-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 02 Jul 2026 15:50:42 +0200 Source: linux-signed-i386 Architecture: source Version: 6.1.176+1 Distribution: bookworm-security Urgency: high Maintainer: Debian Kernel Team Changed-By: Ben Hutchings Changes: linux-signed-i386 (6.1.176+1) bookworm-security; urgency=high . * Sign kernel from linux 6.1.176-1 . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.175 - [x86] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA - [x86] ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk - [arm64] media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl() - [x86] ALSA: asihpi: avoid write overflow check warning - [x86] ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF - can: mcp251x: add error handling for power enable in open and resume - btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() (CVE-2026-43117) - [x86] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx - [x86] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry (CVE-2026-43114) - [x86] ALSA: hda/realtek: add quirk for Framework F111:000F - wifi: wl1251: validate packet IDs before indexing tx_frames (CVE-2026-43113) - ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list - ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex - fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath (CVE-2026-43112) - [x86] ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx - [x86] pinctrl: intel: Fix the revision for new features (1kOhm PD, HW debouncer) - HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3 - [x86] ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10 - HID: roccat: fix use-after-free in roccat_report_event (CVE-2026-43111) - ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585 - wifi: brcmfmac: validate bsscfg indices in IF events (CVE-2026-43110) - [armhf] ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J - [armhf] soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching - [arm64] dts: imx8mq: Set the correct gpu_ahb clock frequency - PCI: hv: Set default NUMA node to 0 for devices without affinity info - [arm*] drm/vc4: Release runtime PM reference after binding V3D - [arm*] drm/vc4: Fix memory leak of BO array in hang state (CVE-2026-43105) - [arm*] drm/vc4: Fix a memory leak in hang state error path (CVE-2026-43104) - [arm*] drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock - epoll: use refcount to reduce ep_mutex contention - eventpoll: defer struct eventpoll free to RCU grace period (CVE-2026-43074) - net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684) - net: lapbether: handle NETDEV_PRE_TYPE_CHANGE (CVE-2026-43103) - ipv4: icmp: fix null-ptr-deref in icmp_build_probe() (CVE-2026-43099) - nfc: s3fwrn5: allocate rx skb before consuming bytes (CVE-2026-43098) - tracing/probe: reject non-closed empty immediate strings - ixgbevf: add missing negotiate_features op to Hyper-V ops table (CVE-2026-43094) - e1000: check return value of e1000_read_eeprom - xsk: tighten UMEM headroom validation to account for tailroom and min frame (CVE-2026-43093) - xfrm_user: fix info leak in build_mapping() (CVE-2026-43089) - netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator (CVE-2026-43085) - netfilter: xt_multiport: validate range encoding in checkentry (CVE-2026-31681) - netfilter: ip6t_eui64: reject invalid MAC header for all packets (CVE-2026-31685) - af_unix: read UNIX_DIAG_VFS data under unix_state_lock (CVE-2026-31673) - l2tp: Drop large packets with UDP encap (CVE-2026-43080) - [arm64,armhf] gpio: tegra: fix irq_release_resources calling enable instead of disable - [x86] perf/x86/intel/uncore: Skip discovery table for offline dies (CVE-2026-43079) - Revert "drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug" (regression in 6.1.167) - netfilter: conntrack: add missing netlink policy validations (CVE-2026-31407) - [x86] drm/i915/psr: Do not use pipe_src as borders for SU area - nfc: llcp: add missing return after LLCP_CLOSED checks (CVE-2026-31629) - can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532) - [arm*] i2c: s3c24xx: check the size of the SMBUS message before using it (CVE-2026-31627) - staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify() (CVE-2026-31626) - HID: alps: fix NULL pointer dereference in alps_raw_event() (CVE-2026-31625) - HID: core: clamp report_size in s32ton() to avoid undefined shift (CVE-2026-31624) - net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete() (CVE-2026-31623) - NFC: digital: Bounds check NFC-A cascade depth in SDD response handler (CVE-2026-31622) - [arm*] drm/vc4: platform_get_irq_byname() returns an int (CVE-2026-43072) - ALSA: fireworks: bound device-supplied status before string array lookup (CVE-2026-31619) - fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO (CVE-2026-31618) - usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb() (CVE-2026-31617) - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() (CVE-2026-31616) - [arm64,armhf] usb: gadget: renesas_usb3: validate endpoint index in standard request handlers (CVE-2026-31615) - ksmbd: validate EaNameLength in smb2_get_ea() (CVE-2026-31612) - ksmbd: require 3 sub-authorities before reading sub_auth[2] (CVE-2026-31611) - usbip: validate number_of_packets in usbip_pack_ret_submit() (CVE-2026-31607) - usb: storage: Expand range of matched versions for VL817 quirks entry - USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen - usb: port: add delay after usb_hub_set_port_power() - fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO (CVE-2026-31605) - staging: sm750fb: fix division by zero in ps_to_hz() (CVE-2026-31603) - USB: serial: option: add Telit Cinterion FN990A MBIM composition - ALSA: ctxfi: Limit PTP to a single page (CVE-2026-31602) - dcache: Limit the minimal number of bucket to two (CVE-2026-43071) - media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections (CVE-2026-31599) - ocfs2: fix possible deadlock between unlink and dio_end_io_write (CVE-2026-31598) - ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY (CVE-2026-31597) - ocfs2: handle invalid dinode in ocfs2_group_extend (CVE-2026-31596) - [x86] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION (CVE-2026-31590) - Revert "dmaengine: idxd: Fix not releasing workqueue on .release()" (regression in 6.1.168) - ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free (CVE-2025-39997) - net: add proper RCU protection to /proc/net/ptype (CVE-2026-23255) - net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr() - bonding: return detailed error when loading native XDP fails - bonding: check xdp prog when set bond mode (CVE-2025-22105) - drm/amdgpu: remove two invalid BUG_ON()s (CVE-2025-68201) - nf_tables: nft_dynset: fix possible stateful expression memleak in error path (CVE-2026-23399) - rxrpc: proc: size address buffers for %pISpc output (CVE-2026-31630) - [x86] KVM: x86: Use scratch field in MMIO fragment to hold small write values (CVE-2026-31588) - mm/kasan: fix double free for kasan pXds (CVE-2026-31686) - mm: blk-cgroup: fix use-after-free in cgwb_release_workfn() (CVE-2026-31586) - media: vidtv: fix nfeeds state corruption on start_streaming failure (CVE-2026-31585) - media: em28xx: fix use-after-free in em28xx_v4l2_open() (CVE-2026-31583) - ALSA: 6fire: fix use-after-free on disconnect (CVE-2026-31581) - bcache: fix cached_dev.sb_bio use-after-free and crash (CVE-2026-31580) - media: as102: fix to not free memory after the device is registered in as102_usb_probe() (CVE-2026-31578) - nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map (CVE-2026-31577) - media: vidtv: fix pass-by-value structs causing MSAN warnings (CVE-2026-43058) - media: hackrf: fix to not free memory after the device is registered in hackrf_probe() (CVE-2026-31576) - PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown (CVE-2026-31594) - ipv6: add NULL checks for idev in SRv6 paths (CVE-2026-23442) - gfs2: Improve gfs2_consist_inode() usage - gfs2: Validate i_depth for exhash directories (CVE-2025-38710) - wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure (CVE-2026-23444) - net: dsa: clean up FDB, MDB, VLAN entries on unbind (CVE-2025-37864) - [arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V - [arm64] dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V - ocfs2: add inline inode consistency check to ocfs2_validate_inode_block() - ocfs2: validate inline data i_size during inode read (CVE-2026-43076) - ocfs2: fix out-of-bounds write in ocfs2_write_end_inline (CVE-2026-43075) - rxrpc: Fix key quota calculation for multitoken keys - rxrpc: Fix call removal to use RCU safe deletion (CVE-2026-31642) - rxrpc: reject undecryptable rxkad response tickets (CVE-2026-31637) - [x86] KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs - ublk: fix deadlock when reading partition table (CVE-2025-68823) - PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup (CVE-2026-31595) - [arm64,armhf] ASoC: qcom: q6apm: move component registration to unmanaged version (CVE-2026-31587) - rxrpc: Fix recvmsg() unconditional requeue (CVE-2026-23066) - scsi: ufs: core: Fix use-after free in init error and remove paths (CVE-2025-21739) - ALSA: control: Avoid WARN() for symlink errors (CVE-2024-56657) - f2fs: fix null-ptr-deref in f2fs_submit_page_bio() (CVE-2024-53221) - wifi: iwlwifi: read txq->read_ptr under lock (CVE-2024-36922) - [arm64] mm: fix VA-range sanity check (CVE-2023-53989) - rxrpc: Fix anonymous key handling - rxrpc: only handle RESPONSE during service challenge (CVE-2026-31676) - fs/ntfs3: validate rec->used in journal-replay file record check (CVE-2026-31716) - fuse: reject oversized dirents in page cache (CVE-2026-31694) - fuse: quiet down complaints in fuse_conn_limit_write - smb: server: fix active_num_conn leak on transport allocation failure (CVE-2026-31711) - smb: server: fix max_connections off-by-one in tcp accept path - smb: client: require a full NFS mode SID before reading mode bits (CVE-2026-43350) - smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path (CVE-2026-31708) - ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment (CVE-2026-31705) - ksmbd: use check_add_overflow() to prevent u16 DACL size overflow (CVE-2026-31704) - f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() (CVE-2026-31702) - ALSA: usb-audio: apply quirk for MOONDROP JU Jiu - ALSA: caiaq: take a reference on the USB device in create_card() (CVE-2026-31701) - crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed (CVE-2026-31699) - crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed (CVE-2026-31698) - crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed (CVE-2026-31697) - rxrpc: Fix missing validation of ticket length in non-XDR key preparsing (CVE-2026-31696) - ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES (CVE-2026-46018) - ALSA: usb-audio: Avoid false E-MU sample-rate notifications - ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch - usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() - ALSA: usb-audio: Evaluate packsize caps at the right place - drm/nouveau: fix u32 overflow in pushbuf reloc bounds check (CVE-2026-46006) - [x86] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() (CVE-2026-46022) - [x86] ibmasm: fix OOB reads in command_file_write due to missing size checks (CVE-2026-45994) - [x86] ibmasm: fix heap over-read in ibmasm_send_i2o_message() (CVE-2026-46064) - firmware: google: framebuffer: Do not mark framebuffer as busy - padata: Fix pd UAF once and for all (CVE-2025-38584) - padata: Remove comment for reorder_work - drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array - drm/amdgpu: Limit BO list entry count to prevent resource exhaustion (CVE-2026-23468) - net: enetc: fix the deadlock of enetc_mdio_lock (CVE-2025-40347) - blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none (CVE-2023-53292) - [arm64] set __exception_irq_entry with __irq_entry as a default (CVE-2023-54322) - regset: use kvzalloc() for regset_get_alloc() - device property: Make modifications of fwnode "flags" thread safe - ocfs2: split transactions in dio completion to avoid credit exhaustion (CVE-2026-46080) - driver core: Don't let a device probe until it's ready - wifi: rtw88: check for PCI upstream bridge existence - f2fs: fix to detect potential corrupted nid in free_nid_list (CVE-2025-68315) - crypto: pcrypt - Fix handling of MAY_BACKLOG requests (CVE-2026-43493) - [arm*] media: amphion: Fix race between m2m job_abort and device_run (CVE-2026-46058) - ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() (CVE-2026-46088) - net: caif: clear client service pointer on teardown (CVE-2026-46098) - net: strparser: fix skb_head leak in strp_abort_strp() (CVE-2026-46102) - PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown (CVE-2026-46009) - Revert "ALSA: usb: Increase volume range that triggers a warning" (regression in 6.1.162) - lib/ts_kmp: fix integer overflow in pattern length calculation - net: qrtr: ns: Fix use-after-free in driver remove() (CVE-2026-46047) - ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() (CVE-2026-46002) - ALSA: ctxfi: Add fallback to default RSR for S/PDIF (CVE-2026-46049) - ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes - erofs: fix the out-of-bounds nameoff handling for trailing dirents (CVE-2026-46078) - md/raid10: fix deadlock with check operation and nowait requests (CVE-2026-46050) - nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4 - nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set - rbd: fix null-ptr-deref when device_add_disk() fails (CVE-2026-46079) - io_uring/timeout: check unused sqe fields - iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned() - io_uring/poll: fix signed comparison in io_poll_get_ownership() (CVE-2026-52933) - io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE - ALSA: core: Fix potential data race at fasync handling - ALSA: caiaq: Fix control_put() result and cache rollback - ALSA: caiaq: Handle probe errors properly (CVE-2026-46004) - ALSA: 6fire: Fix input volume change detection - iio: adc: ad7768-1: fix one-shot mode data acquisition - net: rds: fix MR cleanup on copy error (CVE-2026-46053) - net/smc: avoid early lgr access in smc_clc_wait_msg (CVE-2026-46027) - net: ks8851: Reinstate disabling of BHs around IRQ handler (CVE-2026-46031) - RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv (CVE-2026-46043) - ipv4: icmp: validate reply type before using icmp_pointers (CVE-2026-46037) - libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() (CVE-2026-46024) - power: supply: axp288_charger: Do not cancel work before initializing it - randomize_kstack: Maintain kstack_offset per task - mmc: block: use single block write in retry - [arm64] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration - tpm: tpm_tis: add error logging for data transfer - userfaultfd: allow registration of ranges below mmap_min_addr - [x86] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state - [x86] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2 - [x86] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2 (CVE-2026-45987) - [x86] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 (CVE-2026-46082) - [x86] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts - [x86] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode - [x86] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT - [x86] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN - [x86] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID) - [x86] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT - [x86] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS - [x86] KVM: nSVM: Add missing consistency check for nCR3 validity - mtd: docg3: fix use-after-free in docg3_release() (CVE-2026-46285) - io_uring/poll: fix multishot recv missing EOF on wakeup race - ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() (CVE-2026-46046) - md/raid5: fix soft lockup in retry_aligned_read() (CVE-2026-46051) - md/raid5: validate payload size before accessing journal metadata (CVE-2026-46070) - inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails (CVE-2026-46040) - tcp: call sk_data_ready() after listener migration (CVE-2026-46015) - taskstats: set version in TGID exit notifications - Bluetooth: hci_event: fix potential UAF in SSP passkey handlers (CVE-2026-46056) - can: ucan: fix devres lifetime (CVE-2026-46103) - [arm64] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit - [armel,armhf] crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup (CVE-2026-46019) - [arm*] crypto: ccree - fix a memory leak in cc_mac_digest() (CVE-2026-45986) - [armel,armhf] crypto: atmel-tdes - fix DMA sync direction (CVE-2026-46077) - crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path (CVE-2026-46075) - dm mirror: fix integer overflow in create_dirty_log() (CVE-2026-46023) - IB/core: Fix zero dmac race in neighbor resolution - ntfs3: add buffer boundary checks to run_unpack() (CVE-2026-46072) - ntfs3: fix integer overflow in run_unpack() volume boundary check (CVE-2026-46062) - rtmutex: Use waiter::task instead of current in remove_waiter() (CVE-2026-43499) - scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails (CVE-2026-45997) - seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode - crypto: authencesn - reject short ahash digests during instance creation (CVE-2026-46033) - ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path - ALSA: caiaq: Don't abort when no input device is available - ipv6: rpl: reserve mac_len headroom when recompressed SRH grows (CVE-2026-43501) - drm/amdgpu: fix zero-size GDS range init on RDNA4 (CVE-2026-46276) - ALSA: caiaq: fix usb_dev refcount leak on probe failure - net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels (CVE-2026-46099) - netfilter: reject zero shift in nft_bitwise (CVE-2026-46101) - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() (CVE-2026-46149) - ipmi: Add limits to event and receive message requests (CVE-2026-46177) - ipmi: Check event message buffer response for bad data (CVE-2026-46128) - ipmi:si: Return state to normal if message allocation fails (CVE-2026-46108) - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free (CVE-2026-43497) - ACPI: scan: Use acpi_dev_put() in object add error paths - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug - [x86] ACPI: video: force native backlight on HP OMEN 16 (8A44) - ASoC: SOF: Don't allow pointer operations on unconfigured streams (CVE-2026-46179) - [arm64,armhf] spi: rockchip: fix controller deregistration - drm/amd/display: Do not skip unrelated mode changes in DSC validation (CVE-2026-31488) - [arm64,armhf] spi: meson-spicc: Fix double-put in remove path (CVE-2026-31489) - ext4: validate p_idx bounds in ext4_ext_correct_indexes (CVE-2026-31449) - [x86] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN (CVE-2026-46113) - flow_dissector: do not dissect PPPoE PFC frames (CVE-2026-46306) - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked (CVE-2026-43496) - Bluetooth: hci_sync: Remove remaining dependencies of hci_request - Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock (CVE-2026-31500) - ice: Fix memory leak in ice_set_ringparam() (CVE-2026-23389) - exit: prevent preemption of oopsing TASK_DEAD task (CVE-2026-46173) - wifi: mt76: mt7921: fix a potential clc buffer length underflow (CVE-2026-46136) - wifi: b43legacy: enforce bounds check on firmware key index in RX path (CVE-2026-46163) - wifi: rsi: fix kthread lifetime race between self-exit and external-stop (CVE-2026-46187) - wifi: ath5k: do not access array OOB (CVE-2026-46307) - wifi: b43: enforce bounds check on firmware key index in b43_rx() (CVE-2026-46122) - usb: usblp: fix heap leak in IEEE 1284 device ID via short response (CVE-2026-46151) - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl (CVE-2026-46167) - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() (CVE-2026-46146) - ALSA: usb-audio: Fix UAC3 cluster descriptor size check - USB: serial: option: add Telit Cinterion LE910Cx compositions - usb: ulpi: fix memory leak on ulpi_register() error paths (CVE-2026-46109) - ALSA: firewire-tascam: Do not drop unread control events - xfrm: provide message size for XFRM_MSG_MAPPING - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() (CVE-2026-46172) - Bluetooth: virtio_bt: clamp rx length before skb_put (CVE-2026-46123) - Bluetooth: virtio_bt: validate rx pkt_type header length (CVE-2026-46186) - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() (CVE-2026-45835) - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() (CVE-2026-45834) - fanotify: fix false positive on permission events (CVE-2026-46150) - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo (CVE-2026-46132) - sound: ua101: fix division by zero at probe (CVE-2026-46184) - ip6_gre: Use cached t->net in ip6erspan_changelink(). (CVE-2026-46120) - net/rds: handle zerocopy send cleanup before the message is queued (CVE-2026-43502) - [x86] hwmon: (corsair-psu) Close HID device on probe errors - cifs: abort open_cached_dir if we don't request leases - cifs: change_conf needs to be called for session setup - [arm64] extcon: ptn5150: handle