[El-errata] ELSA-2025-20470 Important: Oracle Linux 9 Unbreakable Enterprise kernel security update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Jul 17 21:49:11 UTC 2025 

Oracle Linux Security Advisory ELSA-2025-20470

http://linux.oracle.com/errata/ELSA-2025-20470.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:


aarch64:
bpftool-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-container-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-container-debug-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-core-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-debug-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-debug-core-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-debug-devel-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-debug-modules-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-debug-modules-extra-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-devel-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-doc-5.15.0-310.184.5.2.el9uek.noarch.rpm
kernel-uek-modules-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek-modules-extra-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek64k-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek64k-core-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek64k-devel-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek64k-modules-5.15.0-310.184.5.2.el9uek.aarch64.rpm
kernel-uek64k-modules-extra-5.15.0-310.184.5.2.el9uek.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/kernel-uek-5.15.0-310.184.5.2.el9uek.src.rpm

Related CVEs:

CVE-2023-52572
CVE-2023-52621
CVE-2023-52757
CVE-2024-26686
CVE-2024-26739
CVE-2024-26952
CVE-2024-27402
CVE-2024-35790
CVE-2024-35866
CVE-2024-35867
CVE-2024-35943
CVE-2024-36350
CVE-2024-36357
CVE-2024-36908
CVE-2024-38540
CVE-2024-38541
CVE-2024-42160
CVE-2024-42322
CVE-2024-44938
CVE-2024-46742
CVE-2024-46751
CVE-2024-46774
CVE-2024-46784
CVE-2024-46816
CVE-2024-49960
CVE-2024-49989
CVE-2024-50047
CVE-2024-50125
CVE-2024-50258
CVE-2024-50272
CVE-2024-50280
CVE-2024-53128
CVE-2024-53185
CVE-2024-53203
CVE-2024-54458
CVE-2024-56551
CVE-2024-56599
CVE-2024-56655
CVE-2024-56658
CVE-2024-56751
CVE-2025-21681
CVE-2025-21839
CVE-2025-21853
CVE-2025-22027
CVE-2025-22062
CVE-2025-23140
CVE-2025-23142
CVE-2025-23144
CVE-2025-23145
CVE-2025-23146
CVE-2025-23147
CVE-2025-23148
CVE-2025-23150
CVE-2025-23151
CVE-2025-23156
CVE-2025-23157
CVE-2025-23158
CVE-2025-23159
CVE-2025-23161
CVE-2025-23163
CVE-2025-37738
CVE-2025-37739
CVE-2025-37740
CVE-2025-37741
CVE-2025-37742
CVE-2025-37749
CVE-2025-37752
CVE-2025-37756
CVE-2025-37757
CVE-2025-37758
CVE-2025-37765
CVE-2025-37766
CVE-2025-37767
CVE-2025-37768
CVE-2025-37770
CVE-2025-37771
CVE-2025-37773
CVE-2025-37780
CVE-2025-37781
CVE-2025-37787
CVE-2025-37788
CVE-2025-37789
CVE-2025-37790
CVE-2025-37792
CVE-2025-37794
CVE-2025-37796
CVE-2025-37797
CVE-2025-37803
CVE-2025-37805
CVE-2025-37808
CVE-2025-37810
CVE-2025-37812
CVE-2025-37817
CVE-2025-37819
CVE-2025-37823
CVE-2025-37824
CVE-2025-37829
CVE-2025-37830
CVE-2025-37836
CVE-2025-37838
CVE-2025-37839
CVE-2025-37840
CVE-2025-37841
CVE-2025-37844
CVE-2025-37850
CVE-2025-37857
CVE-2025-37858
CVE-2025-37859
CVE-2025-37862
CVE-2025-37867
CVE-2025-37875
CVE-2025-37881
CVE-2025-37883
CVE-2025-37885
CVE-2025-37890
CVE-2025-37892
CVE-2025-37905
CVE-2025-37909
CVE-2025-37911
CVE-2025-37913
CVE-2025-37914
CVE-2025-37915
CVE-2025-37923
CVE-2025-37927
CVE-2025-37929
CVE-2025-37930
CVE-2025-37940
CVE-2025-37949
CVE-2025-37967
CVE-2025-37969
CVE-2025-37970
CVE-2025-37982
CVE-2025-37983
CVE-2025-37985
CVE-2025-37989
CVE-2025-37990
CVE-2025-37991
CVE-2025-37992
CVE-2025-37994
CVE-2025-37995
CVE-2025-37997
CVE-2025-37998
CVE-2025-38005
CVE-2025-38009
CVE-2025-38023
CVE-2025-38024
CVE-2025-38031
CVE-2025-38089




Description of changes:

[5.15.0-310.184.5.2.el9uek]
- sunrpc: handle SVC_GARBAGE during svc auth processing as auth error (Jeff Layton)   {CVE-2025-38089}
- net_sched: sch_sfq: move the limit validation (Octavian Purdila)   {CVE-2025-37752}
- net_sched: sch_sfq: use a temporary work area for validating configuration (Octavian Purdila) 
- net_sched: sch_sfq: don't allow 1 packet limit (Octavian Purdila) 
- net_sched: sch_sfq: handle bigger packets (Eric Dumazet) 
- net_sched: sch_sfq: annotate data-races around q->perturb_period (Eric Dumazet) 
- block: assign bi_bdev for cloned bios in blk_rq_prep_clone (Christoph Hellwig)  [Orabug: 37931495]
- fs/proc: do_task_stat: use __for_each_thread() (Oleg Nesterov)  [Orabug: 38081922]

[5.15.0-310.184.5.1.el9uek]
- Add Zen34 clients (Borislav Petkov (AMD))  [Orabug: 38023240]  {CVE-2024-36350} {CVE-2024-36357}
- x86/process: Move the buffer clearing before MONITOR (Kim Phillips)  [Orabug: 38023240]  {CVE-2024-36350} {CVE-2024-36357}
- Add normal counters (Borislav Petkov (AMD))  [Orabug: 38023240]  {CVE-2024-36350} {CVE-2024-36357}
- KVM: SVM: Advertize TSA CPUID bits to guests (Borislav Petkov (AMD))  [Orabug: 38023240]  {CVE-2024-36350} {CVE-2024-36357}
- x86/bugs: Add a Transient Scheduler Attacks mitigation (Borislav Petkov (AMD))  [Orabug: 38023240]  {CVE-2024-36350} {CVE-2024-36357}
- x86/bugs: Rename MDS machinery to something more generic (Borislav Petkov (AMD))  [Orabug: 38023240]  {CVE-2024-36350} {CVE-2024-36357}
- x86/CPU/AMD: Add ZenX generations flags (Borislav Petkov (AMD))  [Orabug: 38023240]  {CVE-2024-36350} {CVE-2024-36357}
- x86/bugs: Free X86_BUG_AMD_APIC_C1E and X86_BUG_AMD_E400 bits (Boris Ostrovsky)  [Orabug: 38023240]  {CVE-2024-36350} {CVE-2024-36357}

[5.15.0-310.184.5.el9uek]
- sched/numa: skip VMA scanning on memory pinned to one NUMA node via cpuset.mems (Libo Chen)  [Orabug: 38070120]
- bridge: netfilter: Fix forwarding of fragmented packets (Ido Schimmel)  [Orabug: 38069363]
- Revert "net: bridge: IP defragmentation failing for jumboframes" (Venkat Venkatsubra)  [Orabug: 38069363]
- vhost-scsi: Change def inline_sg_cnt and max_io_vqs for exadata (Mike Christie)  [Orabug: 38053186]
- rds: ib: Add cm_id generation scheme in order to detect new ones (Håkon Bugge)  [Orabug: 37799170]
- Revert "i2c: designware: Fix corrupted memory seen in the ISR" (Vijay Kumar)  [Orabug: 37771338]
- ipmi:ssif: Improve detecting during probing (Corey Minyard)  [Orabug: 37771338]
- ipmi: ssif: replace strlcpy with strscpy (Jason Wang)  [Orabug: 37771338]
- uek-rpm: Enable CONFIG_SERIAL_RP2 as m (Samasth Norway Ananda)  [Orabug: 37459981]
- serial: update the rp2 driver code (Samasth Norway Ananda)  [Orabug: 37459981]

[5.15.0-310.184.4.el9uek]
- vhost-scsi: Fix log flooding with target does not exist errors (Mike Christie) [Orabug: 37424174]
- mm: do not write protect COW mappings when preserving across exec (Anthony Yznaga) [Orabug: 37734242]
