[ubuntu/questing-proposed] linux-riscv 6.17.0-41.41.1 (Accepted)

Andy Whitcroft apw at canonical.com
Tue Jun 30 10:57:12 UTC 2026


linux-riscv (6.17.0-41.41.1) questing; urgency=medium

  * questing/linux-riscv: 6.17.0-41.41.1 -proposed tracker (LP: #2157481)

  [ Ubuntu: 6.17.0-41.41 ]

  * questing/linux: 6.17.0-41.41 -proposed tracker (LP: #2157484)
  * USB camera lost after suspend due to xhci endpoint_reset failure
    (LP: #2153966)
    - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
  * Add intel-speed-select  to linux-tools-$(uname -r) (LP: #2131077)
    - [Packaging] Add intel-speed-select to linux-tools
  * DGX Cloud GB300 clusters fail to build due zero dmac race in neighbor
    resolution (LP: #2154023)
    - IB/core: Fix zero dmac race in neighbor resolution
  * Internal display black screen on Intel Lunar Lake with eDP panel
    (LP: #2156312)
    - drm/i915/alpm: Allow LOBF only for platform that have Always on VRR TG
  * Kernel lockup on 6.17.0-1017-oem Lenovo P14s gen 6 AMD Ryzen AI 7 pro 350
    (LP: #2148538)
    - Revert "drm/amdgpu: don't attach the tlb fence for SI"
    - drm/amdgpu: rework how we handle TLB fences
  * Fix graceful fault handling after FPU softirq changes causes hard freeze
    on EFI runtime calls (LP: #2153976)
    - x86/efi: Fix graceful fault handling after FPU softirq changes
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399)
    - readdir: require opt-in for d_type flags
    - can: at91_can: Fix memory leak in at91_can_probe()
    - net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup()
    - can: gs_usb: gs_usb_receive_bulk_callback(): fix error message
    - net: bcmasp: fix early exit leak with fixed phy
    - net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins()
    - ipv6: use the right ifindex when replying to icmpv6 from localhost
    - ixgbe: fix memory leak and use-after-free in ixgbe_recovery_probe()
    - ixgbe: fix memory leaks in the ixgbe_recovery_probe() path
    - ixgbe: don't initialize aci lock in ixgbe_recovery_probe()
    - ice: stop counting UDP csum mismatch as rx_errors
    - net/mlx5e: Account for netdev stats in ndo_get_stats64
    - net: bridge: fix static key check
    - net: phy: micrel: fix clk warning when removing the driver
    - net/mlx5: fs, Fix inverted cap check in tx flow table root disconnect
    - net/mlx5: Initialize events outside devlink lock
    - net/mlx5: Fix vhca_id access call trace use before alloc
    - net/mlx5e: Skip ESN replay window setup for IPsec crypto offload
    - wifi: mac80211: parse all TTLM entries
    - wifi: mac80211: apply advertised TTLM from association response
    - scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg()
    - ASoC: soc-acpi-intel-ptl-match: fix name_prefix of rt1320-2
    - drm/xe: Skip address copy for sync-only execs
    - ASoC: Intel: sof_es8336: fix headphone GPIO logic inversion
    - gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler
    - drm/amd/pm: fix race in power state check before mutex lock
    - gpio: brcmstb: correct hwirq to bank map
    - kbuild: rpm-pkg: Generate debuginfo package manually
    - of/reserved_mem: Simplify the logic of fdt_scan_reserved_mem_reg_nodes()
    - of: reserved_mem: Allow reserved_mem framework detect "cma=" kernel
      param
    - bcache: fix improper use of bi_end_io
    - bcache: use bio cloning for detached device requests
    - bcache: fix I/O accounting leak in detached_dev_do_request
    - dma/pool: distinguish between missing and exhausted atomic pools
    - drm/xe/nvm: Manage nvm aux cleanup with devres
    - sched/deadline: Document dl_server
    - sched/deadline: Fix 'stuck' dl_server
    - writeback: fix 100% CPU usage when dirtytime_expire_interval is 0
    - pinctrl: lpass-lpi: implement .get_direction() for the GPIO driver
    - pinctrl: meson: mark the GPIO controller as sleeping
    - pinctrl: qcom: sm8350-lpass-lpi: Merge with SC7280 to fix I2S2 and SWR
      TX pins
    - [Config] Remove CONFIG_PINCTRL_SM8350_LPASS_LPI
    - perf: Simplify get_perf_callchain() user logic
    - riscv: compat: fix COMPAT_UTS_MACHINE definition
    - rust: rbtree: fix documentation typo in CursorMut peek_next method
    - rust: kbuild: give `--config-path` to `rustfmt` in `.rsi` target
    - ASoC: fsl: imx-card: Do not force slot width to sample width
    - scsi: be2iscsi: Fix a memory leak in beiscsi_boot_get_sinfo()
    - ASoC: amd: yc: Add DMI quirk for Acer TravelMate P216-41-TCO
    - gpio: pca953x: mask interrupts in irq shutdown
    - kbuild: rust: clean libpin_init_internal in mrproper
    - scsi: qla2xxx: edif: Fix dma_free_coherent() size
    - ALSA: hda/realtek: fix right sounds and mute/micmute LEDs for HP machine
    - gpio: rockchip: Stop calling pinctrl for set_direction
    - mm/kasan: fix KASAN poisoning in vrealloc()
    - mptcp: only reset subflow errors when propagated
    - selftests: mptcp: check no dup close events after error
    - selftests: mptcp: check subflow errors in close events
    - selftests: mptcp: join: fix local endp not being tracked
    - mm/kfence: randomize the freelist on initialization
    - mm/memory-failure: fix missing ->mf_stats count in hugetlb poison
    - mm/memory-failure: teach kill_accessing_process to accept hugetlb tail
      page pfn
    - rust: bits: always inline functions using build_assert with arguments
    - scripts: generate_rust_analyzer: Add pin_init -> compiler_builtins dep
    - scripts: generate_rust_analyzer: Add pin_init_internal deps
    - scripts: generate_rust_analyzer: remove sysroot assertion
    - scripts: generate_rust_analyzer: compile sysroot with correct edition
    - scripts: generate_rust_analyzer: fix resolution of #[pin_data] macros
    - scripts: generate_rust_analyzer: Add compiler_builtins -> core dep
    - drm/msm/a6xx: fix bogus hwcg register updates
    - drm/amd/pm: fix smu v13 soft clock frequency setting issue
    - drm/amd/pm: fix smu v14 soft clock frequency setting issue
    - drm/amdgpu/soc21: fix xclk for APUs
    - drm/amdgpu/gfx10: fix wptr reset in KGQ init
    - drm/amdgpu/gfx11: fix wptr reset in KGQ init
    - drm/amdgpu/gfx11: adjust KGQ reset sequence
    - drm/amdgpu/gfx12: fix wptr reset in KGQ init
    - drm/amdgpu/gfx12: adjust KGQ reset sequence
    - drm/amdgpu: Fix cond_exec handling in amdgpu_ib_schedule()
    - iommu/tegra241-cmdqv: Reset VCMDQ in tegra241_vcmdq_hw_init_user()
    - gpiolib: acpi: Fix potential out-of-boundary left shift
    - libbpf: Fix -Wdiscarded-qualifiers under C23
    - net/sched: act_ife: convert comma to semicolon
    - sched_ext: Don't kick CPUs running higher classes
    - sched_ext: Fix SCX_KICK_WAIT to work reliably
    - mptcp: avoid dup SUB_CLOSED events after disconnect
    - rust: kbuild: support `-Cjump-tables=n` for Rust 1.93.0
    - Upstream stable to v6.12.69, v6.18.9
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23163
    - drm/amdgpu: fix NULL pointer dereference in
      amdgpu_gmc_filter_faults_remove
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23170
    - drm/imx/tve: fix probe device leak
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23154
    - net: fix segmentation of forwarding fraglist GRO
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23161
    - mm/shmem, swap: fix race of truncate and swap entry split
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23157
    - btrfs: do not strictly require dirty metadata threshold for metadata
      writepages
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23168
    - flex_proportions: make fprop_new_period() hardirq safe
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23148
    - nvmet: fix race in nvmet_bio_done() leading to NULL pointer dereference
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23156
    - efivarfs: fix error propagation in efivar_entry_get()
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23159
    - perf: sched: Fix perf crash with new is_user_task() helper
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23162
    - drm/xe/nvm: Fix double-free on aux add failure
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23158
    - gpio: virtuser: fix UAF in configfs release path
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23152
    - wifi: mac80211: correctly decode TTLM with default link map
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23167
