[El-errata] ELSA-2026-50145 Important: Oracle Linux 9 Unbreakable Enterprise kernel security update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Mar 13 05:13:19 UTC 2026 

Oracle Linux Security Advisory ELSA-2026-50145

http://linux.oracle.com/errata/ELSA-2026-50145.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
bpftool-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-core-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-debug-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-debug-core-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-debug-devel-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-debug-modules-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-debug-modules-extra-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-devel-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-doc-5.15.0-318.199.3.2.el9uek.noarch.rpm
kernel-uek-modules-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-modules-extra-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-container-5.15.0-318.199.3.2.el9uek.x86_64.rpm
kernel-uek-container-debug-5.15.0-318.199.3.2.el9uek.x86_64.rpm



SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/kernel-uek-5.15.0-318.199.3.2.el9uek.src.rpm

Related CVEs:

CVE-2024-26655
CVE-2024-36903
CVE-2024-36927
CVE-2024-40928
CVE-2024-46830
CVE-2024-49968
CVE-2025-21979
CVE-2025-22022
CVE-2025-22111
CVE-2025-22119
CVE-2025-22121
CVE-2025-37860
CVE-2025-38007
CVE-2025-38022
CVE-2025-38057
CVE-2025-38129
CVE-2025-38232
CVE-2025-38556
CVE-2025-38591
CVE-2025-40110
CVE-2025-40149
CVE-2025-40164
CVE-2025-40256
CVE-2025-68211
CVE-2025-68254
CVE-2025-68255
CVE-2025-68261
CVE-2025-68264
CVE-2025-68282
CVE-2025-68337
CVE-2025-68346
CVE-2025-68349
CVE-2025-68354
CVE-2025-68362
CVE-2025-68364
CVE-2025-68366
CVE-2025-68367
CVE-2025-68372
CVE-2025-68724
CVE-2025-68725
CVE-2025-68732
CVE-2025-68740
CVE-2025-68746
CVE-2025-68757
CVE-2025-68759
CVE-2025-68764
CVE-2025-68771
CVE-2025-68776
CVE-2025-68780
CVE-2025-68782
CVE-2025-68783
CVE-2025-68785
CVE-2025-68788
CVE-2025-68795
CVE-2025-68803
CVE-2025-68813
CVE-2025-68815
CVE-2025-68816
CVE-2025-68818
CVE-2025-68819
CVE-2025-68820
CVE-2025-71066
CVE-2025-71068
CVE-2025-71075
CVE-2025-71077
CVE-2025-71082
CVE-2025-71083
CVE-2025-71084
CVE-2025-71085
CVE-2025-71087
CVE-2025-71091
CVE-2025-71093
CVE-2025-71094
CVE-2025-71096
CVE-2025-71097
CVE-2025-71098
CVE-2025-71104
CVE-2025-71108
CVE-2025-71111
CVE-2025-71113
CVE-2025-71114
CVE-2025-71116
CVE-2025-71118
CVE-2025-71120
CVE-2025-71125
CVE-2025-71127
CVE-2025-71131
CVE-2025-71132
CVE-2025-71133
CVE-2025-71146
CVE-2025-71147
CVE-2025-71154
CVE-2025-71182
CVE-2025-71190
CVE-2025-71194
CVE-2025-71197
CVE-2026-22976
CVE-2026-22977
CVE-2026-22978
CVE-2026-22980
CVE-2026-22984
CVE-2026-22988
CVE-2026-22990
CVE-2026-22991
CVE-2026-22992
CVE-2026-22997
CVE-2026-22998
CVE-2026-22999
CVE-2026-23001
CVE-2026-23003
CVE-2026-23011
CVE-2026-23020
CVE-2026-23021
CVE-2026-23038
CVE-2026-23047
CVE-2026-23049
CVE-2026-23058
CVE-2026-23060
CVE-2026-23061
CVE-2026-23071
CVE-2026-23073
CVE-2026-23074
CVE-2026-23076
CVE-2026-23084
CVE-2026-23085
CVE-2026-23087
CVE-2026-23089
CVE-2026-23091
CVE-2026-23097
CVE-2026-23099
CVE-2026-23101
CVE-2026-23103
CVE-2026-23105
CVE-2026-23108
CVE-2026-23111
CVE-2026-23119
CVE-2026-23120
CVE-2026-23121
CVE-2026-23124
CVE-2026-23125
CVE-2026-23133
CVE-2026-23139
CVE-2026-23145
CVE-2026-23146
CVE-2026-23164
CVE-2026-23202
CVE-2026-23209




Description of changes:

[5.15.0-318.199.3.2]
- macvlan: observe an RCU grace period in macvlan_common_newlink() error path (Eric Dumazet)  [Orabug: 39057366]
- macvlan: fix error recovery in macvlan_common_newlink() (Eric Dumazet)  [Orabug: 39057366]  {CVE-2026-23209}
- netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (Andrew Fasano)  [Orabug: 39057346]  {CVE-2026-23111}
- net: tunnel: make skb_vlan_inet_prepare() return drop reasons (Menglong Dong)  [Orabug: 39055945]

[5.15.0-318.199.3.1]
- nvme-pci: fix stuck reset on concurrent DPC and HP (Keith Busch)  [Orabug: 39026355]
- nvme: cancel pending I/O if nvme controller is in terminal state (Nilay Shroff)  [Orabug: 39026355]
- nvme-pci: fix queue unquiesce check on slot_reset (Keith Busch)  [Orabug: 39026355]
- nvme: ensure disabling pairs with unquiesce (Keith Busch)  [Orabug: 39026355]

[5.15.0-318.199.3]
- hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (Kang Chen)
- spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer (Breno Leitao) [Orabug: 38970594] {CVE-2026-23202}
- spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed transfer (Breno Leitao)
- spi: tegra210-quad: Protect curr_xfer clearing in tegra_qspi_non_combined_seq_xfer (Breno Leitao)
- x86/kfence: fix booting on 32bit non-PAE systems (Andrew Cooper)
- KVM: x86: Don't snapshot "max" TSC if host TSC is constant (Sean Christopherson) [Orabug: 38966500]
- KVM: x86: Accept KVM_[GS]ET_TSC_KHZ as a VM ioctl. (David Woodhouse) [Orabug: 38966500]
- sfc: fix NULL dereferences in ef100_process_design_param() (Edward Cree) [Orabug: 37855346] {CVE-2025-37860}
- Revert "net/rds: fix crash by expanding kref coverage to rds_incoming.i_conn" (Sharath Srinivasan) [Orabug: 38937481]
- Revert "net/rds: expand kref coverage to rds_notifier->n_conn" (Sharath Srinivasan) [Orabug: 38937481]

[5.15.0-318.199.2]
- drivers/soc/pensando/penfw: Add support for pcie serdes fw download. (Hiren Mehta) [Orabug: 38953591]
- arm64: pensando: Add support for kpcimgr dynamic event queue (Rob Gardner) [Orabug: 38928823]
- procfs: move dropping pde and pid from ->evict_inode() to ->free_inode() (Al Viro) [Orabug: 38945002]
- ext4/jbd2: skip sb flush when EIO happened (Wengang Wang) [Orabug: 38188749]
- jbd2: store more accurate errno in superblock when possible (Wengang Wang) [Orabug: 38188749]
- Revert "IB/mlx5: Implement clear counters" (Sharath Srinivasan) [Orabug: 38923519]
- Revert "IB/core: Implement clear counters" (Sharath Srinivasan) [Orabug: 38923519]
- Revert "IB/core: Fix off-by-one attr index in setup_hw_port_stats" (Sharath Srinivasan) [Orabug: 38923519]
- drivers/soc/pensando/bsm: Fix various issues with secure-mode. (Hiren Mehta) [Orabug: 38944299]
- net/rds: wait_event_timeout until zero connections during rmmod (Sharath Srinivasan) [Orabug: 38928274]
- net/rds: rds_send_xmit should INIT_LIST_HEAD(&to_be_dropped) on restart (Sharath Srinivasan) [Orabug: 38928272]
- net/rds: fix rds_message memleak in rds_send_queue_rm (Sharath Srinivasan) [Orabug: 38928270]
- net/rds: fix rds_message memleak in rds_send_xmit (Sharath Srinivasan) [Orabug: 38923496]

[5.15.0-318.199.1]
- LTS version: v5.15.199 (Vijayendra Suman)
- wifi: cfg80211: init wiphy_work before allocating rfkill fails (Edward Adam Davis) [Orabug: 39004275] {CVE-2025-22119}
- wifi: cfg80211: fully move wiphy work to unbound workqueue (Johannes Berg)
- wifi: cfg80211: cancel wiphy_work before freeing wiphy (Miri Korenblit) [Orabug: 39004414] {CVE-2025-21979}
- wifi: cfg80211: fix wiphy delayed work queueing (Johannes Berg)
- wifi: cfg80211: use system_unbound_wq for wiphy work (Johannes Berg)
- team: Move team device type change at the end of team_port_add (Nikola Z. Ivanov)
- pinctrl: meson: mark the GPIO controller as sleeping (Bartosz Golaszewski)
- mptcp: avoid dup SUB_CLOSED events after disconnect (Matthieu Baerts)
- writeback: fix 100% CPU usage when dirtytime_expire_interval is 0 (Laveesh Bansal)
- drm/imx/tve: fix probe device leak (Johan Hovold)
- pinctrl: lpass-lpi: implement .get_direction() for the GPIO driver (Bartosz Golaszewski)
- net/sched: act_ife: convert comma to semicolon (Chen Ni)
- btrfs: prevent use-after-free on page private data in btrfs_subpage_clear_uptodate() (Jp Kobryn)
- drm/amdkfd: fix a memory leak in device_queue_manager_init() (Haoxiang Li)
- can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak (Marc Kleine-Budde)
- genirq/irq_sim: Initialize work context pointers properly (Gyeyoung Baek)
- HID: uclogic: Add NULL check in uclogic_input_configured() (Henry Martin) [Orabug: 39004242] {CVE-2025-38007}