- mm: hold the source mmap write lock when copying PTEs (Anthony Yznaga) [Orabug: 37734242]
- uek-rpm: Bluefield 3: Enable CONFIG_CONTIG_ALLOC (Thomas Tai) [Orabug: 38067846]
- mm: shmem: remove unnecessary warning in shmem_writepage() (Ricardo Cañuelo Navarro) [Orabug: 38091965]
- shmem: add support to ignore swap (Luis Chamberlain) [Orabug: 38091965]
- shmem: update documentation (Luis Chamberlain) [Orabug: 38091965]
- shmem: skip page split if we're not reclaiming (Luis Chamberlain) [Orabug: 38091965]
- shmem: move reclaim check early on writepages() (Luis Chamberlain) [Orabug: 38091965]
- shmem: set shmem_writepage() variables early (Luis Chamberlain) [Orabug: 38091965]
- shmem: remove check for folio lock on writepage() (Luis Chamberlain) [Orabug: 38091965]

[5.15.0-310.184.3.el9uek]
- x86/its: Fix undefined reference to cpu_wants_rethunk_at() (Pawan Gupta)
- padata: do not leak refcount in reorder_work (Dominik Grzegorzek) [Orabug: 38094844] {CVE-2025-38031}
- Revert "drm/amd: Keep display off while going into S4" (Mario Limonciello)
- memcg: always call cond_resched() after fn() (Breno Leitao)
- lib: cpu_rmap: Use allocator for rmap entries (Eli Cohen) [Orabug: 38037237]
- uek-rpm: build the fwctl mlx5 driver on UEK (Qing Huang) [Orabug: 37810637]
- fwctl: Adapt upstream code for UEK7 (Mikhael Goikhman) [Orabug: 37810637]
- mlx5: Create an auxiliary device for fwctl_mlx5 (Saeed Mahameed) [Orabug: 37810637]
- fwctl/mlx5: Support for communicating with mlx5 fw (Saeed Mahameed) [Orabug: 37810637]
- fwctl: Add documentation (Jason Gunthorpe) [Orabug: 37810637]
- fwctl: FWCTL_RPC to execute a Remote Procedure Call to device firmware (Jason Gunthorpe) [Orabug: 37810637]
- taint: Add TAINT_FWCTL (Jason Gunthorpe) [Orabug: 37810637]
- fwctl: FWCTL_INFO to return basic information about the device (Jason Gunthorpe) [Orabug: 37810637]
- fwctl: Basic ioctl dispatch for the character device (Jason Gunthorpe) [Orabug: 37810637]
- fwctl: Add basic structure for a class subsystem with a cdev (Jason Gunthorpe) [Orabug: 37810637]
- net/mlx5: Add IFC related stuff for data direct (Yishai Hadas) [Orabug: 37810637]
- Documentation: Add detailed explanation for 'N' taint flag (Benjamin Poirier) [Orabug: 37810637]
- kernel/panic: initialize taint_flags[] using a macro (Jani Nikula) [Orabug: 37810637]
- kernel/panic: return early from print_tainted() when not tainted (Jani Nikula) [Orabug: 37810637]
- tools: Add new "test" taint to kernel-chktaint (Joe Fradley) [Orabug: 37810637]
- panic: use error_report_end tracepoint on warnings (Marco Elver) [Orabug: 37810637]
- Revert "fwctl: Add basic structure for a class subsystem with a cdev" (Qing Huang) [Orabug: 37810637]
- Revert "fwctl: Basic ioctl dispatch for the character device" (Qing Huang) [Orabug: 37810637]
- Revert "fwctl: FWCTL_INFO to return basic information about the device" (Qing Huang) [Orabug: 37810637]
- Revert "fwctl: FWCTL_RPC to execute a Remote Procedure Call to device firmware" (Qing Huang) [Orabug: 37810637]
- Revert "fwctl/mlx5: Support for communicating with mlx5 fw" (Qing Huang) [Orabug: 37810637]
- Revert "mlx5: Create an auxiliary device for fwctl_mlx5" (Qing Huang) [Orabug: 37810637]
- Revert "taint: Add TAINT_FWCTL" (Qing Huang) [Orabug: 37810637]
- Revert "fwctl: Adapt code for UEK7" (Qing Huang) [Orabug: 37810637]
- Revert "fwctl/mlx5: Add INTERNAL_DEV_RES uctx capability" (Qing Huang) [Orabug: 37810637]
- Revert "fwctl: Allow up to 4k devices" (Qing Huang) [Orabug: 37810637]
- Revert "fwctl: Expand adaption of code for UEK7" (Qing Huang) [Orabug: 37810637]
- Revert "uek-rpm: build the fwctl mlx5 driver on UEK" (Qing Huang) [Orabug: 37810637]

[5.15.0-310.184.2.el9uek]
- LTS version: v5.15.184 (Vijayendra Suman)
- netfilter: nf_tables: do not defer rule destruction via call_rcu (Florian Westphal) [Orabug: 38071844] {CVE-2024-56655}
- netfilter: nf_tables: wait for rcu grace period on net_device removal (Pablo Neira Ayuso)
- netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx (Florian Westphal)
- btrfs: do not clean up repair bio if submit fails (Josef Bacik)
- btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() (Filipe Manana) [Orabug: 37074536] {CVE-2024-46751}
- sctp: add mutual exclusion in proc_sctp_do_udp_port() (Eric Dumazet) [Orabug: 37844338] {CVE-2025-22062}
- selftests/mm: compaction_test: support platform with huge mount of memory (Feng Tang)
- usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control() (Gong, Ruiqi)
- usb: typec: fix potential array underflow in ucsi_ccg_sync_control() (Dan Carpenter) [Orabug: 37433551] {CVE-2024-53203}
- usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group (Rd Babiera) [Orabug: 36642199] {CVE-2024-35790}
- usb: typec: ucsi: displayport: Fix deadlock (Andrei Kuchynski) [Orabug: 37977019] {CVE-2025-37967}
- clocksource/i8253: Use raw_spinlock_irqsave() in clockevent_i8253_disable() (Sebastian Andrzej Siewior)
- block: fix direct io NOWAIT flag not work (Fengnan Chang)
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_groups (Shuai Xue)
- dmaengine: idxd: fix memory leak in error handling path of idxd_setup_engines (Shuai Xue)
- dmaengine: ti: k3-udma: Use cap_mask directly from dma_device structure instead of a local copy (Yemike Abhilash Chandra)
- dmaengine: ti: k3-udma: Add missing locking (Ronald Wahl) [Orabug: 38094757] {CVE-2025-38005}
- wifi: mt76: disable napi on driver removal (Fedor Pchelkin) [Orabug: 38094771] {CVE-2025-38009}
- phy: renesas: rcar-gen3-usb2: Set timing registers only once (Claudiu Beznea)
- phy: Fix error handling in tegra_xusb_port_init (Ma Ke)
- tracing: samples: Initialize trace_array_printk() with the correct function (Steven Rostedt)
- ftrace: Fix preemption accounting for stacktrace filter command (Donglin Peng)
- ftrace: Fix preemption accounting for stacktrace trigger command (Donglin Peng)
- ALSA: usb-audio: Add sample rate quirk for Microdia JP001 USB Camera (Nicolas Chauvet)
- ALSA: usb-audio: Add sample rate quirk for Audioengine D1 (Christian Heusel)
- ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() (Xu Wang)
- ACPI: PPTT: Fix processor subtable walk (Jeremy Linton)
- btrfs: fix discard worker infinite loop after disabling discard (Filipe Manana)
- dmaengine: Revert "dmaengine: dmatest: Fix dmatest waiting less when interrupted" (Nathan Lynch)
- x86/its: FineIBT-paranoid vs ITS (Peter Zijlstra)
- x86/speculation: Remove the extra #ifdef around CALL_NOSPEC (Pawan Gupta)
- x86/speculation: Add a conditional CS prefix to CALL_NOSPEC (Pawan Gupta)
- x86/speculation: Simplify and make CALL_NOSPEC consistent (Pawan Gupta)
- x86,nospec: Simplify {JMP,CALL}_NOSPEC (Peter Zijlstra)
