{"id":"CLSA-2025-1757963029","summary":"kernel-uek: Fix of 194 CVEs","details":"- rds: tcp: block BH in TCP callbacks\n- kexec: Improve & fix crash_exclude_mem_range() to handle overlapping ranges\n- module: correctly exit module_kallsyms_on_each_symbol when fn() != 0\n- module: potential uninitialized return in module_kallsyms_on_each_symbol()\n- module: use RCU to synchronize find_module\n- kallsyms: refactor {,module_}kallsyms_on_each_symbol\n- LTS tag: v5.4.295\n- scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops\n- arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() {CVE-2025-38320}\n- perf: Fix sample vs do_exit() {CVE-2025-38424}\n- s390/pci: Fix __pcilg_mio_inuser() inline assembly\n- rtc: test: Fix invalid format specifier.\n- jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() {CVE-2025-38337}\n- mm/huge_memory: fix dereferencing invalid pmd migration entry {CVE-2025-37958}\n- rtc: Make rtc_time64_to_tm() support dates before 1970\n- rtc: Improve performance of rtc_time64_to_tm(). Add tests.\n- xprtrdma: fix pointer derefs in error cases of rpcrdma_ep_create {CVE-2022-48773}\n- posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() {CVE-2025-38352}\n- ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms\n- ARM: dts: am335x-bone-common: Increase MDIO reset deassert time\n- ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board\n- net: atm: fix /proc/net/atm/lec handling {CVE-2025-38180}\n- net: atm: add lec_mutex {CVE-2025-38323}\n- calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). {CVE-2025-38181}\n- tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer {CVE-2025-38184}\n- tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior\n- atm: atmtcp: Free invalid length skb in atmtcp_c_send(). {CVE-2025-38185}\n- mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). {CVE-2025-38324}\n- wifi: carl9170: do not ping device which has failed to load firmware {CVE-2025-38420}\n- aoe: clean device rq_list in aoedev_downdev() {CVE-2025-38326}\n- hwmon: (occ) fix unaligned accesses\n- drm/nouveau/bl: increase buffer size to avoid truncate warning\n- erofs: remove unused trace event erofs_destroy_inode\n- ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged\n- ALSA: hda/intel: Add Thinkpad E15 to PM deny list\n- Input: sparcspkr - avoid unannotated fall-through\n- HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() {CVE-2025-38103}\n- atm: Revert atm_account_tx() if copy_from_iter_full() fails. {CVE-2025-38190}\n- selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len\n- scsi: s390: zfcp: Ensure synchronous unit_add\n- scsi: storvsc: Increase the timeouts to storvsc_timeout\n- jffs2: check jffs2_prealloc_raw_node_refs() result in few other places {CVE-2025-38328}\n- jffs2: check that raw node were preallocated before writing summary {CVE-2025-38194}\n- drivers/rapidio/rio_cm.c: prevent possible heap overwrite {CVE-2025-38090}\n- powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery\n- platform/x86: dell_rbu: Stop overwriting data buffer\n- platform: Add Surface platform directory\n- Revert \"bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first\"\n- tee: Prevent size calculation wraparound on 32-bit kernels\n- ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY\n- bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value\n- watchdog: da9052_wdt: respect TWDMIN\n- i40e: fix MMIO write access to an invalid page in i40e_clear_hw {CVE-2025-38200}\n- sock: Correct error checking condition for (assign|release)_proto_idx()\n- scsi: lpfc: Use memcpy() for BIOS version {CVE-2025-38332}\n- vxlan: Do not treat dst cache initialization errors as fatal\n- clk: rockchip: rk3036: mark ddrphy as critical\n- wifi: mac80211: do not offer a mesh path if forwarding is disabled\n- net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info\n- pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get()\n- pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction()\n- pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction()\n- pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name()\n- ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT\n- tcp: fix initial tp-\u003ercvq_space.space value for passive TS enabled flows\n- tcp: always seek for minimal rtt in tcp_rcv_rtt_update()\n- net: dlink: add synchronization for stats update\n- sctp: Do not wake readers in __sctp_write_space()\n- emulex/benet: correct command version selection in be_cmd_get_stats()\n- i2c: designware: Invoke runtime suspend on quick slave re-registration\n- net: macb: Check return value of dma_set_mask_and_coherent()\n- cpufreq: Force sync policy boost with global boost on sysfs update\n- nios2: force update_mmu_cache on spurious tlb-permission--related pagefaults\n- media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() {CVE-2025-38237}\n- media: tc358743: ignore video while HPD is low\n- drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB\n- jfs: Fix null-ptr-deref in jfs_ioc_trim {CVE-2025-38203}\n- drm/amdgpu/gfx9: fix CSIB handling\n- drm/amdgpu/gfx8: fix CSIB handling\n- jfs: fix array-index-out-of-bounds read in add_missing_indices {CVE-2025-38204}\n- drm/amdgpu/gfx7: fix CSIB handling\n- drm/amdgpu/gfx10: fix CSIB handling\n- drm/msm/a6xx: Increase HFI response timeout\n- drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit()\n- media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition\n- drm/msm/hdmi: add runtime PM calls to DDC transfer function\n- drm/bridge: analogix_dp: Add irq flag IRQF_NO_AUTOEN instead of calling disable_irq()\n- sunrpc: update nextcheck time when adding new cache entries\n- drm/amdgpu/gfx6: fix CSIB handling\n- ACPI: battery: negate current when discharging\n- PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn()\n- power: supply: bq27xxx: Retrieve again when busy\n- ACPICA: fix acpi parse and parseext cache leaks {CVE-2025-38344}\n- ACPICA: Avoid sequence overread in call to strncmp()\n- ACPICA: fix acpi operand cache leak in dswstate.c {CVE-2025-38345}\n- iio: adc: ad7606_spi: fix reg write value mask\n- PCI: Fix lock symmetry in pci_slot_unlock()\n- PCI: Add ACS quirk for Loongson PCIe\n- uio_hv_generic: Use correct size for interrupt and monitor pages\n- regulator: max14577: Add error check for max14577_read_reg()\n- mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS\n- staging: iio: ad5933: Correct settling cycles encoding per datasheet\n- net: ch9200: fix uninitialised access during mii_nway_restart {CVE-2025-38086}\n- ftrace: Fix UAF when lookup kallsym after ftrace disabled {CVE-2025-38346}\n- dm-mirror: fix a tiny race condition\n- mtd: nand: sunxi: Add randomizer configuration before randomizer enable\n- mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk\n- mm: fix ratelimit_pages update error in dirty_ratio_handler()\n- ipc: fix to protect IPCS lookups using RCU {CVE-2025-38212}\n- parisc: fix building with gcc-15\n- vgacon: Add check for vc_origin address range in