pending IRQ events during system resume - [arm64] hv_sock: fix ARM64 support - [ppc64el] ibmveth: Disable GSO for packets with small MSS (CVE-2026-46273) - udf: reject descriptors with oversized CRC length - spi: topcliff-pch: fix use-after-free on unbind (CVE-2026-46301) - [ppc64el] cpuidle: powerpc: avoid double clear when breaking snooze - [x86] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table - [arm64,armhf] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop - [arm64,armhf] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens (CVE-2026-46143) - [arm64,armhf] ASoC: qcom: q6apm: remove child devices when apm is removed - btrfs: fix double free in create_space_info() error path (CVE-2026-46129) - dm-thin: fix metadata refcount underflow (CVE-2026-46107) - dm: don't report warning when doing deferred remove - dm: fix a buffer overflow in ioctl processing (CVE-2026-46294) - dm-verity-fec: correctly reject too-small FEC devices - dm-verity-fec: correctly reject too-small hash devices - isofs: validate Rock Ridge CE continuation extent against volume size (CVE-2026-46303) - isofs: validate block number from NFS file handle in isofs_export_iget (CVE-2026-46124) - libceph: Fix slab-out-of-bounds access in auth message processing (CVE-2026-46119) - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies (CVE-2026-46161) - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free (CVE-2026-46304) - openvswitch: vport: fix self-deadlock on release of tunnel ports (CVE-2026-46165) - [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() (CVE-2026-46112) - [s390x] debug: Reject zero-length input in debug_input_flush_fn() - smb/client: fix out-of-bounds read in symlink_data() (CVE-2026-46185) - PCI/AER: Clear only error bits in PCIe Device Status - PCI/AER: Stop ruling out unbound devices as error source - [x86] power: supply: max17042: avoid overflow when determining health - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() (CVE-2026-46178) - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() (CVE-2026-46127) - RDMA/rxe: Reject unknown opcodes before ICRC processing (CVE-2026-46133) - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path (CVE-2026-46189) - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure - mptcp: sockopt: set timestamp flags on subflow socket, not msk - mptcp: fix scheduling with atomic in timestamp sockopt (CVE-2026-46168) - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() - f2fs: fix fiemap boundary handling when read extent cache is incomplete - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value - f2fs: compress: change the first parameter of page_array_{alloc,free} to sbi - f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic (CVE-2025-38627) - exit: Sleep at TASK_IDLE when waiting for application core dump - media: uvcvideo: Enable VB2_DMABUF for metadata stream - [x86] staging: media: atomisp: Disallow all private IOCTLs (CVE-2026-46205) - media: rc: xbox_remote: heed DMA restrictions (CVE-2026-46236) - media: rc: streamzap: Error handling in probe - media: saa7164: add ioremap return checks and cleanups (CVE-2026-46235) - [x86] platform/x86: hp-wmi: Ignore backlight and FnLock events - media: pci: zoran: fix potential memory leak in zoran_probe() - media: dib8000: avoid division by 0 in dib8000_set_dds() - [armhf] media: omap3isp: drop the use count of v4l2 pipeline - [arm64,armhf] spi: imx: fix runtime pm leak on probe deferral - [armel,armhf] spi: orion: fix clock imbalance on registration failure - drm/amdgpu: Add bounds checking to ib_{get,set}_value (CVE-2026-46218) - drm/amdgpu/vce: Prevent partial address patches - drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg (CVE-2026-46199) - drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg (CVE-2026-46230) - drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() (CVE-2026-46209) - drm/amdkfd: validate SVM ioctl nattr against buffer size (CVE-2026-46197) - drm/radeon: add missing revision check for CI - drm/amdgpu: zero-initialize GART table on allocation - drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ - drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission (CVE-2026-46220) - drm/amdgpu/pm: add missing revision check for CI - drm/amdgpu/pm: align Hawaii mclk workaround with radeon - sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL (CVE-2026-46227) - batman-adv: fix integer overflow on buff_pos (CVE-2026-46198) - batman-adv: reject new tp_meter sessions during teardown (CVE-2026-46206) - batman-adv: stop caching unowned originator pointers in BAT IV (CVE-2026-46238) - batman-adv: bla: prevent use-after-free when deleting claims (CVE-2026-46212) - batman-adv: bla: only purge non-released claims (CVE-2026-46233) - batman-adv: bla: put backbone reference on failed claim hash insert (CVE-2026-46231) - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() (CVE-2026-45836) - mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()` - mtd: spi-nor: sst: Fix write enable before AAI sequence - vsock: fix buffer size clamping order (CVE-2026-46234) - vsock/virtio: fix accept queue count leak on transport mismatch (CVE-2026-46214) - drm/amdgpu/vcn3: Avoid overflow on msg bound check - drm/amdgpu/vcn4: Avoid overflow on msg bound check - mtd: spi-nor: sst: Fix SST write failure - bcache: fix uninitialized closure object - blk-cgroup: wait for blkcg cleanup before initializing new disk - fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START (CVE-2026-53130) - drbd: Balance RCU calls in drbd_adm_dump_devices() (CVE-2026-53128) - nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() (CVE-2026-53320) - pstore/ram: fix resource leak when ioremap() fails - devres: fix missing node debug info in devm_krealloc() - debugfs: check for NULL pointer in debugfs_create_str() - hrtimers: Update the return type of enqueue_hrtimer() - hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns() - hrtimer: Reduce trace noise in hrtimer_start() - locking: Fix rwlock support in - firmware: dmi: Correct an indexing error in dmi.h - wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt() - wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet (CVE-2026-53112) - bpf: Add CHECKSUM_COMPLETE to bpf test progs - bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap (CVE-2026-53111) - kernel: param: rename locate_module_kobject - kernel: globalize lookup_or_create_module_kobject() - bpf, devmap: Remove unnecessary if check in for loop - bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path (CVE-2026-53096) - wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap() - r8152: fix incorrect register write to USB_UPHY_XTAL - [ppc64el] powerpc/crash: fix backup region offset update to elfcorehdr - macvlan: annotate data-races around port->bc_queue_len_used - bpf: fix end-of-list detection in cgroup_storage_get_next_key() (CVE-2026-45838) - wifi: brcmfmac: Fix error pointer dereference (CVE-2026-53093) - bpf: Drop task_to_inode and inet_conn_established from lsm sleepable hooks - bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() (CVE-2026-45839) - [arm64] ACPI: AGDI: fix missing newline in error message - [arm64] kexec: Remove duplicate allocation for trans_pgd - [arm64] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb (CVE-2026-53088) - [arm64] net: bcmgenet: Remove TX ring full logging - [arm64] net: bcmgenet: Remove custom ndo_poll_controller() - [arm64] net: bcmgenet: add bcmgenet_has_* helpers - [arm64] net: bcmgenet: move DESC_INDEX flow to ring 0 - [arm64] net: bcmgenet: support reclaiming unsent Tx packets - [arm64] net: bcmgenet: switch to use 64bit statistics - [arm64] net: bcmgenet: fix racing timeout handler (CVE-2026-53086) - netfilter: xt_socket: enable defrag after all other checks - netfilter: nft_fwd_netdev: check ttl/hl before forwarding - 6pack: propagage new tty types - net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf (CVE-2026-53082) - net/sched: act_ct: Only release RCU read lock after ct_ft (CVE-2026-46319) - net/rds: Optimize rds_ib_laddr_check - net/rds: Restrict use of RDS/IB to the initial network namespace (CVE-2026-53077) - ppp: require CAP_NET_ADMIN in target netns for unattached ioctls (CVE-2026-53075) - bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb (CVE-2026-53074) - Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds MTU - Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error (CVE-2026-53073) - Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER (CVE-2026-53072) - Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp (CVE-2026-53071) - sctp: fix missing encap_port propagation for GSO fragments - net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master (CVE-2026-53069) - [arm*] drm/komeda: fix integer overflow in AFBC framebuffer size check (CVE-2026-53068) - [arm*] drm/sun4i: backend: fix error pointer dereference (CVE-2026-53066) * [armhf] ASoC: sti: use managed regmap_field allocations (CVE-2026-53065) - dm cache: fix null-deref with concurrent writes in passthrough mode (CVE-2026-53064) - dm cache: fix write path cache coherency in passthrough mode - dm cache: fix write hang in passthrough mode (CVE-2026-53063) - dm cache policy smq: fix missing locks in invalidating cache blocks (CVE-2026-53062) - dm cache: fix concurrent write failure in passthrough mode - dm cache: support shrinking the origin device - dm cache: fix dirty mapping checking in passthrough mode switching (CVE-2026-53061) - dm cache metadata: fix memory leak on metadata abort retry (CVE-2026-53060) - dm log: fix out-of-bounds write due to region_count overflow (CVE-2026-53059) - [arm64] spi: fsl-qspi: Use reinit_completion() for repeated operations - [arm*] drm/sun4i: Fix resource leaks - drm/amdgpu: Add default case in DVI mode validation - dm init: ensure device probing has finished in dm-mod.waitfor= - padata: Remove cpu online check from cpu add and removal - padata: Put CPU offline callback in ONLINE section to allow failure (CVE-2026-53314) - drm/amdgpu/gfx10: look at the right prop for gfx queue priority - [arm64] drm/msm/dpu: fix mismatch between power and frequency (CVE-2026-53056) - [arm64] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0 - [arm64,armhf] drm/panel: simple: Correct G190EAN01 prepare timing - ALSA: core: Validate compress device numbers without dynamic minors - drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled - drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs - drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock - drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0 - drm/amd/pm/ci: Clear EnabledForActivity field for memory levels - drm/amd/pm/ci: Fill DW8 fields from SMC - drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board - [arm64] drm/msm/a6xx: Fix HLSQ register dumping - [arm64] drm/msm/shrinker: Fix can_block() logic - [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers - [armhf] pmdomain: ti: omap_prm: Fix a reference leak on device node - [arm64] ASoC: fsl_micfil: Fix event generation in micfil_quality_set() - [arm*] ASoC: qcom: qdsp6: topology: check widget type before accessing data (CVE-2026-53052) - PCI: Enable AtomicOps only if Root Port supports them - ALSA: scarlett2: Add missing sentinel initializer field - [x86] ASoC: SOF: amd: Fix for reading position updates from stream box. - [x86] ASoC: SOF: Prepare ipc_msg_data to be used with compress API - [x86] ASoC: SOF: Prepare set_stream_data_offset for compress API - [x86] ASoC: SOF: Add support for compress API for stream data/offset - [x86] ASoC: SOF: compress: return the configured codec from get_params - [i386] ALSA: sc6000: Use standard print API - [i386] ALSA: sc6000: Keep the programmed board state in card-private data - dm cache: fix missing return in invalidate_committed's error path - gfs2: Call unlock_new_inode before d_instantiate - quota: Fix race of dquot_scan_active() with quota deactivation (CVE-2026-53050) - gfs2: add some missing log locking (CVE-2026-53049) - gfs2: prevent NULL pointer dereference during unmount (CVE-2026-53048) - efi/capsule-loader: fix incorrect sizeof in phys array reallocation (CVE-2026-53047) - ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine (CVE-2026-53046) - [armhf] dts: mediatek: mt7623: fix efuse fallback compatible - [armhf] memory: tegra124-emc: Fix dll_change check (CVE-2026-53045) - [arm64] dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1) - [arm64] dts: mediatek: mt6795: Fix gpio-ranges pin count - [arm64] dts: mediatek: mt7986a: Fix gpio-ranges pin count - [arm64] dts: qcom: sm8450: Fix GIC_ITS range length - [arm64] dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes - [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot - unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure - ocfs2/dlm: validate qr_numregions in dlm_match_regions() (CVE-2026-53043) - ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison (CVE-2026-53309) - [arm64] soc: qcom: aoss: compare against normalized cooling state - [arm64] dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP - [arm64] xor: fix conflicting attributes for xor_block_template - ocfs2: fix listxattr handling when the buffer is full (CVE-2026-53041) - ocfs2: validate bg_bits during freefrag scan (CVE-2026-53040) - ocfs2: validate group add input before caching (CVE-2026-53039) - soundwire: bus: demote UNATTACHED state warnings to dev_dbg() - [armhf] dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register() - tracing: Rebuild full_name on each hist_field_name() call - ima: check return value of crypto_shash_final() in boot aggregate - HID: asus: make asus_resume adhere to linux kernel coding standards - HID: asus: do not abort probe when not necessary - mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations - mtd: spi-nor: spansion: Rename s28hs512t prefix - mtd: spi-nor: spansion: Replace hardcoded values for addr_nbytes/ addr_mode_nbytes - mtd: spi-nor: spansion: Make RD_ANY_REG_OP macro take number of dummy bytes - mtd: spi-nor: spansion: Add support for Infineon S25FS256T - mtd: spi-nor: Allow post_sfdp hook to return errors - mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook - mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook - mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation - mtd: spi-nor: swp: check SR_TB flag when getting tb_mask - mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path - mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions - [armhf] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob - HID: usbhid: fix deadlock in hid_post_reset() (CVE-2026-53037) - [arm64] bpf, arm64: Fix off-by-one in check_imm signed range check (CVE-2026-53036) - bpf, sockmap: Fix af_unix iter deadlock (CVE-2026-53035) - bpf, sockmap: Fix af_unix null-ptr-deref in proto update (CVE-2026-53034) - bpf, sockmap: Take state lock for af_unix iter (CVE-2026-53033) - bpf: Fix precedence bug in convert_bpf_ld_abs alignment check - bpf: allow UTF-8 literals in bpf_bprintf_prepare() - [armel,armhf] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT - perf branch: Avoid incrementing NULL - perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace - perf expr: Return -EINVAL for syntax error in expr__find_ids() - perf util: Kill die() prototype, dead for a long time - i3c: mipi-i3c-hci: fix IBI payload length calculation for final status - dev_printk: add new dev_err_probe() helpers - [x86] platform/surface: surfacepro3_button: Drop wakeup source on remove - [s390x] tty: hvc_iucv: fix off-by-one in number of supported devices (CVE-2026-53306) - [x86] platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup - [armhf] mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata() - nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist() - fs/ntfs3: terminate the cached volume label after UTF-8 conversion (CVE-2026-53023) - [x86] platform/x86: dell_rbu: avoid uninit value usage in packet_size_write() - [x86] platform/x86: dell-wmi-sysman: bound enumeration string aggregation (CVE-2026-53022) - RDMA/core: Prefer NLA_NUL_STRING - scsi: sg: Resolve soft lockup issue when opening /dev/sgX (CVE-2026-53304) - scsi: target: core: Fix integer overflow in UNMAP bounds check (CVE-2026-53021) - [armhf] clk: imx: imx6q: Fix device node reference leak in pll6_bypassed() - [armhf] clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels() - [arm64] clk: imx8mq: Correct the CSI PHY sels - [arm64] clk: qoriq: avoid format string warning - [arm64] clk: xgene: Fix mapping leak in xgene_pllclk_init() - f2fs: Use sysfs_emit_at() to simplify code - f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() (CVE-2026-53303) - [x86] drm/i915: Constify watermark state checker - [x86] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update() - [x86] drm/i915: Loop over all active pipes in intel_mbus_dbox_update - [x86] drm/i915/wm: Verify the correct plane DDB entry - crypto: ccp - copy IV using skcipher ivsize (CVE-2026-53016) - [arm64] dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT - [x86] PCMCIA: Fix garbled log messages for KERN_CONT - [arm64] dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT - [arm64] dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT - net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys - nexthop: fix IPv6 route referencing IPv4 nexthop (CVE-2026-53012) - net/sched: taprio: continue with other TXQs if one dequeue() failed - net/sched: taprio: refactor one skb dequeue from TXQ to separate function - net/sched: taprio: rename close_time to end_time - net/sched: taprio: fix use-after-free in advance_sched() on schedule switch (CVE-2026-53011) - container_of: remove container_of_safe() - container_of: add container_of_const() that preserves const-ness of the pointer - tcp: preserve const qualifier in tcp_sk() - tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans - tcp: annotate data-races around tp->bytes_sent - tcp: annotate data-races around tp->bytes_retrans - tcp: annotate data-races around tp->dsack_dups - tcp: annotate data-races around (tp->write_seq - tp->snd_nxt) - i40e: don't advertise IFF_SUPP_NOFCS - e1000e: Unroll PTP in probe error handling - ipv6: fix possible UAF in icmpv6_rcv() (CVE-2026-53006) - sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks (CVE-2026-53004) - pppoe: drop PFC frames (CVE-2026-53003) - openvswitch: cap upcall PID array size and pre-size vport replies (CVE-2026-45840) - netfilter: nft_osf: restrict it to ipv4 - netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO (CVE-2026-45841) - netfilter: conntrack: remove sprintf usage (CVE-2026-53002) - netfilter: xtables: restrict several matches to inet family (CVE-2026-53001) - ipvs: fix MTU check for GSO packets in tunnel mode - netfilter: nfnetlink_osf: fix out-of-bounds read on option matching (CVE-2026-52999) - netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check (CVE-2026-52998) - slip: reject VJ receive packets on instances with no rstate array (CVE-2026-45842) - slip: bound decode() reads against the compressed packet length (CVE-2026-45843) - [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number - ksmbd: destroy tree_conn_ida in ksmbd_session_destroy() - ksmbd: scope conn->binding slowpath to bound sessions only (CVE-2026-52911) - net/rds: zero per-item info buffer before handing it to visitors (CVE-2026-52995) - net_sched: sch_hhf: annotate data-races in hhf_dump_stats() - net/sched: sch_pie: annotate data-races in pie_dump_stats() - net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats() - net/sched: sch_red: annotate data-races in red_dump_stats() - net/sched: sch_sfb: annotate data-races in sfb_dump_stats() - nfp: fix swapped arguments in nfp_encode_basic_qdr() calls - tipc: fix double-free in tipc_buf_append() (CVE-2026-52993) - vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll() - fs/adfs: validate nzones in adfs_validate_bblk() (CVE-2026-52992) - fbdev: offb: fix PCI device reference leak on probe failure - mailbox: mailbox-test: free channels on probe error (CVE-2026-53296) - cgroup/rdma: fix integer overflow in rdmacg_try_charge() - mailbox: add sanity check for channel array (CVE-2026-53295) - mailbox: mailbox-test: don't free the reused channel (CVE-2026-53294) - btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent() - tracing: branch: Fix inverted check on stat tracer registration - nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers (CVE-2026-52989) - netfilter: arp_tables: fix IEEE1394 ARP payload parsing (CVE-2026-45844) - nvme-pci: fix missed admin queue sq doorbell write - drm/amdgpu: fix spelling typos - drm/amdgpu/uvd3.1: Don't validate the firmware when already validated - drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2) - netfilter: xt_policy: fix strict mode inbound policy matching (CVE-2026-52920) - netfilter: nf_conntrack_sip: don't use simple_strtoul (CVE-2026-52986) - [arm64,armhf] drivers/spi-rockchip.c : Remove redundant variable slave - [arm64,armhf] spi: rockchip: switch to use modern name - [arm64.armhf] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ - cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro() - netdevsim: zero