- NFSv4/pnfs: Reset the layout state after a layoutreturn (Trond Myklebust)
- qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() (Abdun Nihaal)
- ALSA: sh: SND_AICA should depend on SH_DMA_API (Geert Uytterhoeven)
- net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING (Vladimir Oltean)
- net: cadence: macb: Fix a possible deadlock in macb_halt_tx. (Mathieu Othacehe)
- net_sched: Flush gso_skb list too during ->change() (Cong Wang) [Orabug: 37998129] {CVE-2025-37992}
- spi: loopback-test: Do not split 1024-byte hexdumps (Geert Uytterhoeven)
- nfs: handle failure of nfs_get_lock_context in unlock path (Li Lingfeng) [Orabug: 38094819] {CVE-2025-38023}
- RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug (Zhu Yanjun) [Orabug: 38094828] {CVE-2025-38024}
- iio: chemical: sps30: use aligned_s64 for timestamp (David Lechner)
- iio: adc: ad7768-1: Fix insufficient alignment of timestamp. (Jonathan Cameron)
- tracing: probes: Fix a possible race in trace_probe_log APIs (Masami Hiramatsu)
- platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection (Hans de Goede)
- LTS version: v5.15.183 (Vijayendra Suman)
- Revert "net: phy: microchip: force IRQ polling mode for lan88xx" (Greg Kroah-Hartman)
- do_umount(): add missing barrier before refcount checks in sync case (Al Viro)
- drm/panel: simple: Update timings for AUO G101EVN010 (Kevin Baker)
- MIPS: Fix MAX_REG_OFFSET (Thorsten Blum)
- iio: adc: dln2: Use aligned_s64 for timestamp (Jonathan Cameron)
- types: Complement the aligned types with signed 64-bit one (Andy Shevchenko)
- usb: usbtmc: Fix erroneous generic_read ioctl return (Dave Penkler)
- usb: usbtmc: Fix erroneous wait_srq ioctl return (Dave Penkler)
- usb: usbtmc: Fix erroneous get_stb ioctl error returns (Dave Penkler)
- USB: usbtmc: use interruptible sleep in usbtmc_read (Oliver Neukum)
- usb: typec: ucsi: displayport: Fix NULL pointer access (Andrei Kuchynski) [Orabug: 38015127] {CVE-2025-37994}
- usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition (Rd Babiera)
- usb: host: tegra: Prevent host controller crash when OTG port is used (Jim Lin)
- usb: gadget: tegra-xudc: ACK ST_RC after clearing CTRL_RUN (Wayne Chang)
- usb: cdnsp: fix L1 resume issue for RTL_REVISION_NEW_LPM version (Pawel Laszczak)
- usb: cdnsp: Fix issue with resuming from L1 (Pawel Laszczak)
- ocfs2: stop quota recovery before disabling quotas (Jan Kara)
- ocfs2: implement handshaking with ocfs2 recovery thread (Jan Kara)
- ocfs2: switch osb->disable_recovery to enum (Jan Kara)
- module: ensure that kobject_put() is safe for module type kobjects (Dmitry Antipov) [Orabug: 38015132] {CVE-2025-37995}
- xenbus: Use kref to track req lifetime (Jason Andryuk) [Orabug: 37976935] {CVE-2025-37949}
- usb: uhci-platform: Make the clock really optional (Alexey Charkov)
- drm/amd/display: Fix wrong handling for AUX_DEFER case (Wayne Lin)
- iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_tagged_fifo (Silvano Seva) [Orabug: 37977032] {CVE-2025-37969}
- iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo (Silvano Seva) [Orabug: 37977038] {CVE-2025-37970}
- iio: adis16201: Correct inclinometer channel resolution (Gabriel)
- iio: adc: ad7606: fix serial register access (Angelo Dureghello)
- staging: axis-fifo: Correct handling of tx_fifo_depth for size validation (Gabriel)
- staging: axis-fifo: Remove hardware resets for user errors (Gabriel)
- staging: iio: adc: ad7816: Correct conditional logic for store mode (Gabriel)
- Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 (Aditya Garg)
- Input: synaptics - enable SMBus for HP Elitebook 850 G1 (Dmitry Torokhov)
- Input: synaptics - enable InterTouch on Dell Precision M3800 (Aditya Garg)
- Input: synaptics - enable InterTouch on Dynabook Portege X30L-G (Aditya Garg)
- Input: synaptics - enable InterTouch on Dynabook Portege X30-D (Manuel Fombuena)
- net: dsa: b53: fix learning on VLAN unaware bridges (Jonas Gorski)
- net: dsa: b53: always rejoin default untagged VLAN on bridge leave (Jonas Gorski)
- net: dsa: b53: fix VLAN ID for untagged vlan on bridge leave (Jonas Gorski)
- net: dsa: b53: fix flushing old pvid VLAN on pvid change (Jonas Gorski)
- net: dsa: b53: fix clearing PVID of a port (Jonas Gorski)
- net: dsa: b53: allow leaky reserved multicast (Jonas Gorski)
- netfilter: ipset: fix region locking in hash types (Jozsef Kadlecsik) [Orabug: 38015142] {CVE-2025-37997}
- can: gw: fix RCU/BH usage in cgw_create_job() (Oliver Hartkopp)
- can: gw: use call_rcu() instead of costly synchronize_rcu() (Eric Dumazet)
- gre: Fix again IPv6 link-local address generation. (Guillaume Nault)
- openvswitch: Fix unsafe attribute parsing in output_userspace() (Eelco Chaudron) [Orabug: 38015149] {CVE-2025-37998}
- can: mcp251xfd: mcp251xfd_remove(): fix order of unregistration calls (Marc Kleine-Budde)
- can: mcan: m_can_class_unregister(): fix order of unregistration calls (Marc Kleine-Budde)
- LTS version: v5.15.182 (Vijayendra Suman)
- dm: fix copying after src array boundaries (Tudor Ambarus)
- iommu/arm-smmu-v3: Fix iommu_device_probe bug due to duplicated stream ids (Nicolin Chen)
- iommu/arm-smmu-v3: Use the new rb tree helpers (Jason Gunthorpe)
- irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() (Suzuki K Poulose) [Orabug: 37930013] {CVE-2025-37819}
- irqchip/gic-v2m: Mark a few functions __init (Thomas Gleixner)
- irqchip/gic-v2m: Add const to of_device_id (Xiang Wangx)
- Revert "drm/meson: vclk: fix calculation of 59.94 fractional rates" (Christian Hewitt)
- net: phy: microchip: force IRQ polling mode for lan88xx (Fiona Klute)
- ARM: dts: opos6ul: add ksz8081 phy properties (Sébastien Szymanski)
- firmware: arm_scmi: Balance device refcount when destroying devices (Cristian Marussi) [Orabug: 37976753] {CVE-2025-37905}
- net: hns3: fix deadlock issue when externel_lb and reset are executed together (Yonglong Liu)
- of: module: add buffer overflow check in of_modalias() (Sergey Shtylyov) [Orabug: 36753381] {CVE-2024-38541}
- PCI: imx6: Skip controller_id generation logic for i.MX7D (Richard Zhu)
- net: hns3: defer calling ptp_clock_register() (Jian Shen)
- net: hns3: fixed debugfs tm_qset size (Hao Lan)
- net: hns3: fix an interrupt residual problem (Yonglong Liu)
- net: hns3: add support for external loopback test (Yonglong Liu)
- net: hns3: store rx VLAN tag offload state for VF (Jian Shen)
- net: fec: ERR007885 Workaround for conventional TX (Mattias Barthel)
- net: lan743x: Fix memleak issue when GSO enabled (Thangaraj Samynathan) [Orabug: 37976766] {CVE-2025-37909}
- nvme-tcp: fix premature queue removal and I/O failover (Michael Liang)
- bnxt_en: Fix ethtool -d byte order for 32-bit values (Michael Chan)