vgacon_scroll() {CVE-2025-38213}\n- fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var {CVE-2025-38214}\n- EDAC/altera: Use correct write width with the INTTEST register\n- NFC: nci: uart: Set tty-\u003edisc_data only in success path {CVE-2025-38416}\n- f2fs: prevent kernel warning due to negative i_nlink from corrupted image {CVE-2025-38219}\n- Input: ims-pcu - check record size in ims_pcu_flash_firmware() {CVE-2025-38428}\n- ext4: fix calculation of credits for extent tree modification\n- ext4: inline: fix len overflow in ext4_prepare_inline_data {CVE-2025-38222}\n- bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device\n- ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 {CVE-2025-38336}\n- ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap()\n- media: v4l2-dev: fix error handling in __video_register_device()\n- media: gspca: Add error handling for stv06xx_read_sensor()\n- wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723\n- nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request {CVE-2025-38430}\n- wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() {CVE-2025-38348}\n- gfs2: move msleep to sleepable context\n- configfs: Do not override creating attribute file failure in populate_attrs()\n- net: usb: aqc111: debug info before sanitation\n- calipso: unlock rcu before returning -EAFNOSUPPORT\n- xen/arm: call uaccess_ttbr0_enable for dm_op hypercall\n- usb: Flush altsetting 0 endpoints before reinitializating them after reset.\n- fs/filesystems: Fix potential unsigned integer underflow in fs_name()\n- net/mdiobus: Fix potential out-of-bounds read/write access {CVE-2025-38111}\n- drm/amd/display: Do not add '-mhard-float' to dcn2{1,0}_resource.o for clang\n- drm/amd/display: Do not add '-mhard-float' to dml_ccflags for clang\n- MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option\n- x86/boot/compressed: prefer cc-option for CFLAGS additions\n- net: mdio: C22 is now optional, EOPNOTSUPP if not provided\n- net_sched: tbf: fix a race in tbf_change()\n- net_sched: red: fix a race in __red_change() {CVE-2025-38108}\n- net_sched: prio: fix a race in prio_tune() {CVE-2025-38083}\n- net/mlx5: Fix return value when searching for existing flow group\n- net/mlx5: Wait for inactive autogroups\n- i40e: retry VFLR handling if there is ongoing VF reset\n- i40e: return false from i40e_reset_vf if reset is in progress\n- net_sched: sch_sfq: fix a potential crash on gso_skb handling {CVE-2025-38115}\n- scsi: iscsi: Fix incorrect error path labels for flashnode operations\n- NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes {CVE-2022-48829}\n- NFSD: Fix ia_size underflow {CVE-2022-48828}\n- Input: synaptics-rmi - fix crash with unsupported versions of F34\n- Input: synaptics-rmi4 - convert to use sysfs_emit() APIs\n- pmdomain: core: Fix error checking in genpd_dev_pm_attach_by_id()\n- do_change_type(): refuse to operate on unmounted/not ours mounts {CVE-2025-38498}\n- ice: create new Tx scheduler nodes for new queues only\n- Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION\n- net/mlx4_en: Prevent potential integer overflow calculating Hz\n- vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()\n- serial: Fix potential null-ptr-deref in mlb_usio_probe() {CVE-2025-38135}\n- usb: renesas_usbhs: Reorder clock handling and power management in probe {CVE-2025-38136}\n- rtc: Fix offset calculation for .start_secs \u003c 0\n- rtc: sh: assign correct interrupts with DT\n- perf record: Fix incorrect --user-regs comments\n- perf tests switch-tracking: Fix timestamp comparison\n- mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE\n- mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove()\n- rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()\n- perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3\n- perf ui browser hists: Set actions-\u003ethread before calling do_zoom_thread()\n- fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() {CVE-2025-38312}\n- soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() {CVE-2025-38145}\n- soc: aspeed: lpc: Fix impossible judgment condition\n- arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou\n- ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device\n- bus: fsl-mc: fix double-free on mc_dev {CVE-2025-38313}\n- nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()\n- nilfs2: add pointer check for nilfs_direct_propagate()\n- Squashfs: check return result of sb_min_blocksize {CVE-2025-38415}\n- ARM: dts: at91: at91sam9263: fix NAND chip selects\n- ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select\n- f2fs: fix to correct check conditions in f2fs_cross_rename\n- f2fs: use d_inode(dentry) cleanup dentry-\u003ed_inode\n- calipso: Don't call calipso functions for AF_INET sk. {CVE-2025-38147}\n- net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy\n- net: usb: aqc111: fix error handling of usbnet read calls {CVE-2025-38153}\n- netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy\n- wifi: ath9k_htc: Abort software beacon handling if disabled {CVE-2025-38157}\n- bpf: Fix WARN() in get_bpf_raw_tp_regs {CVE-2025-38285}\n- pinctrl: at91: Fix possible out-of-boundary access {CVE-2025-38286}\n- ktls, sockmap: Fix missing uncharge operation\n- netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it\n- f2fs: clean up w/ fscrypt_is_bounce_page()\n- RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h\n- wifi: rtw88: do not ignore hardware read error during DPK\n- net: ncsi: Fix GCPS 64-bit member variables\n- f2fs: fix to do sanity check on sbi-\u003etotal_valid_block_count {CVE-2025-38163}\n- drm/tegra: rgb: Fix the unbound reference count\n- drm/vkms: Adjust vkms_state-\u003eactive_planes allocation type\n- drm: rcar-du: Fix memory leak in rcar_du_vsps_init()\n- selftests/seccomp: fix syscall_restart test for arm compat\n- firmware: psci: Fix refcount leak in psci_dt_init\n- m68k: mac: Fix macintosh_config for Mac II\n- drm/vmwgfx: Add seqno waiter for sync_files\n- spi: sh-msiof: Fix maximum DMA transfer size\n- ACPI: OSI: Stop advertising support for \"3.0 _SCP Extensions\"\n- x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()\n- PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks()\n- EDAC/skx_common: Fix general protection fault {CVE-2025-38298}\n- crypto: marvell/cesa - Avoid empty transfer descriptor\n- crypto: marvell/cesa - Handle zero-length skcipher requests {CVE-2025-38173}\n- x86/cpu: Sanitize CPUID(0x80000000) output\n- perf/core: Fix broken throttling when max_samples_per_tick=1\n- gfs2: gfs2_create_inode error handling fix\n- netfilter: nft_socket: fix sk refcount leaks {CVE-2024-46855}\n- thunderbolt: Do not double dequeue a configuration request {CVE-2025-38174}\n- usb: usbtmc: Fix timeout value in get_stb\n- usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device\n- usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE\n- pinctrl: armada-37xx: set GPIO output value before setting direction\n- pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs \u003e 31\n- net/mlx5: Add poll-eq API to be used by ULP's\n- net/rds: poll eq during user-reset\n- perf: Fix perf_event_validate_size() lockdep splat {CVE-2023-6931}\n- perf: Fix perf_event_validate_size() {CVE-2023-6931}\n- net/mlx5: set graceful_period to 0 to allow multiple transmission queue recovery\n- pwm: mediatek: Ensure to disable clocks in error path\n- Revert \"mmc: sdhci: Disable SD card clock before changing parameters\"\n- net/sched: Always pass notifications when child class becomes empty {CVE-2025-38350}\n- x86/bpf: Classic BPF program can fail when BHB barrier is used\n- Add Zen34 clients {CVE-2024-36350}\n- x86/process: Move the buffer clearing before MONITOR {CVE-2024-36350}\n- KVM: SVM: Advertize TSA CPUID bits to guests {CVE-2024-36350}\n- x86/bugs: Add a Transient Scheduler Attacks mitigation {CVE-2024-36350}\n- KVM: x86: add support for CPUID leaf 0x80000021 {CVE-2024-36350}\n- x86/bugs: Rename MDS machinery to something more generic {CVE-2024-36350}\n- x86/CPU/AMD: Add ZenX generations flags {CVE-2024-36350}\n- x86/bugs: Free X86_BUG_AMD_APIC_C1E and X86_BUG_AMD_E400 bits {CVE-2024-36350}\n- Revert \"x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2\" on v6.6 and older\n- tracing: Fix compilation warning on arm32\n- PM: sleep: Fix power.is_suspended cleanup for direct-complete devices\n- LTS tag: v5.4.294\n- platform/x86: thinkpad_acpi: Ignore battery threshold change event notification\n- platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys\n- spi: spi-sun4i: fix early activation\n- um: let 'make clean' properly clean underlying SUBARCH as well\n- platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS\n- nfs: don't share pNFS DS connections between net namespaces\n- HID: quirks: Add ADATA XPG alpha wireless mouse support\n- coredump: hand a pidfd to the usermode coredump helper\n- fork: use pidfd_prepare()\n- pid: add pidfd_prepare()\n- pidfd: check pid has attached task in fdinfo\n- coredump: fix error handling for replace_fd()\n- net_sched: hfsc: Address reentrant enqueue adding class to eltree twice {CVE-2025-38001}\n- smb: client: Reset all search buffer pointers when releasing buffer\n- smb: client: Fix use-after-free in cifs_fill_dirent {CVE-2025-38051}\n- drm/i915/gvt: fix unterminated-string-initialization warning\n- netfilter: nf_tables: do not defer rule destruction via call_rcu {CVE-2024-56655}\n- netfilter: nf_tables: wait for rcu grace period on net_device removal {CVE-2024-56655}\n- netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx\n- kbuild: Disable -Wdefault-const-init-unsafe\n- spi: spi-fsl-dspi: restrict register range for regmap access\n- mm/page_alloc.c: avoid infinite retries caused by cpuset race\n- drm/edid: fixed the bug that hdr metadata was not reset\n- llc: fix data loss when reading from a socket in llc_ui_recvmsg()\n- ALSA: pcm: Fix race of buffer access at PCM OSS layer {CVE-2025-38078}\n- can: bcm: add missing rcu read protection for procfs content {CVE-2025-38003}\n- can: bcm: add locking for bcm_op runtime updates {CVE-2025-38004}\n- crypto: algif_hash - fix double free in hash_accept {CVE-2025-38079}\n- sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() {CVE-2025-38000}\n- net: dwmac-sun8i: Use parsed internal PHY address instead of 1\n- bridge: netfilter: Fix forwarding of fragmented packets\n- xfrm: Sanitize marks before insert\n- __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock {CVE-2025-38058}\n- xenbus: Allow PVH dom0 a non-local xenstore\n- btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref {CVE-2025-38034}\n- nvmet-tcp: don't restore null sk_state_change {CVE-2025-38035}\n- ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013\n- pinctrl: meson: define the pull up/down resistor value as 60 kOhm\n- drm: Add valid clones check\n- drm/atomic: clarify the rules around drm_atomic_state-\u003eallow_modeset\n- regulator: ad5398: Add device tree support\n- wifi: rtw88: Don't use static local variable in rtw8822b_set_tx_power_index_by_rate\n- bpftool: Fix readlink usage in get_fd_type\n- HID: usbkbd: Fix the bit shift number for LED_KANA\n- scsi: st: Restore some drive settings after reset\n- scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine\n- rcu: fix header guard for rcu_all_qs()\n- rcu: handle quiescent states for PREEMPT_RCU=n, PREEMPT_COUNT=y\n- vxlan: Annotate FDB data races {CVE-2025-38037}\n- hwmon: (xgene-hwmon) use appropriate type for the latency value\n- ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure().\n- net/mlx5e: reduce rep rxq depth to 256 for ECPF\n- net/mlx5e: set the tx_queue_len for pfifo_fast\n- net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB\n- phy: core: don't require set_mode() callback for phy_get_mode() to work\n- net/mlx4_core: Avoid impossible mlx4_db_alloc() order value\n- smack: recognize ipv4 CIPSO w/o categories\n- pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map\n- ASoC: ops: Enforce platform maximum on initial value\n- net/mlx5: Apply rate-limiting to high temperature warning\n- net/mlx5: Modify LSB bitmask in temperature event to include only the first bit\n- ACPI: HED: Always initialize before evged\n- PCI: Fix old_size lower bound in calculate_iosize() too\n- EDAC/ie31200: work around false positive build warning\n- net: pktgen: fix access outside of user given buffer in pktgen_thread_write() {CVE-2025-38061}\n- wifi: rtw88: Fix rtw_init_ht_cap() for RTL8814AU\n- scsi: mpt3sas: Send a diag reset if target reset fails\n- MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core\n- MIPS: Use arch specific syscall name match function\n- cpuidle: menu: Avoid discarding useful information\n- x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus()\n- bonding: report duplicate MAC address in all situations\n- net: xgene-v2: remove incorrect ACPI_PTR annotation\n- drm/amdkfd: KFD release_work possible circular locking\n- net/mlx5: Avoid report two health errors on same syndrome\n- fpga: altera-cvp: Increase credit timeout\n- drm/mediatek: mtk_dpi: Add checks for reg_h_fre_con existence\n- hwmon: (gpio-fan) Add missing mutex locks\n- x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2\n- net: pktgen: fix mpls maximum labels list parsing\n- pinctrl: bcm281xx: Use \"unsigned int\" instead of bare \"unsigned\"\n- media: cx231xx: set device_caps for 417 {CVE-2025-38044}\n- orangefs: Do not truncate file size {CVE-2025-38065}\n- dm cache: prevent BUG_ON by blocking retries on failed device resumes {CVE-2025-38066}\n- media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe()\n- ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114\n- ieee802154: ca8210: Use proper setters and getters for bitwise types\n- rtc: ds1307: stop disabling alarms on probe\n- powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7\n- mmc: sdhci: Disable SD card clock before changing parameters\n- netfilter: conntrack: Bound nf_conntrack sysctl writes\n- posix-timers: Add cond_resched() to posix_timer_add() search loop\n- xen: Add support for XenServer 6.1 platform device {CVE-2025-38046}\n- dm: restrict dm device size to 2^63-512 bytes\n- kbuild: fix argument parsing in scripts/config\n- scsi: st: ERASE does not change tape location\n- scsi: st: Tighten the page format heuristics with MODE SELECT\n- ext4: reorder capability check last\n- um: Update min_low_pfn to match changes in uml_reserved\n- um: Store full CSGSFS and SS register from mcontext\n- btrfs: send: return -ENAMETOOLONG when attempting a path that is too long\n- btrfs: avoid linker error in btrfs_find_create_tree_block()\n- i2c: pxa: fix call balance of i2c-\u003eclk handling routines\n- mmc: host: Wait for Vdd to settle on card power off\n- libnvdimm/labels: Fix divide error in nd_label_data_init() {CVE-2025-38072}\n- pNFS/flexfiles: Report ENETDOWN as a connection error\n- tools/build: Don't pass test log files to linker\n- dql: Fix dql-\u003elimit value when reset.