2026.06.22)
* Add intel-speed-select to linux-tools-$(uname -r) (LP: #2131077)
- [Packaging] debian.lowlatency-hwe-6.8/control.stub.in -- sync from
master 2026.06.22
[ Ubuntu-lowlatency: 6.8.0-136.136.2 ]
* noble/linux-lowlatency: 6.8.0-136.136.2 -proposed tracker (LP: #2159013)
* Packaging resync (LP: #1786013)
- [Packaging] debian.lowlatency/dkms-versions -- update from kernel-
versions (main/2026.06.22)
* Add intel-speed-select to linux-tools-$(uname -r) (LP: #2131077)
- [Packaging] debian.lowlatency/control.stub.in -- sync from master
2026.06.22
[ Ubuntu: 6.8.0-136.136 ]
* noble/linux: 6.8.0-136.136 -proposed tracker (LP: #2158930)
* ext4: writeback causes kernel oops when low on space (LP: #2158377)
- ext4: get rid of ppath in get_ext_path()
* mount08 from ubuntu_ltp_syscalls failed - TFAIL: mount(/proc/139835/fd/4)
succeeded (LP: #2137199)
- proc: proc_readfd() -> proc_fd_iterate()
- proc: proc_readfdinfo() -> proc_fdinfo_iterate()
- proc: add proc_splice_unmountable()
- proc: block mounting on top of /proc/<pid>/map_files/*
- proc: block mounting on top of /proc/<pid>/fd/*
- proc: block mounting on top of /proc/<pid>/fdinfo/*
* Add intel-speed-select to linux-tools-$(uname -r) (LP: #2131077)
- [Packaging] Add intel-speed-select to linux-tools
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956)
- blk-cgroup: wait for blkcg cleanup before initializing new disk
- fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
- drbd: Balance RCU calls in drbd_adm_dump_devices()
- loop: fix partition scan race between udev and loop_reread_partitions()
- nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
- blk-cgroup: fix disk reference leak in blkcg_maybe_throttle_current()
- pstore/ram: fix resource leak when ioremap() fails
- ACPI: x86: cmos_rtc: Clean up address space handler driver
- ACPI: x86: cmos_rtc: Improve coordination with ACPI TAD driver
- devres: fix missing node debug info in devm_krealloc()
- thermal/drivers/spear: Fix error condition for reading st,thermal-flags
- debugfs: check for NULL pointer in debugfs_create_str()
- debugfs: fix placement of EXPORT_SYMBOL_GPL for debugfs_create_str()
- s390/cio: convert sprintf()/snprintf() to sysfs_emit()
- s390/cio: use generic driver_override infrastructure
- irqchip/irq-pic32-evic: Address warning related to wrong printf()
formatter
- hrtimers: Update the return type of enqueue_hrtimer()
- hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
- hrtimer: Reduce trace noise in hrtimer_start()
- locking: Fix rwlock support in <linux/spinlock_up.h>
- firmware: dmi: Correct an indexing error in dmi.h
- wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
- wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished
irq_prepare_bcn_tasklet
- bpf: Add CHECKSUM_COMPLETE to bpf test progs
- bpf: test_run: Fix the null pointer dereference issue in
bpf_lwt_xmit_push_encap
- dpaa2: add independent dependencies for FSL_DPAA2_SWITCH
- [Config] Adjust CONFIG_FSL_DPAA2_SWITCH
- dpaa2: compile dpaa2 even CONFIG_FSL_DPAA2_ETH=n
- s390/bpf: Zero-extend bpf prog return values and kfunc arguments
- params: Replace __modinit with __init_or_module
- module: Fix freeing of charp module parameters when CONFIG_SYSFS=n
- wifi: mt76: mt7921: Reset ampdu_state state in case of failure in
mt76_connac2_tx_check_aggr()
- wifi: mt76: mt7615: fix use_cts_prot support
- wifi: mt76: mt7915: fix use_cts_prot support
- wifi: mt76: mt7996: fix FCS error flag check in RX descriptor
- arm64: cpufeature: Make PMUVer and PerfMon unsigned
- wifi: mt76: mt7996: fix struct mt7996_mcu_uni_event
- wifi: mt76: mt7915: fix use-after-free bugs in mt7915_mac_dump_work()
- bpf, devmap: Remove unnecessary if check in for loop
- bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
- wifi: rtw89: phy: fix uninitialized variable access in
rtw89_phy_cfo_set_crystal_cap()
- r8152: fix incorrect register write to USB_UPHY_XTAL
- powerpc/crash: fix backup region offset update to elfcorehdr
- selftests/powerpc: Re-order *FLAGS to follow lib.mk
- selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
- macvlan: annotate data-races around port->bc_queue_len_used
- bpf: Fix stale offload->prog pointer after constant blinding
- wifi: brcmfmac: Fix error pointer dereference
- bpf: Drop task_to_inode and inet_conn_established from lsm sleepable
hooks
- ACPI: AGDI: fix missing newline in error message
- arm64: kexec: Remove duplicate allocation for trans_pgd
- net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
- net: bcmgenet: add bcmgenet_has_* helpers
- net: bcmgenet: move DESC_INDEX flow to ring 0
- net: bcmgenet: support reclaiming unsent Tx packets
- net: bcmgenet: switch to use 64bit statistics
- net: bcmgenet: fix racing timeout handler
- netfilter: xt_socket: enable defrag after all other checks
- netfilter: nft_fwd_netdev: check ttl/hl before forwarding
- bpf: Fix RCU stall in bpf_fd_array_map_clear()
- 6pack: propagage new tty types
- net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
- net/rds: Optimize rds_ib_laddr_check
- net/rds: Restrict use of RDS/IB to the initial network namespace
- bpf: Fix OOB in pcpu_init_value
- ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
- net: ipa: Fix programming of QTIME_TIMESTAMP_CFG
- net: ipa: Fix decoding EV_PER_EE for IPA v5.0+
- dt-bindings: net: dsa: nxp,sja1105: make spi-cpol optional for sja1110
- net/mlx5e: Fix features not applied during netdev registration
- net/mlx5e: IPsec, fix ASO poll timeout with read_poll_timeout_atomic()
- bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
- Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds
MTU
- Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error
- Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
- Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
- net: phy: move at803x PHY driver to dedicated directory
- net: phy: qcom: at803x: Use the correct bit to disable extended next
page
- sctp: fix missing encap_port propagation for GSO fragments
- net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
- drm/komeda: fix integer overflow in AFBC framebuffer size check
- drm/sun4i: backend: fix error pointer dereference
- ASoC: sti: Return errors from regmap_field_alloc()
- ASoC: sti: use managed regmap_field allocations
- dm cache: fix null-deref with concurrent writes in passthrough mode
- dm cache: fix write path cache coherency in passthrough mode
- dm cache: fix write hang in passthrough mode
- dm cache policy smq: fix missing locks in invalidating cache blocks
- dm cache: fix concurrent write failure in passthrough mode
- dm cache: support shrinking the origin device
- dm cache: fix dirty mapping checking in passthrough mode switching
- platform/chrome: chromeos_tbmc: Drop wakeup source on remove
- dm cache metadata: fix memory leak on metadata abort retry
- dm log: fix out-of-bounds write due to region_count overflow
- drm/bridge: cadence: cdns-mhdp8546-core: Set the mhdp connector earlier
in atomic_enable()
- drm/bridge: cadence: cdns-mhdp8546-core: Add mode_valid hook to
drm_bridge_funcs
- drm/bridge: cadence: cdns-mhdp8546-core: Handle HDCP state in bridge
atomic check
- spi: fsl-qspi: Use reinit_completion() for repeated operations
- drm/sun4i: Fix resource leaks
- drm/amdgpu: Add default case in DVI mode validation
- dm init: ensure device probing has finished in dm-mod.waitfor=
- fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build
break
- crypto: atmel - Use unregister_{aeads,ahashes,skciphers}
- crypto: atmel-aes - guard unregister on error in atmel_aes_register_algs
- padata: Remove cpu online check from cpu add and removal
- padata: Put CPU offline callback in ONLINE section to allow failure
- drm/amdgpu/gfx10: look at the right prop for gfx queue priority
- spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo
- drm/msm/dpu: fix mismatch between power and frequency
- drm/msm/dsi: add the missing parameter description
- drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
- drm/panel: sharp-ls043t1le01: make use of prepare_prev_first
- drm/panel: simple: Correct G190EAN01 prepare timing
- ALSA: core: Validate compress device numbers without dynamic minors
- drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
- drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
- drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
- drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
- drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
- drm/amd/pm/ci: Fill DW8 fields from SMC
- drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
- ALSA: hda/realtek: fix code style (ERROR: else should follow close brace
'}')
- ASoC: SOF: Intel: hda: Place check before dereference
- drm/msm/a6xx: Fix HLSQ register dumping
- drm/msm/shrinker: Fix can_block() logic
- drm/msm/a6xx: Use barriers while updating HFI Q headers
- pmdomain: ti: omap_prm: Fix a reference leak on device node
- pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()
- ASoC: fsl_micfil: Add access property for "VAD Detected"
- ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()
- ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()
- ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()
- ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
- ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()
- ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()
- ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()
- ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()
- ASoC: fsl_easrc: Change the type for iec958 channel status controls
- ASoC: qcom: qdsp6: topology: check widget type before accessing data
- crypto: qat - use swab32 macro
- ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]
- PCI: Enable AtomicOps only if Root Port supports them
- PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found
- selftests/mm: skip migration tests if NUMA is unavailable
- Documentation: fix a hugetlbfs reservation statement
- selftest: memcg: skip memcg_sock test if address family not supported
- ALSA: scarlett2: Add missing sentinel initializer field
- ASoC: SOF: compress: return the configured codec from get_params
- PCI: tegra194: Fix polling delay for L2 state
- PCI: tegra194: Increase LTSSM poll time on surprise link down
- PCI: tegra194: Disable LTSSM after transition to Detect on surprise link
down
- PCI: tegra194: Rename 'root_bus' to 'root_port_bus' in
tegra_pcie_downstream_dev_to_D0()
- PCI: tegra194: Don't force the device into the D0 state before L2
- PCI: tegra194: Disable PERST# IRQ only in Endpoint mode
- PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-
select"
- PCI: tegra194: Disable direct speed change for Endpoint mode
- PCI: tegra194: Allow system suspend when the Endpoint link is not up
- PCI: tegra194: Use DWC IP core version
- PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well
- spi: mtk-snfi: unregister ECC engine on probe failure and remove()
callback
- ALSA: sc6000: Use standard print API
- ALSA: sc6000: Keep the programmed board state in card-private data
- dm cache: fix missing return in invalidate_committed's error path
- crypto: jitterentropy - replace long-held spinlock with mutex
- gfs2: Call unlock_new_inode before d_instantiate
- ktest: Avoid undef warning when WARNINGS_FILE is unset
- ktest: Honor empty per-test option overrides
- ktest: Run POST_KTEST hooks on failure and cancellation
- quota: Fix race of dquot_scan_active() with quota deactivation
- gfs2: add some missing log locking
- gfs2: prevent NULL pointer dereference during unmount
- efi/capsule-loader: fix incorrect sizeof in phys array reallocation
- ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
- ARM: dts: mediatek: mt7623: fix efuse fallback compatible
- memory: tegra124-emc: Fix dll_change check
- memory: tegra30-emc: Fix dll_change check
- arm64: dts: imx8-apalis: Fix LEDs name collision
- arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO
(M.2 W_DISABLE1)
- iommufd: vfio compatibility extension check for noiommu mode
- arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count
- arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count
- arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value
- arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight
- soc: qcom: ocmem: make the core clock optional
- soc: qcom: ocmem: use scoped device node handling to simplify error
paths
- soc: qcom: ocmem: register reasons for probe deferrals
- soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available
- arm64: dts: qcom: sm8450: Fix GIC_ITS range length
- arm64: dts: qcom: sm8550: Fix GIC_ITS range length
- arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host
controller
- arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
- arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes
- arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl
- arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered
during boot
- arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual
- soc/tegra: cbb: Set ERD on resume for err interrupt
- unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts()
failure
- ocfs2/dlm: validate qr_numregions in dlm_match_regions()
- ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
- soc: qcom: llcc: fix v1 SB syndrome register offset
- soc: qcom: aoss: compare against normalized cooling state
- arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
- ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX
- arm64/xor: fix conflicting attributes for xor_block_template
- ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended
- ocfs2: fix listxattr handling when the buffer is full
- ocfs2: validate bg_bits during freefrag scan
- ocfs2: validate group add input before caching
- dmaengine: dw-axi-dmac: Remove unnecessary return statement from void
function
- soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
- dmaengine: mxs-dma: Fix missing return value from
of_dma_controller_register()
- soundwire: cadence: Clear message complete before signaling waiting
thread
- tracing: Rebuild full_name on each hist_field_name() call
- ima: check return value of crypto_shash_final() in boot aggregate
- HID: asus: make asus_resume adhere to linux kernel coding standards
- HID: asus: do not abort probe when not necessary
- mtd: physmap_of_gemini: Fix disabled pinctrl state check
- dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range
- mtd: spi-nor: core: correct the op.dummy.nbytes when check read
operations
- mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
- mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
- mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
- mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
- mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
- mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
- mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
- HID: usbhid: fix deadlock in hid_post_reset()
- bpf, arm64: Fix off-by-one in check_imm signed range check
- bpf, sockmap: Fix af_unix iter deadlock
- bpf, sockmap: Fix af_unix null-ptr-deref in proto update
- bpf, sockmap: Take state lock for af_unix iter
- bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
- bpf: Fix NULL deref in map_kptr_match_type for scalar regs
- bpf: allow UTF-8 literals in bpf_bprintf_prepare()
- bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
- pinctrl: pinctrl-pic32: Fix resource leak
- pinctrl: cy8c95x0: remove duplicate error message
- pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()
- pinctrl: cy8c95x0: Avoid returning positive values to user space
- perf branch: Avoid incrementing NULL
- perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE
trace
- pinctrl: abx500: Fix type of 'argument' variable
- perf lock: Fix option value type in parse_max_stack
- perf expr: Return -EINVAL for syntax error in expr__find_ids()
- ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure
- ipmi: ssif_bmc: fix message desynchronization after truncated response
- ipmi: ssif_bmc: change log level to dbg in irq callback
- perf util: Kill die() prototype, dead for a long time
- i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
- dev_printk: add new dev_err_probe() helpers
- backlight: sky81452-backlight: Check return value of
devm_gpiod_get_optional() in sky81452_bl_parse_dt()
- platform/surface: surfacepro3_button: Drop wakeup source on remove
- leds: lgm-sso: Remove duplicate assignments for priv->mmap
- tty: hvc_iucv: fix off-by-one in number of supported devices
- platform/x86: panasonic-laptop: Fix OPTD notifier registration and
cleanup
- mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
- nfs/blocklayout: Fix compilation error (`make W=1`) in
bl_write_pagelist()
- fs/ntfs3: terminate the cached volume label after UTF-8 conversion
- platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
- platform/x86: dell-wmi-sysman: bound enumeration string aggregation
- RDMA/core: Prefer NLA_NUL_STRING
- clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source
- scsi: sg: Make sg_sysfs_class constant
- scsi: sg: Fix sysctl sg-big-buff register during sg_init()
- scsi: sg: Resolve soft lockup issue when opening /dev/sgX
- clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from
byte_div_clk_src dividers
- scsi: target: core: Fix integer overflow in UNMAP bounds check
- dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs
- clk: qcom: gcc-sc8180x: Add missing GDSCs
- clk: qcom: gcc-sc8180x: Use retention for USB power domains
- clk: qcom: gcc-sc8180x: Use retention for PCIe power domains
- clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk
- clk: qcom: dispcc-sm8250: Enable parents for pixel clocks
- clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
- clk: imx: imx6q: Fix device node reference leak in
of_assigned_ldb_sels()
- clk: imx8mq: Correct the CSI PHY sels
- clk: qoriq: avoid format string warning
- clk: xgene: Fix mapping leak in xgene_pllclk_init()
- dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets
- clk: qcom: dispcc-sc7180: Add missing MDSS resets
- lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()
- clk: visconti: pll: initialize clk_init_data to zero
- f2fs: Use sysfs_emit_at() to simplify code
- f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
- drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update()
- drm/i915: Loop over all active pipes in intel_mbus_dbox_update
- drm/i915/wm: Verify the correct plane DDB entry
- crypto: sa2ul - Fix AEAD fallback algorithm names
- crypto: ccp - copy IV using skcipher ivsize
- arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT
- arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT
- arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
- arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
- arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for
PMIC_nINT
- PCMCIA: Fix garbled log messages for KERN_CONT
- arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT
- arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
- arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
- macvlan: fix macvlan_get_size() not reserving space for
IFLA_MACVLAN_BC_CUTOFF
- net/sched: sch_cake: fix NAT destination port not being updated in
cake_update_flowkeys
- nexthop: fix IPv6 route referencing IPv4 nexthop
- net/sched: taprio: fix use-after-free in advance_sched() on schedule
switch
- tcp: add data-race annotations around tp->data_segs_out and
tp->total_retrans
- tcp: annotate data-races around tp->bytes_sent
- tcp: annotate data-races around tp->bytes_retrans
- tcp: annotate data-races around tp->dsack_dups
- tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
- tcp: annotate data-races around tp->plb_rehash
- i40e: don't advertise IFF_SUPP_NOFCS
- e1000e: Unroll PTP in probe error handling
- ipv6: fix possible UAF in icmpv6_rcv()
- sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
- pppoe: drop PFC frames
- netfilter: nft_osf: restrict it to ipv4
- netfilter: conntrack: remove sprintf usage
- netfilter: xtables: restrict several matches to inet family
- ipvs: fix MTU check for GSO packets in tunnel mode
- netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
- netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
- arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number
- ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
- ksmbd: Use struct_size() to improve smb_direct_rdma_xmit()
- ksmbd: add support for supplementary groups
- ksmbd: destroy async_ida in ksmbd_conn_free()
- ksmbd: scope conn->binding slowpath to bound sessions only
- net/rds: zero per-item info buffer before handing it to visitors
- net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
- net/sched: sch_pie: annotate data-races in pie_dump_stats()
- net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
- net/sched: sch_red: annotate data-races in red_dump_stats()
- net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
- net: dsa: realtek: rtl8365mb: fix mode mask calculation
- nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
- tipc: fix double-free in tipc_buf_append()
- vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
- fs/adfs: validate nzones in adfs_validate_bblk()
- rtc: abx80x: Disable alarm feature if no interrupt attached
- fbdev: offb: fix PCI device reference leak on probe failure
- mailbox: mailbox-test: free channels on probe error
- cgroup/rdma: fix integer overflow in rdmacg_try_charge()
- mailbox: add sanity check for channel array
- mailbox: mailbox-test: don't free the reused channel
- mailbox: mailbox-test: initialize struct earlier
- mailbox: mailbox-test: make data_ready a per-instance variable
- btrfs: fix double-decrement of bytes_may_use in
submit_one_async_extent()
- tracing: branch: Fix inverted check on stat tracer registration
- nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
- nvme-pci: fix missed admin queue sq doorbell write
- drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG
- drm/amdgpu: fix spelling typos
- drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
- drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
- netfilter: xt_policy: fix strict mode inbound policy matching
- netfilter: nf_conntrack_sip: don't use simple_strtoul
- spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
- drm/sysfb: ofdrm: fix PCI device reference leaks
- cdrom, scsi: sr: propagate read-only status to block layer via
set_disk_ro()
- netdevsim: zero initialize struct iphdr in dummy sk_buff
- net/sched: netem: fix probability gaps in 4-state loss model
- net/sched: netem: fix queue limit check to include reordered packets
- net/sched: netem: only reseed PRNG when seed is explicitly provided
- net/sched: netem: validate slot configuration
- net/sched: netem: fix slot delay calculation overflow
- net/sched: netem: check for negative latency and jitter
- net/sched: sch_choke: annotate data-races in choke_dump_stats()
- net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
- vrf: Fix a potential NPD when removing a port from a VRF
- net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
- net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
- NFC: trf7970a: Ignore antenna noise when checking for RF field
- neighbour: add RCU protection to neigh_tables[]
- neigh: let neigh_xmit take skb ownership
- ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
- net: mctp i2c: check length before marking flow active
- net: phy: dp83869: fix setting CLK_O_SEL field.
- drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings
- drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings
- drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings
- drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring
- drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring
- drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring
- drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring
- drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring
- drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring
- ASoC: codecs: ab8500: Fix casting of private data
- netfilter: skip recording stale or retransmitted INIT
- sctp: discard stale INIT after handshake completion
- net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
- net: netconsole: move newline trimming to function
- netconsole: propagate device name truncation in dev_name_store()
- ALSA: hda/conexant: fix some typos
- ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87
- ALSA: hda/conexant: Fix missing error check for jack detection
- futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
- drm/amd/display: Allow DCE link encoder without AUX registers
- drm/amd/display: Read EDID from VBIOS embedded panel info
- bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner
- net: bonding: add broadcast_neighbor option for 802.3ad
- bonding: add support for per-port LACP actor priority
- bonding: print churn state via netlink
- bonding: 3ad: implement proper RCU rules for port->aggregator
- iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
- iavf: stop removing VLAN filters from PF on interface down
- iavf: wait for PF confirmation before removing VLAN filters
- iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
- ice: fix NULL pointer dereference in ice_reset_all_vfs()
- net: tls: fix strparser anchor skb leak on offload RX setup failure
- sfc: fix error code in efx_devlink_info_running_versions()
- net/sched: cls_flower: revert unintended changes
- smb: client: correctly handle ErrorContextData as a flexible array
- net: bcmgenet: Initialize u64 stats seq counter
- net: bcmgenet: fix leaking free_bds
- net/sched: sch_pie: annotate more data-races in pie_dump_stats()
- netconsole: avoid out-of-bounds access on empty string in trim_newline()
- bonding: fix NULL pointer dereference in actor_port_prio setting
- crypto: af_alg - Cap AEAD AD length to 0x80000000
- i40e: Cleanup PTP pins on probe failure
- workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
- netfilter: nf_conntrack_sip: get helper before allocating expectation
- audit: fix incorrect inheritable capability in CAPSET records
- netfilter: nft_ct: fix missing expect put in obj eval
- net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
- audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
- KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
- KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer
arithmetic
- KVM: x86: Fix Xen hypercall tracepoint argument assignment
- ASoC: SOF: Intel: hda-dai: remove dspless special case
- ASoC: SOF: Intel: hda-dai: add support for dspless mode beyond HDAudio
- smb/client: fix possible infinite loop and oob read in symlink_data()
- drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
- ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
- ALSA: usb-audio: Bound MIDI endpoint descriptor scans
- ceph: fix a buffer leak in __ceph_setxattr()
- powerpc/warp: Fix error handling in pika_dtm_thread
- netfs: fix error handling in netfs_extract_user_iter()
- libceph: Fix potential out-of-bounds access in osdmap_decode()
- libceph: Fix potential null-ptr-deref in decode_choose_args()
- libceph: Fix potential out-of-bounds access in crush_decode()
- libceph: handle rbtree insertion error in decode_choose_args()
- iommu/vt-d: Disable DMAR for Intel Q35 IGFX
- drm/i915: skip __i915_request_skip() for already signaled requests
- drm/panfrost: Fix wait_bo ioctl leaking positive return from
dma_resv_wait_timeout()
- drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
- drm/gma500/oaktrail_lvds: fix hang on init failure
- drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
- eventfs: Use list_add_tail_rcu() for SRCU-protected children list
- smb: client: Use FullSessionKey for AES-256 encryption key derivation
- btrfs: use inode already stored in local variable at btrfs_rmdir()
- btrfs: use btrfs inodes in btrfs_rmdir() to avoid so much usage of
BTRFS_I()
- mptcp: drop __mptcp_fastopen_gen_msk_ackseq()
- mptcp: fix rx timestamp corruption on fastopen
- mptcp: pm: prio: skip closed subflows
- mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
- f2fs: fix incorrect file address mapping when inline inode is unwritten
- f2fs: fix false alarm of lockdep on cp_global_sem lock
- spi: sifive: Simplify clock handling with devm_clk_get_enabled()
- spi: sifive: fix controller deregistration
- mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
- netfs: Fix potential uninitialised var in netfs_extract_user_iter()
- io_uring/kbuf: use mem_is_zero()
- md/raid1: fix the comparing region of interval tree
- md: wake raid456 reshape waiters before suspend
- btrfs: pass struct btrfs_inode to clone_copy_inline_extent()
- btrfs: fix deadlock between reflink and transaction commit when using
flushoncommit
- bus: fsl-mc: use generic driver_override infrastructure
- sparc/vdso: Always reject undefined references during linking
- sparc64: vdso: Link with -z noexecstack
- wifi: mt76: mt7996: fix use-after-free bugs in mt7996_mac_dump_work()
- wifi: mt76: mt7921: fix 6GHz regulatory update on connection
- bpf: Fix variable length stack write over spilled pointers
- wifi: ath10k: fix station lookup failure during disconnect
- bpf: fix mm lifecycle in open-coded task_vma iterator
- bpf: switch task_vma iterator from mmap_lock to per-VMA locks
- bpf: return VMA snapshot from task_vma iterator
- Bluetooth: SCO: check for codecs->num_codecs == 1 before assigning to
sco_pi(sk)->codec
- ipv4: udp: fix typos in comments
- ipv6: udp: fix typos in comments
- udp: Force compute_score to always inline
- PCI: endpoint: Align pci_epc_set_msix(), pci_epc_ops::set_msix() nr_irqs
encoding
- PCI: dwc: ep: Fix MSI-X Table Size configuration in
dw_pcie_ep_set_msix()
- PCI: dwc: Invoke post_init in dw_pcie_resume_noirq()
- PCI: dwc: Perform cleanup in the error path of dw_pcie_resume_noirq()
- spi: spi-nxp-fspi: remove the goto in probe
- spi: spi-nxp-fspi: enable runtime pm for fspi
- spi: nxp-fspi: Use reinit_completion() for repeated operations
- drm/v3d: Handle error from drm_sched_entity_init()
- PCI: dwc: rcar-gen4: Change EPC BAR alignment to 4K as per the
documentation
- drm/imagination: Switch reset_reason fields from enum to u32
- drm/msm/dsi: fix bits_per_pclk
- drm/msm/dsi: fix hdisplay calculation for CMD mode panel
- PCI: qcom: Advertise Hotplug Slot Capability with no Command Completion
support
- drm/msm/a6xx: Fix dumping A650+ debugbus blocks
- crypto: qat - introduce fuse array
- crypto: qat - disable 4xxx AE cluster when lead engine is fused off
- crypto: qat - disable 420xx AE cluster when lead engine is fused off
- crypto: qat - fix type mismatch in RAS sysfs show functions
- PCI: tegra194: Set LTR message request before PCIe link up in Endpoint
mode
- PCI: tegra194: Free up Endpoint resources during remove()
- arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon
- arm64: dts: qcom: sm8650: Fix GIC_ITS range length
- arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller
- arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes
- arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins
- arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins
- arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label
- hte: tegra194: remove Kconfig dependency on Tegra194 SoC
- [Config] Adjust CONFIG_HTE_TEGRA194
- cxl/pci: Check memdev driver binding status in cxl_reset_done()
- ext4: fix possible null-ptr-deref in mbt_kunit_exit()
- pinctrl: realtek: Fix function signature for config argument
- perf maps: Fix copy_from that can break sorted by name order
- platform/x86: asus-wmi: adjust screenpad power/brightness handling
- platform/x86: asus-wmi: fix screenpad brightness range
- tty: serial: ip22zilog: Fix section mispatch warning
- clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON
- erofs: unify lcn as u64 for 32-bit platforms
- net/sched: act_mirred: fix wrong device for mac_header_xmit check in
tcf_blockcast_redir
- tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE
- ice: fix ICE_AQ_LINK_SPEED_M for 200G
- net/mlx5: Fix HCA caps leak on notifier init failure
- pwm: atmel-tcb: Cache clock rates and mark chip as atomic
- mailbox: mtk-cmdq: Fix CURR and END addr for task insert case
- fsnotify: fix inode reference leak in fsnotify_recalc_mask()
- drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM
- ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED
- tcp: make probe0 timer handle expired user timeout
- drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring
- drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring
- ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()
- drm/xe/debugfs: Correct printing of register whitelist ranges
- drm/xe/gsc: Fix BO leak on error in query_compatibility_version()
- PCI: Initialize temporary device in new_id_store()
- ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands
- drm/loongson: Use managed KMS polling
- ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size
- drm/xe/dma-buf: handle empty bo and UAF races
- btrfs: do not mark inode incompressible after inline attempt fails
- tracing: Avoid NULL return from hist_field_name() on truncation
- Upstream stable to v6.6.141, v6.12.91
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-46117
- RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-46137
- mptcp: pm: ADD_ADDR rtx: fix potential data-race
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-46160
- btrfs: fix missing last_unlink_trans update when removing a directory
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-46314
- drm/v3d: Reject empty multisync extension to prevent infinite loop
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-46274
- io-wq: check that the predecessor is hashed in io_wq_remove_pending()
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-31707
- ksmbd: validate response sizes in ipc_validate_msg()
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-46068
- crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-31613
- smb: client: fix OOB reads parsing symlink error response
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-43245
- ntfs: ->d_compare() must not block
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-45846
- bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-45845
- net/sched: taprio: fix NULL pointer dereference in class dump
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-45844
- netfilter: arp_tables: fix IEEE1394 ARP payload parsing
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-45843
- slip: bound decode() reads against the compressed packet length
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-45842
- slip: reject VJ receive packets on instances with no rstate array
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-45841
- netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-45840
- openvswitch: cap upcall PID array size and pre-size vport replies
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-46319
- net/sched: act_ct: Only release RCU read lock after ct_ft
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-45839
- bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
* Noble update: upstream stable patchset 2026-06-16 (LP: #2156956) //
CVE-2026-45838
- bpf: fix end-of-list detection in cgroup_storage_get_next_key()
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619)
- regset: use kvzalloc() for regset_get_alloc()
- selftests/bpf: validate fake register spill/fill precision backtracking
logic
- exit: Sleep at TASK_IDLE when waiting for application core dump
- media: uvcvideo: Enable VB2_DMABUF for metadata stream
- media: i2c: ov8856: free control handler on error in
ov8856_init_controls()
- spi: bcm63xx: fix controller deregistration
- spi: atmel: fix controller deregistration
- regulator: mt6357: fix OF node reference imbalance
- regulator: max77650: fix OF node reference imbalance
- media: rc: streamzap: Error handling in probe
- regulator: rk808: fix OF node reference imbalance
- regulator: act8945a: fix OF node reference imbalance
- regulator: bd9571mwv: fix OF node reference imbalance
- spi: lantiq-ssc: fix controller deregistration
- spi: qup: fix controller deregistration
- spi: at91-usart: fix controller deregistration
- platform/x86: hp-wmi: Ignore backlight and FnLock events
- media: pci: zoran: fix potential memory leak in zoran_probe()
- media: dib8000: avoid division by 0 in dib8000_set_dds()
- media: i2c: imx412: Assert reset GPIO during probe
- media: staging: imx: request mbus_config in csi_start
- media: i2c: ov08d10: fix image vertical start setting
- media: omap3isp: drop the use count of v4l2 pipeline
- spi: dln2: fix controller deregistration
- spi: s3c64xx: fix controller deregistration
- spi: fsl-espi: fix controller deregistration
- spi: omap2-mcspi: fix controller deregistration
- spi: mtk-nor: fix controller deregistration
- spi: sh-hspi: fix controller deregistration
- spi: bcmbca-hsspi: fix controller deregistration
- spi: coldfire-qspi: fix controller deregistration
- spi: sprd: fix controller deregistration
- spi: img-spfi: fix controller deregistration
- spi: imx: fix runtime pm leak on probe deferral
- spi: orion: fix runtime pm leak on unbind
- spi: orion: fix clock imbalance on registration failure
- spi: cadence: fix controller deregistration
- spi: cadence: fix unclocked access on unbind
- drm/amdkfd: Add upper bound check for num_of_nodes
- drm/amdgpu/vce: Prevent partial address patches
- drm/radeon: add missing revision check for CI
- drm/amdgpu: zero-initialize GART table on allocation
- drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
- drm/amdgpu/pm: add missing revision check for CI
- drm/amdgpu/pm: align Hawaii mclk workaround with radeon
- ipmi:ssif: Fix a shutdown race
- ALSA: hda: cs35l56: Propagate ASP TX source control errors
- ALSA: misc: Use guard() for spin locks
- ALSA: core: Serialize deferred fasync state checks
- ALSA: seq: Notify client and port info changes
- ALSA: seq: Fix UMP group 16 filtering
- spi: zynq-qspi: Simplify clock handling with devm_clk_get_enabled()
- spi: zynq-qspi: fix controller deregistration
- spi: tegra114: fix controller deregistration
- spi: tegra20-sflash: fix controller deregistration
- spi: uniphier: Simplify clock handling with devm_clk_get_enabled()
- spi: uniphier: fix controller deregistration
- mm/hugetlb_cma: round up per_node before logging it
- mm/damon/core: disallow time-quota setting zero esz
- mm/damon/core: implement damon_kdamond_pid()
- mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values
- usb: typec: tcpm: reset internal port states on soft reset AMS
- mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values
- mtd: spi-nor: sst: Factor out common write operation to
`sst_nor_write_data()`
- pwm: imx-tpm: Count the number of enabled channels in probe
- batman-adv: tp_meter: fix tp_num leak on kmalloc failure
- tracing/probes: Limit size of event probe to 3K
- usb: dwc3: Move GUID programming after PHY initialization
- vsock/virtio: fix length and offset in tap skb for split packets
- drm/amdgpu/vcn3: Avoid overflow on msg bound check
- drm/amdgpu/vcn4: Avoid overflow on msg bound check
- mtd: spi-nor: sst: Fix SST write failure
- media: nxp: imx8-isi: Reduce minimum queued buffers from 2 to 0
- media: chips-media: wave5: fix a potential memory leak in
wave5_vdi_init()
- media: chips-media: wave5: add missing spinlock protection for
send_eos_event()
- media: chips-media: wave5: add missing spinlock protection for
handle_dynamic_resolution_change()
- spi: st-ssc4: fix controller deregistration
- spi: meson-spicc: fix controller deregistration
- spi: aspeed-smc: fix controller deregistration
- vsock/virtio: fix MSG_PEEK ignoring skb offset when calculating bytes to
copy
- spi: mxs: fix controller deregistration
- spi: pic32: fix controller deregistration
- spi: pl022: fix controller deregistration
- spi: npcm-pspi: fix controller deregistration
- spi: pic32-sqi: fix controller deregistration
- spi: mxic: fix controller deregistration
- spi: orion: fix controller deregistration
- drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.
