{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-6.17.0-12-generic", "linux-image-6.17.0-12-generic", "linux-modules-6.17.0-12-generic", "linux-riscv-headers-6.17.0-12", "linux-riscv-tools-6.17.0-12", "linux-tools-6.17.0-12-generic" ], "removed": [ "linux-headers-6.17.0-8-generic", "linux-image-6.17.0-8-generic", "linux-modules-6.17.0-8-generic", "linux-riscv-headers-6.17.0-8", "linux-riscv-tools-6.17.0-8", "linux-tools-6.17.0-8-generic" ], "diff": [ "gir1.2-glib-2.0:riscv64", "inetutils-telnet", "libc-bin", "libc-dev-bin", "libc6:riscv64", "libc6-dev:riscv64", "libglib2.0-0t64:riscv64", "libglib2.0-bin", "libglib2.0-data", "libldap-common", "libldap2:riscv64", "libnss-systemd:riscv64", "libpam-systemd:riscv64", "libpython3.13:riscv64", "libpython3.13-minimal:riscv64", "libpython3.13-stdlib:riscv64", "libsystemd-shared:riscv64", "libsystemd0:riscv64", "libudev1:riscv64", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "locales", "python3.13", "python3.13-gdbm", "python3.13-minimal", "systemd", "systemd-cryptsetup", "systemd-resolved", "systemd-sysv", "telnet", "udev" ] } }, "diff": { "deb": [ { "name": "gir1.2-glib-2.0:riscv64", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.86.0-2ubuntu0.2", "version": "2.86.0-2ubuntu0.2" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.86.0-2ubuntu0.3", "version": "2.86.0-2ubuntu0.3" }, "cves": [ { "cve": "CVE-2026-1484", "url": "https://ubuntu.com/security/CVE-2026-1484", "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1485", "url": "https://ubuntu.com/security/CVE-2026-1485", "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1489", "url": "https://ubuntu.com/security/CVE-2026-1489", "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.", "cve_priority": "medium", "cve_public_date": "2026-01-27 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-1484", "url": "https://ubuntu.com/security/CVE-2026-1484", "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1485", "url": "https://ubuntu.com/security/CVE-2026-1485", "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1489", "url": "https://ubuntu.com/security/CVE-2026-1489", "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.", "cve_priority": "medium", "cve_public_date": "2026-01-27 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: integer overflow in Base64 encoding", " - debian/patches/CVE-2026-1484-1.patch: use gsize to prevent potential", " overflow in glib/gbase64.c.", " - debian/patches/CVE-2026-1484-2.patch: ensure that the out value is", " within allocated size in glib/gbase64.c.", " - CVE-2026-1484", " * SECURITY UPDATE: buffer underflow via header length", " - debian/patches/CVE-2026-1485.patch: do not overflow if header is", " longer than MAXINT in gio/gcontenttype-fdo.c.", " - CVE-2026-1485", " * SECURITY UPDATE: integer overflow via Unicode case conversion", " - debian/patches/CVE-2026-1489-1.patch: use size_t for output_marks", " length in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-2.patch: do not convert size_t to gint", " in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-3.patch: ensure we do not overflow size", " in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-4.patch: add test debug information when", " parsing input files in glib/tests/unicode.c.", " - CVE-2026-1489", "" ], "package": "glib2.0", "version": "2.86.0-2ubuntu0.3", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 28 Jan 2026 12:38:28 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "inetutils-telnet", "from_version": { "source_package_name": "inetutils", "source_package_version": "2:2.6-1ubuntu3", "version": "2:2.6-1ubuntu3" }, "to_version": { "source_package_name": "inetutils", "source_package_version": "2:2.6-1ubuntu3.1", "version": "2:2.6-1ubuntu3.1" }, "cves": [ { "cve": "CVE-2026-24061", "url": "https://ubuntu.com/security/CVE-2026-24061", "cve_description": "telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a \"-f root\" value for the USER environment variable.", "cve_priority": "high", "cve_public_date": "2026-01-21 07:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24061", "url": "https://ubuntu.com/security/CVE-2026-24061", "cve_description": "telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a \"-f root\" value for the USER environment variable.", "cve_priority": "high", "cve_public_date": "2026-01-21 07:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: telnetd remote authentication bypass", " - debian/patches/CVE-2026-24061-1.patch: fix injection bug with bogus", " user names in telnetd/utility.c.", " - debian/patches/CVE-2026-24061-2.patch: sanitize all variable", " expansions in telnetd/utility.c.", " - debian/patches/CVE-2026-24061-3.patch: fix compiler warning in", " telnetd/utility.c.", " - CVE-2026-24061", "" ], "package": "inetutils", "version": "2:2.6-1ubuntu3.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 30 Jan 2026 11:13:12 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libc-bin", "from_version": { "source_package_name": "glibc", "source_package_version": "2.42-0ubuntu3", "version": "2.42-0ubuntu3" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.42-0ubuntu3.1", "version": "2.42-0ubuntu3.1" }, "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use-after-free in wordexp_t fields", " - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields", " with WRDE_REUSE", " - CVE-2025-15281", " * SECURITY UPDATE: integer overflow in memalign", " - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment", " overflow check", " - CVE-2026-0861", " * SECURITY UPDATE: memory leak in NSS DNS", " - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for", " getnetbyaddr", " - CVE-2026-0915", "" ], "package": "glibc", "version": "2.42-0ubuntu3.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Fri, 30 Jan 2026 13:59:18 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libc-dev-bin", "from_version": { "source_package_name": "glibc", "source_package_version": "2.42-0ubuntu3", "version": "2.42-0ubuntu3" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.42-0ubuntu3.1", "version": "2.42-0ubuntu3.1" }, "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use-after-free in wordexp_t fields", " - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields", " with WRDE_REUSE", " - CVE-2025-15281", " * SECURITY UPDATE: integer overflow in memalign", " - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment", " overflow check", " - CVE-2026-0861", " * SECURITY UPDATE: memory leak in NSS DNS", " - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for", " getnetbyaddr", " - CVE-2026-0915", "" ], "package": "glibc", "version": "2.42-0ubuntu3.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Fri, 30 Jan 2026 13:59:18 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libc6:riscv64", "from_version": { "source_package_name": "glibc", "source_package_version": "2.42-0ubuntu3", "version": "2.42-0ubuntu3" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.42-0ubuntu3.1", "version": "2.42-0ubuntu3.1" }, "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use-after-free in wordexp_t fields", " - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields", " with WRDE_REUSE", " - CVE-2025-15281", " * SECURITY UPDATE: integer overflow in memalign", " - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment", " overflow check", " - CVE-2026-0861", " * SECURITY UPDATE: memory leak in NSS DNS", " - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for", " getnetbyaddr", " - CVE-2026-0915", "" ], "package": "glibc", "version": "2.42-0ubuntu3.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Fri, 30 Jan 2026 13:59:18 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libc6-dev:riscv64", "from_version": { "source_package_name": "glibc", "source_package_version": "2.42-0ubuntu3", "version": "2.42-0ubuntu3" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.42-0ubuntu3.1", "version": "2.42-0ubuntu3.1" }, "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use-after-free in wordexp_t fields", " - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields", " with WRDE_REUSE", " - CVE-2025-15281", " * SECURITY UPDATE: integer overflow in memalign", " - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment", " overflow check", " - CVE-2026-0861", " * SECURITY UPDATE: memory leak in NSS DNS", " - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for", " getnetbyaddr", " - CVE-2026-0915", "" ], "package": "glibc", "version": "2.42-0ubuntu3.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Fri, 30 Jan 2026 13:59:18 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-0t64:riscv64", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.86.0-2ubuntu0.2", "version": "2.86.0-2ubuntu0.2" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.86.0-2ubuntu0.3", "version": "2.86.0-2ubuntu0.3" }, "cves": [ { "cve": "CVE-2026-1484", "url": "https://ubuntu.com/security/CVE-2026-1484", "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1485", "url": "https://ubuntu.com/security/CVE-2026-1485", "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1489", "url": "https://ubuntu.com/security/CVE-2026-1489", "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.", "cve_priority": "medium", "cve_public_date": "2026-01-27 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-1484", "url": "https://ubuntu.com/security/CVE-2026-1484", "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1485", "url": "https://ubuntu.com/security/CVE-2026-1485", "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1489", "url": "https://ubuntu.com/security/CVE-2026-1489", "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.", "cve_priority": "medium", "cve_public_date": "2026-01-27 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: integer overflow in Base64 encoding", " - debian/patches/CVE-2026-1484-1.patch: use gsize to prevent potential", " overflow in glib/gbase64.c.", " - debian/patches/CVE-2026-1484-2.patch: ensure that the out value is", " within allocated size in glib/gbase64.c.", " - CVE-2026-1484", " * SECURITY UPDATE: buffer underflow via header length", " - debian/patches/CVE-2026-1485.patch: do not overflow if header is", " longer than MAXINT in gio/gcontenttype-fdo.c.", " - CVE-2026-1485", " * SECURITY UPDATE: integer overflow via Unicode case conversion", " - debian/patches/CVE-2026-1489-1.patch: use size_t for output_marks", " length in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-2.patch: do not convert size_t to gint", " in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-3.patch: ensure we do not overflow size", " in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-4.patch: add test debug information when", " parsing input files in glib/tests/unicode.c.", " - CVE-2026-1489", "" ], "package": "glib2.0", "version": "2.86.0-2ubuntu0.3", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 28 Jan 2026 12:38:28 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-bin", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.86.0-2ubuntu0.2", "version": "2.86.0-2ubuntu0.2" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.86.0-2ubuntu0.3", "version": "2.86.0-2ubuntu0.3" }, "cves": [ { "cve": "CVE-2026-1484", "url": "https://ubuntu.com/security/CVE-2026-1484", "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1485", "url": "https://ubuntu.com/security/CVE-2026-1485", "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1489", "url": "https://ubuntu.com/security/CVE-2026-1489", "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.", "cve_priority": "medium", "cve_public_date": "2026-01-27 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-1484", "url": "https://ubuntu.com/security/CVE-2026-1484", "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1485", "url": "https://ubuntu.com/security/CVE-2026-1485", "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1489", "url": "https://ubuntu.com/security/CVE-2026-1489", "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.", "cve_priority": "medium", "cve_public_date": "2026-01-27 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: integer overflow in Base64 encoding", " - debian/patches/CVE-2026-1484-1.patch: use gsize to prevent potential", " overflow in glib/gbase64.c.", " - debian/patches/CVE-2026-1484-2.patch: ensure that the out value is", " within allocated size in glib/gbase64.c.", " - CVE-2026-1484", " * SECURITY UPDATE: buffer underflow via header length", " - debian/patches/CVE-2026-1485.patch: do not overflow if header is", " longer than MAXINT in gio/gcontenttype-fdo.c.", " - CVE-2026-1485", " * SECURITY UPDATE: integer overflow via Unicode case conversion", " - debian/patches/CVE-2026-1489-1.patch: use size_t for output_marks", " length in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-2.patch: do not convert size_t to gint", " in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-3.patch: ensure we do not overflow size", " in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-4.patch: add test debug information when", " parsing input files in glib/tests/unicode.c.", " - CVE-2026-1489", "" ], "package": "glib2.0", "version": "2.86.0-2ubuntu0.3", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 28 Jan 2026 12:38:28 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-data", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.86.0-2ubuntu0.2", "version": "2.86.0-2ubuntu0.2" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.86.0-2ubuntu0.3", "version": "2.86.0-2ubuntu0.3" }, "cves": [ { "cve": "CVE-2026-1484", "url": "https://ubuntu.com/security/CVE-2026-1484", "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1485", "url": "https://ubuntu.com/security/CVE-2026-1485", "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1489", "url": "https://ubuntu.com/security/CVE-2026-1489", "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.", "cve_priority": "medium", "cve_public_date": "2026-01-27 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-1484", "url": "https://ubuntu.com/security/CVE-2026-1484", "cve_description": "A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1485", "url": "https://ubuntu.com/security/CVE-2026-1485", "cve_description": "A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.", "cve_priority": "medium", "cve_public_date": "2026-01-27 14:15:00 UTC" }, { "cve": "CVE-2026-1489", "url": "https://ubuntu.com/security/CVE-2026-1489", "cve_description": "A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.", "cve_priority": "medium", "cve_public_date": "2026-01-27 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: integer overflow in Base64 encoding", " - debian/patches/CVE-2026-1484-1.patch: use gsize to prevent potential", " overflow in glib/gbase64.c.", " - debian/patches/CVE-2026-1484-2.patch: ensure that the out value is", " within allocated size in glib/gbase64.c.", " - CVE-2026-1484", " * SECURITY UPDATE: buffer underflow via header length", " - debian/patches/CVE-2026-1485.patch: do not overflow if header is", " longer than MAXINT in gio/gcontenttype-fdo.c.", " - CVE-2026-1485", " * SECURITY UPDATE: integer overflow via Unicode case conversion", " - debian/patches/CVE-2026-1489-1.patch: use size_t for output_marks", " length in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-2.patch: do not convert size_t to gint", " in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-3.patch: ensure we do not overflow size", " in glib/guniprop.c.", " - debian/patches/CVE-2026-1489-4.patch: add test debug information when", " parsing input files in glib/tests/unicode.c.", " - CVE-2026-1489", "" ], "package": "glib2.0", "version": "2.86.0-2ubuntu0.3", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 28 Jan 2026 12:38:28 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libldap-common", "from_version": { "source_package_name": "openldap", "source_package_version": "2.6.10+dfsg-1ubuntu2", "version": "2.6.10+dfsg-1ubuntu2" }, "to_version": { "source_package_name": "openldap", "source_package_version": "2.6.10+dfsg-1ubuntu2.1", "version": "2.6.10+dfsg-1ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2119884, 2125685, 2121816 ], "changes": [ { "cves": [], "log": [ "", " * Fix slapd apparmor profile (LP: #2119884)", " - d/rules: fix dh_apparmor being skipped in -indep for -arch slapd package", " - d/rules: remove override_dh_auto_build target re-added with \"Enable AppArmor", " support\" by mistake, removed in 2.6.9+dfsg-1", " - d/apparmor-profile: add systemd-notify support", " - d/t/slapd: test if running in apparmor enforce mode", " * pbkdf2 iteration configuration support (LP: #2125685)", " - d/p/lp2125685-pbkdf2-configurable-rounds: make iterations configurable", " - d/p/lp2125685-pbkdf2-fix-iteration-arg: fix iteration argument index", " - d/t/pbkdf2-contrib: test if pbkdf2 hashing rounds are adjustable", " * d/t/ppm-contrib: test ppm password quality module (LP: #2121816)", "" ], "package": "openldap", "version": "2.6.10+dfsg-1ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2119884, 2125685, 2121816 ], "author": "Jonas Jelten ", "date": "Thu, 25 Sep 2025 15:45:49 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libldap2:riscv64", "from_version": { "source_package_name": "openldap", "source_package_version": "2.6.10+dfsg-1ubuntu2", "version": "2.6.10+dfsg-1ubuntu2" }, "to_version": { "source_package_name": "openldap", "source_package_version": "2.6.10+dfsg-1ubuntu2.1", "version": "2.6.10+dfsg-1ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2119884, 2125685, 2121816 ], "changes": [ { "cves": [], "log": [ "", " * Fix slapd apparmor profile (LP: #2119884)", " - d/rules: fix dh_apparmor being skipped in -indep for -arch slapd package", " - d/rules: remove override_dh_auto_build target re-added with \"Enable AppArmor", " support\" by mistake, removed in 2.6.9+dfsg-1", " - d/apparmor-profile: add systemd-notify support", " - d/t/slapd: test if running in apparmor enforce mode", " * pbkdf2 iteration configuration support (LP: #2125685)", " - d/p/lp2125685-pbkdf2-configurable-rounds: make iterations configurable", " - d/p/lp2125685-pbkdf2-fix-iteration-arg: fix iteration argument index", " - d/t/pbkdf2-contrib: test if pbkdf2 hashing rounds are adjustable", " * d/t/ppm-contrib: test ppm password quality module (LP: #2121816)", "" ], "package": "openldap", "version": "2.6.10+dfsg-1ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2119884, 2125685, 2121816 ], "author": "Jonas Jelten ", "date": "Thu, 25 Sep 2025 15:45:49 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnss-systemd:riscv64", "from_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2", "version": "257.9-0ubuntu2" }, "to_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2.1", "version": "257.9-0ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2134334 ], "changes": [ { "cves": [], "log": [ "", " * net_id: depending on new udev prop, include/exclude PCI domain from netif names", " (LP: #2134334)", "" ], "package": "systemd", "version": "257.9-0ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2134334 ], "author": "Robert Malz ", "date": "Mon, 08 Dec 2025 09:30:21 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam-systemd:riscv64", "from_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2", "version": "257.9-0ubuntu2" }, "to_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2.1", "version": "257.9-0ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2134334 ], "changes": [ { "cves": [], "log": [ "", " * net_id: depending on new udev prop, include/exclude PCI domain from netif names", " (LP: #2134334)", "" ], "package": "systemd", "version": "257.9-0ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2134334 ], "author": "Robert Malz ", "date": "Mon, 08 Dec 2025 09:30:21 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.13:riscv64", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.2", "version": "3.13.7-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.3", "version": "3.13.7-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Header injection in email messages where addresses are not", " sanitized.", " - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash", " in Lib/email/_header_value_parser.py. Add test in", " Lib/test/test_email/test__header_value_parser.py.", " - CVE-2025-11468", " * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML", " documents.", " - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace", " with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument", " to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.", " - CVE-2025-12084", " * SECURITY UPDATE: OOM and denial of service when opening malicious plist", " file.", " - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read", " with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.", " - CVE-2025-13837", " * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.", " - debian/patches/CVE-2025-15282.patch: Add control character checks in", " Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " imaplib.", " - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in", " Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " poplib.", " - debian/patches/CVE-2025-15367.patch: Add control character regex check", " in Lib/poplib.py. Add test in Lib/test/test_poplib.py.", " - CVE-2025-15367", " * SECURITY UPDATE: HTTP header injection in user controlled cookie values.", " - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and", " checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.", " - CVE-2026-0672", " * SECURITY UPDATE: HTTP header injection in user controlled headers and", " values with newlines.", " - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in", " Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and", " Lib/test/test_wsgiref.py.", " - CVE-2026-0865", "" ], "package": "python3.13", "version": "3.13.7-1ubuntu0.3", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 22 Jan 2026 16:45:57 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.13-minimal:riscv64", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.2", "version": "3.13.7-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.3", "version": "3.13.7-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Header injection in email messages where addresses are not", " sanitized.", " - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash", " in Lib/email/_header_value_parser.py. Add test in", " Lib/test/test_email/test__header_value_parser.py.", " - CVE-2025-11468", " * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML", " documents.", " - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace", " with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument", " to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.", " - CVE-2025-12084", " * SECURITY UPDATE: OOM and denial of service when opening malicious plist", " file.", " - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read", " with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.", " - CVE-2025-13837", " * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.", " - debian/patches/CVE-2025-15282.patch: Add control character checks in", " Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " imaplib.", " - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in", " Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " poplib.", " - debian/patches/CVE-2025-15367.patch: Add control character regex check", " in Lib/poplib.py. Add test in Lib/test/test_poplib.py.", " - CVE-2025-15367", " * SECURITY UPDATE: HTTP header injection in user controlled cookie values.", " - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and", " checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.", " - CVE-2026-0672", " * SECURITY UPDATE: HTTP header injection in user controlled headers and", " values with newlines.", " - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in", " Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and", " Lib/test/test_wsgiref.py.", " - CVE-2026-0865", "" ], "package": "python3.13", "version": "3.13.7-1ubuntu0.3", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 22 Jan 2026 16:45:57 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.13-stdlib:riscv64", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.2", "version": "3.13.7-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.3", "version": "3.13.7-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Header injection in email messages where addresses are not", " sanitized.", " - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash", " in Lib/email/_header_value_parser.py. Add test in", " Lib/test/test_email/test__header_value_parser.py.", " - CVE-2025-11468", " * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML", " documents.", " - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace", " with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument", " to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.", " - CVE-2025-12084", " * SECURITY UPDATE: OOM and denial of service when opening malicious plist", " file.", " - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read", " with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.", " - CVE-2025-13837", " * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.", " - debian/patches/CVE-2025-15282.patch: Add control character checks in", " Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " imaplib.", " - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in", " Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " poplib.", " - debian/patches/CVE-2025-15367.patch: Add control character regex check", " in Lib/poplib.py. Add test in Lib/test/test_poplib.py.", " - CVE-2025-15367", " * SECURITY UPDATE: HTTP header injection in user controlled cookie values.", " - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and", " checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.", " - CVE-2026-0672", " * SECURITY UPDATE: HTTP header injection in user controlled headers and", " values with newlines.", " - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in", " Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and", " Lib/test/test_wsgiref.py.", " - CVE-2026-0865", "" ], "package": "python3.13", "version": "3.13.7-1ubuntu0.3", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 22 Jan 2026 16:45:57 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd-shared:riscv64", "from_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2", "version": "257.9-0ubuntu2" }, "to_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2.1", "version": "257.9-0ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2134334 ], "changes": [ { "cves": [], "log": [ "", " * net_id: depending on new udev prop, include/exclude PCI domain from netif names", " (LP: #2134334)", "" ], "package": "systemd", "version": "257.9-0ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2134334 ], "author": "Robert Malz ", "date": "Mon, 08 Dec 2025 09:30:21 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd0:riscv64", "from_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2", "version": "257.9-0ubuntu2" }, "to_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2.1", "version": "257.9-0ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2134334 ], "changes": [ { "cves": [], "log": [ "", " * net_id: depending on new udev prop, include/exclude PCI domain from netif names", " (LP: #2134334)", "" ], "package": "systemd", "version": "257.9-0ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2134334 ], "author": "Robert Malz ", "date": "Mon, 08 Dec 2025 09:30:21 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libudev1:riscv64", "from_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2", "version": "257.9-0ubuntu2" }, "to_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2.1", "version": "257.9-0ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2134334 ], "changes": [ { "cves": [], "log": [ "", " * net_id: depending on new udev prop, include/exclude PCI domain from netif names", " (LP: #2134334)", "" ], "package": "systemd", "version": "257.9-0ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2134334 ], "author": "Robert Malz ", "date": "Mon, 08 Dec 2025 09:30:21 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.17.0-8.8.1", "version": "6.17.0-8.8.1" }, "to_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.17.0-12.12.1", "version": "6.17.0-12.12.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.17.0-12.12.1", "" ], "package": "linux-meta-riscv", "version": "6.17.0-12.12.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [], "author": "Sarah Emery ", "date": "Thu, 15 Jan 2026 11:09:30 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.17.0-9.9.1", "" ], "package": "linux-meta-riscv", "version": "6.17.0-9.9.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Thu, 04 Dec 2025 16:25:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.17.0-8.8.1", "version": "6.17.0-8.8.1" }, "to_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.17.0-12.12.1", "version": "6.17.0-12.12.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.17.0-12.12.1", "" ], "package": "linux-meta-riscv", "version": "6.17.0-12.12.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [], "author": "Sarah Emery ", "date": "Thu, 15 Jan 2026 11:09:30 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.17.0-9.9.1", "" ], "package": "linux-meta-riscv", "version": "6.17.0-9.9.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Thu, 04 Dec 2025 16:25:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.17.0-8.8.1", "version": "6.17.0-8.8.1" }, "to_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.17.0-12.12.1", "version": "6.17.0-12.12.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.17.0-12.12.1", "" ], "package": "linux-meta-riscv", "version": "6.17.0-12.12.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [], "author": "Sarah Emery ", "date": "Thu, 15 Jan 2026 11:09:30 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.17.0-9.9.1", "" ], "package": "linux-meta-riscv", "version": "6.17.0-9.9.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Thu, 04 Dec 2025 16:25:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.17.0-8.8.1", "version": "6.17.0-8.8.1" }, "to_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.17.0-12.12.1", "version": "6.17.0-12.12.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.17.0-12.12.1", "" ], "package": "linux-meta-riscv", "version": "6.17.0-12.12.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [], "author": "Sarah Emery ", "date": "Thu, 15 Jan 2026 11:09:30 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.17.0-9.9.1", "" ], "package": "linux-meta-riscv", "version": "6.17.0-9.9.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Thu, 04 Dec 2025 16:25:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "locales", "from_version": { "source_package_name": "glibc", "source_package_version": "2.42-0ubuntu3", "version": "2.42-0ubuntu3" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.42-0ubuntu3.1", "version": "2.42-0ubuntu3.1" }, "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use-after-free in wordexp_t fields", " - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields", " with WRDE_REUSE", " - CVE-2025-15281", " * SECURITY UPDATE: integer overflow in memalign", " - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment", " overflow check", " - CVE-2026-0861", " * SECURITY UPDATE: memory leak in NSS DNS", " - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for", " getnetbyaddr", " - CVE-2026-0915", "" ], "package": "glibc", "version": "2.42-0ubuntu3.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Fri, 30 Jan 2026 13:59:18 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.13", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.2", "version": "3.13.7-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.3", "version": "3.13.7-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Header injection in email messages where addresses are not", " sanitized.", " - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash", " in Lib/email/_header_value_parser.py. Add test in", " Lib/test/test_email/test__header_value_parser.py.", " - CVE-2025-11468", " * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML", " documents.", " - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace", " with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument", " to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.", " - CVE-2025-12084", " * SECURITY UPDATE: OOM and denial of service when opening malicious plist", " file.", " - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read", " with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.", " - CVE-2025-13837", " * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.", " - debian/patches/CVE-2025-15282.patch: Add control character checks in", " Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " imaplib.", " - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in", " Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " poplib.", " - debian/patches/CVE-2025-15367.patch: Add control character regex check", " in Lib/poplib.py. Add test in Lib/test/test_poplib.py.", " - CVE-2025-15367", " * SECURITY UPDATE: HTTP header injection in user controlled cookie values.", " - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and", " checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.", " - CVE-2026-0672", " * SECURITY UPDATE: HTTP header injection in user controlled headers and", " values with newlines.", " - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in", " Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and", " Lib/test/test_wsgiref.py.", " - CVE-2026-0865", "" ], "package": "python3.13", "version": "3.13.7-1ubuntu0.3", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 22 Jan 2026 16:45:57 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.13-gdbm", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.2", "version": "3.13.7-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.3", "version": "3.13.7-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Header injection in email messages where addresses are not", " sanitized.", " - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash", " in Lib/email/_header_value_parser.py. Add test in", " Lib/test/test_email/test__header_value_parser.py.", " - CVE-2025-11468", " * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML", " documents.", " - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace", " with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument", " to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.", " - CVE-2025-12084", " * SECURITY UPDATE: OOM and denial of service when opening malicious plist", " file.", " - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read", " with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.", " - CVE-2025-13837", " * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.", " - debian/patches/CVE-2025-15282.patch: Add control character checks in", " Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " imaplib.", " - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in", " Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " poplib.", " - debian/patches/CVE-2025-15367.patch: Add control character regex check", " in Lib/poplib.py. Add test in Lib/test/test_poplib.py.", " - CVE-2025-15367", " * SECURITY UPDATE: HTTP header injection in user controlled cookie values.", " - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and", " checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.", " - CVE-2026-0672", " * SECURITY UPDATE: HTTP header injection in user controlled headers and", " values with newlines.", " - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in", " Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and", " Lib/test/test_wsgiref.py.", " - CVE-2026-0865", "" ], "package": "python3.13", "version": "3.13.7-1ubuntu0.3", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 22 Jan 2026 16:45:57 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.13-minimal", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.2", "version": "3.13.7-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.7-1ubuntu0.3", "version": "3.13.7-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-12084", "url": "https://ubuntu.com/security/CVE-2025-12084", "cve_description": "When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.", "cve_priority": "medium", "cve_public_date": "2025-12-03 19:15:00 UTC" }, { "cve": "CVE-2025-13837", "url": "https://ubuntu.com/security/CVE-2025-13837", "cve_description": "When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Header injection in email messages where addresses are not", " sanitized.", " - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash", " in Lib/email/_header_value_parser.py. Add test in", " Lib/test/test_email/test__header_value_parser.py.", " - CVE-2025-11468", " * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML", " documents.", " - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace", " with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument", " to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.", " - CVE-2025-12084", " * SECURITY UPDATE: OOM and denial of service when opening malicious plist", " file.", " - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read", " with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.", " - CVE-2025-13837", " * SECURITY UPDATE: Header injection in user controlled data URLs in urllib.", " - debian/patches/CVE-2025-15282.patch: Add control character checks in", " Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " imaplib.", " - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in", " Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.", " * SECURITY UPDATE: Command injection through user controlled commands in", " poplib.", " - debian/patches/CVE-2025-15367.patch: Add control character regex check", " in Lib/poplib.py. Add test in Lib/test/test_poplib.py.", " - CVE-2025-15367", " * SECURITY UPDATE: HTTP header injection in user controlled cookie values.", " - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and", " checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.", " - CVE-2026-0672", " * SECURITY UPDATE: HTTP header injection in user controlled headers and", " values with newlines.", " - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in", " Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and", " Lib/test/test_wsgiref.py.", " - CVE-2026-0865", "" ], "package": "python3.13", "version": "3.13.7-1ubuntu0.3", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 22 Jan 2026 16:45:57 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2", "version": "257.9-0ubuntu2" }, "to_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2.1", "version": "257.9-0ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2134334 ], "changes": [ { "cves": [], "log": [ "", " * net_id: depending on new udev prop, include/exclude PCI domain from netif names", " (LP: #2134334)", "" ], "package": "systemd", "version": "257.9-0ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2134334 ], "author": "Robert Malz ", "date": "Mon, 08 Dec 2025 09:30:21 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-cryptsetup", "from_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2", "version": "257.9-0ubuntu2" }, "to_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2.1", "version": "257.9-0ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2134334 ], "changes": [ { "cves": [], "log": [ "", " * net_id: depending on new udev prop, include/exclude PCI domain from netif names", " (LP: #2134334)", "" ], "package": "systemd", "version": "257.9-0ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2134334 ], "author": "Robert Malz ", "date": "Mon, 08 Dec 2025 09:30:21 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-resolved", "from_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2", "version": "257.9-0ubuntu2" }, "to_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2.1", "version": "257.9-0ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2134334 ], "changes": [ { "cves": [], "log": [ "", " * net_id: depending on new udev prop, include/exclude PCI domain from netif names", " (LP: #2134334)", "" ], "package": "systemd", "version": "257.9-0ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2134334 ], "author": "Robert Malz ", "date": "Mon, 08 Dec 2025 09:30:21 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-sysv", "from_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2", "version": "257.9-0ubuntu2" }, "to_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2.1", "version": "257.9-0ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2134334 ], "changes": [ { "cves": [], "log": [ "", " * net_id: depending on new udev prop, include/exclude PCI domain from netif names", " (LP: #2134334)", "" ], "package": "systemd", "version": "257.9-0ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2134334 ], "author": "Robert Malz ", "date": "Mon, 08 Dec 2025 09:30:21 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "telnet", "from_version": { "source_package_name": "inetutils", "source_package_version": "2:2.6-1ubuntu3", "version": "0.17+2.6-1ubuntu3" }, "to_version": { "source_package_name": "inetutils", "source_package_version": "2:2.6-1ubuntu3.1", "version": "0.17+2.6-1ubuntu3.1" }, "cves": [ { "cve": "CVE-2026-24061", "url": "https://ubuntu.com/security/CVE-2026-24061", "cve_description": "telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a \"-f root\" value for the USER environment variable.", "cve_priority": "high", "cve_public_date": "2026-01-21 07:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24061", "url": "https://ubuntu.com/security/CVE-2026-24061", "cve_description": "telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a \"-f root\" value for the USER environment variable.", "cve_priority": "high", "cve_public_date": "2026-01-21 07:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: telnetd remote authentication bypass", " - debian/patches/CVE-2026-24061-1.patch: fix injection bug with bogus", " user names in telnetd/utility.c.", " - debian/patches/CVE-2026-24061-2.patch: sanitize all variable", " expansions in telnetd/utility.c.", " - debian/patches/CVE-2026-24061-3.patch: fix compiler warning in", " telnetd/utility.c.", " - CVE-2026-24061", "" ], "package": "inetutils", "version": "2:2.6-1ubuntu3.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 30 Jan 2026 11:13:12 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "udev", "from_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2", "version": "257.9-0ubuntu2" }, "to_version": { "source_package_name": "systemd", "source_package_version": "257.9-0ubuntu2.1", "version": "257.9-0ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2134334 ], "changes": [ { "cves": [], "log": [ "", " * net_id: depending on new udev prop, include/exclude PCI domain from netif names", " (LP: #2134334)", "" ], "package": "systemd", "version": "257.9-0ubuntu2.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2134334 ], "author": "Robert Malz ", "date": "Mon, 08 Dec 2025 09:30:21 -0500" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-6.17.0-12-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": null }, "to_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-12.12.1", "version": "6.17.0-12.12.1" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" }, { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138113, 2138115, 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-12.12.1 -proposed tracker (LP: #2138113)", "", " [ Ubuntu: 6.17.0-12.12 ]", "", " * questing/linux: 6.17.0-12.12 -proposed tracker (LP: #2138115)", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40214", " - af_unix: Initialise scc_index in unix_add_edge().", "" ], "package": "linux-riscv", "version": "6.17.0-12.12.