    - nfc: nci: Fix race between rfkill and nci_unregister_device().
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23173
    - net/mlx5e: TC, delete flows only for existing peers
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23166
    - ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23171
    - bonding: fix use-after-free due to enslave fail after slave array update
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23150
    - nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame().
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23169
    - mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23164
    - rocker: fix memory leak in rocker_world_port_post_fini()
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23172
    - net: wwan: t7xx: fix potential skb->frags overflow in RX path
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23165
    - sfc: fix deadlock in RSS config read
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23212
    - bonding: annotate data-races around slave->last_rx
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23160
    - octeon_ep: Fix memory leak in octep_device_setup()
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23151
    - Bluetooth: MGMT: Fix memory leak in set_ssp_complete
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23146
    - Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work
  * Questing update: upstream stable patchset 2026-06-15 (LP: #2156399) //
    CVE-2026-23147
    - btrfs: zlib: fix the folio leak on S390 hardware acceleration
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362)
    - arm64: dts: qcom: sc8280xp: Add missing VDD_MXC links
    - arm64: dts: rockchip: Fix wrong register range of rk3576 gpu
    - perf parse-events: Fix evsel allocation failure
    - Drivers: hv: Always do Hyper-V panic notification in hv_kmsg_dump()
    - btrfs: fix missing fields in superblock backup with BLOCK_GROUP_TREE
    - dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO
    - pmdomain: qcom: rpmhpd: Add MXC to SC8280XP
    - wifi: ath12k: don't force radio frequency check in freq_to_idx()
    - ata: ahci: Do not read the per port area for unimplemented ports
    - ata: libata: Call ata_dev_config_lpm() for ATAPI devices
    - ata: libata-sata: Improve link_power_management_supported sysfs
      attribute
    - ata: libata: Add cpr_log to ata_dev_print_features() early return
    - ata: libata: Add DIPM and HIPM to ata_dev_print_features() early return
    - ata: libata: Print features also for ATAPI devices
    - wifi: ath12k: cancel scan only on active scan vdev
    - wifi: ath12k: Fix scan state stuck in ABORTING after
      cancel_remain_on_channel
    - wifi: ath12k: Fix wrong P2P device link id issue
    - ice: initialize ring_stats->syncp
    - ice: Avoid detrimental cleanup for bond during interface stop
    - ice: Fix incorrect timeout ice_release_res()
    - igc: Restore default Qbv schedule when changing channels
    - igc: fix race condition in TX timestamp read for register 0
    - net: usb: dm9601: remove broken SR9700 support
    - selftests: net: fib-onlink-tests: Convert to use namespaces by default
    - net: freescale: ucc_geth: Return early when TBI PHY can't be found
    - can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on
      usb_submit_urb() error
    - amd-xgbe: avoid misleading per-packet error log
    - tools: ynl: Specify --no-line-number in ynl-regen.sh.
    - veth: fix data race in veth_get_ethtool_stats
    - pwm: Ensure ioctl() returns a negative errno on error
    - octeontx2: cn10k: fix RX flowid TCAM mask handling
    - wifi: mac80211: don't perform DA check on S1G beacon
    - serial: 8250_pci: Fix broken RS485 for F81504/508/512
    - comedi: dmm32at: serialize use of paged registers
    - w1: fix redundant counter decrement in w1_attach_slave_device()
    - Revert "nfc/nci: Add the inconsistency check between the input data
      length and count"
    - Input: i8042 - add quirks for MECHREVO Wujie 15X Pro
    - Input: i8042 - add quirk for ASUS Zenbook UX425QA_UM425QA
    - scsi: storvsc: Process unsupported MODE_SENSE_10
    - i2c: spacemit: drop IRQF_ONESHOT flag from IRQ request
    - ARM: dts: microchip: sama7d65: fix the ranges property for flx9
    - ARM: dts: microchip: sama7d65: fix size-cells property for i2c3
    - arm64: dts: rockchip: remove redundant max-link-speed from nanopi-r4s
    - arm64: dts: rockchip: remove dangerous max-link-speed from helios64
    - arm64: dts: rockchip: Fix voltage threshold for volume keys for
      Pinephone Pro
    - arm64: dts: rockchip: Fix headphones widget name on NanoPi M5
    - arm64: dts: rockchip: Configure MCLK for analog sound on NanoPi M5
    - x86/kfence: avoid writing L1TF-vulnerable PTEs
    - comedi: Fix getting range information for subdevices 16 to 255
    - mm/rmap: fix two comments related to huge_pmd_unshare()
    - mm: restore per-memcg proactive reclaim with !CONFIG_NUMA
    - iio: adc: ad7280a: handle spi_setup() errors in probe()
    - iio: adc: ad7606: Fix incorrect type for error return variable
    - kconfig: fix static linking of nconf
    - riscv: clocksource: Fix stimecmp update hazard on RV32
    - riscv: suspend: Fix stimecmp update hazard on RV32
    - platform/mellanox: Fix SN5640/SN5610 LED platform data
    - ALSA: usb: Increase volume range that triggers a warning
    - iommu/amd: Fix error path in amd_iommu_probe_device()
    - drm/xe: Disable timestamp WA on VFs
    - drm/mediatek: dpi: Find next bridge during probe
    - drm/imagination: Wait for FW trace update command completion
    - vsock/test: Do not filter kallsyms by symbol type
    - ice: Fix persistent failure in ice_get_rxfh
    - idpf: read lower clock bits inside the time sandwich
    - net: hns3: fix data race in hns3_fetch_stats
    - idpf: Fix data race in idpf_net_dim
    - be2net: fix data race in be_get_new_eqd
    - net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M
    - net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue
    - usbnet: limit max_mtu based on device's hard_mtu
    - Octeontx2-pf: Update xdp features
    - clocksource: Reduce watchdog readout delay limit to prevent false
      positives
    - drm/xe/pm: Add scope-based cleanup helper for runtime PM
    - drm/xe: Update wedged.mode only after successful reset policy change
    - ublk: fix ublksrv pid handling for pid namespaces
    - selftests/ublk: fix IO thread idle check
    - selftests/ublk: fix error handling for starting device
    - selftests/ublk: fix garbage output in foreground mode
    - sched/fair: Fix pelt clock sync when entering idle
    - drm/amd/pm: Fix si_dpm mmCG_THERMAL_INT setting
    - drm/amd/pm: Don't clear SI SMC table when setting power limit
    - drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2)
    - drm/amdgpu: fix type for wptr in ring backup
    - drm/nouveau: add missing DCB connector types
    - drm/nouveau: implement missing DCB connector types; gracefully handle
      unknown connectors
    - selftests: net: amt: wait longer for connection before sending packets
    - net: bcmasp: Fix network filter wake for asp-3.0
    - net: dsa: fix off-by-one in maximum bridge ID determination
    - net: pcs: pcs-mtk-lynxi: report in-band capability for 2500Base-X
    - octeontx2-af: Fix error handling
    - net: openvswitch: fix data race in ovs_vport_get_upcall_stats
    - vsock/test: fix seqpacket message bounds test
    - x86: make page fault handling disable interrupts properly
    - panic: add note that 'panic_print' parameter is deprecated
    - panic: clean up message about deprecated 'panic_print' parameter
    - panic: only warn about deprecated panic_print on write access
    - of: fix reference count leak in of_alias_scan()
    - of: platform: Use default match table for /firmware
    - iio: accel: adxl380: fix handling of unavailable "INT1" interrupt
    - iio: accel: iis328dq: fix gain values
    - iio: adc: ad9467: fix ad9434 vref mask
    - iio: adc: exynos_adc: fix OF populate on driver rebind
    - iio: adc: pac1934: Fix clamped value in pac1934_reg_snapshot
    - iio: chemical: scd4x: fix reported channel endianness
    - iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl
    - ALSA: hda/realtek: Add quirk for Samsung 730QED to fix headphone
    - mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function
    - wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()
    - octeontx2: Fix otx2_dma_map_page() error return code
    - slimbus: core: fix runtime PM imbalance on report present
    - mei: trace: treat reg parameter as string
    - s390/ap: Fix wrong APQN fill calculation
    - s390/boot/vmlinux.lds.S: Ensure bzImage ends with SecureBoot trailer
    - platform/x86: hp-bioscfg: Fix automatic module loading
    - pmdomain:rockchip: Fix init genpd as GENPD_STATE_ON before regulator
      ready
    - rust: io: always inline functions using build_assert with arguments
    - perf/x86/intel: Do not enable BTS for guests
    - net: sfp: add potron quirk to the H-COM SPP425H-GAB4 SFP+ Stick
    - net: txgbe: remove the redundant data return in SW-FW mailbox
    - drm/amdgpu: remove frame cntl for gfx v12
    - drm/xe: Adjust page count tracepoints in shrinker
    - drm/xe: fix WQ_MEM_RECLAIM passed as max_active to alloc_workqueue()
    - gpio: cdev: Correct return code on memory allocation failure
    - gpio: cdev: Fix resource leaks on errors in gpiolib_cdev_register()
    - mm: fix some typos in mm module
    - mm/hugetlb: fix two comments related to huge_pmd_unshare()
    - iio: core: Replace lockdep_set_class() + mutex_init() by combined call
    - iio: core: add separate lockdep class for info_exist_lock
    - arm64: dts: qcom: talos: Correct UFS clocks ordering
    - irqchip/renesas-rzv2h: Prevent TINT spurious interrupt during resume
    - mm/vma: enforce VMA fork limit on unfaulted,faulted mremap merge too
    - Revert "ALSA: usb: Increase volume range that triggers a warning"
    - Upstream stable to v6.12.68, v6.18.8
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23077
    - mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23079
    - gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23108
    - can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23080
    - can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23061
    - can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23075
    - can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23058
    - can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23085
    - irqchip/gic-v3-its: Avoid truncating memory addresses
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23118
    - rxrpc: Fix data-race warning and potential load/store tearing
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23116
    - pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23098
    - netrom: fix double-free in nr_route_frame()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23063
    - uacce: ensure safe queue release with state management
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23056
    - uacce: implement mremap in uacce_vm_ops to return -EPERM
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23094
    - uacce: fix isolate sysfs check condition
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23096
    - uacce: fix cdev handling in the cleanup path
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23088
    - tracing: Fix crash on synthetic stacktrace field usage
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23090
    - slimbus: core: fix device reference leak on report present
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23093
    - ksmbd: smbd: fix dma_unmap_sg() nents
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23128
    - arm64: Set __nocfi on swsusp_arch_resume()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23102
    - arm64/fpsimd: signal: Fix restoration of SVE context
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23107
    - arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23114
    - arm64/fpsimd: ptrace: Fix SVE writes on !SME systems
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23073
    - wifi: rsi: Fix memory corruption due to not set vif driver data size
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23135
    - wifi: ath12k: fix dma_free_coherent() pointer
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23133
    - wifi: ath10k: fix dma_free_coherent() pointer
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23067
    - iommu/io-pgtable-arm: fix size_t signedness bug in unmap path
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2025-71200
    - mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400
      mode
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23089
    - ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23078
    - ALSA: scarlett2: Fix buffer overflow in config retrieval
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23076
    - ALSA: ctxfi: Fix potential OOB access in audio mixer handling
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23092
    - iio: dac: ad3552r-hs: fix out-of-bound write in
      ad3552r_hs_write_data_source
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2025-71199
    - iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc
      driver
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23097
    - migrate: correct lock ordering for hugetlb file folios
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23101
    - leds: led-class: Only Add LED to leds_list when it is fully ready
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23070
    - Octeontx2-af: Add proper checks for fwdata
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23129
    - dpll: Prevent duplicate registrations
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23064
    - net/sched: act_ife: avoid possible NULL deref
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23086
    - vsock/virtio: cap TX credit to local buffer size
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23069
    - vsock/virtio: fix potential underflow in virtio_transport_get_credit()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23119
    - bonding: provide a net pointer to __skb_flow_dissect()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23084
    - be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23124
    - ipv6: annotate data-race in ndisc_router_discovery()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23121
    - mISDN: annotate data-race around dev->work
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23081
    - net: phy: intel-xway: fix OF node refcount leakage
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23104
    - ice: fix devlink reload call trace
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23126
    - netdevsim: fix a race issue related to the operation on bpf_bound_progs
      list
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23059
    - scsi: qla2xxx: Sanitize payload size to prevent member overflow
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23110
    - scsi: core: Wake up the error handler when final completions race
      against each other
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23065
    - platform/x86/amd: Fix memory leak in wbrf_record()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23071
    - regmap: Fix race condition in hwspinlock irqsave routine
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23068
    - spi: spi-sprd-adi: Fix double free in probe error path
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23123
    - interconnect: debugfs: initialize src_node and dst_node to empty strings
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2025-71198
    - iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event
      detection
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23113
    - io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23106
    - timekeeping: Adjust the leap state for the correct auxiliary timekeeper
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23100
    - mm/hugetlb: fix hugetlb_pmd_shared()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23062
    - platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23131
    - platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23109
    - fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23066
    - rxrpc: Fix recvmsg() unconditional requeue
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23087
    - scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2025-71197
    - w1: therm: Fix off-by-one buffer overflow in alarms_store
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23115