- bnxt_en: Fix out-of-bound memcpy() during ethtool -w (Shruti Parab) [Orabug: 37976774] {CVE-2025-37911}
- bnxt_en: Fix coredump logic to free allocated buffer (Shruti Parab)
- net: ipv6: fix UDPv6 GSO segmentation with NAT (Felix Fietkau)
- net: dlink: Correct endianness handling of led_mode (Simon Horman)
- net_sched: qfq: Fix double list add in class with netem as child qdisc (Victor Nogueira) [Orabug: 37976784] {CVE-2025-37913}
- net_sched: ets: Fix double list add in class with netem as child qdisc (Victor Nogueira) [Orabug: 37976789] {CVE-2025-37914}
- net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc (Victor Nogueira) [Orabug: 37967411] {CVE-2025-37890}
- net_sched: drr: Fix double list add in class with netem as child qdisc (Victor Nogueira) [Orabug: 37976793] {CVE-2025-37915}
- net: ethernet: mtk-star-emac: rearm interrupts in rx_poll only when advised (Louis-Alexis Eyraud)
- net: ethernet: mtk-star-emac: fix spinlock recursion issues on rx/tx poll (Louis-Alexis Eyraud)
- net: ethernet: mtk-star-emac: separate tx/rx handling with two NAPIs (Biao Huang)
- net/mlx5: E-switch, Fix error handling for enabling roce (Chris Mi)
- net/mlx5: E-Switch, Initialize MAC Address for Default GID (Maor Gottlieb)
- net/sched: act_mirred: don't override retval if we already lost the skb (Jakub Kicinski) [Orabug: 36530679] {CVE-2024-26739}
- KVM: x86: Load DR6 with guest value only before entering .vcpu_run() loop (Sean Christopherson) [Orabug: 37685666] {CVE-2025-21839}
- tracing: Fix oob write in trace_seq_to_buffer() (Jeongjun Park) [Orabug: 37976822] {CVE-2025-37923}
- iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57) (Mingcong Bai)
- iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid (Pavel Paklov) [Orabug: 37976837] {CVE-2025-37927}
- dm: always update the array size in realloc_argv on success (Benjamin Marzinski)
- dm-integrity: fix a warning on invalid table line (Mikulas Patocka)
- wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() (Xu Wang) [Orabug: 37977120] {CVE-2025-37990}
- mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe (Ruslan Piasetskyi)
- amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload (Vishal Badole)
- parisc: Fix double SIGFPE crash (Helge Deller) [Orabug: 37977128] {CVE-2025-37991}
- arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays (Will Deacon) [Orabug: 38071958] {CVE-2025-37929}
- i2c: imx-lpi2c: Fix clock count when probe defers (Clark Wang)
- EDAC/altera: Set DDR and SDMMC interrupt mask before registration (Niravkumar L Rabara)
- EDAC/altera: Test the correct error reg offset (Niravkumar L Rabara)
- drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill() (Philipp Stanner) [Orabug: 37976851] {CVE-2025-37930}
- ALSA: usb-audio: Add second USB ID for Jabra Evolve 65 headset (Joachim Priesner)
- LTS version: v5.15.181 (Vijayendra Suman)
- PCI: Release resource invalidated by coalescing (Ross Lagerwall)
- PCI: Fix dropping valid root bus resources with .end = zero (Geert Uytterhoeven)
- PCI: Fix use-after-free in pci_bus_release_domain_nr() (Rob Herring)
- nvme: fixup scan failure for non-ANA multipath controllers (Hannes Reinecke)
- MIPS: cm: Fix warning if MIPS_CM is disabled (Thomas Bogendoerfer)
- xdp: Reset bpf_redirect_info before running a xdp's BPF prog. (Sebastian Andrzej Siewior)
- drm/amd/display: fix double free issue during amdgpu module unload (Tim Huang) [Orabug: 37206238] {CVE-2024-49989}
- net: dsa: mv88e6xxx: enable .port_set_policy() for 6320 family (Marek Behún)
- net: dsa: mv88e6xxx: enable PVT for 6321 switch (Marek Behún)
- net: dsa: mv88e6xxx: fix atu_move_port_mask for 6341 family (Marek Behún)
- crypto: atmel-sha204a - Set hwrng quality to lowest possible (Marek Behún)
- comedi: jr3_pci: Fix synchronous deletion of timer (Ian Abbott)
- jfs: define xtree root and page independently (Dave Kleikamp)
- md/raid1: Add check for missing source disk in process_checks() (Meir Elisha)
- ubsan: Fix panic from test_ubsan_out_of_bounds (Mostafa Saleh)
- loop: aio inherit the ioprio of original request (Yunlong Xing)
- scsi: pm80xx: Set phy_attached to zero when device is gone (Igor Pylypiv)
- scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes (Xingui Yang)
- ext4: make block validity check resistent to sb bh corruption (Ojaswin Mujoo)
- nvmet-fc: put ref when assoc->del_work is already scheduled (Daniel Wagner)
- nvmet-fc: take tgtport reference only once (Daniel Wagner)
- x86/bugs: Don't fill RSB on context switch with eIBRS (Josh Poimboeuf)
- x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline (Josh Poimboeuf)
- x86/bugs: Use SBPB in write_ibpb() if applicable (Josh Poimboeuf)
- selftests/mincore: Allow read-ahead pages to reach the end of the file (Qiuxu Zhuo)
- objtool: Stop UNRET validation on UD2 (Josh Poimboeuf)
- nvme: re-read ANA log page after ns scan completes (Hannes Reinecke)
- ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls (Jean-Marc Eurin)
- nvme: requeue namespace scan on missed AENs (Hannes Reinecke)
- xen: Change xen-acpi-processor dom0 dependency (Jason Andryuk)
- selftests: ublk: fix test_stripe_04 (Ming Lei)
- udmabuf: fix a buf size overflow issue during udmabuf creation (Xiaogang Chen) [Orabug: 37929938] {CVE-2025-37803}
- KVM: s390: Don't use %pK through tracepoints (Thomas Weißschuh)
- sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP (Oleg Nesterov)
- ntb: reduce stack usage in idt_scan_mws (Arnd Bergmann)
- qibfs: fix _another_ leak (Al Viro) [Orabug: 37977083] {CVE-2025-37983}
- objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior in wcd934x_slim_irq_handler() (Josh Poimboeuf)
- usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() (Chenyuan Yang) [Orabug: 37937503] {CVE-2025-37881}
- usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running (Michał Pecio)
- dmaengine: dmatest: Fix dmatest waiting less when interrupted (Vinicius Costa Gomes)
- sound/virtio: Fix cancel_sync warnings on uninitialized work_structs (John Stultz) [Orabug: 37929953] {CVE-2025-37805}
- usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield (Andy Shevchenko)
- fs/ntfs3: Fix WARNING in ntfs_extend_initialized_size (Edward Adam Davis)
- usb: host: max3421-hcd: Add missing spi_device_id table (Alexander Stein)
- s390/tty: Fix a potential memory leak bug (Haoxiang Li)
- s390/sclp: Add check for get_zeroed_page() (Haoxiang Li) [Orabug: 37937517] {CVE-2025-37883}
- parisc: PDT: Fix missing prototype warning (Yu-Chun Lin)
- clk: check for disabled clock-provider in of_clk_get_hw_from_clkspec() (Heiko Stuebner)
- crypto: null - Use spin lock instead of mutex (Herbert Xu) [Orabug: 37929973] {CVE-2025-37808}
- MIPS: cm: Detect CM quirks from device tree (Gregory Clement)
- USB: wdm: add annotation (Oliver Neukum)