- drm/amdgpu: gate VM CPU HDP flush on reset lock
- drm/amd/display: Change dither policy for 10 bpc output back to
dithering
- drm/xe/bo: Fix bo leak on unaligned size validation in
xe_bo_init_locked()
- drm/exynos: remove bridge when component_add fails
- drm/amdkfd: Make all TLB-flushes heavy-weight
- btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
- Upstream stable to v6.6.140, v6.12.89, v6.12.90
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46207
- vsock/virtio: fix empty payload in tap skb for non-linear buffers
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46164
- btrfs: fix double free in create_space_info_sub_group() error path
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46201
- drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import()
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46211
- drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata()
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46200
- spi: mpc52xx: fix controller deregistration
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46241
- spi: mpc52xx: fix use-after-free on registration failure
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46214
- vsock/virtio: fix accept queue count leak on transport mismatch
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46234
- vsock: fix buffer size clamping order
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46159
- btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
info-leak
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46208
- batman-adv: stop tp_meter sessions during mesh teardown
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-23171
- bonding: fix use-after-free due to enslave fail after slave array update
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-45836
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46191
- fbcon: Avoid OOB font access if console rotation fails
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46111
- Bluetooth: hci_conn: fix potential UAF in create_big_sync
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-45999
- erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46044
- ipmi:ssif: Clean up kthread on errors
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46231
- batman-adv: bla: put backbone reference on failed claim hash insert
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46233
- batman-adv: bla: only purge non-released claims
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46212
- batman-adv: bla: prevent use-after-free when deleting claims
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46238
- batman-adv: stop caching unowned originator pointers in BAT IV
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46206
- batman-adv: reject new tp_meter sessions during teardown
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46198
- batman-adv: fix integer overflow on buff_pos
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46227
- sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in
SCTP_SENDALL
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46220
- drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46197
- drm/amdkfd: validate SVM ioctl nattr against buffer size
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46209
- drm/gem: Fix inconsistent plane dimension calculation in
drm_gem_fb_init_with_funcs()
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46230
- drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46199
- drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46204
- drm/amdgpu/vcn4: Prevent OOB reads when parsing IB
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46218
- drm/amdgpu: Add bounds checking to ib_{get,set}_value
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46229
- drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46219
- spi: mpc52xx: fix use-after-free on unbind
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46225
- spi: rspi: fix controller deregistration
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46226
- spi: fsl: fix controller deregistration
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46235
- media: saa7164: add ioremap return checks and cleanups
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46312
- media: videobuf2: Set vma_flags in vb2_dma_sg_mmap
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46236
- media: rc: xbox_remote: heed DMA restrictions
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46205
- staging: media: atomisp: Disallow all private IOCTLs
* Noble update: upstream stable patchset 2026-06-12 (LP: #2156619) //
CVE-2026-46232
- HID: playstation: Clamp num_touch_reports
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549)
- xen/privcmd: fix double free via VMA splitting
- Buffer overflow in drivers/xen/sys-hypervisor.c
- ALSA: usb-audio: Avoid false E-MU sample-rate notifications
- ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
- usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
- usb: chipidea: otg: not wait vbus drop if use role_switch
- usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS
change
- ALSA: usb-audio: Evaluate packsize caps at the right place
- driver core: Don't let a device probe until it's ready
- firmware: google: framebuffer: Do not mark framebuffer as busy
- arm64/mm: Enable batched TLB flush in unmap_hotplug_range()
- drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array
- device property: Make modifications of fwnode "flags" thread safe
- um: drivers: call kernel_strrchr() explicitly in cow_user.c
- Revert "ALSA: usb: Increase volume range that triggers a warning"
- PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete
- lib/ts_kmp: fix integer overflow in pattern length calculation
- media: i2c: imx219: Check return value of devm_gpiod_get_optional() in
imx219_probe()
- ALSA: aoa: i2sbus: fix OF node lifetime handling
- ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
- mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused
- nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
- nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
- parisc: _llseek syscall is only available for 32-bit userspace
- sched: Use u64 for bandwidth ratio calculations
- selftests/mqueue: Fix incorrectly named file
- selftests/landlock: Fix format warning for __u64 in net_test
- io_uring/timeout: check unused sqe fields
- iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
- io_uring/poll: fix signed comparison in io_poll_get_ownership()
- io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
- ALSA: core: Fix potential data race at fasync handling
- ALSA: caiaq: Fix control_put() result and cache rollback
- ALSA: 6fire: Fix input volume change detection
- ALSA: pcmtest: fix reference leak on failed device registration
- ALSA: pcmtest: Fix resource leaks in module init error paths
- iio: adc: ad7768-1: fix one-shot mode data acquisition
- tools/accounting: handle truncated taskstats netlink messages
- arm64: dts: marvell: uDPU: add ethernet aliases
- net: txgbe: fix firmware version check
- net: ks8851: Avoid excess softirq scheduling
- drm/arcpgu: fix device node leak
- extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE'
- tpm: avoid -Wunused-but-set-variable
- LoongArch: Show CPU vulnerabilites correctly
- power: supply: axp288_charger: Do not cancel work before initializing it
- randomize_kstack: Maintain kstack_offset per task
- mmc: block: use single block write in retry
- mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
- arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins
- firmware: google: framebuffer: Do not unregister platform device
- crypto: talitos - fix SEC1 32k ahash request limitation
- crypto: talitos - rename first/last to first_desc/last_desc
- tpm: tpm_tis: add error logging for data transfer
- tpm: tpm_tis: stop transmit if retries are exhausted
- rtc: ntxec: fix OF node reference imbalance
- mm/damon/core: use time_in_range_open() for damos quota window start
- userfaultfd: allow registration of ranges below mmap_min_addr
- KVM: x86: Defer non-architectural deliver of exception payload to
userspace read
- KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
- KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
- KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts
- KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode
- KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT
- KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN
- KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
- KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT
- KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT
- KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
- KVM: nSVM: Add missing consistency check for nCR3 validity
- KVM: nSVM: Always intercept VMMCALL when L2 is active
- io_uring/poll: fix multishot recv missing EOF on wakeup race
- perf annotate: Use jump__delete when freeing LoongArch jumps
- mtd: spi-nor: sst: Fix write enable before AAI sequence
- amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2
- check-uapi: link into shared objects
- HID: apple: ensure the keyboard backlight is off if suspending
- wifi: rtl8xxxu: fix potential use of uninitialized value
- taskstats: set version in TGID exit notifications
- apparmor: use target task's context in apparmor_getprocattr()
- bus: mhi: host: pci_generic: Switch to async power up to avoid boot
delays
- crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit
- crypto: atmel-ecc - Release client on allocation failure
- crypto: hisilicon - Fix dma_unmap_single() direction
- IB/core: Fix zero dmac race in neighbor resolution
- ktest: Fix the month in the name of the failure directory
- seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
- f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
- ksmbd: use msleep instaed of schedule_timeout_interruptible()
- ksmbd: replace connection list with hash table
- ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()
- wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor
- wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling
- ALSA: aoa: Use guard() for mutex locks
- ALSA: aoa: i2sbus: clear stale prepared state
- mm/zsmalloc: copy KMSAN metadata in zs_page_migrate()
- media: rc: ttusbir: respect DMA coherency rules
- ALSA: aoa: Skip devices with no codecs in i2sbus_resume()
- block: relax pgmap check in bio_add_page for compatible zone device
pages
- iio: frequency: admv1013: add dev variable
- net: mctp: fix don't require received header reserved bits to be zero
- driver core: Add kernel-doc for DEV_FLAG_COUNT enum value
- ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
- ALSA: caiaq: Don't abort when no input device is available
- ALSA: caiaq: fix usb_dev refcount leak on probe failure
- ACPI: scan: Use acpi_dev_put() in object add error paths
- ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO
- ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
- ACPI: video: force native backlight on HP OMEN 16 (8A44)
- iommufd: Fix a race with concurrent allocation and unmap
- spi: rockchip: fix controller deregistration
- ksmbd: rewrite stop_sessions() with restartable iteration
- iommu/amd: Use atomic64_inc_return() in iommu.c
- iommu/amd: serialize sequence allocation under concurrent TLB
invalidations
- KVM: SVM: check validity of VMCB controls when returning from SMM
- wifi: mt76: mt7925: fix incorrect length field in txpower command
- wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
- ALSA: usb-audio: midi2: Restart output URBs on resume
- ALSA: usb-audio: Fix UAC3 cluster descriptor size check
- USB: omap_udc: DMA: Don't enable burst 4 mode
- USB: serial: option: add Telit Cinterion LE910Cx compositions
- ALSA: firewire-tascam: Do not drop unread control events
- powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o
- xfrm: provide message size for XFRM_MSG_MAPPING
- selinux: don't reserve xattr slot when we won't fill it
- selinux: shrink critical section in sel_write_load()
- selinux: prune /sys/fs/selinux/disable
- LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()
- spi: syncuacer: fix controller deregistration
- spi: sun4i: fix controller deregistration
- spi: ti-qspi: fix controller deregistration
- spi: sun6i: fix controller deregistration
- spi: zynqmp-gqspi: fix controller deregistration
- staging: vme_user: fix root device leak on init failure
- LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT
- parisc: Fix IRQ leak in LASI driver
- hwmon: (ltc2992) Clamp threshold writes to hardware range
- hwmon: (ltc2992) Fix u32 overflow in power read path
- clk: rk808: fix OF node reference imbalance
- hwmon: (corsair-psu) Close HID device on probe errors
- cifs: abort open_cached_dir if we don't request leases
- cifs: change_conf needs to be called for session setup
- extcon: ptn5150: handle pending IRQ events during system resume
- gpio: of: clear OF_POPULATED on hog nodes in remove path
- hv_sock: fix ARM64 support
- spi: microchip-core-qspi: fix controller deregistration
- udf: reject descriptors with oversized CRC length
- thermal: core: Free thermal zone ID later during removal
- thermal/drivers/sprd: Fix temperature clamping in
sprd_thm_temp_to_rawdata
- thermal/drivers/sprd: Fix raw temperature clamping in
sprd_thm_rawdata_to_temp
- spi: topcliff-pch: fix controller deregistration
- clk: imx: imx8-acm: fix flags for acm clocks
- cpuidle: powerpc: avoid double clear when breaking snooze
- ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk
table
- ASoC: fsl_easrc: fix comment typo
- ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error
- ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
- ASoC: qcom: q6apm: remove child devices when apm is removed
- dm: don't report warning when doing deferred remove
- dm-verity-fec: correctly reject too-small FEC devices
- dm-verity-fec: correctly reject too-small hash devices
- lib/scatterlist: fix temp buffer in extract_user_to_sg()
- nvme-apple: drop invalid put of admin queue reference count
- openvswitch: vport: fix self-deadlock on release of tunnel ports
- s390/debug: Reject zero-length input in debug_input_flush_fn()
- PCI: Update saved_config_space upon resource assignment
- PCI/AER: Clear only error bits in PCIe Device Status
- PCI/AER: Stop ruling out unbound devices as error source
- PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
- power: supply: max17042: avoid overflow when determining health
- mptcp: fastclose msk when linger time is 0
- mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
- mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
- mptcp: sockopt: set timestamp flags on subflow socket, not msk
- f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
- f2fs: fix fiemap boundary handling when read extent cache is incomplete
- f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
- KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
- KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
- LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang()
- LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS
- LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by
software
- LoongArch: KVM: Move unconditional delay into timer clear scenery
- LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte()
- LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup
- fs: prepare for adding LSM blob to backing_file
- dma-mapping: drop unneeded includes from dma-mapping.h
- dma-mapping: add __dma_from_device_group_begin()/end()
- mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
- mtd: spinand: winbond: Declare the QE bit on W25NxxJW
- gtp: disable BH before calling udp_tunnel_xmit_skb()
- printk: add print_hex_dump_devel()
- net: stmmac: avoid shadowing global buf_sz
- net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
- wifi: mt76: mt7925: fix incorrect TLV length in CLC command
- KVM: arm64: Wake-up from WFI when iqrchip is in userspace
- Upstream stable to v6.6.137, v6.6.138, v6.6.139, v6.12.85, v6.12.86,
v6.12.87, v6.12.88
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-43490
- ksmbd: validate inherited ACE SID length
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46196
- tracepoint: balance regfunc() on func_add() failure in
tracepoint_add_func()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46110
- net: stmmac: Prevent NULL deref when RX memory exhausted
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46090
- ALSA: aloop: Fix peer runtime UAF during format-change stop
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46291
- crypto: caam - guard HMAC key hex dumps in hash_digest_key
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46299
- hfsplus: fix held lock freed on hfsplus_fill_super()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46169
- hfsplus: fix uninit-value by validating catalog record size
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-45991
- udf: fix partition descriptor append bookkeeping
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46007
- hwmon: (powerz) Avoid cacheline sharing for DMA buffer
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46065
- fbdev: defio: Disconnect deferred I/O from the lifetime of struct
fb_info
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46194
- f2fs: fix node_cnt race between extent node destroy and writeback
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46168
- mptcp: fix scheduling with atomic in timestamp sockopt
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46189
- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46133
- RDMA/rxe: Reject unknown opcodes before ICRC processing
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46114
- RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46127
- RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46176
- RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46178
- RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46145
- RDMA/mana: Validate rx_hash_key_len
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46126
- RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46144
- RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46121
- mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46131
- KVM: x86: check for nEPT/nNPT in slow flush hypercalls
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46139
- smb: client: use kzalloc to zero-initialize security descriptor buffer
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46112
- RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46292
- pmdomain: core: Fix detach procedure for virtual devices in genpd
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46304
- nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46135
- nvmet-tcp: fix race between ICReq handling and queue teardown
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46161
- md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-43492
- lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46124
- isofs: validate block number from NFS file handle in isofs_export_iget
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46303
- isofs: validate Rock Ridge CE continuation extent against volume size
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46106
- eventfs: Hold eventfs_mutex and SRCU when remount walks events
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46294
- dm: fix a buffer overflow in ioctl processing
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46107
- dm-thin: fix metadata refcount underflow
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46129
- btrfs: fix double free in create_space_info() error path
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46143
- ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46293
- clk: microchip: mpfs-ccc: fix out of bounds access during output
registration
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46301
- spi: topcliff-pch: fix use-after-free on unbind
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46273
- ibmveth: Disable GSO for packets with small MSS
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-43495
- net: wwan: t7xx: validate port_count against message length in
t7xx_port_enum_msg_handler
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-43502
- net/rds: handle zerocopy send cleanup before the message is queued
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46120
- ip6_gre: Use cached t->net in ip6erspan_changelink().