    - serial: Fix not set tty->port race condition
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23105
    - net/sched: qfq: Use cl_is_active to determine whether class is active in
      qfq_rm_from_ag
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23103
    - ipvlan: Make the addrs_lock be per port
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23120
    - l2tp: avoid one data-race in l2tp_tunnel_del_work()
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23083
    - fou: Don't allow 0 for FOU_ATTR_IPPROTO.
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23095
    - gue: Fix skb memleak with inner IP protocol 0.
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23125
    - sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23072
    - l2tp: Fix memleak in l2tp_udp_encap_recv().
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23099
    - bonding: limit BOND_MODE_8023AD to Ethernet devices
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23057
    - vsock/virtio: Coalesce only linear skb
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23122
    - igc: Reduce TSN TX packet buffer from 7KB to 5KB per queue
  * Questing update: upstream stable patchset 2026-06-10 (LP: #2156362) //
    CVE-2026-23130
    - wifi: ath12k: fix dead lock while flushing management frames
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193)
    - efi/cper: Fix cper_bits_to_str buffer handling and return value
    - ASoC: codecs: wsa884x: fix codec initialisation
    - ASoC: codecs: wsa883x: fix unnecessary initialisation
    - io_uring: move local task_work in exit cancel loop
    - xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
    - xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set
    - pnfs/blocklayout: Fix memory leak in bl_parse_scsi()
    - drm/bridge: dw-hdmi-qp: Fix spurious IRQ on resume
    - drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions
    - drm/rockchip: vop2: Add delay between poll registers
    - drm/rockchip: vop2: Only wait for changed layer cfg done when there is
      pending cfgdone bits
    - PM: EM: Fix incorrect description of the cost field in struct
      em_perf_state
    - ipv4: ip_tunnel: spread netdev_lockdep_set_classes()
    - Bluetooth: hci_sync: enable PA Sync Lost event
    - net: bridge: annotate data-races around fdb->{updated,used}
    - net: update netdev_lock_{type,name}
    - vsock/test: add a final full barrier after run all tests
    - net/mlx5e: Restore destroying state bit after profile cleanup
    - btrfs: fix memory leaks in create_space_info() error paths
    - cxl/hdm: Fix potential infinite loop in __cxl_dpa_reserve()
    - ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip
    - ALSA: hda/cirrus_scodec_test: Fix test suite name
    - selftests: drv-net: fix RPS mask handling for high CPU numbers
    - ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type
    - ASoC: tlv320adcx140: fix word length
    - drm/amd/display: Show link name in PSR status message
    - drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2
    - drm/amdkfd: No need to suspend whole MES to evict process
    - mm: describe @flags parameter in memalloc_flags_save()
    - textsearch: describe @list member in ts_ops search
    - mm, kfence: describe @slab parameter in __kfence_obj_info()
    - mips: fix HIGHMEM initialization
    - drivers/dax: add some missing kerneldoc comment fields for struct
      dev_dax
    - NFS: Fix size read races in truncate, fallocate and copy offload
    - dmaengine: xilinx_dma: Fix uninitialized addr_width when
      "xlnx,addrwidth" property is missing
    - phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it
    - phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors
    - landlock: Fix TCP handling of short AF_UNSPEC addresses
    - selftests/landlock: Fix TCP bind(AF_UNSPEC) test case
    - selftests/landlock: Remove invalid unix socket bind()
    - landlock: Fix wrong type usage
    - phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again)
    - selftests/landlock: Properly close a file descriptor
    - soundwire: bus: fix off-by-one when allocating slave IDs
    - i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA
    - i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume
      progress
    - sched/deadline: Avoid double update_rq_clock()
    - sched: Deadline has dynamic priority
    - HID: usbhid: paper over wrong bNumDescriptor field
    - selftests/bpf: Fix selftest verif_scale_strobemeta failure with llvm22
    - scsi: core: Fix error handler encryption support
    - selftests: kvm: replace numbered sync points with actions
    - selftests: kvm: try getting XFD and XSAVE state out of sync
    - ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer
    - ALSA: hda/tas2781: Skip UEFI calibration on ASUS ROG Xbox Ally X
    - ALSA: hda/realtek: Add quirk for HP Pavilion x360 to enable mute LED
    - can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1 MBit.
    - tools/testing/selftests: add tests for !tgt, src mremap() merges
    - tools/testing/selftests: add forked (un)/faulted VMA merge tests
    - tools/testing/selftests: fix gup_longterm for unknown fs
    - xfs: set max_agbno to allow sparse alloc of last full inode chunk
    - xfs: Fix the return value of xfs_rtcopy_summary()
    - virtio-net: don't schedule delayed refill worker
    - x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers
    - phy: rockchip: inno-usb2: fix communication disruption in gadget mode
    - phy: ti: gmii-sel: fix regmap leak on probe failure
    - phy: freescale: imx8m-pcie: assert phy reset during power on
    - phy: rockchip: inno-usb2: fix disconnection in gadget mode
    - phy: fsl-imx8mq-usb: fix typec orientation switch when built as module
    - phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7
    - usb: gadget: uvc: fix interval_duration calculation
    - usb: gadget: uvc: fix req_payload_size calculation
    - usb: dwc3: Check for USB4 IP_NAME
    - usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS descriptor
    - USB: OHCI/UHCI: Add soft dependencies on ehci_platform
    - USB: serial: option: add Telit LE910 MBIM composition
    - USB: serial: ftdi_sio: add support for PICAXE AXE027 cable
    - nvme-pci: disable secondary temp for Wodposit WPBSNM8
    - ASoC: codecs: wsa881x: fix unnecessary initialisation
    - hrtimer: Fix softirq base check in update_needs_ipi()
    - EDAC/x38: Fix a resource leak in x38_probe1()
    - EDAC/i3200: Fix a resource leak in i3200_probe1()
    - x86/resctrl: Add missing resctrl initialization for Hygon
    - x86/resctrl: Fix memory bandwidth counter width for Hygon
    - nvme: fix PCIe subsystem reset controller state transition
    - mm: kmsan: fix poisoning of high-order non-compound pages
    - mm: numa,memblock: include <asm/numa.h> for 'numa_nodes_parsed'
    - mm/zswap: fix error pointer free in zswap_cpu_comp_prepare()
    - mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free
    - mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup
      failure
    - mm/damon/sysfs: cleanup intervals subdirs on attrs dir setup failure
    - LoongArch: Fix PMU counter allocation for mixed-type event groups
    - LoongArch: dts: Describe PCI sideband IRQ through interrupt-extended
    - drm/amd/display: Bump the HDMI clock to 340MHz
    - drm/amd/display: Initialise backlight level values from hw
    - drm/amd: Clean up kfd node on surprise disconnect
    - drm/amdgpu: make sure userqs are enabled in userq IOCTLs
    - drm/amdkfd: fix a memory leak in device_queue_manager_init()
    - drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare
    - drm/panel: simple: restore connector_type fallback
    - drm/sysfb: Remove duplicate declarations
    - drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()
    - LoongArch: dts: loongson-2k0500: Add default interrupt controller
      address cells
    - LoongArch: dts: loongson-2k1000: Add default interrupt controller
      address cells
    - LoongArch: dts: loongson-2k1000: Fix i2c-gpio node names
    - LoongArch: dts: loongson-2k2000: Add default interrupt controller
      address cells
    - LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy()
    - LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()
    - LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()