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2138113, 2138115 ], "author": "Sarah Emery ", "date": "Thu, 15 Jan 2026 10:49:19 +0100" }, { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-9.9.1 -proposed tracker (LP: #2133508)", "", " [ Ubuntu: 6.17.0-9.9 ]", "", " * questing/linux: 6.17.0-9.9 -proposed tracker (LP: #2132302)", " * The machine didn’t go into suspend and got stuck (LP: #2132095)", " - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep", " handlers", " * CAP_PERFMON insufficient to get perf data (LP: #2131046)", " - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4", " * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or", " later (LP: #2115860)", " - drm/amd: Unify shutdown() callback behavior", " - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device", " - drm/amd: Remove comment about handling errors in", " amdgpu_device_ip_suspend_phase1()", " - drm/amd: Don't always set IP block HW status to false", " - drm/amd: Pass IP suspend errors up to callers", " - drm/amd: Avoid evicting resources at S5", " * kernel crash on bootup for some arm64 machines (LP: #2129770)", " - KVM: arm64: Guard PMSCR_EL1 initialization with SPE presence check", " * crash when reading from /sys/kernel/tracing/rv/enabled_monitors", " (LP: #2131136)", " - rv: Fully convert enabled_monitors to use list_head as iterator", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", " * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera", " (LP: #2128792)", " - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"", " - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO", " function\"", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", " * Questing update: v6.17.4 upstream stable release (LP: #2131259)", " - fs: always return zero on success from replace_fd()", " - fscontext: do not consume log entries when returning -EMSGSIZE", " - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()", " - arm64: map [_text, _stext) virtual address range non-executable+read-", " only", " - rseq: Protect event mask against membarrier IPI", " - statmount: don't call path_put() under namespace semaphore", " - listmount: don't call path_put() under namespace semaphore", " - clocksource/drivers/clps711x: Fix resource leaks in error paths", " - memcg: skip cgroup_file_notify if spinning is not allowed", " - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches", " - PM: runtime: Update kerneldoc return codes", " - dma-mapping: fix direction in dma_alloc direction traces", " - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency", " - nfsd: unregister with rpcbind when deleting a transport", " - KVM: x86: Add helper to retrieve current value of user return MSR", " - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2", " - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE", " - media: v4l2-subdev: Fix alloc failure check in", " v4l2_subdev_call_state_try()", " - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled", " - clk: npcm: select CONFIG_AUXILIARY_BUS", " - clk: thead: th1520-ap: describe gate clocks with clk_gate", " - clk: thead: th1520-ap: fix parent of padctrl0 clock", " - clk: thead: Correct parent for DPU pixel clocks", " - clk: renesas: r9a08g045: Add MSTOP for GPIO", " - perf disasm: Avoid undefined behavior in incrementing NULL", " - perf test trace_btf_enum: Skip if permissions are insufficient", " - perf evsel: Avoid container_of on a NULL leader", " - libperf event: Ensure tracing data is multiple of 8 sized", " - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()", " - clk: qcom: Select the intended config in QCS_DISPCC_615", " - perf parse-events: Handle fake PMUs in CPU terms", " - clk: at91: peripheral: fix return value", " - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()", " - perf: Completely remove possibility to override MAX_NR_CPUS", " - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()", " - perf util: Fix compression checks returning -1 as bool", " - rtc: x1205: Fix Xicor X1205 vendor prefix", " - rtc: optee: fix memory leak on driver removal", " - perf arm_spe: Correct setting remote access", " - perf arm_spe: Correct memory level for remote access", " - perf vendor events arm64 AmpereOneX: Fix typo - should be", " l1d_cache_access_prefetches", " - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1", " - perf test shell lbr: Avoid failures with perf event paranoia", " - perf trace: Fix IS_ERR() vs NULL check bug", " - perf session: Fix handling when buffer exceeds 2 GiB", " - perf test: Don't leak workload gopipe in PERF_RECORD_*", " - perf evsel: Fix uniquification when PMU given without suffix", " - perf test: Avoid uncore_imc/clockticks in uniquification test", " - perf evsel: Ensure the fallback message is always written to", " - perf build-id: Ensure snprintf string is empty when size is 0", " - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m", " - clk: mediatek: clk-mux: Do not pass flags to", " clk_mux_determine_rate_flags()", " - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()", " - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver", " - clk: tegra: do not overallocate memory for bpmp clocks", " - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update", " - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()", " - vfs: add ATTR_CTIME_SET flag", " - nfsd: use ATTR_CTIME_SET for delegated ctime updates", " - nfsd: track original timestamps in nfs4_delegation", " - nfsd: fix SETATTR updates for delegated timestamps", " - nfsd: fix timestamp updates in CB_GETATTR", " - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64", " - PM: core: Annotate loops walking device links as _srcu", " - PM: core: Add two macros for walking device links", " - PM: sleep: Do not wait on SYNC_STATE_ONLY device links", " - cpufreq: tegra186: Set target frequency for all cpus in policy", " - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue", " - perf bpf-filter: Fix opts declaration on older libbpfs", " - scsi: ufs: sysfs: Make HID attributes visible", " - mshv: Handle NEED_RESCHED_LAZY before transferring to guest", " - perf bpf_counter: Fix handling of cpumap fixing hybrid", " - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size", " - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer", " size", " - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead", " of buffer time", " - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference", " - LoongArch: Fix build error for LTO with LLVM-18", " - LoongArch: Init acpi_gbl_use_global_lock to false", " - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel", " - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in", " lan78xx_read_raw_eeprom", " - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()", " - drm/xe/hw_engine_group: Fix double write lock release in error path", " - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path", " - s390/cio: Update purge function to unregister the unused subchannels", " - drm/vmwgfx: Fix a null-ptr access in the cursor snooper", " - drm/vmwgfx: Fix Use-after-free in validation", " - drm/vmwgfx: Fix copy-paste typo in validation", " - net/sctp: fix a null dereference in sctp_disposition", " sctp_sf_do_5_1D_ce()", " - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().", " - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work", " - selftest: net: ovpn: Fix uninit return values", " - ice: ice_adapter: release xa entry on adapter allocation failure", " - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe", " - tools build: Align warning options with perf", " - perf python: split Clang options when invoking Popen", " - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()", " - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call", " - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes", " - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop", " - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind", " - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}", " - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions", " - net: sparx5/lan969x: fix flooding configuration on bridge join/leave", " - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables", " - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed", " - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()", " - drm/amdgpu: Add additional DCE6 SCL registers", " - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs", " - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6", " - drm/amd/display: Properly disable scaling on DCE6", " - drm/amd/display: Disable scaling on DCE6 for now", " - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping", " - net: pse-pd: tps23881: Fix current measurement scaling", " - crypto: skcipher - Fix reqsize handling", " - netfilter: nft_objref: validate objref and objrefmap expressions", " - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()", " - selftests: netfilter: nft_fib.sh: fix spurious test failures", " - selftests: netfilter: query conntrack state to check for port clash", " resolution", " - io_uring/zcrx: increment fallback loop src offset", " - net: airoha: Fix loopback mode configuration for GDM2 port", " - cifs: Fix copy_to_iter return value check", " - smb: client: fix missing timestamp updates after utime(2)", " - rtc: isl12022: Fix initial enable_irq/disable_irq balance", " - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points", " - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single", " - gpio: wcd934x: mark the GPIO controller as sleeping", " - bpf: Avoid RCU context warning when unpinning htab with internal structs", " - kbuild: always create intermediate vmlinux.unstripped", " - kbuild: keep .modinfo section in vmlinux.unstripped", " - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux", " - kbuild: Add '.rel.*' strip pattern for vmlinux", " - s390: vmlinux.lds.S: Reorder sections", " - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections", " - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name", " - ACPI: property: Fix buffer properties extraction for subnodes", " - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT", " - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg", " - ACPI: debug: fix signedness issues in read/write helpers", " - ACPI: battery: Add synchronization between interface updates", " - arm64: dts: qcom: msm8916: Add missing MDSS reset", " - arm64: dts: qcom: msm8939: Add missing MDSS reset", " - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees", " - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010", " by default\"", " - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default", " - arm64: dts: ti: k3-am62a-main: Fix main padcfg length", " - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP", " - arm64: kprobes: call set_memory_rox() for kprobe page", " - arm64: mte: Do not flag the zero page as PG_mte_tagged", " - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on", " reset)", " - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in", " amx3_idle_init", " - firmware: arm_scmi: quirk: Prevent writes to string constants", " - perf/arm-cmn: Fix CMN S3 DTM offset", " - KVM: s390: Fix to clear PTE when discarding a swapped page", " - KVM: arm64: Fix debug checking for np-guests using huge mappings", " - KVM: arm64: Fix page leak in user_mem_abort()", " - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP", " - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES", " guest", " - KVM: TDX: Fix uninitialized error code for __tdx_bringup()", " - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-", " required", " - xen: take system_transition_mutex on suspend", " - xen/events: Cleanup find_virq() return codes", " - xen/manage: Fix suspend error path", " - xen/events: Return -EEXIST for bound VIRQs", " - xen/events: Update virq_to_irq on migration", " - firmware: exynos-acpm: fix PMIC returned errno", " - firmware: meson_sm: fix device leak at probe", " - media: cec: extron-da-hd-4k-plus: drop external-module make commands", " - media: cx18: Add missing check after DMA map", " - media: i2c: mt9p031: fix mbus code initialization", " - media: i2c: mt9v111: fix incorrect type for ret", " - media: mc: Fix MUST_CONNECT handling for pads with no links", " - media: pci: ivtv: Add missing check after DMA map", " - media: pci: mg4b: fix uninitialized iio scan data", " - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids", " - media: s5p-mfc: remove an unused/uninitialized variable", " - media: staging/ipu7: fix isys device runtime PM usage in firmware", " closing", " - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh", " - media: venus: firmware: Use correct reset sequence for IRIS2", " - media: venus: pm_helpers: add fallback for the opp-table", " - media: vivid: fix disappearing messages", " - media: vsp1: Export missing vsp1_isp_free_buffer symbol", " - media: ti: j721e-csi2rx: Use devm_of_platform_populate", " - media: ti: j721e-csi2rx: Fix source subdev link creation", " - media: lirc: Fix error handling in lirc_register()", " - drm/exynos: exynos7_drm_decon: remove ctx->suspended", " - drm/panthor: Fix memory leak in panthor_ioctl_group_create()", " - drm/msm/a6xx: Fix PDC sleep sequence", " - drm/rcar-du: dsi: Fix 1/2/3 lane support", " - drm/nouveau: fix bad ret code in nouveau_bo_move_prep", " - drm/xe/uapi: loosen used tracking restriction", " - drm/amd/display: Incorrect Mirror Cositing", " - drm/amd/display: Enable Dynamic DTBCLK Switch", " - drm/amd/display: Fix unsafe uses of kernel mode FPU", " - blk-crypto: fix missing blktrace bio split events", " - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()", " - bus: mhi: ep: Fix chained transfer handling in read path", " - bus: mhi: host: Do not use uninitialized 'dev' pointer in", " mhi_init_irq_setup()", " - cdx: Fix device node reference leak in cdx_msi_domain_init", " - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk", " - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes", " - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths", " - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks", " - copy_sighand: Handle architectures where sizeof(unsigned long) <", " sizeof(u64)", " - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay", " - cpufreq: intel_pstate: Fix object lifecycle issue in", " update_qos_request()", " - crypto: aspeed - Fix dma_unmap_sg() direction", " - crypto: atmel - Fix dma_unmap_sg() direction", " - crypto: rockchip - Fix dma_unmap_sg() nents value", " - eventpoll: Replace rwlock with spinlock", " - fbdev: Fix logic error in \"offb\" name match", " - fs/ntfs3: Fix a resource leak bug in wnd_extend()", " - fs: quota: create dedicated workqueue for quota_release_work", " - fsnotify: pass correct offset to fsnotify_mmap_perm()", " - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()", " - fuse: fix livelock in synchronous file put from fuseblk workers", " - gpio: mpfs: fix setting gpio direction to output", " - i3c: Fix default I2C adapter timeout value", " - iio/adc/pac1934: fix channel disable configuration", " - iio: dac: ad5360: use int type to store negative error codes", " - iio: dac: ad5421: use int type to store negative error codes", " - iio: frequency: adf4350: Fix prescaler usage.", " - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK", " - iio: xilinx-ams: Unmask interrupts after updating alarms", " - init: handle bootloader identifier in kernel parameters", " - iio: imu: inv_icm42600: Simplify pm_runtime setup", " - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in", " resume", " - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime", " suspended", " - iommu/vt-d: PRS isn't usable if PDS isn't supported", " - ipmi: Rework user message limit handling", " - ipmi:msghandler:Change seq_lock to a mutex", " - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in", " sys_prlimit64() paths", " - KEYS: trusted_tpm1: Compare HMAC values in constant time", " - kho: only fill kimage if KHO is finalized", " - lib/genalloc: fix device leak in of_gen_pool_get()", " - loop: fix backing file reference leak on validation error", " - md: fix mssing blktrace bio split events", " - of: unittest: Fix device reference count leak in", " of_unittest_pci_node_verify", " - openat2: don't trigger automounts with RESOLVE_NO_XDEV", " - padata: Reset next CPU when reorder sequence wraps around", " - parisc: don't reference obsolete termio struct for TC* constants", " - parisc: Remove spurious if statement from raw_copy_from_user()", " - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk", " - pinctrl: samsung: Drop unused S3C24xx driver data", " - PM: EM: Fix late boot with holes in CPU topology", " - PM: hibernate: Fix hybrid-sleep", " - PM: hibernate: Restrict GFP mask in power_down()", " - power: supply: max77976_charger: fix constant current reporting", " - powerpc/powernv/pci: Fix underflow and leak issue", " - powerpc/pseries/msi: Fix potential underflow and leak issue", " - pwm: berlin: Fix wrong register in suspend/resume", " - pwm: Fix incorrect variable used in error message", " - Revert \"ipmi: fix msg stack when IPMI is disconnected\"", " - sched/deadline: Fix race in push_dl_task()", " - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()", " - scsi: sd: Fix build warning in sd_revalidate_disk()", " - sctp: Fix MAC comparison to be constant-time", " - smb client: fix bug with newly created file in cached dir", " - sparc64: fix hugetlb for sun4u", " - sparc: fix error handling in scan_one_device()", " - xtensa: simdisk: add input size check in proc_write_simdisk", " - xsk: Harden userspace-supplied xdp_desc validation", " - mtd: rawnand: fsmc: Default to autodetect buswidth", " - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N", " - mmc: core: SPI mode remove cmd7", " - mmc: mmc_spi: multiple block read remove read crc ack", " - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe", " - memory: stm32_omm: Fix req2ack update test", " - rtc: interface: Ensure alarm irq is enabled when UIE is enabled", " - rtc: interface: Fix long-standing race when setting alarm", " - rseq/selftests: Use weak symbol reference, not definition, to link with", " glibc", " - PCI: xilinx-nwl: Fix ECAM programming", " - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock", " - PCI/sysfs: Ensure devices are powered for config reads", " - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV", " - PCI/ERR: Fix uevent on failure to recover", " - PCI/AER: Fix missing uevent on recovery when a reset is requested", " - PCI/AER: Support errors introduced by PCIe r6.0", " - PCI: Ensure relaxed tail alignment does not increase min_align", " - PCI: Fix failure detection during resource resize", " - PCI: j721e: Fix module autoloading", " - PCI: j721e: Fix programming sequence of \"strap\" settings", " - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on", " exit", " - PCI: rcar-gen4: Fix PHY initialization", " - PCI: rcar-host: Drop PMSR spinlock", " - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock", " - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()", " - PCI: tegra194: Handle errors in BPMP response", " - PCI: tegra194: Reset BARs when running in PCIe endpoint mode", " - PCI/pwrctrl: Fix device leak at registration", " - PCI/pwrctrl: Fix device and OF node leak at bus scan", " - PCI/pwrctrl: Fix device leak at device stop", " - spi: cadence-quadspi: Flush posted register writes before INDAC access", " - spi: cadence-quadspi: Flush posted register writes before DAC access", " - spi: cadence-quadspi: Fix cqspi_setup_flash()", " - xfs: use deferred intent items for reaping crosslinked blocks", " - x86/fred: Remove ENDBR64 from FRED entry points", " - x86/umip: Check that the instruction opcode is at least two bytes", " - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT", " aliases)", " - mptcp: pm: in-kernel: usable client side with C-flag", " - mptcp: reset blackhole on success with non-loopback ifaces", " - selftests: mptcp: join: validate C-flag + def limit", " - s390/cio/ioasm: Fix __xsch() condition code handling", " - s390/dasd: enforce dma_alignment to ensure proper buffer validation", " - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request", " - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR", " - slab: prevent warnings when slab obj_exts vector allocation fails", " - slab: mark slab->obj_exts allocation failures unconditionally", " - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again", " - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs", " - wifi: rtw89: avoid possible TX wait initialization race", " - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000", " - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500", " - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages", " - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled", " mTHP subpage to shared zeropage", " - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations", " - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when", " max_huge_pages=0", " - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success", " - mm/damon/lru_sort: use param_ctx for damon_attrs staging", " - nfsd: decouple the xprtsec policy check from check_nfsd_access()", " - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()", " - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry", " - media: iris: Call correct power off callback in cleanup path", " - media: iris: Fix firmware reference leak and unmap memory after load", " - media: iris: fix module removal if firmware download failed", " - media: iris: vpu3x: Add MNoC low power handshake during hardware power-", " off", " - media: iris: Fix port streaming handling", " - media: iris: Fix buffer count reporting in internal buffer check", " - media: iris: Allow substate transition to load resources during output", " streaming", " - media: iris: Always destroy internal buffers on firmware release", " response", " - media: iris: Simplify session stop logic by relying on vb2 checks", " - media: iris: Update vbuf flags before v4l2_m2m_buf_done", " - media: iris: Send dummy buffer address for all codecs during drain", " - media: iris: Fix missing LAST flag handling during drain", " - media: iris: Fix format check for CAPTURE plane in try_fmt", " - media: iris: Allow stop on firmware only if start was issued.", " - ext4: add ext4_sb_bread_nofail() helper function for", " ext4_free_branches()", " - ext4: fail unaligned direct IO write with EINVAL", " - ext4: verify orphan file size is not too big", " - ext4: increase i_disksize to offset + len in", " ext4_update_disksize_before_punch()", " - ext4: correctly handle queries for metadata mappings", " - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()", " - ext4: fix an off-by-one issue during moving extents", " - ext4: guard against EA inode refcount underflow in xattr update", " - ext4: validate ea_ino and size in check_xattrs", " - ACPICA: Allow to skip Global Lock initialization", " - ext4: free orphan info with kvfree", " - ipmi: Fix handling of messages with provided receive message pointer", " - Squashfs: add additional inode sanity checking", " - Squashfs: reject negative file sizes in squashfs_read_inode()", " - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork", " - media: mc: Clear minor number before put device", " - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs", " - ACPI: property: Disregard references in data-only subnode lists", " - ACPI: property: Add code comments explaining what is going on", " - ACPI: property: Do not pass NULL handles to acpi_attach_data()", " - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume", " - copy_file_range: limit size if in compat mode", " - minixfs: Verify inode mode when loading from disk", " - pid: Add a judgment for ns null in pid_nr_ns", " - fs: Add 'initramfs_options' to set initramfs mount options", " - cramfs: Verify inode mode when loading from disk", " - nsfs: validate extensible ioctls", " - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list", " - writeback: Avoid softlockup when switching many inodes", " - writeback: Avoid excessively long inode switching times", " - iomap: error out on file IO when there is no inline_data buffer", " - pidfs: validate extensible ioctls", " - mount: handle NULL values in mnt_ns_release()", " - Linux 6.17.4", " * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race", " condition in perf build causes build failure due to missing unistd_64.h", " header on arm64 (LP: #2131702)", " - perf tools: Fix arm64 libjvmti build by generating unistd_64.h", " * Questing update: v6.17.3 upstream stable release (LP: #2129610)", " - arch: copy_thread: pass clone_flags as u64", " - filelock: add FL_RECLAIM to show_fl_flags() macro", " - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD", " - pid: use ns_capable_noaudit() when determining net sysctl permissions", " - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures", " - [Config]: Update CC configs for v6.17.3", " - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too", " fast", " - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact", " - selftests: arm64: Check fread return value in exec_target", " - selftests: arm64: Fix -Waddress warning in tpidr2 test", " - kselftest/arm64/gcs: Correctly check return value when disabling GCS", " - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()", " - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote", " - gfs2: Remove space before newline", " - gfs2: Further sanitize lock_dlm.c", " - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue", " - gfs2: Remove duplicate check in do_xmote", " - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS", " - gfs2: do_xmote cleanup", " - gfs2: Add proper lockspace locking", " - powerpc/8xx: Remove left-over instruction and comments in", " DataStoreTLBMiss handler", " - powerpc/603: Really copy kernel PGD entries into all PGDIRs", " - powerpc/ftrace: ensure ftrace record ops are always set for NOPs", " - powerpc64/modules: correctly iterate over stubs in", " setup_ftrace_ool_stubs", " - uprobes: uprobe_warn should use passed task", " - raid6: riscv: Clean up unused header file inclusion", " - coresight: trbe: Prevent overflow in PERF_IDX2OFF()", " - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()", " - erofs: avoid reading more for fragment maps", " - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages", " - smb: server: fix IRD/ORD negotiation with the client", " - perf/x86/intel: Use early_initcall() to hook bts_init()", " - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error", " - x86/vdso: Fix output operand size of RDPID", " - selftests: cgroup: Make test_pids backwards compatible", " - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()", " - [Config]: Update CONFIG_SCHED_MC for v6.17.3", " - lsm: CONFIG_LSM can depend on CONFIG_SECURITY", " - cpuset: fix failure to enable isolated partition when containing", " isolcpus", " - btrfs: return any hit error from extent_writepage_io()", " - btrfs: fix symbolic link reading when bs > ps", " - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()", " - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0", " - bpf: Tidy verifier bug message", " - regmap: Remove superfluous check for !config in __regmap_init()", " - selftests/bpf: Copy test_kmods when installing selftest", " - rust: cpumask: Mark CpumaskVar as transparent", " - bpf/selftests: Fix test_tcpnotify_user", " - bpf: Remove migrate_disable in kprobe_multi_link_prog_run", " - libbpf: Fix reuse of DEVMAP", " - tools/nolibc: fix error return value of clock_nanosleep()", " - ARM: dts: renesas: porter: Fix CAN pin group", " - leds: max77705: Function return instead of variable assignment", " - leds: flash: leds-qcom-flash: Update torch current clamp setting", " - s390/bpf: Do not write tail call counter into helper and kfunc frames", " - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL", " - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG", " - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()", " - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on", " EVTB1", " - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1", " - libbpf: Export bpf_object__prepare symbol", " - firmware: arm_scmi: Mark VirtIO ready before registering", " scmi_virtio_driver", " - arm64: dts: imx93-kontron: Fix GPIO for panel regulator", " - arm64: dts: imx93-kontron: Fix USB port assignment", " - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid", " - bpf: Remove preempt_disable in bpf_try_get_buffers", " - ACPI: processor: idle: Fix memory leak when register cpuidle device", " failed", " - genirq: Add irq_chip_(startup/shutdown)_parent()", " - PCI/MSI: Add startup/shutdown for per device domains", " - irqchip/sg2042-msi: Fix broken affinity setting", " - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()", " - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS", " - pinctrl: meson-gxl: add missing i2c_d pinmux", " - blk-mq: check kobject state_in_sysfs before deleting in", " blk_mq_unregister_hctx", " - selftests/futex: Remove the -g parameter from futex_priv_hash", " - ARM: at91: pm: fix MCKx restore routine", " - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map", " - regulator: scmi: Use int type to store negative error codes", " - selftests/futex: Fix some futex_numa_mpol subtests", " - tools/nolibc: avoid error in dup2() if old fd equals new fd", " - selftests/nolibc: fix EXPECT_NZ macro", " - leds: leds-lp55xx: Use correct address for memory programming", " - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in", " cond_[startup|shutdown]_parent()", " - block: use int to store blk_stack_limits() return value", " - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property", " - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes", " - genirq/test: Fix depth tests on architectures with NOREQUEST by default.", " - genirq/test: Select IRQ_DOMAIN", " - genirq/test: Depend on SPARSE_IRQ", " - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions", " - genirq/test: Ensure CPU 1 is online for hotplug test", " - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()", " - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY", " - PM: sleep: core: Clear power.must_resume in noirq suspend error path", " - blk-mq: fix elevator depth_updated method", " - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h", " - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS", " to use correct boolean syntax", " - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property", " to use correct boolean syntax in DTS", " - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer", " property", " - PM / devfreq: mtk-cci: Fix potential error pointer dereference in", " probe()", " - power: supply: cw2015: Fix a alignment coding style issue", " - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI", " - pinctrl: renesas: Use int type to store negative error codes", " - pinctrl: eswin: Fix regulator error check and Kconfig dependency", " - null_blk: Fix the description of the cache_size module argument", " - blk-throttle: fix access race during throttle policy activation", " - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper", " - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing", " vDSO", " - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup", " path", " - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()", " - tick: Do not set device to detached state in tick_shutdown()", " - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0", " - arm64: dts: mediatek: mt8183: Fix out of range pull values", " - nbd: restrict sockets to TCP and UDP", " - PM / devfreq: rockchip-dfi: double count on RK3588", " - firmware: firmware: meson-sm: fix compile-test default", " - dts: arm: amlogic: fix pwm node for c3", " - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure", " - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure", " - cpuidle: qcom-spm: fix device and OF node leaks at probe", " - block: cleanup bio_issue", " - block: initialize bio issue time in blk_mq_submit_bio()", " - block: factor out a helper bio_submit_split_bioset()", " - block: skip unnecessary checks for split bio", " - block: fix ordering of recursive split IO", " - blk-mq: remove useless checkings in blk_mq_update_nr_requests()", " - blk-mq: check invalid nr_requests in queue_requests_store()", " - blk-mq: convert to serialize updating nr_requests with", " update_nr_hwq_lock", " - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()", " - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()", " - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()", " - blk-mq: fix potential deadlock while nr_requests grown", " - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting", " - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting", " - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10", " - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10", " - arm64: dts: rockchip: Fix network on rk3576 evb1 board", " - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F", " cores", " - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'", " - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout", " locations\"", " - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x", " carveout locations\"", " - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186", " - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model", " - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros", " - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node", " - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names", " - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()", " - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value", " - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address", " - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes", " - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible", " - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs", " - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal", " - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal", " - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal", " - pwm: tiehrpwm: Don't drop runtime PM reference in .free()", " - pwm: tiehrpwm: Make code comment in .free() more useful", " - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation", " - pwm: tiehrpwm: Fix corner case in clock divisor calculation", " - ACPICA: Apply ACPI_NONSTRING", " - ACPICA: Fix largest possible resource descriptor index", " - riscv, bpf: Sign extend struct ops return values properly", " - nvme-auth: update bi_directional flag", " - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op", " - nvmet-fcloop: call done callback even when remote port is gone", " - nvme-tcp: send only permitted commands for secure concat", " - i3c: master: svc: Use manual response for IBI events", " - i3c: master: svc: Recycle unused IBI slot", " - block: update validation of atomic writes boundary for stacked devices", " - block: fix stacking of atomic writes when atomics are not supported", " - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported", " - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES", " - blk-throttle: fix throtl_data leak during disk release", " - bpf: Explicitly check accesses to bpf_sock_addr", " - mmc: select REGMAP_MMIO with MMC_LOONGSON2", " - selftests/futex: Fix futex_wait() for 32bit ARM", " - selftest/futex: Make the error check more precise for futex_numa_mpol", " - selftest/futex: Compile also with libnuma < 2.0.16", " - bpf: dont report verifier bug for missing bpf_scc_visit on speculative", " path", " - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()", " - arm64: dts: apple: t600x: Add missing WiFi properties", " - arm64: dts: apple: t600x: Add bluetooth device nodes", " - arm64: dts: apple: Add ethernet0 alias for J375 template", " - selftests: always install UAPI headers to the correct directory", " - smp: Fix up and expand the smp_call_function_many() kerneldoc", " - mfd: max77705: max77705_charger: move active discharge setting to mfd", " parent", " - power: supply: max77705_charger: refactoring: rename charger to chg", " - power: supply: max77705_charger: use regfields for config registers", " - power: supply: max77705_charger: rework interrupts", " - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in", " host headers", " - spi: fix return code when spi device has too many chipselects", " - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation", " - clocksource/drivers/tegra186: Avoid 64-bit division", " - bpf: Mark kfuncs as __noclone", " - once: fix race by moving DO_ONCE to separate section", " - hwmon: (mlxreg-fan) Separate methods of fan setting coming from", " different subsystems", " - tools/nolibc: add stdbool.h to nolibc includes", " - thermal/drivers/qcom: Make LMH select QCOM_SCM", " - thermal/drivers/qcom/lmh: Add missing IRQ includes", " - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD", " - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails", " - i2c: spacemit: remove stop function to avoid bus error", " - i2c: spacemit: disable SDA glitch fix to avoid restart delay", " - i2c: spacemit: check SDA instead of SCL after bus reset", " - i2c: spacemit: ensure SDA is released after bus reset", " - i2c: designware: Fix clock issue when PM is disabled", " - i2c: designware: Add disabling clocks when probe fails", " - libbpf: Fix error when st-prefix_ops and ops from differ btf", " - bpf: Enforce expected_attach_type for tailcall compatibility", " - i3c: fix big-endian FIFO transfers", " - mfd: max77705: Setup the core driver as an interrupt controller", " - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test", " - drm/panel-edp: Add disable to 100ms for MNB601LS1-4", " - drm/display: bridge-connector: correct CEC bridge pointers in", " drm_bridge_connector_init", " - drm/panel-edp: Add 50ms disable delay for four panels", " - drm/vmwgfx: fix missing assignment to ts", " - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into", " 'stream_res' v4", " - drm/panel: novatek-nt35560: Fix invalid return value", " - drm/amdgpu: fix link error for !PM_SLEEP", " - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest", " - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest", " - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in", " pci_epf_write_msi_msg()", " - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()", " - drm/radeon/r600_cs: clean up of dead code in r600_cs", " - f2fs: fix condition in __allow_reserved_blocks()", " - f2fs: fix to avoid overflow while left shift operation", " - f2fs: fix to zero data after EOF for compressed file correctly", " - drm/bridge: it6505: select REGMAP_I2C", " - wifi: rtw88: Lock rtwdev->mutex before setting the LED", " - HID: steelseries: refactor probe() and remove()", " - media: zoran: Remove zoran_fh structure", " - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568", " - drm/bridge: cdns-dsi: Fix the _atomic_check()", " - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup", " - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls", " - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure", " - misc: pci_endpoint_test: Fix array underflow in", " pci_endpoint_test_ioctl()", " - serial: max310x: Add error checking in probe()", " - drm/amd/display: Remove redundant semicolons", " - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute", " functions", " - crypto: keembay - Add missing check after sg_nents_for_len()", " - hwrng: nomadik - add ARM_AMBA dependency", " - docs: iio: ad3552r: Fix malformed code-block directive", " - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()", " - scsi: pm80xx: Restore support for expanders", " - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod", " - scsi: libsas: Add dev_parent_is_expander() helper", " - scsi: pm80xx: Use dev_parent_is_expander() helper", " - scsi: pm80xx: Add helper function to get the local phy id", " - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an", " expander", " - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.", " - scsi: myrs: Fix dma_alloc_coherent() error check", " - f2fs: fix to clear unusable_cap for checkpoint=enable", " - f2fs: fix to avoid NULL pointer dereference in", " f2fs_check_quota_consistency()", " - f2fs: fix to allow removing qf_name", " - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not", " always send 3-byte commands\"", " - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands", " - crypto: octeontx2 - Call strscpy() with correct size argument", " - drm: re-allow no-op changes on non-primary planes in async flips", " - media: rj54n1cb0c: Fix memleak in rj54n1_probe()", " - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API", " - media: staging/ipu7: Don't set name for IPU7 PCI device", " - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release", " - media: i2c: vd55g1: Fix duster register address", " - drm/panel: Allow powering on panel follower after panel is enabled", " - HID: i2c-hid: Make elan touch controllers power on after panel is", " enabled", " - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count", " - RDMA/mlx5: Fix vport loopback forcing for MPV device", " - wifi: rtw88: Use led->brightness_set_blocking for PCI too", " - net: phy: introduce phy_id_compare_vendor() PHY ID helper", " - net: phy: as21xxx: better handle PHY HW reset on soft-reboot", " - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()", " - fuse: remove unneeded offset assignment when filling write pages", " - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes", " - cdx: don't select CONFIG_GENERIC_MSI_IRQ", " - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak", " - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()", " - ALSA: lx_core: use int type to store negative error codes", " - media: st-delta: avoid excessive stack usage", " - drm/amdgpu/vcn: Add regdump helper functions", " - drm/amdgpu/vcn: Hold pg_lock before vcn power off", " - drm/amdgpu: Check vcn state before profile switch", " - accel/amdxdna: Use int instead of u32 to store error codes", " - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text", " - net: dst: introduce dst->dev_rcu", " - ipv6: mcast: Add ip6_mc_find_idev() helper", " - ipv6: start using dst_dev_rcu()", " - ipv6: use RCU in ip6_xmit()", " - ipv6: use RCU in ip6_output()", " - net: use dst_dev_rcu() in sk_setup_caps()", " - tcp_metrics: use dst_dev_net_rcu()", " - ipv4: start using dst_dev_rcu()", " - crypto: hisilicon/zip - remove unnecessary validation for high-", " performance mode configurations", " - crypto: hisilicon - re-enable address prefetch after device resuming", " - crypto: hisilicon - check the sva module status while enabling or", " disabling address prefetch", " - crypto: hisilicon/qm - check whether the input function and PF are on", " the same device", " - crypto: hisilicon/qm - request reserved interrupt for virtual function", " - inet: ping: check sock_net() in ping_get_port() and ping_lookup()", " - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation", " - coresight: trbe: Add ISB after TRBLIMITR write", " - coresight: Fix missing include for FIELD_GET", " - coresight: Only register perf symlink for sinks with alloc_buffer", " - drm/amdgpu: Power up UVD 3 for FW validation (v2)", " - drm/amd/pm: Disable ULV even if unsupported (v3)", " - drm/amd/pm: Fix si_upload_smc_data (v3)", " - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)", " - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)", " - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)", " - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)", " - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta", " - wifi: mwifiex: send world regulatory domain to driver", " - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress", " (CYW)", " - drm/msm: Do not validate SSPP when it is not ready", " - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation", " - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan", " request during MLO", " - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s", " - tcp: fix __tcp_close() to only send RST when required", " - fanotify: Validate the return value of mnt_ns_from_dentry() before", " dereferencing", " - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()", " - usb: phy: twl6030: Fix incorrect type for ret", " - usb: gadget: configfs: Correctly set use_os_string at bind", " - tty: n_gsm: Don't block input queue by waiting MSC", " - misc: genwqe: Fix incorrect cmd field being reported in error", " - pps: fix warning in pps_register_cdev when register device fail", " - drm/msm: Fix obj leak in VM_BIND error path", " - drm/msm: Fix missing VM_BIND offset/range validation", " - wifi: iwlwifi: Remove redundant header files", " - drm/msm/mdp4: stop supporting no-IOMMU configuration", " - drm/msm: stop supporting no-IOMMU configuration", " - idpf: fix Rx descriptor ready check barrier in splitq", " - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping", " - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore", " - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST", " - drm/msm: Fix bootup splat with separate_gpu_drm modparam", " - drm/msm/dpu: fix incorrect type for ret", " - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()", " - fs: ntfs3: Fix integer overflow in run_unpack()", " - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist", " - iio: consumers: Fix handling of negative channel scale in", " iio_convert_raw_to_processed()", " - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()", " - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal", " - tools: ynl: fix undefined variable name", " - RDMA/mlx5: Fix page size bitmap calculation for KSM mode", " - netfilter: ipset: Remove unused htable_bits in macro ahash_region", " - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable", " - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()", " - watchdog: intel_oc_wdt: Do not try to write into const memory", " - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the", " watchdog", " - PCI: endpoint: pci-epf-test: Fix doorbell test support", " - drivers/base/node: handle error properly in register_one_node()", " - RDMA/cm: Rate limit destroy CM ID timeout error message", " - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration", " - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine", " - wifi: mt76: fix potential memory leak in mt76_wmac_probe()", " - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback", " - wifi: mt76: mt7996: Check phy before init msta_link in", " mt7996_mac_sta_add_links()", " - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on", " mt7996", " - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device", " - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE", " - wifi: mt76: mt7915: fix mt7981 pre-calibration", " - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during", " restart", " - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false", " - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()", " - drm/amdgpu: Fix allocating extra dwords for rings (v2)", " - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()", " - f2fs: fix to truncate first page in error path of f2fs_truncate()", " - f2fs: fix to avoid migrating empty section", " - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()", " - RISC-V: KVM: Write hgatp register with valid mode bits", " - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on", " PREEMPT_RT", " - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message", " - scsi: qla2xxx: edif: Fix incorrect sign of error code", " - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()", " - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()", " - HID: hidraw: tighten ioctl command parsing", " - f2fs: fix zero-sized extent for precache extents", " - smc: Fix use-after-free in __pnet_find_base_ndev().