- HID: uclogic: Correct devm device reference for hidinput input_dev name (Rahul Rameshbabu)
- wifi: mac80211: move TDLS work to wiphy work (Johannes Berg)
- wifi: mac80211: use wiphy work for sdata->work (Johannes Berg)
- wifi: cfg80211: add a work abstraction with special semantics (Johannes Berg)
- Bluetooth: Fix hci_suspend_sync crash (Ying Hsu)
- net: stmmac: make sure that ptp_rate is not 0 before configuring EST (Alexis Lothoré)
- usbnet: Fix using smp_processor_id() in preemptible code warnings (Zqiang) [Orabug: 38649206] {CVE-2025-40164}
- NFSD: fix race between nfsd registration and exports_proc (Maninder Singh) [Orabug: 38158712] {CVE-2025-38232}
- ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} (Luis Henriques)
- espintcp: fix skb leaks (Sabrina Dubroca) [Orabug: 38094997] {CVE-2025-38057}
- fs/ntfs3: Initialize allocated memory before use (Bartlomiej Kubik)
- ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency (Namjae Jeon)
- drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED (Gaosheng Cui)
- ksm: use range-walk function to jump over holes in scan_get_next_rmap_item (Pedro Demarchi Gomes) [Orabug: 38773375] {CVE-2025-68211}
- mm/pagewalk: add walk_page_range_vma() (David Hildenbrand)
- ksmbd: smbd: fix dma_unmap_sg() nents (Thomas Fourier)
- mei: trace: treat reg parameter as string (Alexander Usyskin)
- ALSA: scarlett2: Fix buffer overflow in config retrieval (Samasth Norway Ananda)
- nvme: fix PCIe subsystem reset controller state transition (Nilay Shroff)
- nvme-pci: do not directly handle subsys reset fallout (Keith Busch)
- nvme-fc: rename free_ctrl callback to match name pattern (Daniel Wagner)
- xfs: set max_agbno to allow sparse alloc of last full inode chunk (Brian Foster)
- dmaengine: stm32: dmamux: fix device leak on route allocation (Johan Hovold)
- dmaengine: stm32: dmamux: fix OF node leak on route allocation failure (Johan Hovold)
- w1: therm: Fix off-by-one buffer overflow in alarms_store (Thorsten Blum) [Orabug: 38930799] {CVE-2025-71197}
- w1: w1_therm: use swap() to make code cleaner (Yang Guang)
- arm64: dts: rockchip: remove redundant max-link-speed from nanopi-r4s (Geraldo Nascimento)
- scsi: xen: scsiback: Fix potential memory leak in scsiback_remove() (Abdun Nihaal) [Orabug: 38931015] {CVE-2026-23087}
- iio: adc: exynos_adc: fix OF populate on driver rebind (Johan Hovold)
- of: platform: Use default match table for /firmware (Rob Herring)
- comedi: Fix getting range information for subdevices 16 to 255 (Ian Abbott)
- tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock(). (Kuniyuki Iwashima) [Orabug: 38649138] {CVE-2025-40149}
- net: Add locking to protect skb->dev access in ip_output (Sharath Chandra Vurukala)
- mptcp: only reset subflow errors when propagated (Matthieu Baerts)
- scsi: qla2xxx: edif: Fix dma_free_coherent() size (Thomas Fourier)
- scsi: be2iscsi: Fix a memory leak in beiscsi_boot_get_sinfo() (Haoxiang Li)
- ASoC: fsl: imx-card: Do not force slot width to sample width (Fabio Estevam)
- dma/pool: distinguish between missing and exhausted atomic pools (Sai Sree Kartheek Adivi)
- gpiolib: acpi: use BIT_ULL() for u64 mask in address space handler (Denis Sergeev)
- scsi: firewire: sbp-target: Fix overflow in sbp_make_tpg() (Kery Qi)
- net: bridge: fix static key check (Martin Kaiser)
- nfc: nci: Fix race between rfkill and nci_unregister_device(). (Kuniyuki Iwashima)
- net/mlx5e: Account for netdev stats in ndo_get_stats64 (Gal Pressman)
- net/mlx5e: Report rx_discards_phy via rx_dropped (Yafang Shao)
- ice: stop counting UDP csum mismatch as rx_errors (Jesse Brandeburg)
- nfc: llcp: Fix memleak in nfc_llcp_send_ui_frame(). (Kuniyuki Iwashima)
- rocker: fix memory leak in rocker_world_port_post_fini() (Kery Qi) [Orabug: 38970353] {CVE-2026-23164}
- ipv6: use the right ifindex when replying to icmpv6 from localhost (Fernando Fernandez Mancera)
- net: mvpp2: cls: Fix memory leak in mvpp2_ethtool_cls_rule_ins() (Zilin Guan)
- net/mlx5: Fix memory leak in esw_acl_ingress_lgcy_setup() (Zilin Guan)
- Bluetooth: hci_uart: fix null-ptr-deref in hci_uart_write_work (Jia-Hong Su) [Orabug: 38970605] {CVE-2026-23146}
- bpf: Reject narrower access to pointer ctx fields (Paul Chaignon) [Orabug: 38335081] {CVE-2025-38591}
- bpf: Do not let BPF test infra emit invalid GSO types to stack (Daniel Borkmann) [Orabug: 38798882] {CVE-2025-68725}
- migrate: correct lock ordering for hugetlb file folios (Matthew Wilcox) [Orabug: 38931067] {CVE-2026-23097}
- can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak (Marc Kleine-Budde) [Orabug: 38931121] {CVE-2026-23108}
- can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak (Marc Kleine-Budde)
- can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak (Marc Kleine-Budde) [Orabug: 38930883] {CVE-2026-23061}
- can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak (Marc Kleine-Budde) [Orabug: 38930860] {CVE-2026-23058}
- irqchip/gic-v3-its: Avoid truncating memory addresses (Arnd Bergmann) [Orabug: 38931002] {CVE-2026-23085}
- perf/x86/intel: Do not enable BTS for guests (Fernand Sieber)
- netrom: fix double-free in nr_route_frame() (Jeongjun Park)
- uacce: ensure safe queue release with state management (Chenghai Huang)
- uacce: implement mremap in uacce_vm_ops to return -EPERM (Yang Shen)
- uacce: fix cdev handling in the cleanup path (Wenkai Lin)
- intel_th: fix device leak on output open() (Johan Hovold) [Orabug: 38931041] {CVE-2026-23091}
- slimbus: core: fix device reference leak on report present (Johan Hovold)
- slimbus: core: fix runtime PM imbalance on report present (Johan Hovold)
- octeontx2: Fix otx2_dma_map_page() error return code (Thomas Fourier)
- arm64: Set __nocfi on swsusp_arch_resume() (Zhaoyang Huang)
- wifi: rsi: Fix memory corruption due to not set vif driver data size (Marek Vasut) [Orabug: 38930941] {CVE-2026-23073}
- wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize() (Dan Carpenter)
- wifi: ath10k: fix dma_free_coherent() pointer (Thomas Fourier) [Orabug: 38970255] {CVE-2026-23133}
- mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function (Matthew Schwartz)
- ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() (Berk Cem Goksel) [Orabug: 38931030] {CVE-2026-23089}
- ALSA: ctxfi: Fix potential OOB access in audio mixer handling (Takashi Iwai) [Orabug: 38930967] {CVE-2026-23076}
- iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl (Andreas Kübrich)
- iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver (Pei Xiao)
- iio: adc: ad9467: fix ad9434 vref mask (Tomas Melin)
- of: fix reference count leak in of_alias_scan() (Weigang He)
- leds: led-class: Only Add LED to leds_list when it is fully ready (Hans de Goede) [Orabug: 38931092] {CVE-2026-23101}
- x86: make page fault handling disable interrupts properly (Cedric Xing)
- net/sched: act_ife: avoid possible NULL deref (Eric Dumazet)
- octeontx2-af: Fix error handling (Ratheesh Kannoth)
- bonding: provide a net pointer to __skb_flow_dissect() (Eric Dumazet) [Orabug: 38970200] {CVE-2026-23119}
- be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list (Andrey Vatoropin) [Orabug: 38930993] {CVE-2026-23084}
- drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2) (Timur Kristóf)
- drm/amd/pm: Don't clear SI SMC table when setting power limit (Timur Kristóf)
- usbnet: limit max_mtu based on device's hard_mtu (Laurent Vivier)
- ipv6: annotate data-race in ndisc_router_discovery() (Eric Dumazet) [Orabug: 38970223] {CVE-2026-23124}
- mISDN: annotate data-race around dev->work (Eric Dumazet) [Orabug: 38970211] {CVE-2026-23121}
- net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue (Jijie Shao)
- net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M (Jijie Shao)
- ALSA: usb: Increase volume range that triggers a warning (Arun Raghavan)
- regmap: Fix race condition in hwspinlock irqsave routine (Cheng-Yu Lee) [Orabug: 38930931] {CVE-2026-23071}
- iio: adc: ad7280a: handle spi_setup() errors in probe() (Pavel Zhigulin)
- staging:iio:adc:ad7280a: Register define cleanup. (Jonathan Cameron)
- x86/kfence: avoid writing L1TF-vulnerable PTEs (Andrew Cooper)