    - dmaengine: apple-admac: Add "apple,t8103-admac" compatible
    - dmaengine: cv1800b-dmamux: fix device leak on route allocation
    - dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure
    - dmaengine: lpc32xx-dmamux: fix device leak on route allocation
    - dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all()
    - dmaengine: stm32: dmamux: fix OF node leak on route allocation failure
    - dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation
    - dmaengine: ti: k3-udma: fix device leak on udma lookup
    - x86/mm: use 'ptdesc' when freeing PMD pages
    - x86/mm: use pagetable_free()
    - HID: intel-ish-hid: Fix -Wcast-function-type-strict in
      devm_ishtp_alloc_workqueue()
    - mm/page_alloc/vmstat: simplify refresh_cpu_vm_stats change detection
    - mm/page_alloc: batch page freeing in decay_pcp_high
    - Upstream stable to v6.12.67, v6.18.7
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23025
    - mm/page_alloc: prevent pcp corruption with SMP=n
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71194
    - btrfs: fix deadlock in wait_current_trans() due to ignored transaction
      type
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71185
    - dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71186
    - dmaengine: stm32: dmamux: fix device leak on route allocation
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71187
    - dmaengine: sh: rz-dmac: fix device leak on probe failure
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23026
    - dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71188
    - dmaengine: lpc18xx-dmamux: fix device leak on route allocation
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71163
    - dmaengine: idxd: fix device leaks on compat bind and unbind
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71189
    - dmaengine: dw: dmamux: fix OF node leak on route allocation failure
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71190
    - dmaengine: bcm-sba-raid: fix device leak on probe
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71191
    - dmaengine: at_hdmac: fix device leak on of_dma_xlate()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23049
    - drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23144
    - mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23142
    - mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir
      setup failure
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23012
    - mm/damon/core: remove call_control in inactive contexts
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23055
    - i2c: riic: Move suspend handling to NOIRQ phase
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23145
    - ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23009
    - xhci: sideband: don't dereference freed ring when removing sideband
      endpoint
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23030
    - phy: rockchip: inno-usb2: Fix a double free bug in
      rockchip_usb2phy_probe()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23002
    - lib/buildid: use __kernel_read() for sleepable context
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23052
    - ftrace: Do not over-allocate ftrace memory
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-22997
    - net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session
      upon receiving the second rts
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23031
    - can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23032
    - null_blk: fix kmemleak by releasing references to fault configfs items
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23033
    - dmaengine: omap-dma: fix dma_pool resource leak in error paths
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71196
    - phy: stm32-usphyc: Fix off by one in probe()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71193
    - phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71162
    - dmaengine: tegra-adma: Fix use-after-free
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2025-71195
    - dmaengine: xilinx: xdma: Fix regmap max_register
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23034
    - drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23051
    - drm/amdgpu: fix drm panic null pointer when driver not support atomic
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23006
    - ASoC: tlv320adcx140: fix null pointer
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-22999
    - net/sched: sch_qfq: do not free existing class in qfq_change_class()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23010
    - ipv6: Fix use-after-free in inet6_addr_del().
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23004
    - dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23054
    - net: hv_netvsc: reject RSS hash key programming without RX indirection
      table
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23013
    - net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23035
    - net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-22996
    - net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23000
    - net/mlx5e: Fix crash on profile change rollback failure
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23011
    - ipv4: ip_gre: make ipgre_header() robust
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23007
    - block: zero non-PI portion of auto integrity buffer
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23001
    - macvlan: fix possible UAF in macvlan_forward_source()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23003
    - ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23141
    - btrfs: send: check for inline extents in range_is_hole_in_parent()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23036
    - btrfs: release path before iget_failed() in btrfs_read_locked_inode()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-22998
    - nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23037
    - can: etas_es58x: allow partial RX URB allocation to succeed
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23008
    - drm/vmwgfx: Fix KMS with 3D on HW version 10
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23038
    - pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23053
    - NFS: Fix a deadlock involving nfs_release_folio()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23050
    - pNFS: Fix a deadlock when returning a delegation during open()
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23143
    - virtio_net: Fix misalignment bug in struct virtnet_info
  * Questing update: upstream stable patchset 2026-06-09 (LP: #2156193) //
    CVE-2026-23005
    - x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749)
    - NFSD: Fix permission check for read access to executable-only files
    - nfsd: use correct loop termination in nfsd4_revoke_states()
    - NFSD: net ref data still needs to be freed even if net hasn't startup
    - NFSD: Remove NFSERR_EAGAIN
    - atm: Fix dma_free_coherent() size
    - net: do not write to msg_get_inq in callee
    - arm64: Fix cleared E0POE bit after cpu_suspend()/resume()
    - mei: me: add nova lake point S DID
    - lib/crypto: aes: Fix missing MMU protection for AES S-box
    - counter: 104-quad-8: Fix incorrect return value in IRQ handler
    - riscv: boot: Always make Image from vmlinux, not vmlinux.unstripped
    - Revert "drm/atomic-helper: Re-order bridge chain pre-enable and post-
      disable"
    - ALSA: ac97bus: Use guard() for mutex locks
    - ALSA: hda/tas2781: properly initialize speaker_id for TAS2563
    - arm64: dts: imx95: correct I3C2 pclk to IMX95_CLK_BUSWAKEUP
    - drm/amd/display: Apply e4479aecf658 to dml
    - drm/amdgpu: Fix query for VPE block_type and ip_count
    - drm/atomic-helper: Export and namespace some functions
    - drm/pl111: Fix error handling in pl111_amba_probe
    - drm/tidss: Fix enable/disable order
    - drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[]
    - gpio: rockchip: mark the GPIO controller as sleeping
    - io_uring/io-wq: fix incorrect io_wq_for_each_worker() termination logic
    - PCI: meson: Report that link is up while in ASPM L0s and L1 states
    - pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping
    - Revert "drm/mediatek: dsi: Fix DSI host and panel bridge pre-enable
      order"