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().", " - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().", " - mptcp: Call dst_release() in mptcp_active_enable().", " - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().", " - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems", " Running\"", " - RDMA/core: Resolve MAC of next-hop device without ARP support", " - IB/sa: Fix sa_local_svc_timeout_ms read race", " - Documentation: trace: historgram-design: Separate sched_waking histogram", " section heading and the following diagram", " - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots", " - wifi: ath12k: initialize eirp_power before use", " - wifi: ath12k: fix overflow warning on num_pwr_levels", " - wifi: ath12k: fix signal in radiotap for WCN7850", " - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode", " - wifi: ath12k: fix the fetching of combined rssi", " - wifi: ath12k: Add fallback for invalid channel number in PHY metadata", " - wifi: ath12k: fix wrong logging ID used for CE", " - wifi: ath10k: avoid unnecessary wait for service ready message", " - iommu/vt-d: debugfs: Fix legacy mode page table dump logic", " - wifi: mac80211: fix Rx packet handling when pubsta information is not", " available", " - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC III", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " Niagara", " - sparc: fix accurate exception reporting in copy_to_user for Niagara 4", " - sparc: fix accurate exception reporting in copy_{from,to}_user for M7", " - vfio/pds: replace bitmap_free with vfree", " - crypto: comp - Use same definition of context alloc and free ops", " - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs", " - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()", " - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse", " - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974", " - RDMA/rxe: Fix race in do_task() when draining", " - selftests/mm: fix va_high_addr_switch.sh failure on x86_64", " - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()", " - wifi: rtw89: avoid circular locking dependency in ser_state_run()", " - PCI: tegra194: Fix duplicate PLL disable in", " pex_ep_event_pex_rst_assert()", " - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice", " - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E", " - wifi: ath12k: Refactor RX TID deletion handling into helper function", " - wifi: ath12k: Fix flush cache failure during RX queue update", " - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()", " - dm vdo: return error on corrupted metadata in start_restoring_volume", " functions", " - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()", " - coresight-etm4x: Conditionally access register TRCEXTINSELR", " - coresight: tmc: Support atclk", " - coresight: catu: Support atclk", " - coresight: etm4x: Support atclk", " - coresight: Appropriately disable programming clocks", " - coresight: Appropriately disable trace bus clocks", " - coresight: Avoid enable programming clock duplicately", " - coresight: trbe: Return NULL pointer for allocation failures", " - coresight: tpda: fix the logic to setup the element size", " - coresight: Fix incorrect handling for return value of devm_kzalloc", " - NFSv4.1: fix backchannel max_resp_sz verification check", " - net: ethtool: tsconfig: set command must provide a reply", " - netfilter: nfnetlink: reset nlh pointer during batch replay", " - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack", " - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling", " - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()", " - usb: vhci-hcd: Prevent suspending virtually attached devices", " - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion", " - PCI: rcar-gen4: Assure reset occurs before DBI access", " - PCI: rcar-gen4: Fix inverted break condition in PHY initialization", " - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075", " - iommu/vt-d: Disallow dirty tracking if incoherent page walk", " - iommu/selftest: prevent use of uninitialized variable", " - RDMA/siw: Always report immediate post SQ errors", " - net: enetc: Fix probing error message typo for the ENETCv4 PF driver", " - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast", " - ptp: Add a upper bound on max_vclocks", " - vhost: vringh: Fix copy_to_iter return value check", " - net: macb: remove illusion about TBQPH/RBQPH being per-queue", " - net: macb: move ring size computation to functions", " - net: macb: single dma_alloc_coherent() for DMA descriptors", " - Bluetooth: btintel_pcie: Refactor Device Coredump", " - Bluetooth: MGMT: Fix not exposing debug UUID on", " MGMT_OP_READ_EXP_FEATURES_INFO", " - Bluetooth: ISO: Fix possible UAF on iso_conn_free", " - Bluetooth: ISO: free rx_skb if not consumed", " - Bluetooth: ISO: don't leak skb in ISO_CONT RX", " - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements", " - KEYS: X.509: Fix Basic Constraints CA flag parsing", " - hwrng: ks-sa - fix division by zero in ks_sa_rng_init", " - cramfs: fix incorrect physical page address calculation", " - ocfs2: fix double free in user_cluster_connect()", " - drivers/base/node: fix double free in register_one_node()", " - f2fs: fix UAF issue in f2fs_merge_page_bio()", " - mtd: rawnand: atmel: Fix error handling path in", " atmel_nand_controller_add_nands", " - PCI: j721e: Fix incorrect error message in probe()", " - idpf: fix mismatched free function for dma_alloc_coherent", " - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()", " - nfp: fix RSS hash key size when RSS is not supported", " - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not", " configurable", " - net: dlink: handle copy_thresh allocation failure", " - net/mlx5: Stop polling for command response if interface goes down", " - net/mlx5: pagealloc: Fix reclaim race during command interface teardown", " - net/mlx5: fw reset, add reset timeout work", " - smb: client: fix crypto buffers in non-linear memory", " - bonding: fix xfrm offload feature setup on active-backup mode", " - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values", " - iommufd: Register iommufd mock devices with fwspec", " - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"", " - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support", " - nfs/localio: avoid issuing misaligned IO using O_DIRECT", " - octeontx2-vf: fix bitmap leak", " - octeontx2-pf: fix bitmap leak", " - vhost: vringh: Modify the return value check", " - selftests/bpf: Fix typos and grammar in test sources", " - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c", " - selftests/bpf: Fix realloc size in bpf_get_addrs", " - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer", " - bpf: Reject negative offsets for ALU ops", " - tpm: Disable TPM2_TCG_HMAC by default", " - ALSA: hda/hdmi: Add pin fix for HP ProDesk model", " - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100", " - Squashfs: fix uninit-value in squashfs_get_parent", " - uio_hv_generic: Let userspace take care of interrupt mask", " - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init", " - io_uring/waitid: always prune wait queue entry in io_waitid_wait()", " - io_uring/zcrx: fix overshooting recv limit", " - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()", " - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down", " - ASoC: codecs: wcd937x: set the comp soundwire port correctly", " - ASoC: codecs: wcd937x: make stub functions inline", " - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples", " - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA", " - fs: udf: fix OOB read in lengthAllocDescs handling", " - net: nfc: nci: Add parameter validation for packet data", " - mfd: rz-mtu3: Fix MTU5 NFCR register offset", " - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag", " - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()", " - tracing: Fix lock imbalance in s_start() memory allocation failure path", " - tracing: Fix race condition in kprobe initialization causing NULL", " pointer dereference", " - tracing: Fix wakeup tracers on failure of acquiring calltime", " - tracing: Fix irqoff tracers on failure of acquiring calltime", " - tracing: Have trace_marker use per-cpu data to read user space", " - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf", " - tracing: Stop fortify-string from warning in tracing_mark_raw_write()", " - dm: fix queue start/stop imbalance under suspend/load/resume races", " - dm: fix NULL pointer dereference in __dm_suspend()", " - LoongArch: Automatically disable kaslr if boot from kexec_file", " - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT", " - LoongArch: BPF: Sign-extend struct ops return values properly", " - LoongArch: BPF: No support of struct argument in trampoline programs", " - LoongArch: BPF: Don't align trampoline size", " - LoongArch: BPF: Make trampoline size stable", " - LoongArch: BPF: Make error handling robust in", " arch_prepare_bpf_trampoline()", " - LoongArch: BPF: Remove duplicated bpf_flush_icache()", " - LoongArch: BPF: No text_poke() for kernel text", " - LoongArch: BPF: Remove duplicated flags check", " - LoongArch: BPF: Fix uninitialized symbol 'retval_off'", " - mm/ksm: fix flag-dropping behavior in ksm_madvise", " - ksmbd: Fix race condition in RPC handle list access", " - ksmbd: fix error code overwriting in smb2_get_info_filesystem()", " - ksmbd: add max ip connections parameter", " - ext4: fix potential null deref in ext4_mb_init()", " - ext4: fix checks for orphan inodes", " - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid", " - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()", " - mm: hugetlb: avoid soft lockup when mprotect to large memory area", " - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is", " disabled", " - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()", " - misc: fastrpc: Save actual DMA size in fastrpc_map structure", " - misc: fastrpc: Fix fastrpc_map_lookup operation", " - misc: fastrpc: fix possible map leak in fastrpc_put_args", " - misc: fastrpc: Skip reference for DMA handles", " - Input: atmel_mxt_ts - allow reset GPIO to sleep", " - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info", " leak", " - sunrpc: fix null pointer dereference on zero-length checksum", " - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()", " - remoteproc: pru: Fix potential NULL pointer dereference in", " pru_rproc_set_ctable()", " - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before", " release", " - thunderbolt: Fix use-after-free in tb_dp_dprx_work", " - tee: fix register_shm_helper()", " - pinctrl: check the return value of pinmux_ops::get_function_name()", " - bus: fsl-mc: Check return value of platform_get_resource()", " - net/9p: Fix buffer overflow in USB transport layer", " - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock", " - usb: typec: tipd: Clear interrupts first", " - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode", " - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call", " - scsi: ufs: core: Fix PM QoS mutex initialization", " - drm/amdgpu/vcn: Fix double-free of vcn dump buffer", " - Linux 6.17.3", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", "" ], "package": "linux-riscv", "version": "6.17.0-9.9.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "author": "Emil Renner Berthing ", "date": "Mon, 01 Dec 2025 16:40:19 +0100" } ], "notes": "linux-headers-6.17.0-12-generic version '6.17.0-12.12.1' (source package linux-riscv version '6.17.0-12.12.1') was added. linux-headers-6.17.0-12-generic version '6.17.0-12.12.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-8-generic. As such we can use the source package version of the removed package, '6.17.0-8.8.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-image-6.17.0-12-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": null }, "to_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-12.12.1", "version": "6.17.0-12.12.1" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" }, { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138113, 2138115, 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-12.12.1 -proposed tracker (LP: #2138113)", "", " [ Ubuntu: 6.17.0-12.12 ]", "", " * questing/linux: 6.17.0-12.12 -proposed tracker (LP: #2138115)", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40214", " - af_unix: Initialise scc_index in unix_add_edge().", "" ], "package": "linux-riscv", "version": "6.17.0-12.12.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2138113, 2138115 ], "author": "Sarah Emery ", "date": "Thu, 15 Jan 2026 10:49:19 +0100" }, { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-9.9.1 -proposed tracker (LP: #2133508)", "", " [ Ubuntu: 6.17.0-9.9 ]", "", " * questing/linux: 6.17.0-9.9 -proposed tracker (LP: #2132302)", " * The machine didn’t go into suspend and got stuck (LP: #2132095)", " - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep", " handlers", " * CAP_PERFMON insufficient to get perf data (LP: #2131046)", " - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4", " * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or", " later (LP: #2115860)", " - drm/amd: Unify shutdown() callback behavior", " - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device", " - drm/amd: Remove comment about handling errors in", " amdgpu_device_ip_suspend_phase1()", " - drm/amd: Don't always set IP block HW status to false", " - drm/amd: Pass IP suspend errors up to callers", " - drm/amd: Avoid evicting resources at S5", " * kernel crash on bootup for some arm64 machines (LP: #2129770)", " - KVM: arm64: Guard PMSCR_EL1 initialization with SPE presence check", " * crash when reading from /sys/kernel/tracing/rv/enabled_monitors", " (LP: #2131136)", " - rv: Fully convert enabled_monitors to use list_head as iterator", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", " * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera", " (LP: #2128792)", " - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"", " - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO", " function\"", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", " * Questing update: v6.17.4 upstream stable release (LP: #2131259)", " - fs: always return zero on success from replace_fd()", " - fscontext: do not consume log entries when returning -EMSGSIZE", " - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()", " - arm64: map [_text, _stext) virtual address range non-executable+read-", " only", " - rseq: Protect event mask against membarrier IPI", " - statmount: don't call path_put() under namespace semaphore", " - listmount: don't call path_put() under namespace semaphore", " - clocksource/drivers/clps711x: Fix resource leaks in error paths", " - memcg: skip cgroup_file_notify if spinning is not allowed", " - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches", " - PM: runtime: Update kerneldoc return codes", " - dma-mapping: fix direction in dma_alloc direction traces", " - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency", " - nfsd: unregister with rpcbind when deleting a transport", " - KVM: x86: Add helper to retrieve current value of user return MSR", " - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2", " - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE", " - media: v4l2-subdev: Fix alloc failure check in", " v4l2_subdev_call_state_try()", " - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled", " - clk: npcm: select CONFIG_AUXILIARY_BUS", " - clk: thead: th1520-ap: describe gate clocks with clk_gate", " - clk: thead: th1520-ap: fix parent of padctrl0 clock", " - clk: thead: Correct parent for DPU pixel clocks", " - clk: renesas: r9a08g045: Add MSTOP for GPIO", " - perf disasm: Avoid undefined behavior in incrementing NULL", " - perf test trace_btf_enum: Skip if permissions are insufficient", " - perf evsel: Avoid container_of on a NULL leader", " - libperf event: Ensure tracing data is multiple of 8 sized", " - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()", " - clk: qcom: Select the intended config in QCS_DISPCC_615", " - perf parse-events: Handle fake PMUs in CPU terms", " - clk: at91: peripheral: fix return value", " - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()", " - perf: Completely remove possibility to override MAX_NR_CPUS", " - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()", " - perf util: Fix compression checks returning -1 as bool", " - rtc: x1205: Fix Xicor X1205 vendor prefix", " - rtc: optee: fix memory leak on driver removal", " - perf arm_spe: Correct setting remote access", " - perf arm_spe: Correct memory level for remote access", " - perf vendor events arm64 AmpereOneX: Fix typo - should be", " l1d_cache_access_prefetches", " - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1", " - perf test shell lbr: Avoid failures with perf event paranoia", " - perf trace: Fix IS_ERR() vs NULL check bug", " - perf session: Fix handling when buffer exceeds 2 GiB", " - perf test: Don't leak workload gopipe in PERF_RECORD_*", " - perf evsel: Fix uniquification when PMU given without suffix", " - perf test: Avoid uncore_imc/clockticks in uniquification test", " - perf evsel: Ensure the fallback message is always written to", " - perf build-id: Ensure snprintf string is empty when size is 0", " - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m", " - clk: mediatek: clk-mux: Do not pass flags to", " clk_mux_determine_rate_flags()", " - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()", " - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver", " - clk: tegra: do not overallocate memory for bpmp clocks", " - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update", " - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()", " - vfs: add ATTR_CTIME_SET flag", " - nfsd: use ATTR_CTIME_SET for delegated ctime updates", " - nfsd: track original timestamps in nfs4_delegation", " - nfsd: fix SETATTR updates for delegated timestamps", " - nfsd: fix timestamp updates in CB_GETATTR", " - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64", " - PM: core: Annotate loops walking device links as _srcu", " - PM: core: Add two macros for walking device links", " - PM: sleep: Do not wait on SYNC_STATE_ONLY device links", " - cpufreq: tegra186: Set target frequency for all cpus in policy", " - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue", " - perf bpf-filter: Fix opts declaration on older libbpfs", " - scsi: ufs: sysfs: Make HID attributes visible", " - mshv: Handle NEED_RESCHED_LAZY before transferring to guest", " - perf bpf_counter: Fix handling of cpumap fixing hybrid", " - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size", " - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer", " size", " - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead", " of buffer time", " - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference", " - LoongArch: Fix build error for LTO with LLVM-18", " - LoongArch: Init acpi_gbl_use_global_lock to false", " - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel", " - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in", " lan78xx_read_raw_eeprom", " - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()", " - drm/xe/hw_engine_group: Fix double write lock release in error path", " - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path", " - s390/cio: Update purge function to unregister the unused subchannels", " - drm/vmwgfx: Fix a null-ptr access in the cursor snooper", " - drm/vmwgfx: Fix Use-after-free in validation", " - drm/vmwgfx: Fix copy-paste typo in validation", " - net/sctp: fix a null dereference in sctp_disposition", " sctp_sf_do_5_1D_ce()", " - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().", " - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work", " - selftest: net: ovpn: Fix uninit return values", " - ice: ice_adapter: release xa entry on adapter allocation failure", " - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe", " - tools build: Align warning options with perf", " - perf python: split Clang options when invoking Popen", " - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()", " - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call", " - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes", " - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop", " - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind", " - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}", " - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions", " - net: sparx5/lan969x: fix flooding configuration on bridge join/leave", " - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables", " - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed", " - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()", " - drm/amdgpu: Add additional DCE6 SCL registers", " - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs", " - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6", " - drm/amd/display: Properly disable scaling on DCE6", " - drm/amd/display: Disable scaling on DCE6 for now", " - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping", " - net: pse-pd: tps23881: Fix current measurement scaling", " - crypto: skcipher - Fix reqsize handling", " - netfilter: nft_objref: validate objref and objrefmap expressions", " - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()", " - selftests: netfilter: nft_fib.sh: fix spurious test failures", " - selftests: netfilter: query conntrack state to check for port clash", " resolution", " - io_uring/zcrx: increment fallback loop src offset", " - net: airoha: Fix loopback mode configuration for GDM2 port", " - cifs: Fix copy_to_iter return value check", " - smb: client: fix missing timestamp updates after utime(2)", " - rtc: isl12022: Fix initial enable_irq/disable_irq balance", " - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points", " - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single", " - gpio: wcd934x: mark the GPIO controller as sleeping", " - bpf: Avoid RCU context warning when unpinning htab with internal structs", " - kbuild: always create intermediate vmlinux.unstripped", " - kbuild: keep .modinfo section in vmlinux.unstripped", " - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux", " - kbuild: Add '.rel.*' strip pattern for vmlinux", " - s390: vmlinux.lds.S: Reorder sections", " - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections", " - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name", " - ACPI: property: Fix buffer properties extraction for subnodes", " - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT", " - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg", " - ACPI: debug: fix signedness issues in read/write helpers", " - ACPI: battery: Add synchronization between interface updates", " - arm64: dts: qcom: msm8916: Add missing MDSS reset", " - arm64: dts: qcom: msm8939: Add missing MDSS reset", " - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees", " - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010", " by default\"", " - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default", " - arm64: dts: ti: k3-am62a-main: Fix main padcfg length", " - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP", " - arm64: kprobes: call set_memory_rox() for kprobe page", " - arm64: mte: Do not flag the zero page as PG_mte_tagged", " - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on", " reset)", " - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in", " amx3_idle_init", " - firmware: arm_scmi: quirk: Prevent writes to string constants", " - perf/arm-cmn: Fix CMN S3 DTM offset", " - KVM: s390: Fix to clear PTE when discarding a swapped page", " - KVM: arm64: Fix debug checking for np-guests using huge mappings", " - KVM: arm64: Fix page leak in user_mem_abort()", " - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP", " - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES", " guest", " - KVM: TDX: Fix uninitialized error code for __tdx_bringup()", " - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-", " required", " - xen: take system_transition_mutex on suspend", " - xen/events: Cleanup find_virq() return codes", " - xen/manage: Fix suspend error path", " - xen/events: Return -EEXIST for bound VIRQs", " - xen/events: Update virq_to_irq on migration", " - firmware: exynos-acpm: fix PMIC returned errno", " - firmware: meson_sm: fix device leak at probe", " - media: cec: extron-da-hd-4k-plus: drop external-module make commands", " - media: cx18: Add missing check after DMA map", " - media: i2c: mt9p031: fix mbus code initialization", " - media: i2c: mt9v111: fix incorrect type for ret", " - media: mc: Fix MUST_CONNECT handling for pads with no links", " - media: pci: ivtv: Add missing check after DMA map", " - media: pci: mg4b: fix uninitialized iio scan data", " - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids", " - media: s5p-mfc: remove an unused/uninitialized variable", " - media: staging/ipu7: fix isys device runtime PM usage in firmware", " closing", " - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh", " - media: venus: firmware: Use correct reset sequence for IRIS2", " - media: venus: pm_helpers: add fallback for the opp-table", " - media: vivid: fix disappearing messages", " - media: vsp1: Export missing vsp1_isp_free_buffer symbol", " - media: ti: j721e-csi2rx: Use devm_of_platform_populate", " - media: ti: j721e-csi2rx: Fix source subdev link creation", " - media: lirc: Fix error handling in lirc_register()", " - drm/exynos: exynos7_drm_decon: remove ctx->suspended", " - drm/panthor: Fix memory leak in panthor_ioctl_group_create()", " - drm/msm/a6xx: Fix PDC sleep sequence", " - drm/rcar-du: dsi: Fix 1/2/3 lane support", " - drm/nouveau: fix bad ret code in nouveau_bo_move_prep", " - drm/xe/uapi: loosen used tracking restriction", " - drm/amd/display: Incorrect Mirror Cositing", " - drm/amd/display: Enable Dynamic DTBCLK Switch", " - drm/amd/display: Fix unsafe uses of kernel mode FPU", " - blk-crypto: fix missing blktrace bio split events", " - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()", " - bus: mhi: ep: Fix chained transfer handling in read path", " - bus: mhi: host: Do not use uninitialized 'dev' pointer in", " mhi_init_irq_setup()", " - cdx: Fix device node reference leak in cdx_msi_domain_init", " - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk", " - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes", " - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths", " - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks", " - copy_sighand: Handle architectures where sizeof(unsigned long) <", " sizeof(u64)", " - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay", " - cpufreq: intel_pstate: Fix object lifecycle issue in", " update_qos_request()", " - crypto: aspeed - Fix dma_unmap_sg() direction", " - crypto: atmel - Fix dma_unmap_sg() direction", " - crypto: rockchip - Fix dma_unmap_sg() nents value", " - eventpoll: Replace rwlock with spinlock", " - fbdev: Fix logic error in \"offb\" name match", " - fs/ntfs3: Fix a resource leak bug in wnd_extend()", " - fs: quota: create dedicated workqueue for quota_release_work", " - fsnotify: pass correct offset to fsnotify_mmap_perm()", " - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()", " - fuse: fix livelock in synchronous file put from fuseblk workers", " - gpio: mpfs: fix setting gpio direction to output", " - i3c: Fix default I2C adapter timeout value", " - iio/adc/pac1934: fix channel disable configuration", " - iio: dac: ad5360: use int type to store negative error codes", " - iio: dac: ad5421: use int type to store negative error codes", " - iio: frequency: adf4350: Fix prescaler usage.", " - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK", " - iio: xilinx-ams: Unmask interrupts after updating alarms", " - init: handle bootloader identifier in kernel parameters", " - iio: imu: inv_icm42600: Simplify pm_runtime setup", " - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in", " resume", " - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime", " suspended", " - iommu/vt-d: PRS isn't usable if PDS isn't supported", " - ipmi: Rework user message limit handling", " - ipmi:msghandler:Change seq_lock to a mutex", " - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in", " sys_prlimit64() paths", " - KEYS: trusted_tpm1: Compare HMAC values in constant time", " - kho: only fill kimage if KHO is finalized", " - lib/genalloc: fix device leak in of_gen_pool_get()", " - loop: fix backing file reference leak on validation error", " - md: fix mssing blktrace bio split events", " - of: unittest: Fix device reference count leak in", " of_unittest_pci_node_verify", " - openat2: don't trigger automounts with RESOLVE_NO_XDEV", " - padata: Reset next CPU when reorder sequence wraps around", " - parisc: don't reference obsolete termio struct for TC* constants", " - parisc: Remove spurious if statement from raw_copy_from_user()", " - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk", " - pinctrl: samsung: Drop unused S3C24xx driver data", " - PM: EM: Fix late boot with holes in CPU topology", " - PM: hibernate: Fix hybrid-sleep", " - PM: hibernate: Restrict GFP mask in power_down()", " - power: supply: max77976_charger: fix constant current reporting", " - powerpc/powernv/pci: Fix underflow and leak issue", " - powerpc/pseries/msi: Fix potential underflow and leak issue", " - pwm: berlin: Fix wrong register in suspend/resume", " - pwm: Fix incorrect variable used in error message", " - Revert \"ipmi: fix msg stack when IPMI is disconnected\"", " - sched/deadline: Fix race in push_dl_task()", " - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()", " - scsi: sd: Fix build warning in sd_revalidate_disk()", " - sctp: Fix MAC comparison to be constant-time", " - smb client: fix bug with newly created file in cached dir", " - sparc64: fix hugetlb for sun4u", " - sparc: fix error handling in scan_one_device()", " - xtensa: simdisk: add input size check in proc_write_simdisk", " - xsk: Harden userspace-supplied xdp_desc validation", " - mtd: rawnand: fsmc: Default to autodetect buswidth", " - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N", " - mmc: core: SPI mode remove cmd7", " - mmc: mmc_spi: multiple block read remove read crc ack", " - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe", " - memory: stm32_omm: Fix req2ack update test", " - rtc: interface: Ensure alarm irq is enabled when UIE is enabled", " - rtc: interface: Fix long-standing race when setting alarm", " - rseq/selftests: Use weak symbol reference, not definition, to link with", " glibc", " - PCI: xilinx-nwl: Fix ECAM programming", " - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock", " - PCI/sysfs: Ensure devices are powered for config reads", " - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV", " - PCI/ERR: Fix uevent on failure to recover", " - PCI/AER: Fix missing uevent on recovery when a reset is requested", " - PCI/AER: Support errors introduced by PCIe r6.0", " - PCI: Ensure relaxed tail alignment does not increase min_align", " - PCI: Fix failure detection during resource resize", " - PCI: j721e: Fix module autoloading", " - PCI: j721e: Fix programming sequence of \"strap\" settings", " - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on", " exit", " - PCI: rcar-gen4: Fix PHY initialization", " - PCI: rcar-host: Drop PMSR spinlock", " - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock", " - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()", " - PCI: tegra194: Handle errors in BPMP response", " - PCI: tegra194: Reset BARs when running in PCIe endpoint mode", " - PCI/pwrctrl: Fix device leak at registration", " - PCI/pwrctrl: Fix device and OF node leak at bus scan", " - PCI/pwrctrl: Fix device leak at device stop", " - spi: cadence-quadspi: Flush posted register writes before INDAC access", " - spi: cadence-quadspi: Flush posted register writes before DAC access", " - spi: cadence-quadspi: Fix cqspi_setup_flash()", " - xfs: use deferred intent items for reaping crosslinked blocks", " - x86/fred: Remove ENDBR64 from FRED entry points", " - x86/umip: Check that the instruction opcode is at least two bytes", " - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT", " aliases)", " - mptcp: pm: in-kernel: usable client side with C-flag", " - mptcp: reset blackhole on success with non-loopback ifaces", " - selftests: mptcp: join: validate C-flag + def limit", " - s390/cio/ioasm: Fix __xsch() condition code handling", " - s390/dasd: enforce dma_alignment to ensure proper buffer validation", " - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request", " - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR", " - slab: prevent warnings when slab obj_exts vector allocation fails", " - slab: mark slab->obj_exts allocation failures unconditionally", " - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again", " - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs", " - wifi: rtw89: avoid possible TX wait initialization race", " - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000", " - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500", " - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages", " - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled", " mTHP subpage to shared zeropage", " - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations", " - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when", " max_huge_pages=0", " - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success", " - mm/damon/lru_sort: use param_ctx for damon_attrs staging", " - nfsd: decouple the xprtsec policy check from check_nfsd_access()", " - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()", " - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry", " - media: iris: Call correct power off callback in cleanup path", " - media: iris: Fix firmware reference leak and unmap memory after load", " - media: iris: fix module removal if firmware download failed", " - media: iris: vpu3x: Add MNoC low power handshake during hardware power-", " off", " - media: iris: Fix port streaming handling", " - media: iris: Fix buffer count reporting in internal buffer check", " - media: iris: Allow substate transition to load resources during output", " streaming", " - media: iris: Always destroy internal buffers on firmware release", " response", " - media: iris: Simplify session stop logic by relying on vb2 checks", " - media: iris: Update vbuf flags before v4l2_m2m_buf_done", " - media: iris: Send dummy buffer address for all codecs during drain", " - media: iris: Fix missing LAST flag handling during drain", " - media: iris: Fix format check for CAPTURE plane in try_fmt", " - media: iris: Allow stop on firmware only if start was issued.", " - ext4: add ext4_sb_bread_nofail() helper function for", " ext4_free_branches()", " - ext4: fail unaligned direct IO write with EINVAL", " - ext4: verify orphan file size is not too big", " - ext4: increase i_disksize to offset + len in", " ext4_update_disksize_before_punch()", " - ext4: correctly handle queries for metadata mappings", " - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()", " - ext4: fix an off-by-one issue during moving extents", " - ext4: guard against EA inode refcount underflow in xattr update", " - ext4: validate ea_ino and size in check_xattrs", " - ACPICA: Allow to skip Global Lock initialization", " - ext4: free orphan info with kvfree", " - ipmi: Fix handling of messages with provided receive message pointer", " - Squashfs: add additional inode sanity checking", " - Squashfs: reject negative file sizes in squashfs_read_inode()", " - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork", " - media: mc: Clear minor number before put device", " - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs", " - ACPI: property: Disregard references in data-only subnode lists", " - ACPI: property: Add code comments explaining what is going on", " - ACPI: property: Do not pass NULL handles to acpi_attach_data()", " - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume", " - copy_file_range: limit size if in compat mode", " - minixfs: Verify inode mode when loading from disk", " - pid: Add a judgment for ns null in pid_nr_ns", " - fs: Add 'initramfs_options' to set initramfs mount options", " - cramfs: Verify inode mode when loading from disk", " - nsfs: validate extensible ioctls", " - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list", " - writeback: Avoid softlockup when switching many inodes", " - writeback: Avoid excessively long inode switching times", " - iomap: error out on file IO when there is no inline_data buffer", " - pidfs: validate extensible ioctls", " - mount: handle NULL values in mnt_ns_release()", " - Linux 6.17.4", " * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race", " condition in perf build causes build failure due to missing unistd_64.h", " header on arm64 (LP: #2131702)", " - perf tools: Fix arm64 libjvmti build by generating unistd_64.h", " * Questing update: v6.17.3 upstream stable release (LP: #2129610)", " - arch: copy_thread: pass clone_flags as u64", " - filelock: add FL_RECLAIM to show_fl_flags() macro", " - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD", " - pid: use ns_capable_noaudit() when determining net sysctl permissions", " - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures", " - [Config]: Update CC configs for v6.17.3", " - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too", " fast", " - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact", " - selftests: arm64: Check fread return value in exec_target", " - selftests: arm64: Fix -Waddress warning in tpidr2 test", " - kselftest/arm64/gcs: Correctly check return value when disabling GCS", " - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()", " - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote", " - gfs2: Remove space before newline", " - gfs2: Further sanitize lock_dlm.c", " - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue", " - gfs2: Remove duplicate check in do_xmote", " - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS", " - gfs2: do_xmote cleanup", " - gfs2: Add proper lockspace locking", " - powerpc/8xx: Remove left-over instruction and comments in", " DataStoreTLBMiss handler", " - powerpc/603: Really copy kernel PGD entries into all PGDIRs", " - powerpc/ftrace: ensure ftrace record ops are always set for NOPs", " - powerpc64/modules: correctly iterate over stubs in", " setup_ftrace_ool_stubs", " - uprobes: uprobe_warn should use passed task", " - raid6: riscv: Clean up unused header file inclusion", " - coresight: trbe: Prevent overflow in PERF_IDX2OFF()", " - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()", " - erofs: avoid reading more for fragment maps", " - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages", " - smb: server: fix IRD/ORD negotiation with the client", " - perf/x86/intel: Use early_initcall() to hook bts_init()", " - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error", " - x86/vdso: Fix output operand size of RDPID", " - selftests: cgroup: Make test_pids backwards compatible", " - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()", " - [Config]: Update CONFIG_SCHED_MC for v6.17.3", " - lsm: CONFIG_LSM can depend on CONFIG_SECURITY", " - cpuset: fix failure to enable isolated partition when containing", " isolcpus", " - btrfs: return any hit error from extent_writepage_io()", " - btrfs: fix symbolic link reading when bs > ps", " - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()", " - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0", " - bpf: Tidy verifier bug message", " - regmap: Remove superfluous check for !config in __regmap_init()", " - selftests/bpf: Copy test_kmods when installing selftest", " - rust: cpumask: Mark CpumaskVar as transparent", " - bpf/selftests: Fix test_tcpnotify_user", " - bpf: Remove migrate_disable in kprobe_multi_link_prog_run", " - libbpf: Fix reuse of DEVMAP", " - tools/nolibc: fix error return value of clock_nanosleep()", " - ARM: dts: renesas: porter: Fix CAN pin group", " - leds: max77705: Function return instead of variable assignment", " - leds: flash: leds-qcom-flash: Update torch current clamp setting", " - s390/bpf: Do not write tail call counter into helper and kfunc frames", " - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL", " - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG", " - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()", " - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on", " EVTB1", " - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1", " - libbpf: Export bpf_object__prepare symbol", " - firmware: arm_scmi: Mark VirtIO ready before registering", " scmi_virtio_driver", " - arm64: dts: imx93-kontron: Fix GPIO for panel regulator", " - arm64: dts: imx93-kontron: Fix USB port assignment", " - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid", " - bpf: Remove preempt_disable in bpf_try_get_buffers", " - ACPI: processor: idle: Fix memory leak when register cpuidle device", " failed", " - genirq: Add irq_chip_(startup/shutdown)_parent()", " - PCI/MSI: Add startup/shutdown for per device domains", " - irqchip/sg2042-msi: Fix broken affinity setting", " - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()", " - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS", " - pinctrl: meson-gxl: add missing i2c_d pinmux", " - blk-mq: check kobject state_in_sysfs before deleting in", " blk_mq_unregister_hctx", " - selftests/futex: Remove the -g parameter from futex_priv_hash", " - ARM: at91: pm: fix MCKx restore routine", " - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map", " - regulator: scmi: Use int type to store negative error codes", " - selftests/futex: Fix some futex_numa_mpol subtests", " - tools/nolibc: avoid error in dup2() if old fd equals new fd", " - selftests/nolibc: fix EXPECT_NZ macro", " - leds: leds-lp55xx: Use correct address for memory programming", " - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in", " cond_[startup|shutdown]_parent()", " - block: use int to store blk_stack_limits() return value", " - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property", " - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes", " - genirq/test: Fix depth tests on architectures with NOREQUEST by default.", " - genirq/test: Select IRQ_DOMAIN", " - genirq/test: Depend on SPARSE_IRQ", " - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions", " - genirq/test: Ensure CPU 1 is online for hotplug test", " - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()", " - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY", " - PM: sleep: core: Clear power.must_resume in noirq suspend error path", " - blk-mq: fix elevator depth_updated method", " - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h", " - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS", " to use correct boolean syntax", " - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property", " to use correct boolean syntax in DTS", " - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer", " property", " - PM / devfreq: mtk-cci: Fix potential error pointer dereference in", " probe()", " - power: supply: cw2015: Fix a alignment coding style issue", " - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI", " - pinctrl: renesas: Use int type to store negative error codes", " - pinctrl: eswin: Fix regulator error check and Kconfig dependency", " - null_blk: Fix the description of the cache_size module argument", " - blk-throttle: fix access race during throttle policy activation", " - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper", " - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing", " vDSO", " - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup", " path", " - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()", " - tick: Do not set device to detached state in tick_shutdown()", " - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0", " - arm64: dts: mediatek: mt8183: Fix out of range pull values", " - nbd: restrict sockets to TCP and UDP", " - PM / devfreq: rockchip-dfi: double count on RK3588", " - firmware: firmware: meson-sm: fix compile-test default", " - dts: arm: amlogic: fix pwm node for c3", " - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure", " - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure", " - cpuidle: qcom-spm: fix device and OF node leaks at probe", " - block: cleanup bio_issue", " - block: initialize bio issue time in blk_mq_submit_bio()", " - block: factor out a helper bio_submit_split_bioset()", " - block: skip unnecessary checks for split bio", " - block: fix ordering of recursive split IO", " - blk-mq: remove useless checkings in blk_mq_update_nr_requests()", " - blk-mq: check invalid nr_requests in queue_requests_store()", " - blk-mq: convert to serialize updating nr_requests with", " update_nr_hwq_lock", " - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()", " - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()", " - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()", " - blk-mq: fix potential deadlock while nr_requests grown", " - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting", " - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting", " - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10", " - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10", " - arm64: dts: rockchip: Fix network on rk3576 evb1 board", " - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F", " cores", " - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'", " - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout", " locations\"", " - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x", " carveout locations\"", " - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186", " - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model", " - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros", " - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node", " - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names", " - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()", " - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value", " - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address", " - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes", " - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible", " - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs", " - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal", " - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal", " - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal", " - pwm: tiehrpwm: Don't drop runtime PM reference in .free()", " - pwm: tiehrpwm: Make code comment in .free() more useful", " - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation", " - pwm: tiehrpwm: Fix corner case in clock divisor calculation", " - ACPICA: Apply ACPI_NONSTRING", " - ACPICA: Fix largest possible resource descriptor index", " - riscv, bpf: Sign extend struct ops return values properly", " - nvme-auth: update bi_directional flag", " - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op", " - nvmet-fcloop: call done callback even when remote port is gone", " - nvme-tcp: send only permitted commands for secure concat", " - i3c: master: svc: Use manual response for IBI events", " - i3c: master: svc: Recycle unused IBI slot", " - block: update validation of atomic writes boundary for stacked devices", " - block: fix stacking of atomic writes when atomics are not supported", " - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported", " - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES", " - blk-throttle: fix throtl_data leak during disk release", " - bpf: Explicitly check accesses to bpf_sock_addr", " - mmc: select REGMAP_MMIO with MMC_LOONGSON2", " - selftests/futex: Fix futex_wait() for 32bit ARM", " - selftest/futex: Make the error check more precise for futex_numa_mpol", " - selftest/futex: Compile also with libnuma < 2.0.16", " - bpf: dont report verifier bug for missing bpf_scc_visit on speculative", " path", " - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()", " - arm64: dts: apple: t600x: Add missing WiFi properties", " - arm64: dts: apple: t600x: Add bluetooth device nodes", " - arm64: dts: apple: Add ethernet0 alias for J375 template", " - selftests: always install UAPI headers to the correct directory", " - smp: Fix up and expand the smp_call_function_many() kerneldoc", " - mfd: max77705: max77705_charger: move active discharge setting to mfd", " parent", " - power: supply: max77705_charger: refactoring: rename charger to chg", " - power: supply: max77705_charger: use regfields for config registers", " - power: supply: max77705_charger: rework interrupts", " - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in", " host headers", " - spi: fix return code when spi device has too many chipselects", " - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation", " - clocksource/drivers/tegra186: Avoid 64-bit division", " - bpf: Mark kfuncs as __noclone", " - once: fix race by moving DO_ONCE to separate section", " - hwmon: (mlxreg-fan) Separate methods of fan setting coming from", " different subsystems", " - tools/nolibc: add stdbool.h to nolibc includes", " - thermal/drivers/qcom: Make LMH select QCOM_SCM", " - thermal/drivers/qcom/lmh: Add missing IRQ includes", " - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD", " - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails", " - i2c: spacemit: remove stop function to avoid bus error", " - i2c: spacemit: disable SDA glitch fix to avoid restart delay", " - i2c: spacemit: check SDA instead of SCL after bus reset", " - i2c: spacemit: ensure SDA is released after bus reset", " - i2c: designware: Fix clock issue when PM is disabled", " - i2c: designware: Add disabling clocks when probe fails", " - libbpf: Fix error when st-prefix_ops and ops from differ btf", " - bpf: Enforce expected_attach_type for tailcall compatibility", " - i3c: fix big-endian FIFO transfers", " - mfd: max77705: Setup the core driver as an interrupt controller", " - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test", " - drm/panel-edp: Add disable to 100ms for MNB601LS1-4", " - drm/display: bridge-connector: correct CEC bridge pointers in", " drm_bridge_connector_init", " - drm/panel-edp: Add 50ms disable delay for four panels", " - drm/vmwgfx: fix missing assignment to ts", " - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into", " 'stream_res' v4", " - drm/panel: novatek-nt35560: Fix invalid return value", " - drm/amdgpu: fix link error for !PM_SLEEP", " - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest", " - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest", " - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in", " pci_epf_write_msi_msg()", " - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()", " - drm/radeon/r600_cs: clean up of dead code in r600_cs", " - f2fs: fix condition in __allow_reserved_blocks()", " - f2fs: fix to avoid overflow while left shift operation", " - f2fs: fix to zero data after EOF for compressed file correctly", " - drm/bridge: it6505: select REGMAP_I2C", " - wifi: rtw88: Lock rtwdev->mutex before setting the LED", " - HID: steelseries: refactor probe() and remove()", " - media: zoran: Remove zoran_fh structure", " - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568", " - drm/bridge: cdns-dsi: Fix the _atomic_check()", " - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup", " - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls", " - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure", " - misc: pci_endpoint_test: Fix array underflow in", " pci_endpoint_test_ioctl()", " - serial: max310x: Add error checking in probe()", " - drm/amd/display: Remove redundant semicolons", " - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute", " functions", " - crypto: keembay - Add missing check after sg_nents_for_len()", " - hwrng: nomadik - add ARM_AMBA dependency", " - docs: iio: ad3552r: Fix malformed code-block directive", " - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()", " - scsi: pm80xx: Restore support for expanders", " - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod", " - scsi: libsas: Add dev_parent_is_expander() helper", " - scsi: pm80xx: Use dev_parent_is_expander() helper", " - scsi: pm80xx: Add helper function to get the local phy id", " - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an", " expander", " - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.", " - scsi: myrs: Fix dma_alloc_coherent() error check", " - f2fs: fix to clear unusable_cap for checkpoint=enable", " - f2fs: fix to avoid NULL pointer dereference in", " f2fs_check_quota_consistency()", " - f2fs: fix to allow removing qf_name", " - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not", " always send 3-byte commands\"", " - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands", " - crypto: octeontx2 - Call strscpy() with correct size argument", " - drm: re-allow no-op changes on non-primary planes in async flips", " - media: rj54n1cb0c: Fix memleak in rj54n1_probe()", " - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API", " - media: staging/ipu7: Don't set name for IPU7 PCI device", " - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release", " - media: i2c: vd55g1: Fix duster register address", " - drm/panel: Allow powering on panel follower after panel is enabled", " - HID: i2c-hid: Make elan touch controllers power on after panel is", " enabled", " - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count", " - RDMA/mlx5: Fix vport loopback forcing for MPV device", " - wifi: rtw88: Use led->brightness_set_blocking for PCI too", " - net: phy: introduce phy_id_compare_vendor() PHY ID helper", " - net: phy: as21xxx: better handle PHY HW reset on soft-reboot", " - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()", " - fuse: remove unneeded offset assignment when filling write pages", " - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes", " - cdx: don't select CONFIG_GENERIC_MSI_IRQ", " - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak", " - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()", " - ALSA: lx_core: use int type to store negative error codes", " - media: st-delta: avoid excessive stack usage", " - drm/amdgpu/vcn: Add regdump helper functions", " - drm/amdgpu/vcn: Hold pg_lock before vcn power off", " - drm/amdgpu: Check vcn state before profile switch", " - accel/amdxdna: Use int instead of u32 to store error codes", " - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text", " - net: dst: introduce dst->dev_rcu", " - ipv6: mcast: Add ip6_mc_find_idev() helper", " - ipv6: start using dst_dev_rcu()", " - ipv6: use RCU in ip6_xmit()", " - ipv6: use RCU in ip6_output()", " - net: use dst_dev_rcu() in sk_setup_caps()", " - tcp_metrics: use dst_dev_net_rcu()", " - ipv4: start using dst_dev_rcu()", " - crypto: hisilicon/zip - remove unnecessary validation for high-", " performance mode configurations", " - crypto: hisilicon - re-enable address prefetch after device resuming", " - crypto: hisilicon - check the sva module status while enabling or", " disabling address prefetch", " - crypto: hisilicon/qm - check whether the input function and PF are on", " the same device", " - crypto: hisilicon/qm - request reserved interrupt for virtual function", " - inet: ping: check sock_net() in ping_get_port() and ping_lookup()", " - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation", " - coresight: trbe: Add ISB after TRBLIMITR write", " - coresight: Fix missing include for FIELD_GET", " - coresight: Only register perf symlink for sinks with alloc_buffer", " - drm/amdgpu: Power up UVD 3 for FW validation (v2)", " - drm/amd/pm: Disable ULV even if unsupported (v3)", " - drm/amd/pm: Fix si_upload_smc_data (v3)", " - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)", " - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)", " - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)", " - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)", " - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta", " - wifi: mwifiex: send world regulatory domain to driver", " - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress", " (CYW)", " - drm/msm: Do not validate SSPP when it is not ready", " - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation", " - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan", " request during MLO", " - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s", " - tcp: fix __tcp_close() to only send RST when required", " - fanotify: Validate the return value of mnt_ns_from_dentry() before", " dereferencing", " - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()", " - usb: phy: twl6030: Fix incorrect type for ret", " - usb: gadget: configfs: Correctly set use_os_string at bind", " - tty: n_gsm: Don't block input queue by waiting MSC", " - misc: genwqe: Fix incorrect cmd field being reported in error", " - pps: fix warning in pps_register_cdev when register device fail", " - drm/msm: Fix obj leak in VM_BIND error path", " - drm/msm: Fix missing VM_BIND offset/range validation", " - wifi: iwlwifi: Remove redundant header files", " - drm/msm/mdp4: stop supporting no-IOMMU configuration", " - drm/msm: stop supporting no-IOMMU configuration", " - idpf: fix Rx descriptor ready check barrier in splitq", " - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping", " - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore", " - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST", " - drm/msm: Fix bootup splat with separate_gpu_drm modparam", " - drm/msm/dpu: fix incorrect type for ret", " - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()", " - fs: ntfs3: Fix integer overflow in run_unpack()", " - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist", " - iio: consumers: Fix handling of negative channel scale in", " iio_convert_raw_to_processed()", " - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()", " - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal", " - tools: ynl: fix undefined variable name", " - RDMA/mlx5: Fix page size bitmap calculation for KSM mode", " - netfilter: ipset: Remove unused htable_bits in macro ahash_region", " - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable", " - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()", " - watchdog: intel_oc_wdt: Do not try to write into const memory", " - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the", " watchdog", " - PCI: endpoint: pci-epf-test: Fix doorbell test support", " - drivers/base/node: handle error properly in register_one_node()", " - RDMA/cm: Rate limit destroy CM ID timeout error message", " - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration", " - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine", " - wifi: mt76: fix potential memory leak in mt76_wmac_probe()", " - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback", " - wifi: mt76: mt7996: Check phy before init msta_link in", " mt7996_mac_sta_add_links()", " - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on", " mt7996", " - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device", " - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE", " - wifi: mt76: mt7915: fix mt7981 pre-calibration", " - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during", " restart", " - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false", " - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()", " - drm/amdgpu: Fix allocating extra dwords for rings (v2)", " - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()", " - f2fs: fix to truncate first page in error path of f2fs_truncate()", " - f2fs: fix to avoid migrating empty section", " - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()", " - RISC-V: KVM: Write hgatp register with valid mode bits", " - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on", " PREEMPT_RT", " - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message", " - scsi: qla2xxx: edif: Fix incorrect sign of error code", " - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()", " - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()", " - HID: hidraw: tighten ioctl command parsing", " - f2fs: fix zero-sized extent for precache extents", " - smc: Fix use-after-free in __pnet_find_base_ndev().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().", " - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().", " - mptcp: Call dst_release() in mptcp_active_enable().", " - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().", " - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems", " Running\"", " - RDMA/core: Resolve MAC of next-hop device without ARP support", " - IB/sa: Fix sa_local_svc_timeout_ms read race", " - Documentation: trace: historgram-design: Separate sched_waking histogram", " section heading and the following diagram", " - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots", " - wifi: ath12k: initialize eirp_power before use", " - wifi: ath12k: fix overflow warning on num_pwr_levels", " - wifi: ath12k: fix signal in radiotap for WCN7850", " - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode", " - wifi: ath12k: fix the fetching of combined rssi", " - wifi: ath12k: Add fallback for invalid channel number in PHY metadata", " - wifi: ath12k: fix wrong logging ID used for CE", " - wifi: ath10k: avoid unnecessary wait for service ready message", " - iommu/vt-d: debugfs: Fix legacy mode page table dump logic", " - wifi: mac80211: fix Rx packet handling when pubsta information is not", " available", " - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC III", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " Niagara", " - sparc: fix accurate exception reporting in copy_to_user for Niagara 4", " - sparc: fix accurate exception reporting in copy_{from,to}_user for M7", " - vfio/pds: replace bitmap_free with vfree", " - crypto: comp - Use same definition of context alloc and free ops", " - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs", " - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()", " - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse", " - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974", " - RDMA/rxe: Fix race in do_task() when draining", " - selftests/mm: fix va_high_addr_switch.sh failure on x86_64", " - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()", " - wifi: rtw89: avoid circular locking dependency in ser_state_run()", " - PCI: tegra194: Fix duplicate PLL disable in", " pex_ep_event_pex_rst_assert()", " - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice", " - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E", " - wifi: ath12k: Refactor RX TID deletion handling into helper function", " - wifi: ath12k: Fix flush cache failure during RX queue update", " - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()", " - dm vdo: return error on corrupted metadata in start_restoring_volume", " functions", " - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()", " - coresight-etm4x: Conditionally access register TRCEXTINSELR", " - coresight: tmc: Support atclk", " - coresight: catu: Support atclk", " - coresight: etm4x: Support atclk", " - coresight: Appropriately disable programming clocks", " - coresight: Appropriately disable trace bus clocks", " - coresight: Avoid enable programming clock duplicately", " - coresight: trbe: Return NULL pointer for allocation failures", " - coresight: tpda: fix the logic to setup the element size", " - coresight: Fix incorrect handling for return value of devm_kzalloc", " - NFSv4.1: fix backchannel max_resp_sz verification check", " - net: ethtool: tsconfig: set command must provide a reply", " - netfilter: nfnetlink: reset nlh pointer during batch replay", " - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack", " - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling", " - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()", " - usb: vhci-hcd: Prevent suspending virtually attached devices", " - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion", " - PCI: rcar-gen4: Assure reset occurs before DBI access", " - PCI: rcar-gen4: Fix inverted break condition in PHY initialization", " - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075", " - iommu/vt-d: Disallow dirty tracking if incoherent page walk", " - iommu/selftest: prevent use of uninitialized variable", " - RDMA/siw: Always report immediate post SQ errors", " - net: enetc: Fix probing error message typo for the ENETCv4 PF driver", " - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast", " - ptp: Add a upper bound on max_vclocks", " - vhost: vringh: Fix copy_to_iter return value check", " - net: macb: remove illusion about TBQPH/RBQPH being per-queue", " - net: macb: move ring size computation to functions", " - net: macb: single dma_alloc_coherent() for DMA descriptors", " - Bluetooth: btintel_pcie: Refactor Device Coredump", " - Bluetooth: MGMT: Fix not exposing debug UUID on", " MGMT_OP_READ_EXP_FEATURES_INFO", " - Bluetooth: ISO: Fix possible UAF on iso_conn_free", " - Bluetooth: ISO: free rx_skb if not consumed", " - Bluetooth: ISO: don't leak skb in ISO_CONT RX", " - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements", " - KEYS: X.509: Fix Basic Constraints CA flag parsing", " - hwrng: ks-sa - fix division by zero in ks_sa_rng_init", " - cramfs: fix incorrect physical page address calculation", " - ocfs2: fix double free in user_cluster_connect()", " - drivers/base/node: fix double free in register_one_node()", " - f2fs: fix UAF issue in f2fs_merge_page_bio()", " - mtd: rawnand: atmel: Fix error handling path in", " atmel_nand_controller_add_nands", " - PCI: j721e: Fix incorrect error message in probe()", " - idpf: fix mismatched free function for dma_alloc_coherent", " - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()", " - nfp: fix RSS hash key size when RSS is not supported", " - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not", " configurable", " - net: dlink: handle copy_thresh allocation failure", " - net/mlx5: Stop polling for command response if interface goes down", " - net/mlx5: pagealloc: Fix reclaim race during command interface teardown", " - net/mlx5: fw reset, add reset timeout work", " - smb: client: fix crypto buffers in non-linear memory", " - bonding: fix xfrm offload feature setup on active-backup mode", " - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values", " - iommufd: Register iommufd mock devices with fwspec", " - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"", " - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support", " - nfs/localio: avoid issuing misaligned IO using O_DIRECT", " - octeontx2-vf: fix bitmap leak", " - octeontx2-pf: fix bitmap leak", " - vhost: vringh: Modify the return value check", " - selftests/bpf: Fix typos and grammar in test sources", " - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c", " - selftests/bpf: Fix realloc size in bpf_get_addrs", " - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer", " - bpf: Reject negative offsets for ALU ops", " - tpm: Disable TPM2_TCG_HMAC by default", " - ALSA: hda/hdmi: Add pin fix for HP ProDesk model", " - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100", " - Squashfs: fix uninit-value in squashfs_get_parent", " - uio_hv_generic: Let userspace take care of interrupt mask", " - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init", " - io_uring/waitid: always prune wait queue entry in io_waitid_wait()", " - io_uring/zcrx: fix overshooting recv limit", " - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()", " - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down", " - ASoC: codecs: wcd937x: set the comp soundwire port correctly", " - ASoC: codecs: wcd937x: make stub functions inline", " - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples", " - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA", " - fs: udf: fix OOB read in lengthAllocDescs handling", " - net: nfc: nci: Add parameter validation for packet data", " - mfd: rz-mtu3: Fix MTU5 NFCR register offset", " - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag", " - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()", " - tracing: Fix lock imbalance in s_start() memory allocation failure path", " - tracing: Fix race condition in kprobe initialization causing NULL", " pointer dereference", " - tracing: Fix wakeup tracers on failure of acquiring calltime", " - tracing: Fix irqoff tracers on failure of acquiring calltime", " - tracing: Have trace_marker use per-cpu data to read user space", " - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf", " - tracing: Stop fortify-string from warning in tracing_mark_raw_write()", " - dm: fix queue start/stop imbalance under suspend/load/resume races", " - dm: fix NULL pointer dereference in __dm_suspend()", " - LoongArch: Automatically disable kaslr if boot from kexec_file", " - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT", " - LoongArch: BPF: Sign-extend struct ops return values properly", " - LoongArch: BPF: No support of struct argument in trampoline programs", " - LoongArch: BPF: Don't align trampoline size", " - LoongArch: BPF: Make trampoline size stable", " - LoongArch: BPF: Make error handling robust in", " arch_prepare_bpf_trampoline()", " - LoongArch: BPF: Remove duplicated bpf_flush_icache()", " - LoongArch: BPF: No text_poke() for kernel text", " - LoongArch: BPF: Remove duplicated flags check", " - LoongArch: BPF: Fix uninitialized symbol 'retval_off'", " - mm/ksm: fix flag-dropping behavior in ksm_madvise", " - ksmbd: Fix race condition in RPC handle list access", " - ksmbd: fix error code overwriting in smb2_get_info_filesystem()", " - ksmbd: add max ip connections parameter", " - ext4: fix potential null deref in ext4_mb_init()", " - ext4: fix checks for orphan inodes", " - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid", " - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()", " - mm: hugetlb: avoid soft lockup when mprotect to large memory area", " - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is", " disabled", " - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()", " - misc: fastrpc: Save actual DMA size in fastrpc_map structure", " - misc: fastrpc: Fix fastrpc_map_lookup operation", " - misc: fastrpc: fix possible map leak in fastrpc_put_args", " - misc: fastrpc: Skip reference for DMA handles", " - Input: atmel_mxt_ts - allow reset GPIO to sleep", " - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info", " leak", " - sunrpc: fix null pointer dereference on zero-length checksum", " - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()", " - remoteproc: pru: Fix potential NULL pointer dereference in", " pru_rproc_set_ctable()", " - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before", " release", " - thunderbolt: Fix use-after-free in tb_dp_dprx_work", " - tee: fix register_shm_helper()", " - pinctrl: check the return value of pinmux_ops::get_function_name()", " - bus: fsl-mc: Check return value of platform_get_resource()", " - net/9p: Fix buffer overflow in USB transport layer", " - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock", " - usb: typec: tipd: Clear interrupts first", " - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode", " - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call", " - scsi: ufs: core: Fix PM QoS mutex initialization", " - drm/amdgpu/vcn: Fix double-free of vcn dump buffer", " - Linux 6.17.3", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", "" ], "package": "linux-riscv", "version": "6.17.0-9.9.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "author": "Emil Renner Berthing ", "date": "Mon, 01 Dec 2025 16:40:19 +0100" } ], "notes": "linux-image-6.17.0-12-generic version '6.17.0-12.12.1' (source package linux-riscv version '6.17.0-12.12.1') was added. linux-image-6.17.0-12-generic version '6.17.0-12.12.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-8-generic. As such we can use the source package version of the removed package, '6.17.0-8.8.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-6.17.0-12-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": null }, "to_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-12.12.1", "version": "6.17.0-12.12.1" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" }, { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138113, 2138115, 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-12.12.1 -proposed tracker (LP: #2138113)", "", " [ Ubuntu: 6.17.0-12.12 ]", "", " * questing/linux: 6.17.0-12.12 -proposed tracker (LP: #2138115)", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40214", " - af_unix: Initialise scc_index in unix_add_edge().", "" ], "package": "linux-riscv", "version": "6.17.0-12.12.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2138113, 2138115 ], "author": "Sarah Emery ", "date": "Thu, 15 Jan 2026 10:49:19 +0100" }, { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-9.9.1 -proposed tracker (LP: #2133508)", "", " [ Ubuntu: 6.17.0-9.9 ]", "", " * questing/linux: 6.17.0-9.9 -proposed tracker (LP: #2132302)", " * The machine didn’t go into suspend and got stuck (LP: #2132095)", " - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep", " handlers", " * CAP_PERFMON insufficient to get perf data (LP: #2131046)", " - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4", " * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or", " later (LP: #2115860)", " - drm/amd: Unify shutdown() callback behavior", " - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device", " - drm/amd: Remove comment about handling errors in", " amdgpu_device_ip_suspend_phase1()", " - drm/amd: Don't always set IP block HW status to false", " - drm/amd: Pass IP suspend errors up to callers", " - drm/amd: Avoid evicting resources at S5", " * kernel crash on bootup for some arm64 machines (LP: #2129770)", " - KVM: arm64: Guard PMSCR_EL1 initialization with SPE presence check", " * crash when reading from /sys/kernel/tracing/rv/enabled_monitors", " (LP: #2131136)", " - rv: Fully convert enabled_monitors to use list_head as iterator", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", " * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera", " (LP: #2128792)", " - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"", " - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO", " function\"", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", " * Questing update: v6.17.4 upstream stable release (LP: #2131259)", " - fs: always return zero on success from replace_fd()", " - fscontext: do not consume log entries when returning -EMSGSIZE", " - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()", " - arm64: map [_text, _stext) virtual address range non-executable+read-", " only", " - rseq: Protect event mask against membarrier IPI", " - statmount: don't call path_put() under namespace semaphore", " - listmount: don't call path_put() under namespace semaphore", " - clocksource/drivers/clps711x: Fix resource leaks in error paths", " - memcg: skip cgroup_file_notify if spinning is not allowed", " - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches", " - PM: runtime: Update kerneldoc return codes", " - dma-mapping: fix direction in dma_alloc direction traces", " - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency", " - nfsd: unregister with rpcbind when deleting a transport", " - KVM: x86: Add helper to retrieve current value of user return MSR", " - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2", " - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE", " - media: v4l2-subdev: Fix alloc failure check in", " v4l2_subdev_call_state_try()", " - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled", " - clk: npcm: select CONFIG_AUXILIARY_BUS", " - clk: thead: th1520-ap: describe gate clocks with clk_gate", " - clk: thead: th1520-ap: fix parent of padctrl0 clock", " - clk: thead: Correct parent for DPU pixel clocks", " - clk: renesas: r9a08g045: Add MSTOP for GPIO", " - perf disasm: Avoid undefined behavior in incrementing NULL", " - perf test trace_btf_enum: Skip if permissions are insufficient", " - perf evsel: Avoid container_of on a NULL leader", " - libperf event: Ensure tracing data is multiple of 8 sized", " - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()", " - clk: qcom: Select the intended config in QCS_DISPCC_615", " - perf parse-events: Handle fake PMUs in CPU terms", " - clk: at91: peripheral: fix return value", " - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()", " - perf: Completely remove possibility to override MAX_NR_CPUS", " - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()", " - perf util: Fix compression checks returning -1 as bool", " - rtc: x1205: Fix Xicor X1205 vendor prefix", " - rtc: optee: fix memory leak on driver removal", " - perf arm_spe: Correct setting remote access", " - perf arm_spe: Correct memory level for remote access", " - perf vendor events arm64 AmpereOneX: Fix typo - should be", " l1d_cache_access_prefetches", " - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1", " - perf test shell lbr: Avoid failures with perf event paranoia", " - perf trace: Fix IS_ERR() vs NULL check bug", " - perf session: Fix handling when buffer exceeds 2 GiB", " - perf test: Don't leak workload gopipe in PERF_RECORD_*", " - perf evsel: Fix uniquification when PMU given without suffix", " - perf test: Avoid uncore_imc/clockticks in uniquification test", " - perf evsel: Ensure the fallback message is always written to", " - perf build-id: Ensure snprintf string is empty when size is 0", " - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m", " - clk: mediatek: clk-mux: Do not pass flags to", " clk_mux_determine_rate_flags()", " - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()", " - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver", " - clk: tegra: do not overallocate memory for bpmp clocks", " - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update", " - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()", " - vfs: add ATTR_CTIME_SET flag", " - nfsd: use ATTR_CTIME_SET for delegated ctime updates", " - nfsd: track original timestamps in nfs4_delegation", " - nfsd: fix SETATTR updates for delegated timestamps", " - nfsd: fix timestamp updates in CB_GETATTR", " - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64", " - PM: core: Annotate loops walking device links as _srcu", " - PM: core: Add two macros for walking device links", " - PM: sleep: Do not wait on SYNC_STATE_ONLY device links", " - cpufreq: tegra186: Set target frequency for all cpus in policy", " - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue", " - perf bpf-filter: Fix opts declaration on older libbpfs", " - scsi: ufs: sysfs: Make HID attributes visible", " - mshv: Handle NEED_RESCHED_LAZY before transferring to guest", " - perf bpf_counter: Fix handling of cpumap fixing hybrid", " - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size", " - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer", " size", " - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead", " of buffer time", " - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference", " - LoongArch: Fix build error for LTO with LLVM-18", " - LoongArch: Init acpi_gbl_use_global_lock to false", " - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel", " - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in", " lan78xx_read_raw_eeprom", " - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()", " - drm/xe/hw_engine_group: Fix double write lock release in error path", " - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path", " - s390/cio: Update purge function to unregister the unused subchannels", " - drm/vmwgfx: Fix a null-ptr access in the cursor snooper", " - drm/vmwgfx: Fix Use-after-free in validation", " - drm/vmwgfx: Fix copy-paste typo in validation", " - net/sctp: fix a null dereference in sctp_disposition", " sctp_sf_do_5_1D_ce()", " - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().", " - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work", " - selftest: net: ovpn: Fix uninit return values", " - ice: ice_adapter: release xa entry on adapter allocation failure", " - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe", " - tools build: Align warning options with perf", " - perf python: split Clang options when invoking Popen", " - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()", " - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call", " - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes", " - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop", " - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind", " - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}", " - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions", " - net: sparx5/lan969x: fix flooding configuration on bridge join/leave", " - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables", " - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed", " - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()", " - drm/amdgpu: Add additional DCE6 SCL registers", " - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs", " - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6", " - drm/amd/display: Properly disable scaling on DCE6", " - drm/amd/display: Disable scaling on DCE6 for now", " - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping", " - net: pse-pd: tps23881: Fix current measurement scaling", " - crypto: skcipher - Fix reqsize handling", " - netfilter: nft_objref: validate objref and objrefmap expressions", " - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()", " - selftests: netfilter: nft_fib.sh: fix spurious test failures", " - selftests: netfilter: query conntrack state to check for port clash", " resolution", " - io_uring/zcrx: increment fallback loop src offset", " - net: airoha: Fix loopback mode configuration for GDM2 port", " - cifs: Fix copy_to_iter return value check", " - smb: client: fix missing timestamp updates after utime(2)", " - rtc: isl12022: Fix initial enable_irq/disable_irq balance", " - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points", " - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single", " - gpio: wcd934x: mark the GPIO controller as sleeping", " - bpf: Avoid RCU context warning when unpinning htab with internal structs", " - kbuild: always create intermediate vmlinux.unstripped", " - kbuild: keep .modinfo section in vmlinux.unstripped", " - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux", " - kbuild: Add '.rel.*' strip pattern for vmlinux", " - s390: vmlinux.lds.S: Reorder sections", " - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections", " - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name", " - ACPI: property: Fix buffer properties extraction for subnodes", " - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT", " - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg", " - ACPI: debug: fix signedness issues in read/write helpers", " - ACPI: battery: Add synchronization between interface updates", " - arm64: dts: qcom: msm8916: Add missing MDSS reset", " - arm64: dts: qcom: msm8939: Add missing MDSS reset", " - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees", " - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010", " by default\"", " - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default", " - arm64: dts: ti: k3-am62a-main: Fix main padcfg length", " - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP", " - arm64: kprobes: call set_memory_rox() for kprobe page", " - arm64: mte: Do not flag the zero page as PG_mte_tagged", " - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on", " reset)", " - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in", " amx3_idle_init", " - firmware: arm_scmi: quirk: Prevent writes to string constants", " - perf/arm-cmn: Fix CMN S3 DTM offset", " - KVM: s390: Fix to clear PTE when discarding a swapped page", " - KVM: arm64: Fix debug checking for np-guests using huge mappings", " - KVM: arm64: Fix page leak in user_mem_abort()", " - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP", " - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES", " guest", " - KVM: TDX: Fix uninitialized error code for __tdx_bringup()", " - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-", " required", " - xen: take system_transition_mutex on suspend", " - xen/events: Cleanup find_virq() return codes", " - xen/manage: Fix suspend error path", " - xen/events: Return -EEXIST for bound VIRQs", " - xen/events: Update virq_to_irq on migration", " - firmware: exynos-acpm: fix PMIC returned errno", " - firmware: meson_sm: fix device leak at probe", " - media: cec: extron-da-hd-4k-plus: drop external-module make commands", " - media: cx18: Add missing check after DMA map", " - media: i2c: mt9p031: fix mbus code initialization", " - media: i2c: mt9v111: fix incorrect type for ret", " - media: mc: Fix MUST_CONNECT handling for pads with no links", " - media: pci: ivtv: Add missing check after DMA map", " - media: pci: mg4b: fix uninitialized iio scan data", " - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids", " - media: s5p-mfc: remove an unused/uninitialized variable", " - media: staging/ipu7: fix isys device runtime PM usage in firmware", " closing", " - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh", " - media: venus: firmware: Use correct reset sequence for IRIS2", " - media: venus: pm_helpers: add fallback for the opp-table", " - media: vivid: fix disappearing messages", " - media: vsp1: Export missing vsp1_isp_free_buffer symbol", " - media: ti: j721e-csi2rx: Use devm_of_platform_populate", " - media: ti: j721e-csi2rx: Fix source subdev link creation", " - media: lirc: Fix error handling in lirc_register()", " - drm/exynos: exynos7_drm_decon: remove ctx->suspended", " - drm/panthor: Fix memory leak in panthor_ioctl_group_create()", " - drm/msm/a6xx: Fix PDC sleep sequence", " - drm/rcar-du: dsi: Fix 1/2/3 lane support", " - drm/nouveau: fix bad ret code in nouveau_bo_move_prep", " - drm/xe/uapi: loosen used tracking restriction", " - drm/amd/display: Incorrect Mirror Cositing", " - drm/amd/display: Enable Dynamic DTBCLK Switch", " - drm/amd/display: Fix unsafe uses of kernel mode FPU", " - blk-crypto: fix missing blktrace bio split events", " - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()", " - bus: mhi: ep: Fix chained transfer handling in read path", " - bus: mhi: host: Do not use uninitialized 'dev' pointer in", " mhi_init_irq_setup()", " - cdx: Fix device node reference leak in cdx_msi_domain_init", " - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk", " - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes", " - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths", " - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks", " - copy_sighand: Handle architectures where sizeof(unsigned long) <", " sizeof(u64)", " - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay", " - cpufreq: intel_pstate: Fix object lifecycle issue in", " update_qos_request()", " - crypto: aspeed - Fix dma_unmap_sg() direction", " - crypto: atmel - Fix dma_unmap_sg() direction", " - crypto: rockchip - Fix dma_unmap_sg() nents value", " - eventpoll: Replace rwlock with spinlock", " - fbdev: Fix logic error in \"offb\" name match", " - fs/ntfs3: Fix a resource leak bug in wnd_extend()", " - fs: quota: create dedicated workqueue for quota_release_work", " - fsnotify: pass correct offset to fsnotify_mmap_perm()", " - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()", " - fuse: fix livelock in synchronous file put from fuseblk workers", " - gpio: mpfs: fix setting gpio direction to output", " - i3c: Fix default I2C adapter timeout value", " - iio/adc/pac1934: fix channel disable configuration", " - iio: dac: ad5360: use int type to store negative error codes", " - iio: dac: ad5421: use int type to store negative error codes", " - iio: frequency: adf4350: Fix prescaler usage.", " - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK", " - iio: xilinx-ams: Unmask interrupts after updating alarms", " - init: handle bootloader identifier in kernel parameters", " - iio: imu: inv_icm42600: Simplify pm_runtime setup", " - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in", " resume", " - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime", " suspended", " - iommu/vt-d: PRS isn't usable if PDS isn't supported", " - ipmi: Rework user message limit handling", " - ipmi:msghandler:Change seq_lock to a mutex", " - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in", " sys_prlimit64() paths", " - KEYS: trusted_tpm1: Compare HMAC values in constant time", " - kho: only fill kimage if KHO is finalized", " - lib/genalloc: fix device leak in of_gen_pool_get()", " - loop: fix backing file reference leak on validation error", " - md: fix mssing blktrace bio split events", " - of: unittest: Fix device reference count leak in", " of_unittest_pci_node_verify", " - openat2: don't trigger automounts with RESOLVE_NO_XDEV", " - padata: Reset next CPU when reorder sequence wraps around", " - parisc: don't reference obsolete termio struct for TC* constants", " - parisc: Remove spurious if statement from raw_copy_from_user()", " - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk", " - pinctrl: samsung: Drop unused S3C24xx driver data", " - PM: EM: Fix late boot with holes in CPU topology", " - PM: hibernate: Fix hybrid-sleep", " - PM: hibernate: Restrict GFP mask in power_down()", " - power: supply: max77976_charger: fix constant current reporting", " - powerpc/powernv/pci: Fix underflow and leak issue", " - powerpc/pseries/msi: Fix potential underflow and leak issue", " - pwm: berlin: Fix wrong register in suspend/resume", " - pwm: Fix incorrect variable used in error message", " - Revert \"ipmi: fix msg stack when IPMI is disconnected\"", " - sched/deadline: Fix race in push_dl_task()", " - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()", " - scsi: sd: Fix build warning in sd_revalidate_disk()", " - sctp: Fix MAC comparison to be constant-time", " - smb client: fix bug with newly created file in cached dir", " - sparc64: fix hugetlb for sun4u", " - sparc: fix error handling in scan_one_device()", " - xtensa: simdisk: add input size check in proc_write_simdisk", " - xsk: Harden userspace-supplied xdp_desc validation", " - mtd: rawnand: fsmc: Default to autodetect buswidth", " - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N", " - mmc: core: SPI mode remove cmd7", " - mmc: mmc_spi: multiple block read remove read crc ack", " - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe", " - memory: stm32_omm: Fix req2ack update test", " - rtc: interface: Ensure alarm irq is enabled when UIE is enabled", " - rtc: interface: Fix long-standing race when setting alarm", " - rseq/selftests: Use weak symbol reference, not definition, to link with", " glibc", " - PCI: xilinx-nwl: Fix ECAM programming", " - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock", " - PCI/sysfs: Ensure devices are powered for config reads", " - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV", " - PCI/ERR: Fix uevent on failure to recover", " - PCI/AER: Fix missing uevent on recovery when a reset is requested", " - PCI/AER: Support errors introduced by PCIe r6.0", " - PCI: Ensure relaxed tail alignment does not increase min_align", " - PCI: Fix failure detection during resource resize", " - PCI: j721e: Fix module autoloading", " - PCI: j721e: Fix programming sequence of \"strap\" settings", " - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on", " exit", " - PCI: rcar-gen4: Fix PHY initialization", " - PCI: rcar-host: Drop PMSR spinlock", " - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock", " - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()", " - PCI: tegra194: Handle errors in BPMP response", " - PCI: tegra194: Reset BARs when running in PCIe endpoint mode", " - PCI/pwrctrl: Fix device leak at registration", " - PCI/pwrctrl: Fix device and OF node leak at bus scan", " - PCI/pwrctrl: Fix device leak at device stop", " - spi: cadence-quadspi: Flush posted register writes before INDAC access", " - spi: cadence-quadspi: Flush posted register writes before DAC access", " - spi: cadence-quadspi: Fix cqspi_setup_flash()", " - xfs: use deferred intent items for reaping crosslinked blocks", " - x86/fred: Remove ENDBR64 from FRED entry points", " - x86/umip: Check that the instruction opcode is at least two bytes", " - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT", " aliases)", " - mptcp: pm: in-kernel: usable client side with C-flag", " - mptcp: reset blackhole on success with non-loopback ifaces", " - selftests: mptcp: join: validate C-flag + def limit", " - s390/cio/ioasm: Fix __xsch() condition code handling", " - s390/dasd: enforce dma_alignment to ensure proper buffer validation", " - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request", " - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR", " - slab: prevent warnings when slab obj_exts vector allocation fails", " - slab: mark slab->obj_exts allocation failures unconditionally", " - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again", " - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs", " - wifi: rtw89: avoid possible TX wait initialization race", " - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000", " - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500", " - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages", " - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled", " mTHP subpage to shared zeropage", " - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations", " - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when", " max_huge_pages=0", " - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success", " - mm/damon/lru_sort: use param_ctx for damon_attrs staging", " - nfsd: decouple the xprtsec policy check from check_nfsd_access()", " - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()", " - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry", " - media: iris: Call correct power off callback in cleanup path", " - media: iris: Fix firmware reference leak and unmap memory after load", " - media: iris: fix module removal if firmware download failed", " - media: iris: vpu3x: Add MNoC low power handshake during hardware power-", " off", " - media: iris: Fix port streaming handling", " - media: iris: Fix buffer count reporting in internal buffer check", " - media: iris: Allow substate transition to load resources during output", " streaming", " - media: iris: Always destroy internal buffers on firmware release", " response", " - media: iris: Simplify session stop logic by relying on vb2 checks", " - media: iris: Update vbuf flags before v4l2_m2m_buf_done", " - media: iris: Send dummy buffer address for all codecs during drain", " - media: iris: Fix missing LAST flag handling during drain", " - media: iris: Fix format check for CAPTURE plane in try_fmt", " - media: iris: Allow stop on firmware only if start was issued.", " - ext4: add ext4_sb_bread_nofail() helper function for", " ext4_free_branches()", " - ext4: fail unaligned direct IO write with EINVAL", " - ext4: verify orphan file size is not too big", " - ext4: increase i_disksize to offset + len in", " ext4_update_disksize_before_punch()", " - ext4: correctly handle queries for metadata mappings", " - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()", " - ext4: fix an off-by-one issue during moving extents", " - ext4: guard against EA inode refcount underflow in xattr update", " - ext4: validate ea_ino and size in check_xattrs", " - ACPICA: Allow to skip Global Lock initialization", " - ext4: free orphan info with kvfree", " - ipmi: Fix handling of messages with provided receive message pointer", " - Squashfs: add additional inode sanity checking", " - Squashfs: reject negative file sizes in squashfs_read_inode()", " - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork", " - media: mc: Clear minor number before put device", " - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs", " - ACPI: property: Disregard references in data-only subnode lists", " - ACPI: property: Add code comments explaining what is going on", " - ACPI: property: Do not pass NULL handles to acpi_attach_data()", " - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume", " - copy_file_range: limit size if in compat mode", " - minixfs: Verify inode mode when loading from disk", " - pid: Add a judgment for ns null in pid_nr_ns", " - fs: Add 'initramfs_options' to set initramfs mount options", " - cramfs: Verify inode mode when loading from disk", " - nsfs: validate extensible ioctls", " - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list", " - writeback: Avoid softlockup when switching many inodes", " - writeback: Avoid excessively long inode switching times", " - iomap: error out on file IO when there is no inline_data buffer", " - pidfs: validate extensible ioctls", " - mount: handle NULL values in mnt_ns_release()", " - Linux 6.17.4", " * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race", " condition in perf build causes build failure due to missing unistd_64.h", " header on arm64 (LP: #2131702)", " - perf tools: Fix arm64 libjvmti build by generating unistd_64.h", " * Questing update: v6.17.3 upstream stable release (LP: #2129610)", " - arch: copy_thread: pass clone_flags as u64", " - filelock: add FL_RECLAIM to show_fl_flags() macro", " - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD", " - pid: use ns_capable_noaudit() when determining net sysctl permissions", " - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures", " - [Config]: Update CC configs for v6.17.3", " - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too", " fast", " - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact", " - selftests: arm64: Check fread return value in exec_target", " - selftests: arm64: Fix -Waddress warning in tpidr2 test", " - kselftest/arm64/gcs: Correctly check return value when disabling GCS", " - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()", " - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote", " - gfs2: Remove space before newline", " - gfs2: Further sanitize lock_dlm.c", " - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue", " - gfs2: Remove duplicate check in do_xmote", " - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS", " - gfs2: do_xmote cleanup", " - gfs2: Add proper lockspace locking", " - powerpc/8xx: Remove left-over instruction and comments in", " DataStoreTLBMiss handler", " - powerpc/603: Really copy kernel PGD entries into all PGDIRs", " - powerpc/ftrace: ensure ftrace record ops are always set for NOPs", " - powerpc64/modules: correctly iterate over stubs in", " setup_ftrace_ool_stubs", " - uprobes: uprobe_warn should use passed task", " - raid6: riscv: Clean up unused header file inclusion", " - coresight: trbe: Prevent overflow in PERF_IDX2OFF()", " - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()", " - erofs: avoid reading more for fragment maps", " - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages", " - smb: server: fix IRD/ORD negotiation with the client", " - perf/x86/intel: Use early_initcall() to hook bts_init()", " - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error", " - x86/vdso: Fix output operand size of RDPID", " - selftests: cgroup: Make test_pids backwards compatible", " - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()", " - [Config]: Update CONFIG_SCHED_MC for v6.17.3", " - lsm: CONFIG_LSM can depend on CONFIG_SECURITY", " - cpuset: fix failure to enable isolated partition when containing", " isolcpus", " - btrfs: return any hit error from extent_writepage_io()", " - btrfs: fix symbolic link reading when bs > ps", " - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()", " - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0", " - bpf: Tidy verifier bug message", " - regmap: Remove superfluous check for !config in __regmap_init()", " - selftests/bpf: Copy test_kmods when installing selftest", " - rust: cpumask: Mark CpumaskVar as transparent", " - bpf/selftests: Fix test_tcpnotify_user", " - bpf: Remove migrate_disable in kprobe_multi_link_prog_run", " - libbpf: Fix reuse of DEVMAP", " - tools/nolibc: fix error return value of clock_nanosleep()", " - ARM: dts: renesas: porter: Fix CAN pin group", " - leds: max77705: Function return instead of variable assignment", " - leds: flash: leds-qcom-flash: Update torch current clamp setting", " - s390/bpf: Do not write tail call counter into helper and kfunc frames", " - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL", " - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG", " - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()", " - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on", " EVTB1", " - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1", " - libbpf: Export bpf_object__prepare symbol", " - firmware: arm_scmi: Mark VirtIO ready before registering", " scmi_virtio_driver", " - arm64: dts: imx93-kontron: Fix GPIO for panel regulator", " - arm64: dts: imx93-kontron: Fix USB port assignment", " - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid", " - bpf: Remove preempt_disable in bpf_try_get_buffers", " - ACPI: processor: idle: Fix memory leak when register cpuidle device", " failed", " - genirq: Add irq_chip_(startup/shutdown)_parent()", " - PCI/MSI: Add startup/shutdown for per device domains", " - irqchip/sg2042-msi: Fix broken affinity setting", " - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()", " - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS", " - pinctrl: meson-gxl: add missing i2c_d pinmux", " - blk-mq: check kobject state_in_sysfs before deleting in", " blk_mq_unregister_hctx", " - selftests/futex: Remove the -g parameter from futex_priv_hash", " - ARM: at91: pm: fix MCKx restore routine", " - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map", " - regulator: scmi: Use int type to store negative error codes", " - selftests/futex: Fix some futex_numa_mpol subtests", " - tools/nolibc: avoid error in dup2() if old fd equals new fd", " - selftests/nolibc: fix EXPECT_NZ macro", " - leds: leds-lp55xx: Use correct address for memory programming", " - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in", " cond_[startup|shutdown]_parent()", " - block: use int to store blk_stack_limits() return value", " - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property", " - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes", " - genirq/test: Fix depth tests on architectures with NOREQUEST by default.", " - genirq/test: Select IRQ_DOMAIN", " - genirq/test: Depend on SPARSE_IRQ", " - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions", " - genirq/test: Ensure CPU 1 is online for hotplug test", " - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()", " - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY", " - PM: sleep: core: Clear power.must_resume in noirq suspend error path", " - blk-mq: fix elevator depth_updated method", " - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h", " - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS", " to use correct boolean syntax", " - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property", " to use correct boolean syntax in DTS", " - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer", " property", " - PM / devfreq: mtk-cci: Fix potential error pointer dereference in", " probe()", " - power: supply: cw2015: Fix a alignment coding style issue", " - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI", " - pinctrl: renesas: Use int type to store negative error codes", " - pinctrl: eswin: Fix regulator error check and Kconfig dependency", " - null_blk: Fix the description of the cache_size module argument", " - blk-throttle: fix access race during throttle policy activation", " - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper", " - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing", " vDSO", " - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup", " path", " - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()", " - tick: Do not set device to detached state in tick_shutdown()", " - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0", " - arm64: dts: mediatek: mt8183: Fix out of range pull values", " - nbd: restrict sockets to TCP and UDP", " - PM / devfreq: rockchip-dfi: double count on RK3588", " - firmware: firmware: meson-sm: fix compile-test default", " - dts: arm: amlogic: fix pwm node for c3", " - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure", " - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure", " - cpuidle: qcom-spm: fix device and OF node leaks at probe", " - block: cleanup bio_issue", " - block: initialize bio issue time in blk_mq_submit_bio()", " - block: factor out a helper bio_submit_split_bioset()", " - block: skip unnecessary checks for split bio", " - block: fix ordering of recursive split IO", " - blk-mq: remove useless checkings in blk_mq_update_nr_requests()", " - blk-mq: check invalid nr_requests in queue_requests_store()", " - blk-mq: convert to serialize updating nr_requests with", " update_nr_hwq_lock", " - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()", " - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()", " - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()", " - blk-mq: fix potential deadlock while nr_requests grown", " - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting", " - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting", " - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10", " - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10", " - arm64: dts: rockchip: Fix network on rk3576 evb1 board", " - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F", " cores", " - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'", " - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout", " locations\"", " - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x", " carveout locations\"", " - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186", " - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model", " - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros", " - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node", " - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names", " - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()", " - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value", " - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address", " - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes", " - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible", " - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs", " - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal", " - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal", " - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal", " - pwm: tiehrpwm: Don't drop runtime PM reference in .free()", " - pwm: tiehrpwm: Make code comment in .free() more useful", " - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation", " - pwm: tiehrpwm: Fix corner case in clock divisor calculation", " - ACPICA: Apply ACPI_NONSTRING", " - ACPICA: Fix largest possible resource descriptor index", " - riscv, bpf: Sign extend struct ops return values properly", " - nvme-auth: update bi_directional flag", " - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op", " - nvmet-fcloop: call done callback even when remote port is gone", " - nvme-tcp: send only permitted commands for secure concat", " - i3c: master: svc: Use manual response for IBI events", " - i3c: master: svc: Recycle unused IBI slot", " - block: update validation of atomic writes boundary for stacked devices", " - block: fix stacking of atomic writes when atomics are not supported", " - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported", " - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES", " - blk-throttle: fix throtl_data leak during disk release", " - bpf: Explicitly check accesses to bpf_sock_addr", " - mmc: select REGMAP_MMIO with MMC_LOONGSON2", " - selftests/futex: Fix futex_wait() for 32bit ARM", " - selftest/futex: Make the error check more precise for futex_numa_mpol", " - selftest/futex: Compile also with libnuma < 2.0.16", " - bpf: dont report verifier bug for missing bpf_scc_visit on speculative", " path", " - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()", " - arm64: dts: apple: t600x: Add missing WiFi properties", " - arm64: dts: apple: t600x: Add bluetooth device nodes", " - arm64: dts: apple: Add ethernet0 alias for J375 template", " - selftests: always install UAPI headers to the correct directory", " - smp: Fix up and expand the smp_call_function_many() kerneldoc", " - mfd: max77705: max77705_charger: move active discharge setting to mfd", " parent", " - power: supply: max77705_charger: refactoring: rename charger to chg", " - power: supply: max77705_charger: use regfields for config registers", " - power: supply: max77705_charger: rework interrupts", " - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in", " host headers", " - spi: fix return code when spi device has too many chipselects", " - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation", " - clocksource/drivers/tegra186: Avoid 64-bit division", " - bpf: Mark kfuncs as __noclone", " - once: fix race by moving DO_ONCE to separate section", " - hwmon: (mlxreg-fan) Separate methods of fan setting coming from", " different subsystems", " - tools/nolibc: add stdbool.h to nolibc includes", " - thermal/drivers/qcom: Make LMH select QCOM_SCM", " - thermal/drivers/qcom/lmh: Add missing IRQ includes", " - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD", " - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails", " - i2c: spacemit: remove stop function to avoid bus error", " - i2c: spacemit: disable SDA glitch fix to avoid restart delay", " - i2c: spacemit: check SDA instead of SCL after bus reset", " - i2c: spacemit: ensure SDA is released after bus reset", " - i2c: designware: Fix clock issue when PM is disabled", " - i2c: designware: Add disabling clocks when probe fails", " - libbpf: Fix error when st-prefix_ops and ops from differ btf", " - bpf: Enforce expected_attach_type for tailcall compatibility", " - i3c: fix big-endian FIFO transfers", " - mfd: max77705: Setup the core driver as an interrupt controller", " - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test", " - drm/panel-edp: Add disable to 100ms for MNB601LS1-4", " - drm/display: bridge-connector: correct CEC bridge pointers in", " drm_bridge_connector_init", " - drm/panel-edp: Add 50ms disable delay for four panels", " - drm/vmwgfx: fix missing assignment to ts", " - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into", " 'stream_res' v4", " - drm/panel: novatek-nt35560: Fix invalid return value", " - drm/amdgpu: fix link error for !PM_SLEEP", " - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest", " - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest", " - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in", " pci_epf_write_msi_msg()", " - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()", " - drm/radeon/r600_cs: clean up of dead code in r600_cs", " - f2fs: fix condition in __allow_reserved_blocks()", " - f2fs: fix to avoid overflow while left shift operation", " - f2fs: fix to zero data after EOF for compressed file correctly", " - drm/bridge: it6505: select REGMAP_I2C", " - wifi: rtw88: Lock rtwdev->mutex before setting the LED", " - HID: steelseries: refactor probe() and remove()", " - media: zoran: Remove zoran_fh structure", " - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568", " - drm/bridge: cdns-dsi: Fix the _atomic_check()", " - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup", " - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls", " - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure", " - misc: pci_endpoint_test: Fix array underflow in", " pci_endpoint_test_ioctl()", " - serial: max310x: Add error checking in probe()", " - drm/amd/display: Remove redundant semicolons", " - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute", " functions", " - crypto: keembay - Add missing check after sg_nents_for_len()", " - hwrng: nomadik - add ARM_AMBA dependency", " - docs: iio: ad3552r: Fix malformed code-block directive", " - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()", " - scsi: pm80xx: Restore support for expanders", " - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod", " - scsi: libsas: Add dev_parent_is_expander() helper", " - scsi: pm80xx: Use dev_parent_is_expander() helper", " - scsi: pm80xx: Add helper function to get the local phy id", " - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an", " expander", " - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.", " - scsi: myrs: Fix dma_alloc_coherent() error check", " - f2fs: fix to clear unusable_cap for checkpoint=enable", " - f2fs: fix to avoid NULL pointer dereference in", " f2fs_check_quota_consistency()", " - f2fs: fix to allow removing qf_name", " - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not", " always send 3-byte commands\"", " - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands", " - crypto: octeontx2 - Call strscpy() with correct size argument", " - drm: re-allow no-op changes on non-primary planes in async flips", " - media: rj54n1cb0c: Fix memleak in rj54n1_probe()", " - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API", " - media: staging/ipu7: Don't set name for IPU7 PCI device", " - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release", " - media: i2c: vd55g1: Fix duster register address", " - drm/panel: Allow powering on panel follower after panel is enabled", " - HID: i2c-hid: Make elan touch controllers power on after panel is", " enabled", " - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count", " - RDMA/mlx5: Fix vport loopback forcing for MPV device", " - wifi: rtw88: Use led->brightness_set_blocking for PCI too", " - net: phy: introduce phy_id_compare_vendor() PHY ID helper", " - net: phy: as21xxx: better handle PHY HW reset on soft-reboot", " - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()", " - fuse: remove unneeded offset assignment when filling write pages", " - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes", " - cdx: don't select CONFIG_GENERIC_MSI_IRQ", " - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak", " - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()", " - ALSA: lx_core: use int type to store negative error codes", " - media: st-delta: avoid excessive stack usage", " - drm/amdgpu/vcn: Add regdump helper functions", " - drm/amdgpu/vcn: Hold pg_lock before vcn power off", " - drm/amdgpu: Check vcn state before profile switch", " - accel/amdxdna: Use int instead of u32 to store error codes", " - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text", " - net: dst: introduce dst->dev_rcu", " - ipv6: mcast: Add ip6_mc_find_idev() helper", " - ipv6: start using dst_dev_rcu()", " - ipv6: use RCU in ip6_xmit()", " - ipv6: use RCU in ip6_output()", " - net: use dst_dev_rcu() in sk_setup_caps()", " - tcp_metrics: use dst_dev_net_rcu()", " - ipv4: start using dst_dev_rcu()", " - crypto: hisilicon/zip - remove unnecessary validation for high-", " performance mode configurations", " - crypto: hisilicon - re-enable address prefetch after device resuming", " - crypto: hisilicon - check the sva module status while enabling or", " disabling address prefetch", " - crypto: hisilicon/qm - check whether the input function and PF are on", " the same device", " - crypto: hisilicon/qm - request reserved interrupt for virtual function", " - inet: ping: check sock_net() in ping_get_port() and ping_lookup()", " - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation", " - coresight: trbe: Add ISB after TRBLIMITR write", " - coresight: Fix missing include for FIELD_GET", " - coresight: Only register perf symlink for sinks with alloc_buffer", " - drm/amdgpu: Power up UVD 3 for FW validation (v2)", " - drm/amd/pm: Disable ULV even if unsupported (v3)", " - drm/amd/pm: Fix si_upload_smc_data (v3)", " - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)", " - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)", " - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)", " - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)", " - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta", " - wifi: mwifiex: send world regulatory domain to driver", " - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress", " (CYW)", " - drm/msm: Do not validate SSPP when it is not ready", " - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation", " - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan", " request during MLO", " - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s", " - tcp: fix __tcp_close() to only send RST when required", " - fanotify: Validate the return value of mnt_ns_from_dentry() before", " dereferencing", " - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()", " - usb: phy: twl6030: Fix incorrect type for ret", " - usb: gadget: configfs: Correctly set use_os_string at bind", " - tty: n_gsm: Don't block input queue by waiting MSC", " - misc: genwqe: Fix incorrect cmd field being reported in error", " - pps: fix warning in pps_register_cdev when register device fail", " - drm/msm: Fix obj leak in VM_BIND error path", " - drm/msm: Fix missing VM_BIND offset/range validation", " - wifi: iwlwifi: Remove redundant header files", " - drm/msm/mdp4: stop supporting no-IOMMU configuration", " - drm/msm: stop supporting no-IOMMU configuration", " - idpf: fix Rx descriptor ready check barrier in splitq", " - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping", " - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore", " - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST", " - drm/msm: Fix bootup splat with separate_gpu_drm modparam", " - drm/msm/dpu: fix incorrect type for ret", " - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()", " - fs: ntfs3: Fix integer overflow in run_unpack()", " - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist", " - iio: consumers: Fix handling of negative channel scale in", " iio_convert_raw_to_processed()", " - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()", " - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal", " - tools: ynl: fix undefined variable name", " - RDMA/mlx5: Fix page size bitmap calculation for KSM mode", " - netfilter: ipset: Remove unused htable_bits in macro ahash_region", " - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable", " - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()", " - watchdog: intel_oc_wdt: Do not try to write into const memory", " - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the", " watchdog", " - PCI: endpoint: pci-epf-test: Fix doorbell test support", " - drivers/base/node: handle error properly in register_one_node()", " - RDMA/cm: Rate limit destroy CM ID timeout error message", " - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration", " - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine", " - wifi: mt76: fix potential memory leak in mt76_wmac_probe()", " - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback", " - wifi: mt76: mt7996: Check phy before init msta_link in", " mt7996_mac_sta_add_links()", " - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on", " mt7996", " - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device", " - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE", " - wifi: mt76: mt7915: fix mt7981 pre-calibration", " - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during", " restart", " - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false", " - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()", " - drm/amdgpu: Fix allocating extra dwords for rings (v2)", " - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()", " - f2fs: fix to truncate first page in error path of f2fs_truncate()", " - f2fs: fix to avoid migrating empty section", " - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()", " - RISC-V: KVM: Write hgatp register with valid mode bits", " - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on", " PREEMPT_RT", " - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message", " - scsi: qla2xxx: edif: Fix incorrect sign of error code", " - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()", " - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()", " - HID: hidraw: tighten ioctl command parsing", " - f2fs: fix zero-sized extent for precache extents", " - smc: Fix use-after-free in __pnet_find_base_ndev().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().", " - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().", " - mptcp: Call dst_release() in mptcp_active_enable().", " - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().", " - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems", " Running\"", " - RDMA/core: Resolve MAC of next-hop device without ARP support", " - IB/sa: Fix sa_local_svc_timeout_ms read race", " - Documentation: trace: historgram-design: Separate sched_waking histogram", " section heading and the following diagram", " - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots", " - wifi: ath12k: initialize eirp_power before use", " - wifi: ath12k: fix overflow warning on num_pwr_levels", " - wifi: ath12k: fix signal in radiotap for WCN7850", " - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode", " - wifi: ath12k: fix the fetching of combined rssi", " - wifi: ath12k: Add fallback for invalid channel number in PHY metadata", " - wifi: ath12k: fix wrong logging ID used for CE", " - wifi: ath10k: avoid unnecessary wait for service ready message", " - iommu/vt-d: debugfs: Fix legacy mode page table dump logic", " - wifi: mac80211: fix Rx packet handling when pubsta information is not", " available", " - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC III", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " Niagara", " - sparc: fix accurate exception reporting in copy_to_user for Niagara 4", " - sparc: fix accurate exception reporting in copy_{from,to}_user for M7", " - vfio/pds: replace bitmap_free with vfree", " - crypto: comp - Use same definition of context alloc and free ops", " - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs", " - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()", " - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse", " - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974", " - RDMA/rxe: Fix race in do_task() when draining", " - selftests/mm: fix va_high_addr_switch.sh failure on x86_64", " - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()", " - wifi: rtw89: avoid circular locking dependency in ser_state_run()", " - PCI: tegra194: Fix duplicate PLL disable in", " pex_ep_event_pex_rst_assert()", " - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice", " - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E", " - wifi: ath12k: Refactor RX TID deletion handling into helper function", " - wifi: ath12k: Fix flush cache failure during RX queue update", " - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()", " - dm vdo: return error on corrupted metadata in start_restoring_volume", " functions", " - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()", " - coresight-etm4x: Conditionally access register TRCEXTINSELR", " - coresight: tmc: Support atclk", " - coresight: catu: Support atclk", " - coresight: etm4x: Support atclk", " - coresight: Appropriately disable programming clocks", " - coresight: Appropriately disable trace bus clocks", " - coresight: Avoid enable programming clock duplicately", " - coresight: trbe: Return NULL pointer for allocation failures", " - coresight: tpda: fix the logic to setup the element size", " - coresight: Fix incorrect handling for return value of devm_kzalloc", " - NFSv4.1: fix backchannel max_resp_sz verification check", " - net: ethtool: tsconfig: set command must provide a reply", " - netfilter: nfnetlink: reset nlh pointer during batch replay", " - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack", " - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling", " - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()", " - usb: vhci-hcd: Prevent suspending virtually attached devices", " - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion", " - PCI: rcar-gen4: Assure reset occurs before DBI access", " - PCI: rcar-gen4: Fix inverted break condition in PHY initialization", " - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075", " - iommu/vt-d: Disallow dirty tracking if incoherent page walk", " - iommu/selftest: prevent use of uninitialized variable", " - RDMA/siw: Always report immediate post SQ errors", " - net: enetc: Fix probing error message typo for the ENETCv4 PF driver", " - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast", " - ptp: Add a upper bound on max_vclocks", " - vhost: vringh: Fix copy_to_iter return value check", " - net: macb: remove illusion about TBQPH/RBQPH being per-queue", " - net: macb: move ring size computation to functions", " - net: macb: single dma_alloc_coherent() for DMA descriptors", " - Bluetooth: btintel_pcie: Refactor Device Coredump", " - Bluetooth: MGMT: Fix not exposing debug UUID on", " MGMT_OP_READ_EXP_FEATURES_INFO", " - Bluetooth: ISO: Fix possible UAF on iso_conn_free", " - Bluetooth: ISO: free rx_skb if not consumed", " - Bluetooth: ISO: don't leak skb in ISO_CONT RX", " - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements", " - KEYS: X.509: Fix Basic Constraints CA flag parsing", " - hwrng: ks-sa - fix division by zero in ks_sa_rng_init", " - cramfs: fix incorrect physical page address calculation", " - ocfs2: fix double free in user_cluster_connect()", " - drivers/base/node: fix double free in register_one_node()", " - f2fs: fix UAF issue in f2fs_merge_page_bio()", " - mtd: rawnand: atmel: Fix error handling path in", " atmel_nand_controller_add_nands", " - PCI: j721e: Fix incorrect error message in probe()", " - idpf: fix mismatched free function for dma_alloc_coherent", " - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()", " - nfp: fix RSS hash key size when RSS is not supported", " - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not", " configurable", " - net: dlink: handle copy_thresh allocation failure", " - net/mlx5: Stop polling for command response if interface goes down", " - net/mlx5: pagealloc: Fix reclaim race during command interface teardown", " - net/mlx5: fw reset, add reset timeout work", " - smb: client: fix crypto buffers in non-linear memory", " - bonding: fix xfrm offload feature setup on active-backup mode", " - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values", " - iommufd: Register iommufd mock devices with fwspec", " - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"", " - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support", " - nfs/localio: avoid issuing misaligned IO using O_DIRECT", " - octeontx2-vf: fix bitmap leak", " - octeontx2-pf: fix bitmap leak", " - vhost: vringh: Modify the return value check", " - selftests/bpf: Fix typos and grammar in test sources", " - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c", " - selftests/bpf: Fix realloc size in bpf_get_addrs", " - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer", " - bpf: Reject negative offsets for ALU ops", " - tpm: Disable TPM2_TCG_HMAC by default", " - ALSA: hda/hdmi: Add pin fix for HP ProDesk model", " - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100", " - Squashfs: fix uninit-value in squashfs_get_parent", " - uio_hv_generic: Let userspace take care of interrupt mask", " - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init", " - io_uring/waitid: always prune wait queue entry in io_waitid_wait()", " - io_uring/zcrx: fix overshooting recv limit", " - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()", " - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down", " - ASoC: codecs: wcd937x: set the comp soundwire port correctly", " - ASoC: codecs: wcd937x: make stub functions inline", " - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples", " - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA", " - fs: udf: fix OOB read in lengthAllocDescs handling", " - net: nfc: nci: Add parameter validation for packet data", " - mfd: rz-mtu3: Fix MTU5 NFCR register offset", " - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag", " - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()", " - tracing: Fix lock imbalance in s_start() memory allocation failure path", " - tracing: Fix race condition in kprobe initialization causing NULL", " pointer dereference", " - tracing: Fix wakeup tracers on failure of acquiring calltime", " - tracing: Fix irqoff tracers on failure of acquiring calltime", " - tracing: Have trace_marker use per-cpu data to read user space", " - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf", " - tracing: Stop fortify-string from warning in tracing_mark_raw_write()", " - dm: fix queue start/stop imbalance under suspend/load/resume races", " - dm: fix NULL pointer dereference in __dm_suspend()", " - LoongArch: Automatically disable kaslr if boot from kexec_file", " - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT", " - LoongArch: BPF: Sign-extend struct ops return values properly", " - LoongArch: BPF: No support of struct argument in trampoline programs", " - LoongArch: BPF: Don't align trampoline size", " - LoongArch: BPF: Make trampoline size stable", " - LoongArch: BPF: Make error handling robust in", " arch_prepare_bpf_trampoline()", " - LoongArch: BPF: Remove duplicated bpf_flush_icache()", " - LoongArch: BPF: No text_poke() for kernel text", " - LoongArch: BPF: Remove duplicated flags check", " - LoongArch: BPF: Fix uninitialized symbol 'retval_off'", " - mm/ksm: fix flag-dropping behavior in ksm_madvise", " - ksmbd: Fix race condition in RPC handle list access", " - ksmbd: fix error code overwriting in smb2_get_info_filesystem()", " - ksmbd: add max ip connections parameter", " - ext4: fix potential null deref in ext4_mb_init()", " - ext4: fix checks for orphan inodes", " - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid", " - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()", " - mm: hugetlb: avoid soft lockup when mprotect to large memory area", " - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is", " disabled", " - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()", " - misc: fastrpc: Save actual DMA size in fastrpc_map structure", " - misc: fastrpc: Fix fastrpc_map_lookup operation", " - misc: fastrpc: fix possible map leak in fastrpc_put_args", " - misc: fastrpc: Skip reference for DMA handles", " - Input: atmel_mxt_ts - allow reset GPIO to sleep", " - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info", " leak", " - sunrpc: fix null pointer dereference on zero-length checksum", " - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()", " - remoteproc: pru: Fix potential NULL pointer dereference in", " pru_rproc_set_ctable()", " - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before", " release", " - thunderbolt: Fix use-after-free in tb_dp_dprx_work", " - tee: fix register_shm_helper()", " - pinctrl: check the return value of pinmux_ops::get_function_name()", " - bus: fsl-mc: Check return value of platform_get_resource()", " - net/9p: Fix buffer overflow in USB transport layer", " - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock", " - usb: typec: tipd: Clear interrupts first", " - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode", " - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call", " - scsi: ufs: core: Fix PM QoS mutex initialization", " - drm/amdgpu/vcn: Fix double-free of vcn dump buffer", " - Linux 6.17.3", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", "" ], "package": "linux-riscv", "version": "6.17.0-9.9.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "author": "Emil Renner Berthing ", "date": "Mon, 01 Dec 2025 16:40:19 +0100" } ], "notes": "linux-modules-6.17.0-12-generic version '6.17.0-12.12.1' (source package linux-riscv version '6.17.0-12.12.1') was added. linux-modules-6.17.0-12-generic version '6.17.0-12.12.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-8-generic. As such we can use the source package version of the removed package, '6.17.0-8.8.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-riscv-headers-6.17.0-12", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": null }, "to_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-12.12.1", "version": "6.17.0-12.12.1" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" }, { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138113, 2138115, 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-12.12.1 -proposed tracker (LP: #2138113)", "", " [ Ubuntu: 6.17.0-12.12 ]", "", " * questing/linux: 6.17.0-12.12 -proposed tracker (LP: #2138115)", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40214", " - af_unix: Initialise scc_index in unix_add_edge().", "" ], "package": "linux-riscv", "version": "6.17.0-12.12.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2138113, 2138115 ], "author": "Sarah Emery ", "date": "Thu, 15 Jan 2026 10:49:19 +0100" }, { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-9.9.1 -proposed tracker (LP: #2133508)", "", " [ Ubuntu: 6.17.0-9.9 ]", "", " * questing/linux: 6.17.0-9.9 -proposed tracker (LP: #2132302)", " * The machine didn’t go into suspend and got stuck (LP: #2132095)", " - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep", " handlers", " * CAP_PERFMON insufficient to get perf data (LP: #2131046)", " - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4", " * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or", " later (LP: #2115860)", " - drm/amd: Unify shutdown() callback behavior", " - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device", " - drm/amd: Remove comment about handling errors in", " amdgpu_device_ip_suspend_phase1()", " - drm/amd: Don't always set IP block HW status to false", " - drm/amd: Pass IP suspend errors up to callers", " - drm/amd: Avoid evicting resources at S5", " * kernel crash on bootup for some arm64 machines (LP: #2129770)", " - KVM: arm64: Guard PMSCR_EL1 initialization with SPE presence check", " * crash when reading from /sys/kernel/tracing/rv/enabled_monitors", " (LP: #2131136)", " - rv: Fully convert enabled_monitors to use list_head as iterator", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", " * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera", " (LP: #2128792)", " - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"", " - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO", " function\"", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", " * Questing update: v6.17.4 upstream stable release (LP: #2131259)", " - fs: always return zero on success from replace_fd()", " - fscontext: do not consume log entries when returning -EMSGSIZE", " - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()", " - arm64: map [_text, _stext) virtual address range non-executable+read-", " only", " - rseq: Protect event mask against membarrier IPI", " - statmount: don't call path_put() under namespace semaphore", " - listmount: don't call path_put() under namespace semaphore", " - clocksource/drivers/clps711x: Fix resource leaks in error paths", " - memcg: skip cgroup_file_notify if spinning is not allowed", " - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches", " - PM: runtime: Update kerneldoc return codes", " - dma-mapping: fix direction in dma_alloc direction traces", " - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency", " - nfsd: unregister with rpcbind when deleting a transport", " - KVM: x86: Add helper to retrieve current value of user return MSR", " - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2", " - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE", " - media: v4l2-subdev: Fix alloc failure check in", " v4l2_subdev_call_state_try()", " - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled", " - clk: npcm: select CONFIG_AUXILIARY_BUS", " - clk: thead: th1520-ap: describe gate clocks with clk_gate", " - clk: thead: th1520-ap: fix parent of padctrl0 clock", " - clk: thead: Correct parent for DPU pixel clocks", " - clk: renesas: r9a08g045: Add MSTOP for GPIO", " - perf disasm: Avoid undefined behavior in incrementing NULL", " - perf test trace_btf_enum: Skip if permissions are insufficient", " - perf evsel: Avoid container_of on a NULL leader", " - libperf event: Ensure tracing data is multiple of 8 sized", " - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()", " - clk: qcom: Select the intended config in QCS_DISPCC_615", " - perf parse-events: Handle fake PMUs in CPU terms", " - clk: at91: peripheral: fix return value", " - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()", " - perf: Completely remove possibility to override MAX_NR_CPUS", " - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()", " - perf util: Fix compression checks returning -1 as bool", " - rtc: x1205: Fix Xicor X1205 vendor prefix", " - rtc: optee: fix memory leak on driver removal", " - perf arm_spe: Correct setting remote access", " - perf arm_spe: Correct memory level for remote access", " - perf vendor events arm64 AmpereOneX: Fix typo - should be", " l1d_cache_access_prefetches", " - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1", " - perf test shell lbr: Avoid failures with perf event paranoia", " - perf trace: Fix IS_ERR() vs NULL check bug", " - perf session: Fix handling when buffer exceeds 2 GiB", " - perf test: Don't leak workload gopipe in PERF_RECORD_*", " - perf evsel: Fix uniquification when PMU given without suffix", " - perf test: Avoid uncore_imc/clockticks in uniquification test", " - perf evsel: Ensure the fallback message is always written to", " - perf build-id: Ensure snprintf string is empty when size is 0", " - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m", " - clk: mediatek: clk-mux: Do not pass flags to", " clk_mux_determine_rate_flags()", " - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()", " - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver", " - clk: tegra: do not overallocate memory for bpmp clocks", " - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update", " - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()", " - vfs: add ATTR_CTIME_SET flag", " - nfsd: use ATTR_CTIME_SET for delegated ctime updates", " - nfsd: track original timestamps in nfs4_delegation", " - nfsd: fix SETATTR updates for delegated timestamps", " - nfsd: fix timestamp updates in CB_GETATTR", " - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64", " - PM: core: Annotate loops walking device links as _srcu", " - PM: core: Add two macros for walking device links", " - PM: sleep: Do not wait on SYNC_STATE_ONLY device links", " - cpufreq: tegra186: Set target frequency for all cpus in policy", " - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue", " - perf bpf-filter: Fix opts declaration on older libbpfs", " - scsi: ufs: sysfs: Make HID attributes visible", " - mshv: Handle NEED_RESCHED_LAZY before transferring to guest", " - perf bpf_counter: Fix handling of cpumap fixing hybrid", " - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size", " - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer", " size", " - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead", " of buffer time", " - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference", " - LoongArch: Fix build error for LTO with LLVM-18", " - LoongArch: Init acpi_gbl_use_global_lock to false", " - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel", " - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in", " lan78xx_read_raw_eeprom", " - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()", " - drm/xe/hw_engine_group: Fix double write lock release in error path", " - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path", " - s390/cio: Update purge function to unregister the unused subchannels", " - drm/vmwgfx: Fix a null-ptr access in the cursor snooper", " - drm/vmwgfx: Fix Use-after-free in validation", " - drm/vmwgfx: Fix copy-paste typo in validation", " - net/sctp: fix a null dereference in sctp_disposition", " sctp_sf_do_5_1D_ce()", " - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().", " - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work", " - selftest: net: ovpn: Fix uninit return values", " - ice: ice_adapter: release xa entry on adapter allocation failure", " - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe", " - tools build: Align warning options with perf", " - perf python: split Clang options when invoking Popen", " - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()", " - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call", " - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes", " - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop", " - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind", " - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}", " - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions", " - net: sparx5/lan969x: fix flooding configuration on bridge join/leave", " - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables", " - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed", " - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()", " - drm/amdgpu: Add additional DCE6 SCL registers", " - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs", " - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6", " - drm/amd/display: Properly disable scaling on DCE6", " - drm/amd/display: Disable scaling on DCE6 for now", " - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping", " - net: pse-pd: tps23881: Fix current measurement scaling", " - crypto: skcipher - Fix reqsize handling", " - netfilter: nft_objref: validate objref and objrefmap expressions", " - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()", " - selftests: netfilter: nft_fib.sh: fix spurious test failures", " - selftests: netfilter: query conntrack state to check for port clash", " resolution", " - io_uring/zcrx: increment fallback loop src offset", " - net: airoha: Fix loopback mode configuration for GDM2 port", " - cifs: Fix copy_to_iter return value check", " - smb: client: fix missing timestamp updates after utime(2)", " - rtc: isl12022: Fix initial enable_irq/disable_irq balance", " - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points", " - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single", " - gpio: wcd934x: mark the GPIO controller as sleeping", " - bpf: Avoid RCU context warning when unpinning htab with internal structs", " - kbuild: always create intermediate vmlinux.unstripped", " - kbuild: keep .modinfo section in vmlinux.unstripped", " - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux", " - kbuild: Add '.rel.