- scsi: storvsc: Process unsupported MODE_SENSE_10 (Long Li)
- Input: i8042 - add quirk for ASUS Zenbook UX425QA_UM425QA (Feng)
- Input: i8042 - add quirks for MECHREVO Wujie 15X Pro (Gongqi)
- Revert "nfc/nci: Add the inconsistency check between the input data length and count" (Thadeu Lima de Souza Cascardo)
- w1: fix redundant counter decrement in w1_attach_slave_device() (Haoxiang Li)
- comedi: dmm32at: serialize use of paged registers (Ian Abbott)
- crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec (Taeyang Lee) [Orabug: 38930875] {CVE-2026-23060}
- net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag (Jamal Hadi Salim) [Orabug: 38931111] {CVE-2026-23105}
- net/sched: Enforce that teql can only be used as root qdisc (Jamal Hadi Salim) [Orabug: 38930949] {CVE-2026-23074}
- ipvlan: Make the addrs_lock be per port (Dmitry Skorodumov) [Orabug: 38931103] {CVE-2026-23103}
- l2tp: avoid one data-race in l2tp_tunnel_del_work() (Eric Dumazet) [Orabug: 38970203] {CVE-2026-23120}
- fou: Don't allow 0 for FOU_ATTR_IPPROTO. (Kuniyuki Iwashima)
- net: fou: use policy and operation tables generated from the spec (Jakub Kicinski)
- net: fou: rename the source for linking (Jakub Kicinski)
- netlink: add a proto specification for FOU (Jakub Kicinski)
- gue: Fix skb memleak with inner IP protocol 0. (Kuniyuki Iwashima)
- amd-xgbe: avoid misleading per-packet error log (Raju Rangoju)
- sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT (Xin Long) [Orabug: 38970226] {CVE-2026-23125}
- bonding: limit BOND_MODE_8023AD to Ethernet devices (Eric Dumazet) [Orabug: 38931080] {CVE-2026-23099}
- net: usb: dm9601: remove broken SR9700 support (Ethan Nelson-Moore)
- testptp: Add option to open PHC in readonly mode (Wojtek Wasko)
- selftest/ptp: update ptp selftest to exercise the gettimex options (Mahesh Bandewar)
- ptp: add testptp mask test (Xabier Marquiegui)
- selftests/ptp: Add -X option for testing PTP_SYS_OFFSET_PRECISE (Alex Maftei)
- selftests/ptp: Add -x option for testing PTP_SYS_OFFSET_EXTENDED (Alex Maftei)
- testptp: Add support for testing ptp_clock_info .adjphase callback (Rahul Rameshbabu)
- testptp: add option to shift clock by nanoseconds (Maciek Machnikowski)
- ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE. (Wojtek Wasko)
- posix-clock: Store file pointer in struct posix_clock_context (Wojtek Wasko)
- Fix memory leak in posix_clock_open() (Linus Torvalds) [Orabug: 39004188] {CVE-2024-26655}
- posix-clock: introduce posix_clock_context concept (Xabier Marquiegui)
- btrfs: fix deadlock in wait_current_trans() due to ignored transaction type (Robbie Ko) [Orabug: 38930779] {CVE-2025-71194}
- dmaengine: ti: k3-udma: fix device leak on udma lookup (Johan Hovold)
- dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation (Johan Hovold)
- dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation (Johan Hovold)
- dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all() (Biju Das)
- dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() (Miaoqian Lin)
- dmaengine: lpc18xx-dmamux: fix device leak on route allocation (Johan Hovold)
- dmaengine: idxd: fix device leaks on compat bind and unbind (Johan Hovold)
- dmaengine: bcm-sba-raid: fix device leak on probe (Johan Hovold) [Orabug: 38914728] {CVE-2025-71190}
- dmaengine: at_hdmac: fix device leak on of_dma_xlate() (Johan Hovold)
- drm/vmwgfx: Fix an error return check in vmw_compat_shader_add() (Haoxiang Li)
- drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel (Marek Vasut) [Orabug: 38930830] {CVE-2026-23049}
- drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare (Lyude Paul)
- mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free (Aboorva Devarajan)
- x86/resctrl: Fix memory bandwidth counter width for Hygon (Xiaochen Shen)
- x86/resctrl: Add missing resctrl initialization for Hygon (Xiaochen Shen)
- EDAC/i3200: Fix a resource leak in i3200_probe1() (Haoxiang Li)
- EDAC/x38: Fix a resource leak in x38_probe1() (Haoxiang Li)
- hrtimer: Fix softirq base check in update_needs_ipi() (Thomas Weißschuh)
- ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref (Yangerkun) [Orabug: 38970601] {CVE-2026-23145}
- nvme-pci: disable secondary temp for Wodposit WPBSNM8 (Ilikara Zheng)
- USB: serial: ftdi_sio: add support for PICAXE AXE027 cable (Ethan Nelson-Moore)
- USB: serial: option: add Telit LE910 MBIM composition (Ulrich Mohr)
- USB: OHCI/UHCI: Add soft dependencies on ehci_platform (Huacai Chen)
- usb: dwc3: Check for USB4 IP_NAME (Thinh Nguyen)
- phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7 (Wayne Chang)
- phy: rockchip: inno-usb2: fix communication disruption in gadget mode (Luca Ceresoli)
- phy: rockchip: inno-usb2: fix disconnection in gadget mode (Louis Chauvet)
- x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers (Dan Williams)
- net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts (Tetsuo Handa) [Orabug: 38887710] {CVE-2026-22997}
- ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer (Jaroslav Kysela)
- HID: usbhid: paper over wrong bNumDescriptor field (Benjamin Tissoires)
- dmaengine: omap-dma: fix dma_pool resource leak in error paths (Xu Wang)
- phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again) (Krzysztof Kozlowski)
- phy: stm32-usphyc: Fix off by one in probe() (Dan Carpenter)
- dmaengine: xilinx_dma: Fix uninitialized addr_width when "xlnx,addrwidth" property is missing (Suraj Gupta)
- dmaengine: tegra-adma: Fix use-after-free (Sheetal)
- mm, kfence: describe @slab parameter in __kfence_obj_info() (Bagas Sanjaya)
- textsearch: describe @list member in ts_ops search (Bagas Sanjaya)
- ASoC: tlv320adcx140: fix word length (Emil Svendsen)
- net/sched: sch_qfq: do not free existing class in qfq_change_class() (Eric Dumazet) [Orabug: 38887718] {CVE-2026-22999}
- selftests: drv-net: fix RPS mask handling for high CPU numbers (Gal Pressman)
- net/mlx5e: Restore destroying state bit after profile cleanup (Saeed Mahameed)
- vsock/test: add a final full barrier after run all tests (Stefano Garzarella)
- ipv4: ip_gre: make ipgre_header() robust (Eric Dumazet) [Orabug: 38887758] {CVE-2026-23011}
- macvlan: fix possible UAF in macvlan_forward_source() (Eric Dumazet) [Orabug: 38887730] {CVE-2026-23001}
- net: update netdev_lock_{type,name} (Eric Dumazet)
- ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() (Eric Dumazet) [Orabug: 38887738] {CVE-2026-23003}
- nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec (Shivam Kumar) [Orabug: 38887714] {CVE-2026-22998}
- nvmet-tcp: remove boilerplate code (Maurizio Lombardi)
- can: etas_es58x: allow partial RX URB allocation to succeed (Szymon Wilczek)
- pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() (Zilin Guan) [Orabug: 38914816] {CVE-2026-23038}
- LTS version: v5.15.198 (Vijayendra Suman)
- NFS: add barriers when testing for NFS_FSDATA_BLOCKED (Neil Brown)
- NFS: unlink/rmdir shouldn't call d_delete() twice on ENOENT (Neil Brown)
- efi/cper: Fix cper_bits_to_str buffer handling and return value (Dandan Zhang)
- firmware: imx: scu-irq: Set mu_resource_id before get handle (Peng Fan)
- scsi: sg: Fix occasional bogus elapsed time that exceeds timeout (Michal Rábek)
- ASoC: fsl_sai: Add missing registers to cache default (Alexander Stein)
- can: j1939: make j1939_session_activate() fail if device is no longer registered (Tetsuo Handa) [Orabug: 38914675] {CVE-2025-71182}
- powercap: fix sscanf() error return value handling (Sumeet Pawnikar)
- powercap: fix race condition in register_control_type() (Sumeet Pawnikar)
- blk-throttle: Set BIO_THROTTLED when bio has been throttled (Laibin Qiu)
- pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping (Bartosz Golaszewski)
- pinctrl: qcom: lpass-lpi: Remove duplicate assignment of of_gpio_n_cells (Andy Shevchenko)
- counter: interrupt-cnt: Drop IRQF_NO_THREAD flag (Alexander Sverdlin)
- nfsd: provide locking for v4_end_grace (Neil Brown) [Orabug: 38887659] {CVE-2026-22980}
- NFSD: Remove NFSERR_EAGAIN (Chuck Lever)
- nfs_common: factor out nfs_errtbl and nfs_stat_to_errno (Mike Snitzer)