\n- SUNRPC: rpc_clnt_set_transport() must not change the autobind setting\n- NFSv4: Treat ENETUNREACH errors as fatal for state recovery\n- fbdev: core: tileblit: Implement missing margin clearing for tileblit\n- fbdev: fsl-diu-fb: add missing device_remove_file()\n- mailbox: use error ret code of of_parse_phandle_with_args()\n- kconfig: merge_config: use an empty file as initfile\n- cgroup: Fix compilation issue due to cgroup_mutex not being exported\n- dma-mapping: avoid potential unused data compilation warning\n- scsi: target: iscsi: Fix timeout on deleted connection {CVE-2025-38075}\n- openvswitch: Fix unsafe attribute parsing in output_userspace() {CVE-2025-37998}\n- Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5\n- Input: synaptics - enable SMBus for HP Elitebook 850 G1\n- clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable()\n- phy: renesas: rcar-gen3-usb2: Set timing registers only once\n- phy: Fix error handling in tegra_xusb_port_init\n- ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2()\n- NFSv4/pnfs: Reset the layout state after a layoutreturn\n- NFSv4/pnfs: pnfs_set_layout_stateid() should update the layout cred\n- qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd()\n- ALSA: sh: SND_AICA should depend on SH_DMA_API\n- net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING\n- spi: loopback-test: Do not split 1024-byte hexdumps\n- nfs: handle failure of nfs_get_lock_context in unlock path {CVE-2025-38023}\n- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug {CVE-2025-38024}\n- iio: chemical: sps30: use aligned_s64 for timestamp\n- iio: adc: ad7768-1: Fix insufficient alignment of timestamp.\n- staging: axis-fifo: Correct handling of tx_fifo_depth for size validation\n- staging: axis-fifo: avoid parsing ignored device tree properties\n- staging: axis-fifo: Remove hardware resets for user errors\n- staging: axis-fifo: replace spinlock with mutex\n- platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection\n- do_umount(): add missing barrier before refcount checks in sync case\n- MIPS: Fix MAX_REG_OFFSET\n- iio: adc: dln2: Use aligned_s64 for timestamp\n- types: Complement the aligned types with signed 64-bit one\n- usb: usbtmc: Fix erroneous generic_read ioctl return\n- usb: usbtmc: Fix erroneous wait_srq ioctl return\n- usb: usbtmc: Fix erroneous get_stb ioctl error returns\n- USB: usbtmc: use interruptible sleep in usbtmc_read\n- usb: typec: ucsi: displayport: Fix NULL pointer access {CVE-2025-37994}\n- usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition\n- ocfs2: stop quota recovery before disabling quotas\n- ocfs2: implement handshaking with ocfs2 recovery thread\n- ocfs2: switch osb-\u003edisable_recovery to enum\n- module: ensure that kobject_put() is safe for module type kobjects {CVE-2025-37995}\n- xenbus: Use kref to track req lifetime {CVE-2025-37949}\n- usb: uhci-platform: Make the clock really optional\n- iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo {CVE-2025-37969}\n- iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo {CVE-2025-37970}\n- iio: adis16201: Correct inclinometer channel resolution\n- iio: adc: ad7606: fix serial register access\n- staging: iio: adc: ad7816: Correct conditional logic for store mode\n- Input: synaptics - enable InterTouch on Dell Precision M3800\n- Input: synaptics - enable InterTouch on Dynabook Portege X30L-G\n- Input: synaptics - enable InterTouch on Dynabook Portege X30-D\n- net: dsa: b53: fix learning on VLAN unaware bridges\n- netfilter: ipset: fix region locking in hash types {CVE-2025-37997}\n- sch_htb: make htb_deactivate() idempotent {CVE-2025-37953}\n- dm: fix copying after src array boundaries {CVE-2025-37902}\n- iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid {CVE-2025-37927}\n- arm64: dts: rockchip: fix iface clock-name on px30 iommus\n- usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling\n- usb: chipidea: ci_hdrc_imx: use dev_err_probe()\n- usb: chipidea: imx: refine the error handling for hsic\n- usb: chipidea: imx: change hsic power regulator as optional\n- irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() {CVE-2025-37819}\n- irqchip/gic-v2m: Mark a few functions __init\n- irqchip/gic-v2m: Add const to of_device_id\n- sch_htb: make htb_qlen_notify() idempotent {CVE-2025-37953}\n- of: module: add buffer overflow check in of_modalias() {CVE-2024-38541}\n- PCI: imx6: Skip controller_id generation logic for i.MX7D\n- net: fec: ERR007885 Workaround for conventional TX\n- net: lan743x: Fix memleak issue when GSO enabled {CVE-2025-37909}\n- lan743x: fix endianness when accessing descriptors\n- lan743x: remove redundant initialization of variable current_head_index\n- nvme-tcp: fix premature queue removal and I/O failover\n- net: dlink: Correct endianness handling of led_mode\n- net_sched: qfq: Fix double list add in class with netem as child qdisc {CVE-2025-37913}\n- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc {CVE-2025-37890}\n- net_sched: drr: Fix double list add in class with netem as child qdisc {CVE-2025-37915}\n- net/mlx5: E-Switch, Initialize MAC Address for Default GID\n- tracing: Fix oob write in trace_seq_to_buffer() {CVE-2025-37923}\n- dm: always update the array size in realloc_argv on success {CVE-2025-37902}\n- dm-integrity: fix a warning on invalid table line\n- wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() {CVE-2025-37990}\n- amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload\n- parisc: Fix double SIGFPE crash {CVE-2025-37991}\n- i2c: imx-lpi2c: Fix clock count when probe defers\n- EDAC/altera: Set DDR and SDMMC interrupt mask before registration\n- EDAC/altera: Test the correct error reg offset\n- scsi: qedf: Wait for stag work during unload\n- scsi: qedf: Don't process stag work during unload and recovery\n- rds: ib: Add cm_id generation scheme in order to detect new ones\n- x86/its: BPF can crash in bpf_jit_comp.c when ITS is enabled\n- shmem: add support to ignore swap\n- shmem: update documentation\n- mm: hold the source mmap