- USB: wdm: wdm_wwan_port_tx_complete mutex in atomic context (Oliver Neukum)
- USB: wdm: close race between wdm_open and wdm_wwan_port_stop (Oliver Neukum) [Orabug: 37977098] {CVE-2025-37985}
- USB: wdm: handle IO errors in wdm_wwan_port_start (Oliver Neukum)
- USB: VLI disk crashes if LPM is used (Oliver Neukum)
- usb: quirks: Add delay init quirk for SanDisk 3.2Gen1 Flash Drive (Miao Li)
- usb: quirks: add DELAY_INIT quirk for Silicon Motion Flash Drive (Miao Li)
- usb: dwc3: gadget: check that event count does not exceed event buffer length (Frode Isaksen) [Orabug: 37929981] {CVE-2025-37810}
- USB: OHCI: Add quirk for LS7A OHCI controller (rev 0x02) (Huacai Chen)
- usb: chipidea: ci_hdrc_imx: implement usb_phy_init() error handling (Fedor Pchelkin)
- usb: chipidea: ci_hdrc_imx: fix call balance of regulator routines (Fedor Pchelkin)
- usb: cdns3: Fix deadlock when using NCM gadget (Ralph Siemsen) [Orabug: 37929988] {CVE-2025-37812}
- USB: serial: simple: add OWON HDS200 series oscilloscope support (Craig Hesling)
- USB: serial: option: add Sierra Wireless EM9291 (Adam Xue)
- USB: serial: ftdi_sio: add support for Abacus Electrics Optical Probe (Michael Ehrenreich)
- serial: sifive: lock port in startup()/shutdown() callbacks (Ryo Takakura)
- KVM: x86: Reset IRTE to host control if *new* route isn't postable (Sean Christopherson) [Orabug: 37937535] {CVE-2025-37885}
- mei: me: add panther lake H DID (Alexander Usyskin)
- USB: storage: quirk for ADATA Portable HDD CH94 (Oliver Neukum)
- mcb: fix a double free bug in chameleon_parse_gdd() (Haoxiang Li) [Orabug: 37930000] {CVE-2025-37817}
- KVM: SVM: Allocate IR data using atomic allocation (Sean Christopherson)
- drm/amd/display: Fix gpu reset in multidisplay config (Roman Li)
- net: selftests: initialize TCP header and skb payload with zero (Oleksij Rempel)
- virtio_console: fix missing byte order handling for cols and rows (Halil Pasic)
- iommu/amd: Return an error if vCPU affinity is set for non-vCPU IRTE (Sean Christopherson)
- net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too (Cong Wang) [Orabug: 37930028] {CVE-2025-37823}
- net_sched: hfsc: Fix a UAF vulnerability in class handling (Cong Wang) [Orabug: 37908484] {CVE-2025-37797}
- tipc: fix NULL pointer dereference in tipc_mon_reinit_self() (Tung Nguyen) [Orabug: 37930039] {CVE-2025-37824}
- net: phy: leds: fix memory leak (Qingfang Deng) [Orabug: 37977112] {CVE-2025-37989}
- cpufreq: cppc: Fix invalid return value in .get() callback (Marc Zyngier)
- cpufreq: scpi: Fix null-ptr-deref in scpi_cpufreq_get_rate() (Henry Martin) [Orabug: 37930051] {CVE-2025-37829}
- cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() (Henry Martin) [Orabug: 37930056] {CVE-2025-37830}
- dma/contiguous: avoid warning about unused size_bytes (Arnd Bergmann)
- drm/msm/a6xx: Fix stale rpmh votes from GPU (Akhil P Oommen)
- drm/msm/a6xx: Avoid gx gbit halt during rpm suspend (Akhil P Oommen)
- drm/msm/a6xx: Handle GMU prepare-slumber hfi failure (Akhil P Oommen)
- drm/msm/a6xx: Improve gpu recovery sequence (Akhil P Oommen)
- string: Add load_unaligned_zeropad() code path to sized_strscpy() (Peter Collingbourne)
- kmsan: disable strscpy() optimization under KMSAN (Alexander Potapenko)
- selftests/mm: generate a temporary mountpoint for cgroup filesystem (Mark Brown)
- ksmbd: Prevent integer overflow in calculation of deadtime (Denis Arefev)
- PCI: Fix reference leak in pci_register_host_bridge() (Ma Ke) [Orabug: 37937272] {CVE-2025-37836}
- PCI: Assign PCI domain IDs by ida_alloc() (Pali Rohár)
- PCI: Coalesce host bridge contiguous apertures (Kai-Heng Feng)
- gpio: tegra186: fix resource handling in ACPI probe path (Guixin Liu)
- cifs: fix integer overflow in match_server() (Roman Smirnov)
- cifs: avoid NULL pointer dereference in dbg call (Alexandra Diupina) [Orabug: 37937310] {CVE-2025-37844}
- cifs: print TIDs as hex (Enzo Matsumiya)
- backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() (Herve Codina) [Orabug: 37901610] {CVE-2025-23144}
- backlight: led_bl: Convert to platform remove callback returning void (Uwe Kleine-König)
- iio: adc: ad7768-1: Fix conversion result sign (Sergiu Cuciurean)
- iio: adc: ad7768-1: Move setting of val a bit later to avoid unnecessary return value check (Jonathan Cameron)
- soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe() (Chenyuan Yang) [Orabug: 37901625] {CVE-2025-23148}
- soc: samsung: exynos-chipid: Pass revision reg offsets (Sam Protsenko)
- soc: samsung: exynos-chipid: avoid soc_device_to_device() (Krzysztof Kozlowski)
- net: dsa: mv88e6xxx: fix VTU methods for 6320 family (Marek Behún)
- auxdisplay: hd44780: Fix an API misuse in hd44780.c (Haoxiang Li)
- auxdisplay: hd44780: Convert to platform remove callback returning void (Uwe Kleine-König)
- media: streamzap: fix race between device disconnection and urb callback (Murad Masimov) [Orabug: 37844171] {CVE-2025-22027}
- media: streamzap: remove unused struct members (Sean Young)
- media: streamzap: less chatter (Sean Young)
- media: streamzap: no need for usb pid/vid in device name (Sean Young)
- media: streamzap: remove unnecessary ir_raw_event_reset and handle (Sean Young)
- module: sign with sha512 instead of sha1 by default (Thorsten Leemhuis)
- Bluetooth: SCO: Fix UAF on sco_sock_timeout (Luiz Augusto von Dentz) [Orabug: 37252400] {CVE-2024-50125}
- f2fs: Add inline to f2fs_build_fault_attr() stub (Nathan Chancellor)
- pmdomain: ti: Add a null pointer check to the omap_prm_domain_init (Kunwu Chan) [Orabug: 36643315] {CVE-2024-35943}
- f2fs: check validation of fault attrs in f2fs_build_fault_attr() (Chao Yu) [Orabug: 36897956] {CVE-2024-42160}
- mm: fix apply_to_existing_page_range() (Kirill A. Shutemov)
- fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats (Oleg Nesterov) [Orabug: 36530401] {CVE-2024-26686}
- drm/i915/gt: Cleanup partial engine discovery failures (Chris Wilson)
- dm cache: fix flushing uninitialized delayed_work on cache_ctr error (Ming-Hung Tsai) [Orabug: 37298744] {CVE-2024-50280}
- jfs: Fix shift-out-of-bounds in dbDiscardAG (Pei Li) [Orabug: 36993154] {CVE-2024-44938}
- MIPS: ds1287: Match ds1287_set_base_clock() function types (Yuli Wang)
- MIPS: cevt-ds1287: Add missing ds1287.h include (Yuli Wang)
- MIPS: dec: Declare which_prom() as static (Yuli Wang)
- net: defer final 'struct net' free in netns dismantle (Eric Dumazet) [Orabug: 37434229] {CVE-2024-56658}
- scsi: ufs: bsg: Set bsg_queue to NULL after removal (Guixin Liu) [Orabug: 37649536] {CVE-2024-54458}
- openvswitch: fix lockup on tx to unregistering netdev with carrier (Ilya Maximets) [Orabug: 38071902] {CVE-2025-21681}
- net: openvswitch: fix race on port output (Felix Huettner)