    - wifi: mac80211: restore non-chanctx injection behaviour
    - ublk: reorder tag_set initialization before queue allocation
    - ALSA: hda: intel-dsp-config: Prefer legacy driver as fallback
    - csky: fix csky_cmpxchg_fixup not working
    - ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels
    - alpha: don't reference obsolete termio struct for TC* constants
    - dm-snapshot: fix 'scheduling while atomic' on real-time kernels
    - NFSv4: ensure the open stateid seqid doesn't go backwards
    - ASoC: rockchip: Fix Wvoid-pointer-to-enum-cast warning (again)
    - NFS: Fix up the automount fs_context to use the correct cred
    - ALSA: hda/realtek: Add support for ASUS UM3406GA
    - drm/amd/display: shrink struct members
    - smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value
    - smb/client: fix NT_STATUS_DEVICE_DOOR_OPEN value
    - smb/client: fix NT_STATUS_NO_DATA_DETECTED value
    - scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset
    - scsi: ufs: core: Fix EH failure after W-LUN resume error
    - scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe
      failure scanned in again after probe failed"
    - btrfs: fix qgroup_snapshot_quick_inherit() squota bug
    - btrfs: qgroup: update all parent qgroups when doing quick inherit
    - arm64: dts: ti: k3-am642-phyboard-electra-x27-gpio1-spi1-uart3: Fix
      schema warnings
    - arm64: dts: ti: k3-am62-lp-sk-nand: Rename pinctrls to fix schema
      warnings
    - gpio: it87: balance superio enter/exit calls in error path
    - HID: Intel-thc-hid: Intel-thc: fix dma_unmap_sg() nents value
    - HID: Intel-thc-hid: Intel-thc: Fix wrong register reading
    - pinctrl: mediatek: mt8189: restore previous register base name array
      order
    - crypto: qat - fix duplicate restarting msg during AER error
    - arm64: dts: imx8qm-mek: correct the light sensor interrupt type to low
      level
    - arm64: dts: add off-on-delay-us for usdhc2 regulator
    - ARM: dts: imx6q-ba16: fix RTC interrupt level
    - arm64: dts: freescale: moduline-display: fix compatible
    - arm64: dts: freescale: tx8p-ml81: fix eqos nvmem-cells
    - arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH electronics
      i.MX8M Plus DHCOM
    - arm64: dts: imx8qm-ss-dma: correct the dma channels of lpuart
    - arm64: dts: mba8mx: Fix Ethernet PHY IRQ support
    - netfilter: nft_set_pipapo: fix range overlap detection
    - netfilter: nft_synproxy: avoid possible data-race on update operation
    - gpiolib: remove unnecessary 'out of memory' messages
    - gpiolib: add support to register sparse pin range
    - gpiolib: add a common prefix to GPIO descriptor flags
    - gpiolib: rename GPIO chip printk macros
    - gpio: pca953x: handle short interrupt pulses on PCAL devices
    - netfilter: nf_tables: fix memory leak in nf_tables_newrule()
    - bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress
    - inet: ping: Fix icmp out counting
    - net: phy: mxl-86110: Add power management and soft reset support
    - netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates
    - net/mlx5: Lag, multipath, give priority for routes with smaller network
      prefix
    - net/mlx5e: Don't gate FEC histograms on ppcnt_statistical_group
    - net/mlx5e: Don't print error message due to invalid module
    - net: wwan: iosm: Fix memory leak in ipc_mux_deinit()
    - bnxt_en: Fix potential data corruption with HW GRO/LRO
    - drm/amd/pm: fix wrong pcie parameter on navi1x
    - drm/amd/pm: force send pcie parmater on navi1x
    - vsock: Make accept()ed sockets use custom setsockopt()
    - btrfs: only enforce free space tree if v1 cache is required for bs < ps
      cases
    - riscv: cpufeature: Fix Zk bundled extension missing Zknh
    - riscv: pgtable: Cleanup useless VA_USER_XXX definitions
    - PCI/VGA: Don't assume the only VGA device on a system is `boot_vga`
    - idpf: keep the netdev when a reset fails
    - idpf: convert vport state to bitmap
    - idpf: fix issue with ethtool -n command display
    - idpf: Fix RSS LUT configuration on down interfaces
    - idpf: Fix error handling in idpf_vport_open()
    - idpf: cap maximum Rx buffer size
    - Revert "dsa: mv88e6xxx: make serdes SGMII/Fiber tx amplitude
      configurable"
    - net: sfp: return the number of written bytes for smbus single byte
      access
    - net: netdevsim: fix inconsistent carrier state after link/unlink
    - block: don't merge bios with different app_tags
    - trace: ftrace_dump_on_oops[] is not exported, make it static
    - net: airoha: Fix schedule while atomic in airoha_ppe_deinit()
    - net: enetc: fix build warning when PAGE_SIZE is greater than 128K
    - ublk: fix use-after-free in ublk_partition_scan_work
    - irqchip/gic-v5: Fix gicv5_its_map_event() ITTE read endianness
    - erofs: don't bother with s_stack_depth increasing for now
    - erofs: fix file-backed mounts no longer working on EROFS partitions
    - btrfs: truncate ordered extent when skipping writeback past i_size
    - btrfs: use variable for end offset in extent_writepage_io()
    - btrfs: fix beyond-EOF write handling
    - gpio: mpsse: add quirk support
    - net: sfp: extend Potron XGSPON quirk to cover additional EEPROM variant
    - powercap: fix race condition in register_control_type()
    - powercap: fix sscanf() error return value handling
    - accel/amdxdna: Block running under a hypervisor
    - drm/amd/display: Fix DP no audio issue
    - spi: mt65xx: Use IRQF_ONESHOT with threaded IRQ
    - drm/amdkfd: Fix improper NULL termination of queue restore SMI event
      string
    - block: validate pi_offset integrity limit
    - ASoC: amd: yc: Add quirk for Honor MagicBook X16 2025
    - ALSA: hda/realtek: enable woofer speakers on Medion NM14LNL
    - ASoC: fsl_sai: Add missing registers to cache default
    - scsi: sg: Fix occasional bogus elapsed time that exceeds timeout
    - spi: cadence-quadspi: Prevent lost complete() call during indirect read
    - bpf: Make variables in bpf_prog_test_run_xdp less confusing
    - bpf: Support specifying linear xdp packet data size for
      BPF_PROG_TEST_RUN
    - ata: libata-core: Disable LPM on ST2000DM008-2FR102
    - ALSA: usb-audio: Update for native DSD support quirks
    - bpf: test_run: Fix ctx leak in bpf_prog_test_run_xdp error path
    - Upstream stable to v6.12.66, v6.18.5, v6.18.6
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23140
    - bpf, test_run: Subtract size of xdp_frame from allowed metadata size
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2025-71182
    - can: j1939: make j1939_session_activate() fail if device is no longer
      registered
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2025-71160
    - netfilter: nf_tables: avoid chain re-validation if possible
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22994
    - bpf: Fix reference count leak in bpf_prog_test_run_xdp()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23015
    - gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2025-71158
    - gpio: mpsse: ensure worker is torn down
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23021
    - net: usb: pegasus: fix memory leak in update_eth_regs_async()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22976
    - net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate
      in qfq_reset
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22987
    - net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23042
    - idpf: fix aux device unplugging when rdma is not supported by vport
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22993
    - idpf: Fix RSS LUT NULL ptr issue after soft reset
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22985
    - idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23024
    - idpf: fix memory leak of flow steer list on rmmod
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23017
    - idpf: fix error handling in the init_task on load
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23022
    - idpf: fix memory leak in idpf_vc_core_deinit()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23023
    - idpf: fix memory leak in idpf_vport_rel()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22981
    - idpf: detach and close netdevs while handling a reset
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22979