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46142
- net: libwx: fix VF illegal register access
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46184
- sound: ua101: fix division by zero at probe
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46132
- net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
rtnl_fill_vfinfo
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46190
- mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46150
- fanotify: fix false positive on permission events
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46296
- spi: s3c64xx: fix NULL-deref on driver unbind
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-45834
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-45835
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46138
- Bluetooth: hci_event: Fix OOB read and infinite loop in
hci_le_create_big_complete_evt
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46186
- Bluetooth: virtio_bt: validate rx pkt_type header length
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46123
- Bluetooth: virtio_bt: clamp rx length before skb_put
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46193
- xfrm: ah: account for ESN high bits in async callbacks
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46172
- ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46116
- xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46157
- ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46146
- ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46167
- usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46151
- usb: usblp: fix heap leak in IEEE 1284 device ID via short response
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46180
- wifi: brcmfmac: Fix potential use-after-free issue when stopping
watchdog task
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46122
- wifi: b43: enforce bounds check on firmware key index in b43_rx()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46125
- wifi: mac80211: remove station if connection prep fails
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46307
- wifi: ath5k: do not access array OOB
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46187
- wifi: rsi: fix kthread lifetime race between self-exit and external-stop
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46152
- wifi: mac80211: drop stray 'static' from fast-RX rx_result
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46163
- wifi: b43legacy: enforce bounds check on firmware key index in RX path
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46136
- wifi: mt76: mt7921: fix a potential clc buffer length underflow
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46173
- exit: prevent preemption of oopsing TASK_DEAD task
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-31499
- Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-43496
- net/sched: sch_red: Replace direct dequeue call with peek and
qdisc_dequeue_peeked
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-43088
- net: af_key: zero aligned sockaddr tail in PF_KEY exports
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46287
- net: txgbe: fix RTNL assertion warning when remove module
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46306
- flow_dissector: do not dissect PPPoE PFC frames
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46113
- KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46063
- x86/shstk: Prevent deadlock during shstk sigreturn
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-43109
- x86: shadow stacks: proper error handling for mmap lock
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46179
- ASoC: SOF: Don't allow pointer operations on unconfigured streams
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-43497
- fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46108
- ipmi:si: Return state to normal if message allocation fails
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46128
- ipmi: Check event message buffer response for bad data
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46177
- ipmi: Add limits to event and receive message requests
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46149
- scsi: target: configfs: Bound snprintf() return in
tg_pt_gp_members_show()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46101
- netfilter: reject zero shift in nft_bitwise
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46099
- net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46276
- drm/amdgpu: fix zero-size GDS range init on RDNA4
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46033
- crypto: authencesn - reject short ahash digests during instance creation
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46083
- spi: fix resource leaks on device setup failure
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46003
- net: qrtr: ns: Limit the total number of nodes
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46086
- net: bridge: use a stable FDB dst snapshot in RCU readers
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46026
- net: qrtr: ns: Limit the maximum number of lookups
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-43491
- net: qrtr: ns: Limit the maximum server registration per node
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46282
- iio: frequency: admv1013: fix NULL pointer dereference on str
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46084
- RDMA/mana_ib: Disable RX steering on RSS QP destroy
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46091
- media: rc: igorplugusb: heed coherency rules
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46069
- wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46021
- thermal: core: Fix thermal zone governor cleanup issues
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46280
- lib: test_hmm: evict device pages on file close to avoid use-after-free
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-31715
- f2fs: fix UAF caused by decrementing sbi->nr_pages[] in
f2fs_write_end_io()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-31709
- smb: client: validate the whole DACL before rewriting it in cifsacl
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-45997
- scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-43499
- rtmutex: Use waiter::task instead of current in remove_waiter()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46062
- ntfs3: fix integer overflow in run_unpack() volume boundary check
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46072
- ntfs3: add buffer boundary checks to run_unpack()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46052
- ceph: only d_add() negative dentries when they are unhashed
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46023
- dm mirror: fix integer overflow in create_dirty_log()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46075
- crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46077
- crypto: atmel-tdes - fix DMA sync direction
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-45986
- crypto: ccree - fix a memory leak in cc_mac_digest()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46019
- crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46103
- can: ucan: fix devres lifetime
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46056
- Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46015
- tcp: call sk_data_ready() after listener migration
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46040
- inotify: fix watch count leak when fsnotify_add_inode_mark_locked()
fails
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46070
- md/raid5: validate payload size before accessing journal metadata
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46051
- md/raid5: fix soft lockup in retry_aligned_read()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46046
- ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46094
- ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46076
- KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46082
- KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-45987
- KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46005
- xfs: fix a resource leak in xfs_alloc_buftarg()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46024
- libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46037
- ipv4: icmp: validate reply type before using icmp_pointers
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46031
- net: ks8851: Reinstate disabling of BHs around IRQ handler
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46027
- net/smc: avoid early lgr access in smc_clc_wait_msg
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46053
- net: rds: fix MR cleanup on copy error
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46038
- net: qrtr: ns: Free the node during ctrl_cmd_bye()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46012
- rxrpc: Fix memory leaks in rxkad_verify_response()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46004
- ALSA: caiaq: Handle probe errors properly
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46079
- rbd: fix null-ptr-deref when device_add_disk() fails
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46016
- remoteproc: xlnx: Only access buffer information if IPI is buffered
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46285
- mtd: docg3: fix use-after-free in docg3_release()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46050
- md/raid10: fix deadlock with check operation and nowait requests
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46061
- jbd2: fix deadlock in jbd2_journal_cancel_revoke()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46078
- erofs: fix the out-of-bounds nameoff handling for trailing dirents
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46049
- ALSA: ctxfi: Add fallback to default RSR for S/PDIF
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46002
- ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46047
- net: qrtr: ns: Fix use-after-free in driver remove()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46009
- PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46011
- media: mtk-jpeg: fix use-after-free in release path due to uncancelled
work
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46102
- net: strparser: fix skb_head leak in strp_abort_strp()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46098
- net: caif: clear client service pointer on teardown
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46088
- ALSA: control: Validate buf_len before strnlen() in
snd_ctl_elem_init_enum_names()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46058
- media: amphion: Fix race between m2m job_abort and device_run
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46073
- hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-45989
- of: unittest: fix use-after-free in testdrv_probe()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-45996
- spi: imx: fix use-after-free on unbind
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46092
- wifi: rtw88: check for PCI upstream bridge existence
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46089
- zram: do not forget to endio for partial discard requests
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46080
- ocfs2: split transactions in dio completion to avoid credit exhaustion
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-23468
- drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46064
- ibmasm: fix heap over-read in ibmasm_send_i2o_message()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-45994
- ibmasm: fix OOB reads in command_file_write due to missing size checks
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46022
- misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46041
- greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames()
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46286
- leds: qcom-lpg: Check for array overflow when selecting the high
resolution
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46006
- drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-45993
- LoongArch: Add spectre boundry for syscall dispatch table
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2026-46018
- ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
* Noble update: upstream stable patchset 2026-06-11 (LP: #2156549) //
CVE-2025-54518 // CVE-2026-46174
- x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op
cache
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373)
- ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
- ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
- ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC
- media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl()
- ALSA: asihpi: avoid write overflow check warning
- ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
- ASoC: SOF: topology: reject invalid vendor array size in token parser
- can: mcp251x: add error handling for power enable in open and resume
- ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
- ALSA: hda/realtek: add quirk for Framework F111:000F
- ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
- ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
- ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
- pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
debouncer)
- platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug
- HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
- ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
- ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
- ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
- soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
- arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
- PCI: hv: Set default NUMA node to 0 for devices without affinity info
- drm/vc4: Release runtime PM reference after binding V3D
- drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
- net: stmmac: Fix PTP ref clock for Tegra234
- dt-bindings: net: Fix Tegra234 MGBE PTP clock
- tracing/probe: reject non-closed empty immediate strings
- e1000: check return value of e1000_read_eeprom
- xsk: respect tailroom for ZC setups
- xsk: fix XDP_UMEM_SG_FLAG issues
- selftests: net: bridge_vlan_mcast: wait for h1 before querier check
- gpio: tegra: fix irq_release_resources calling enable instead of disable
- ALSA: usb-audio: Improve Focusrite sample rate filtering
- usb: storage: Expand range of matched versions for VL817 quirks entry
- USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
- usb: port: add delay after usb_hub_set_port_power()
- scripts: generate_rust_analyzer.py: avoid FD leak
- USB: serial: option: add Telit Cinterion FN990A MBIM composition
- Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates
race
- KVM: nVMX: Fold requested virtual interrupt check into
has_nested_events()
- net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
- checkpatch: add support for Assisted-by tag
- Revert "perf unwind-libdw: Fix invalid reference counts"
- net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers
- scripts: generate_rust_analyzer.py: define scripts
- KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
- rxrpc: Fix key quota calculation for multitoken keys
- ocfs2: add inline inode consistency check to
ocfs2_validate_inode_block()
- Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave"
- scripts/dtc: Remove unused dts_version in dtc-lexer.l
- fuse: Check for large folio with SPLICE_F_MOVE
- fuse: quiet down complaints in fuse_conn_limit_write
- smb: server: fix max_connections off-by-one in tcp accept path
- ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
- crypto: testmgr - Hide ENOENT errors
- crypto: testmgr - Hide ENOENT errors better
- platform/x86: asus-nb-wmi: add DMI quirk for ASUS ROG Flow Z13-KJP
GZ302EAC
- drm/amdgpu: Handle GPU page faults correctly on non-4K page systems
- ALSA: hda/realtek: Add quirk for Samsung Book2 Pro 360 (NP950QED)
- ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IMH9
- net: sfp: add quirks for Hisense and HSGQ GPON ONT SFP modules
- arm64: dts: qcom: hamoa/x1: fix idle exit latency
- HID: amd_sfh: don't log error when device discovery fails with
-EOPNOTSUPP
- net: increase IP_TUNNEL_RECURSION_LIMIT to 5
- netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC ->
GFP_KERNEL_ACCOUNT allocation
- netfilter: nfnetlink_queue: make hash table per queue
- thermal: core: Mark thermal zones as exiting before unregistration
- KVM: Remove subtle "struct kvm_stats_desc" pseudo-overlay
- PCI: Fix placement of pci_save_state() in pci_bus_add_device()
- ima: verify if the segment size has changed
- ima: do not copy measurement list to kdump kernel
- ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
- btrfs: tracepoints: fix sleep while in atomic context in
btrfs_sync_file()
- Upstream stable to v6.6.136, v6.12.83, v6.12.84
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31706
- ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31712
- ksmbd: require minimum ACE size in smb_check_perm_dacl()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31575
- mm/userfaultfd: fix hugetlb fault mutex hash calculation
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31582
- hwmon: (powerz) Fix use-after-free on USB disconnect
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43073
- x86-64: rename misleadingly named '__copy_user_nocache()' function
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2025-21709
- kernel: be more careful about dup_mmap() failures and uprobe registering
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31606
- usb: gadget: f_hid: don't call cdev_init while cdev in use
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31731
- thermal: core: Address thermal zone removal races with resume
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31677
- crypto: af_alg - limit RX SG extraction by receive buffer budget
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43107
- xfrm: account XFRMA_IF_ID in aevent size calculation
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43119
- Bluetooth: hci_sync: annotate data-races around hdev->req_status
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31696
- rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31697
- crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31698
- crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command
failed
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31699
- crypto: ccp: Don't attempt to copy CSR to userspace if PSP command
failed
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31700
- net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31701
- ALSA: caiaq: take a reference on the USB device in create_card()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31702
- f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31704
- ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31705
- ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31708
- smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43350
- smb: client: require a full NFS mode SID before reading mode bits
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31711
- smb: server: fix active_num_conn leak on transport allocation failure
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31694
- fuse: reject oversized dirents in page cache
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31714
- f2fs: fix to avoid memory leak in f2fs_rename()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31716
- fs/ntfs3: validate rec->used in journal-replay file record check
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43075
- ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43076
- ocfs2: validate inline data i_size during inode read
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31595
- PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in
epf_ntb_epc_cleanup
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-23444
- wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-23442
- ipv6: add NULL checks for idev in SRv6 paths
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31594
- PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31576
- media: hackrf: fix to not free memory after the device is registered in
hackrf_probe()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43058
- media: vidtv: fix pass-by-value structs causing MSAN warnings
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31577
- nilfs2: fix NULL i_assoc_inode dereference in
nilfs_mdt_save_to_shadow_map
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31578
- media: as102: fix to not free memory after the device is registered in
as102_usb_probe()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31580
- bcache: fix cached_dev.sb_bio use-after-free and crash
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31581
- ALSA: 6fire: fix use-after-free on disconnect
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31583
- media: em28xx: fix use-after-free in em28xx_v4l2_open()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31584
- media: mediatek: vcodec: fix use-after-free in encoder release path
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31585
- media: vidtv: fix nfeeds state corruption on start_streaming failure
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31586
- mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31686
- mm/kasan: fix double free for kasan pXds
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31587
- ASoC: qcom: q6apm: move component registration to unmanaged version
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31588
- KVM: x86: Use scratch field in MMIO fragment to hold small write values
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31590
- KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31596
- ocfs2: handle invalid dinode in ocfs2_group_extend
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31597
- ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31598
- ocfs2: fix possible deadlock between unlink and dio_end_io_write
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31599
- media: vidtv: fix NULL pointer dereference in
vidtv_channel_pmt_match_sections
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31602
- ALSA: ctxfi: Limit PTP to a single page
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31603
- staging: sm750fb: fix division by zero in ps_to_hz()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31604
- wifi: rtw88: fix device leak on probe failure
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31605
- fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31610
- ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31611
- ksmbd: require 3 sub-authorities before reading sub_auth[2]
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31612
- ksmbd: validate EaNameLength in smb2_get_ea()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31615
- usb: gadget: renesas_usb3: validate endpoint index in standard request
handlers
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31616
- usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31617
- usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31618
- fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31619
- ALSA: fireworks: bound device-supplied status before string array lookup
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43072
- drm/vc4: platform_get_irq_byname() returns an int
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31622
- NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31623
- net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31624
- HID: core: clamp report_size in s32ton() to avoid undefined shift
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31625
- HID: alps: fix NULL pointer dereference in alps_raw_event()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31626
- staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31627
- i2c: s3c24xx: check the size of the SMBUS message before using it
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31532
- can: raw: fix ro->uniq use-after-free in raw_rcv()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31629
- nfc: llcp: add missing return after LLCP_CLOSED checks
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31407
- netfilter: conntrack: add missing netlink policy validations
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43079
- perf/x86/intel/uncore: Skip discovery table for offline dies
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43080
- l2tp: Drop large packets with UDP encap
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43345
- net: ipa: fix event ring index not programmed for IPA v5.0+
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43081
- net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31673
- af_unix: read UNIX_DIAG_VFS data under unix_state_lock
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43082
- net: txgbe: leave space for null terminators on property_entry
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31681
- netfilter: xt_multiport: validate range encoding in checkentry
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43085
- netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43086
- ipvs: fix NULL deref in ip_vs_add_service error path
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43089
- xfrm_user: fix info leak in build_mapping()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43091
- xfrm: Wait for RCU readers during policy netns exit
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43092
- xsk: validate MTU against usable frame size on bind
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43093
- xsk: tighten UMEM headroom validation to account for tailroom and min
frame
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43094
- ixgbevf: add missing negotiate_features op to Hyper-V ops table
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43098
- nfc: s3fwrn5: allocate rx skb before consuming bytes
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43099
- ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43103
- net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-31684
- net: sched: act_csum: validate nested VLAN headers
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43074
- eventpoll: defer struct eventpoll free to RCU grace period
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43104
- drm/vc4: Fix a memory leak in hang state error path
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43105
- drm/vc4: Fix memory leak of BO array in hang state
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43110
- wifi: brcmfmac: validate bsscfg indices in IF events
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43111
- HID: roccat: fix use-after-free in roccat_report_event
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43112
- fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43113
- wifi: wl1251: validate packet IDs before indexing tx_frames
* Noble update: upstream stable patchset 2026-06-10 (LP: #2156373) //
CVE-2026-43120
- RDMA/irdma: Fix double free related to rereg_user_mr
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149)
- vfio/pci: Use unmap_mapping_range()
- gfs2: Improve gfs2_consist_inode() usage
- Input: uinput - take event lock when submitting FF request "event"
- MIPS: Always record SEGBITS in cpu_data.vmbits
- MIPS: mm: Suppress TLB uniquification on EHINV hardware
- MIPS: mm: Rewrite TLB uniquification for the hidden bit feature
- virtio_net: clamp rss_max_key_size to NETDEV_RSS_KEY_LEN
- Revert "mptcp: add needs_id for netlink appending addr"
- netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR
- Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower"
- arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
- arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity
- arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges
- net/mlx5: Update the list of the PCI supported devices
- net: qualcomm: qca_uart: report the consumed byte on RX skb allocation
failure
- rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
- rxrpc: Fix missing error checks for rxkad encryption/decryption failure
- Revert "PCI: Enable ACS after configuring IOMMU for OF platforms"
- usb: typec: ucsi: skip connector validation before init
- drm/i915/psr: Do not use pipe_src as borders for SU area
- rxrpc: Fix anonymous key handling
- ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
- rxrpc: Fix rxkad crypto unalignment handling
- Upstream stable to v6.6.134, v6.6.135, v6.12.82
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31429
- net: skb: fix cross-cache free of KFENCE-allocated skb head
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31645
- net: lan966x: fix page pool leak in error paths
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-23302
- net: annotate data-races around sk->sk_{data_ready,write_space}
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-23330
- nfc: nci: complete pending data exchange on device close
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-23374
- blktrace: fix __this_cpu_read/write in preemptible context
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31634
- rxrpc: fix reference count leak in rxrpc_server_keyring()
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31638
- rxrpc: Only put the call ref if one was acquired
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31639
- rxrpc: Fix key reference count leak from call->key
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31642
- rxrpc: Fix call removal to use RCU safe deletion
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31646
- net: lan966x: fix page_pool error handling in
lan966x_fdma_rx_alloc_page_pool()
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31648
- mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31651
- mmc: vub300: fix NULL-deref on disconnect
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31655
- pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31656
- drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31658
- net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31689
- EDAC/mc: Fix error path ordering in edac_mc_alloc()
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31430
- X.509: Fix out-of-bounds access when parsing extensions
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31660
- nfc: pn533: allocate rx skb before consuming bytes
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31661
- wifi: brcmsmac: Fix dma_free_coherent() size
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31662
- tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31664
- xfrm: clear trailing padding in build_polexpire()
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31665
- netfilter: nft_ct: fix use-after-free in timeout object destroy
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31667
- Input: uinput - fix circular locking dependency with ff-core
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31670
- net: rfkill: prevent unlimited numbers of rfkill events from being
created
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31671
- xfrm_user: fix info leak in build_report()
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-31672
- wifi: rt2x00usb: fix devres lifetime
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2026-43336
- lib/crypto: chacha: Zeroize permuted_state before it leaves scope
* Noble update: upstream stable patchset 2026-06-09 (LP: #2156149) //
CVE-2025-54505 // CVE-2026-31628
- x86/CPU: Fix FPDSS on Zen1
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958)
- Revert "rust: pin-init: internal: init: document load-bearing fact of
field accessors"
- arm64/scs: Fix handling of advance_loc4
- HID: logitech-hidpp: Enable MX Master 4 over bluetooth
- btrfs: don't take device_list_mutex when querying zone info
- tg3: replace placeholder MAC address with device property
- objtool: Fix Clang jump table detection
- i2c: tegra: Don't mark devices with pins as IRQ safe
- spi: geni-qcom: Check DMA interrupts early in ISR
- dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix
common property warning
- wifi: ath11k: Pass the correct value of each TID during a stop AMPDU
session
- net: fec: fix the PTP periodic output sysfs interface
- tg3: Fix race for querying speed/duplex
- net: sfp: Fix Ubiquiti U-Fiber Instant SFP module on mvneta
- net: enetc: check whether the RSS algorithm is Toeplitz
- ASoC: ep93xx: Fix unchecked clk_prepare_enable() and add rollback on
failure
- net: introduce mangleid_features
- net: xilinx: axienet: Correct BD length masks to match AXIDMA IP spec
- netfilter: ipset: use nla_strcmp for IPSET_ATTR_NAME attr
- netfilter: nf_conntrack_expect: honor expectation helper field
- netfilter: nf_conntrack_expect: store netns and zone in expectation
- Bluetooth: hci_sync: call destroy in hci_cmd_sync_run if immediate
- net/mlx5: Avoid "No data available" when FW version queries fail
- net: hsr: fix VLAN add unwind on slave errors
- iio: imu: bno055: fix BNO055_SCAN_CH_COUNT off by one
- hwmon: (pxe1610) Check return value of page-select write in probe
- hwmon: (ltc4286) Add missing MODULE_IMPORT_NS("PMBUS")
- dt-bindings: gpio: fix microchip #interrupt-cells
- hwmon: (tps53679) Fix device ID comparison and printing in
tps53676_identify()
- hwmon: (occ) Fix missing newline in occ_show_extended()
- mips: ralink: update CPU clock index
- sched/fair: Fix zero_vruntime tracking fix
- riscv: kgdb: fix several debug register assignment bugs
- USB: serial: option: add MeiG Smart SRM825WN
- MIPS: SiByte: Bring back cache initialisation
- MIPS: Fix the GCC version check for `__multi3' workaround
- mips: mm: Allocate tlb_vpn array atomically
- iio: adc: ti-adc161s626: fix buffer read on big-endian
- drm/ast: dp501: Fix initialization of SCU2C
- drm/i915/dp: Use crtc_state->enhanced_framing properly on ivb/hsw CPU
eDP
- drm/amdgpu/pm: drop SMU driver if version not matched messages
- USB: serial: io_edgeport: add support for Blackbox IC135A
- USB: serial: option: add support for Rolling Wireless RW135R-GL
- USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam
- Input: synaptics-rmi4 - fix a locking bug in an error path
- Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042 quirk
table
- Input: bcm5974 - recover from failed mode switch
- Input: xpad - add support for BETOP BTP-KP50B/C controller's wireless
mode
- Input: xpad - add support for Razer Wolverine V3 Pro
- iio: adc: aspeed: clear reference voltage bits before configuring vref
- iio: accel: fix ADXL355 temperature signature value
- iio: dac: ad5770r: fix error return in ad5770r_read_raw()
- iio: light: vcnl4035: fix scan buffer on big-endian
- iio: imu: bmi160: Remove potential undefined behavior in
bmi160_config_pin()
- iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only
- iio: gyro: mpu3050: Fix out-of-sequence free_irq()
- usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive
- usb: ehci-brcm: fix sleep during atomic
- cdc-acm: new quirk for EPSON HMD
- firmware: microchip: fail auto-update probe if no flash found
- dt-bindings: connector: add pd-disable dependency
- nvmem: imx: assign nvmem_cell_info::raw_len
- gpio: mxc: map Both Edge pad wakeup to Rising Edge
- thunderbolt: Fix property read in nhi_wake_supported()
- usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows
partial transfer
- btrfs: fix the qgroup data free range for inline data extents
- usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
- spi: cadence-qspi: Fix exec_mem_op error handling
- drm/amd/pm: disable OD_FAN_CURVE if temp or pwm range invalid for smu
v13
- s390/perf_cpum_sf: Convert to use try_cmpxchg128()
- s390/cpum_sf: Cap sampling rate to prevent lsctl exception
- MPTCP: fix lock class name family in pm_nl_create_listen_socket
- drm/amd/amdgpu: decouple ASPM with pcie dpm
- drm/amd/amdgpu: disable ASPM in some situations
- drm/amd/display: Disable fastboot on DCE 6 too
- drm/amd/display: Keep PLL0 running on DCE 6.0 and 6.4
- drm/amd/display: Fix DCE 6.0 and 6.4 PLL programming.