initialize struct iphdr in dummy sk_buff (CVE-2026-52985) - net/sched: netem: fix probability gaps in 4-state loss model - net/sched: netem: fix queue limit check to include reordered packets (CVE-2026-52984) - net/sched: netem: validate slot configuration - net/sched: netem: fix slot delay calculation overflow - net/sched: sch_choke: annotate data-races in choke_dump_stats() - net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats() - vrf: Fix a potential NPD when removing a port from a VRF (CVE-2026-52925) - net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit() (CVE-2026-52982) - net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit - neighbour: add RCU protection to neigh_tables[] - neigh: let neigh_xmit take skb ownership (CVE-2026-52981) - ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams - net: mctp i2c: check length before marking flow active - netfilter: skip recording stale or retransmitted INIT - sctp: discard stale INIT after handshake completion - ipv4: rename and move ip_route_output_tunnel() - ipv4: remove "proto" argument from udp_tunnel_dst_lookup() - ipv4: add new arguments to udp_tunnel_dst_lookup() - ipv6: rename and move ip6_dst_lookup_tunnel() - bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() (CVE-2026-45846) - net/sched: sch_cake: annotate data-races in cake_dump_stats() (V) - net: netconsole: move newline trimming to function - netconsole: propagate device name truncation in dev_name_store() - ALSA: hda/conexant: fix some typos - ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87 - ALSA: hda/conexant: Fix missing error check for jack detection (CVE-2026-53291) - futex: Prevent lockup in requeue-PI during signal/ timeout wakeup (CVE-2026-52977) - drm/amd/display: Allow DCE link encoder without AUX registers - drm/amd/display: Read EDID from VBIOS embedded panel info - bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner - net: bonding: add broadcast_neighbor option for 802.3ad - bonding: add support for per-port LACP actor priority - bonding: print churn state via netlink - bonding: 3ad: implement proper RCU rules for port->aggregator (CVE-2026-52975) - iavf: stop removing VLAN filters from PF on interface down - iavf: wait for PF confirmation before removing VLAN filters - iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler - ice: Pull common tasks into ice_vf_post_vsi_rebuild - ice: fix NULL pointer dereference in ice_reset_all_vfs() (CVE-2026-53289) - net: tls: fix strparser anchor skb leak on offload RX setup failure (CVE-2026-52974) - net/sched: cls_flower: revert unintended changes - smb: client: correctly handle ErrorContextData as a flexible array - smb: client: fix OOB reads parsing symlink error response (CVE-2026-31613) - net/sched: sch_pie: annotate more data-races in pie_dump_stats() - [arm64] net: bcmgenet: Initialize u64 stats seq counter - [arm64] net: bcmgenet: fix leaking free_bds - btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() - ALSA: misc: Use guard() for spin locks - ALSA: core: Serialize deferred fasync state checks - [x86] ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close - [x86] ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data() - mtd: spi-nor: spansion: Enable JFFS2 write buffer for S25FS256T - netconsole: avoid out-of-bounds access on empty string in trim_newline() - bonding: fix NULL pointer dereference in actor_port_prio setting - net: bonding: update the slave array for broadcast mode - crypto: af_alg - Cap AEAD AD length to 0x80000000 (CVE-2026-52972) - i40e: Cleanup PTP pins on probe failure - netfilter: nf_conntrack_sip: get helper before allocating expectation - audit: fix incorrect inheritable capability in CAPSET records (CVE-2026-53287) - netfilter: nft_ct: fix missing expect put in obj eval (CVE-2026-52970) - net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled - audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV - KVM: Reject wrapped offset in kvm_reset_dirty_gfn() (CVE-2026-52969) - [s390x] KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic (CVE-2026-52968) - [x86] KVM: x86: Fix Xen hypercall tracepoint argument assignment - smb/client: fix possible infinite loop and oob read in symlink_data() (CVE-2026-52967) - [x86] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats - ALSA: usb-audio: Bound MIDI endpoint descriptor scans (CVE-2026-52963) - ceph: fix a buffer leak in __ceph_setxattr() (CVE-2026-52962) - libceph: Fix potential out-of-bounds access in osdmap_decode() (CVE-2026-52958) - libceph: Fix potential null-ptr-deref in decode_choose_args() (CVE-2026-52957) - libceph: Fix potential out-of-bounds access in crush_decode() (CVE-2026-52955) - libceph: handle rbtree insertion error in decode_choose_args() (CVE-2026-52954) - [x86] iommu/vt-d: Disable DMAR for Intel Q35 IGFX - [x86] drm/i915: skip __i915_request_skip() for already signaled requests - [arm64,armhf] drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout() - [x86] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup - [x86] drm/gma500/oaktrail_lvds: fix hang on init failure (CVE-2026-53279) - [x86] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init - io-wq: check that the predecessor is hashed in io_wq_remove_pending() - net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494) - io_uring: prevent opcode speculation (CVE-2025-21863) - [s390x] debug: Reject zero-length input before trimming a newline - wifi: mac80211: check tdls flag in ieee80211_tdls_oper (CVE-2026-43052) - [x86] Revert "x86/vdso: Fix output operand size of RDPID" - [s390x] Revert "s390/cio: Fix device lifecycle handling in css_alloc_subchannel()" (regression in 6.1.165) - sysfs: don't remove existing directory on update failure - ALSA: ua101: Reject too-short USB descriptors - ALSA: asihpi: Fix potential OOB array access at reading cache - net: wwan: iosm: fix potential memory leaks in ipc_imem_init() - Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() - Bluetooth: ISO: drop ISO_END frames received without prior ISO_START - Bluetooth: bnep: Fix UAF read of dev->name - Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths (CVE-2026-46275) - Bluetooth: MGMT: validate Add Extended Advertising Data length - phonet/pep: disable BH around forwarded sk_receive_skb() - [arm64] net: bcmgenet: keep RBUF EEE/PM disabled - net: ifb: report ethtool stats over num_tx_queues - netfilter: ip6t_hbh: reject oversized option lists (CVE-2026-52915) - netfilter: nf_queue: hold bridge skb->dev while queued (CVE-2026-52912) - netfilter: ipset: stop hash:* range iteration at end (CVE-2026-52921) - qed: fix double free in qed_cxt_tables_alloc() - ring-buffer: Fix reporting of missed events in iterator - vsock/vmci: fix UAF when peer resets connection during handshake - vsock/virtio: reset connection on receiving queue overflow - wifi: ath11k: clear shared SRNG pointer state on restart - ipv4: raw: reject IP_HDRINCL packets with ihl < 5 - ixgbevf: fix use-after-free in VEPA multicast source pruning - ice: fix setting promisc mode while adding VID filter - wifi: cfg80211: advance loop vars in cfg80211_merge_profile() - cifs: Fix busy dentry used after unmounting - tracing: Do not call map->ops->elt_free() if elt_alloc() fails - [arm64] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits - [x86] scsi: isci: Fix use-after-free in device removal path - [armhf] spi: ti-qspi: fix use-after-free after DMA setup failure - RDMA/siw: Reject MPA FPDU length underflow before signed receive math - device property: set fwnode->secondary to NULL in fwnode_init() - drm/virtio: use uninterruptible resv lock for plane updates - drm/amd/display: Fix integer overflow in bios_get_image() - drm/amd/display: Validate GPIO pin LUT table size before iterating - drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async - batman-adv: mcast: fix use-after-free in orig_node RCU release - batman-adv: clear current gateway during teardown (CVE-2026-52926) - batman-adv: dat: handle forward allocation error (CVE-2026-52922) - batman-adv: fix fragment reassembly length accounting (CVE-2026-52914) - batman-adv: fix tp_meter counter underflow during shutdown (CVE-2026-52919) - batman-adv: frag: disallow unicast fragment in fragment (CVE-2026-52916) - batman-adv: bla: fix report_work leak on backbone_gw purge - batman-adv: tp_meter: avoid use of uninit sender vars (CVE-2026-52931) - batman-adv: tt: fix negative last_changeset_len - batman-adv: tt: fix negative tt_buff_len - HID: uclogic: Fix regression of input name assignment - netfilter: x_tables: unregister the templates first - tcp: Fix imbalanced icsk_accept_queue count. - ice: fix locking in ice_dcb_rebuild() - [arm64,armhf] phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access - irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT - wifi: ath11k: fix error path leaks in some WMI WOW calls - HID: quirks: really enable the intended work around for appledisplay - net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint (CVE-2026-52941) - ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics - [arm64] drm/msm/dsi: don't dump registers past the mapped region - [arm64] drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN - [ppc64el] powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() - net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot - net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring - net: tls: prevent chain-after-chain in plain text SG - [arm64] drm/msm/snapshot: fix dumping of the unaligned regions - wifi: ath11k: Trigger sta disconnect on hardware restart - wifi: ath11k: update hw params for IPQ5018 - wifi: ath11k: update ce configurations for IPQ5018 - wifi: ath11k: remap ce register space for IPQ5018 - wifi: ath11k: update hal srng regs for IPQ5018 - wifi: ath11k: initialize hw_ops for IPQ5018 - wifi: ath11k: add new hw ops for IPQ5018 to get rx dest ring hashmap - wifi: ath11k: fix rssi station dump not updated in QCN9074 - wifi: ath11k: fix peer resolution on rx path when peer_id=0 - net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer - [x86] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL - [x86] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL - [x86] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL - RDMA/rtrs: Fix use-after-free in path file creation cleanup - net: bridge: Flush multicast groups when snooping is disabled - bridge: mcast: Fix a possible use-after-free when removing a bridge port - tracing: Avoid NULL return from hist_field_name() on truncation - string: add mem_is_zero() helper to check if memory area