*' strip pattern for vmlinux", " - s390: vmlinux.lds.S: Reorder sections", " - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections", " - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name", " - ACPI: property: Fix buffer properties extraction for subnodes", " - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT", " - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg", " - ACPI: debug: fix signedness issues in read/write helpers", " - ACPI: battery: Add synchronization between interface updates", " - arm64: dts: qcom: msm8916: Add missing MDSS reset", " - arm64: dts: qcom: msm8939: Add missing MDSS reset", " - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees", " - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010", " by default\"", " - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default", " - arm64: dts: ti: k3-am62a-main: Fix main padcfg length", " - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP", " - arm64: kprobes: call set_memory_rox() for kprobe page", " - arm64: mte: Do not flag the zero page as PG_mte_tagged", " - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on", " reset)", " - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in", " amx3_idle_init", " - firmware: arm_scmi: quirk: Prevent writes to string constants", " - perf/arm-cmn: Fix CMN S3 DTM offset", " - KVM: s390: Fix to clear PTE when discarding a swapped page", " - KVM: arm64: Fix debug checking for np-guests using huge mappings", " - KVM: arm64: Fix page leak in user_mem_abort()", " - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP", " - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES", " guest", " - KVM: TDX: Fix uninitialized error code for __tdx_bringup()", " - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-", " required", " - xen: take system_transition_mutex on suspend", " - xen/events: Cleanup find_virq() return codes", " - xen/manage: Fix suspend error path", " - xen/events: Return -EEXIST for bound VIRQs", " - xen/events: Update virq_to_irq on migration", " - firmware: exynos-acpm: fix PMIC returned errno", " - firmware: meson_sm: fix device leak at probe", " - media: cec: extron-da-hd-4k-plus: drop external-module make commands", " - media: cx18: Add missing check after DMA map", " - media: i2c: mt9p031: fix mbus code initialization", " - media: i2c: mt9v111: fix incorrect type for ret", " - media: mc: Fix MUST_CONNECT handling for pads with no links", " - media: pci: ivtv: Add missing check after DMA map", " - media: pci: mg4b: fix uninitialized iio scan data", " - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids", " - media: s5p-mfc: remove an unused/uninitialized variable", " - media: staging/ipu7: fix isys device runtime PM usage in firmware", " closing", " - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh", " - media: venus: firmware: Use correct reset sequence for IRIS2", " - media: venus: pm_helpers: add fallback for the opp-table", " - media: vivid: fix disappearing messages", " - media: vsp1: Export missing vsp1_isp_free_buffer symbol", " - media: ti: j721e-csi2rx: Use devm_of_platform_populate", " - media: ti: j721e-csi2rx: Fix source subdev link creation", " - media: lirc: Fix error handling in lirc_register()", " - drm/exynos: exynos7_drm_decon: remove ctx->suspended", " - drm/panthor: Fix memory leak in panthor_ioctl_group_create()", " - drm/msm/a6xx: Fix PDC sleep sequence", " - drm/rcar-du: dsi: Fix 1/2/3 lane support", " - drm/nouveau: fix bad ret code in nouveau_bo_move_prep", " - drm/xe/uapi: loosen used tracking restriction", " - drm/amd/display: Incorrect Mirror Cositing", " - drm/amd/display: Enable Dynamic DTBCLK Switch", " - drm/amd/display: Fix unsafe uses of kernel mode FPU", " - blk-crypto: fix missing blktrace bio split events", " - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()", " - bus: mhi: ep: Fix chained transfer handling in read path", " - bus: mhi: host: Do not use uninitialized 'dev' pointer in", " mhi_init_irq_setup()", " - cdx: Fix device node reference leak in cdx_msi_domain_init", " - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk", " - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes", " - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths", " - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks", " - copy_sighand: Handle architectures where sizeof(unsigned long) <", " sizeof(u64)", " - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay", " - cpufreq: intel_pstate: Fix object lifecycle issue in", " update_qos_request()", " - crypto: aspeed - Fix dma_unmap_sg() direction", " - crypto: atmel - Fix dma_unmap_sg() direction", " - crypto: rockchip - Fix dma_unmap_sg() nents value", " - eventpoll: Replace rwlock with spinlock", " - fbdev: Fix logic error in \"offb\" name match", " - fs/ntfs3: Fix a resource leak bug in wnd_extend()", " - fs: quota: create dedicated workqueue for quota_release_work", " - fsnotify: pass correct offset to fsnotify_mmap_perm()", " - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()", " - fuse: fix livelock in synchronous file put from fuseblk workers", " - gpio: mpfs: fix setting gpio direction to output", " - i3c: Fix default I2C adapter timeout value", " - iio/adc/pac1934: fix channel disable configuration", " - iio: dac: ad5360: use int type to store negative error codes", " - iio: dac: ad5421: use int type to store negative error codes", " - iio: frequency: adf4350: Fix prescaler usage.", " - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK", " - iio: xilinx-ams: Unmask interrupts after updating alarms", " - init: handle bootloader identifier in kernel parameters", " - iio: imu: inv_icm42600: Simplify pm_runtime setup", " - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in", " resume", " - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime", " suspended", " - iommu/vt-d: PRS isn't usable if PDS isn't supported", " - ipmi: Rework user message limit handling", " - ipmi:msghandler:Change seq_lock to a mutex", " - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in", " sys_prlimit64() paths", " - KEYS: trusted_tpm1: Compare HMAC values in constant time", " - kho: only fill kimage if KHO is finalized", " - lib/genalloc: fix device leak in of_gen_pool_get()", " - loop: fix backing file reference leak on validation error", " - md: fix mssing blktrace bio split events", " - of: unittest: Fix device reference count leak in", " of_unittest_pci_node_verify", " - openat2: don't trigger automounts with RESOLVE_NO_XDEV", " - padata: Reset next CPU when reorder sequence wraps around", " - parisc: don't reference obsolete termio struct for TC* constants", " - parisc: Remove spurious if statement from raw_copy_from_user()", " - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk", " - pinctrl: samsung: Drop unused S3C24xx driver data", " - PM: EM: Fix late boot with holes in CPU topology", " - PM: hibernate: Fix hybrid-sleep", " - PM: hibernate: Restrict GFP mask in power_down()", " - power: supply: max77976_charger: fix constant current reporting", " - powerpc/powernv/pci: Fix underflow and leak issue", " - powerpc/pseries/msi: Fix potential underflow and leak issue", " - pwm: berlin: Fix wrong register in suspend/resume", " - pwm: Fix incorrect variable used in error message", " - Revert \"ipmi: fix msg stack when IPMI is disconnected\"", " - sched/deadline: Fix race in push_dl_task()", " - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()", " - scsi: sd: Fix build warning in sd_revalidate_disk()", " - sctp: Fix MAC comparison to be constant-time", " - smb client: fix bug with newly created file in cached dir", " - sparc64: fix hugetlb for sun4u", " - sparc: fix error handling in scan_one_device()", " - xtensa: simdisk: add input size check in proc_write_simdisk", " - xsk: Harden userspace-supplied xdp_desc validation", " - mtd: rawnand: fsmc: Default to autodetect buswidth", " - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N", " - mmc: core: SPI mode remove cmd7", " - mmc: mmc_spi: multiple block read remove read crc ack", " - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe", " - memory: stm32_omm: Fix req2ack update test", " - rtc: interface: Ensure alarm irq is enabled when UIE is enabled", " - rtc: interface: Fix long-standing race when setting alarm", " - rseq/selftests: Use weak symbol reference, not definition, to link with", " glibc", " - PCI: xilinx-nwl: Fix ECAM programming", " - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock", " - PCI/sysfs: Ensure devices are powered for config reads", " - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV", " - PCI/ERR: Fix uevent on failure to recover", " - PCI/AER: Fix missing uevent on recovery when a reset is requested", " - PCI/AER: Support errors introduced by PCIe r6.0", " - PCI: Ensure relaxed tail alignment does not increase min_align", " - PCI: Fix failure detection during resource resize", " - PCI: j721e: Fix module autoloading", " - PCI: j721e: Fix programming sequence of \"strap\" settings", " - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on", " exit", " - PCI: rcar-gen4: Fix PHY initialization", " - PCI: rcar-host: Drop PMSR spinlock", " - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock", " - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()", " - PCI: tegra194: Handle errors in BPMP response", " - PCI: tegra194: Reset BARs when running in PCIe endpoint mode", " - PCI/pwrctrl: Fix device leak at registration", " - PCI/pwrctrl: Fix device and OF node leak at bus scan", " - PCI/pwrctrl: Fix device leak at device stop", " - spi: cadence-quadspi: Flush posted register writes before INDAC access", " - spi: cadence-quadspi: Flush posted register writes before DAC access", " - spi: cadence-quadspi: Fix cqspi_setup_flash()", " - xfs: use deferred intent items for reaping crosslinked blocks", " - x86/fred: Remove ENDBR64 from FRED entry points", " - x86/umip: Check that the instruction opcode is at least two bytes", " - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT", " aliases)", " - mptcp: pm: in-kernel: usable client side with C-flag", " - mptcp: reset blackhole on success with non-loopback ifaces", " - selftests: mptcp: join: validate C-flag + def limit", " - s390/cio/ioasm: Fix __xsch() condition code handling", " - s390/dasd: enforce dma_alignment to ensure proper buffer validation", " - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request", " - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR", " - slab: prevent warnings when slab obj_exts vector allocation fails", " - slab: mark slab->obj_exts allocation failures unconditionally", " - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again", " - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs", " - wifi: rtw89: avoid possible TX wait initialization race", " - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000", " - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500", " - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages", " - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled", " mTHP subpage to shared zeropage", " - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations", " - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when", " max_huge_pages=0", " - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success", " - mm/damon/lru_sort: use param_ctx for damon_attrs staging", " - nfsd: decouple the xprtsec policy check from check_nfsd_access()", " - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()", " - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry", " - media: iris: Call correct power off callback in cleanup path", " - media: iris: Fix firmware reference leak and unmap memory after load", " - media: iris: fix module removal if firmware download failed", " - media: iris: vpu3x: Add MNoC low power handshake during hardware power-", " off", " - media: iris: Fix port streaming handling", " - media: iris: Fix buffer count reporting in internal buffer check", " - media: iris: Allow substate transition to load resources during output", " streaming", " - media: iris: Always destroy internal buffers on firmware release", " response", " - media: iris: Simplify session stop logic by relying on vb2 checks", " - media: iris: Update vbuf flags before v4l2_m2m_buf_done", " - media: iris: Send dummy buffer address for all codecs during drain", " - media: iris: Fix missing LAST flag handling during drain", " - media: iris: Fix format check for CAPTURE plane in try_fmt", " - media: iris: Allow stop on firmware only if start was issued.", " - ext4: add ext4_sb_bread_nofail() helper function for", " ext4_free_branches()", " - ext4: fail unaligned direct IO write with EINVAL", " - ext4: verify orphan file size is not too big", " - ext4: increase i_disksize to offset + len in", " ext4_update_disksize_before_punch()", " - ext4: correctly handle queries for metadata mappings", " - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()", " - ext4: fix an off-by-one issue during moving extents", " - ext4: guard against EA inode refcount underflow in xattr update", " - ext4: validate ea_ino and size in check_xattrs", " - ACPICA: Allow to skip Global Lock initialization", " - ext4: free orphan info with kvfree", " - ipmi: Fix handling of messages with provided receive message pointer", " - Squashfs: add additional inode sanity checking", " - Squashfs: reject negative file sizes in squashfs_read_inode()", " - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork", " - media: mc: Clear minor number before put device", " - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs", " - ACPI: property: Disregard references in data-only subnode lists", " - ACPI: property: Add code comments explaining what is going on", " - ACPI: property: Do not pass NULL handles to acpi_attach_data()", " - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume", " - copy_file_range: limit size if in compat mode", " - minixfs: Verify inode mode when loading from disk", " - pid: Add a judgment for ns null in pid_nr_ns", " - fs: Add 'initramfs_options' to set initramfs mount options", " - cramfs: Verify inode mode when loading from disk", " - nsfs: validate extensible ioctls", " - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list", " - writeback: Avoid softlockup when switching many inodes", " - writeback: Avoid excessively long inode switching times", " - iomap: error out on file IO when there is no inline_data buffer", " - pidfs: validate extensible ioctls", " - mount: handle NULL values in mnt_ns_release()", " - Linux 6.17.4", " * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race", " condition in perf build causes build failure due to missing unistd_64.h", " header on arm64 (LP: #2131702)", " - perf tools: Fix arm64 libjvmti build by generating unistd_64.h", " * Questing update: v6.17.3 upstream stable release (LP: #2129610)", " - arch: copy_thread: pass clone_flags as u64", " - filelock: add FL_RECLAIM to show_fl_flags() macro", " - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD", " - pid: use ns_capable_noaudit() when determining net sysctl permissions", " - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures", " - [Config]: Update CC configs for v6.17.3", " - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too", " fast", " - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact", " - selftests: arm64: Check fread return value in exec_target", " - selftests: arm64: Fix -Waddress warning in tpidr2 test", " - kselftest/arm64/gcs: Correctly check return value when disabling GCS", " - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()", " - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote", " - gfs2: Remove space before newline", " - gfs2: Further sanitize lock_dlm.c", " - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue", " - gfs2: Remove duplicate check in do_xmote", " - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS", " - gfs2: do_xmote cleanup", " - gfs2: Add proper lockspace locking", " - powerpc/8xx: Remove left-over instruction and comments in", " DataStoreTLBMiss handler", " - powerpc/603: Really copy kernel PGD entries into all PGDIRs", " - powerpc/ftrace: ensure ftrace record ops are always set for NOPs", " - powerpc64/modules: correctly iterate over stubs in", " setup_ftrace_ool_stubs", " - uprobes: uprobe_warn should use passed task", " - raid6: riscv: Clean up unused header file inclusion", " - coresight: trbe: Prevent overflow in PERF_IDX2OFF()", " - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()", " - erofs: avoid reading more for fragment maps", " - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages", " - smb: server: fix IRD/ORD negotiation with the client", " - perf/x86/intel: Use early_initcall() to hook bts_init()", " - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error", " - x86/vdso: Fix output operand size of RDPID", " - selftests: cgroup: Make test_pids backwards compatible", " - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()", " - [Config]: Update CONFIG_SCHED_MC for v6.17.3", " - lsm: CONFIG_LSM can depend on CONFIG_SECURITY", " - cpuset: fix failure to enable isolated partition when containing", " isolcpus", " - btrfs: return any hit error from extent_writepage_io()", " - btrfs: fix symbolic link reading when bs > ps", " - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()", " - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0", " - bpf: Tidy verifier bug message", " - regmap: Remove superfluous check for !config in __regmap_init()", " - selftests/bpf: Copy test_kmods when installing selftest", " - rust: cpumask: Mark CpumaskVar as transparent", " - bpf/selftests: Fix test_tcpnotify_user", " - bpf: Remove migrate_disable in kprobe_multi_link_prog_run", " - libbpf: Fix reuse of DEVMAP", " - tools/nolibc: fix error return value of clock_nanosleep()", " - ARM: dts: renesas: porter: Fix CAN pin group", " - leds: max77705: Function return instead of variable assignment", " - leds: flash: leds-qcom-flash: Update torch current clamp setting", " - s390/bpf: Do not write tail call counter into helper and kfunc frames", " - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL", " - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG", " - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()", " - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on", " EVTB1", " - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1", " - libbpf: Export bpf_object__prepare symbol", " - firmware: arm_scmi: Mark VirtIO ready before registering", " scmi_virtio_driver", " - arm64: dts: imx93-kontron: Fix GPIO for panel regulator", " - arm64: dts: imx93-kontron: Fix USB port assignment", " - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid", " - bpf: Remove preempt_disable in bpf_try_get_buffers", " - ACPI: processor: idle: Fix memory leak when register cpuidle device", " failed", " - genirq: Add irq_chip_(startup/shutdown)_parent()", " - PCI/MSI: Add startup/shutdown for per device domains", " - irqchip/sg2042-msi: Fix broken affinity setting", " - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()", " - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS", " - pinctrl: meson-gxl: add missing i2c_d pinmux", " - blk-mq: check kobject state_in_sysfs before deleting in", " blk_mq_unregister_hctx", " - selftests/futex: Remove the -g parameter from futex_priv_hash", " - ARM: at91: pm: fix MCKx restore routine", " - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map", " - regulator: scmi: Use int type to store negative error codes", " - selftests/futex: Fix some futex_numa_mpol subtests", " - tools/nolibc: avoid error in dup2() if old fd equals new fd", " - selftests/nolibc: fix EXPECT_NZ macro", " - leds: leds-lp55xx: Use correct address for memory programming", " - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in", " cond_[startup|shutdown]_parent()", " - block: use int to store blk_stack_limits() return value", " - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property", " - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes", " - genirq/test: Fix depth tests on architectures with NOREQUEST by default.", " - genirq/test: Select IRQ_DOMAIN", " - genirq/test: Depend on SPARSE_IRQ", " - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions", " - genirq/test: Ensure CPU 1 is online for hotplug test", " - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()", " - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY", " - PM: sleep: core: Clear power.must_resume in noirq suspend error path", " - blk-mq: fix elevator depth_updated method", " - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h", " - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS", " to use correct boolean syntax", " - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property", " to use correct boolean syntax in DTS", " - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer", " property", " - PM / devfreq: mtk-cci: Fix potential error pointer dereference in", " probe()", " - power: supply: cw2015: Fix a alignment coding style issue", " - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI", " - pinctrl: renesas: Use int type to store negative error codes", " - pinctrl: eswin: Fix regulator error check and Kconfig dependency", " - null_blk: Fix the description of the cache_size module argument", " - blk-throttle: fix access race during throttle policy activation", " - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper", " - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing", " vDSO", " - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup", " path", " - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()", " - tick: Do not set device to detached state in tick_shutdown()", " - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0", " - arm64: dts: mediatek: mt8183: Fix out of range pull values", " - nbd: restrict sockets to TCP and UDP", " - PM / devfreq: rockchip-dfi: double count on RK3588", " - firmware: firmware: meson-sm: fix compile-test default", " - dts: arm: amlogic: fix pwm node for c3", " - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure", " - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure", " - cpuidle: qcom-spm: fix device and OF node leaks at probe", " - block: cleanup bio_issue", " - block: initialize bio issue time in blk_mq_submit_bio()", " - block: factor out a helper bio_submit_split_bioset()", " - block: skip unnecessary checks for split bio", " - block: fix ordering of recursive split IO", " - blk-mq: remove useless checkings in blk_mq_update_nr_requests()", " - blk-mq: check invalid nr_requests in queue_requests_store()", " - blk-mq: convert to serialize updating nr_requests with", " update_nr_hwq_lock", " - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()", " - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()", " - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()", " - blk-mq: fix potential deadlock while nr_requests grown", " - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting", " - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting", " - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10", " - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10", " - arm64: dts: rockchip: Fix network on rk3576 evb1 board", " - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F", " cores", " - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'", " - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout", " locations\"", " - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x", " carveout locations\"", " - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186", " - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model", " - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros", " - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node", " - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names", " - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()", " - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value", " - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address", " - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes", " - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible", " - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs", " - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal", " - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal", " - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal", " - pwm: tiehrpwm: Don't drop runtime PM reference in .free()", " - pwm: tiehrpwm: Make code comment in .free() more useful", " - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation", " - pwm: tiehrpwm: Fix corner case in clock divisor calculation", " - ACPICA: Apply ACPI_NONSTRING", " - ACPICA: Fix largest possible resource descriptor index", " - riscv, bpf: Sign extend struct ops return values properly", " - nvme-auth: update bi_directional flag", " - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op", " - nvmet-fcloop: call done callback even when remote port is gone", " - nvme-tcp: send only permitted commands for secure concat", " - i3c: master: svc: Use manual response for IBI events", " - i3c: master: svc: Recycle unused IBI slot", " - block: update validation of atomic writes boundary for stacked devices", " - block: fix stacking of atomic writes when atomics are not supported", " - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported", " - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES", " - blk-throttle: fix throtl_data leak during disk release", " - bpf: Explicitly check accesses to bpf_sock_addr", " - mmc: select REGMAP_MMIO with MMC_LOONGSON2", " - selftests/futex: Fix futex_wait() for 32bit ARM", " - selftest/futex: Make the error check more precise for futex_numa_mpol", " - selftest/futex: Compile also with libnuma < 2.0.16", " - bpf: dont report verifier bug for missing bpf_scc_visit on speculative", " path", " - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()", " - arm64: dts: apple: t600x: Add missing WiFi properties", " - arm64: dts: apple: t600x: Add bluetooth device nodes", " - arm64: dts: apple: Add ethernet0 alias for J375 template", " - selftests: always install UAPI headers to the correct directory", " - smp: Fix up and expand the smp_call_function_many() kerneldoc", " - mfd: max77705: max77705_charger: move active discharge setting to mfd", " parent", " - power: supply: max77705_charger: refactoring: rename charger to chg", " - power: supply: max77705_charger: use regfields for config registers", " - power: supply: max77705_charger: rework interrupts", " - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in", " host headers", " - spi: fix return code when spi device has too many chipselects", " - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation", " - clocksource/drivers/tegra186: Avoid 64-bit division", " - bpf: Mark kfuncs as __noclone", " - once: fix race by moving DO_ONCE to separate section", " - hwmon: (mlxreg-fan) Separate methods of fan setting coming from", " different subsystems", " - tools/nolibc: add stdbool.h to nolibc includes", " - thermal/drivers/qcom: Make LMH select QCOM_SCM", " - thermal/drivers/qcom/lmh: Add missing IRQ includes", " - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD", " - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails", " - i2c: spacemit: remove stop function to avoid bus error", " - i2c: spacemit: disable SDA glitch fix to avoid restart delay", " - i2c: spacemit: check SDA instead of SCL after bus reset", " - i2c: spacemit: ensure SDA is released after bus reset", " - i2c: designware: Fix clock issue when PM is disabled", " - i2c: designware: Add disabling clocks when probe fails", " - libbpf: Fix error when st-prefix_ops and ops from differ btf", " - bpf: Enforce expected_attach_type for tailcall compatibility", " - i3c: fix big-endian FIFO transfers", " - mfd: max77705: Setup the core driver as an interrupt controller", " - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test", " - drm/panel-edp: Add disable to 100ms for MNB601LS1-4", " - drm/display: bridge-connector: correct CEC bridge pointers in", " drm_bridge_connector_init", " - drm/panel-edp: Add 50ms disable delay for four panels", " - drm/vmwgfx: fix missing assignment to ts", " - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into", " 'stream_res' v4", " - drm/panel: novatek-nt35560: Fix invalid return value", " - drm/amdgpu: fix link error for !PM_SLEEP", " - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest", " - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest", " - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in", " pci_epf_write_msi_msg()", " - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()", " - drm/radeon/r600_cs: clean up of dead code in r600_cs", " - f2fs: fix condition in __allow_reserved_blocks()", " - f2fs: fix to avoid overflow while left shift operation", " - f2fs: fix to zero data after EOF for compressed file correctly", " - drm/bridge: it6505: select REGMAP_I2C", " - wifi: rtw88: Lock rtwdev->mutex before setting the LED", " - HID: steelseries: refactor probe() and remove()", " - media: zoran: Remove zoran_fh structure", " - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568", " - drm/bridge: cdns-dsi: Fix the _atomic_check()", " - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup", " - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls", " - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure", " - misc: pci_endpoint_test: Fix array underflow in", " pci_endpoint_test_ioctl()", " - serial: max310x: Add error checking in probe()", " - drm/amd/display: Remove redundant semicolons", " - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute", " functions", " - crypto: keembay - Add missing check after sg_nents_for_len()", " - hwrng: nomadik - add ARM_AMBA dependency", " - docs: iio: ad3552r: Fix malformed code-block directive", " - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()", " - scsi: pm80xx: Restore support for expanders", " - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod", " - scsi: libsas: Add dev_parent_is_expander() helper", " - scsi: pm80xx: Use dev_parent_is_expander() helper", " - scsi: pm80xx: Add helper function to get the local phy id", " - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an", " expander", " - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.", " - scsi: myrs: Fix dma_alloc_coherent() error check", " - f2fs: fix to clear unusable_cap for checkpoint=enable", " - f2fs: fix to avoid NULL pointer dereference in", " f2fs_check_quota_consistency()", " - f2fs: fix to allow removing qf_name", " - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not", " always send 3-byte commands\"", " - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands", " - crypto: octeontx2 - Call strscpy() with correct size argument", " - drm: re-allow no-op changes on non-primary planes in async flips", " - media: rj54n1cb0c: Fix memleak in rj54n1_probe()", " - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API", " - media: staging/ipu7: Don't set name for IPU7 PCI device", " - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release", " - media: i2c: vd55g1: Fix duster register address", " - drm/panel: Allow powering on panel follower after panel is enabled", " - HID: i2c-hid: Make elan touch controllers power on after panel is", " enabled", " - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count", " - RDMA/mlx5: Fix vport loopback forcing for MPV device", " - wifi: rtw88: Use led->brightness_set_blocking for PCI too", " - net: phy: introduce phy_id_compare_vendor() PHY ID helper", " - net: phy: as21xxx: better handle PHY HW reset on soft-reboot", " - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()", " - fuse: remove unneeded offset assignment when filling write pages", " - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes", " - cdx: don't select CONFIG_GENERIC_MSI_IRQ", " - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak", " - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()", " - ALSA: lx_core: use int type to store negative error codes", " - media: st-delta: avoid excessive stack usage", " - drm/amdgpu/vcn: Add regdump helper functions", " - drm/amdgpu/vcn: Hold pg_lock before vcn power off", " - drm/amdgpu: Check vcn state before profile switch", " - accel/amdxdna: Use int instead of u32 to store error codes", " - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text", " - net: dst: introduce dst->dev_rcu", " - ipv6: mcast: Add ip6_mc_find_idev() helper", " - ipv6: start using dst_dev_rcu()", " - ipv6: use RCU in ip6_xmit()", " - ipv6: use RCU in ip6_output()", " - net: use dst_dev_rcu() in sk_setup_caps()", " - tcp_metrics: use dst_dev_net_rcu()", " - ipv4: start using dst_dev_rcu()", " - crypto: hisilicon/zip - remove unnecessary validation for high-", " performance mode configurations", " - crypto: hisilicon - re-enable address prefetch after device resuming", " - crypto: hisilicon - check the sva module status while enabling or", " disabling address prefetch", " - crypto: hisilicon/qm - check whether the input function and PF are on", " the same device", " - crypto: hisilicon/qm - request reserved interrupt for virtual function", " - inet: ping: check sock_net() in ping_get_port() and ping_lookup()", " - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation", " - coresight: trbe: Add ISB after TRBLIMITR write", " - coresight: Fix missing include for FIELD_GET", " - coresight: Only register perf symlink for sinks with alloc_buffer", " - drm/amdgpu: Power up UVD 3 for FW validation (v2)", " - drm/amd/pm: Disable ULV even if unsupported (v3)", " - drm/amd/pm: Fix si_upload_smc_data (v3)", " - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)", " - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)", " - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)", " - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)", " - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta", " - wifi: mwifiex: send world regulatory domain to driver", " - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress", " (CYW)", " - drm/msm: Do not validate SSPP when it is not ready", " - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation", " - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan", " request during MLO", " - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s", " - tcp: fix __tcp_close() to only send RST when required", " - fanotify: Validate the return value of mnt_ns_from_dentry() before", " dereferencing", " - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()", " - usb: phy: twl6030: Fix incorrect type for ret", " - usb: gadget: configfs: Correctly set use_os_string at bind", " - tty: n_gsm: Don't block input queue by waiting MSC", " - misc: genwqe: Fix incorrect cmd field being reported in error", " - pps: fix warning in pps_register_cdev when register device fail", " - drm/msm: Fix obj leak in VM_BIND error path", " - drm/msm: Fix missing VM_BIND offset/range validation", " - wifi: iwlwifi: Remove redundant header files", " - drm/msm/mdp4: stop supporting no-IOMMU configuration", " - drm/msm: stop supporting no-IOMMU configuration", " - idpf: fix Rx descriptor ready check barrier in splitq", " - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping", " - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore", " - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST", " - drm/msm: Fix bootup splat with separate_gpu_drm modparam", " - drm/msm/dpu: fix incorrect type for ret", " - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()", " - fs: ntfs3: Fix integer overflow in run_unpack()", " - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist", " - iio: consumers: Fix handling of negative channel scale in", " iio_convert_raw_to_processed()", " - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()", " - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal", " - tools: ynl: fix undefined variable name", " - RDMA/mlx5: Fix page size bitmap calculation for KSM mode", " - netfilter: ipset: Remove unused htable_bits in macro ahash_region", " - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable", " - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()", " - watchdog: intel_oc_wdt: Do not try to write into const memory", " - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the", " watchdog", " - PCI: endpoint: pci-epf-test: Fix doorbell test support", " - drivers/base/node: handle error properly in register_one_node()", " - RDMA/cm: Rate limit destroy CM ID timeout error message", " - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration", " - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine", " - wifi: mt76: fix potential memory leak in mt76_wmac_probe()", " - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback", " - wifi: mt76: mt7996: Check phy before init msta_link in", " mt7996_mac_sta_add_links()", " - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on", " mt7996", " - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device", " - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE", " - wifi: mt76: mt7915: fix mt7981 pre-calibration", " - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during", " restart", " - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false", " - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()", " - drm/amdgpu: Fix allocating extra dwords for rings (v2)", " - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()", " - f2fs: fix to truncate first page in error path of f2fs_truncate()", " - f2fs: fix to avoid migrating empty section", " - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()", " - RISC-V: KVM: Write hgatp register with valid mode bits", " - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on", " PREEMPT_RT", " - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message", " - scsi: qla2xxx: edif: Fix incorrect sign of error code", " - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()", " - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()", " - HID: hidraw: tighten ioctl command parsing", " - f2fs: fix zero-sized extent for precache extents", " - smc: Fix use-after-free in __pnet_find_base_ndev().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().", " - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().", " - mptcp: Call dst_release() in mptcp_active_enable().", " - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().", " - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems", " Running\"", " - RDMA/core: Resolve MAC of next-hop device without ARP support", " - IB/sa: Fix sa_local_svc_timeout_ms read race", " - Documentation: trace: historgram-design: Separate sched_waking histogram", " section heading and the following diagram", " - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots", " - wifi: ath12k: initialize eirp_power before use", " - wifi: ath12k: fix overflow warning on num_pwr_levels", " - wifi: ath12k: fix signal in radiotap for WCN7850", " - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode", " - wifi: ath12k: fix the fetching of combined rssi", " - wifi: ath12k: Add fallback for invalid channel number in PHY metadata", " - wifi: ath12k: fix wrong logging ID used for CE", " - wifi: ath10k: avoid unnecessary wait for service ready message", " - iommu/vt-d: debugfs: Fix legacy mode page table dump logic", " - wifi: mac80211: fix Rx packet handling when pubsta information is not", " available", " - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC III", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " Niagara", " - sparc: fix accurate exception reporting in copy_to_user for Niagara 4", " - sparc: fix accurate exception reporting in copy_{from,to}_user for M7", " - vfio/pds: replace bitmap_free with vfree", " - crypto: comp - Use same definition of context alloc and free ops", " - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs", " - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()", " - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse", " - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974", " - RDMA/rxe: Fix race in do_task() when draining", " - selftests/mm: fix va_high_addr_switch.sh failure on x86_64", " - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()", " - wifi: rtw89: avoid circular locking dependency in ser_state_run()", " - PCI: tegra194: Fix duplicate PLL disable in", " pex_ep_event_pex_rst_assert()", " - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice", " - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E", " - wifi: ath12k: Refactor RX TID deletion handling into helper function", " - wifi: ath12k: Fix flush cache failure during RX queue update", " - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()", " - dm vdo: return error on corrupted metadata in start_restoring_volume", " functions", " - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()", " - coresight-etm4x: Conditionally access register TRCEXTINSELR", " - coresight: tmc: Support atclk", " - coresight: catu: Support atclk", " - coresight: etm4x: Support atclk", " - coresight: Appropriately disable programming clocks", " - coresight: Appropriately disable trace bus clocks", " - coresight: Avoid enable programming clock duplicately", " - coresight: trbe: Return NULL pointer for allocation failures", " - coresight: tpda: fix the logic to setup the element size", " - coresight: Fix incorrect handling for return value of devm_kzalloc", " - NFSv4.1: fix backchannel max_resp_sz verification check", " - net: ethtool: tsconfig: set command must provide a reply", " - netfilter: nfnetlink: reset nlh pointer during batch replay", " - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack", " - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling", " - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()", " - usb: vhci-hcd: Prevent suspending virtually attached devices", " - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion", " - PCI: rcar-gen4: Assure reset occurs before DBI access", " - PCI: rcar-gen4: Fix inverted break condition in PHY initialization", " - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075", " - iommu/vt-d: Disallow dirty tracking if incoherent page walk", " - iommu/selftest: prevent use of uninitialized variable", " - RDMA/siw: Always report immediate post SQ errors", " - net: enetc: Fix probing error message typo for the ENETCv4 PF driver", " - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast", " - ptp: Add a upper bound on max_vclocks", " - vhost: vringh: Fix copy_to_iter return value check", " - net: macb: remove illusion about TBQPH/RBQPH being per-queue", " - net: macb: move ring size computation to functions", " - net: macb: single dma_alloc_coherent() for DMA descriptors", " - Bluetooth: btintel_pcie: Refactor Device Coredump", " - Bluetooth: MGMT: Fix not exposing debug UUID on", " MGMT_OP_READ_EXP_FEATURES_INFO", " - Bluetooth: ISO: Fix possible UAF on iso_conn_free", " - Bluetooth: ISO: free rx_skb if not consumed", " - Bluetooth: ISO: don't leak skb in ISO_CONT RX", " - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements", " - KEYS: X.509: Fix Basic Constraints CA flag parsing", " - hwrng: ks-sa - fix division by zero in ks_sa_rng_init", " - cramfs: fix incorrect physical page address calculation", " - ocfs2: fix double free in user_cluster_connect()", " - drivers/base/node: fix double free in register_one_node()", " - f2fs: fix UAF issue in f2fs_merge_page_bio()", " - mtd: rawnand: atmel: Fix error handling path in", " atmel_nand_controller_add_nands", " - PCI: j721e: Fix incorrect error message in probe()", " - idpf: fix mismatched free function for dma_alloc_coherent", " - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()", " - nfp: fix RSS hash key size when RSS is not supported", " - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not", " configurable", " - net: dlink: handle copy_thresh allocation failure", " - net/mlx5: Stop polling for command response if interface goes down", " - net/mlx5: pagealloc: Fix reclaim race during command interface teardown", " - net/mlx5: fw reset, add reset timeout work", " - smb: client: fix crypto buffers in non-linear memory", " - bonding: fix xfrm offload feature setup on active-backup mode", " - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values", " - iommufd: Register iommufd mock devices with fwspec", " - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"", " - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support", " - nfs/localio: avoid issuing misaligned IO using O_DIRECT", " - octeontx2-vf: fix bitmap leak", " - octeontx2-pf: fix bitmap leak", " - vhost: vringh: Modify the return value check", " - selftests/bpf: Fix typos and grammar in test sources", " - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c", " - selftests/bpf: Fix realloc size in bpf_get_addrs", " - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer", " - bpf: Reject negative offsets for ALU ops", " - tpm: Disable TPM2_TCG_HMAC by default", " - ALSA: hda/hdmi: Add pin fix for HP ProDesk model", " - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100", " - Squashfs: fix uninit-value in squashfs_get_parent", " - uio_hv_generic: Let userspace take care of interrupt mask", " - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init", " - io_uring/waitid: always prune wait queue entry in io_waitid_wait()", " - io_uring/zcrx: fix overshooting recv limit", " - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()", " - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down", " - ASoC: codecs: wcd937x: set the comp soundwire port correctly", " - ASoC: codecs: wcd937x: make stub functions inline", " - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples", " - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA", " - fs: udf: fix OOB read in lengthAllocDescs handling", " - net: nfc: nci: Add parameter validation for packet data", " - mfd: rz-mtu3: Fix MTU5 NFCR register offset", " - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag", " - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()", " - tracing: Fix lock imbalance in s_start() memory allocation failure path", " - tracing: Fix race condition in kprobe initialization causing NULL", " pointer dereference", " - tracing: Fix wakeup tracers on failure of acquiring calltime", " - tracing: Fix irqoff tracers on failure of acquiring calltime", " - tracing: Have trace_marker use per-cpu data to read user space", " - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf", " - tracing: Stop fortify-string from warning in tracing_mark_raw_write()", " - dm: fix queue start/stop imbalance under suspend/load/resume races", " - dm: fix NULL pointer dereference in __dm_suspend()", " - LoongArch: Automatically disable kaslr if boot from kexec_file", " - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT", " - LoongArch: BPF: Sign-extend struct ops return values properly", " - LoongArch: BPF: No support of struct argument in trampoline programs", " - LoongArch: BPF: Don't align trampoline size", " - LoongArch: BPF: Make trampoline size stable", " - LoongArch: BPF: Make error handling robust in", " arch_prepare_bpf_trampoline()", " - LoongArch: BPF: Remove duplicated bpf_flush_icache()", " - LoongArch: BPF: No text_poke() for kernel text", " - LoongArch: BPF: Remove duplicated flags check", " - LoongArch: BPF: Fix uninitialized symbol 'retval_off'", " - mm/ksm: fix flag-dropping behavior in ksm_madvise", " - ksmbd: Fix race condition in RPC handle list access", " - ksmbd: fix error code overwriting in smb2_get_info_filesystem()", " - ksmbd: add max ip connections parameter", " - ext4: fix potential null deref in ext4_mb_init()", " - ext4: fix checks for orphan inodes", " - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid", " - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()", " - mm: hugetlb: avoid soft lockup when mprotect to large memory area", " - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is", " disabled", " - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()", " - misc: fastrpc: Save actual DMA size in fastrpc_map structure", " - misc: fastrpc: Fix fastrpc_map_lookup operation", " - misc: fastrpc: fix possible map leak in fastrpc_put_args", " - misc: fastrpc: Skip reference for DMA handles", " - Input: atmel_mxt_ts - allow reset GPIO to sleep", " - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info", " leak", " - sunrpc: fix null pointer dereference on zero-length checksum", " - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()", " - remoteproc: pru: Fix potential NULL pointer dereference in", " pru_rproc_set_ctable()", " - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before", " release", " - thunderbolt: Fix use-after-free in tb_dp_dprx_work", " - tee: fix register_shm_helper()", " - pinctrl: check the return value of pinmux_ops::get_function_name()", " - bus: fsl-mc: Check return value of platform_get_resource()", " - net/9p: Fix buffer overflow in USB transport layer", " - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock", " - usb: typec: tipd: Clear interrupts first", " - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode", " - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call", " - scsi: ufs: core: Fix PM QoS mutex initialization", " - drm/amdgpu/vcn: Fix double-free of vcn dump buffer", " - Linux 6.17.3", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", "" ], "package": "linux-riscv", "version": "6.17.0-9.9.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "author": "Emil Renner Berthing ", "date": "Mon, 01 Dec 2025 16:40:19 +0100" } ], "notes": "linux-riscv-headers-6.17.0-12 version '6.17.0-12.12.1' (source package linux-riscv version '6.17.0-12.12.1') was added. linux-riscv-headers-6.17.0-12 version '6.17.0-12.12.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-8-generic. As such we can use the source package version of the removed package, '6.17.0-8.8.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-riscv-tools-6.17.0-12", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": null }, "to_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-12.12.1", "version": "6.17.0-12.12.1" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" }, { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138113, 2138115, 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-12.12.1 -proposed tracker (LP: #2138113)", "", " [ Ubuntu: 6.17.0-12.12 ]", "", " * questing/linux: 6.17.0-12.12 -proposed tracker (LP: #2138115)", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40214", " - af_unix: Initialise scc_index in unix_add_edge().", "" ], "package": "linux-riscv", "version": "6.17.0-12.12.