- drm/amd/display: Adjust DCE 8-10 clock, don't overclock by 15%
- drm/amd/display: Disable scaling on DCE6 for now
- drm/amd: Disable ASPM on SI
- drm/amd/display: Correct logic check error for fastboot
- bpf: Improve bounds when s64 crosses sign boundary
- selftests/bpf: Test cross-sign 64bits range refinement
- selftests/bpf: Test invariants on JSLT crossing sign
- bpf: Add third round of bounds deduction
- selftests/bpf: test refining u32/s32 bounds when ranges cross min/max
boundary
- arm64/scs: Fix potential sign extension issue of advance_loc4
- usb: ulpi: fix memory leak on ulpi_register() error paths
- Upstream stable to v6.6.132, v6.6.133, v6.12.81
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2025-62626
- x86/CPU/AMD: Add additional fixed RDSEED microcode revisions
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31450
- ext4: publish jinode after initialization
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31466
- mm/huge_memory: fix folio isn't locked in softleaf_to_folio()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43054
- scsi: target: tcm_loop: Drain commands in target_reset handler
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43056
- net: mana: fix use-after-free in add_adev() error path
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43057
- net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31695
- wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31720
- usb: gadget: f_uac1_legacy: validate control request size
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31721
- usb: gadget: f_hid: move list and spinlock inits from bind to alloc
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31722
- usb: gadget: f_rndis: Fix net_device lifecycle with device_move
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31723
- usb: gadget: f_subset: Fix net_device lifecycle with device_move
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31724
- usb: gadget: f_eem: Fix net_device lifecycle with device_move
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31725
- usb: gadget: f_ecm: Fix net_device lifecycle with device_move
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43342
- usb: gadget: f_rndis: Protect RNDIS options with mutex
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43343
- usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31726
- usb: gadget: uvc: fix NULL pointer dereference during unbind race
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31728
- usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2025-71269
- btrfs: do not free data reservation in fallback from inline due to
-ENOSPC
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-23389
- ice: Fix memory leak in ice_set_ringparam()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31729
- usb: typec: ucsi: validate connector number in ucsi_notify_common()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43324
- USB: dummy-hcd: Fix interrupt synchronization error
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43327
- USB: dummy-hcd: Fix locking/synchronization error
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31730
- misc: fastrpc: possible double-free of cctx->remote_heap
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43332
- thermal: core: Fix thermal zone device registration error path
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43328
- cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error
path
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31737
- net: ftgmac100: fix ring allocation unwind on open failure
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31738
- vxlan: validate ND option lengths in vxlan_na_create
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31740
- counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31741
- counter: rz-mtu3-cnt: prevent counter from being toggled multiple times
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31747
- comedi: me4000: Fix potential overrun of firmware buffer
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31748
- comedi: me_daq: Fix potential overrun of firmware buffer
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31749
- comedi: ni_atmio16d: Fix invalid clean-up after failed attach
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43340
- comedi: Reinit dev->spinlock between attachments to low-level drivers
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31751
- comedi: dt2815: add hardware detection to prevent crash
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31752
- bridge: br_nd_send: validate ND option lengths
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31754
- usb: cdns3: gadget: fix state inconsistency on gadget init failure
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31755
- usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31756
- usb: dwc2: gadget: Fix spin_lock/unlock mismatch in
dwc2_hsotg_udc_stop()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31758
- usb: usbtmc: Flush anchored URBs in usbtmc_release
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31759
- usb: ulpi: fix double free in ulpi_register_interface() error path
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31761
- iio: gyro: mpu3050: Move iio_device_register() to correct location
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31762
- iio: gyro: mpu3050: Fix irq resource leak
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31763
- iio: gyro: mpu3050: Fix incorrect free_irq() variable
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31767
- drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31768
- iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31770
- hwmon: (occ) Fix division by zero in occ_show_power_1()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31432
- ksmbd: fix OOB write in QUERY_INFO for compound requests
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31772
- Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43334
- Bluetooth: SMP: force responder MITM requirements before building the
pairing response
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31773
- Bluetooth: SMP: derive legacy responder STK authentication from MITM
state
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31776
- ALSA: ctxfi: Fix missing SPDIFI1 index handling
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31778
- ALSA: caiaq: fix stack out-of-bounds read in init_card
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31779
- wifi: iwlwifi: mvm: fix potential out-of-bounds read in
iwl_mvm_nd_match_info_handler()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31780
- wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31781
- drm/ioc32: stop speculation on the drm_compat_ioctl path
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43007
- accel/qaic: Handle DBC deactivation if the owner went away
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43333
- bpf: reject direct access to nullable PTR_TO_BUF pointers
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31415
- ipv6: avoid overflows in ip6_datagram_send_ctl()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31422
- net/sched: cls_flow: fix NULL pointer dereference on shared blocks
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31421
- net/sched: cls_fw: fix NULL pointer dereference on shared blocks
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31417
- net/x25: Fix overflow when accumulating packets
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43012
- net/mlx5: Fix switchdev mode rollback in case of failure
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43013
- net/mlx5: lag: Check for LAG device before creating debugfs
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43014
- net: macb: properly unregister fixed rate clocks
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43015
- net: macb: fix clk handling on PCI glue driver removal
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31675
- net/sched: sch_netem: fix out-of-bounds access in packet corruption
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43016
- bpf: sockmap: Fix use-after-free of sk->sk_socket in
sk_psock_verdict_data_ready().
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31425
- rds: ib: reject FRMR registration before IB connection is established
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43017
- Bluetooth: MGMT: validate mesh send advertising payload length
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43018
- Bluetooth: hci_event: fix potential UAF in
hci_le_remote_conn_param_req_evt
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43019
- Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43020
- Bluetooth: MGMT: validate LTK enc_size on load
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43023
- Bluetooth: SCO: fix race conditions in sco_sock_connect()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43024
- netfilter: nf_tables: reject immediate NF_QUEUE verdict
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31424
- netfilter: x_tables: restrict xt_check_match/xt_check_target extensions
for NFPROTO_ARP
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43025
- netfilter: ctnetlink: ignore explicit helper on new expectations
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31414
- netfilter: nf_conntrack_expect: use expect->helper
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43026
- netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43027
- netfilter: nf_conntrack_helper: pass helper to expect cleanup
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43028
- netfilter: x_tables: ensure names are nul-terminated
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31416
- netfilter: nfnetlink_log: account for netlink header size
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43329
- netfilter: flowtable: strictly check for maximum number of actions
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31680
- net: ipv6: flowlabel: defer exclusive option free until RCU teardown
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43030
- bpf: Fix regsafe() for pointers to packet
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43032
- NFC: pn533: bound the UART receive buffer
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43035
- net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to
zero to prevent an info-leak
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43036
- net: use skb_header_pointer() for TCPv4 GSO frag_off check
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43339
- ipv6: prevent possible UaF in addrconf_permanent_addr()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-31423
- net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43040
- net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX
fields to zero to prevent an info-leak
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43041
- net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory
leak
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43043
- crypto: af-alg - fix NULL pointer dereference in scatterwalk
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43330
- crypto: caam - fix overflow on long hmac keys
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43044
- crypto: caam - fix DMA corruption on long hmac keys
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43046
- btrfs: reject root items with drop_progress and zero drop_level
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43338
- btrfs: reserve enough transaction items for qgroup ioctls
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43047
- HID: multitouch: Check to ensure report responses match the request
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43049
- HID: logitech-hidpp: Prevent use-after-free on force feedback
initialisation failure
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43050
- atm: lec: fix use-after-free in sock_def_readable()
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43051
- HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
* Noble update: upstream stable patchset 2026-06-08 (LP: #2155958) //
CVE-2026-43052
- wifi: mac80211: check tdls flag in ieee80211_tdls_oper
* Noble update: upstream stable patchset 2026-06-05 (LP: #2155660)
- perf: Extract a few helpers
- perf: Make sure to use pmu_ctx->pmu for groups
- cxl/hdm: Avoid incorrect DVSEC fallback when HDM decoders are enabled
- hwmon: (axi-fan-control) Use device firmware agnostic API
- hwmon: (axi-fan-control) Make use of dev_err_probe()
- hwmon: axi-fan: don't use driver_override as IRQ name
- sh: platform_early: remove pdev->driver_override check
- bpf: Release module BTF IDR before module unload
- bpf: Fix undefined behavior in interpreter sdiv/smod for INT_MIN
- HID: asus: avoid memory leak in asus_report_fixup()
- platform/x86: intel-hid: Add Dell 14 Plus 2-in-1 to dmi_vgbs_allow_list
- nvme-pci: cap queue creation to used queues
- nvme-fabrics: use kfree_sensitive() for DHCHAP secrets
- platform/x86: intel-hid: Enable 5-button array on ThinkPad X1 Fold 16
Gen 1
- platform/x86: touchscreen_dmi: Add quirk for y-inverted Goodix
touchscreen on SUPI S10
- nvme-pci: ensure we're polling a polled queue
- HID: magicmouse: fix battery reporting for Apple Magic Trackpad 2
- HID: magicmouse: avoid memory leak in magicmouse_report_fixup()
- net: usb: r8152: add TRENDnet TUC-ET2G
- HID: mcp2221: cancel last I2C command on read error
- HID: asus: add xg mobile 2023 external hardware support
- module: Fix kernel panic when a symbol st_shndx is out of bounds
- ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_set_reg()
- ASoC: fsl_easrc: Fix event generation in fsl_easrc_iec958_put_bits()
- dma-buf: Include ioctl.h in UAPI header
- HID: apple: avoid memory leak in apple_report_fixup()
- btrfs: set BTRFS_ROOT_ORPHAN_CLEANUP during subvol create
- ALSA: hda/realtek: add HP Laptop 14s-dr5xxx mute LED quirk
- ALSA: hda/realtek: Add headset jack quirk for Thinkpad X390
- objtool: Handle Clang RSP musical chairs
- usb: core: new quirk to handle devices with zero configurations
- spi: intel-pci: Add support for Nova Lake mobile SPI flash
- xfrm: call xdo_dev_state_delete during state update
- xfrm: Fix the usage of skb->sk
- esp: fix skb leak with espintcp and async crypto
- af_key: validate families in pfkey_send_migrate()
- dma: swiotlb: add KMSAN annotations to swiotlb_bounce()
- can: statistics: add missing atomic access in hot path
- Bluetooth: L2CAP: Validate PDU length before reading SDU length in
l2cap_ecred_data_rcv()
- Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing
sock_hold
- Bluetooth: hci_ll: Fix firmware leak on error path
- Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
- pinctrl: mediatek: common: Fix probe failure for devices without EINT
- ionic: fix persistent MAC address override on PF
- nfc: nci: fix circular locking dependency in nci_close_device
- net: openvswitch: Avoid releasing netdev before teardown completes
- openvswitch: defer tunnel netdev_put to RCU release
- openvswitch: validate MPLS set/set_masked payload length
- net/smc: fix double-free of smc_spd_priv when tee() duplicates splice
pipe buffer
- rtnetlink: count IFLA_INFO_SLAVE_KIND in if_nlmsg_size
- platform/olpc: olpc-xo175-ec: Fix overflow error message to print inlen
- ice: use ice_update_eth_stats() for representor stats
- ipv6: Remove permanent routes from tb6_gc_hlist when all exceptions
expire.
- ipv6: Don't remove permanent routes with exceptions from tb6_gc_hlist.
- tcp: optimize inet_use_bhash2_on_bind()
- udp: Fix wildcard bind conflict check when using hash2
- net: enetc: fix the output issue of 'ethtool --show-ring'
- dma-mapping: add missing `inline` for `dma_free_attrs`
- Bluetooth: L2CAP: Fix send LE flow credits in ACL link
- Bluetooth: Remove 3 repeated macro definitions
- Bluetooth: hci_sync: Remove remaining dependencies of hci_request
- Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
- Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
- Bluetooth: btusb: clamp SCO altsetting table indices
- tls: Purge async_hold in tls_decrypt_async_wait()
- netfilter: nfnetlink_log: fix uninitialized padding leak in
NFULA_PAYLOAD
- netfilter: ip6t_rt: reject oversized addrnr in rt_mt6_check()
- netfilter: nf_conntrack_expect: skip expectations in other netns via
proc
- netfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in
process_sdp
- netfilter: ctnetlink: use netlink policy range checks
- net: macb: use the current queue number for stats
- regmap: Synchronize cache for the page selector
- RDMA/rw: Fall back to direct SGE on MR pool exhaustion
- RDMA/irdma: Initialize free_qp completion before using it
- RDMA/irdma: Update ibqp state to error if QP is already in error state
- RDMA/irdma: Remove a NOP wait_event() in irdma_modify_qp_roce()
- RDMA/irdma: Clean up unnecessary dereference of event->cm_node
- RDMA/irdma: Remove reset check from irdma_modify_qp_to_err()
- RDMA/irdma: Fix deadlock during netdev reset with active connections
- RDMA/irdma: Return EINVAL for invalid arp index error
- scsi: scsi_transport_sas: Fix the maximum channel scanning issue
- x86/efi: efi_unmap_boot_services: fix calculation of ranges_to_free size
- drm/i915/gmbus: fix spurious timeout on 512-byte burst reads
- PM: hibernate: Don't ignore return from set_memory_ro()
- PM: hibernate: Drain trailing zero pages on userspace restore
- spi: sn-f-ospi: Fix resource leak in f_ospi_probe()
- ASoC: Intel: catpt: Fix the device initialization
- ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
- drm/amdgpu: Fix fence put before wait in amdgpu_amdkfd_submit_ib
- hwmon: (adm1177) fix sysfs ABI violation and current unit conversion
- sysctl: fix uninitialized variable in proc_do_large_bitmap
- ASoC: adau1372: Fix unchecked clk_prepare_enable() return value
- ASoC: adau1372: Fix clock leak on PLL lock failure
- spi: spi-fsl-lpspi: fix teardown order issue (UAF)
- s390/syscalls: Add spectre boundary for syscall dispatch table
- s390/barrier: Make array_index_mask_nospec() __always_inline
- ksmbd: fix potencial OOB in get_file_all_info() for compound requests
- ksmbd: do not expire session on binding failure
- ALSA: firewire-lib: fix uninitialized local variable
- ASoC: SOF: ipc4-topology: Allow bytes controls without initial payload
- can: gw: fix OOB heap access in cgw_csum_crc8_rel()
- can: isotp: fix tx.buf use-after-free in isotp_sendmsg()
- cpufreq: conservative: Reset requested_freq on limits change
- platform/x86: ISST: Correct locked bit width
- KVM: arm64: Discard PC update state on vcpu reset
- hwmon: (pmbus/isl68137) Add mutex protection for AVS enable sysfs
attributes
- hwmon: (peci/cputemp) Fix crit_hyst returning delta instead of absolute
temperature
- hwmon: (peci/cputemp) Fix off-by-one in cputemp_is_visible()
- media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
- virtio_net: Fix UAF on dst_ops when IFF_XMIT_DST_RELEASE is cleared and
napi_tx is false
- s390/entry: Scrub r12 register on kernel entry
- erofs: add GFP_NOIO in the bio completion if needed
- alarmtimer: Fix argument order in alarm_timer_forward()
- scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
- scsi: ses: Handle positive SCSI error from ses_recv_diag()
- net: macb: Use dev_consume_skb_any() to free TX SKBs
- KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO
SPTE
- jbd2: gracefully abort on checkpointing state corruptions
- irqchip/qcom-mpm: Add missing mailbox TX done acknowledgment
- dmaengine: sh: rz-dmac: Protect the driver specific lists
- dmaengine: sh: rz-dmac: Move CHCTRL updates under spinlock
- LoongArch: Workaround LS2K/LS7A GPU DMA hang bug
- xfs: stop reclaim before pushing AIL during unmount
- xfs: fix ri_total validation in xlog_recover_attri_commit_pass2
- ext4: fix journal credit check when setting fscrypt context
- ext4: convert inline data to extents when truncate exceeds inline size
- ext4: fix fsync(2) for nojournal mode
- ext4: make recently_deleted() properly work with lazy itable
initialization
- ext4: replace BUG_ON with proper error handling in
ext4_read_inline_folio
- ext4: avoid allocate block from corrupted group in
ext4_mb_find_by_goal()
- ext4: reject mount if bigalloc with s_first_data_block != 0
- ext4: fix use-after-free in update_super_work when racing with umount
- ext4: fix the might_sleep() warnings in kvfree()
- ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths
- ext4: always drain queued discard work in ext4_mb_release()
- arm64: dts: imx8mn-tqma8mqnl: fix LDO5 power off
- powerpc64/bpf: do not increment tailcall count when prog is NULL
- ksmbd: fix memory leaks and NULL deref in smb2_lock()
- tracing: Switch trace_osnoise.c code over to use guard() and __free()
- tracing: Fix potential deadlock in cpu hotplug with osnoise
- mtd: spi-nor: core: avoid odd length/address reads on 8D-8D-8D mode
- mtd: spi-nor: core: avoid odd length/address writes in 8D-8D-8D mode
- libbpf: Fix -Wdiscarded-qualifiers under C23
- mm/damon/sysfs: check contexts->nr before accessing contexts_arr[0]
- xfs: avoid dereferencing log items after push callbacks
- xfs: save ailp before dropping the AIL lock in push callbacks
- dmaengine: idxd: Fix not releasing workqueue on .release()
- dmaengine: idxd: Fix memory leak when a wq is reset
- phy: ti: j721e-wiz: Fix device node reference leak in
wiz_get_lane_phy_types()
- dmaengine: dw-edma: Fix multiple times setting of the CYCLE_STATE and
CYCLE_BIT bits for HDMA.