is all zeros - gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n) - gpio: cdev: check if uAPI v2 config attributes are correctly zeroed - net: mana: validate rx_req_idx to prevent out-of-bounds array access - security/keys: fix missed RCU read section on lookup https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.176 - Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size - net/sched: cls_fw: fix NULL dereference of "old" filters before change() (CVE-2026-53080) - net: mctp: ensure our nlmsg responses are initialised (CVE-2026-45930) - net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked - drm: Remove plane hsub/vsub alignment requirement for core helpers - [armhf] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet (CVE-2026-43219) - nfc: llcp: Fix use-after-free in llcp_sock_release() - nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() - xfrm: Check for underflow in xfrm_state_mtu - nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems - netfilter: synproxy: refresh tcphdr after skb_ensure_writable - netfilter: xt_cpu: prefer raw_smp_processor_id - netfilter: ebtables: fix OOB read in compat_mtw_from_user (CVE-2026-52927) - tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321) - tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322) - net: netlink: fix sending unassigned nsid after assigned one - net: netlink: don't set nsid on local notifications - net/smc: Do not re-initialize smc hashtables - [s390x] net/iucv: fix locking in .getsockopt - ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() - [x86] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors - net: hsr: fix potential OOB access in supervision frame handling - tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() - vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() - tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() - ASoC: codecs: simple-mux: Fix enum control bounds check - Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() - bonding: refuse to enslave CAN devices - ethtool: eeprom: add more safeties to EEPROM Netlink fallback - ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() - Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success - Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp - [arm*] gpio: rockchip: convert bank->clk to devm_clk_get_enabled() - net: mana: Add NULL guards in teardown path to prevent panic on attach failure - sctp: fix race between sctp_wait_for_connect and peeloff - ipv6: fix possible infinite loop in rt6_fill_node() - ipv6: fix possible infinite loop in fib6_select_path() - net: skbuff: fix pskb_carve leaking zcopy pages - batman-adv: v: stop OGMv2 on disabled interface (CVE-2026-52913) - batman-adv: tvlv: abort OGM send on tvlv append failure - batman-adv: tt: reject oversized local TVLV buffers - batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface - batman-adv: tvlv: reject oversized TVLV packets (CVE-2026-52934) - batman-adv: iv: recover OGM scheduling after forward packet error - batman-adv: tp_meter: directly shut down timer on cleanup - batman-adv: tt: fix TOCTOU race for reported vlans - batman-adv: tt: avoid empty VLAN responses - batman-adv: bla: avoid double decrement of bla.num_requests - mm/page_alloc: clear page->private in free_pages_prepare() (CVE-2026-43303) - bpf: Fix a few selftest failures due to llvm18 change - net/packet: convert po->tp_tx_has_off to an atomic flag - net/packet: convert po->tp_loss to an atomic flag - net/packet: convert po->has_vnet_hdr to an atomic flag - net/packet: convert po->running to an atomic flag - net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd() (CVE-2026-31700) - [x86] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register - drm/dp: Add eDP 1.5 bit definition - [x86] drm/i915/psr: Read Intel DPCD workaround register - [x86] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used - net: gro: don't merge zcopy skbs (CVE-2026-46323) - phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table - phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X - hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock - hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock - hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock - iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer - usb: typec: ucsi: ccg: reject firmware images without a ':' record header - usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO - usb: typec: altmodes/displayport: validate count before reading Status Update VDO - [x86] usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer() - usb: typec: ucsi: validate connector number in ucsi_connector_change() - USB: serial: safe_serial: fix memory corruption with small endpoint - HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse - Bluetooth: btusb: Allow firmware re-download when version matches - hpfs: fix a crash if hpfs_map_dnode_bitmap fails - ipc: limit next_id allocation to the valid ID range (CVE-2026-52923) - auxdisplay: line-display: fix OOB read on zero-length message_store() - Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() - Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn - Bluetooth: HIDP: fix missing length checks in hidp_input_report() - Bluetooth: ISO: fix UAF in iso_recv_frame - Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock - parport: Fix race between port and client registration (Closes: #1130365) - USB: cdc-acm: Fix bit overlap and move quirk definitions to header - wireguard: send: append trailer after expanding head - iio: dac: ad5686: fix input raw value check - iio: dac: ad5686: acquire lock when doing powerdown control - iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw - iio: gyro: itg3200: fix i2c read into the wrong stack location - iio: ssp_sensors: cancel delayed work_refresh on remove - iio: temperature: tsys01: fix broken PROM checksum validation - iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL - iio: light: cm3323: fix reg_conf not being initialized correctly - iio: buffer: hw-consumer: fix use-after-free in error path - USB: serial: omninet: fix memory corruption with small endpoint - usb: dwc2: Fix use after free in debug code - Input: elan_i2c - validate firmware size before use - bpf: sockmap: fix tail fragment offset in bpf_msg_push_data - macsec: fix replay protection at XPN lower-PN wrap - ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() - [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params - ipv6: exthdrs: refresh nh after handling HAO option - ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate(). - ipv6: validate extension header length before copying to cmsg - xfrm: input: hold netns during deferred transport reinjection - ip6: vti: Use ip6_tnl.net in vti6_changelink(). - HID: wacom: Fix OOB write in wacom_hid_set_device_mode() - iommu, debugobjects: avoid gcc-16.1 section mismatch warnings - nfc: hci: fix out-of-bounds read in HCP header parsing - xfrm: route MIGRATE notifications to caller's netns - xfrm: ah: use skb_to_full_sk in async output callbacks - netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check - [arm64] ASoC: qcom: q6asm-dai: close stream only when running - [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks - xfrm: esp: restore combined single-frag length gate - Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem - [x86] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 - [x86] comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() - [x86] comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest() - counter: Fix refcount leak in counter_alloc() error path - [i386] tty: serial: pch_uart: add check for dma_alloc_coherent() - [arm*] usb: chipidea: core: convert ci_role_switch to local variable - usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval - USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers - usb: storage: Add quirks for PNY Elite Portable SSD - usbip: vudc: Fix use after free bug in vudc_remove due to race condition - usb: usbtmc: check URB actual_length for interrupt-IN notifications - usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize - USB: serial: option: add MeiG SRM813Q - USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL - USB: serial: belkin_sa: validate interrupt status length - USB: serial: cypress_m8: validate interrupt packet headers - USB: serial: keyspan: fix missing indat transfer sanity check - USB: serial: mxuport: fix memory corruption with small endpoint - USB: serial: mct_u232: fix missing interrupt-in transfer sanity check - usb: gadget: net2280: Fix double free in probe error path - usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports - usb: gadget: f_fs: copy only received bytes on short ep0 read - thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() - thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow - scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker - scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 - scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf - scsi: target: iscsi: Validate CHAP_R length before base64 decode - drm/hyperv: validate resolution_count and fix WIN8 fallback - drm/hyperv: validate VMBus packet size in receive callback - [x86] drm/i915: Fix potential UAF in TTM object purge - drm/amd/pm/si: Disregard vblank time when no displays are connected - [arm64] serial: sh-sci: fix memory region release in error path - [arm64] serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma - drm/amdkfd: fix NULL pointer bug in svm_range_set_attr - drm/amdkfd: Check for pdd drm file first in CRIU restore path - HID: core: Add printk_ratelimited variants to hid_warn() etc - HID: pass the buffer size to hid_report_raw_event - HID: core: Fix size_t specifier in hid_report_raw_event() - RDMA/rxe: Complete the rxe_cleanup_task backport - USB: serial: digi_acceleport: fix memory corruption with small endpoints - [arm*] xhci: tegra: Fix ghost USB device on dual-role port unplug - netfilter: nf_tables: restore set elements when delete set fails (CVE-2024-27012) - USB: serial: cypress_m8: fix memory corruption with small endpoint - bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded (CVE-2026-23310) - usb: core: Fix SuperSpeed root hub wMaxPacketSize - bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910) - USB: serial: mct_u232: fix memory corruption with small endpoint - [amd64] dmaengine: idxd: Fix not releasing workqueue on .release() (CVE-2026-43064) - i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl (CVE-2026-52948) - ipv6: mcast: Fix use-after-free when processing