    - net: fix memory leak in skb_segment_list for GRO packets
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23018
    - btrfs: release path before initializing extent tree in
      btrfs_read_locked_inode()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23014
    - perf: Ensure swevent hrtimer is properly destroyed
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23046
    - virtio_net: fix device mismatch in devm_kzalloc/devm_kfree
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23045
    - net/ena: fix missing lock when update devlink params
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22977
    - net: sock: fix hardened usercopy panic in sock_recv_errqueue
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22982
    - net: mscc: ocelot: Fix crash when adding interface under a lag
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23019
    - net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23139
    - netfilter: nf_conncount: update last_gc only when GC has been performed
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22986
    - gpiolib: fix race condition for gdev->srcu
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2025-71201
    - netfs: Fix early read unlock of page with EOF in middle
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23137
    - of: unittest: Fix memory leak in unittest_data_add()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2025-71184
    - btrfs: fix NULL dereference on root when tracing inode eviction
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2025-71161
    - dm-verity: disable recursive forward error correction
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23047
    - libceph: make calc_target() set t->paused, not just clear it
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23136
    - libceph: reset sparse-read state in osd_fault()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22992
    - libceph: return the handler error from mon_handle_auth_done()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22991
    - libceph: make free_choose_arg_map() resilient to partial allocation
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22990
    - libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22978
    - wifi: avoid kernel-infoleak from struct iw_point
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23044
    - PM: hibernate: Fix crash when freeing invalid crypto compressor
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2025-71192
    - ALSA: ac97: fix a double free in snd_ac97_controller_register()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23138
    - tracing: Add recursion protection in kernel stack trace recording
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2025-71180
    - counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2025-71183
    - btrfs: always detect conflicting inodes when logging inode refs
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-23020
    - net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22989
    - nfsd: check that server is running in unlock_filesystem
  * Questing update: upstream stable patchset 2026-06-01 (LP: #2154749) //
    CVE-2026-22980
    - nfsd: provide locking for v4_end_grace
  * CVE-2026-46316 // CVE-2026-46317
    - KVM: arm64: Reassign nested_mmus array behind mmu_lock
  * CVE-2026-46316
    - KVM: arm64: vgic-its: Drop the translation cache reference only for the
      erased entry
    - KVM: arm64: Take the SRCU lock for page table walks in fault injection
      and AT emulation
  * CVE-2026-43402
    - kthread: consolidate kthread exit paths to prevent use-after-free
    - bpf: drop kthread_exit from noreturn_deny
  * CVE-2026-31444
    - ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()
  * CVE-2026-43037
    - ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
  * CVE-2026-45988
    - rxrpc: Fix re-decryption of RESPONSE packets
  * CVE-2026-46135
    - nvmet-tcp: fix race between ICReq handling and queue teardown
  * CVE-2026-46195
    - smb: client: validate dacloffset before building DACL pointers
  * CVE-2026-31402
    - nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
  * CVE-2026-43378
    - smb: server: fix use-after-free in smb2_open()
  * CVE-2026-31657
    - batman-adv: hold claim backbone gateways by reference
  * CVE-2026-46266
    - inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
  * CVE-2026-46289
    - lib/scatterlist: fix length calculations in extract_kvec_to_sg
  * CVE-2026-31436
    - dmaengine: idxd: fix possible wrong descriptor completion in
      llist_abort_desc()
  * CVE-2026-31649
    - net: stmmac: fix integer underflow in chain mode
  * CVE-2026-31659
    - batman-adv: reject oversized global TT response buffers
  * CVE-2026-31448
    - ext4: avoid infinite loops caused by residual data
  * CVE-2026-43071
    - dcache: Limit the minimal number of bucket to two
  * CVE-2026-31478
    - ksmbd: replace hardcoded hdr2_len with offsetof() in
      smb2_calc_max_out_buf_len()
  * CVE-2026-31682
    - bridge: br_nd_send: linearize skb before parsing ND options
  * CVE-2026-43117
    - btrfs: tracepoints: get correct superblock from dentry in event
      btrfs_sync_file()
  * CVE-2026-31669
    - mptcp: fix slab-use-after-free in __inet_lookup_established
  * CVE-2026-46115
    - block: add pgmap check to biovec_phys_mergeable
  * CVE-2026-45898
    - RDMA/iwcm: Fix workqueue list corruption by removing work_list
  * CVE-2026-46244
    - netfilter: nft_inner: Fix IPv6 inner_thoff desync
  * CVE-2026-43493
    - crypto: pcrypt - Fix handling of MAY_BACKLOG requests
  * CVE-2026-43186
    - ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
  * CVE-2026-31685
    - netfilter: ip6t_eui64: reject invalid MAC header for all packets
  * CVE-2026-43114
    - netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
      expiry
  * CVE-2026-46325
    - RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE
  * CVE-2026-31668
    - seg6: separate dst_cache for input and output paths in seg6 lwtunnel
  * CVE-2026-43197
    - netconsole: avoid OOB reads, msg is not nul-terminated
  * CVE-2026-43083
    - net: ioam6: fix OOB and missing lock
  * CVE-2026-46043
    - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
  * CVE-2026-23428
    - ksmbd: fix use-after-free of share_conf in compound request
  * CVE-2026-23450
    - net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
  * CVE-2026-46185
    - smb/client: fix out-of-bounds read in symlink_data()
  * CVE-2026-23455
    - netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
  * CVE-2026-46119
    - libceph: Fix slab-out-of-bounds access in auth message processing
  * CVE-2026-46039
    - rxgk: Fix potential integer overflow in length check
  * CVE-2026-23427
    - ksmbd: fix use-after-free in durable v2 replay of active file handles
  * CVE-2026-31718
    - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
  * CVE-2026-31637
    - rxrpc: reject undecryptable rxkad response tickets
  * CVE-2026-43011
    - net/x25: Fix potential double free of skb
  * CVE-2026-43038
    - ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
  * CVE-2026-31635
    - rxrpc: fix oversized RESPONSE authenticator length check
  * CVE-2026-43501
    - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
  * CVE-2026-43125
    - dlm: validate length in dlm_search_rsb_tree
  * CVE-2026-43185
    - ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
  * CVE-2026-43341
    - net/ipv6: ioam6: prevent schema length wraparound in trace fill
  * CVE-2026-31607
    - usbip: validate number_of_packets in usbip_pack_ret_submit()
  * CVE-2026-43384
    - net/tcp-ao: Fix MAC comparison to be constant-time
  * CVE-2026-43383
    - net/tcp-md5: Fix MAC comparison to be constant-time
  * CVE-2026-43376
    - ksmbd: fix use-after-free by using call_rcu() for oplock_info
  * CVE-2026-46243
    - smb: client: reject userspace cifs.spnego descriptions
  * CVE-2026-43414
    - scsi: qla2xxx: Completely fix fcport double free
  * CVE-2026-43407
    - libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
  * CVE-2026-43406
    - libceph: prevent potential out-of-bounds reads in
      process_message_header()
  * CVE-2026-43304
    - libceph: define and enforce CEPH_MAX_KEY_LEN
  * CVE-2026-22984
    - libceph: prevent potential out-of-bounds reads in handle_auth_done()