write lock when copying PTEs\n- mm: do not write protect COW mappings when preserving across exec\n- mm: differentiate copying PTEs for preservation from copying for fork\n- mm/fork: Pass new vma pointer into copy_page_range()\n- xen/swiotlb: relax alignment requirements\n- Reapply \"xen/swiotlb: add alignment check for dma buffers\"\n- dmaengine: Revert \"dmaengine: dmatest: Fix dmatest waiting less when interrupted\"\n- nvme: unblock ctrl state transition for firmware update\n- memcg: always call cond_resched() after fn()\n- ACPI: PPTT: Fix processor subtable walk\n- LTS tag: v5.4.293\n- MIPS: cm: Fix warning if MIPS_CM is disabled\n- crypto: atmel-sha204a - Set hwrng quality to lowest possible\n- comedi: jr3_pci: Fix synchronous deletion of timer\n- md/raid1: Add check for missing source disk in process_checks()\n- scsi: pm80xx: Set phy_attached to zero when device is gone\n- ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls\n- selftests: ublk: fix test_stripe_04\n- udmabuf: fix a buf size overflow issue during udmabuf creation {CVE-2025-37803}\n- KVM: s390: Don't use %pK through tracepoints\n- sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP\n- ntb: reduce stack usage in idt_scan_mws\n- qibfs: fix _another_ leak {CVE-2025-37983}\n- usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() {CVE-2025-37881}\n- dmaengine: dmatest: Fix dmatest waiting less when interrupted\n- usb: host: max3421-hcd: Add missing spi_device_id table\n- parisc: PDT: Fix missing prototype warning\n- clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec()\n- crypto: null - Use spin lock instead of mutex {CVE-2025-37808}\n- MIPS: cm: Detect CM quirks from device tree\n- USB: VLI disk crashes if LPM is used\n- usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive\n- usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive\n- usb: dwc3: gadget: check that event count does not exceed event buffer length {CVE-2025-37810}\n- USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02)\n- usb: cdns3: Fix deadlock when using NCM gadget {CVE-2025-37812}\n- USB: serial: simple: add OWON HDS200 series oscilloscope support\n- USB: serial: option: add Sierra Wireless EM9291\n- USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe\n- serial: sifive: lock port in startup()/shutdown() callbacks\n- USB: storage: quirk for ADATA Portable HDD CH94\n- mcb: fix a double free bug in chameleon_parse_gdd() {CVE-2025-37817}\n- virtio_console: fix missing byte order handling for cols and rows\n- net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too {CVE-2025-37823}\n- net_sched: hfsc: Fix a UAF vulnerability in class handling {CVE-2025-37797}\n- tipc: fix NULL pointer dereference in tipc_mon_reinit_self() {CVE-2025-37824}\n- net: phy: leds: fix memory leak {CVE-2025-37989}\n- cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() {CVE-2025-37829}\n- drm/amd/pm: Prevent division by zero {CVE-2025-37766}\n- misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error\n- misc: pci_endpoint_test: Use INTX instead of LEGACY\n- PCI: Rename PCI_IRQ_LEGACY to PCI_IRQ_INTX\n- iio: adc: ad7768-1: Fix conversion result sign\n- iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check\n- net: dsa: mv88e6xxx: fix VTU methods for 6320 family\n- media: vim2m: print device name after registering device\n- ext4: fix OOB read when checking dotdot dir {CVE-2025-37785}\n- ext4: optimize __ext4_check_dir_entry()\n- ext4: don't over-report free space or inodes in statvfs\n- ext4: code cleanup for ext4_statfs_project()\n- ext4: simplify checking quota limits in ext4_statfs()\n- platform/x86: ISST: Correct command storage data length\n- MIPS: ds1287: Match ds1287_set_base_clock() function types\n- MIPS: cevt-ds1287: Add missing ds1287.h include\n- MIPS: dec: Declare which_prom() as static\n- virtio-net: Add validation for used length {CVE-2021-47352}\n- RDMA/srpt: Support specifying the srpt_service_guid parameter {CVE-2024-26744}\n- openvswitch: fix lockup on tx to unregistering netdev with carrier {CVE-2025-21681}\n- net: openvswitch: fix race on port output {CVE-2025-21681}\n- mmc: cqhci: Fix checking of CQHCI_HALT state\n- nvmet-fc: Remove unused functions\n- usb: dwc3: support continuous runtime PM with dual role\n- misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type\n- misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error {CVE-2025-23140}\n- tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink(). {CVE-2024-50154}\n- powerpc/prom_init: Use -ffreestanding to avoid a reference to bcmp\n- kbuild: Add '-fno-builtin-wcslen'\n- cpufreq: Reference count policy in cpufreq_update_limits()\n- drm/sti: remove duplicate object names\n- drm/nouveau: prime: fix ttm_bo_delayed_delete oops {CVE-2025-37765}\n- drm/repaper: fix integer overflows in repeat functions\n- module: sign with sha512 instead of sha1 by default\n- perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR\n- perf/x86/intel: Allow to update user space GPRs from PEBS records\n- virtiofs: add filesystem context source name check {CVE-2025-37773}\n- riscv: Avoid fortify warning in syscall_get_arguments()\n- isofs: Prevent the use of too small fid {CVE-2025-37780}\n- i2c: cros-ec-tunnel: defer probe if parent EC is not present {CVE-2025-37781}\n- hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key {CVE-2025-37782}\n- btrfs: correctly escape subvol in btrfs_show_options()\n- nfs: add missing selections of CONFIG_CRC32\n- nfs: move nfs_fhandle_hash to common include file\n- NFSD: Constify @fh argument of knfsd_fh_hash()\n- asus-laptop: Fix an uninitialized variable\n- writeback: fix false warning in inode_to_wb()\n- net: b53: enable BPDU reception for management port\n- net: openvswitch: fix nested key length validation in the set() action {CVE-2025-37789}\n- Revert \"wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()\" {CVE-2025-37795}\n- Bluetooth: btrtl: Prevent potential NULL dereference {CVE-2025-37792}\n- Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address\n- RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe()\n- scsi: iscsi: Fix missing scsi_host_put() in error path\n- wifi: wl1251: fix memory leak in wl1251_tx_work {CVE-2025-37982}\n- wifi: mac80211: Purge vif txq in ieee80211_do_stop() {CVE-2025-37794}\n- wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() {CVE-2025-37795}\n- wifi: at76c50x: fix use after free access in at76_disconnect {CVE-2025-37796}\n- HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition {CVE-2025-37838}\n- pwm: mediatek: always use bus clock for PWM on MT7622\n- Bluetooth: hci_uart: Fix another race during initialization {CVE-2025-23139}\n- x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions()\n- PCI: Fix reference leak in pci_alloc_child_bus()\n- of/irq: Fix device node refcount leakages in of_irq_init()\n- of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()\n- of/irq: Fix device node refcount leakages in of_irq_count()\n- ntb: use 64-bit arithmetic for