- ipvs: properly dereference pe in ip_vs_add_service (Chen Hanxiao) [Orabug: 36964418] {CVE-2024-42322}
- ext4: fix timer use-after-free on failed mount (Xiaxi Shen) [Orabug: 37206114] {CVE-2024-49960}
- blk-iocost: do not WARN if iocg was already offlined (Li Nan) [Orabug: 36683303] {CVE-2024-36908}
- blk-cgroup: support to track if policy is online (Yu Kuai)
- bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers (Hou Tao) [Orabug: 37283326] {CVE-2023-52621}
- bpf: avoid holding freeze_mutex during mmap operation (Andrii Nakryiko) [Orabug: 37702062] {CVE-2025-21853}
- sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers (Qun-Wei Lin) [Orabug: 37388807] {CVE-2024-53128}
- smb: client: fix potential UAF in cifs_stats_proc_show() (Paulo Alcantara) [Orabug: 36642549] {CVE-2024-35867}
- smb: client: fix potential deadlock when releasing mids (Paulo Alcantara) [Orabug: 37283429] {CVE-2023-52757}
- smb/server: fix potential null-ptr-deref of lease_ctx_info in smb2_open() (Chenxiaosong) [Orabug: 37074481] {CVE-2024-46742}
- smb: client: fix NULL ptr deref in crypto_aead_setkey() (Paulo Alcantara) [Orabug: 38071970] {CVE-2024-53185}
- smb: client: fix UAF in async decryption (Enzo Matsumiya) [Orabug: 37206489] {CVE-2024-50047}
- cifs: Fix UAF in cifs_demultiplex_thread() (Zhang Xiaoxu) [Orabug: 36983926] {CVE-2023-52572}
- smb: client: fix use-after-free bug in cifs_debug_data_proc_show() (Paulo Alcantara)
- ksmbd: fix potencial out-of-bounds when buffer offset is invalid (Namjae Jeon) [Orabug: 36596770] {CVE-2024-26952}
- smb: client: fix potential UAF in cifs_dump_full_key() (Paulo Alcantara) [Orabug: 36642544] {CVE-2024-35866}
- nvmet-fc: Remove unused functions (Yuli Wang)
- landlock: Add the errata interface (Mickaël Salaün)
- drm/amdgpu: fix usage slab after free (Vitaly Prosyak) [Orabug: 37433728] {CVE-2024-56551}
- drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing (Srinivasan Shanmugam)
- drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' (Srinivasan Shanmugam)
- drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links (Hersen Wu) [Orabug: 37116370] {CVE-2024-46816}
- wifi: ath10k: avoid NULL pointer error during sdio remove (Kang Yang) [Orabug: 37433947] {CVE-2024-56599}
- phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function (Miaoqian Lin)
- powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() (Nathan Lynch) [Orabug: 37074647] {CVE-2024-46774}
- x86/pvh: Call C code via the kernel virtual mapping (Ard Biesheuvel)
- net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup (Souradeep Chakrabarti) [Orabug: 37074695] {CVE-2024-46784}
- bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq (Michal Schmidt) [Orabug: 36753377] {CVE-2024-38540}
- phonet/pep: fix racy skb_queue_empty() use (Remi Denis-Courmont) [Orabug: 36642006] {CVE-2024-27402}
- filemap: Fix bounds checking in filemap_read() (Trond Myklebust) [Orabug: 37298710] {CVE-2024-50272}
- net: fix crash when config small gso_max_size/gso_ipv4_max_size (Wang Liang) [Orabug: 37268692] {CVE-2024-50258}
- ipv6: release nexthop on device removal (Paolo Abeni) [Orabug: 37434497] {CVE-2024-56751}
- misc: pci_endpoint_test: Fix 'irq_type' to convey the correct type (Kunihiko Hayashi)
- misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error (Kunihiko Hayashi)
- misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error (Kunihiko Hayashi) [Orabug: 37901585] {CVE-2025-23140}
- mptcp: sockopt: fix getting IPV6_V6ONLY (Matthieu Baerts)
- kbuild: Add '-fno-builtin-wcslen' (Nathan Chancellor)
- cpufreq: Reference count policy in cpufreq_update_limits() (Rafael J. Wysocki)
- KVM: arm64: Eagerly switch ZCR_EL{1,2} (Mark Rutland)
- KVM: arm64: Calculate cptr_el2 traps on activating traps (Fuad Tabba)
- KVM: arm64: Remove VHE host restore of CPACR_EL1.ZEN (Mark Rutland)
- KVM: arm64: Remove host FPSIMD saving for non-protected KVM (Mark Rutland)
- KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state (Mark Rutland)
- arm64/fpsimd: Stop using TIF_SVE to manage register saving in KVM (Mark Brown)
- arm64/fpsimd: Have KVM explicitly say which FP registers to save (Mark Brown)
- arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE (Mark Brown)
- KVM: arm64: Discard any SVE state when entering KVM guests (Mark Brown)
- KVM: arm64: Always start with clearing SVE flag on load (Marc Zyngier)
- KVM: arm64: Get rid of host SVE tracking/saving (Mark Brown)
- drm/sti: remove duplicate object names (Rolf Eike Beer)
- drm/nouveau: prime: fix ttm_bo_delayed_delete oops (Chris Bainbridge) [Orabug: 37901817] {CVE-2025-37765}
- drm/amdgpu/dma_buf: fix page_link check (Matthew Auld)
- drm/amd/pm/powerplay/hwmgr/vega20_thermal: Prevent division by zero (Denis Arefev) [Orabug: 37901823,37901827,37901830,37901840,37901847] {CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37770,CVE-2025-37771}
- drm/amd/pm/swsmu/smu13/smu_v13_0: Prevent division by zero (Denis Arefev) [Orabug: 37901823,37901827,37901830,37901840,37901847] {CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37770,CVE-2025-37771}
- drm/amd/pm/powerplay/hwmgr/smu7_thermal: Prevent division by zero (Denis Arefev) [Orabug: 37901823,37901827,37901830,37901840,37901847] {CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37770,CVE-2025-37771}
- drm/amd/pm/powerplay: Prevent division by zero (Denis Arefev) [Orabug: 37901823,37901827,37901830,37901840,37901847] {CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37770,CVE-2025-37771}
- drm/amd/pm: Prevent division by zero (Denis Arefev) [Orabug: 37901823,37901827,37901830,37901840,37901847] {CVE-2025-37766,CVE-2025-37767,CVE-2025-37768,CVE-2025-37770,CVE-2025-37771}
- drm/repaper: fix integer overflows in repeat functions (Nikita Zhandarovich)
- perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR (Kan Liang)
- perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX (Kan Liang)
- perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR (Kan Liang)
- perf/x86/intel: Allow to update user space GPRs from PEBS records (Dapeng Mi)
- virtiofs: add filesystem context source name check (Xiangsheng Hou) [Orabug: 37901854] {CVE-2025-37773}
- tracing: Fix filter string testing (Steven Rostedt)
- riscv: Avoid fortify warning in syscall_get_arguments() (Nathan Chancellor)
- mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable() (Baoquan He)
- loop: LOOP_SET_FD: send uevents for partitions (Thomas Weißschuh)
- loop: properly send KOBJ_CHANGED uevent for disk device (Thomas Weißschuh)
- isofs: Prevent the use of too small fid (Edward Adam Davis) [Orabug: 37901889] {CVE-2025-37780}
- i2c: cros-ec-tunnel: defer probe if parent EC is not present (Thadeu Lima de Souza Cascardo) [Orabug: 37901896] {CVE-2025-37781}
- hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key (Vasiliy Kovalev)
- crypto: caam/qi - Fix drv_ctx refcount bug (Herbert Xu)
- btrfs: correctly escape subvol in btrfs_show_options() (Johannes Kimmel)
- nfs: add missing selections of CONFIG_CRC32 (Eric Biggers)
- nfs: move nfs_fhandle_hash to common include file (Jeff Layton)
- asus-laptop: Fix an uninitialized variable (Denis Arefev)
- ASoC: codecs:lpass-wsa-macro: Fix logic of enabling vi channels (Srinivas Kandagatla)
- ASoC: codecs:lpass-wsa-macro: Fix vi feedback rate (Srinivas Kandagatla)
- writeback: fix false warning in inode_to_wb() (Andreas Gruenbacher)
- riscv: KGDB: Remove ".option norvc/.option rvc" for kgdb_compiled_break (Yuli Wang)
- riscv: KGDB: Do not inline arch_kgdb_breakpoint() (Yuli Wang)
- riscv: Properly export reserved regions in /proc/iomem (Björn Töpel)
- net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del() fails (Vladimir Oltean)
- net: dsa: mv88e6xxx: avoid unregistering devlink regions which were never registered (Vladimir Oltean) [Orabug: 37901916] {CVE-2025-37787}
- net: b53: enable BPDU reception for management port (Jonas Gorski)
- cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path (Abdun Nihaal) [Orabug: 37901919] {CVE-2025-37788}
- net: openvswitch: fix nested key length validation in the set() action (Ilya Maximets) [Orabug: 37901922] {CVE-2025-37789}
- net: mctp: Set SOCK_RCU_FREE (Matt Johnston) [Orabug: 37901929] {CVE-2025-37790}
- igc: cleanup PTP module if probe fails (Christopher S Hall)
- igc: handle the IGC_PTP_ENABLED flag correctly (Christopher S Hall)
- igc: move ktime snapshot into PTM retry loop (Christopher S Hall)
- igc: fix PTM cycle trigger logic (Christopher S Hall) [Orabug: 37937458] {CVE-2025-37875}
- Revert "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" (Johannes Berg)
- Bluetooth: l2cap: Check encryption key size on incoming connection (Frédéric Danis)
- Bluetooth: btrtl: Prevent potential NULL dereference (Dan Carpenter) [Orabug: 37901933] {CVE-2025-37792}
- Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid address (Luiz Augusto von Dentz)
- RDMA/core: Silence oversized kvmalloc() warning (Shay Drory) [Orabug: 37937427] {CVE-2025-37867}
- RDMA/hns: Fix wrong maximum DMA segment size (Chengchang Tang)
- RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe() (Yue Haibing)
- md/raid10: fix missing discard IO accounting (Yu Kuai)
- scsi: iscsi: Fix missing scsi_host_put() in error path (Miaoqian Lin)
- wifi: wl1251: fix memory leak in wl1251_tx_work (Abdun Nihaal) [Orabug: 37977075] {CVE-2025-37982}
- wifi: mac80211: Purge vif txq in ieee80211_do_stop() (Remi Pommarel) [Orabug: 37901939] {CVE-2025-37794}
- wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() (Remi Pommarel)
- wifi: at76c50x: fix use after free access in at76_disconnect (Abdun Nihaal) [Orabug: 37901952] {CVE-2025-37796}
- scsi: hisi_sas: Enable force phy when SATA disk directly connected (Xingui Yang)
- scsi: libsas: Add struct sas_tmf_task (John Garry)
- scsi: libsas: Delete lldd_clear_aca callback (John Garry)
- scsi: hisi_sas: Fix setting of hisi_sas_slot.is_internal (John Garry)
- scsi: hisi_sas: Factor out task prep and delivery code (John Garry)
- scsi: hisi_sas: Pass abort structure for internal abort (John Garry)
- scsi: hisi_sas: Start delivery hisi_sas_task_exec() directly (John Garry)
- Bluetooth: hci_uart: Fix another race during initialization (Arseniy Krasnov)
- x86/e820: Fix handling of subpage regions when calculating nosave ranges in e820__register_nosave_regions() (Myrrh Periwinkle)
- ACPI: platform-profile: Fix CFI violation when accessing sysfs files (Nathan Chancellor)
- arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists (Douglas Anderson)
- HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition (Kaixin Wang) [Orabug: 37855340] {CVE-2025-37838}
- pinctrl: qcom: Clear latched interrupt status when changing IRQ type (Stephan Gerhold)
- PCI: Fix reference leak in pci_alloc_child_bus() (Ma Ke)
- PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe() (Stanimir Varbanov)
- of/irq: Fix device node refcount leakages in of_irq_init() (Zijun Hu)
- of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() (Zijun Hu)
- of/irq: Fix device node refcount leakages in of_irq_count() (Zijun Hu)
- ntb: use 64-bit arithmetic for the MSI doorbell mask (Fedor Pchelkin)
- gpio: zynq: Fix wakeup source leaks on device unbind (Krzysztof Kozlowski)
- ftrace: Add cond_resched() to ftrace_graph_set_hash() (Zhoumin) [Orabug: 37976892] {CVE-2025-37940}
- dm-integrity: set ti->error on memory allocation failure (Mikulas Patocka)
- crypto: ccp - Fix check for the primary ASP device (Tom Lendacky)
- thermal/drivers/rockchip: Add missing rk3328 mapping entry (Trevor Woerner)
- sctp: detect and prevent references to a freed transport in sendmsg (Ricardo Cañuelo Navarro) [Orabug: 37901596] {CVE-2025-23142}
- mm/hwpoison: do not send SIGBUS to processes with recovered clean pages (Shuai Xue)
- mm: add missing release barrier on PGDAT_RECLAIM_LOCKED unlock (Mathieu Desnoyers)
- sparc/mm: disable preemption in lazy mmu mode (Ryan Roberts)
- arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string (Chen-Yu Tsai)
- mtd: rawnand: Add status chack in r852_ready() (Xu Wang)
- mtd: inftlcore: Add error check for inftl_read_oob() (Xu Wang) [Orabug: 37976719] {CVE-2025-37892}
- mptcp: only inc MPJoinAckHMacFailure for HMAC failures (Matthieu Baerts)
- mptcp: fix NULL pointer in can_accept_new_subflow (Gang Yan) [Orabug: 37901614] {CVE-2025-23145}
- lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets (T Pratham)
- locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class() (Boqun Feng)
- mfd: ene-kb3930: Fix a potential NULL pointer dereference (Chenyuan Yang) [Orabug: 37901617] {CVE-2025-23146}
- jbd2: remove wrong sb->s_sequence check (Jan Kara) [Orabug: 37937282] {CVE-2025-37839}
- i3c: Add NULL pointer check in i3c_master_queue_ibi() (Manjunatha Venkatesh) [Orabug: 37901621] {CVE-2025-23147}
- i3c: master: svc: Use readsb helper for reading MDB (Stanley Chu)
- vdpa/mlx5: Fix oversized null mkey longer than 32bit (Si-Wei Liu)
- ext4: fix off-by-one error in do_split (Artem Sadovnikov) [Orabug: 37901630] {CVE-2025-23150}
- bus: mhi: host: Fix race between unprepare and queue_buf (Jeffrey Hugo) [Orabug: 37901637] {CVE-2025-23151}
- ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path (Alexey Klimov)
- wifi: mac80211: fix integer overflow in hwmp_route_info_get() (Gavrilov Ilia)
- wifi: mt76: Add check for devm_kstrdup() (Haoxiang Li)
- clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup (Alexandre Torgue)
- mtd: Replace kcalloc() with devm_kcalloc() (Jiasheng Jiang)