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2138113, 2138115 ], "author": "Sarah Emery ", "date": "Thu, 15 Jan 2026 10:49:19 +0100" }, { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-9.9.1 -proposed tracker (LP: #2133508)", "", " [ Ubuntu: 6.17.0-9.9 ]", "", " * questing/linux: 6.17.0-9.9 -proposed tracker (LP: #2132302)", " * The machine didn’t go into suspend and got stuck (LP: #2132095)", " - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep", " handlers", " * CAP_PERFMON insufficient to get perf data (LP: #2131046)", " - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4", " * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or", " later (LP: #2115860)", " - drm/amd: Unify shutdown() callback behavior", " - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device", " - drm/amd: Remove comment about handling errors in", " amdgpu_device_ip_suspend_phase1()", " - drm/amd: Don't always set IP block HW status to false", " - drm/amd: Pass IP suspend errors up to callers", " - drm/amd: Avoid evicting resources at S5", " * kernel crash on bootup for some arm64 machines (LP: #2129770)", " - KVM: arm64: Guard PMSCR_EL1 initialization with SPE presence check", " * crash when reading from /sys/kernel/tracing/rv/enabled_monitors", " (LP: #2131136)", " - rv: Fully convert enabled_monitors to use list_head as iterator", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", " * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera", " (LP: #2128792)", " - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"", " - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO", " function\"", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", " * Questing update: v6.17.4 upstream stable release (LP: #2131259)", " - fs: always return zero on success from replace_fd()", " - fscontext: do not consume log entries when returning -EMSGSIZE", " - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()", " - arm64: map [_text, _stext) virtual address range non-executable+read-", " only", " - rseq: Protect event mask against membarrier IPI", " - statmount: don't call path_put() under namespace semaphore", " - listmount: don't call path_put() under namespace semaphore", " - clocksource/drivers/clps711x: Fix resource leaks in error paths", " - memcg: skip cgroup_file_notify if spinning is not allowed", " - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches", " - PM: runtime: Update kerneldoc return codes", " - dma-mapping: fix direction in dma_alloc direction traces", " - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency", " - nfsd: unregister with rpcbind when deleting a transport", " - KVM: x86: Add helper to retrieve current value of user return MSR", " - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2", " - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE", " - media: v4l2-subdev: Fix alloc failure check in", " v4l2_subdev_call_state_try()", " - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled", " - clk: npcm: select CONFIG_AUXILIARY_BUS", " - clk: thead: th1520-ap: describe gate clocks with clk_gate", " - clk: thead: th1520-ap: fix parent of padctrl0 clock", " - clk: thead: Correct parent for DPU pixel clocks", " - clk: renesas: r9a08g045: Add MSTOP for GPIO", " - perf disasm: Avoid undefined behavior in incrementing NULL", " - perf test trace_btf_enum: Skip if permissions are insufficient", " - perf evsel: Avoid container_of on a NULL leader", " - libperf event: Ensure tracing data is multiple of 8 sized", " - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()", " - clk: qcom: Select the intended config in QCS_DISPCC_615", " - perf parse-events: Handle fake PMUs in CPU terms", " - clk: at91: peripheral: fix return value", " - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()", " - perf: Completely remove possibility to override MAX_NR_CPUS", " - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()", " - perf util: Fix compression checks returning -1 as bool", " - rtc: x1205: Fix Xicor X1205 vendor prefix", " - rtc: optee: fix memory leak on driver removal", " - perf arm_spe: Correct setting remote access", " - perf arm_spe: Correct memory level for remote access", " - perf vendor events arm64 AmpereOneX: Fix typo - should be", " l1d_cache_access_prefetches", " - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1", " - perf test shell lbr: Avoid failures with perf event paranoia", " - perf trace: Fix IS_ERR() vs NULL check bug", " - perf session: Fix handling when buffer exceeds 2 GiB", " - perf test: Don't leak workload gopipe in PERF_RECORD_*", " - perf evsel: Fix uniquification when PMU given without suffix", " - perf test: Avoid uncore_imc/clockticks in uniquification test", " - perf evsel: Ensure the fallback message is always written to", " - perf build-id: Ensure snprintf string is empty when size is 0", " - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m", " - clk: mediatek: clk-mux: Do not pass flags to", " clk_mux_determine_rate_flags()", " - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()", " - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver", " - clk: tegra: do not overallocate memory for bpmp clocks", " - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update", " - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()", " - vfs: add ATTR_CTIME_SET flag", " - nfsd: use ATTR_CTIME_SET for delegated ctime updates", " - nfsd: track original timestamps in nfs4_delegation", " - nfsd: fix SETATTR updates for delegated timestamps", " - nfsd: fix timestamp updates in CB_GETATTR", " - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64", " - PM: core: Annotate loops walking device links as _srcu", " - PM: core: Add two macros for walking device links", " - PM: sleep: Do not wait on SYNC_STATE_ONLY device links", " - cpufreq: tegra186: Set target frequency for all cpus in policy", " - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue", " - perf bpf-filter: Fix opts declaration on older libbpfs", " - scsi: ufs: sysfs: Make HID attributes visible", " - mshv: Handle NEED_RESCHED_LAZY before transferring to guest", " - perf bpf_counter: Fix handling of cpumap fixing hybrid", " - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size", " - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer", " size", " - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead", " of buffer time", " - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference", " - LoongArch: Fix build error for LTO with LLVM-18", " - LoongArch: Init acpi_gbl_use_global_lock to false", " - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel", " - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in", " lan78xx_read_raw_eeprom", " - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()", " - drm/xe/hw_engine_group: Fix double write lock release in error path", " - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path", " - s390/cio: Update purge function to unregister the unused subchannels", " - drm/vmwgfx: Fix a null-ptr access in the cursor snooper", " - drm/vmwgfx: Fix Use-after-free in validation", " - drm/vmwgfx: Fix copy-paste typo in validation", " - net/sctp: fix a null dereference in sctp_disposition", " sctp_sf_do_5_1D_ce()", " - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().", " - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work", " - selftest: net: ovpn: Fix uninit return values", " - ice: ice_adapter: release xa entry on adapter allocation failure", " - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe", " - tools build: Align warning options with perf", " - perf python: split Clang options when invoking Popen", " - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()", " - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call", " - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes", " - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop", " - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind", " - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}", " - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions", " - net: sparx5/lan969x: fix flooding configuration on bridge join/leave", " - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables", " - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed", " - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()", " - drm/amdgpu: Add additional DCE6 SCL registers", " - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs", " - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6", " - drm/amd/display: Properly disable scaling on DCE6", " - drm/amd/display: Disable scaling on DCE6 for now", " - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping", " - net: pse-pd: tps23881: Fix current measurement scaling", " - crypto: skcipher - Fix reqsize handling", " - netfilter: nft_objref: validate objref and objrefmap expressions", " - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()", " - selftests: netfilter: nft_fib.sh: fix spurious test failures", " - selftests: netfilter: query conntrack state to check for port clash", " resolution", " - io_uring/zcrx: increment fallback loop src offset", " - net: airoha: Fix loopback mode configuration for GDM2 port", " - cifs: Fix copy_to_iter return value check", " - smb: client: fix missing timestamp updates after utime(2)", " - rtc: isl12022: Fix initial enable_irq/disable_irq balance", " - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points", " - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single", " - gpio: wcd934x: mark the GPIO controller as sleeping", " - bpf: Avoid RCU context warning when unpinning htab with internal structs", " - kbuild: always create intermediate vmlinux.unstripped", " - kbuild: keep .modinfo section in vmlinux.unstripped", " - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux", " - kbuild: Add '.rel.*' strip pattern for vmlinux", " - s390: vmlinux.lds.S: Reorder sections", " - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections", " - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name", " - ACPI: property: Fix buffer properties extraction for subnodes", " - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT", " - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg", " - ACPI: debug: fix signedness issues in read/write helpers", " - ACPI: battery: Add synchronization between interface updates", " - arm64: dts: qcom: msm8916: Add missing MDSS reset", " - arm64: dts: qcom: msm8939: Add missing MDSS reset", " - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees", " - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010", " by default\"", " - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default", " - arm64: dts: ti: k3-am62a-main: Fix main padcfg length", " - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP", " - arm64: kprobes: call set_memory_rox() for kprobe page", " - arm64: mte: Do not flag the zero page as PG_mte_tagged", " - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on", " reset)", " - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in", " amx3_idle_init", " - firmware: arm_scmi: quirk: Prevent writes to string constants", " - perf/arm-cmn: Fix CMN S3 DTM offset", " - KVM: s390: Fix to clear PTE when discarding a swapped page", " - KVM: arm64: Fix debug checking for np-guests using huge mappings", " - KVM: arm64: Fix page leak in user_mem_abort()", " - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP", " - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES", " guest", " - KVM: TDX: Fix uninitialized error code for __tdx_bringup()", " - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-", " required", " - xen: take system_transition_mutex on suspend", " - xen/events: Cleanup find_virq() return codes", " - xen/manage: Fix suspend error path", " - xen/events: Return -EEXIST for bound VIRQs", " - xen/events: Update virq_to_irq on migration", " - firmware: exynos-acpm: fix PMIC returned errno", " - firmware: meson_sm: fix device leak at probe", " - media: cec: extron-da-hd-4k-plus: drop external-module make commands", " - media: cx18: Add missing check after DMA map", " - media: i2c: mt9p031: fix mbus code initialization", " - media: i2c: mt9v111: fix incorrect type for ret", " - media: mc: Fix MUST_CONNECT handling for pads with no links", " - media: pci: ivtv: Add missing check after DMA map", " - media: pci: mg4b: fix uninitialized iio scan data", " - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids", " - media: s5p-mfc: remove an unused/uninitialized variable", " - media: staging/ipu7: fix isys device runtime PM usage in firmware", " closing", " - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh", " - media: venus: firmware: Use correct reset sequence for IRIS2", " - media: venus: pm_helpers: add fallback for the opp-table", " - media: vivid: fix disappearing messages", " - media: vsp1: Export missing vsp1_isp_free_buffer symbol", " - media: ti: j721e-csi2rx: Use devm_of_platform_populate", " - media: ti: j721e-csi2rx: Fix source subdev link creation", " - media: lirc: Fix error handling in lirc_register()", " - drm/exynos: exynos7_drm_decon: remove ctx->suspended", " - drm/panthor: Fix memory leak in panthor_ioctl_group_create()", " - drm/msm/a6xx: Fix PDC sleep sequence", " - drm/rcar-du: dsi: Fix 1/2/3 lane support", " - drm/nouveau: fix bad ret code in nouveau_bo_move_prep", " - drm/xe/uapi: loosen used tracking restriction", " - drm/amd/display: Incorrect Mirror Cositing", " - drm/amd/display: Enable Dynamic DTBCLK Switch", " - drm/amd/display: Fix unsafe uses of kernel mode FPU", " - blk-crypto: fix missing blktrace bio split events", " - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()", " - bus: mhi: ep: Fix chained transfer handling in read path", " - bus: mhi: host: Do not use uninitialized 'dev' pointer in", " mhi_init_irq_setup()", " - cdx: Fix device node reference leak in cdx_msi_domain_init", " - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk", " - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes", " - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths", " - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks", " - copy_sighand: Handle architectures where sizeof(unsigned long) <", " sizeof(u64)", " - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay", " - cpufreq: intel_pstate: Fix object lifecycle issue in", " update_qos_request()", " - crypto: aspeed - Fix dma_unmap_sg() direction", " - crypto: atmel - Fix dma_unmap_sg() direction", " - crypto: rockchip - Fix dma_unmap_sg() nents value", " - eventpoll: Replace rwlock with spinlock", " - fbdev: Fix logic error in \"offb\" name match", " - fs/ntfs3: Fix a resource leak bug in wnd_extend()", " - fs: quota: create dedicated workqueue for quota_release_work", " - fsnotify: pass correct offset to fsnotify_mmap_perm()", " - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()", " - fuse: fix livelock in synchronous file put from fuseblk workers", " - gpio: mpfs: fix setting gpio direction to output", " - i3c: Fix default I2C adapter timeout value", " - iio/adc/pac1934: fix channel disable configuration", " - iio: dac: ad5360: use int type to store negative error codes", " - iio: dac: ad5421: use int type to store negative error codes", " - iio: frequency: adf4350: Fix prescaler usage.", " - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK", " - iio: xilinx-ams: Unmask interrupts after updating alarms", " - init: handle bootloader identifier in kernel parameters", " - iio: imu: inv_icm42600: Simplify pm_runtime setup", " - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in", " resume", " - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime", " suspended", " - iommu/vt-d: PRS isn't usable if PDS isn't supported", " - ipmi: Rework user message limit handling", " - ipmi:msghandler:Change seq_lock to a mutex", " - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in", " sys_prlimit64() paths", " - KEYS: trusted_tpm1: Compare HMAC values in constant time", " - kho: only fill kimage if KHO is finalized", " - lib/genalloc: fix device leak in of_gen_pool_get()", " - loop: fix backing file reference leak on validation error", " - md: fix mssing blktrace bio split events", " - of: unittest: Fix device reference count leak in", " of_unittest_pci_node_verify", " - openat2: don't trigger automounts with RESOLVE_NO_XDEV", " - padata: Reset next CPU when reorder sequence wraps around", " - parisc: don't reference obsolete termio struct for TC* constants", " - parisc: Remove spurious if statement from raw_copy_from_user()", " - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk", " - pinctrl: samsung: Drop unused S3C24xx driver data", " - PM: EM: Fix late boot with holes in CPU topology", " - PM: hibernate: Fix hybrid-sleep", " - PM: hibernate: Restrict GFP mask in power_down()", " - power: supply: max77976_charger: fix constant current reporting", " - powerpc/powernv/pci: Fix underflow and leak issue", " - powerpc/pseries/msi: Fix potential underflow and leak issue", " - pwm: berlin: Fix wrong register in suspend/resume", " - pwm: Fix incorrect variable used in error message", " - Revert \"ipmi: fix msg stack when IPMI is disconnected\"", " - sched/deadline: Fix race in push_dl_task()", " - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()", " - scsi: sd: Fix build warning in sd_revalidate_disk()", " - sctp: Fix MAC comparison to be constant-time", " - smb client: fix bug with newly created file in cached dir", " - sparc64: fix hugetlb for sun4u", " - sparc: fix error handling in scan_one_device()", " - xtensa: simdisk: add input size check in proc_write_simdisk", " - xsk: Harden userspace-supplied xdp_desc validation", " - mtd: rawnand: fsmc: Default to autodetect buswidth", " - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N", " - mmc: core: SPI mode remove cmd7", " - mmc: mmc_spi: multiple block read remove read crc ack", " - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe", " - memory: stm32_omm: Fix req2ack update test", " - rtc: interface: Ensure alarm irq is enabled when UIE is enabled", " - rtc: interface: Fix long-standing race when setting alarm", " - rseq/selftests: Use weak symbol reference, not definition, to link with", " glibc", " - PCI: xilinx-nwl: Fix ECAM programming", " - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock", " - PCI/sysfs: Ensure devices are powered for config reads", " - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV", " - PCI/ERR: Fix uevent on failure to recover", " - PCI/AER: Fix missing uevent on recovery when a reset is requested", " - PCI/AER: Support errors introduced by PCIe r6.0", " - PCI: Ensure relaxed tail alignment does not increase min_align", " - PCI: Fix failure detection during resource resize", " - PCI: j721e: Fix module autoloading", " - PCI: j721e: Fix programming sequence of \"strap\" settings", " - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on", " exit", " - PCI: rcar-gen4: Fix PHY initialization", " - PCI: rcar-host: Drop PMSR spinlock", " - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock", " - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()", " - PCI: tegra194: Handle errors in BPMP response", " - PCI: tegra194: Reset BARs when running in PCIe endpoint mode", " - PCI/pwrctrl: Fix device leak at registration", " - PCI/pwrctrl: Fix device and OF node leak at bus scan", " - PCI/pwrctrl: Fix device leak at device stop", " - spi: cadence-quadspi: Flush posted register writes before INDAC access", " - spi: cadence-quadspi: Flush posted register writes before DAC access", " - spi: cadence-quadspi: Fix cqspi_setup_flash()", " - xfs: use deferred intent items for reaping crosslinked blocks", " - x86/fred: Remove ENDBR64 from FRED entry points", " - x86/umip: Check that the instruction opcode is at least two bytes", " - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT", " aliases)", " - mptcp: pm: in-kernel: usable client side with C-flag", " - mptcp: reset blackhole on success with non-loopback ifaces", " - selftests: mptcp: join: validate C-flag + def limit", " - s390/cio/ioasm: Fix __xsch() condition code handling", " - s390/dasd: enforce dma_alignment to ensure proper buffer validation", " - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request", " - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR", " - slab: prevent warnings when slab obj_exts vector allocation fails", " - slab: mark slab->obj_exts allocation failures unconditionally", " - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again", " - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs", " - wifi: rtw89: avoid possible TX wait initialization race", " - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000", " - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500", " - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages", " - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled", " mTHP subpage to shared zeropage", " - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations", " - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when", " max_huge_pages=0", " - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success", " - mm/damon/lru_sort: use param_ctx for damon_attrs staging", " - nfsd: decouple the xprtsec policy check from check_nfsd_access()", " - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()", " - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry", " - media: iris: Call correct power off callback in cleanup path", " - media: iris: Fix firmware reference leak and unmap memory after load", " - media: iris: fix module removal if firmware download failed", " - media: iris: vpu3x: Add MNoC low power handshake during hardware power-", " off", " - media: iris: Fix port streaming handling", " - media: iris: Fix buffer count reporting in internal buffer check", " - media: iris: Allow substate transition to load resources during output", " streaming", " - media: iris: Always destroy internal buffers on firmware release", " response", " - media: iris: Simplify session stop logic by relying on vb2 checks", " - media: iris: Update vbuf flags before v4l2_m2m_buf_done", " - media: iris: Send dummy buffer address for all codecs during drain", " - media: iris: Fix missing LAST flag handling during drain", " - media: iris: Fix format check for CAPTURE plane in try_fmt", " - media: iris: Allow stop on firmware only if start was issued.", " - ext4: add ext4_sb_bread_nofail() helper function for", " ext4_free_branches()", " - ext4: fail unaligned direct IO write with EINVAL", " - ext4: verify orphan file size is not too big", " - ext4: increase i_disksize to offset + len in", " ext4_update_disksize_before_punch()", " - ext4: correctly handle queries for metadata mappings", " - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()", " - ext4: fix an off-by-one issue during moving extents", " - ext4: guard against EA inode refcount underflow in xattr update", " - ext4: validate ea_ino and size in check_xattrs", " - ACPICA: Allow to skip Global Lock initialization", " - ext4: free orphan info with kvfree", " - ipmi: Fix handling of messages with provided receive message pointer", " - Squashfs: add additional inode sanity checking", " - Squashfs: reject negative file sizes in squashfs_read_inode()", " - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork", " - media: mc: Clear minor number before put device", " - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs", " - ACPI: property: Disregard references in data-only subnode lists", " - ACPI: property: Add code comments explaining what is going on", " - ACPI: property: Do not pass NULL handles to acpi_attach_data()", " - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume", " - copy_file_range: limit size if in compat mode", " - minixfs: Verify inode mode when loading from disk", " - pid: Add a judgment for ns null in pid_nr_ns", " - fs: Add 'initramfs_options' to set initramfs mount options", " - cramfs: Verify inode mode when loading from disk", " - nsfs: validate extensible ioctls", " - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list", " - writeback: Avoid softlockup when switching many inodes", " - writeback: Avoid excessively long inode switching times", " - iomap: error out on file IO when there is no inline_data buffer", " - pidfs: validate extensible ioctls", " - mount: handle NULL values in mnt_ns_release()", " - Linux 6.17.4", " * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race", " condition in perf build causes build failure due to missing unistd_64.h", " header on arm64 (LP: #2131702)", " - perf tools: Fix arm64 libjvmti build by generating unistd_64.h", " * Questing update: v6.17.3 upstream stable release (LP: #2129610)", " - arch: copy_thread: pass clone_flags as u64", " - filelock: add FL_RECLAIM to show_fl_flags() macro", " - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD", " - pid: use ns_capable_noaudit() when determining net sysctl permissions", " - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures", " - [Config]: Update CC configs for v6.17.3", " - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too", " fast", " - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact", " - selftests: arm64: Check fread return value in exec_target", " - selftests: arm64: Fix -Waddress warning in tpidr2 test", " - kselftest/arm64/gcs: Correctly check return value when disabling GCS", " - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()", " - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote", " - gfs2: Remove space before newline", " - gfs2: Further sanitize lock_dlm.c", " - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue", " - gfs2: Remove duplicate check in do_xmote", " - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS", " - gfs2: do_xmote cleanup", " - gfs2: Add proper lockspace locking", " - powerpc/8xx: Remove left-over instruction and comments in", " DataStoreTLBMiss handler", " - powerpc/603: Really copy kernel PGD entries into all PGDIRs", " - powerpc/ftrace: ensure ftrace record ops are always set for NOPs", " - powerpc64/modules: correctly iterate over stubs in", " setup_ftrace_ool_stubs", " - uprobes: uprobe_warn should use passed task", " - raid6: riscv: Clean up unused header file inclusion", " - coresight: trbe: Prevent overflow in PERF_IDX2OFF()", " - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()", " - erofs: avoid reading more for fragment maps", " - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages", " - smb: server: fix IRD/ORD negotiation with the client", " - perf/x86/intel: Use early_initcall() to hook bts_init()", " - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error", " - x86/vdso: Fix output operand size of RDPID", " - selftests: cgroup: Make test_pids backwards compatible", " - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()", " - [Config]: Update CONFIG_SCHED_MC for v6.17.3", " - lsm: CONFIG_LSM can depend on CONFIG_SECURITY", " - cpuset: fix failure to enable isolated partition when containing", " isolcpus", " - btrfs: return any hit error from extent_writepage_io()", " - btrfs: fix symbolic link reading when bs > ps", " - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()", " - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0", " - bpf: Tidy verifier bug message", " - regmap: Remove superfluous check for !config in __regmap_init()", " - selftests/bpf: Copy test_kmods when installing selftest", " - rust: cpumask: Mark CpumaskVar as transparent", " - bpf/selftests: Fix test_tcpnotify_user", " - bpf: Remove migrate_disable in kprobe_multi_link_prog_run", " - libbpf: Fix reuse of DEVMAP", " - tools/nolibc: fix error return value of clock_nanosleep()", " - ARM: dts: renesas: porter: Fix CAN pin group", " - leds: max77705: Function return instead of variable assignment", " - leds: flash: leds-qcom-flash: Update torch current clamp setting", " - s390/bpf: Do not write tail call counter into helper and kfunc frames", " - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL", " - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG", " - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()", " - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on", " EVTB1", " - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1", " - libbpf: Export bpf_object__prepare symbol", " - firmware: arm_scmi: Mark VirtIO ready before registering", " scmi_virtio_driver", " - arm64: dts: imx93-kontron: Fix GPIO for panel regulator", " - arm64: dts: imx93-kontron: Fix USB port assignment", " - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid", " - bpf: Remove preempt_disable in bpf_try_get_buffers", " - ACPI: processor: idle: Fix memory leak when register cpuidle device", " failed", " - genirq: Add irq_chip_(startup/shutdown)_parent()", " - PCI/MSI: Add startup/shutdown for per device domains", " - irqchip/sg2042-msi: Fix broken affinity setting", " - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()", " - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS", " - pinctrl: meson-gxl: add missing i2c_d pinmux", " - blk-mq: check kobject state_in_sysfs before deleting in", " blk_mq_unregister_hctx", " - selftests/futex: Remove the -g parameter from futex_priv_hash", " - ARM: at91: pm: fix MCKx restore routine", " - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map", " - regulator: scmi: Use int type to store negative error codes", " - selftests/futex: Fix some futex_numa_mpol subtests", " - tools/nolibc: avoid error in dup2() if old fd equals new fd", " - selftests/nolibc: fix EXPECT_NZ macro", " - leds: leds-lp55xx: Use correct address for memory programming", " - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in", " cond_[startup|shutdown]_parent()", " - block: use int to store blk_stack_limits() return value", " - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property", " - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes", " - genirq/test: Fix depth tests on architectures with NOREQUEST by default.", " - genirq/test: Select IRQ_DOMAIN", " - genirq/test: Depend on SPARSE_IRQ", " - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions", " - genirq/test: Ensure CPU 1 is online for hotplug test", " - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()", " - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY", " - PM: sleep: core: Clear power.must_resume in noirq suspend error path", " - blk-mq: fix elevator depth_updated method", " - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h", " - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS", " to use correct boolean syntax", " - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property", " to use correct boolean syntax in DTS", " - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer", " property", " - PM / devfreq: mtk-cci: Fix potential error pointer dereference in", " probe()", " - power: supply: cw2015: Fix a alignment coding style issue", " - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI", " - pinctrl: renesas: Use int type to store negative error codes", " - pinctrl: eswin: Fix regulator error check and Kconfig dependency", " - null_blk: Fix the description of the cache_size module argument", " - blk-throttle: fix access race during throttle policy activation", " - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper", " - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing", " vDSO", " - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup", " path", " - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()", " - tick: Do not set device to detached state in tick_shutdown()", " - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0", " - arm64: dts: mediatek: mt8183: Fix out of range pull values", " - nbd: restrict sockets to TCP and UDP", " - PM / devfreq: rockchip-dfi: double count on RK3588", " - firmware: firmware: meson-sm: fix compile-test default", " - dts: arm: amlogic: fix pwm node for c3", " - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure", " - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure", " - cpuidle: qcom-spm: fix device and OF node leaks at probe", " - block: cleanup bio_issue", " - block: initialize bio issue time in blk_mq_submit_bio()", " - block: factor out a helper bio_submit_split_bioset()", " - block: skip unnecessary checks for split bio", " - block: fix ordering of recursive split IO", " - blk-mq: remove useless checkings in blk_mq_update_nr_requests()", " - blk-mq: check invalid nr_requests in queue_requests_store()", " - blk-mq: convert to serialize updating nr_requests with", " update_nr_hwq_lock", " - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()", " - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()", " - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()", " - blk-mq: fix potential deadlock while nr_requests grown", " - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting", " - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting", " - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10", " - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10", " - arm64: dts: rockchip: Fix network on rk3576 evb1 board", " - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F", " cores", " - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'", " - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout", " locations\"", " - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x", " carveout locations\"", " - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186", " - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model", " - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros", " - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node", " - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names", " - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()", " - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value", " - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address", " - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes", " - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible", " - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs", " - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal", " - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal", " - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal", " - pwm: tiehrpwm: Don't drop runtime PM reference in .free()", " - pwm: tiehrpwm: Make code comment in .free() more useful", " - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation", " - pwm: tiehrpwm: Fix corner case in clock divisor calculation", " - ACPICA: Apply ACPI_NONSTRING", " - ACPICA: Fix largest possible resource descriptor index", " - riscv, bpf: Sign extend struct ops return values properly", " - nvme-auth: update bi_directional flag", " - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op", " - nvmet-fcloop: call done callback even when remote port is gone", " - nvme-tcp: send only permitted commands for secure concat", " - i3c: master: svc: Use manual response for IBI events", " - i3c: master: svc: Recycle unused IBI slot", " - block: update validation of atomic writes boundary for stacked devices", " - block: fix stacking of atomic writes when atomics are not supported", " - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported", " - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES", " - blk-throttle: fix throtl_data leak during disk release", " - bpf: Explicitly check accesses to bpf_sock_addr", " - mmc: select REGMAP_MMIO with MMC_LOONGSON2", " - selftests/futex: Fix futex_wait() for 32bit ARM", " - selftest/futex: Make the error check more precise for futex_numa_mpol", " - selftest/futex: Compile also with libnuma < 2.0.16", " - bpf: dont report verifier bug for missing bpf_scc_visit on speculative", " path", " - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()", " - arm64: dts: apple: t600x: Add missing WiFi properties", " - arm64: dts: apple: t600x: Add bluetooth device nodes", " - arm64: dts: apple: Add ethernet0 alias for J375 template", " - selftests: always install UAPI headers to the correct directory", " - smp: Fix up and expand the smp_call_function_many() kerneldoc", " - mfd: max77705: max77705_charger: move active discharge setting to mfd", " parent", " - power: supply: max77705_charger: refactoring: rename charger to chg", " - power: supply: max77705_charger: use regfields for config registers", " - power: supply: max77705_charger: rework interrupts", " - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in", " host headers", " - spi: fix return code when spi device has too many chipselects", " - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation", " - clocksource/drivers/tegra186: Avoid 64-bit division", " - bpf: Mark kfuncs as __noclone", " - once: fix race by moving DO_ONCE to separate section", " - hwmon: (mlxreg-fan) Separate methods of fan setting coming from", " different subsystems", " - tools/nolibc: add stdbool.h to nolibc includes", " - thermal/drivers/qcom: Make LMH select QCOM_SCM", " - thermal/drivers/qcom/lmh: Add missing IRQ includes", " - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD", " - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails", " - i2c: spacemit: remove stop function to avoid bus error", " - i2c: spacemit: disable SDA glitch fix to avoid restart delay", " - i2c: spacemit: check SDA instead of SCL after bus reset", " - i2c: spacemit: ensure SDA is released after bus reset", " - i2c: designware: Fix clock issue when PM is disabled", " - i2c: designware: Add disabling clocks when probe fails", " - libbpf: Fix error when st-prefix_ops and ops from differ btf", " - bpf: Enforce expected_attach_type for tailcall compatibility", " - i3c: fix big-endian FIFO transfers", " - mfd: max77705: Setup the core driver as an interrupt controller", " - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test", " - drm/panel-edp: Add disable to 100ms for MNB601LS1-4", " - drm/display: bridge-connector: correct CEC bridge pointers in", " drm_bridge_connector_init", " - drm/panel-edp: Add 50ms disable delay for four panels", " - drm/vmwgfx: fix missing assignment to ts", " - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into", " 'stream_res' v4", " - drm/panel: novatek-nt35560: Fix invalid return value", " - drm/amdgpu: fix link error for !PM_SLEEP", " - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest", " - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest", " - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in", " pci_epf_write_msi_msg()", " - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()", " - drm/radeon/r600_cs: clean up of dead code in r600_cs", " - f2fs: fix condition in __allow_reserved_blocks()", " - f2fs: fix to avoid overflow while left shift operation", " - f2fs: fix to zero data after EOF for compressed file correctly", " - drm/bridge: it6505: select REGMAP_I2C", " - wifi: rtw88: Lock rtwdev->mutex before setting the LED", " - HID: steelseries: refactor probe() and remove()", " - media: zoran: Remove zoran_fh structure", " - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568", " - drm/bridge: cdns-dsi: Fix the _atomic_check()", " - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup", " - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls", " - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure", " - misc: pci_endpoint_test: Fix array underflow in", " pci_endpoint_test_ioctl()", " - serial: max310x: Add error checking in probe()", " - drm/amd/display: Remove redundant semicolons", " - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute", " functions", " - crypto: keembay - Add missing check after sg_nents_for_len()", " - hwrng: nomadik - add ARM_AMBA dependency", " - docs: iio: ad3552r: Fix malformed code-block directive", " - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()", " - scsi: pm80xx: Restore support for expanders", " - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod", " - scsi: libsas: Add dev_parent_is_expander() helper", " - scsi: pm80xx: Use dev_parent_is_expander() helper", " - scsi: pm80xx: Add helper function to get the local phy id", " - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an", " expander", " - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.", " - scsi: myrs: Fix dma_alloc_coherent() error check", " - f2fs: fix to clear unusable_cap for checkpoint=enable", " - f2fs: fix to avoid NULL pointer dereference in", " f2fs_check_quota_consistency()", " - f2fs: fix to allow removing qf_name", " - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not", " always send 3-byte commands\"", " - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands", " - crypto: octeontx2 - Call strscpy() with correct size argument", " - drm: re-allow no-op changes on non-primary planes in async flips", " - media: rj54n1cb0c: Fix memleak in rj54n1_probe()", " - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API", " - media: staging/ipu7: Don't set name for IPU7 PCI device", " - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release", " - media: i2c: vd55g1: Fix duster register address", " - drm/panel: Allow powering on panel follower after panel is enabled", " - HID: i2c-hid: Make elan touch controllers power on after panel is", " enabled", " - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count", " - RDMA/mlx5: Fix vport loopback forcing for MPV device", " - wifi: rtw88: Use led->brightness_set_blocking for PCI too", " - net: phy: introduce phy_id_compare_vendor() PHY ID helper", " - net: phy: as21xxx: better handle PHY HW reset on soft-reboot", " - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()", " - fuse: remove unneeded offset assignment when filling write pages", " - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes", " - cdx: don't select CONFIG_GENERIC_MSI_IRQ", " - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak", " - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()", " - ALSA: lx_core: use int type to store negative error codes", " - media: st-delta: avoid excessive stack usage", " - drm/amdgpu/vcn: Add regdump helper functions", " - drm/amdgpu/vcn: Hold pg_lock before vcn power off", " - drm/amdgpu: Check vcn state before profile switch", " - accel/amdxdna: Use int instead of u32 to store error codes", " - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text", " - net: dst: introduce dst->dev_rcu", " - ipv6: mcast: Add ip6_mc_find_idev() helper", " - ipv6: start using dst_dev_rcu()", " - ipv6: use RCU in ip6_xmit()", " - ipv6: use RCU in ip6_output()", " - net: use dst_dev_rcu() in sk_setup_caps()", " - tcp_metrics: use dst_dev_net_rcu()", " - ipv4: start using dst_dev_rcu()", " - crypto: hisilicon/zip - remove unnecessary validation for high-", " performance mode configurations", " - crypto: hisilicon - re-enable address prefetch after device resuming", " - crypto: hisilicon - check the sva module status while enabling or", " disabling address prefetch", " - crypto: hisilicon/qm - check whether the input function and PF are on", " the same device", " - crypto: hisilicon/qm - request reserved interrupt for virtual function", " - inet: ping: check sock_net() in ping_get_port() and ping_lookup()", " - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation", " - coresight: trbe: Add ISB after TRBLIMITR write", " - coresight: Fix missing include for FIELD_GET", " - coresight: Only register perf symlink for sinks with alloc_buffer", " - drm/amdgpu: Power up UVD 3 for FW validation (v2)", " - drm/amd/pm: Disable ULV even if unsupported (v3)", " - drm/amd/pm: Fix si_upload_smc_data (v3)", " - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)", " - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)", " - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)", " - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)", " - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta", " - wifi: mwifiex: send world regulatory domain to driver", " - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress", " (CYW)", " - drm/msm: Do not validate SSPP when it is not ready", " - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation", " - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan", " request during MLO", " - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s", " - tcp: fix __tcp_close() to only send RST when required", " - fanotify: Validate the return value of mnt_ns_from_dentry() before", " dereferencing", " - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()", " - usb: phy: twl6030: Fix incorrect type for ret", " - usb: gadget: configfs: Correctly set use_os_string at bind", " - tty: n_gsm: Don't block input queue by waiting MSC", " - misc: genwqe: Fix incorrect cmd field being reported in error", " - pps: fix warning in pps_register_cdev when register device fail", " - drm/msm: Fix obj leak in VM_BIND error path", " - drm/msm: Fix missing VM_BIND offset/range validation", " - wifi: iwlwifi: Remove redundant header files", " - drm/msm/mdp4: stop supporting no-IOMMU configuration", " - drm/msm: stop supporting no-IOMMU configuration", " - idpf: fix Rx descriptor ready check barrier in splitq", " - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping", " - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore", " - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST", " - drm/msm: Fix bootup splat with separate_gpu_drm modparam", " - drm/msm/dpu: fix incorrect type for ret", " - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()", " - fs: ntfs3: Fix integer overflow in run_unpack()", " - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist", " - iio: consumers: Fix handling of negative channel scale in", " iio_convert_raw_to_processed()", " - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()", " - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal", " - tools: ynl: fix undefined variable name", " - RDMA/mlx5: Fix page size bitmap calculation for KSM mode", " - netfilter: ipset: Remove unused htable_bits in macro ahash_region", " - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable", " - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()", " - watchdog: intel_oc_wdt: Do not try to write into const memory", " - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the", " watchdog", " - PCI: endpoint: pci-epf-test: Fix doorbell test support", " - drivers/base/node: handle error properly in register_one_node()", " - RDMA/cm: Rate limit destroy CM ID timeout error message", " - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration", " - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine", " - wifi: mt76: fix potential memory leak in mt76_wmac_probe()", " - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback", " - wifi: mt76: mt7996: Check phy before init msta_link in", " mt7996_mac_sta_add_links()", " - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on", " mt7996", " - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device", " - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE", " - wifi: mt76: mt7915: fix mt7981 pre-calibration", " - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during", " restart", " - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false", " - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()", " - drm/amdgpu: Fix allocating extra dwords for rings (v2)", " - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()", " - f2fs: fix to truncate first page in error path of f2fs_truncate()", " - f2fs: fix to avoid migrating empty section", " - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()", " - RISC-V: KVM: Write hgatp register with valid mode bits", " - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on", " PREEMPT_RT", " - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message", " - scsi: qla2xxx: edif: Fix incorrect sign of error code", " - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()", " - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()", " - HID: hidraw: tighten ioctl command parsing", " - f2fs: fix zero-sized extent for precache extents", " - smc: Fix use-after-free in __pnet_find_base_ndev().