- NFS: trace: show TIMEDOUT instead of 0x6e (Chen Hanxiao)
- arp: do not assume dev_hard_header() does not change skb->head (Eric Dumazet) [Orabug: 39004363] {CVE-2026-22988}
- net: usb: pegasus: fix memory leak in update_eth_regs_async() (Petko Manolov) [Orabug: 38914761] {CVE-2026-23021}
- net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset (Xiang Mei) [Orabug: 38872325] {CVE-2026-22976}
- HID: quirks: work around VID/PID conflict for appledisplay (René Rebe)
- bnxt_en: Fix potential data corruption with HW GRO/LRO (Srijit Bose)
- net/mlx5e: Don't print error message due to invalid module (Gal Pressman)
- netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates (Di Zhu)
- net: sock: fix hardened usercopy panic in sock_recv_errqueue (Weiming Shi) [Orabug: 38877947] {CVE-2026-22977}
- inet: ping: Fix icmp out counting (Yuan Gao)
- net: mscc: ocelot: Fix crash when adding interface under a lag (Jerry Wu)
- bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress (Alexandre Knecht)
- net: marvell: prestera: fix NULL dereference on devlink_alloc() failure (Alok Tiwari)
- netfilter: nf_conncount: update last_gc only when GC has been performed (Fernando Fernandez Mancera) [Orabug: 38970278] {CVE-2026-23139}
- netfilter: nf_tables: fix memory leak in nf_tables_newrule() (Zilin Guan)
- netfilter: nft_synproxy: avoid possible data-race on update operation (Fernando Fernandez Mancera)
- ARM: dts: imx6q-ba16: fix RTC interrupt level (Ian Ray)
- arm64: dts: add off-on-delay-us for usdhc2 regulator (Haibo Chen)
- scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" (Xingui Yang)
- scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset (Wen Xiong)
- NFS: Fix up the automount fs_context to use the correct cred (Trond Myklebust)
- NFSv4: ensure the open stateid seqid doesn't go backwards (Scott Mayhew)
- alpha: don't reference obsolete termio struct for TC* constants (Sam James)
- ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels (Sebastian Andrzej Siewior)
- csky: fix csky_cmpxchg_fixup not working (Yang Li)
- ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() (Ye Bin) [Orabug: 37844521] {CVE-2025-22121}
- ext4: introduce ITAIL helper (Ye Bin)
- libceph: make calc_target() set t->paused, not just clear it (Ilya Dryomov) [Orabug: 38930821] {CVE-2026-23047}
- libceph: return the handler error from mon_handle_auth_done() (Ilya Dryomov) [Orabug: 38887697] {CVE-2026-22992}
- libceph: make free_choose_arg_map() resilient to partial allocation (Tuo Li) [Orabug: 38887691] {CVE-2026-22991}
- libceph: replace overzealous BUG_ON in osdmap_apply_incremental() (Ilya Dryomov) [Orabug: 38887685] {CVE-2026-22990}
- libceph: prevent potential out-of-bounds reads in handle_auth_done() (Ziming Zhang) [Orabug: 38887673] {CVE-2026-22984}
- wifi: avoid kernel-infoleak from struct iw_point (Eric Dumazet) [Orabug: 38887650] {CVE-2026-22978}
- drm/pl111: Fix error handling in pl111_amba_probe (Miaoqian Lin)
- lib/crypto: aes: Fix missing MMU protection for AES S-box (Eric Biggers)
- mei: me: add nova lake point S DID (Alexander Usyskin)
- net: 3com: 3c59x: fix possible null dereference in vortex_probe1() (Thomas Fourier) [Orabug: 38914755] {CVE-2026-23020}
- atm: Fix dma_free_coherent() size (Thomas Fourier)
- usb: gadget: lpc32xx_udc: fix clock imbalance in error path (Johan Hovold)
- net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() (Su Hui) [Orabug: 39004163] {CVE-2024-40928}
- firmware: arm_scmi: Fix unused notifier-block in unregister (Amitai Gottlieb)
- ext4: fix error message when rejecting the default hash (Gabriel Krisman Bertazi)
- ext4: factor out ext4_hash_info_init() (Jason Yan)
- ext4: filesystems without casefold feature cannot be mounted with siphash (Lizhi Xu) [Orabug: 37206152] {CVE-2024-49968}
- pwm: stm32: Always program polarity (Sean Nyekjaer)
- x86: remove __range_not_ok() (Arnd Bergmann)
- selftests: net: test_vxlan_under_vrf: fix HV connectivity test (Andrea Righi)
- ipv4: Fix uninit-value access in __ip_make_skb() (Shigeru Yoshida) [Orabug: 36683410] {CVE-2024-36927}
- ipv6: Fix potential uninit-value access in __ip6_make_skb() (Shigeru Yoshida) [Orabug: 36683284] {CVE-2024-36903}
- KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning (Justin Stitt)
- HID: core: Harden s32ton() against conversion to 0 bits (Alan Stern) [Orabug: 38334903] {CVE-2025-38556}
- KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS (Sean Christopherson) [Orabug: 37116451] {CVE-2024-46830}
- page_pool: Fix use-after-free in page_pool_recycle_in_ring (Dong Chenchen) [Orabug: 38152994] {CVE-2025-38129}
- drm/i915/selftests: fix subtraction overflow bug (Andrzej Hajda)
- mmc: core: use sysfs_emit() instead of sprintf() (Sergey Shtylyov)
- net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. (Thadeu Lima de Souza Cascardo) [Orabug: 37844500] {CVE-2025-22111}
- drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() (Thomas Zimmermann)
- wifi: mac80211: Discard Beacon frames to non-broadcast address (Jouni Malinen) [Orabug: 38852361] {CVE-2025-71127}
- ASoC: stm32: sai: fix OF node leak on probe (Johan Hovold)
- lockd: fix vfs_test_lock() calls (Neil Brown)
- powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages (David Hildenbrand)
- mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() (David Hildenbrand)
- mm/balloon_compaction: we cannot have isolated pages in the balloon list (David Hildenbrand)
- mm/balloon_compaction: make balloon page compaction callbacks static (Miaohe Lin)
- ASoC: stm32: sai: fix clk prepare imbalance on probe failure (Johan Hovold)
- ASoC: stm32: sai: Use the devm_clk_get_optional() helper (Christophe Jaillet)
- ASoC: stm: Use dev_err_probe() helper (Kuninori Morimoto)
- r8169: fix RTL8117 Wake-on-Lan in DASH mode (René Rebe)
- iommu/qcom: fix device leak on of_xlate() (Johan Hovold)
- powerpc/64s/slb: Fix SLB multihit issue during SLB preload (Donet Tom)
- PCI: brcmstb: Fix disabling L0s capability (Jim Quinlan)
- powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION (David Hildenbrand)
- media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled (Miaoqian Lin)
- media: samsung: exynos4-is: fix potential ABBA deadlock on init (Marek Szyprowski)
- NFSD: NFSv4 file creation neglects setting ACL (Chuck Lever) [Orabug: 38847872] {CVE-2025-68803}
- media: verisilicon: Protect G2 HEVC decoder against invalid DPB index (Nicolas Dufresne)
- media: vpif_capture: fix section mismatch (Johan Hovold)
- media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() (Haoxiang Li)
- SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf (Joshua Rogers) [Orabug: 38852341] {CVE-2025-71120}
- KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN (Jim Mattson)
- crypto: af_alg - zero initialize memory allocated via sock_kmalloc (Shivani Agarwal) [Orabug: 38852312] {CVE-2025-71113}
- svcrdma: bound check rq_pages index in inline path (Joshua Rogers) [Orabug: 38847976] {CVE-2025-71068}
- ARM: dts: microchip: sama7g5: fix uart fifo size to 32 (Nicolas Ferre)
- usb: ohci-nxp: fix device leak on probe failure (Johan Hovold)
- usb: ohci-nxp: Use helper function devm_clk_get_enabled() (Zhang Zekun)
- mptcp: pm: ignore unknown endpoint flags (Matthieu Baerts)
- usb: dwc3: keep susphy enabled during exit to avoid controller faults (Udipto Goswami)
- f2fs: fix to avoid updating zero-sized extent in extent cache (Chao Yu)
- f2fs: fix to propagate error from f2fs_enable_checkpoint() (Chao Yu)
- f2fs: use global inline_xattr_slab instead of per-sb slab cache (Chao Yu)
- f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() (Chao Yu)
- xfs: fix a memory leak in xfs_buf_item_init() (Haoxiang Li)
- KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit (Dongli Zhang)
- NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap (Chuck Lever)
- ALSA: wavefront: Fix integer overflow in sample size validation (Junrui Luo)
- ALSA: wavefront: Use standard print API (Takashi Iwai)
- ALSA: wavefront: Clear substream pointers on close (Junrui Luo)