MLD queries (CVE-2026-53275) - net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS (CVE-2026-53274) - tee: optee: prevent use-after-free when the client exits before the supplicant (CVE-2026-53273) - netfilter: xt_NFQUEUE: prefer raw_smp_processor_id - ipvs: clear the svc scheduler ptr early on edit (CVE-2026-53270) - netfilter: synproxy: add mutex to guard hook reference counting (CVE-2026-53269) - netfilter: conntrack_irc: fix possible out-of-bounds read (CVE-2026-53268) - netfilter: bridge: make ebt_snat ARP rewrite writable (CVE-2026-53266) - dm cache policy smq: check allocation under invalidate lock (CVE-2026-53265) - net/sched: act_api: use RCU with deferred freeing for action lifecycle (CVE-2026-53264) - 6lowpan: fix off-by-one in multicast context address compression (CVE-2026-53263) - pcnet32: stop holding device spin lock during napi_complete_done - net: Annotate sk->sk_write_space() for UDP SOCKMAP. - net: garp: fix unsigned integer underflow in garp_pdu_parse_attr - net: lan743x: permit VLAN-tagged packets up to configured MTU - [arm*] net: fec: fix pinctrl default state restore order on resume - Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() (CVE-2026-53256) - Bluetooth: MGMT: validate advertising TLV before type checks (CVE-2026-53255) - Bluetooth: RFCOMM: validate skb length in MCC handlers (CVE-2026-53254) - Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling - Bluetooth: bnep: reject short frames before parsing (CVE-2026-53253) - Bluetooth: fix memory leak in error path of hci_alloc_dev() (CVE-2026-53252) - Bluetooth: MGMT: Fix backward compatibility with userspace - ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options (CVE-2026-53249) - ptp: vclock: Switch from RCU to SRCU - vxlan: vnifilter: send notification on VNI add - vxlan: vnifilter: fix spurious notification on VNI update - ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() - net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr (CVE-2026-53245) - sctp: purge outqueue on stale COOKIE-ECHO handling (CVE-2026-52924) - ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp - signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() (CVE-2026-53352) - time: Fix off-by-one in settimeofday() usec validation - ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams (CVE-2026-53242) - fs/ntfs3: Return error for inconsistent extended attributes (CVE-2023-54125) - usb: gadget: f_ncm: Fix net_device lifecycle with device_move (CVE-2026-43421) - usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo - net: skbuff: fix missing zerocopy reference in pskb_carve helpers (CVE-2026-52943) - tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320) - [arm64] KVM: arm64: Remove VPIPT I-cache handling - [arm64] tlb: Allow XZR argument to TLBI ops - [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI - iomap: don't revert iov_iter on partially completed buffered writes - xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() (CVE-2026-53239) - netlabel: validate unlabeled address and mask attribute lengths (CVE-2026-53238) - ASoC: wm_adsp: Fix NULL dereference when removing firmware controls (CVE-2026-53350) - tcp: restrict SO_ATTACH_FILTER to priv users (CVE-2026-53236) - net/mlx4: avoid GCC 10 __bad_copy_from() false positive - net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove (CVE-2026-52947) - ipv6: sit: reload inner IPv6 header after GSO offloads (CVE-2026-53228) - net: openvswitch: fix possible kfree_skb of ERR_PTR (CVE-2026-53227) - r8152: reduce the control transfer of rtl8152_get_version() - r8152: Block future register access if register access fails - r8152: handle the return value of usb_reset_device() - sctp: fix uninit-value in __sctp_rcv_asconf_lookup() (CVE-2026-53225) - net: guard timestamp cmsgs to real error queue skbs (CVE-2026-53223) - net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion (CVE-2026-52939) - ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() (CVE-2026-53221) - rds: mark snapshot pages dirty in rds_info_getsockopt() - netfilter: nf_conntrack: destroy stale expectfn expectations on unregister (CVE-2026-53349) - netfilter: x_tables: avoid leaking percpu counter pointers (CVE-2026-53219) - netfilter: nf_log: validate MAC header was set before dumping it (CVE-2026-52942) - netfilter: nft_exthdr: fix register tracking for F_PRESENT flag (CVE-2026-53218) - [arm*] net: mvpp2: sync RX data at the hardware packet offset (CVE-2026-53217) - [arm*] net: mvpp2: limit XDP frame size to the RX buffer (CVE-2026-53216) - [arm*] net: mvpp2: Add metadata support for xdp mode - [arm*] net: mvpp2: refill RX buffers before XDP or skb use (CVE-2026-53215) - [arm*] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS - netfilter: ctnetlink: ensure safe access to master conntrack (CVE-2026-43116) - [arm*] drm/vc4: fix krealloc() memory leak (CVE-2026-53213) - netfilter: nft_tunnel: fix use-after-free on object destroy (CVE-2026-53212) - Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend (CVE-2026-53209) - Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig (CVE-2026-53208) - [x86] drm/i915/gem: Fix phys BO pread/pwrite with offset (CVE-2026-53356) - ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL (CVE-2026-53198) - xfrm: espintcp: do not reuse an in-progress partial send (CVE-2026-52935) - USB: serial: io_ti: fix heap overflow in get_manuf_info() (CVE-2026-53196) - USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() (CVE-2026-53195) - USB: serial: option: add usb-id for Dell Wireless DW5826e-m - USB: serial: kl5kusb105: fix bulk-out buffer overflow (CVE-2026-53194) - ALSA: timer: Fix UAF at snd_timer_user_params() - drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() - RDMA/srp: bound SRP_RSP sense copy by the received length (CVE-2026-53186) - udp: clear skb->dev before running a sockmap verdict (CVE-2026-53184) - [armhf] socfpga: Fix OF node refcount leak in SMP setup - [armel,armhf] 9474/1: io: avoid KASAN instrumentation of raw halfword I/O - [armel,armhf] 9475/1: entry: use byte load for KASAN VMAP stack shadow (CVE-2026-53343) - mptcp: fix retransmission loop when csum is enabled - mptcp: close TOCTOU race while computing rcv_wnd - mptcp: allow subflow rcv wnd to shrink (CVE-2026-53183) - mptcp: sockopt: check timestamping ret value - wifi: nl80211: reject oversized EMA RNR lists (CVE-2026-53182) - vsock/vmci: fix sk_ack_backlog leak on failed handshake (CVE-2026-53181) - bnxt_en: Fix NULL pointer dereference (CVE-2026-53177) - IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN (CVE-2026-53176) - pidfd: refuse access to tasks that have started exiting harder - fuse: reject fuse_notify() pagecache ops on directories (CVE-2026-53168) - [arm*] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() (CVE-2026-53339) - [armhf] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter - [arm*] i2c: tegra: Fix NOIRQ suspend/resume - [x86] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) - [x86] Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard - ipc/shm: serialize orphan cleanup with shm_nattch updates (CVE-2026-52930) - [arm*] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context (CVE-2026-53161) - [arm*] misc: fastrpc: fix use-after-free race in fastrpc_map_create (CVE-2026-53160) - [arm*] misc: fastrpc: fix DMA address corruption due to find_vma misuse (CVE-2026-53159) - net/mlx5: Reorder completion before putting command entry in cmd_work_handler - net: bonding: fix NULL pointer dereference in bond_do_ioctl() (CVE-2026-53337) - [armel,armhf] net: mv643xx: fix OF node refcount - net: rds: clear i_sends on setup unwind (CVE-2026-53355) - mmc: core: Fix host controller programming for fixed driver type - [arm64] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC - mmc: sdhci: add signal voltage switch in sdhci_resume_host - sctp: diag: reject stale associations in dump_one path (CVE-2026-52917) - sctp: stream: fully roll back denied add-stream state (CVE-2026-52929) - thunderbolt: Reject zero-length property entries in validator (CVE-2026-53150) - thunderbolt: Bound root directory content to block size (CVE-2026-53149) - thunderbolt: Clamp XDomain response data copy to allocation size (CVE-2026-53148) - thunderbolt: Validate XDomain request packet size before type cast (CVE-2026-53147) - thunderbolt: Limit XDomain response copy to actual frame size (CVE-2026-53146) - slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock (CVE-2026-53331) - drm/amdgpu: restart the CS if some parts of the VM are still invalidated - drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size (CVE-2026-53137) - drm/amd/display: Clamp VBIOS HDMI retimer register count to array size (CVE-2026-53136) - drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs (CVE-2026-53135) - drm/amd/display: Use krealloc_array() in dal_vector_reserve() (CVE-2026-53329) - fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling (CVE-2026-52946) - mm/hugetlb: avoid false positive lockdep assertion - mm/damon/ops-common: call folio_test_lru() after folio_get() - mm/huge_memory: update file PMD counter before folio_put() (CVE-2026-53189) - f2fs: use kfree() instead of kvfree() to free some memory - f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally - f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() (CVE-2026-31715) - ksmbd: require minimum ACE size in smb_check_perm_dacl() (CVE-2026-31712) - smb: client: validate the whole DACL before rewriting it in cifsacl (CVE-2026-31709) - [arm64] mm: Enable batched TLB flush in unmap_hotplug_range() - lib: test_hmm: evict device pages on file close to avoid use-after-free (CVE-2026-46280) - wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() (CVE-2026-46069) - [arm*] spi: imx: Convert to platform remove callback returning void - [arm*] spi: imx: fix use-after-free on unbind (CVE-2026-45996) - thermal: core: Fix thermal zone governor cleanup issues (CVE-2026-46021) - media: rc: ttusbir: respect DMA coherency rules - media: rc: igorplugusb: heed coherency rules - sched: Use u64 for bandwidth ratio calculations - net: qrtr: ns: Limit the maximum number of lookups (CVE-2026-46026) - net: qrtr: ns: Change servers radix tree to xarray - net: qrtr: ns: Free the node during ctrl_cmd_bye() (CVE-2026-46038) - net: qrtr: ns: Limit the total number of nodes (CVE-2026-46003) - net: bridge: use a stable FDB dst snapshot in RCU readers (CVE-2026-46086) - spi: fix resource leaks on device setup failure (CVE-2026-46083) - fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info (CVE-2026-46065) - xfs: fix a resource