the MSI doorbell mask\n- gpio: zynq: Fix wakeup source leaks on device unbind\n- ftrace: Add cond_resched() to ftrace_graph_set_hash() {CVE-2025-37940}\n- dm-integrity: set ti-\u003eerror on memory allocation failure\n- crypto: ccp - Fix check for the primary ASP device\n- thermal/drivers/rockchip: Add missing rk3328 mapping entry\n- sctp: detect and prevent references to a freed transport in sendmsg {CVE-2025-23142}\n- mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock\n- sparc/mm: disable preemption in lazy mmu mode\n- arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string\n- mtd: rawnand: Add status chack in r852_ready()\n- mtd: inftlcore: Add error check for inftl_read_oob() {CVE-2025-37892}\n- lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets\n- locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class()\n- jbd2: remove wrong sb-\u003es_sequence check {CVE-2025-37839}\n- i3c: Add NULL pointer check in i3c_master_queue_ibi() {CVE-2025-23147}\n- ext4: fix off-by-one error in do_split {CVE-2025-23150}\n- wifi: mac80211: fix integer overflow in hwmp_route_info_get()\n- net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family\n- media: venus: hfi_parser: add check to avoid out of bound access {CVE-2025-23157}\n- media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO\n- media: i2c: ov7251: Set enable GPIO low in probe\n- media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()\n- media: streamzap: prevent processing IR data on URB failure\n- mtd: rawnand: brcmnand: fix PM resume warning {CVE-2025-37840}\n- arm64: cputype: Add MIDR_CORTEX_A76AE\n- xenfs/xensyms: respect hypervisor's \"next\" indication\n- media: siano: Fix error handling in smsdvb_module_init()\n- media: venus: hfi: add check to handle incorrect queue size {CVE-2025-23158}\n- media: venus: hfi: add a check to handle OOB in sfr region {CVE-2025-23159}\n- media: i2c: adv748x: Fix test pattern selection mask\n- ext4: don't treat fhandle lookup of ea_inode as FS corruption\n- ext4: reject casefold inode flag without casefold feature\n- bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags\n- bpf: Add endian modifiers to fix endian warnings\n- pwm: fsl-ftm: Handle clk_get_rate() returning 0\n- pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() {CVE-2025-37850}\n- pwm: mediatek: Always use bus clock\n- fbdev: omapfb: Add 'plane' value check {CVE-2025-37851}\n- drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off\n- drm/amdkfd: Fix pqm_destroy_queue race with GPU reset\n- drm/amdkfd: clamp queue size to minimum\n- drm: panel-orientation-quirks: Add new quirk for GPD Win 2\n- drm: panel-orientation-quirks: Add support for AYANEO 2S\n- drm: allow encoder mode_set even when connectors change for crtc\n- Bluetooth: hci_uart: fix race during initialization {CVE-2025-23139}\n- tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER\n- net: vlan: don't propagate flags on open {CVE-2025-23163}\n- wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table\n- scsi: st: Fix array overflow in st_setup() {CVE-2025-37857}\n- ext4: ignore xattrs past end {CVE-2025-37738}\n- ext4: protect ext4_release_dquot against freezing\n- ahci: add PCI ID for Marvell 88SE9215 SATA Controller\n- ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode\n- jfs: add sanity check for agwidth in dbMount {CVE-2025-37740}\n- jfs: Prevent copying of nlink with value 0 from disk inode {CVE-2025-37741}\n- fs/jfs: Prevent integer overflow in AG size calculation {CVE-2025-37858}\n- fs/jfs: cast inactags to s64 to prevent potential overflow\n- page_pool: avoid infinite loop to schedule delayed worker {CVE-2025-37859}\n- ALSA: usb-audio: Fix CME quirk for UF series keyboards\n- ALSA: hda: intel: Fix Optimus when GPU has no sound\n- HID: pidff: Fix null pointer dereference in pidff_find_fields {CVE-2025-37862}\n- HID: pidff: Do not send effect envelope if it's empty\n- HID: pidff: Convert infinite length from Linux API to PID standard\n- xen/mcelog: Add __nonstring annotations for unterminated strings\n- perf: arm_pmu: Don't disable counter in armpmu_add()\n- x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine\n- pm: cpupower: bench: Prevent NULL dereference on malloc failure {CVE-2025-37841}\n- net: ppp: Add bound checking for skb data on ppp_sync_txmung {CVE-2025-37749}\n- ata: sata_sx4: Add error handling in pdc20621_i2c_read()\n- ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones\n- tipc: fix memory leak in tipc_link_xmit {CVE-2025-37757}\n- ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() {CVE-2025-37758}\n- x86/bhi: Do not set BHI_DIS_S in 32-bit mode\n- x86/bpf: Add IBHF call at end of classic BPF\n- x86/bpf: Call branch history clearing sequence on exit\n- certs: Reference revocation list for all keyrings\n- RDS: use get_user_pages_fast() in rdma_pin_pages()\n- x86/bugs: Enabling Retbleed and SRSO mitigation can taint the kernel\n- selftest/x86/bugs: Add selftests for ITS {CVE-2024-28956}\n- x86/its: Align RETs in BHB clear sequence to avoid thunking {CVE-2024-28956}\n- x86/its: Add \"vmexit\" option to skip mitigation on some CPUs {CVE-2024-28956}\n- x86/its: Enable Indirect Target Selection mitigation {CVE-2024-28956}\n- x86/its: Add support for ITS-safe return thunk {CVE-2024-28956}\n- x86/its: Add support for ITS-safe indirect thunk {CVE-2024-28956}\n- x86/its: Enumerate Indirect Target Selection (ITS) bug {CVE-2024-28956}\n- Documentation: x86/bugs/its: Add ITS documentation {CVE-2024-28956}\n- certs: Add new Oracle Linux Driver Signing (key 1) certificate\n- net/mlx5e: Don't call cleanup on profile rollback failure {CVE-2024-50146}\n- net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() {CVE-2024-50000}\n- net/mlx5: Fix error path in multi-packet WQE transmit {CVE-2024-50001}\n- net/mlx5: Discard command completions in internal error {CVE-2024-38555}\n- net/mlx5e: fix a potential double-free in fs_any_create_groups {CVE-2023-52667}\n- net/mlx5: Reclaim max 50K pages at once\n- LTS tag: v5.4.292\n- jfs: add index corruption check to DT_GETPAGE()\n- tracing: Fix use-after-free in print_graph_function_flags during tracer switching {CVE-2025-22035}\n- mmc: sdhci-pxav3: set NEED_RSP_BUSY capability\n- ACPI: resource: Skip IRQ override on ASUS Vivobook 14 X1404VAP\n- x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs {CVE-2025-22045}\n- x86/tsc: Always save/restore TSC sched_clock() on suspend/resume\n- ntb_perf: Delete duplicate dmaengine_unmap_put() call in perf_copy_chunk()\n- can: flexcan: only change CAN state when link up in system PM\n- arcnet: Add NULL check in com20020pci_probe() {CVE-2025-22054}\n- net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on destroy\n- ipv6: fix omitted netlink attributes when using RTEXT_FILTER_SKIP_STATS\n- vsock: avoid timeout during connect() if the socket is closing\n- net_sched: skbprio: Remove overly strict queue assertions {CVE-2025-38637}\n- netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets {CVE-2025-22063}\n- ntb: intel: Fix using link status DB's\n- ntb_hw_switchtec: Fix shift-out-of-bounds in switchtec_ntb_mw_set_trans {CVE-2023-53034}\n- spufs: fix a leak in spufs_create_context() {CVE-2025-22071}\n- spufs: fix a leak on spufs_new_file() failure {CVE-2025-22073}\n- hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}\n- can: statistics: use atomic access in hot path\n- locking/semaphore: Use wake_q to wake up processes outside lock critical section\n- sched/deadline: Use online cpus for validating runtime\n- affs: don't write overlarge OFS data block size fields\n- affs: generate OFS sequence numbers starting at 1\n- wifi: iwlwifi: fw: allocate chained SG tables for dump\n- sched/smt: Always inline sched_smt_active()\n- octeontx2-af: Fix mbox INTR handler when num VFs \u003e 64\n- ring-buffer: Fix bytes_dropped calculation issue\n- objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds() {CVE-2025-37937}\n- fs/procfs: fix the comment above proc_pid_wchan()\n- perf python: Check if there is space to copy all the event\n- perf python: Decrement the refcount of just created event on failure\n- perf python: Fixup description of sample.id event member\n- ocfs2: validate l_tree_depth to avoid out-of-bounds access {CVE-2025-22079}\n- kexec: initialize ELF lowest address to ULONG_MAX\n- perf units: Fix insufficient array space\n- iio: accel: mma8452: Ensure error return on failure to matching oversampling ratio\n- coresight: catu: Fix number of pages while using 64k pages\n- isofs: fix KMSAN uninit-value bug in do_isofs_readdir()\n- x86/dumpstack: Fix inaccurate unwinding from exception stacks due to misplaced assignment\n- mfd: sm501: Switch to BIT() to mitigate integer overflows\n- RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow {CVE-2025-22086}\n- power: supply: max77693: Fix wrong conversion of charge input threshold value\n- x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1\n- clk: amlogic: g12a: fix mmc A peripheral clock\n- clk: amlogic: gxbb: drop non existing 32k clock parent\n- clk: amlogic: g12b: fix cluster A parent data\n- IB/mad: Check available slots before posting receive WRs\n- clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent\n- pinctrl: renesas: rza2: Fix missing of_node_put() call\n- lib: 842: Improve error handling in sw842_compress()\n- clk: amlogic: gxbb: drop incorrect flag on 32k clock\n- fbdev: sm501fb: Add some geometry checks.\n- mdacon: rework dependency list\n- fbdev: au1100fb: Move a variable assignment behind a null pointer check\n- PCI: pciehp: Don't enable HPIE when resuming in poll mode\n- PCI: Remove stray put_device() in pci_register_host_bridge()\n- PCI/portdrv: Only disable pciehp interrupts early when needed\n- PCI/ASPM: Fix link state exit during switch upstream function removal {CVE-2024-58093}\n- drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member\n- ALSA: hda/realtek: Always honor no_shutup_pins\n- perf/ring_buffer: Allow the EPOLLRDNORM flag for poll\n- lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*()\n- PM: sleep: Fix handling devices with direct_complete set on errors\n- thermal: int340x: Add NULL check for adev {CVE-2025-23136}\n- EDAC/ie31200: Fix the error path order of ie31200_init()\n- EDAC/ie31200: Fix the DIMM size mask for several SoCs\n- EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer\n- selinux: Chain up tool resolving errors in install_policy.sh\n- x86/platform: Only allow CONFIG_EISA for 32-bit\n- x86/fpu: Avoid copying dynamic FP state from init_task in arch_dup_task_struct()\n- cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()\n- x86/mm/pat: cpa-test: fix length for CPA_ARRAY test\n- memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove {CVE-2025-22020}\n- net: usb: qmi_wwan: add Telit Cinterion FE990B composition\n- net: usb: qmi_wwan: add Telit Cinterion FN990B composition\n- tty: serial: 8250: Add some more device IDs\n- counter: stm32-lptimer-cnt: fix error handling when enabling\n- netfilter: socket: Lookup orig tuple for IPv6 SNAT {CVE-2025-22021}\n- ARM: Remove address checking for MMUless devices\n- ARM: 9351/1: fault: Add \"cut here\" line for prefetch aborts\n- ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()\n- atm: Fix NULL pointer dereference {CVE-2025-22018}\n- HID: hid-plantronics: Add mic mute mapping and generalize quirks\n- ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names\n- drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() {CVE-2025-21996}\n- batman-adv: Ignore own maximum aggregation size during RX\n- ARM: shmobile: smp: Enforce shmobile_smp_* alignment\n- mmc: atmel-mci: Add missing clk_disable_unprepare()\n- drm/v3d: Don't run jobs that have errors flagged in its fence\n- i2c: omap: fix IRQ storms\n- net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES\n- net: atm: fix use after free in lec_send() {CVE-2025-22004}\n- ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create().\n- ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). {CVE-2025-22005}\n- Bluetooth: Fix error code in chan_alloc_skb_cb() {CVE-2025-22007}\n- RDMA/hns: Fix wrong value of max_sge_rd\n- RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path\n- xfrm_output: Force software GSO only in tunnel mode\n- firmware: imx-scu: fix OF node leak in .probe()\n- i2c: sis630: Fix an error handling path in sis630_probe()\n- i2c: ali15x3: Fix an error handling path in ali15x3_probe()\n- i2c: ali1535: Fix an error handling path in ali1535_probe()\n- ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()\n- drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()\n- qlcnic: fix memory leak issues in qlcnic_sriov_common.c\n- drm/amd/display: Assign normalized_pix_clk when color depth = 14 {CVE-2025-21956}\n- drm/atomic: Filter out redundant DPMS calls\n- x86/microcode/AMD: Fix out-of-bounds on systems with CPU-less NUMA nodes {CVE-2025-21991}\n- USB: serial: option: match on interface class for Telit FN990B\n- USB: serial: option: fix Telit Cinterion FE990A name\n- USB: serial: option: add Telit Cinterion FE990B compositions\n- USB: serial: ftdi_sio: add support for Altera USB Blaster 3\n- block: fix 'kmem_cache of name 'bio-108' already exists'\n- drm/nouveau: Do not override forced connector status\n- x86/irq: Define trace events conditionally\n- fuse: don't truncate cached, mutated symlink\n- nvme: only allow entering LIVE from CONNECTING state\n- sctp: Fix undefined behavior in left shift operation\n- nvmet-rdma: recheck queue state is LIVE in state lock in recv done\n- ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime()\n- s390/cio: Fix CHPID \"configure\" attribute caching\n- HID: ignore non-functional sensor in HP 5MP Camera {CVE-2025-21992}\n- HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell\n- ACPI: resource: IRQ override for Eluktronics MECH-17\n- scsi: qla1280: Fix kernel oops when debug level \u003e 2 {CVE-2025-21957}\n- iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() {CVE-2025-21993}\n- powercap: call put_device() on an error path in powercap_register_control_type()\n- hrtimers: Mark is_migration_base() with __always_inline\n- nvme-fc: go straight to connecting state when initializing\n- net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices\n- netfilter: nft_exthdr: fix offset with ipv4_find_option()\n- net_sched: Prevent creation of classes with TC_H_ROOT {CVE-2025-21971}\n- ipvs: prevent integer overflow in do_ip_vs_get_ctl()\n- netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() {CVE-2025-21959}\n- Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()\n- drivers/hv: Replace binary semaphore with mutex\n- netpoll: hold rcu read lock in __netpoll_send_skb()\n- netpoll: netpoll_send_skb() returns transmit status\n- netpoll: move netpoll_send_skb() out of line\n- netpoll: remove dev argument from netpoll_send_skb_on_dev()\n- netpoll: Fix use correct return type for ndo_start_xmit()\n- pinctrl: bcm281xx: Fix incorrect regmap max_registers value\n- sched/isolation: Prevent boot crash when the boot CPU is nohz_full\n- clockevents/drivers/i8253: Fix stop sequence for timer 0\n- RDS: avoid using offlined CPU during reconnect\n- x86/microcode/AMD: Clean the cache if update did not load microcode\n- x86/microcode/AMD: Add finalize_late_load() microcode_op\n- x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches\n- x86/microcode/AMD: Add some forgotten models to the SHA check\n- x86/microcode/AMD: Load only SHA256-checksummed patches {CVE-2025-22047}\n- x86/microcode/AMD: Flush patch buffer mapping after application\n- x86/microcode/AMD: Stash BSP's CPUID(1).EAX and patch size\n- nvme: fix deadlock between reset and scan","modified":"2026-05-27T11:35:55.680785833Z","published":"2025-09-15T19:03:53Z","upstream":["CVE-2021-47352","CVE-2022-48773","CVE-2022-48828","CVE-2022-48829","CVE-2023-52667","CVE-2023-53034","CVE-2023-6931","CVE-2024-26744","CVE-2024-28956","CVE-2024-36350","CVE-2024-38541","CVE-2024-38555","CVE-2024-46855","CVE-2024-50000","CVE-2024-50001","CVE-2024-50146","CVE-2024-50154","CVE-2024-56655","CVE-2024-58093","CVE-2025-21681","CVE-2025-21956","CVE-2025-21957","CVE-2025-21959","CVE-2025-21971","CVE-2025-21991","CVE-2025-21992","CVE-2025-21993","CVE-2025-21996","CVE-2025-22004","CVE-2025-22005","CVE-2025-22007","CVE-2025-22018","CVE-2025-22020","CVE-2025-22021","CVE-2025-22035","CVE-2025-22045","CVE-2025-22047","CVE-2025-22054","CVE-2025-22063","CVE-2025-22071","CVE-2025-22073","CVE-2025-22079","CVE-2025-22086","CVE-2025-23136","CVE-2025-23139","CVE-2025-23140","CVE-2025-23142","CVE-2025-23147","CVE-2025-23150","CVE-2025-23157","CVE-2025-23158","CVE-2025-23159","CVE-2025-23163","CVE-2025-37738","CVE-2025-37740","CVE-2025-37741","CVE-2025-37749","CVE-2025-37757","CVE-2025-37758","CVE-2025-37765","CVE-2025-37766","CVE-2025-37773","CVE-2025-37780","CVE-2025-37781","CVE-2025-37782","CVE-2025-37785","CVE-2025-37789","CVE-2025-37792","CVE-2025-37794","CVE-2025-37795","CVE-2025-37796","CVE-2025-37797","CVE-2025-37803","CVE-2025-37808","CVE-2025-37810","CVE-2025-37812","CVE-2025-37817","CVE-2025-37819","CVE-2025-37823","CVE-2025-37824","CVE-2025-37829","CVE-2025-37838","CVE-2025-37839","CVE-2025-37840","CVE-2025-37841","CVE-2025-37850","CVE-2025-37851","CVE-2025-37857","CVE-2025-37858","CVE-2025-37859","CVE-2025-37862","CVE-2025-37881","CVE-2025-37890","CVE-2025-37892","CVE-2025-37902","CVE-2025-37909","CVE-2025-37913","CVE-2025-37915","CVE-2025-37923","CVE-2025-37927","CVE-2025-37937","CVE-2025-37940","CVE-2025-37949","CVE-2025-37953","CVE-2025-37958","CVE-2025-37969","CVE-2025-37970","CVE-2025-37982","CVE-2025-37983","CVE-2025-37989","CVE-2025-37990","CVE-2025-37991","CVE-2025-37994","CVE-2025-37995","CVE-2025-37997","CVE-2025-37998","CVE-2025-38000","CVE-2025-38001","CVE-2025-38003","CVE-2025-38004","CVE-2025-38023","CVE-2025-38024","CVE-2025-38034","CVE-2025-38035","CVE-2025-38037","CVE-2025-38044","CVE-2025-38046","CVE-2025-38051","CVE-2025-38058","CVE-2025-38061","CVE-2025-38065","CVE-2025-38066","CVE-2025-38072","CVE-2025-38075","CVE-2025-38078","CVE-2025-38079","CVE-2025-38083","CVE-2025-38086","CVE-2025-38090","CVE-2025-38103","CVE-2025-38108","CVE-2025-38111","CVE-2025-38115","CVE-2025-38135","CVE-2025-38136","CVE-2025-38145","CVE-2025-38147","CVE-2025-38153","CVE-2025-38157","CVE-2025-38163","CVE-2025-38173","CVE-2025-38174","CVE-2025-38180","CVE-2025-38181","CVE-2025-38184","CVE-2025-38185","CVE-2025-38190","CVE-2025-38194","CVE-2025-38200","CVE-2025-38203","CVE-2025-38204","CVE-2025-38212","CVE-2025-38213","CVE-2025-38214","CVE-2025-38219","CVE-2025-38222","CVE-2025-38237","CVE-2025-38285","CVE-2025-38286","CVE-2025-38298","CVE-2025-38312","CVE-2025-38313","CVE-2025-38320","CVE-2025-38323","CVE-2025-38324","CVE-2025-38326","CVE-2025-38328","CVE-2025-38332","CVE-2025-38336","CVE-2025-38337","CVE-2025-38344","CVE-2025-38345","CVE-2025-38346","CVE-2025-38348","CVE-2025-38350","CVE-2025-38352","CVE-2025-38415","CVE-2025-38416","CVE-2025-38420","CVE-2025-38424","CVE-2025-38428","CVE-2025-38430","CVE-2025-38498","CVE-2025-38637"],"references":[{"type":"ADVISORY","url":"https://errata.tuxcare.com/els_os/oraclelinux7els/CLSA-2025-1757963029.html"}],"affected":[{"package":{"name":"bpftool","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/bpftool?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}},{"package":{"name":"kernel-uek","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}},{"package":{"name":"kernel-uek-container","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-container?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}},{"package":{"name":"kernel-uek-container-debug","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-container-debug?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}},{"package":{"name":"kernel-uek-debug","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-debug?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}},{"package":{"name":"kernel-uek-debug-devel","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-debug-devel?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}},{"package":{"name":"kernel-uek-devel","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-devel?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}},{"package":{"name":"kernel-uek-headers","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-headers?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}},{"package":{"name":"kernel-uek-tools","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/kernel-uek-tools?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}},{"package":{"name":"perf","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/perf?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}},{"package":{"name":"python-perf","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/python-perf?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.17-2136.338.4.2.el7uek.tuxcare.els2"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2025-1757963029.json"}}],"schema_version":"1.7.5"}