- dmaengine: xilinx: xdma: Fix regmap init error handling
- dmaengine: xilinx: xilinx_dma: Fix dma_device directions
- dmaengine: xilinx: xilinx_dma: Fix residue calculation for cyclic DMA
- dmaengine: xilinx: xilinx_dma: Fix unmasked residue subtraction
- dmaengine: xilinx_dma: Fix reset related timeout with two-channel AXIDMA
- btrfs: fix super block offset in error message in btrfs_validate_super()
- btrfs: fix leak of kobject name for sub-group space_info
- btrfs: fix lost error when running device stats on multiple devices fs
- dmaengine: idxd: Fix freeing the allocated ida too late
- futex: Clear stale exiting pointer in futex_lock_pi() retry path
- ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter
- kexec: Consolidate machine_kexec_mask_interrupts() implementation
- [Config] Enable GENERIC_IRQ_KEXEC_CLEAR_VM_FORWARD by default.
- kexec: Include kernel-end even without crashkernel
- powerpc/kexec/core: use big-endian types for crash variables
- drm/msm/dsi: fix hdisplay calculation when programming dsi registers
- perf disasm: Fix off-by-one bug in outside check
- net/mlx5: Fix crash when moving to switchdev mode
- bonding: add ESP offload features when slaves support
- bonding: Correctly support GSO ESP offload
- net: add a common function to compute features for upper devices
- bonding: use common function to compute the features
- bonding: fix type confusion in bond_setup_by_slave()
- xdp: allow attaching already registered memory model to xdp_rxq_info
- net: add generic percpu page_pool allocator
- net: do not consume a cacheline for system_page_pool
- xdp: register system page pool as an XDP memory model
- net: add xmit recursion limit to tunnel xmit functions
- net: prevent NULL deref in ip[6]tunnel_xmit()
- ata: libata-core: Add BRIDGE_OK quirk for QEMU drives
- usb: typec: altmode/displayport: set displayport signaling rate in
configure message
- rust: kbuild: allow `unused_features`
- ceph: add a bunch of missing ceph_path_info initializers
- drm/amd/pm: remove invalid gpu_metrics.energy_accumulator on smu v13.0.x
- tracing: Fix enabling multiple events on the kernel command line and
bootconfig
- qmi_wwan: allow max_mtu above hard_mtu to control rx_urb_size
- xfs: fix returned valued from xfs_defer_can_append
- iio: imu: inv_icm42600: add support of ICM-42686-P
- iio: imu: inv_icm42600: fix odr switch when turning buffer off
- perf/x86/intel/uncore: Support more units on Granite Rapids
- perf/x86/intel/uncore: Add per-scheduler IMC CAS count events
- cleanup: Provide retain_and_null_ptr()
- usb: gadget: f_ncm: Fix net_device lifecycle with device_move
- KVM: x86: Co-locate initialization of feature MSRs in
kvm_arch_vcpu_create()
- KVM: x86: Quirk initialization of feature MSRs to KVM's max
configuration
- KVM: x86: do not allow re-enabling quirks
- KVM: x86: Allow vendor code to disable quirks
- KVM: x86: Introduce supported_quirks to block disabling quirks
- KVM: x86: Remove VMX support for virtualizing guest MTRR memtypes
- KVM: VMX: Drop support for forcing UC memory when guest CR0.CD=1
- KVM: x86: Introduce Intel specific quirk KVM_X86_QUIRK_IGNORE_GUEST_PAT
- KVM: nVMX: Add consistency checks for CR0.WP and CR4.CET
- KVM: x86: Introduce KVM_X86_QUIRK_VMCS12_ALLOW_FREEZE_IN_SMM
- drm/xe/sync: Cleanup partially initialized sync on parse failure
- ice: fix devlink reload call trace
- io_uring/uring_cmd: fix too strict requirement on ioctl
- erofs: fix inline data read failure for ztailpacking pclusters
- mm: merge folio_is_secretmem() and folio_fast_pin_allowed() into
gup_fast_folio_allowed()
- mm: thp: deny THP for files on anonymous inodes
- sched/fair: Fix zero_vruntime tracking
- mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN stations
- drm/i915/dsc: Add Selective Update register definitions
- drm/imagination: Fix deadlock in soft reset sequence
- ata: libata-scsi: Return residual for emulated SCSI commands
- ata: libata-scsi: report correct sense field pointer in
ata_scsiop_maint_in()
- soc: microchip: mpfs: Fix memory leak in mpfs_sys_controller_probe()
- firmware: arm_ffa: Remove vm_id argument in ffa_rxtx_unmap()
- Bluetooth: MGMT: Fix list corruption and UAF in command complete
handlers
- nf_tables: nft_dynset: fix possible stateful expression memleak in error
path
- bonding: prevent potential infinite loop in bond_header_parse()
- drm/i915/psr: Compute PSR entry_setup_frames into intel_crtc_state
- perf/x86/intel: Add missing branch counters constraint apply
- Revert "LoongArch: Add machine_kexec_mask_interrupts() implementation"
- cxl/port: Fix use after free of parent_port in cxl_detach_ep()
- driver core: generalize driver_override in struct device
- driver core: platform: use generic driver_override infrastructure
- bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR
- HID: apple: Add EPOMAKER TH87 to the non-apple keyboards list
- kbuild: install-extmod-build: Package resolve_btfids if necessary
- nvmet: move async event work off nvmet-wq
- ALSA: hda/realtek: add quirk for ASUS UM6702RC
- i3c: master: dw-i3c: Fix missing of_node for virtual I2C adapter
- xfrm: add missing extack for XFRMA_SA_PCPU in add_acquire and allocspi
- xfrm: fix the condition on x->pcpu_num in xfrm_sa_len
- xfrm: prevent policy_hthresh.work from racing with netns teardown
- Bluetooth: MGMT: Fix dangling pointer on
mgmt_add_adv_patterns_monitor_complete
- net: bcmasp: remove eee_enabled/eee_active in bcmasp_get_eee()
- net: bcm: asp2: fix LPI timer handling
- net: bcm: asp2: remove tx_lpi_enabled
- net: bcmasp: Add support for ASP 2.2
- net: bcm: asp2: convert to phylib managed EEE
- net: bcmasp: Remove support for asp-v2.0
- net: bcmasp: streamline early exit in probe
- net: bcmasp: fix double free of WoL irq
- net: bcmasp: Add support for asp-v3.0
- net: bcmasp: fix double disable of clk
- platform/x86: intel-hid: disable wakeup_mode during hibernation
- iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
- team: fix header_ops type confusion with non-Ethernet ports
- ALSA: hda/realtek: Sequence GPIO2 on Star Labs StarFighter
- spi: meson-spicc: Fix double-put in remove path
- drm/amd/display: Do not skip unrelated mode changes in DSC validation
- spi: Group CS related fields in struct spi_device
- spi: use generic driver_override infrastructure
- hwmon: (pmbus/core) Fix various coding style issues
- hwmon: (pmbus) Mark lowest/average/highest/rated attributes as read-only
- hwmon: (pmbus) Introduce the concept of "write-only" attributes
- x86/cpu: Enable FSGSBASE early in cpu_init_exception_handling()
- ovl: fix wrong detection of 32bit inode numbers
- net: macb: Move devm_{free,request}_irq() out of spin lock area
- dmaengine: fsl-edma: change to guard(mutex) within fsl_edma3_xlate()
- dmaengine: fsl-edma: fix channel parameter config for fixed channel
requests
- LoongArch: Fix missing NULL checks for kstrdup()
- xfs: scrub: unlock dquot before early return in quota scrub
- ext4: validate p_idx bounds in ext4_ext_correct_indexes
- LoongArch: vDSO: Emit GNU_EH_FRAME correctly
- spi: tegra210-quad: Protect curr_xfer check in IRQ handler
- media: nxp: imx8-isi: Fix streaming cleanup on release
- rust: pin-init: internal: init: document load-bearing fact of field
accessors
- ovl: Use str_on_off() helper in ovl_show_options()
- ovl: make fsync after metadata copy-up opt-in mount option
- virt: tdx-guest: Fix handling of host controlled 'quote' buffer length
- net: add proper RCU protection to /proc/net/ptype
- landlock: Optimize file path walks and prepare for audit support
- landlock: Fix handling of disconnected directories
- idpf: check error for register_netdev() on init
- idpf: detach and close netdevs while handling a reset
- idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
- idpf: Fix RSS LUT NULL ptr issue after soft reset
- ASoC: ak4458: Convert to RUNTIME_PM_OPS() & co
- netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
- xen/privcmd: unregister xenstore notifier on module exit
- futex: Require sys_futex_requeue() to have identical flags
- dmaengine: idxd: Fix leaking event log memory
- net: bcmasp: Restore programming of TX map vector register
- net: bcmasp: Fix network filter wake for asp-3.0
- idpf: nullify pointers after they are freed
- Upstream stable to v6.6.131, v6.12.78, v6.12.79, v6.12.80
* Noble update: upstream stable patchset 2026-05-28 (LP: #2154496)
- drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release
- drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
- drm/logicvc: Fix device node reference leak in
logicvc_drm_config_parse()
- irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
- scsi: lpfc: Properly set WC for DPP mapping
- scsi: pm8001: Fix use-after-free in pm8001_queue_command()
- ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices
- rseq: Clarify rseq registration rseq_size bound check comment
- scsi: ufs: core: Move link recovery for hibern8 exit failure to
wl_resume
- ALSA: usb-audio: Cap the packet size pre-calculations
- ALSA: usb-audio: Use inclusive terms
- perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
- ALSA: pci: hda: use snd_kcontrol_chip()
- ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put()
- btrfs: fix incorrect key offset in error message in
check_dev_extent_item()
- btrfs: fix objectid value in error message in check_extent_data_ref()
- btrfs: fix warning in scrub_verify_one_metadata()
- btrfs: fix compat mask in error messages in btrfs_check_features()
- bpf: Fix stack-out-of-bounds write in devmap
- PCI: Correct PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value
- memory: mtk-smi: fix device leaks on common probe
- memory: mtk-smi: fix device leak on larb probe
- resource: Add resource set range and size helpers
- PCI: Use resource_set_range() that correctly sets ->end
- KVM: x86: Rename KVM_MSR_RET_INVALID to KVM_MSR_RET_UNSUPPORTED
- media: tegra-video: Fix memory leak in __tegra_channel_try_format()
- KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject
- KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
- drm/tegra: dsi: fix device leak on probe
- ext4: get rid of ppath in ext4_split_extent_at()
- ext4: subdivide EXT4_EXT_DATA_VALID1
- ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1
- ext4: get rid of ppath in ext4_split_extent()
- ext4: get rid of ppath in ext4_split_convert_extents()
- ext4: get rid of ppath in ext4_convert_unwritten_extents_endio()
- ext4: get rid of ppath in ext4_ext_convert_to_initialized()
- ext4: get rid of ppath in ext4_ext_handle_unwritten_extents()
- ext4: correct the comments place for EXT4_EXT_MAY_ZEROOUT
- ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting
I/O
- ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
- ext4: drop extent cache when splitting extent fails
- mailbox: Use of_property_match_string() instead of open-coding
- mailbox: don't protect of_parse_phandle_with_args with con_mutex
- mailbox: sort headers alphabetically
- mailbox: remove unused header files
- mailbox: Use dev_err when there is error
- mailbox: Use guard/scoped_guard for con_mutex
- mailbox: Allow controller specific mapping using fwnode
- mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
- ext4: convert bd_bitmap_page to bd_bitmap_folio
- ext4: convert bd_buddy_page to bd_buddy_folio
- ext4: fix e4b bitmap inconsistency reports
- arm64: dts: rockchip: Fix rk356x PCIe range mappings
- clk: tegra: tegra124-emc: fix device leak on set_rate()
- usb: cdns3: remove redundant if branch
- usb: cdns3: call cdns_power_is_lost() only once in cdns_resume()
- usb: cdns3: fix role switching during resume
- drm/amd: Fix hang on amdgpu unload by using pci_dev_is_disconnected()
- ALSA: hda/conexant: Add quirk for HP ZBook Studio G4
- hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization
induced race
- ALSA: hda/conexant: Fix headphone jack handling on Acer Swift SF314
- net: arcnet: com20020-pci: fix support for 2.5Mbit cards
- eventpoll: Fix integer overflow in ep_loop_check_proc()
- media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
- nfc: pn533: properly drop the usb interface reference on disconnect
- net: usb: kaweth: validate USB endpoints
- net: usb: kalmia: validate USB endpoints
- net: usb: pegasus: validate USB endpoints
- can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a
message
- can: usb: f81604: correctly anchor the urb in the read bulk callback
- can: ucan: Fix infinite loop from zero-length messages
- can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
- can: usb: f81604: handle short interrupt urb messages properly
- can: usb: f81604: handle bulk write errors properly
- HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
- x86/efi: defer freeing of boot services memory
- platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
- platform/x86: dell-wmi: Add audio/mic mute key codes
- ALSA: usb-audio: Use correct version for UAC3 header validation
- wifi: radiotap: reject radiotap with unknown bits
- wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
- wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
- wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
- IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
- RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
- net/sched: ets: fix divide by zero in the offload path
- scsi: target: Fix recursive locking in __configfs_open_file()
- Squashfs: check metadata block offset is within range
- drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
- drbd: fix null-pointer dereference on local read error
- smb: client: fix cifs_pick_channel when channels are equally loaded
- smb: client: fix broken multichannel with krb5+signing
- smb: client: Don't log plaintext credentials in cifs_set_cifscreds
- scsi: core: Fix refcount leak for tagset_refcnt
- selftests: mptcp: more stable simult_flows tests
- selftests: mptcp: join: check removing signal+subflow endp
- ARM: clean up the memset64() C wrapper
- hwmon: (aht10) Add support for dht20
- hwmon: (aht10) Fix initialization commands for AHT20
- pinctrl: equilibrium: rename irq_chip function callbacks
- pinctrl: equilibrium: fix warning trace on load
- platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
- pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()
- hwmon: (it87) Check the it87_lock() return value
- e1000e: clear DPG_EN after reset to avoid autonomous power-gating
- drm/solomon: Fix page start when updating rectangle in page addressing
mode
- net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling
in ALE table
- xsk: Get rid of xdp_buff_xsk::xskb_list_node
- xsk: s/free_list_node/list_node/
- xsk: Fix fragment node deletion to prevent buffer leak
- xsk: Fix zero-copy AF_XDP fragment drop
- dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ
handler
- atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
- amd-xgbe: fix MAC_TCR_SS register width for 2.5G and 10M speeds
- can: bcm: fix locking for bcm_op runtime updates
- can: mcp251x: fix deadlock in error path of mcp251x_open
- rust: kunit: fix warning when !CONFIG_PRINTK
- kunit: tool: copy caller args in run_kernel to prevent mutation
- net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value
- bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is
loaded
- octeon_ep: Relocate counter updates before NAPI
- octeon_ep: avoid compiler and IQ/OQ reordering
- wifi: cw1200: Fix locking in error paths
- wifi: wlcore: Fix a locking bug
- wifi: mt76: mt7996: Fix possible oob access in
mt7996_mac_write_txwi_80211()
- wifi: mt76: Fix possible oob access in
mt76_connac2_mac_write_txwi_80211()
- indirect_call_wrapper: do not reevaluate function pointer
- net/rds: Fix circular locking dependency in rds_tcp_tune
- xen/acpi-processor: fix _CST detection using undersized evaluation
buffer
- bpf: export bpf_link_inc_not_zero.
- bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
- smb/client: fix buffer size for smb311_posix_qinfo in smb2_compound_op()
- smb/client: fix buffer size for smb311_posix_qinfo in
SMB311_posix_query_info()
- ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
- amd-xgbe: fix sleep while atomic on suspend/resume
- drm/sched: Fix kernel-doc warning for drm_sched_job_done()
- nvme: reject invalid pr_read_keys() num_keys values
- nvme: fix memory allocation in nvme_pr_read_keys()
- net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless
qdiscs
- net: nfc: nci: Fix zero-length proprietary notifications
- nfc: nci: free skb on nci_transceive early error paths
- nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
- nfc: rawsock: cancel tx_work before socket teardown
- net: stmmac: Fix error handling in VLAN add and delete paths
- net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error
in mtk_xdp_setup()
- net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
- net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
- net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
- net/sched: act_ife: Fix metalist update behavior
- xdp: use modulo operation to calculate XDP frag tailroom
- xsk: introduce helper to determine rxq->frag_size
- i40e: fix registering XDP RxQ info
- i40e: use xdp.frame_sz as XDP RxQ info frag_size
- xdp: produce a warning when calculated tailroom is negative
- selftest/arm64: Fix sve2p1_sigill() to hwcap test
- tracing: Add NULL pointer check to trigger_data_free()
- net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared
blocks
- net: tcp: accept old ack during closing
- scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT
- ACPI: PM: Save NVS memory on Lenovo G70-35
- scsi: mpi3mr: Add NULL checks when resetting request and reply queues
- unshare: fix unshare_fs() handling
- wifi: mac80211: set default WMM parameters on all links
- ACPI: OSI: Add DMI quirk for Acer Aspire One D255
- scsi: ses: Fix devices attaching to different hosts
- ASoC: amd: yc: Add ASUS EXPERTBOOK BM1503CDA to quirk table
- ASoC: cs42l43: Report insert for exotic peripherals
- scsi: ufs: core: Fix possible NULL pointer dereference in
ufshcd_add_command_trace()
- scsi: ufs: core: Fix shift out of bounds when MAXQ=32
- ALSA: usb-audio: Avoid implicit feedback mode on DIYINHK USB Audio 2.0
- ALSA: usb-audio: Check max frame size for implicit feedback mode, too
- powerpc/uaccess: Fix inline assembly for clang build on PPC32
- remoteproc: sysmon: Correct subsys_name_len type in QMI request
- powerpc: 83xx: km83xx: Fix keymile vendor prefix
- xprtrdma: Decrement re_receiving on the early exit paths
- net: dsa: realtek: rtl8365mb: remove ifOutDiscards from rx_packets
- drm/msm/dsi: Document DSC related pclk_rate and hdisplay calculations
- drm/msm/dsi: fix pclk rate calculation for bonded dsi
- bonding: handle BOND_LINK_FAIL, BOND_LINK_BACK as valid link states
- net/mlx5: IFC updates for disabled host PF
- net/mlx5: Query to see if host PF is disabled
- net/mlx5: Fix deadlock between devlink lock and esw->wq
- net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery
- net/sched: teql: fix NULL pointer dereference in iptunnel_xmit on TEQL
slave xmit
- ASoC: soc-core: drop delayed_work_pending() check before flush
- ASoC: soc-core: flush delayed work before removing DAIs and widgets
- ASoC: simple-card-utils: use __free(device_node) for device node
- ASoC: simple-card-utils: fix graph_util_is_ports0() for DT overlays
- net: sfp: improve Huawei MA5671a fixup
- serial: caif: hold tty->link reference in ldisc_open and ser_release
- mctp: i2c: fix skb memory leak in receive path
- can: hi311x: hi3110_open(): add check for hi3110_power_enable() return
value
- mctp: route: hold key->lock in mctp_flow_prepare_output()
- amd-xgbe: fix link status handling in xgbe_rx_adaptation
- amd-xgbe: prevent CRC errors during RX adaptation with AN disabled
- netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop()
- netfilter: x_tables: guard option walkers against 1-byte tail reads
- netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
- netfilter: nfnetlink_cthelper: fix OOB read in
nfnl_cthelper_dump_table()
- regulator: pca9450: Make IRQ optional
- regulator: pca9450: Correct interrupt type
- sched: idle: Make skipping governor callbacks more consistent
- nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set
- nvme-pci: Fix race bug in nvme_poll_irqdisable()
- i40e: fix src IP mask checks and memcpy argument names in cloud filter
- e1000/e1000e: Fix leak in DMA error cleanup
- ACPI: OSL: fix __iomem type on return from acpi_os_map_generic_address()
- ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock
acquisition
- ASoC: detect empty DMI strings
- net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled
- octeontx2-af: devlink: fix NIX RAS reporter recovery condition
- octeontx2-af: devlink: fix NIX RAS reporter to use RAS interrupt status
- usb: gadget: f_mass_storage: Fix potential integer overflow in
check_command_size_in_blocks()
- cgroup: fix race between task migration and iteration
- ALSA: pcm: fix use-after-free on linked stream runtime in
snd_pcm_drain()
- ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer
interfaces
- net: usb: lan78xx: fix silent drop of packets with checksum errors
- net: usb: lan78xx: fix TX byte statistics for small packets
- net: usb: lan78xx: skip LTM configuration for LAN7850
- ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK PM1503CDA
- KVM: SVM: Initialize AVIC VMCB fields if AVIC is enabled with in-kernel
APIC
- USB: add QUIRK_NO_BOS for video capture several devices
- usb/core/quirks: Add Huawei ME906S-device to wakeup quirk
- USB: ezcap401 needs USB_QUIRK_NO_BOS to function on 10gbs usb speed
- usb: xhci: Fix memory leak in xhci_disable_slot()
- usb: xhci: Prevent interrupt storm on host controller error (HCE)
- usb: yurex: fix race in probe
- usb: dwc3: pci: add support for the Intel Nova Lake -H
- usb: misc: uss720: properly clean up reference in uss720_probe()
- usb: core: don't power off roothub PHYs if phy_set_mode() fails
- usb: cdc-acm: Restore CAP_BRK functionnality to CH343
- usb: roles: get usb role switch from parent only for usb-b-connector
- USB: usbcore: Introduce usb_bulk_msg_killable()
- USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts
- USB: core: Limit the length of unkillable synchronous timeouts
- usb: class: cdc-wdm: fix reordering issue in read code path
- usb: renesas_usbhs: fix use-after-free in ISR during device removal
- usb: mdc800: handle signal and read racing
- usb: image: mdc800: kill download URB on timeout
- mm/tracing: rss_stat: ensure curr is false from kthread context
- mmc: mmci: Fix device_node reference leak in of_get_dml_pipe_index()
- mm/kfence: disable KFENCE upon KASAN HW tags enablement
- mmc: core: Avoid bitfield RMW for claim/retune flags
- ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start
- tipc: fix divide-by-zero in tipc_sk_filter_connect()
- kprobes: avoid crash when rmmod/insmod after ftrace killed
- libceph: reject preamble if control segment is empty
- libceph: Use u32 for non-negative values in ceph_monmap_decode()
- libceph: admit message frames only in CEPH_CON_S_OPEN state
- ceph: fix i_nlink underrun during async unlink
- ceph: fix memory leaks in ceph_mdsc_build_path()
- time/jiffies: Mark jiffies_64_to_clock_t() notrace
- i3c: dw-i3c-master: Set SIR_REJECT in DAT on device attach and reattach
- scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend
- scsi: hisi_sas: Add time interval between two H2D FIS following soft
reset spec
- scsi: hisi_sas: Use macro instead of magic number
- scsi: hisi_sas: Fix NULL pointer exception during user_scan()
- Revert "tcpm: allow looking for role_sw device in the main node"
- drm/bridge: samsung-dsim: Fix memory leak in error path
- drm/bridge: ti-sn65dsi86: Enable HPD polling if IRQ is not used
- device property: Allow secondary lookup in fwnode_get_next_child_node()
- irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS
supports
- ice: reintroduce retry mechanism for indirect AQ
- ixgbevf: fix link setup issue
- staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
- staging: rtl8723bs: fix potential out-of-bounds read in
rtw_restruct_wmm_ie
- media: dvb-net: fix OOB access in ULE extension header tables
- net: mana: Ring doorbell at 4 CQ wraparounds
- ice: fix retry for AQ command 0x06EE
- tracing: Fix syscall events activation by ensuring refcount hits zero
- batman-adv: Avoid double-rtnl_lock ELP metric worker
- parisc: Increase initial mapping to 64 MB with KALLSYMS
- nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
- arm64: mm: Add PTE_DIRTY back to PAGE_KERNEL* to fix kexec/hibernation
- hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
- parisc: Fix initial page table creation for boot
- parisc: Check kernel mapping earlier at bootup
- pmdomain: bcm: bcm2835-power: Fix broken reset status read
- net: ncsi: fix skb leak in error paths
- net: ethernet: arc: emac: quiesce interrupts before requesting IRQ
- net: dsa: microchip: Fix error path in PTP IRQ setup
- drm/amdgpu: Fix use-after-free race in VM acquire
- drm/amd: Set num IP blocks to 0 if discovery fails
- drm/bridge: ti-sn65dsi83: fix CHA_DSI_CLK_RANGE rounding
- drm/i915: Fix potential overflow of shmem scatterlist length
- tracing: Fix trace_buf_size= cmdline parameter with sizes >= 2G
- cifs: make default value of retrans as zero
- xfs: fix undersized l_iclog_roundoff values
- s390/dasd: Move quiesce state with pprc swap
- s390/dasd: Copy detected format information to secondary device
- lib/bootconfig: fix off-by-one in xbc_verify_tree() unclosed brace error
- scsi: core: Fix error handling for scsi_alloc_sdev()
- x86/apic: Disable x2apic on resume if the kernel expects so
- lib/bootconfig: fix snprintf truncation check in
xbc_node_compose_key_after()
- lib/bootconfig: check bounds before writing in __xbc_open_brace()
- smb: client: fix atomic open with O_DIRECT & O_SYNC
- smb: client: fix in-place encryption corruption in SMB2_write()
- smb: client: fix iface port assignment in parse_server_interfaces
- btrfs: abort transaction on failure to update root in the received
subvol ioctl
- iio: dac: ds4424: reject -128 RAW value
- iio: frequency: adf4377: Fix duplicated soft reset mask
- iio: chemical: sps30_serial: fix buffer size in sps30_serial_read_meas()
- iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas()
- iio: potentiometer: mcp4131: fix double application of wiper shift
- iio: chemical: bme680: Fix measurement wait duration calculation
- iio: buffer: Fix wait_queue not being removed
- iio: gyro: mpu3050-core: fix pm_runtime error handling
- iio: gyro: mpu3050-i2c: fix pm_runtime error handling
- iio: imu: inv_icm42600: fix odr switch to the same value
- i3c: mipi-i3c-hci: Use ETIMEDOUT instead of ETIME for timeout errors
- i3c: mipi-i3c-hci: Restart DMA ring correctly after dequeue abort
- i3c: mipi-i3c-hci: Add missing TID field to no-op command descriptor
- drm/bridge: ti-sn65dsi86: Add support for DisplayPort mode with HPD
- gve: defer interrupt enabling until NAPI registration
- ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
- wifi: libertas: fix use-after-free in lbs_free_adapter()
- platform/x86: hp-bioscfg: Support allocations of larger data
- x86/sev: Allow IBPB-on-Entry feature for SNP guests
- gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for
QPL
- net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
- drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
- mptcp: pm: avoid sending RM_ADDR over same subflow
- mptcp: pm: in-kernel: always mark signal+subflow endp as used
- selftests: mptcp: add a check for 'add_addr_accepted'
- selftests: mptcp: join: check RM_ADDR not sent over same subflow
- kbuild: Leave objtool binary around with 'make clean'
- net/sched: act_gate: snapshot parameters with RCU on replace
- can: gs_usb: gs_can_open(): always configure bitrates before starting
device
- usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
- KVM: SVM: Limit AVIC physical max index based on configured max_vcpu_ids
- KVM: SVM: Add a helper to look up the max physical ID for AVIC
- KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated
- mm/kfence: fix KASAN hardware tag faults during late enablement
- iomap: reject delalloc mappings during writeback
- ksmbd: Don't log keys in SMB3 signing and encryption key generation
- drm/msm: Fix dma_free_attrs() buffer size
- drm/bridge: ti-sn65dsi83: halve horizontal syncs for dual LVDS output
- net: macb: Shuffle the tx ring before enabling tx
- cifs: open files should not hold ref on superblock
- crypto: atmel-sha204a - Fix OOM ->tfm_count leak
- xfs: fix integer overflow in bmap intent sort comparator
- xfs: ensure dquot item is deleted from AIL only after log shutdown
- smb: client: Compare MACs in constant time
- ksmbd: Compare MACs in constant time
- f2fs: fix to avoid migrating empty section
- ext4: fix dirtyclusters double decrement on fs shutdown
- btrfs: always fallback to buffered write if the inode requires checksum
- net: stmmac: dwmac-loongson: Set clk_csr_i to 100-150MHz
- arm64: mm: Don't remap pgtables per-cont(pte|pmd) block
- arm64: mm: Batch dsb and isb when populating pgtables
- arm64: mm: Don't remap pgtables for allocate vs populate
- dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
- ext4: always allocate blocks only from groups inode can use
- rxrpc: Fix recvmsg() unconditional requeue
- dm-verity: disable recursive forward error correction
- ipv6: use RCU in ip6_xmit()
- rxrpc: Fix data-race warning and potential load/store tearing
- btrfs: do not strictly require dirty metadata threshold for metadata
writepages
- riscv: Sanitize syscall table indexing under speculation
- dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
- tracing: Add recursion protection in kernel stack trace recording
- net: add support for segmenting TCP fraglist GSO packets
- net: gso: fix tcp fraglist segmentation after pull from frag_list
- net: fix segmentation of forwarding fraglist GRO
- net: dsa: properly keep track of conduit reference
- drm/amd/display: Add pixel_clock to amd_pp_display_configuration
- drm/amd/pm: Use pm_display_cfg in legacy DPM (v2)
- drm/amdgpu: Add basic validation for RAS header
- drm/exynos: vidi: use priv->vidi_dev for ctx lookup in
vidi_connection_ioctl()
- drm/exynos: vidi: fix to avoid directly dereferencing user pointer
- drm/exynos: vidi: use ctx->lock to protect struct vidi_context member
variables related to memory alloc/free
- x86/uprobes: Fix XOL allocation failure for 32-bit tasks
- platform/x86/amd/pmc: Add support for Van Gogh SoC
- binfmt_misc: restore write access before closing files opened by
open_exec()
- net: stmmac: remove support for lpi_intr_o
- mptcp: pm: in-kernel: always set ID as avail when rm endp
- s390/xor: Fix xor_xc_2() inline assembly constraints
- s390/stackleak: Fix __stackleak_poison() inline assembly constraint
- s390/zcrypt: Enable AUTOSEL_DOM for CCA serialnr sysfs attribute
- mm/mempolicy: fix wrong mmap_read_unlock() in migrate_to_node()
- io_uring/kbuf: check if target buffer list is still legacy on recycle
- NFSD: Hold net reference for the lifetime of /proc/fs/nfs/exports fd
- sunrpc: fix cache_request leak in cache_release
- nvdimm/bus: Fix potential use after free in asynchronous initialization
- LoongArch: Give more information if kmem access failed
- NFC: nxp-nci: allow GPIOs to sleep
- net: macb: fix use-after-free access to PTP clock
- parisc: Flush correct cache in cacheflush() syscall
- Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
- Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
- smb: client: fix krb5 mount with username option
- ksmbd: unset conn->binding on failed binding request
- kprobes: Remove unneeded goto
- kprobes: Remove unneeded warnings from __arm_kprobe_ftrace()
- btrfs: fix transaction abort when snapshotting received subvolumes
- btrfs: fix transaction abort on set received ioctl due to item overflow
- btrfs: fix transaction abort on file creation due to name hash collision
- iio: light: bh1780: fix PM runtime leak on error path
- batman-adv: avoid OGM aggregation when skb tailroom is insufficient
- net: macb: queue tie-off or disable during WOL suspend
- net: macb: Introduce gem_init_rx_ring()
- net: macb: Reinitialize tx/rx queue pointer registers and rx ring during
resume
- mmc: sdhci-pci-gli: fix GL9750 DMA write corruption
- mmc: sdhci: fix timing selection for 1-bit bus width
- pmdomain: bcm: bcm2835-power: Increase ASB control timeout
- spi: fix use-after-free on controller registration failure
- spi: fix statistics allocation
- mtd: rawnand: pl353: make sure optimal timings are applied
- mtd: rawnand: cadence: Fix error check for dma_alloc_coherent() in
cadence_nand_init()
- mtd: Avoid boot crash in RedBoot partition table parser
- iommu/vt-d: Fix intel iommu iotlb sync hardlockup and retry
- serial: 8250_pci: add support for the AX99100
- serial: 8250: Fix TX deadlock when using DMA
- serial: 8250: Add late synchronize_irq() to shutdown to handle DW UART
BUSY
- serial: uartlite: fix PM runtime usage count underflow on probe
- drm/amdgpu/gmc9.0: add bounds checking for cid
- drm/amdgpu/mmhub2.0: add bounds checking for cid
- drm/amdgpu/mmhub2.3: add bounds checking for cid
- drm/amdgpu/mmhub3.0.1: add bounds checking for cid
- drm/amdgpu/mmhub3.0.2: add bounds checking for cid
- drm/amdgpu/mmhub3.0: add bounds checking for cid
- drm/radeon: apply state adjust rules to some additional HAINAN vairants
- drm/amdgpu: apply state adjust rules to some additional HAINAN vairants
- drm/amd/display: Wrap dcn32_override_min_req_memclk() in DC_FP_{START,
END}
- btrfs: log new dentries when logging parent dir of a conflicting inode
- btrfs: tree-checker: fix misleading root drop_level error message
- cache: ax45mp: Fix device node reference leak in ax45mp_cache_init()
- soc: fsl: qbman: fix race condition in qman_destroy_fq
- wifi: mac80211: Fix static_branch_dec() underflow for aql_disable.
- wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down
- firmware: arm_scpi: Fix device_node reference leak in probe path
- Bluetooth: LE L2CAP: Disconnect if received packet's SDU exceeds IMTU
- Bluetooth: LE L2CAP: Disconnect if sum of payload sizes exceed SDU
- Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
- Bluetooth: ISO: Fix defer tests being unstable
- Bluetooth: hci_sync: Fix hci_le_create_conn_sync
- Bluetooth: HIDP: Fix possible UAF
- Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
- Bluetooth: qca: fix ROM version reading on WCN3998 chips
- net/rose: fix NULL pointer dereference in rose_transmit_link on
reconnect
- mpls: add missing unregister_netdevice_notifier to mpls_init
- netfilter: ctnetlink: remove refcounting in expectation dumpers
- netfilter: ctnetlink: fix use-after-free in ctnetlink_dump_exp_ct()
- netfilter: nf_conntrack_sip: fix Content-Length u32 truncation in
sip_help_tcp()
- netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case
- netfilter: nft_ct: drop pending enqueued packets on removal
- netfilter: xt_CT: drop pending enqueued packets on template removal
- netfilter: xt_time: use unsigned int for monthday bit shift
- net: bcmgenet: increase WoL poll timeout
- net: mana: fix use-after-free in mana_hwc_destroy_channel() by
reordering teardown
- sched: idle: Consolidate the handling of two special cases
- PM: runtime: Fix a race condition related to device removal
- net/sched: teql: Fix double-free in teql_master_xmit
- net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check
- net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check
- clsact: Fix use-after-free in init/destroy rollback asymmetry
- net: usb: aqc111: Do not perform PM inside suspend callback
- igc: fix missing update of skb->tail in igc_xmit_frame()
- iavf: fix VLAN filter lost on add/delete race
- wifi: mac80211: fix NULL deref in mesh_matches_local()
- wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough
headroom
- ACPI: processor: Fix previous acpi_processor_errata_piix4() fix
- net: macb: fix uninitialized rx_fs_lock
- net/mlx5: qos: Restrict RTNL area to avoid a lock cycle
- net/mlx5e: Prevent concurrent access to IPSec ASO context
- net/mlx5e: Fix race condition during IPSec ESN update
- udp_tunnel: fix NULL deref caused by udp_sock_create6 when CONFIG_IPV6=n
- net: bonding: fix NULL deref in bond_debug_rlb_hash_show
- netfilter: bpf: defer hook memory release until rcu readers are done
- nfnetlink_osf: validate individual option lengths in fingerprints
- net: mvpp2: guard flow control update with global_tx_fc in buffer
switching
- net: dsa: bcm_sf2: fix missing clk_disable_unprepare() in error paths
- icmp: fix NULL pointer dereference in icmp_tag_validation()
- hwmon: (pmbus/mp2975) Add error check for pmbus_read_word_data() return
value
- hwmon: (pmbus/isl68137) Fix unchecked return value and use sysfs_emit()
- Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
- USB: serial: f81232: fix incomplete serial port generation
- i2c: fsi: Fix a potential leak in fsi_i2c_probe()
- i2c: pxa: defer reset on Armada 3700 when recovery is used
- x86/platform/uv: Handle deconfigured sockets
- i2c: cp2615: fix serial string NULL-deref at probe
- mtd: rawnand: serialize lock/unlock against other NAND operations
- mtd: rawnand: brcmnand: skip DMA during panic write
- drm/amd/display: Fix DisplayID not-found handling in
parse_edid_displayid_vrr()
- drm/i915/gt: Check set_default_submission() before deferencing
- lib/bootconfig: check xbc_init_node() return in override path
- tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
- xen/privcmd: restrict usage in unprivileged domU
- xen/privcmd: add boot control for restricted usage in domU
- cgroup/cpuset: Fix incorrect use of cpuset_update_tasks_cpumask() in
update_cpumasks_hier()
- s390/idle: Fix cpu idle exit cpu time accounting
- s390/vtime: Fix virtual timer forwarding
- PCI: endpoint: Introduce pci_epc_function_is_valid()
- PCI: endpoint: Introduce pci_epc_mem_map()/unmap()
- PCI: dwc: endpoint: Implement the pci_epc_ops::align_addr() operation
- PCI: dwc: ep: Use align addr function for
dw_pcie_ep_raise_{msi,msix}_irq()
- PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry
- drm/amdgpu: Replace kzalloc + copy_from_user with memdup_user
- drm/amdgpu: Fix locking bugs in error paths
- btrfs: print correct subvol num if active swapfile prevents deletion
- bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic
tearing
- x86/acpi/boot: Correct acpi_is_processor_usable() check again
- PCI: dw-rockchip: Don't wait for link since we can detect Link Up
- Revert "PCI: dw-rockchip: Don't wait for link since we can detect Link
Up"
- ata: libata-scsi: Refactor ata_scsi_simulate()
- ata: libata-scsi: Refactor ata_scsiop_read_cap()
- ata: libata-scsi: Refactor ata_scsiop_maint_in()
- ata: libata-scsi: Document all VPD page inquiry actors
- ata: libata-scsi: Remove struct ata_scsi_args
- ata: libata: Remove ATA_DFLAG_ZAC device flag
- ata: libata: Introduce ata_port_eh_scheduled()
- ata: libata-scsi: avoid Non-NCQ command starvation
- workqueue: Add system_percpu_wq and system_dfl_wq
- Input: synaptics_i2c - replace use of system_wq with system_dfl_wq
- Input: synaptics_i2c - guard polling restart in resume
- arm64: dts: rockchip: Fix rk3588 PCIe range mappings
- ima: kexec: silence RCU list traversal warning
- ima: rename variable the seq_file "file" to "ima_kexec_file"
- ima: define and call ima_alloc_kexec_file_buf()
- kexec: define functions to map and unmap segments
- ima: kexec: define functions to copy IMA log at soft boot
- ima: verify the previous kernel's IMA buffer lies in addressable RAM
- of/kexec: refactor ima_get_kexec_buffer() to use ima_validate_range()
- drm/exynos/vidi: Remove redundant error handling in vidi_get_modes()
- btrfs: zoned: fix alloc_offset calculation for partly conventional block
groups
- btrfs: zoned: fixup last alloc pointer after extent removal for RAID1
- btrfs: zoned: fixup last alloc pointer after extent removal for DUP
- btrfs: zoned: fix stripe width calculation
- btrfs: define the AUTO_KFREE/AUTO_KVFREE helper macros
- btrfs: zoned: fixup last alloc pointer after extent removal for RAID0/10
- ksmbd: check return value of xa_store() in krb5_authenticate
- ksmbd: add chann_lock to protect ksmbd_chann_list xarray
- ALSA: hda/realtek: Add quirk for Gigabyte G5 KF5 (2023)
- ALSA: hda/realtek: Implement sound init sequence for Samsung Galaxy
Book3 Pro 360
- ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book3 Ultra
- ALSA: hda/realtek: Refactor and simplify Samsung Galaxy Book init
- ALSA: hda/realtek: Add quirk for Samsung Galaxy Book3 Pro 360 (NP965QFG)
- ACPI: APEI: GHES: Disable KASAN instrumentation when compile testing
with clang < 18
- nvme: fix admin queue leak on controller reset
- HID: multitouch: add quirks for Lenovo Yoga Book 9i
- HID: multitouch: new class MT_CLS_EGALAX_P80H84
- idpf: change IRQ naming to match netdev and ethtool queue numbering
- i40e: Fix preempt count leak in napi poll tracepoint
- drm/xe: Do not preempt fence signaling CS instructions
- wifi: mt76: mt7925: Fix possible oob access in
mt7925_mac_write_txwi_80211()
- i2c: i801: Revert "i2c: i801: replace acpi_lock with I2C bus lock"
- drm/xe/reg_sr: Fix leak on xa_store failure
- net_sched: sch_fq: clear q->band_pkt_count[] in fq_reset()
- ata: libata-core: fix cancellation of a port deferred qc work
- ata: libata-eh: correctly handle deferred qc timeouts
- ata: libata: cancel pending work after clearing deferred_qc
- ata: libata-eh: Fix detection of deferred qc timeouts
- Upstream stable to v6.6.129, v6.6.130, v6.12.76, v6.12.77
* Noble update: upstream stable patchset 2026-05-28 (LP: #2154496) //
CVE-2026-43067
- ext4: handle wraparound when searching for blocks for indirect mapped
blocks
* Noble update: upstream stable patchset 2026-05-28 (LP: #2154496) //
CVE-2025-39930
- ASoC: simple-card-utils: Don't use __free(device_node) at
graph_util_parse_dai()
* CVE-2026-46244
- netfilter: nft_inner: Fix IPv6 inner_thoff desync
* CVE-2026-43185
- ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
* CVE-2026-46289
- lib/scatterlist: fix length calculations in extract_kvec_to_sg
* CVE-2026-46119
- libceph: Fix slab-out-of-bounds access in auth message processing
* CVE-2026-46135
- nvmet-tcp: fix race between ICReq handling and queue teardown
* CVE-2026-46185
- smb/client: fix out-of-bounds read in symlink_data()
* CVE-2026-46195
- smb: client: validate dacloffset before building DACL pointers
* CVE-2026-46115
- block: add pgmap check to biovec_phys_mergeable
* CVE-2026-43501
- ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
* CVE-2026-45988
- rxrpc: Fix re-decryption of RESPONSE packets
* CVE-2026-46043
- RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
* CVE-2026-43493
- crypto: pcrypt - Fix handling of MAY_BACKLOG requests
* CVE-2026-43071
- dcache: Limit the minimal number of bucket to two
* CVE-2026-31685
- netfilter: ip6t_eui64: reject invalid MAC header for all packets
* CVE-2026-43117
- btrfs: tracepoints: get correct superblock from dentry in event
btrfs_sync_file()
* CVE-2026-43114
- netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
expiry
* CVE-2026-31607
- usbip: validate number_of_packets in usbip_pack_ret_submit()
* CVE-2026-31659
- batman-adv: reject oversized global TT response buffers
* CVE-2026-31649
- net: stmmac: fix integer underflow in chain mode
* CVE-2026-31657
- batman-adv: hold claim backbone gateways by reference
* CVE-2026-31637
- rxrpc: reject undecryptable rxkad response tickets
* CVE-2026-31669
- mptcp: fix slab-use-after-free in __inet_lookup_established
* CVE-2026-31668
- seg6: separate dst_cache for input and output paths in seg6 lwtunnel
* CVE-2026-43011
- net/x25: Fix potential double free of skb
* CVE-2026-43037
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
* CVE-2026-43341
- net/ipv6: ioam6: prevent schema length wraparound in trace fill
* CVE-2026-43038
- ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
* CVE-2026-31682
- bridge: br_nd_send: linearize skb before parsing ND options
* CVE-2026-31436
- dmaengine: idxd: fix possible wrong descriptor completion in
llist_abort_desc()
* CVE-2026-43384
- net/tcp-ao: Fix MAC comparison to be constant-time
* CVE-2026-31448
- ext4: get rid of ppath in ext4_find_extent()
- ext4: get rid of ppath in ext4_ext_create_new_leaf()
- ext4: get rid of ppath in ext4_ext_insert_extent()
- ext4: avoid infinite loops caused by residual data
* CVE-2026-31478
- ksmbd: replace hardcoded hdr2_len with offsetof() in
smb2_calc_max_out_buf_len()
* CVE-2026-23428
- ksmbd: fix use-after-free of share_conf in compound request
* CVE-2026-23450
- net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
* CVE-2026-23455
- netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
* CVE-2026-31402
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
* CVE-2026-43383
- net/tcp-md5: Fix MAC comparison to be constant-time
* CVE-2026-43378
- smb: server: fix use-after-free in smb2_open()
* CVE-2026-46243
- smb: client: reject userspace cifs.spnego descriptions
* CVE-2026-43414
- scsi: qla2xxx: Completely fix fcport double free
* CVE-2026-43407
- libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
* CVE-2026-43406
- libceph: prevent potential out-of-bounds reads in
process_message_header()
linux-lowlatency-hwe-6.8 (6.8.0-134.134.1~22.04.1) jammy; urgency=medium
* jammy/linux-lowlatency-hwe-6.8: 6.8.0-134.134.1~22.04.1 -proposed tracker (LP: #2158408)
[ Ubuntu-lowlatency: 6.8.0-134.134.1 ]
* noble/linux-lowlatency: 6.8.0-134.134.1 -proposed tracker (LP: #2158409)
[ Ubuntu: 6.8.0-134.134 ]
* noble/linux: 6.8.0-134.134 -proposed tracker (LP: #2158432)
* ext4: writeback causes kernel oops when low on space (LP: #2158377)
- ext4: get rid of ppath in get_ext_path()
linux-lowlatency-hwe-6.8 (6.8.0-131.131.1~22.04.1) jammy; urgency=medium
* jammy/linux-lowlatency-hwe-6.8: 6.8.0-131.131.1~22.04.1 -proposed tracker (LP: #2157173)
[ Ubuntu-lowlatency: 6.8.0-131.131.1 ]
* noble/linux-lowlatency: 6.8.0-131.131.1 -proposed tracker (LP: #2157174)
[ Ubuntu: 6.8.0-131.131 ]
* noble/linux: 6.8.0-131.131 -proposed tracker (LP: #2157196)
* Packaging resync (LP: #1786013)
- [Packaging] update annotations scripts
* CVE-2026-46244
- netfilter: nft_inner: Fix IPv6 inner_thoff desync
* CVE-2026-43185
- ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
* CVE-2026-46289
- lib/scatterlist: fix length calculations in extract_kvec_to_sg
* CVE-2026-46119
- libceph: Fix slab-out-of-bounds access in auth message processing
* CVE-2026-46135
- nvmet-tcp: fix race between ICReq handling and queue teardown
* CVE-2026-46185
- smb/client: fix out-of-bounds read in symlink_data()
* CVE-2026-46195
- smb: client: validate dacloffset before building DACL pointers
* CVE-2026-46115
- block: add pgmap check to biovec_phys_mergeable
* CVE-2026-43501
- ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
* CVE-2026-45988
- rxrpc: Fix re-decryption of RESPONSE packets
* CVE-2026-46043
- RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
* CVE-2026-43493
- crypto: pcrypt - Fix handling of MAY_BACKLOG requests
* CVE-2026-43071
- dcache: Limit the minimal number of bucket to two
* CVE-2026-31685
- netfilter: ip6t_eui64: reject invalid MAC header for all packets
* CVE-2026-43117
- btrfs: tracepoints: get correct superblock from dentry in event
btrfs_sync_file()
* CVE-2026-43114
- netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
expiry
* CVE-2026-31607
- usbip: validate number_of_packets in usbip_pack_ret_submit()
* CVE-2026-31659
- batman-adv: reject oversized global TT response buffers
* CVE-2026-31649
- net: stmmac: fix integer underflow in chain mode
* CVE-2026-31657
- batman-adv: hold claim backbone gateways by reference
* CVE-2026-31637
- rxrpc: reject undecryptable rxkad response tickets
* CVE-2026-31669
- mptcp: fix slab-use-after-free in __inet_lookup_established
* CVE-2026-31668
- seg6: separate dst_cache for input and output paths in seg6 lwtunnel
* CVE-2026-43011
- net/x25: Fix potential double free of skb
* CVE-2026-43037
- ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
* CVE-2026-43341
- net/ipv6: ioam6: prevent schema length wraparound in trace fill
* CVE-2026-43038
- ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
* CVE-2026-31682
- bridge: br_nd_send: linearize skb before parsing ND options
* CVE-2026-31436
- dmaengine: idxd: fix possible wrong descriptor completion in
llist_abort_desc()
* CVE-2026-43384
- net/tcp-ao: Fix MAC comparison to be constant-time
* CVE-2026-31448
- ext4: get rid of ppath in ext4_find_extent()
- ext4: get rid of ppath in ext4_ext_create_new_leaf()
- ext4: get rid of ppath in ext4_ext_insert_extent()
- ext4: avoid infinite loops caused by residual data
* CVE-2026-31478
- ksmbd: replace hardcoded hdr2_len with offsetof() in
smb2_calc_max_out_buf_len()
* CVE-2026-23428
- ksmbd: fix use-after-free of share_conf in compound request
* CVE-2026-23450
- net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
* CVE-2026-23455
- netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
* CVE-2026-31402
- nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
* CVE-2026-43383
- net/tcp-md5: Fix MAC comparison to be constant-time
* CVE-2026-43378
- smb: server: fix use-after-free in smb2_open()
* CVE-2026-46243
- smb: client: reject userspace cifs.spnego descriptions
* CVE-2026-43414
- scsi: qla2xxx: Completely fix fcport double free
* CVE-2026-43407
- libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
* CVE-2026-43406
- libceph: prevent potential out-of-bounds reads in
process_message_header()
Date: 2026-07-04 16:50:13.231095+00:00
Changed-By: Edoardo Canepa <edoardo.canepa at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.8/6.8.0-136.136.2~22.04.1
-------------- next part --------------
Sorry, changesfile not available.
More information about the jammy-changes
mailing list