leak in xfs_alloc_buftarg() (CVE-2026-46005) - udf: fix partition descriptor append bookkeeping (CVE-2026-45991) - hfsplus: fix uninit-value by validating catalog record size (CVE-2026-46169) - hfsplus: fix held lock freed on hfsplus_fill_super() (CVE-2026-46299) - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() (CVE-2026-45999) - ceph: only d_add() negative dentries when they are unhashed (CVE-2026-46052) - printk: add print_hex_dump_devel() - [arm*] crypto: caam - guard HMAC key hex dumps in hash_digest_key (CVE-2026-46291) - net: stmmac: avoid shadowing global buf_sz - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() - net: stmmac: Prevent NULL deref when RX memory exhausted (CVE-2026-46110) - tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() (CVE-2026-46196) - wifi: mac80211: remove station if connection prep fails (CVE-2026-46125) - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task (CVE-2026-46180) - [arm*] usb: dwc3: Move GUID programming after PHY initialization - net: ipv4: stop checking crypto_ahash_alignmask - net: ipv6: stop checking crypto_ahash_alignmask - xfrm: ah: account for ESN high bits in async callbacks (CVE-2026-46193) - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete (CVE-2026-46116) - [armhf] spi: sun4i: Convert to platform remove callback returning void - [armfh] spi: sun4i: switch to use modern name - [armhf] spi: sun4i: fix controller deregistration - spi: Convert to SPI_CONTROLLER_HALF_DUPLEX - [armhf] spi: spi-ti-qspi: Convert to platform remove callback returning void - [armhf] spi: spi-ti-qspi: switch to use modern name - [armhf] spi: ti-qspi: fix controller deregistration - [arm*] spi: sun6i: fix controller deregistration - [arm*] spi: s3c64xx: Use devm_clk_get_enabled() - [arm*] spi: s3c64xx: fix NULL-deref on driver unbind (CVE-2026-46296) - mtd: spi-nor: core: fix implicit declaration warning - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() (CVE-2026-46190) - [arm*] spi: tegra114: fix controller deregistration - [arm*] spi: tegra20-sflash: fix controller deregistration - mm/hugetlb_cma: round up per_node before logging it - net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler (CVE-2026-43495) - fbcon: Avoid OOB font access if console rotation fails (CVE-2026-46191) - [i386] spi: topcliff-pch: Convert to platform remove callback returning void - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak (CVE-2026-46159) - tracing/probes: Limit size of event probe to 3K - btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type() - btrfs: fix double free in create_space_info_sub_group() error path (CVE-2026-46164) - pmdomain: core: Fix detach procedure for virtual devices in genpd (CVE-2026-46292) - smb: client: validate dacloffset before building DACL pointers (CVE-2026-46195) - smb: client: Use FullSessionKey for AES-256 encryption key derivation - btrfs: fix missing last_unlink_trans update when removing a directory (CVE-2026-46160) - mptcp: fastclose msk when linger time is 0 - mptcp: pm: prio: skip closed subflows - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 - mptcp: pm: ADD_ADDR rtx: allow ID 0 - mptcp: pm: ADD_ADDR rtx: fix potential data-race (CVE-2026-46137) - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker - f2fs: fix incorrect file address mapping when inline inode is unwritten - f2fs: fix false alarm of lockdep on cp_global_sem lock - cgroup/cpuset: Reset DL migration state on can_attach() failure - genetlink: Use internal flags for multicast groups - smb: client: require net admin for CIFS SWN netlink - Bluetooth: hci_qca: Convert timeout from jiffies to ms - mm/memory: fix spurious warning when unmapping device-private/exclusive pages - Bluetooth: Init sk_peer_* on bt_sock_alloc - Bluetooth: serialize accept_q access (CVE-2026-52918) - net: hsr: defer node table free until after RCU readers - ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() - ice: fix VF queue configuration with low MTU values - mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient - [arm64] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index - mptcp: reset rcv wnd on disconnect - mptcp: do not drop partial packets - [x86] platform/x86/intel/vsec: Add private data for per-device data - [x86] platform/x86/intel/vsec: Create wrapper to walk PCI config space - [x86] platform/x86/intel/vsec: Make driver_data info const - [x86] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery - [arm64] spi: qup: switch to use modern name - [arm64] spi: qup: fix error pointer deref after DMA setup failure - [arm64] tlb: Flush walk cache when unsharing PMD tables - phy: tegra: xusb: Disable trk clk when not in use - phy: tegra: xusb: Fix per-pad high-speed termination calibration - iio: gyro: adis16260: fix division by zero in write_raw - iio: dac: ad5686: fix ref bit initialization for single-channel parts - ALSA: firewire-motu: Protect register DSP event queue positions - [armhf] serial: samsung_tty: Use port lock wrappers - [armhf] tty: serial: samsung: use u32 for register interactions - [armhf] tty: serial: samsung: Remove redundant port lock acquisition in rx helpers - [arm64] usb: dwc3: xilinx: fix error handling in zynqmp init error paths - [armhf] usb: musb: omap2430: Fix use-after-free in omap2430_probe() - usb: gadget: f_hid: tidy error handling in hidg_alloc - usb: gadget: f_hid: fix device reference leak in hidg_alloc() - usb: typec: ucsi: Check if power role change actually happened before handling - thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() - [arm64] tty: serial: qcom-geni-serial: remove unused symbols - [arm64] tty: serial: qcom-geni-serial: align #define values - [arm64] serial: qcom-geni: fix UART_RX_PAR_EN bit position - scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() - usb: typec: ucsi: Don't update power_supply on power role change if not connected - netfilter: nft_fib: fix stale stack leak via the OIFNAME register (CVE-2026-53134) - hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf (CVE-2026-53199) - mm/hugetlb: rename isolate_hugetlb() to folio_isolate_hugetlb() - mm/migrate: don't call folio_putback_active_hugetlb() on dst hugetlb folio - mm/hugetlb: rename folio_putback_active_hugetlb() to folio_putback_hugetlb() - mm/memory-failure: fix missing ->mf_stats count in hugetlb poison - mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison (CVE-2026-53207) - RDMA: Move DMA block iterator logic into dedicated files - RDMA/umem: Fix truncation for block sizes >= 4G (CVE-2026-53133) - ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850) - blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init (CVE-2023-54271) - batman-adv: stop tp_meter sessions during mesh teardown (CVE-2026-46208) - batman-adv: tp_meter: fix tp_num leak on kmalloc failure - [x86] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6 - perf build: Conditionally define NDEBUG - perf parse-events: Make YYDEBUG dependent on doing a debug build - perf build: Disable fewer bison warnings - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace - ipmi:ssif: Fix a shutdown race - ipmi:ssif: Clean up kthread on errors (CVE-2026-46044) - usb: typec: tcpm: reset internal port states on soft reset AMS - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() (CVE-2026-43492) - ipmi:ssif: Remove unnecessary indention - ipmi:ssif: NULL thread on error - [arm*] drm/v3d: Reject empty multisync extension to prevent infinite loop (CVE-2026-46314) - [arm64] Mitigate TLBI errata on various CPU cores (CVE-2025-10263): + cputype: Add NVIDIA Olympus definitions + cputype: Add C1-Ultra definitions + cputype: Add C1-Premium definitions + errata: Mitigate TLBI errata on various Arm CPUs (CVE-2026-53354) + errata: Mitigate TLBI errata on NVIDIA Olympus CPU + errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU - [armhf] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter (regression in 6.1.165) - [x86] CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function (regression in 6.1.173) - r8152: Hold the rtnl_lock for all of reset - media: rc: ttusbir: fix inverted error logic - batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown - media: rc: igorplugusb: fix control request setup packet (CVE-2026-46091) - ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops - batman-adv: tp_meter: fix race condition in send error reporting - batman-adv: tp_meter: avoid role confusion in tp_list - netfilter: require Ethernet MAC header before using eth_hdr() (CVE-2026-53131) . [ Ben Hutchings ] * Refresh "rxrpc: Fix conn-level packet handling to unshare RESPONSE packets" * [rt] Add new signing key for Clark Williams * [rt] Update to 6.1.176-rt64: - ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT - [x86] kvm/vmx: guard regparm(0) on vmread_error_trampoline for x86_32 only * [x86] Revert "x86/CPU: Only try to mitigate FPDSS on Zen1" as redundant * Revert "net: ipv4: stop checking crypto_ahash_alignmask" * Revert "net: ipv6: stop checking crypto_ahash_alignmask" * Revert "Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()" * cgroup/cpuset: Fix misplaced call to reset_migrate_dl_data() * media: uvcvideo: Create an ID namespace for streaming output terminals * [ppc64el] cpuidle: Set CPUIDLE_FLAG_POLLING for snooze state * Revert "media: rc: streamzap: Error handling in probe" * Revert "epoll: use refcount to reduce ep_mutex contention" (CVE-2025-38349, CVE-2026-46242) . [ Salvatore Bonaccorso ] * ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909) * net/sched: act_pedit: check static offsets a priori * net/sched: act_pedit: rate limit datapath messages * net/sched: fix pedit partial COW leading to page cache corruption (CVE-2026-46331) * net/sched: act_pedit: free pedit keys on bail from offset check Checksums-Sha1: 81251b1b496b7c1583175aa4517aa990051b46c5 13434 linux-signed-i386_6.1.176+1.dsc d412e941aaf1dc2da0eadbbe8f509d6861aba03b 850024 linux-signed-i386_6.1.176+1.tar.xz Checksums-Sha256: 5e12094beb65608c26530632856b5fb49294f1e096a8354c93895525e312a140 13434 linux-signed-i386_6.1.176+1.dsc 35a23b5a318189b90d749059477bf458013f98c88d3a4ea68d9439a9de1b189c 850024 linux-signed-i386_6.1.176+1.tar.xz Files: 353d166bf778569a0a544de72f9ba177 13434 kernel optional linux-signed-i386_6.1.176+1.dsc 7d09587943e540ad0b30478bf50fb0c4 850024 kernel optional linux-signed-i386_6.1.176+1.tar.xz -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQSInBJdRTWyTRy0ztFCTVFtUgONCgUCakfEXgAKCRBCTVFtUgON CqFoAP4hJOazsRS0CN+xkdHxD/IHRfHLXv4btP2PB80rs2sDfAEAr2SFZaAIjUHz +YJOCME1OC04jcggd2adHrJ8XKUeFgc= =IlCM -----END PGP SIGNATURE-----