- net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family (Marek Behún)
- mtd: Add check for devm_kcalloc() (Jiasheng Jiang)
- media: venus: hfi_parser: refactor hfi packet parsing logic (Vikash Garodia) [Orabug: 37901647] {CVE-2025-23156}
- media: venus: hfi_parser: add check to avoid out of bound access (Vikash Garodia) [Orabug: 37901652] {CVE-2025-23157}
- media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO (Sakari Ailus)
- media: i2c: ov7251: Set enable GPIO low in probe (Sakari Ailus)
- media: i2c: ccs: Set the device's runtime PM status correctly in probe (Sakari Ailus)
- media: i2c: ccs: Set the device's runtime PM status correctly in remove (Sakari Ailus)
- media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf() (Karina Yankevich)
- media: streamzap: prevent processing IR data on URB failure (Murad Masimov)
- mtd: rawnand: brcmnand: fix PM resume warning (Kamal Dasu) [Orabug: 37937291] {CVE-2025-37840}
- spi: cadence-qspi: Fix probe on AM62A LP SK (Miquel Raynal)
- arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list (Douglas Anderson)
- arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB (Douglas Anderson)
- arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list (Douglas Anderson)
- arm64: cputype: Add MIDR_CORTEX_A76AE (Douglas Anderson)
- xenfs/xensyms: respect hypervisor's "next" indication (Jan Beulich)
- media: siano: Fix error handling in smsdvb_module_init() (Yuan Can)
- media: vim2m: print device name after registering device (Matthew Majewski)
- media: venus: hfi: add check to handle incorrect queue size (Vikash Garodia) [Orabug: 37901656] {CVE-2025-23158}
- media: venus: hfi: add a check to handle OOB in sfr region (Vikash Garodia) [Orabug: 37901661] {CVE-2025-23159}
- media: i2c: adv748x: Fix test pattern selection mask (Niklas Söderlund)
- ext4: don't treat fhandle lookup of ea_inode as FS corruption (Jann Horn)
- bpf: support SKF_NET_OFF and SKF_LL_OFF on skb frags (Willem de Bruijn)
- bpf: Add endian modifiers to fix endian warnings (Ben Dooks)
- pwm: fsl-ftm: Handle clk_get_rate() returning 0 (Uwe Kleine-König)
- pwm: rcar: Improve register calculation (Uwe Kleine-König)
- pwm: rcar: Simplify multiplication/shift logic (Geert Uytterhoeven)
- pwm: mediatek: Prevent divide-by-zero in pwm_mediatek_config() (Josh Poimboeuf) [Orabug: 37937328] {CVE-2025-37850}
- ktest: Fix Test Failures Due to Missing LOG_FILE Directories (Ayush Jain)
- fbdev: omapfb: Add 'plane' value check (Leonid Arapov)
- PCI: vmd: Make vmd_dev::cfg_lock a raw_spinlock_t type (Ryo Takakura) [Orabug: 37901667] {CVE-2025-23161}
- drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off (AngeloGioacchino Del Regno)
- drm/amdkfd: Fix pqm_destroy_queue race with GPU reset (Philip Yang)
- drm/amdkfd: clamp queue size to minimum (David Yat Sin)
- drivers: base: devres: Allow to release group on device release (Lucas De Marchi)
- drm/bridge: panel: forbid initializing a panel with unknown connector type (Luca Ceresoli)
- drm: panel-orientation-quirks: Add new quirk for GPD Win 2 (Andrew Wyatt)
- drm: panel-orientation-quirks: Add support for AYANEO 2S (Andrew Wyatt)
- drm/amd/display: Update Cursor request mode to the beginning prefetch always (Zhikai Zhai)
- drm: allow encoder mode_set even when connectors change for crtc (Abhinav Kumar)
- Bluetooth: hci_uart: fix race during initialization (Arseniy Krasnov)
- tracing: fix return value in __ftrace_event_enable_disable for TRACE_REG_UNREGISTER (Gabriele Paoloni)
- net: vlan: don't propagate flags on open (Stanislav Fomichev) [Orabug: 37901683] {CVE-2025-23163}
- wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table (Icenowy Zheng)
- scsi: st: Fix array overflow in st_setup() (Kai Mäkisara) [Orabug: 37937378] {CVE-2025-37857}
- ext4: ignore xattrs past end (Bhupesh) [Orabug: 37901690] {CVE-2025-37738}
- ext4: protect ext4_release_dquot against freezing (Ojaswin Mujoo)
- ahci: add PCI ID for Marvell 88SE9215 SATA Controller (Daniel Kral)
- f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() (Chao Yu) [Orabug: 37901700] {CVE-2025-37739}
- ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode (Niklas Cassel)
- jfs: add sanity check for agwidth in dbMount (Edward Adam Davis) [Orabug: 37901706] {CVE-2025-37740}
- jfs: Prevent copying of nlink with value 0 from disk inode (Edward Adam Davis) [Orabug: 37901715] {CVE-2025-37741}
- fs/jfs: Prevent integer overflow in AG size calculation (Rand Deeb) [Orabug: 37937386] {CVE-2025-37858}
- fs/jfs: cast inactags to s64 to prevent potential overflow (Rand Deeb)
- jfs: Fix uninit-value access of imap allocated in the diMount() function (Zhongqiu Han) [Orabug: 37901723] {CVE-2025-37742}
- page_pool: avoid infinite loop to schedule delayed worker (Jason Xing) [Orabug: 37937394] {CVE-2025-37859}
- ALSA: usb-audio: Fix CME quirk for UF series keyboards (Ricard Wanderlof)
- ASoC: fsl_audmix: register card device depends on 'dais' property (Shengjiu Wang)
- ALSA: hda: intel: Fix Optimus when GPU has no sound (Maxim Mikityanskiy)
- HID: pidff: Fix null pointer dereference in pidff_find_fields (Tomasz Pakuła) [Orabug: 37937409] {CVE-2025-37862}
- HID: pidff: Do not send effect envelope if it's empty (Tomasz Pakuła)
- HID: pidff: Convert infinite length from Linux API to PID standard (Tomasz Pakuła)
- xen/mcelog: Add __nonstring annotations for unterminated strings (Kees Cook)
- arm64: cputype: Add QCOM_CPU_PART_KRYO_3XX_GOLD (Douglas Anderson)
- perf: arm_pmu: Don't disable counter in armpmu_add() (Mark Rutland)
- x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD when running in a virtual machine (Max Grobecker)
- pm: cpupower: bench: Prevent NULL dereference on malloc failure (Zhongqiu Han) [Orabug: 37937296] {CVE-2025-37841}
- umount: Allow superblock owners to force umount (Trond Myklebust)
- nft_set_pipapo: fix incorrect avx2 match of 5th field octet (Florian Westphal)
- net: ppp: Add bound checking for skb data on ppp_sync_txmung (Arnaud Lecomte) [Orabug: 37901765] {CVE-2025-37749}
- nvmet-fcloop: swap list_add_tail arguments (Daniel Wagner)
- ata: sata_sx4: Add error handling in pdc20621_i2c_read() (Xu Wang)
- ata: sata_sx4: Drop pointless VPRINTK() calls and convert the remaining ones (Hannes Reinecke)
- net: ethtool: Don't call .cleanup_data when prepare_data fails (Maxime Chevallier)
- net: tls: explicitly disallow disconnect (Jakub Kicinski) [Orabug: 37901782] {CVE-2025-37756}
- tipc: fix memory leak in tipc_link_xmit (Tung Nguyen) [Orabug: 37901789] {CVE-2025-37757}
- ata: pata_pxa: Fix potential NULL pointer dereference in pxa_ata_probe() (Henry Martin) [Orabug: 37901795] {CVE-2025-37758}

More information about the El-errata mailing list