- wifi: mt76: Fix DTS power-limits on little endian systems (Sven Eckelmann)
- btrfs: don't rewrite ret from inode_permission (Josef Bacik)
- tpm: Cap the number of PCR banks (Jarkko Sakkinen) [Orabug: 38848017] {CVE-2025-71077}
- jbd2: fix the inconsistency between checksum and data in memory for journal sb (Ye Bin)
- xhci: dbgtty: fix device unregister (Łukasz Bartosik)
- xhci: dbgtty: use IDR to support several dbc instances. (Mathias Nyman)
- usb: gadget: udc: fix use-after-free in usb_gadget_state_work (Jimmy Hu) [Orabug: 38773636] {CVE-2025-68282}
- usb: xhci: Apply the link chain quirk on NEC isoc endpoints (Michał Pecio) [Orabug: 37844150] {CVE-2025-22022}
- usb: xhci: move link chain bit quirk checks into one helper function. (Niklas Neronin)
- drm/vmwgfx: Fix a null-ptr access in the cursor snooper (Zack Rusin) [Orabug: 38643537] {CVE-2025-40110}
- virtio_console: fix order of fields cols and rows (Maximilian Immanuel Brandtner)
- kbuild: Use CRC32 and a 1MiB dictionary for XZ compressed modules (Martin Nybo Andersen)
- mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() (Seongjae Park)
- mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() (Seongjae Park)
- mm/damon/tests/core-kunit: handle memory failure from damon_test_target() (Seongjae Park)
- mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() (Seongjae Park)
- mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() (Seongjae Park)
- mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() (Seongjae Park)
- mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() (Seongjae Park)
- mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() (Seongjae Park)
- RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem (Zhu Yanjun) [Orabug: 38094814] {CVE-2025-38022}
- mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() (Seongjae Park)
- mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() (Seongjae Park)
- drm/nouveau/dispnv50: Don't call drm_atomic_get_crtc_state() in prepare_fb (Lyude Paul)
- drm/ttm: Avoid NULL pointer deref for evicted BOs (Simon Richter) [Orabug: 38848052] {CVE-2025-71083}
- drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers (Akhil P Oommen)
- net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write (Deepanshu Kartikey)
- net: usb: sr9700: fix incorrect command used to write single register (Ethan Nelson-Moore)
- nfsd: Drop the client reference in client_states_open() (Haoxiang Li)
- fjes: Add missing iounmap in fjes_hw_init() (Haoxiang Li)
- e1000: fix OOB in e1000_tbi_should_accept() (Guangshuo Li) [Orabug: 38848099] {CVE-2025-71093}
- RDMA/cm: Fix leaking the multicast GID table reference (Jason Gunthorpe) [Orabug: 38848058] {CVE-2025-71084}
- RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly (Jason Gunthorpe) [Orabug: 38848117] {CVE-2025-71096}
- idr: fix idr_alloc() returning an ID out of range (Matthew Wilcox)
- media: i2c: adv7842: Remove redundant cancel_delayed_work in probe (Duoming Zhou)
- media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe (Duoming Zhou)
- media: TDA1997x: Remove redundant cancel_delayed_work in probe (Duoming Zhou)
- media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() (Ivan Abramov)
- media: cec: Fix debugfs leak on bus_register() failure (Xu Wang)
- fbdev: tcx.c fix mem_map to correct smem_start offset (René Rebe)
- fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing (Thorsten Blum)
- fbdev: gbefb: fix to use physical address instead of dma address (René Rebe)
- dm-ebs: Mark full buffer dirty even on partial write (Uladzislau Rezki)
- media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() (Ivan Abramov)
- parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() (Sven Schnelle)
- parisc: entry.S: fix space adjustment on interruption for 64-bit userspace (Sven Schnelle)
- media: rc: st_rc: Fix reset control resource leak (Xu Wang)
- mfd: max77620: Fix potential IRQ chip conflict when probing two devices (Krzysztof Kozlowski)
- mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup (Johan Hovold)
- leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs (Christian Hitz)
- leds: leds-lp50xx: Allow LED 0 to be added to module bank (Christian Hitz)
- PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths (Lukas Wunner)
- HID: logitech-dj: Remove duplicate error logging (Hans de Goede)
- iommu/tegra: fix device leak on probe_device() (Johan Hovold)
- iommu/sun50i: fix device leak on of_xlate() (Johan Hovold)
- iommu/omap: fix device leaks on probe_device() (Johan Hovold)
- iommu/mediatek: fix device leak on of_xlate() (Johan Hovold)
- iommu/mediatek-v1: fix device leak on probe_device() (Johan Hovold)
- iommu/ipmmu-vmsa: fix device leak on of_xlate() (Johan Hovold)
- iommu/exynos: fix device leak on of_xlate() (Johan Hovold)
- iommu/apple-dart: fix device leak on of_xlate() (Johan Hovold)
- ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment. (Srinivas Kandagatla)
- ASoC: qcom: q6adm: the the copp device only during last instance (Srinivas Kandagatla)
- ASoC: qcom: q6asm-dai: perform correct state check before closing (Srinivas Kandagatla)
- ASoC: stm32: sai: fix device leak on probe (Johan Hovold)
- selftests/ftrace: traceonoff_triggers: strip off names (Yipeng Zou)
- RDMA/bnxt_re: fix dma_free_coherent() pointer (Thomas Fourier)
- RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation (Lihonggang)
- RDMA/bnxt_re: Fix to use correct page size for PDE table (Kalesh Ap)
- RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send (Alok Tiwari)
- RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() (Alok Tiwari)
- RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() (Jang Ingyu)
- RDMA/efa: Remove possible negative shift (Michael Margolin)
- RDMA/irdma: avoid invalid read in irdma_net_event (Michal Schmidt) [Orabug: 38852379] {CVE-2025-71133}
- net: rose: fix invalid array index in rose_kill_by_device() (Pwnverse)
- ipv4: Fix reference count leak when using error routes with nexthop objects (Ido Schimmel) [Orabug: 38848125] {CVE-2025-71097}
- ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() (Will Rosenberg) [Orabug: 38848061] {CVE-2025-71085}
- octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" (Anshumali Gaur)
- net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct (Bagas Sanjaya)
- net: usb: asix: validate PHY address before use (Deepanshu Kartikey) [Orabug: 38848107] {CVE-2025-71094}
- net: dsa: b53: skip multicast entries for fdb_dump() (Jonas Gorski)
- firewire: nosy: Fix dma_free_coherent() size (Thomas Fourier)
- genalloc.h: fix htmldocs warning (Andrew Morton)
- smc91x: fix broken irq-context in PREEMPT_RT (Levi Yun) [Orabug: 38852376] {CVE-2025-71132}
- net: usb: rtl8150: fix memory leak on usb_submit_urb() failure (Deepakkumar Karn) [Orabug: 38887620] {CVE-2025-71154}
- team: fix check for port enabled in team_queue_override_port_prio_changed() (Jiri Pirko) [Orabug: 38848088] {CVE-2025-71091}
- platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic (Junrui Luo)
- platform/x86: msi-laptop: add missing sysfs_remove_group() (Thomas Fourier)
- ip6_gre: make ip6gre_header() robust (Eric Dumazet) [Orabug: 38848131] {CVE-2025-71098}
- net: openvswitch: Avoid needlessly taking the RTNL on vport destroy (Toke Høiland-Jørgensen)
- net: mdio: aspeed: add dummy read to avoid read-after-write issue (Jacky Chou)
- net: mdio: aspeed: move reg accessing part into separate functions (Potin Lai)
- Bluetooth: btusb: revert use of devm_kzalloc in btusb (Raphael Pinsonneault-Thibeault) [Orabug: 38848044] {CVE-2025-71082}
- crypto: seqiv - Do not use req->iv after crypto_aead_encrypt (Herbert Xu) [Orabug: 38852370] {CVE-2025-71131}
- iavf: fix off-by-one issues in iavf_config_rss_reg() (Kohei Enju) [Orabug: 38848073] {CVE-2025-71087}
- i40e: Refactor argument of i40e_detect_recover_hung() (Ivan Vecera)
- i40e: Refactor argument of several client notification functions (Ivan Vecera)
- i40e: fix scheduling in set_rx_mode (Przemyslaw Korba)
- hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU (Gui-Dong Han)