linux-riscv (6.17.0-40.40.1) questing; urgency=medium

  * questing/linux-riscv: 6.17.0-40.40.1 -proposed tracker (LP: #2157627)

  [ Ubuntu: 6.17.0-40.40 ]

  * questing/linux: 6.17.0-40.40 -proposed tracker (LP: #2157631)
  * CVE-2026-43037
    - ip6_tunnel: clear skb2->cb[] in ip4ip6_err()

linux-riscv (6.17.0-39.39.1) questing; urgency=medium

  * questing/linux-riscv: 6.17.0-39.39.1 -proposed tracker (LP: #2157141)

  [ Ubuntu: 6.17.0-39.39 ]

  * questing/linux: 6.17.0-39.39 -proposed tracker (LP: #2157145)
  * Packaging resync (LP: #1786013)
    - [Packaging] update annotations scripts
  * CVE-2026-45988
    - rxrpc: Fix re-decryption of RESPONSE packets
  * CVE-2026-46135
    - nvmet-tcp: fix race between ICReq handling and queue teardown
  * CVE-2026-46195
    - smb: client: validate dacloffset before building DACL pointers
  * CVE-2026-31402
    - nfsd: fix heap overflow in NFSv4.0 LOCK replay cache
  * CVE-2026-43378
    - smb: server: fix use-after-free in smb2_open()
  * CVE-2026-31657
    - batman-adv: hold claim backbone gateways by reference
  * CVE-2026-46266
    - inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP
  * CVE-2026-46289
    - lib/scatterlist: fix length calculations in extract_kvec_to_sg
  * CVE-2026-31436
    - dmaengine: idxd: fix possible wrong descriptor completion in
      llist_abort_desc()
  * CVE-2026-31649
    - net: stmmac: fix integer underflow in chain mode
  * CVE-2026-31659
    - batman-adv: reject oversized global TT response buffers
  * CVE-2026-31448
    - ext4: avoid infinite loops caused by residual data
  * CVE-2026-43071
    - dcache: Limit the minimal number of bucket to two
  * CVE-2026-31478
    - ksmbd: replace hardcoded hdr2_len with offsetof() in
      smb2_calc_max_out_buf_len()
  * CVE-2026-31682
    - bridge: br_nd_send: linearize skb before parsing ND options
  * CVE-2026-43117
    - btrfs: tracepoints: get correct superblock from dentry in event
      btrfs_sync_file()
  * CVE-2026-31669
    - mptcp: fix slab-use-after-free in __inet_lookup_established
  * CVE-2026-46115
    - block: add pgmap check to biovec_phys_mergeable
  * CVE-2026-45898
    - RDMA/iwcm: Fix workqueue list corruption by removing work_list
  * CVE-2026-46244
    - netfilter: nft_inner: Fix IPv6 inner_thoff desync
  * CVE-2026-43493
    - crypto: pcrypt - Fix handling of MAY_BACKLOG requests
  * CVE-2026-43186
    - ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
  * CVE-2026-31685
    - netfilter: ip6t_eui64: reject invalid MAC header for all packets
  * CVE-2026-43114
    - netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
      expiry
  * CVE-2026-46325
    - RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE
  * CVE-2026-31668
    - seg6: separate dst_cache for input and output paths in seg6 lwtunnel
  * CVE-2026-43197
    - netconsole: avoid OOB reads, msg is not nul-terminated
  * CVE-2026-43083
    - net: ioam6: fix OOB and missing lock
  * CVE-2026-46043
    - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
  * CVE-2026-23428
    - ksmbd: fix use-after-free of share_conf in compound request
  * CVE-2026-23450
    - net/smc: fix NULL dereference and UAF in smc_tcp_syn_recv_sock()
  * CVE-2026-46185
    - smb/client: fix out-of-bounds read in symlink_data()
  * CVE-2026-23455
    - netfilter: nf_conntrack_h323: check for zero length in DecodeQ931()
  * CVE-2026-46119
    - libceph: Fix slab-out-of-bounds access in auth message processing
  * CVE-2026-46039
    - rxgk: Fix potential integer overflow in length check
  * CVE-2026-23427
    - ksmbd: fix use-after-free in durable v2 replay of active file handles
  * CVE-2026-31718
    - ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
  * CVE-2026-31637
    - rxrpc: reject undecryptable rxkad response tickets
  * CVE-2026-43011
    - net/x25: Fix potential double free of skb
  * CVE-2026-43038
    - ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
  * CVE-2026-31635
    - rxrpc: fix oversized RESPONSE authenticator length check
  * CVE-2026-43501
    - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
  * CVE-2026-43125
    - dlm: validate length in dlm_search_rsb_tree
  * CVE-2026-46316
    - KVM: arm64: vgic-its: Drop the translation cache reference only for the
      erased entry
  * CVE-2026-43185
    - ksmbd: fix signededness bug in smb_direct_prepare_negotiation()
  * CVE-2026-43341
    - net/ipv6: ioam6: prevent schema length wraparound in trace fill
  * CVE-2026-31607
    - usbip: validate number_of_packets in usbip_pack_ret_submit()
  * CVE-2026-43402
    - kthread: consolidate kthread exit paths to prevent use-after-free
  * CVE-2026-43384
    - net/tcp-ao: Fix MAC comparison to be constant-time
  * CVE-2026-43383
    - net/tcp-md5: Fix MAC comparison to be constant-time
  * CVE-2026-43376
    - ksmbd: fix use-after-free by using call_rcu() for oplock_info
  * CVE-2026-46243
    - smb: client: reject userspace cifs.spnego descriptions
  * CVE-2026-43414
    - scsi: qla2xxx: Completely fix fcport double free
  * CVE-2026-43407
    - libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
  * CVE-2026-43406
    - libceph: prevent potential out-of-bounds reads in
      process_message_header()
  * CVE-2026-43304
    - libceph: define and enforce CEPH_MAX_KEY_LEN
  * CVE-2026-22984
    - libceph: prevent potential out-of-bounds reads in handle_auth_done()

Date: 2026-06-24 13:55:12.047736+00:00
Changed-By: Sarah Emery <sarah.emery at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-riscv/6.17.0-41.41.1
-------------- next part --------------
Sorry, changesfile not available.


More information about the Questing-changes mailing list