- hwmon: (w83791d) Convert macros to functions to avoid TOCTOU (Gui-Dong Han) [Orabug: 38852300] {CVE-2025-71111}
- hwmon: (max16065) Use local variable to avoid TOCTOU (Gui-Dong Han)
- i2c: amd-mp2: fix reference leak in MP2 PCI device (Ma Ke)
- rpmsg: glink: fix rpmsg device leak (Srinivas Kandagatla)
- soc: amlogic: canvas: fix device leak on lookup (Johan Hovold)
- soc: qcom: ocmem: fix device leak on lookup (Johan Hovold)
- amba: tegra-ahb: Fix device leak on SMMU enable (Johan Hovold)
- drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() (Alex Deucher)
- io_uring: fix filename leak in __io_openat_prep() (Prithvi Tambewagh)
- svcrdma: return 0 on success from svc_rdma_copy_inline_range (Joshua Rogers)
- nfsd: Mark variable __maybe_unused to avoid W=1 build break (Andy Shevchenko)
- fsnotify: do not generate ACCESS/MODIFY events on child for special files (Amir Goldstein) [Orabug: 38847800] {CVE-2025-68788}
- tracing: Do not register unsupported perf events (Steven Rostedt) [Orabug: 38852355] {CVE-2025-71125}
- KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits (Sean Christopherson)
- KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) (Sean Christopherson)
- KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation (Yosry Ahmed)
- KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer (Fuqiang Wang) [Orabug: 38852273] {CVE-2025-71104}
- KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() (Fuqiang Wang)
- KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 (Sean Christopherson)
- libceph: make decode_pool() more resilient against corrupted osdmaps (Ilya Dryomov) [Orabug: 38852325] {CVE-2025-71116}
- parisc: Do not reprogram affinitiy on ASP chip (Helge Deller)
- scs: fix a wrong parameter in __scs_magic (Zhichi Lin)
- platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver (Tzung-Bi Shih)
- ocfs2: fix kernel BUG in ocfs2_find_victim_chain (Prithvi Tambewagh) [Orabug: 38847688] {CVE-2025-68771}
- media: vidtv: initialize local pointers upon transfer of memory ownership (Jeongjun Park)
- tools/testing/nvdimm: Use per-DIMM device handle (Alison Schofield)
- f2fs: fix return value of f2fs_recover_fsync_data() (Chao Yu)
- f2fs: invalidate dentry cache on failed whiteout creation (Deepanshu Kartikey)
- scsi: target: Reset t_task_cdb pointer in error case (Andrey Vatoropin) [Orabug: 38847770] {CVE-2025-68782}
- NFSD: use correct reservation type in nfsd4_scsi_fence_client (Dai Ngo)
- scsi: aic94xx: fix use-after-free in device removal path (Junrui Luo) [Orabug: 38848009] {CVE-2025-71075}
- scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" (Tony Battersby) [Orabug: 38847931] {CVE-2025-68818}
- cpufreq: nforce2: fix reference count leak in nforce2 (Miaoqian Lin)
- intel_th: Fix error handling in intel_th_output_open (Ma Ke)
- char: applicom: fix NULL pointer dereference in ac_ioctl (Tianchu Chen)
- usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() (Haoxiang Li)
- usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe (Miaoqian Lin)
- usb: phy: isp1301: fix non-OF device reference imbalance (Johan Hovold)
- USB: lpc32xx_udc: Fix error handling in probe (Ma Ke)
- phy: broadcom: bcm63xx-usbh: fix section mismatches (Johan Hovold)
- media: pvrusb2: Fix incorrect variable used in trace message (Colin Ian King)
- media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() (Jeongjun Park) [Orabug: 38847937] {CVE-2025-68819}
- usb: usb-storage: Maintain minimal modifications to the bcdDevice range. (Chenchangcheng)
- media: v4l2-mem2mem: Fix outdated documentation (Laurent Pinchart)
- jbd2: use a weaker annotation in journal handling (Byungchul Park)
- ext4: fix incorrect group number assertion in mb_check_buddy (Yongjian Sun)
- ext4: xattr: fix null pointer deref in ext4_raw_inode() (Karina Yankevich) [Orabug: 38848276] {CVE-2025-68820}
- ktest.pl: Fix uninitialized var in config-bisect.pl (Steven Rostedt)
- floppy: fix for PAGE_SIZE != 4KB (René Rebe)
- block: rate-limit capacity change info log (Li Chen)
- lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit (Eric Biggers)
- mmc: sdhci-msm: Avoid early clock doubling during HS400 transition (Sarthak Garg)
- KEYS: trusted: Fix a memory leak in tpm2_load_cmd (Jarkko Sakkinen) [Orabug: 38887597] {CVE-2025-71147}
- vhost/vsock: improve RCU read sections around vhost_vsock_get() (Stefano Garzarella)
- platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks (Chia-Lin Kao)
- nvme-fc: don't hold rport lock when putting ctrl (Daniel Wagner)
- serial: sprd: Return -EPROBE_DEFER when uart clock is not ready (Wenhua Lin)
- usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive. (Chenchangcheng)
- usb: xhci: limit run_graceperiod for only usb 3.0 devices (Hongyu Xie)
- usb: typec: ucsi: Handle incorrect num_connectors capability (Mark Pearson) [Orabug: 38852285] {CVE-2025-71108}
- usbip: Fix locking bug in RT-enabled kernels (Lizhi Xu)
- exfat: fix remount failure in different process environments (Yuezhang Mo)
- via_wdt: fix critical boot hang due to unnamed resource allocation (Li Qiang) [Orabug: 38852318] {CVE-2025-71114}
- scsi: qla2xxx: Use reinit_completion on mbx_intr_comp (Tony Battersby)
- scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive (Tony Battersby)
- scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled (Tony Battersby)
- powerpc/addnote: Fix overflow on 32-bit builds (Ben Collins)
- clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 (Josua Mayer)
- ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx (Matthias Schiffer)
- firmware: imx: scu-irq: Init workqueue before request mbox channel (Peng Fan)
- ipmi: Fix __scan_channels() failing to rescan channels (Jinhui Guo)
- ipmi: Fix the race between __scan_channels() and deliver_response() (Jinhui Guo)
- ALSA: usb-mixer: us16x08: validate meter packet indices (Shipei Qu) [Orabug: 38847775] {CVE-2025-68783}
- ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path (Xu Wang)
- ALSA: vxpocket: Fix resource leak in vxpocket_probe error path (Xu Wang)
- net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() (Shaurya Rane) [Orabug: 38847724] {CVE-2025-68776}
- mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig (Jared Kangas)
- spi: fsl-cpm: Check length parity before switching to 16 bit mode (Christophe Leroy)
- ACPI: CPPC: Fix missing PCC check for guaranteed_perf (Pengjie Zhang)
- Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table (Christoffer Sandberg)
- Input: ti_am335x_tsc - fix off-by-one error in wire_order validation (Junjie Cao)
- HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen (Ping Cheng)
- net: hns3: add VLAN id validation before using (Jian Shen)
- net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx (Jian Shen)
- net: hns3: Align type of some variables with their print type (Hao Chen)
- net: hns3: using the num_tqps in the vf driver to apply for resources (Jian Shen)
- net/mlx5: fw_tracer, Handle escaped percent properly (Shay Drory)
- net/mlx5: fw_tracer, Validate format string parameters (Shay Drory) [Orabug: 38847914] {CVE-2025-68816}
- ethtool: Avoid overflowing userspace buffer on stats query (Gal Pressman) [Orabug: 38847826] {CVE-2025-68795}
- net/ethtool/ioctl: split ethtool_get_phy_stats into multiple helpers (Daniil Tatianin)
- net/ethtool/ioctl: remove if n_stats checks from ethtool_get_phy_stats (Daniil Tatianin)
- ethtool: use phydev variable (Tom Rix)
- nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() (Dan Carpenter)
- net/sched: ets: Remove drr class from the active list if it changes to strict (Victor Nogueira) [Orabug: 38847910] {CVE-2025-68815}
- caif: fix integer underflow in cffrml_receive() (Junrui Luo)
- ipvs: fix ipv4 null-ptr-deref in route error path (Slavin Liu) [Orabug: 38847900] {CVE-2025-68813}
- netfilter: nf_conncount: fix leaked ct in error paths (Fernando Fernandez Mancera) [Orabug: 38974757] {CVE-2025-71146}
- broadcom: b44: prevent uninitialized value usage (Alexey Simakov)
- net: openvswitch: fix middle attribute validation in push_nsh() action (Ilya Maximets) [Orabug: 38847784] {CVE-2025-68785}
- mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats (Ido Schimmel)
- mlxsw: spectrum_router: Fix neighbour use-after-free (Ido Schimmel)
- ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() (Dmitry Skorodumov)
- net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change (Jamal Hadi Salim) [Orabug: 38847965] {CVE-2025-71066}
- netrom: Fix memory leak in nr_sendmsg() (Wang Liang)
- Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE (Gongwei Li)
- btrfs: scrub: always update btrfs_scrub_progress::last_physical (Qu Wenruo)
- hfsplus: fix volume corruption issue for generic/073 (Viacheslav Dubeyko)
- hfsplus: Verify inode mode when loading from disk (Tetsuo Handa)
- hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create (Yang Chenzhi)
- hfsplus: fix volume corruption issue for generic/070 (Viacheslav Dubeyko)
- fs/ntfs3: Support timestamps prior to epoch (Konstantin Komarov)
- livepatch: Match old_sympos 0 and 1 in klp_find_func() (Song Liu)
- cpufreq: s5pv210: fix refcount leak (Shuhao Fu)
- ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only (Sakari Ailus)
- ACPICA: Avoid walking the Namespace if start_node is NULL (Cryolitia Pukngae) [Orabug: 38852333] {CVE-2025-71118}
- x86/ptrace: Always inline trivial accessors (Peter Zijlstra)
- sched/deadline: only set free_cpus for online runqueues (Doug Berger) [Orabug: 38847753] {CVE-2025-68780}
- btrfs: fix memory leak of fs_devices in degraded seed device path (Deepanshu Kartikey)
- bpf, arm64: Do not audit capability check in do_jit() (Ondrej Mosnacek)
- spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers (Vishwaroop A)
- coresight: etm4x: Correct polling IDLE bit (Leo Yan)
- netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around (Nicklas Bo Jensen)
- NFS: Fix missing unlock in nfs_unlink() (Sun Ke)
- ASoC: fsl_xcvr: get channel status data when PHY is not exists (Shengjiu Wang)
- ALSA: dice: fix buffer overflow in detect_stream_formats() (Junrui Luo) [Orabug: 38798767] {CVE-2025-68346}
- usb: phy: Initialize struct usb_phy list_head (Diogo Ivo)
- usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt (Haotien Hsu)
- ocfs2: fix memory leak in ocfs2_merge_rec_left() (Dmitry Antipov)
- efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs (Mauro Carvalho Chehab)
- efi/cper: Adjust infopfx size to accept an extra space (Mauro Carvalho Chehab)
- efi/cper: Add a new helper function to print bitmasks (Mauro Carvalho Chehab)
- dm log-writes: Add missing set_freezable() for freezable kthread (Xu Wang)
- dm-raid: fix possible NULL dereference with undefined raid type (Alexey Simakov)
- ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad() (Pangliyuan)
- ALSA: uapi: Fix typo in asound.h comment (Andres J Rosa)
- dma/pool: eliminate alloc_pages warning in atomic_pool_expand (Dave Kleikamp)
- blk-mq: Abort suspend when wakeup events are pending (Cong Zhang)
- ASoC: ak5558: Disable regulator when error happens (Shengjiu Wang)
- ASoC: ak4458: Disable regulator when error happens (Shengjiu Wang)
- ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure() (Xu Wang)
- platform/x86: asus-wmi: use brightness_set_blocking() for kbd led (Anton Khirnov)
- fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() (Armin Wolf)
- NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags (Trond Myklebust) [Orabug: 38818237] {CVE-2025-68764}
- fs_context: drop the unused lsm_flags member (Ondrej Mosnacek)
- Revert "nfs: ignore SB_RDONLY when mounting nfs" (Trond Myklebust)
- Revert "nfs: clear SB_RDONLY before getting superblock" (Trond Myklebust)
- Revert "nfs: ignore SB_RDONLY when remounting nfs" (Trond Myklebust)
- NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid (Jonathan Curley) [Orabug: 38798775] {CVE-2025-68349}
- NFS: Initialise verifiers for visible dentries in nfs_atomic_open() (Trond Myklebust)
- NFS: Fix the verifier for case sensitive filesystem in nfs_atomic_open() (Trond Myklebust)
- NFSv4: Add some support for case insensitive filesystems (Trond Myklebust)
- fs/nls: Fix utf16 to utf8 conversion (Armin Wolf)
- NFS: Avoid changing nlink when file removes and attribute updates race (Trond Myklebust)
- NFS: don't unhash dentry during unlink/rename (Neil Brown)
- NFS: Label the dentry with a verifier in nfs_rmdir() and nfs_unlink() (Trond Myklebust)
- fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe() (Abdun Nihaal)
- pinctrl: single: Fix incorrect type for error return variable (Xu Wang)
- pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling (Matthijs Kooijman)
- perf tools: Fix split kallsyms DSO counting (Namhyung Kim)
- remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs (Alexandru Gagniuc)
- mtd: lpddr_cmds: fix signed shifts in lpddr_cmds (Ivan Stepchenko)
- net: stmmac: fix rx limit check in stmmac_rx_zc() (Alexey Kodanev)
- netfilter: nft_connlimit: update the count if add was skipped (Fernando Fernandez Mancera)
- netfilter: nf_conncount: rework API to use sk_buff directly (Fernando Fernandez Mancera)
- netfilter: nf_conncount: reduce unnecessary GC (William Tu)
- netfilter: flowtable: check for maximum number of encapsulations in bridge vlan (Pablo Neira Ayuso)
- regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex (Sparkhuang) [Orabug: 38798787] {CVE-2025-68354}
- ASoC: Intel: catpt: Fix error path in hw_params() (Cezary Rojewski)
- virtio: fix virtqueue_set_affinity() docs (Michael S. Tsirkin)
- virtio_vdpa: fix misleading return in void function (Alok Tiwari)
- ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation (Yongjian Sun)
- ext4: remove unused return value of __mb_check_buddy (Kemeng Shi)
- ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4 (René Rebe)
- drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1() (Dan Carpenter)
- ASoC: fsl_xcvr: clear the channel status control memory (Shengjiu Wang)
- ASoC: fsl_xcvr: Add support for i.MX93 platform (Chancel Liu)
- ASoC: fsl_xcvr: Add Counter registers (Shengjiu Wang)
- RDMA/irdma: Fix data race in irdma_free_pble (Krzysztof Czurylo)
- RDMA/irdma: Fix data race in irdma_sc_ccq_arm (Krzysztof Czurylo)
- iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal (Stephan Gerhold)
- backlight: lp855x: Fix lp855x.h kernel-doc warnings (Randy Dunlap)
- backlight: led-bl: Add devlink to supplier LEDs (Luca Ceresoli)
- backlight: led_bl: Take led_access lock when required (Mans Rullgard)
- wifi: ieee80211: correct FILS status codes (Ria Thomas)
- PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition (Shawn Lin)
- staging: fbtft: core: fix potential memory leak in fbtft_probe_common() (Jianglei Nie)
- mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() (Zilin Guan)
- crypto: ccree - Correctly handle return of sg_nents_for_len (Xu Wang)
- selftests/bpf: Improve reliability of test_perf_branches_no_hw() (Matt Bobrowski)
- selftests/bpf: skip test_perf_branches_hw() on unsupported platforms (Matt Bobrowski)
- usb: dwc2: fix hang during suspend if set as peripheral (Jisheng Zhang)
- usb: dwc2: fix hang during shutdown if set as peripheral (Jisheng Zhang)
- usb: dwc2: disable platform lowlevel hw resources during shutdown (Jisheng Zhang)
- usb: chaoskey: fix locking for O_NONBLOCK (Oliver Neukum)
- ima: Handle error code returned by ima_filter_rule_match() (Zhao Yipeng) [Orabug: 38798922] {CVE-2025-68740}
- wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() (Seungjin Bae) [Orabug: 38798815] {CVE-2025-68362}
- mfd: mt6358-irq: Fix missing irq_domain_remove() in error path (Xu Wang)
- mfd: mt6397-irq: Fix missing irq_domain_remove() in error path (Xu Wang)
- pwm: bcm2835: Make sure the channel is enabled after pwm_request() (Uwe Kleine-König)
- drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue (Jay Liu)
- fs/ntfs3: Prevent memory leaks in add sub record (Edward Adam Davis)
- fs/ntfs3: out1 also needs to put mi (Edward Adam Davis)
- fs/ntfs3: Make ni_ins_new_attr return error (Konstantin Komarov)
- fs/ntfs3: Add new argument is_mft to ntfs_mark_rec_free (Konstantin Komarov)
- fs/ntfs3: Remove unused mi_mark_free (Konstantin Komarov)
- powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format (Ritesh Harjani)
- wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() (Abdun Nihaal) [Orabug: 38818222] {CVE-2025-68759}
- NFSD/blocklayout: Fix minlength check in proc_layoutget (Sergey Bashirov)
- watchdog: wdat_wdt: Fix ACPI table leak in probe function (Xu Wang)
- watchdog: wdat_wdt: Stop watchdog when uninstalling module (Liu Xinpeng)
- selftests/bpf: Fix failure paths in send_signal test (Alexei Starovoitov)
- ps3disk: use memcpy_{from,to}_bvec index (René Rebe)
- PCI: keystone: Exit ks_pcie_probe() for invalid mode (Siddharth Vadapalli)
- leds: netxbig: Fix GPIO descriptor leak in error paths (Xu Wang)
- scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls (Xu Wang)
- ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint() (Xu Wang)
- ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() (Dmitry Antipov) [Orabug: 38798824] {CVE-2025-68364}
- lib/vsprintf: Check pointer before dereferencing in time_and_date() (Andy Shevchenko)
- clk: renesas: r9a06g032: Fix memory leak in error path (Xu Wang)
- coresight: etm4x: Add context synchronization before enabling trace (Leo Yan)
- coresight: etm4x: Extract the trace unit controlling (Leo Yan)
- coresight-etm4x: add isb() before reading the TRCSTATR (Yuanfang Zhang)
- coresight: etm4x: Use Trace Filtering controls dynamically (Suzuki K Poulose)
- coresight: etm4x: Save restore TRFCR_EL1 (Suzuki K Poulose)
- nbd: defer config unlock in nbd_genl_connect (Zheng Qixing) [Orabug: 38798833] {CVE-2025-68366}
- wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper() (Abdun Nihaal)
- macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse (Long Li) [Orabug: 38798838] {CVE-2025-68367}
- powerpc/32: Fix unpaired stwcx. on interrupt exit (Christophe Leroy)
- RDMA/rtrs: server: Fix error handling in get_or_create_srv (Ma Ke)
- dt-bindings: PCI: amlogic: Fix the register name of the DBI region (Manivannan Sadhasivam)
- dt-bindings: PCI: convert amlogic,meson-pcie.txt to dt-schema (Neil Armstrong)
- scsi: stex: Fix reboot_notifier leak in probe error path (Xu Wang)
- nbd: defer config put in recv_work (Zheng Qixing) [Orabug: 38798851] {CVE-2025-68372}
- nbd: partition nbd_read_stat() into nbd_read_reply() and nbd_handle_reply() (Yu Kuai)
- nbd: clean up return value checking of sock_xmit() (Yu Kuai)
- regulator: core: disable supply if enabling main regulator fails (Gabor Juhos)
- perf/x86/intel: Correct large PEBS flag check (Dapeng Mi)
- ext4: correct the checking of quota files before moving extents (Zhang Yi)
- ext4: minor defrag code improvements (Eric Whitney)
- mfd: da9055: Fix missing regmap_del_irq_chip() in error path (Xu Wang)
- spi: tegra210-quad: Fix timeout handling (Vishwaroop A) [Orabug: 38798944] {CVE-2025-68746}
- spi: tegra210-quad: modify chip select (CS) deactivation (Vishwaroop A)
- scsi: target: Do not write NUL characters into ASCII configfs output (Bart Van Assche)
- power: supply: apm_power: only unset own apm_get_power_status (Ahelenia Ziemiańska)
- power: supply: wm831x: Check wm831x_set_bits() return value (Ivan Abramov)
- i3c: master: svc: Prevent incomplete IBI transaction (Stanley Chu)
- i3c: fix refcount inconsistency in i3c_master_register (Frank Li)
- pinctrl: stm32: fix hwspinlock resource leak in probe function (Xu Wang)
- x86/dumpstack: Prevent KASAN false positive warnings in __show_regs() (Tengda Wu)
- x86: kmsan: don't instrument stack walking functions (Alexander Potapenko)
- kmsan: introduce __no_sanitize_memory and __no_kmsan_checks (Alexander Potapenko)
- compiler-gcc.h: Define __SANITIZE_ADDRESS__ under hwaddress sanitizer (Kees Cook)
- sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock(). (Kuniyuki Iwashima)
- phy: mscc: Fix PTP for VSC8574 and VSC8572 (Horatiu Vultur)
- firmware: imx: scu-irq: fix OF node leak in (Peng Fan)
- s390/ap: Don't leak debug feature files if AP instructions are not available (Heiko Carstens)
- s390/smp: Fix fallback CPU detection (Heiko Carstens)
- crypto: hisilicon/qm - restore original qos values (Nieweiqiang)
- crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id (Thorsten Blum) [Orabug: 38798875] {CVE-2025-68724}
- uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe (Li Qiang)
- arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl (Tim Harvey)
- iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member (Francesco Lavra)
- iio: imu: st_lsm6dsx: discard samples during filters settling time (Lorenzo Bianconi)
- iio: imu: st_lsm6dsx: introduce st_lsm6dsx_device_set_enable routine (Lorenzo Bianconi)
- inet: Avoid ehash lookup race in inet_ehash_insert() (Luoxuanqiang)
- rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu() (Luoxuanqiang)
- ntfs3: Fix uninit buffer allocated by __getname() (Sidharth Seela)
- ntfs3: fix uninit memory after failed mi_read in mi_format_new (Raphael Pinsonneault-Thibeault)
- irqchip/qcom-irq-combiner: Fix section mismatch (Johan Hovold)
- USB: Fix descriptor count when handling invalid MBIM extended descriptor (Seungjin Bae)
- drm/vgem-fence: Fix potential deadlock on release (Janusz Krzysztofik) [Orabug: 38818212] {CVE-2025-68757}
- drm/panel: visionox-rm69299: Don't clear all mode flags (Guido Günther)
- gpu: host1x: Fix race in syncpt alloc/free (Mainak Sen) [Orabug: 38798899] {CVE-2025-68732}
- smack: fix bug: unprivileged task can create labels (Konstantin Andreev)
- staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing (Navaneeth K) [Orabug: 38773544] {CVE-2025-68254}
- staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing (Navaneeth K) [Orabug: 38773554] {CVE-2025-68255}
- comedi: check device's attached status in compat ioctls (Nikita Zhandarovich)
- comedi: multiq3: sanitize config options in multiq3_attach() (Nikita Zhandarovich)
- comedi: c6xdigio: Fix invalid PNP driver unregistration (Ian Abbott)
- HID: elecom: Add support for ELECOM M-XT3URBK (018F) (Naoki Ueki)
- platform/x86: huawei-wmi: add keys for HONOR models (Ston Jia)
- platform/x86: acer-wmi: Ignore backlight event (Armin Wolf)
- pinctrl: qcom: msm: Fix deadlock in pinmux configuration (Praveen Talari)
- bfs: Reconstruct file type when loading from disk (Tetsuo Handa)
- spi: imx: keep dma request disabled before dma transfer setup (Robin Gong)
- spi: xilinx: increase number of retries before declaring stall (Alvaro Gamez Machado)
- USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC (Johan Hovold)
- USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC (Johan Hovold)
- serial: add support of CPCI cards (Magne Bruno)
- USB: serial: ftdi_sio: match on interface number for jtag (Johan Hovold)
- USB: serial: option: move Telit 0x10c7 composition in the right place (Fabio Porcedda)
- USB: serial: option: add Telit Cinterion FE910C04 new compositions (Fabio Porcedda)
- USB: serial: option: add Foxconn T99W760 (Slark Xiao)
- comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() (Nikita Zhandarovich)
- ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() (Alexey Nepomnyashih) [Orabug: 38773587] {CVE-2025-68261}
- locking/spinlock/debug: Fix data-race in do_raw_write_lock (Alexander Sverdlin)
- ext4: refresh inline data size before write operations (Deepanshu Kartikey) [Orabug: 38773603] {CVE-2025-68264}
- jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted (Ye Bin) [Orabug: 38792633] {CVE-2025-68337}
- Documentation: process: Also mention Sasha Levin as stable tree maintainer (Bagas Sanjaya)
- leds: spi-byte: Use devm_led_classdev_register_ext() (Stefan Kalscheuer)
- leds: Replace all non-returning strlcpy with strscpy (Azeem Shaikh)
- drm/i915/selftests: Fix inconsistent IS_ERR and PTR_ERR (Kai Song)
- dpaa2-mac: bail if the dpmacs fwnode is not found (Robert-Ionut Alexa)
- xfrm: flush all states in xfrm_state_fini (Sabrina Dubroca)
- xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added (Sabrina Dubroca) [Orabug: 39004269] {CVE-2025-40256}
- Revert "xfrm: destroy xfrm_state synchronously on net exit path" (Sabrina Dubroca)

More information about the El-errata mailing list