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().", " - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().", " - mptcp: Call dst_release() in mptcp_active_enable().", " - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().", " - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems", " Running\"", " - RDMA/core: Resolve MAC of next-hop device without ARP support", " - IB/sa: Fix sa_local_svc_timeout_ms read race", " - Documentation: trace: historgram-design: Separate sched_waking histogram", " section heading and the following diagram", " - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots", " - wifi: ath12k: initialize eirp_power before use", " - wifi: ath12k: fix overflow warning on num_pwr_levels", " - wifi: ath12k: fix signal in radiotap for WCN7850", " - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode", " - wifi: ath12k: fix the fetching of combined rssi", " - wifi: ath12k: Add fallback for invalid channel number in PHY metadata", " - wifi: ath12k: fix wrong logging ID used for CE", " - wifi: ath10k: avoid unnecessary wait for service ready message", " - iommu/vt-d: debugfs: Fix legacy mode page table dump logic", " - wifi: mac80211: fix Rx packet handling when pubsta information is not", " available", " - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC III", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " Niagara", " - sparc: fix accurate exception reporting in copy_to_user for Niagara 4", " - sparc: fix accurate exception reporting in copy_{from,to}_user for M7", " - vfio/pds: replace bitmap_free with vfree", " - crypto: comp - Use same definition of context alloc and free ops", " - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs", " - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()", " - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse", " - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974", " - RDMA/rxe: Fix race in do_task() when draining", " - selftests/mm: fix va_high_addr_switch.sh failure on x86_64", " - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()", " - wifi: rtw89: avoid circular locking dependency in ser_state_run()", " - PCI: tegra194: Fix duplicate PLL disable in", " pex_ep_event_pex_rst_assert()", " - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice", " - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E", " - wifi: ath12k: Refactor RX TID deletion handling into helper function", " - wifi: ath12k: Fix flush cache failure during RX queue update", " - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()", " - dm vdo: return error on corrupted metadata in start_restoring_volume", " functions", " - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()", " - coresight-etm4x: Conditionally access register TRCEXTINSELR", " - coresight: tmc: Support atclk", " - coresight: catu: Support atclk", " - coresight: etm4x: Support atclk", " - coresight: Appropriately disable programming clocks", " - coresight: Appropriately disable trace bus clocks", " - coresight: Avoid enable programming clock duplicately", " - coresight: trbe: Return NULL pointer for allocation failures", " - coresight: tpda: fix the logic to setup the element size", " - coresight: Fix incorrect handling for return value of devm_kzalloc", " - NFSv4.1: fix backchannel max_resp_sz verification check", " - net: ethtool: tsconfig: set command must provide a reply", " - netfilter: nfnetlink: reset nlh pointer during batch replay", " - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack", " - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling", " - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()", " - usb: vhci-hcd: Prevent suspending virtually attached devices", " - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion", " - PCI: rcar-gen4: Assure reset occurs before DBI access", " - PCI: rcar-gen4: Fix inverted break condition in PHY initialization", " - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075", " - iommu/vt-d: Disallow dirty tracking if incoherent page walk", " - iommu/selftest: prevent use of uninitialized variable", " - RDMA/siw: Always report immediate post SQ errors", " - net: enetc: Fix probing error message typo for the ENETCv4 PF driver", " - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast", " - ptp: Add a upper bound on max_vclocks", " - vhost: vringh: Fix copy_to_iter return value check", " - net: macb: remove illusion about TBQPH/RBQPH being per-queue", " - net: macb: move ring size computation to functions", " - net: macb: single dma_alloc_coherent() for DMA descriptors", " - Bluetooth: btintel_pcie: Refactor Device Coredump", " - Bluetooth: MGMT: Fix not exposing debug UUID on", " MGMT_OP_READ_EXP_FEATURES_INFO", " - Bluetooth: ISO: Fix possible UAF on iso_conn_free", " - Bluetooth: ISO: free rx_skb if not consumed", " - Bluetooth: ISO: don't leak skb in ISO_CONT RX", " - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements", " - KEYS: X.509: Fix Basic Constraints CA flag parsing", " - hwrng: ks-sa - fix division by zero in ks_sa_rng_init", " - cramfs: fix incorrect physical page address calculation", " - ocfs2: fix double free in user_cluster_connect()", " - drivers/base/node: fix double free in register_one_node()", " - f2fs: fix UAF issue in f2fs_merge_page_bio()", " - mtd: rawnand: atmel: Fix error handling path in", " atmel_nand_controller_add_nands", " - PCI: j721e: Fix incorrect error message in probe()", " - idpf: fix mismatched free function for dma_alloc_coherent", " - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()", " - nfp: fix RSS hash key size when RSS is not supported", " - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not", " configurable", " - net: dlink: handle copy_thresh allocation failure", " - net/mlx5: Stop polling for command response if interface goes down", " - net/mlx5: pagealloc: Fix reclaim race during command interface teardown", " - net/mlx5: fw reset, add reset timeout work", " - smb: client: fix crypto buffers in non-linear memory", " - bonding: fix xfrm offload feature setup on active-backup mode", " - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values", " - iommufd: Register iommufd mock devices with fwspec", " - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"", " - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support", " - nfs/localio: avoid issuing misaligned IO using O_DIRECT", " - octeontx2-vf: fix bitmap leak", " - octeontx2-pf: fix bitmap leak", " - vhost: vringh: Modify the return value check", " - selftests/bpf: Fix typos and grammar in test sources", " - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c", " - selftests/bpf: Fix realloc size in bpf_get_addrs", " - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer", " - bpf: Reject negative offsets for ALU ops", " - tpm: Disable TPM2_TCG_HMAC by default", " - ALSA: hda/hdmi: Add pin fix for HP ProDesk model", " - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100", " - Squashfs: fix uninit-value in squashfs_get_parent", " - uio_hv_generic: Let userspace take care of interrupt mask", " - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init", " - io_uring/waitid: always prune wait queue entry in io_waitid_wait()", " - io_uring/zcrx: fix overshooting recv limit", " - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()", " - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down", " - ASoC: codecs: wcd937x: set the comp soundwire port correctly", " - ASoC: codecs: wcd937x: make stub functions inline", " - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples", " - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA", " - fs: udf: fix OOB read in lengthAllocDescs handling", " - net: nfc: nci: Add parameter validation for packet data", " - mfd: rz-mtu3: Fix MTU5 NFCR register offset", " - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag", " - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()", " - tracing: Fix lock imbalance in s_start() memory allocation failure path", " - tracing: Fix race condition in kprobe initialization causing NULL", " pointer dereference", " - tracing: Fix wakeup tracers on failure of acquiring calltime", " - tracing: Fix irqoff tracers on failure of acquiring calltime", " - tracing: Have trace_marker use per-cpu data to read user space", " - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf", " - tracing: Stop fortify-string from warning in tracing_mark_raw_write()", " - dm: fix queue start/stop imbalance under suspend/load/resume races", " - dm: fix NULL pointer dereference in __dm_suspend()", " - LoongArch: Automatically disable kaslr if boot from kexec_file", " - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT", " - LoongArch: BPF: Sign-extend struct ops return values properly", " - LoongArch: BPF: No support of struct argument in trampoline programs", " - LoongArch: BPF: Don't align trampoline size", " - LoongArch: BPF: Make trampoline size stable", " - LoongArch: BPF: Make error handling robust in", " arch_prepare_bpf_trampoline()", " - LoongArch: BPF: Remove duplicated bpf_flush_icache()", " - LoongArch: BPF: No text_poke() for kernel text", " - LoongArch: BPF: Remove duplicated flags check", " - LoongArch: BPF: Fix uninitialized symbol 'retval_off'", " - mm/ksm: fix flag-dropping behavior in ksm_madvise", " - ksmbd: Fix race condition in RPC handle list access", " - ksmbd: fix error code overwriting in smb2_get_info_filesystem()", " - ksmbd: add max ip connections parameter", " - ext4: fix potential null deref in ext4_mb_init()", " - ext4: fix checks for orphan inodes", " - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid", " - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()", " - mm: hugetlb: avoid soft lockup when mprotect to large memory area", " - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is", " disabled", " - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()", " - misc: fastrpc: Save actual DMA size in fastrpc_map structure", " - misc: fastrpc: Fix fastrpc_map_lookup operation", " - misc: fastrpc: fix possible map leak in fastrpc_put_args", " - misc: fastrpc: Skip reference for DMA handles", " - Input: atmel_mxt_ts - allow reset GPIO to sleep", " - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info", " leak", " - sunrpc: fix null pointer dereference on zero-length checksum", " - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()", " - remoteproc: pru: Fix potential NULL pointer dereference in", " pru_rproc_set_ctable()", " - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before", " release", " - thunderbolt: Fix use-after-free in tb_dp_dprx_work", " - tee: fix register_shm_helper()", " - pinctrl: check the return value of pinmux_ops::get_function_name()", " - bus: fsl-mc: Check return value of platform_get_resource()", " - net/9p: Fix buffer overflow in USB transport layer", " - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock", " - usb: typec: tipd: Clear interrupts first", " - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode", " - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call", " - scsi: ufs: core: Fix PM QoS mutex initialization", " - drm/amdgpu/vcn: Fix double-free of vcn dump buffer", " - Linux 6.17.3", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", "" ], "package": "linux-riscv", "version": "6.17.0-9.9.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "author": "Emil Renner Berthing ", "date": "Mon, 01 Dec 2025 16:40:19 +0100" } ], "notes": "linux-riscv-tools-6.17.0-12 version '6.17.0-12.12.1' (source package linux-riscv version '6.17.0-12.12.1') was added. linux-riscv-tools-6.17.0-12 version '6.17.0-12.12.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-8-generic. As such we can use the source package version of the removed package, '6.17.0-8.8.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-tools-6.17.0-12-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": null }, "to_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-12.12.1", "version": "6.17.0-12.12.1" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" }, { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138113, 2138115, 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40214", "url": "https://ubuntu.com/security/CVE-2025-40214", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages. 1) 1-a. Create a single cyclic reference with many sockets 1-b. close() all sockets 1-c. Trigger GC 2) 2-a. Pass sk-A to an embryo sk-B 2-b. Pass sk-X to sk-X 2-c. Trigger GC 3) 3-a. accept() the embryo sk-B 3-b. Pass sk-B to sk-C 3-c. close() the in-flight sk-A 3-d. Trigger GC As of 2-c, sk-A and sk-X are linked to unix_unvisited_vertices, and unix_walk_scc() groups them into two different SCCs: unix_sk(sk-A)->vertex->scc_index = 2 (UNIX_VERTEX_INDEX_START) unix_sk(sk-X)->vertex->scc_index = 3 Once GC completes, unix_graph_grouped is set to true. Also, unix_graph_maybe_cyclic is set to true due to sk-X's cyclic self-reference, which makes close() trigger GC. At 3-b, unix_add_edge() allocates unix_sk(sk-B)->vertex and links it to unix_unvisited_vertices. unix_update_graph() is called at 3-a. and 3-b., but neither unix_graph_grouped nor unix_graph_maybe_cyclic is changed because both sk-B's listener and sk-C are not in-flight. 3-c decrements sk-A's file refcnt to 1. Since unix_graph_grouped is true at 3-d, unix_walk_scc_fast() is finally called and iterates 3 sockets sk-A, sk-B, and sk-X: sk-A -> sk-B (-> sk-C) sk-X -> sk-X This is totally fine. All of them are not yet close()d and should be grouped into different SCCs. However, unix_vertex_dead() misjudges that sk-A and sk-B are in the same SCC and sk-A is dead. unix_sk(sk-A)->scc_index == unix_sk(sk-B)->scc_index <-- Wrong! && sk-A's file refcnt == unix_sk(sk-A)->vertex->out_degree ^-- 1 in-flight count for sk-B -> sk-A is dead !? The problem is that unix_add_edge() does not initialise scc_index. Stage 1) is used for heap spraying, making a newly allocated vertex have vertex->scc_index == 2 (UNIX_VERTEX_INDEX_START) set by unix_walk_scc() at 1-c. Let's track the max SCC index from the previous unix_walk_scc() call and assign the max + 1 to a new vertex's scc_index. This way, we can continue to avoid Tarjan's algorithm while preventing misjudgments.", "cve_priority": "high", "cve_public_date": "2025-12-04 13:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-12.12.1 -proposed tracker (LP: #2138113)", "", " [ Ubuntu: 6.17.0-12.12 ]", "", " * questing/linux: 6.17.0-12.12 -proposed tracker (LP: #2138115)", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40214", " - af_unix: Initialise scc_index in unix_add_edge().", "" ], "package": "linux-riscv", "version": "6.17.0-12.12.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2138113, 2138115 ], "author": "Sarah Emery ", "date": "Thu, 15 Jan 2026 10:49:19 +0100" }, { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" } ], "log": [ "", " * questing/linux-riscv: 6.17.0-9.9.1 -proposed tracker (LP: #2133508)", "", " [ Ubuntu: 6.17.0-9.9 ]", "", " * questing/linux: 6.17.0-9.9 -proposed tracker (LP: #2132302)", " * The machine didn’t go into suspend and got stuck (LP: #2132095)", " - platform/x86: alienware-wmi-wmax: Fix NULL pointer dereference in sleep", " handlers", " * CAP_PERFMON insufficient to get perf data (LP: #2131046)", " - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4", " * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or", " later (LP: #2115860)", " - drm/amd: Unify shutdown() callback behavior", " - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device", " - drm/amd: Remove comment about handling errors in", " amdgpu_device_ip_suspend_phase1()", " - drm/amd: Don't always set IP block HW status to false", " - drm/amd: Pass IP suspend errors up to callers", " - drm/amd: Avoid evicting resources at S5", " * kernel crash on bootup for some arm64 machines (LP: #2129770)", " - KVM: arm64: Guard PMSCR_EL1 initialization with SPE presence check", " * crash when reading from /sys/kernel/tracing/rv/enabled_monitors", " (LP: #2131136)", " - rv: Fully convert enabled_monitors to use list_head as iterator", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", " * Re-enable INTEL_SKL_INT3472 for kernels >= 6.16 for Intel IPU camera", " (LP: #2128792)", " - Revert \"UBUNTU: [Config] FTBFS: disable INTEL_SKL_INT3472\"", " - Revert \"UBUNTU: SAUCE: platform/x86: int3472: Add handshake GPIO", " function\"", " * Support Samsung S5K3J1 sensor for Intel MIPI camera (LP: #2121852)", " - SAUCE: media: ipu-bridge: Support s5k3j1 sensor", " * Questing update: v6.17.4 upstream stable release (LP: #2131259)", " - fs: always return zero on success from replace_fd()", " - fscontext: do not consume log entries when returning -EMSGSIZE", " - btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range()", " - arm64: map [_text, _stext) virtual address range non-executable+read-", " only", " - rseq: Protect event mask against membarrier IPI", " - statmount: don't call path_put() under namespace semaphore", " - listmount: don't call path_put() under namespace semaphore", " - clocksource/drivers/clps711x: Fix resource leaks in error paths", " - memcg: skip cgroup_file_notify if spinning is not allowed", " - page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches", " - PM: runtime: Update kerneldoc return codes", " - dma-mapping: fix direction in dma_alloc direction traces", " - cpufreq: Make drivers using CPUFREQ_ETERNAL specify transition latency", " - nfsd: unregister with rpcbind when deleting a transport", " - KVM: x86: Add helper to retrieve current value of user return MSR", " - KVM: SVM: Emulate PERF_CNTR_GLOBAL_STATUS_SET for PerfMonV2", " - iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE", " - media: v4l2-subdev: Fix alloc failure check in", " v4l2_subdev_call_state_try()", " - asm-generic/io.h: Skip trace helpers if rwmmio events are disabled", " - clk: npcm: select CONFIG_AUXILIARY_BUS", " - clk: thead: th1520-ap: describe gate clocks with clk_gate", " - clk: thead: th1520-ap: fix parent of padctrl0 clock", " - clk: thead: Correct parent for DPU pixel clocks", " - clk: renesas: r9a08g045: Add MSTOP for GPIO", " - perf disasm: Avoid undefined behavior in incrementing NULL", " - perf test trace_btf_enum: Skip if permissions are insufficient", " - perf evsel: Avoid container_of on a NULL leader", " - libperf event: Ensure tracing data is multiple of 8 sized", " - clk: qcom: common: Fix NULL vs IS_ERR() check in qcom_cc_icc_register()", " - clk: qcom: Select the intended config in QCS_DISPCC_615", " - perf parse-events: Handle fake PMUs in CPU terms", " - clk: at91: peripheral: fix return value", " - clk: renesas: cpg-mssr: Fix memory leak in cpg_mssr_reserved_init()", " - perf: Completely remove possibility to override MAX_NR_CPUS", " - perf drm_pmu: Fix fd_dir leaks in for_each_drm_fdinfo_in_dir()", " - perf util: Fix compression checks returning -1 as bool", " - rtc: x1205: Fix Xicor X1205 vendor prefix", " - rtc: optee: fix memory leak on driver removal", " - perf arm_spe: Correct setting remote access", " - perf arm_spe: Correct memory level for remote access", " - perf vendor events arm64 AmpereOneX: Fix typo - should be", " l1d_cache_access_prefetches", " - perf test: AMD IBS swfilt skip kernel tests if paranoia is >1", " - perf test shell lbr: Avoid failures with perf event paranoia", " - perf trace: Fix IS_ERR() vs NULL check bug", " - perf session: Fix handling when buffer exceeds 2 GiB", " - perf test: Don't leak workload gopipe in PERF_RECORD_*", " - perf evsel: Fix uniquification when PMU given without suffix", " - perf test: Avoid uncore_imc/clockticks in uniquification test", " - perf evsel: Ensure the fallback message is always written to", " - perf build-id: Ensure snprintf string is empty when size is 0", " - clk: mediatek: mt8195-infra_ao: Fix parent for infra_ao_hdmi_26m", " - clk: mediatek: clk-mux: Do not pass flags to", " clk_mux_determine_rate_flags()", " - clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate()", " - clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver", " - clk: tegra: do not overallocate memory for bpmp clocks", " - nfsd: fix assignment of ia_ctime.tv_nsec on delegated mtime update", " - nfsd: ignore ATTR_DELEG when checking ia_valid before notify_change()", " - vfs: add ATTR_CTIME_SET flag", " - nfsd: use ATTR_CTIME_SET for delegated ctime updates", " - nfsd: track original timestamps in nfs4_delegation", " - nfsd: fix SETATTR updates for delegated timestamps", " - nfsd: fix timestamp updates in CB_GETATTR", " - tracing: Fix the bug where bpf_get_stackid returns -EFAULT on the ARM64", " - PM: core: Annotate loops walking device links as _srcu", " - PM: core: Add two macros for walking device links", " - PM: sleep: Do not wait on SYNC_STATE_ONLY device links", " - cpufreq: tegra186: Set target frequency for all cpus in policy", " - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue", " - perf bpf-filter: Fix opts declaration on older libbpfs", " - scsi: ufs: sysfs: Make HID attributes visible", " - mshv: Handle NEED_RESCHED_LAZY before transferring to guest", " - perf bpf_counter: Fix handling of cpumap fixing hybrid", " - ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size", " - ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer", " size", " - ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead", " of buffer time", " - LoongArch: Add cflag -fno-isolate-erroneous-paths-dereference", " - LoongArch: Fix build error for LTO with LLVM-18", " - LoongArch: Init acpi_gbl_use_global_lock to false", " - ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel", " - net: usb: lan78xx: Fix lost EEPROM read timeout error(-ETIMEDOUT) in", " lan78xx_read_raw_eeprom", " - net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter()", " - drm/xe/hw_engine_group: Fix double write lock release in error path", " - drm/xe/i2c: Don't rely on d3cold.allowed flag in system PM path", " - s390/cio: Update purge function to unregister the unused subchannels", " - drm/vmwgfx: Fix a null-ptr access in the cursor snooper", " - drm/vmwgfx: Fix Use-after-free in validation", " - drm/vmwgfx: Fix copy-paste typo in validation", " - net/sctp: fix a null dereference in sctp_disposition", " sctp_sf_do_5_1D_ce()", " - tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request().", " - net: mscc: ocelot: Fix use-after-free caused by cyclic delayed work", " - selftest: net: ovpn: Fix uninit return values", " - ice: ice_adapter: release xa entry on adapter allocation failure", " - net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe", " - tools build: Align warning options with perf", " - perf python: split Clang options when invoking Popen", " - tcp: take care of zero tp->window_clamp in tcp_set_rcvlowat()", " - mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call", " - mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes", " - mailbox: zynqmp-ipi: Fix out-of-bounds access in mailbox cleanup loop", " - mailbox: zynqmp-ipi: Fix SGI cleanup on unbind", " - bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6}", " - net: mdio: mdio-i2c: Hold the i2c bus lock during smbus transactions", " - net: sparx5/lan969x: fix flooding configuration on bridge join/leave", " - net/mlx5: Prevent tunnel mode conflicts between FDB and NIC IPsec tables", " - net/mlx5e: Prevent tunnel reformat when tunnel mode not allowed", " - mailbox: mtk-cmdq: Remove pm_runtime APIs from cmdq_mbox_send_data()", " - drm/amdgpu: Add additional DCE6 SCL registers", " - drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs", " - drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6", " - drm/amd/display: Properly disable scaling on DCE6", " - drm/amd/display: Disable scaling on DCE6 for now", " - drm/amdkfd: Fix kfd process ref leaking when userptr unmapping", " - net: pse-pd: tps23881: Fix current measurement scaling", " - crypto: skcipher - Fix reqsize handling", " - netfilter: nft_objref: validate objref and objrefmap expressions", " - bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu()", " - selftests: netfilter: nft_fib.sh: fix spurious test failures", " - selftests: netfilter: query conntrack state to check for port clash", " resolution", " - io_uring/zcrx: increment fallback loop src offset", " - net: airoha: Fix loopback mode configuration for GDM2 port", " - cifs: Fix copy_to_iter return value check", " - smb: client: fix missing timestamp updates after utime(2)", " - rtc: isl12022: Fix initial enable_irq/disable_irq balance", " - cifs: Query EA $LXMOD in cifs_query_path_info() for WSL reparse points", " - tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single", " - gpio: wcd934x: mark the GPIO controller as sleeping", " - bpf: Avoid RCU context warning when unpinning htab with internal structs", " - kbuild: always create intermediate vmlinux.unstripped", " - kbuild: keep .modinfo section in vmlinux.unstripped", " - kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux", " - kbuild: Add '.rel.*' strip pattern for vmlinux", " - s390: vmlinux.lds.S: Reorder sections", " - s390/vmlinux.lds.S: Move .vmlinux.info to end of allocatable sections", " - ACPICA: acpidump: drop ACPI_NONSTRING attribute from file_name", " - ACPI: property: Fix buffer properties extraction for subnodes", " - ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT", " - ACPICA: Debugger: drop ACPI_NONSTRING attribute from name_seg", " - ACPI: debug: fix signedness issues in read/write helpers", " - ACPI: battery: Add synchronization between interface updates", " - arm64: dts: qcom: msm8916: Add missing MDSS reset", " - arm64: dts: qcom: msm8939: Add missing MDSS reset", " - arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees", " - Revert \"UBUNTU: SAUCE: arm64: dts: qcom: x1e80100-pmics: Disable pm8010", " by default\"", " - arm64: dts: qcom: x1e80100-pmics: Disable pm8010 by default", " - arm64: dts: ti: k3-am62a-main: Fix main padcfg length", " - arm64: dts: ti: k3-am62p: Fix supported hardware for 1GHz OPP", " - arm64: kprobes: call set_memory_rox() for kprobe page", " - arm64: mte: Do not flag the zero page as PG_mte_tagged", " - ARM: AM33xx: Implement TI advisory 1.0.36 (EMU0/EMU1 pins state on", " reset)", " - ARM: OMAP2+: pm33xx-core: ix device node reference leaks in", " amx3_idle_init", " - firmware: arm_scmi: quirk: Prevent writes to string constants", " - perf/arm-cmn: Fix CMN S3 DTM offset", " - KVM: s390: Fix to clear PTE when discarding a swapped page", " - KVM: arm64: Fix debug checking for np-guests using huge mappings", " - KVM: arm64: Fix page leak in user_mem_abort()", " - x86/kvm: Force legacy PCI hole to UC when overriding MTRRs for TDX/SNP", " - KVM: SVM: Re-load current, not host, TSC_AUX on #VMEXIT from SEV-ES", " guest", " - KVM: TDX: Fix uninitialized error code for __tdx_bringup()", " - dt-bindings: phy: rockchip-inno-csi-dphy: make power-domains non-", " required", " - xen: take system_transition_mutex on suspend", " - xen/events: Cleanup find_virq() return codes", " - xen/manage: Fix suspend error path", " - xen/events: Return -EEXIST for bound VIRQs", " - xen/events: Update virq_to_irq on migration", " - firmware: exynos-acpm: fix PMIC returned errno", " - firmware: meson_sm: fix device leak at probe", " - media: cec: extron-da-hd-4k-plus: drop external-module make commands", " - media: cx18: Add missing check after DMA map", " - media: i2c: mt9p031: fix mbus code initialization", " - media: i2c: mt9v111: fix incorrect type for ret", " - media: mc: Fix MUST_CONNECT handling for pads with no links", " - media: pci: ivtv: Add missing check after DMA map", " - media: pci: mg4b: fix uninitialized iio scan data", " - media: platform: mtk-mdp3: Add missing MT8188 compatible to comp_dt_ids", " - media: s5p-mfc: remove an unused/uninitialized variable", " - media: staging/ipu7: fix isys device runtime PM usage in firmware", " closing", " - media: uvcvideo: Avoid variable shadowing in uvc_ctrl_cleanup_fh", " - media: venus: firmware: Use correct reset sequence for IRIS2", " - media: venus: pm_helpers: add fallback for the opp-table", " - media: vivid: fix disappearing messages", " - media: vsp1: Export missing vsp1_isp_free_buffer symbol", " - media: ti: j721e-csi2rx: Use devm_of_platform_populate", " - media: ti: j721e-csi2rx: Fix source subdev link creation", " - media: lirc: Fix error handling in lirc_register()", " - drm/exynos: exynos7_drm_decon: remove ctx->suspended", " - drm/panthor: Fix memory leak in panthor_ioctl_group_create()", " - drm/msm/a6xx: Fix PDC sleep sequence", " - drm/rcar-du: dsi: Fix 1/2/3 lane support", " - drm/nouveau: fix bad ret code in nouveau_bo_move_prep", " - drm/xe/uapi: loosen used tracking restriction", " - drm/amd/display: Incorrect Mirror Cositing", " - drm/amd/display: Enable Dynamic DTBCLK Switch", " - drm/amd/display: Fix unsafe uses of kernel mode FPU", " - blk-crypto: fix missing blktrace bio split events", " - btrfs: avoid potential out-of-bounds in btrfs_encode_fh()", " - bus: mhi: ep: Fix chained transfer handling in read path", " - bus: mhi: host: Do not use uninitialized 'dev' pointer in", " mhi_init_irq_setup()", " - cdx: Fix device node reference leak in cdx_msi_domain_init", " - clk: qcom: tcsrcc-x1e80100: Set the bi_tcxo as parent to eDP refclk", " - clk: samsung: exynos990: Use PLL_CON0 for PLL parent muxes", " - clk: samsung: exynos990: Fix CMU_TOP mux/div bit widths", " - clk: samsung: exynos990: Replace bogus divs with fixed-factor clocks", " - copy_sighand: Handle architectures where sizeof(unsigned long) <", " sizeof(u64)", " - cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay", " - cpufreq: intel_pstate: Fix object lifecycle issue in", " update_qos_request()", " - crypto: aspeed - Fix dma_unmap_sg() direction", " - crypto: atmel - Fix dma_unmap_sg() direction", " - crypto: rockchip - Fix dma_unmap_sg() nents value", " - eventpoll: Replace rwlock with spinlock", " - fbdev: Fix logic error in \"offb\" name match", " - fs/ntfs3: Fix a resource leak bug in wnd_extend()", " - fs: quota: create dedicated workqueue for quota_release_work", " - fsnotify: pass correct offset to fsnotify_mmap_perm()", " - fuse: fix possibly missing fuse_copy_finish() call in fuse_notify()", " - fuse: fix livelock in synchronous file put from fuseblk workers", " - gpio: mpfs: fix setting gpio direction to output", " - i3c: Fix default I2C adapter timeout value", " - iio/adc/pac1934: fix channel disable configuration", " - iio: dac: ad5360: use int type to store negative error codes", " - iio: dac: ad5421: use int type to store negative error codes", " - iio: frequency: adf4350: Fix prescaler usage.", " - iio: xilinx-ams: Fix AMS_ALARM_THR_DIRECT_MASK", " - iio: xilinx-ams: Unmask interrupts after updating alarms", " - init: handle bootloader identifier in kernel parameters", " - iio: imu: inv_icm42600: Simplify pm_runtime setup", " - iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in", " resume", " - iio: imu: inv_icm42600: Avoid configuring if already pm_runtime", " suspended", " - iommu/vt-d: PRS isn't usable if PDS isn't supported", " - ipmi: Rework user message limit handling", " - ipmi:msghandler:Change seq_lock to a mutex", " - kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in", " sys_prlimit64() paths", " - KEYS: trusted_tpm1: Compare HMAC values in constant time", " - kho: only fill kimage if KHO is finalized", " - lib/genalloc: fix device leak in of_gen_pool_get()", " - loop: fix backing file reference leak on validation error", " - md: fix mssing blktrace bio split events", " - of: unittest: Fix device reference count leak in", " of_unittest_pci_node_verify", " - openat2: don't trigger automounts with RESOLVE_NO_XDEV", " - padata: Reset next CPU when reorder sequence wraps around", " - parisc: don't reference obsolete termio struct for TC* constants", " - parisc: Remove spurious if statement from raw_copy_from_user()", " - nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk", " - pinctrl: samsung: Drop unused S3C24xx driver data", " - PM: EM: Fix late boot with holes in CPU topology", " - PM: hibernate: Fix hybrid-sleep", " - PM: hibernate: Restrict GFP mask in power_down()", " - power: supply: max77976_charger: fix constant current reporting", " - powerpc/powernv/pci: Fix underflow and leak issue", " - powerpc/pseries/msi: Fix potential underflow and leak issue", " - pwm: berlin: Fix wrong register in suspend/resume", " - pwm: Fix incorrect variable used in error message", " - Revert \"ipmi: fix msg stack when IPMI is disconnected\"", " - sched/deadline: Fix race in push_dl_task()", " - scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()", " - scsi: sd: Fix build warning in sd_revalidate_disk()", " - sctp: Fix MAC comparison to be constant-time", " - smb client: fix bug with newly created file in cached dir", " - sparc64: fix hugetlb for sun4u", " - sparc: fix error handling in scan_one_device()", " - xtensa: simdisk: add input size check in proc_write_simdisk", " - xsk: Harden userspace-supplied xdp_desc validation", " - mtd: rawnand: fsmc: Default to autodetect buswidth", " - mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N", " - mmc: core: SPI mode remove cmd7", " - mmc: mmc_spi: multiple block read remove read crc ack", " - memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe", " - memory: stm32_omm: Fix req2ack update test", " - rtc: interface: Ensure alarm irq is enabled when UIE is enabled", " - rtc: interface: Fix long-standing race when setting alarm", " - rseq/selftests: Use weak symbol reference, not definition, to link with", " glibc", " - PCI: xilinx-nwl: Fix ECAM programming", " - PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock", " - PCI/sysfs: Ensure devices are powered for config reads", " - PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV", " - PCI/ERR: Fix uevent on failure to recover", " - PCI/AER: Fix missing uevent on recovery when a reset is requested", " - PCI/AER: Support errors introduced by PCIe r6.0", " - PCI: Ensure relaxed tail alignment does not increase min_align", " - PCI: Fix failure detection during resource resize", " - PCI: j721e: Fix module autoloading", " - PCI: j721e: Fix programming sequence of \"strap\" settings", " - PCI: keystone: Use devm_request_irq() to free \"ks-pcie-error-irq\" on", " exit", " - PCI: rcar-gen4: Fix PHY initialization", " - PCI: rcar-host: Drop PMSR spinlock", " - PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock", " - PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()", " - PCI: tegra194: Handle errors in BPMP response", " - PCI: tegra194: Reset BARs when running in PCIe endpoint mode", " - PCI/pwrctrl: Fix device leak at registration", " - PCI/pwrctrl: Fix device and OF node leak at bus scan", " - PCI/pwrctrl: Fix device leak at device stop", " - spi: cadence-quadspi: Flush posted register writes before INDAC access", " - spi: cadence-quadspi: Flush posted register writes before DAC access", " - spi: cadence-quadspi: Fix cqspi_setup_flash()", " - xfs: use deferred intent items for reaping crosslinked blocks", " - x86/fred: Remove ENDBR64 from FRED entry points", " - x86/umip: Check that the instruction opcode is at least two bytes", " - x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT", " aliases)", " - mptcp: pm: in-kernel: usable client side with C-flag", " - mptcp: reset blackhole on success with non-loopback ifaces", " - selftests: mptcp: join: validate C-flag + def limit", " - s390/cio/ioasm: Fix __xsch() condition code handling", " - s390/dasd: enforce dma_alignment to ensure proper buffer validation", " - s390/dasd: Return BLK_STS_INVAL for EINVAL from do_dasd_request", " - s390: Add -Wno-pointer-sign to KBUILD_CFLAGS_DECOMPRESSOR", " - slab: prevent warnings when slab obj_exts vector allocation fails", " - slab: mark slab->obj_exts allocation failures unconditionally", " - wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again", " - wifi: iwlwifi: Fix dentry reference leak in iwl_mld_add_link_debugfs", " - wifi: rtw89: avoid possible TX wait initialization race", " - wifi: mt76: mt7925u: Add VID/PID for Netgear A9000", " - wifi: mt76: mt7921u: Add VID/PID for Netgear A7500", " - mm/thp: fix MTE tag mismatch when replacing zero-filled subpages", " - mm/rmap: fix soft-dirty and uffd-wp bit loss when remapping zero-filled", " mTHP subpage to shared zeropage", " - mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations", " - mm/hugetlb: early exit from hugetlb_pages_alloc_boot() when", " max_huge_pages=0", " - mm/damon/vaddr: do not repeat pte_offset_map_lock() until success", " - mm/damon/lru_sort: use param_ctx for damon_attrs staging", " - nfsd: decouple the xprtsec policy check from check_nfsd_access()", " - NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul()", " - nfsd: nfserr_jukebox in nlm_fopen should lead to a retry", " - media: iris: Call correct power off callback in cleanup path", " - media: iris: Fix firmware reference leak and unmap memory after load", " - media: iris: fix module removal if firmware download failed", " - media: iris: vpu3x: Add MNoC low power handshake during hardware power-", " off", " - media: iris: Fix port streaming handling", " - media: iris: Fix buffer count reporting in internal buffer check", " - media: iris: Allow substate transition to load resources during output", " streaming", " - media: iris: Always destroy internal buffers on firmware release", " response", " - media: iris: Simplify session stop logic by relying on vb2 checks", " - media: iris: Update vbuf flags before v4l2_m2m_buf_done", " - media: iris: Send dummy buffer address for all codecs during drain", " - media: iris: Fix missing LAST flag handling during drain", " - media: iris: Fix format check for CAPTURE plane in try_fmt", " - media: iris: Allow stop on firmware only if start was issued.", " - ext4: add ext4_sb_bread_nofail() helper function for", " ext4_free_branches()", " - ext4: fail unaligned direct IO write with EINVAL", " - ext4: verify orphan file size is not too big", " - ext4: increase i_disksize to offset + len in", " ext4_update_disksize_before_punch()", " - ext4: correctly handle queries for metadata mappings", " - ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()", " - ext4: fix an off-by-one issue during moving extents", " - ext4: guard against EA inode refcount underflow in xattr update", " - ext4: validate ea_ino and size in check_xattrs", " - ACPICA: Allow to skip Global Lock initialization", " - ext4: free orphan info with kvfree", " - ipmi: Fix handling of messages with provided receive message pointer", " - Squashfs: add additional inode sanity checking", " - Squashfs: reject negative file sizes in squashfs_read_inode()", " - mm/ksm: fix incorrect KSM counter handling in mm_struct during fork", " - media: mc: Clear minor number before put device", " - arm64: dts: qcom: qcs615: add missing dt property in QUP SEs", " - ACPI: property: Disregard references in data-only subnode lists", " - ACPI: property: Add code comments explaining what is going on", " - ACPI: property: Do not pass NULL handles to acpi_attach_data()", " - irqchip/sifive-plic: Avoid interrupt ID 0 handling during suspend/resume", " - copy_file_range: limit size if in compat mode", " - minixfs: Verify inode mode when loading from disk", " - pid: Add a judgment for ns null in pid_nr_ns", " - fs: Add 'initramfs_options' to set initramfs mount options", " - cramfs: Verify inode mode when loading from disk", " - nsfs: validate extensible ioctls", " - mnt_ns_tree_remove(): DTRT if mnt_ns had never been added to mnt_ns_list", " - writeback: Avoid softlockup when switching many inodes", " - writeback: Avoid excessively long inode switching times", " - iomap: error out on file IO when there is no inline_data buffer", " - pidfs: validate extensible ioctls", " - mount: handle NULL values in mnt_ns_release()", " - Linux 6.17.4", " * Questing update: v6.17.4 upstream stable release (LP: #2131259) // Race", " condition in perf build causes build failure due to missing unistd_64.h", " header on arm64 (LP: #2131702)", " - perf tools: Fix arm64 libjvmti build by generating unistd_64.h", " * Questing update: v6.17.3 upstream stable release (LP: #2129610)", " - arch: copy_thread: pass clone_flags as u64", " - filelock: add FL_RECLAIM to show_fl_flags() macro", " - init: INITRAMFS_PRESERVE_MTIME should depend on BLK_DEV_INITRD", " - pid: use ns_capable_noaudit() when determining net sysctl permissions", " - Fix CC_HAS_ASM_GOTO_OUTPUT on non-x86 architectures", " - [Config]: Update CC configs for v6.17.3", " - seccomp: Fix a race with WAIT_KILLABLE_RECV if the tracer replies too", " fast", " - kbuild: Add missing $(objtree) prefix to powerpc crtsavres.o artifact", " - selftests: arm64: Check fread return value in exec_target", " - selftests: arm64: Fix -Waddress warning in tpidr2 test", " - kselftest/arm64/gcs: Correctly check return value when disabling GCS", " - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()", " - gfs2: Fix GLF_INVALIDATE_IN_PROGRESS flag clearing in do_xmote", " - gfs2: Remove space before newline", " - gfs2: Further sanitize lock_dlm.c", " - gfs2: Fix LM_FLAG_TRY* logic in add_to_queue", " - gfs2: Remove duplicate check in do_xmote", " - gfs2: Get rid of GLF_INVALIDATE_IN_PROGRESS", " - gfs2: do_xmote cleanup", " - gfs2: Add proper lockspace locking", " - powerpc/8xx: Remove left-over instruction and comments in", " DataStoreTLBMiss handler", " - powerpc/603: Really copy kernel PGD entries into all PGDIRs", " - powerpc/ftrace: ensure ftrace record ops are always set for NOPs", " - powerpc64/modules: correctly iterate over stubs in", " setup_ftrace_ool_stubs", " - uprobes: uprobe_warn should use passed task", " - raid6: riscv: Clean up unused header file inclusion", " - coresight: trbe: Prevent overflow in PERF_IDX2OFF()", " - perf: arm_spe: Prevent overflow in PERF_IDX2OFF()", " - erofs: avoid reading more for fragment maps", " - smb: client: fix sending the iwrap custom IRD/ORD negotiation messages", " - smb: server: fix IRD/ORD negotiation with the client", " - perf/x86/intel: Use early_initcall() to hook bts_init()", " - perf/x86/intel: Fix IA32_PMC_x_CFG_B MSRs access error", " - x86/vdso: Fix output operand size of RDPID", " - selftests: cgroup: Make test_pids backwards compatible", " - sched/fair: Get rid of sched_domains_curr_level hack for tl->cpumask()", " - [Config]: Update CONFIG_SCHED_MC for v6.17.3", " - lsm: CONFIG_LSM can depend on CONFIG_SECURITY", " - cpuset: fix failure to enable isolated partition when containing", " isolcpus", " - btrfs: return any hit error from extent_writepage_io()", " - btrfs: fix symbolic link reading when bs > ps", " - pinctrl: renesas: rzg2l: Fix invalid unsigned return in rzg3s_oen_read()", " - arm64: dts: renesas: rzg2lc-smarc: Disable CAN-FD channel0", " - bpf: Tidy verifier bug message", " - regmap: Remove superfluous check for !config in __regmap_init()", " - selftests/bpf: Copy test_kmods when installing selftest", " - rust: cpumask: Mark CpumaskVar as transparent", " - bpf/selftests: Fix test_tcpnotify_user", " - bpf: Remove migrate_disable in kprobe_multi_link_prog_run", " - libbpf: Fix reuse of DEVMAP", " - tools/nolibc: fix error return value of clock_nanosleep()", " - ARM: dts: renesas: porter: Fix CAN pin group", " - leds: max77705: Function return instead of variable assignment", " - leds: flash: leds-qcom-flash: Update torch current clamp setting", " - s390/bpf: Do not write tail call counter into helper and kfunc frames", " - s390/bpf: Write back tail call counter for BPF_PSEUDO_CALL", " - s390/bpf: Write back tail call counter for BPF_TRAMP_F_CALL_ORIG", " - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus()", " - arm64: dts: renesas: sparrow-hawk: Invert microSD voltage selector on", " EVTB1", " - arm64: dts: renesas: sparrow-hawk: Set VDDQ18_25_AVB voltage on EVTB1", " - libbpf: Export bpf_object__prepare symbol", " - firmware: arm_scmi: Mark VirtIO ready before registering", " scmi_virtio_driver", " - arm64: dts: imx93-kontron: Fix GPIO for panel regulator", " - arm64: dts: imx93-kontron: Fix USB port assignment", " - arm64: dts: imx95: Correct the lpuart7 and lpuart8 srcid", " - bpf: Remove preempt_disable in bpf_try_get_buffers", " - ACPI: processor: idle: Fix memory leak when register cpuidle device", " failed", " - genirq: Add irq_chip_(startup/shutdown)_parent()", " - PCI/MSI: Add startup/shutdown for per device domains", " - irqchip/sg2042-msi: Fix broken affinity setting", " - scripts/misc-check: update export checks for EXPORT_SYMBOL_FOR_MODULES()", " - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS", " - pinctrl: meson-gxl: add missing i2c_d pinmux", " - blk-mq: check kobject state_in_sysfs before deleting in", " blk_mq_unregister_hctx", " - selftests/futex: Remove the -g parameter from futex_priv_hash", " - ARM: at91: pm: fix MCKx restore routine", " - arm64: dts: apple: t8103-j457: Fix PCIe ethernet iommu-map", " - regulator: scmi: Use int type to store negative error codes", " - selftests/futex: Fix some futex_numa_mpol subtests", " - tools/nolibc: avoid error in dup2() if old fd equals new fd", " - selftests/nolibc: fix EXPECT_NZ macro", " - leds: leds-lp55xx: Use correct address for memory programming", " - PCI/MSI: Check MSI_FLAG_PCI_MSI_MASK_PARENT in", " cond_[startup|shutdown]_parent()", " - block: use int to store blk_stack_limits() return value", " - ARM: dts: stm32: stm32mp151c-plyaqm: Use correct dai-format property", " - dt-bindings: vendor-prefixes: Add undocumented vendor prefixes", " - genirq/test: Fix depth tests on architectures with NOREQUEST by default.", " - genirq/test: Select IRQ_DOMAIN", " - genirq/test: Depend on SPARSE_IRQ", " - genirq/test: Drop CONFIG_GENERIC_IRQ_MIGRATION assumptions", " - genirq/test: Ensure CPU 1 is online for hotplug test", " - selftests/bpf: Fix count write in testapp_xdp_metadata_copy()", " - vdso/datastore: Gate time data behind CONFIG_GENERIC_GETTIMEOFDAY", " - PM: sleep: core: Clear power.must_resume in noirq suspend error path", " - blk-mq: fix elevator depth_updated method", " - vdso: Add struct __kernel_old_timeval forward declaration to gettime.h", " - ARM: dts: ti: omap: am335x-baltos: Fix ti,en-ck32k-xtal property in DTS", " to use correct boolean syntax", " - ARM: dts: ti: omap: omap3-devkit8000-lcd: Fix ti,keep-vref-on property", " to use correct boolean syntax in DTS", " - ARM: dts: omap: am335x-cm-t335: Remove unused mcasp num-serializer", " property", " - PM / devfreq: mtk-cci: Fix potential error pointer dereference in", " probe()", " - power: supply: cw2015: Fix a alignment coding style issue", " - hwmon: (asus-ec-sensors) Narrow lock for X870E-CREATOR WIFI", " - pinctrl: renesas: Use int type to store negative error codes", " - pinctrl: eswin: Fix regulator error check and Kconfig dependency", " - null_blk: Fix the description of the cache_size module argument", " - blk-throttle: fix access race during throttle policy activation", " - selftests: vDSO: Fix -Wunitialized in powerpc VDSO_CALL() wrapper", " - selftests: vDSO: vdso_test_abi: Correctly skip whole test with missing", " vDSO", " - irqchip/gic-v5: Fix loop in gicv5_its_create_itt_two_level() cleanup", " path", " - irqchip/gic-v5: Fix error handling in gicv5_its_irq_domain_alloc()", " - tick: Do not set device to detached state in tick_shutdown()", " - arm64: dts: mediatek: mt8195: Remove suspend-breaking reset from pcie0", " - arm64: dts: mediatek: mt8183: Fix out of range pull values", " - nbd: restrict sockets to TCP and UDP", " - PM / devfreq: rockchip-dfi: double count on RK3588", " - firmware: firmware: meson-sm: fix compile-test default", " - dts: arm: amlogic: fix pwm node for c3", " - soc: mediatek: mtk-svs: fix device leaks on mt8183 probe failure", " - soc: mediatek: mtk-svs: fix device leaks on mt8192 probe failure", " - cpuidle: qcom-spm: fix device and OF node leaks at probe", " - block: cleanup bio_issue", " - block: initialize bio issue time in blk_mq_submit_bio()", " - block: factor out a helper bio_submit_split_bioset()", " - block: skip unnecessary checks for split bio", " - block: fix ordering of recursive split IO", " - blk-mq: remove useless checkings in blk_mq_update_nr_requests()", " - blk-mq: check invalid nr_requests in queue_requests_store()", " - blk-mq: convert to serialize updating nr_requests with", " update_nr_hwq_lock", " - blk-mq: cleanup shared tags case in blk_mq_update_nr_requests()", " - blk-mq: split bitmap grow and resize case in blk_mq_update_nr_requests()", " - blk-mq-sched: add new parameter nr_requests in blk_mq_alloc_sched_tags()", " - blk-mq: fix potential deadlock while nr_requests grown", " - arm64: dts: allwinner: a527: cubie-a5e: Add ethernet PHY reset setting", " - arm64: dts: allwinner: t527: avaota-a1: Add ethernet PHY reset setting", " - arm64: dts: rockchip: Add RTC on rk3576-evb1-v10", " - arm64: dts: rockchip: Add WiFi on rk3576-evb1-v10", " - arm64: dts: rockchip: Fix network on rk3576 evb1 board", " - arm64: dts: ti: k3-j742s2-mcu-wakeup: Override firmware-name for MCU R5F", " cores", " - arm64: dts: ti: k3: Rename rproc reserved-mem nodes to 'memory@addr'", " - Revert \"arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout", " locations\"", " - Revert \"arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x", " carveout locations\"", " - arm64: dts: mediatek: mt8188: Change efuse fallback compatible to mt8186", " - arm64: dts: mediatek: mt8186-tentacruel: Fix touchscreen model", " - arm64: dts: ti: k3-pinctrl: Fix the bug in existing macros", " - arm64: dts: renesas: r9a09g047e57-smarc: Fix gpio key's pin control node", " - arm64: dts: mediatek: mt6331: Fix pmic, regulators, rtc, keys node names", " - mmc: core: Fix variable shadowing in mmc_route_rpmb_frames()", " - arm64: dts: mediatek: mt6795-xperia-m5: Fix mmc0 latch-ck value", " - arm64: dts: mediatek: mt7986a: Fix PCI-Express T-PHY node address", " - arm64: dts: mediatek: mt8395-kontron-i1200: Fix MT6360 regulator nodes", " - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible", " - arm64: dts: allwinner: a527: cubie-a5e: Add LEDs", " - arm64: dts: allwinner: a527: cubie-a5e: Drop external 32.768 KHz crystal", " - arm64: dts: allwinner: t527: avaota-a1: hook up external 32k crystal", " - arm64: dts: allwinner: t527: orangepi-4a: hook up external 32k crystal", " - pwm: tiehrpwm: Don't drop runtime PM reference in .free()", " - pwm: tiehrpwm: Make code comment in .free() more useful", " - pwm: tiehrpwm: Fix various off-by-one errors in duty-cycle calculation", " - pwm: tiehrpwm: Fix corner case in clock divisor calculation", " - ACPICA: Apply ACPI_NONSTRING", " - ACPICA: Fix largest possible resource descriptor index", " - riscv, bpf: Sign extend struct ops return values properly", " - nvme-auth: update bi_directional flag", " - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op", " - nvmet-fcloop: call done callback even when remote port is gone", " - nvme-tcp: send only permitted commands for secure concat", " - i3c: master: svc: Use manual response for IBI events", " - i3c: master: svc: Recycle unused IBI slot", " - block: update validation of atomic writes boundary for stacked devices", " - block: fix stacking of atomic writes when atomics are not supported", " - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported", " - selftests/kselftest_harness: Add harness-selftest.expected to TEST_FILES", " - blk-throttle: fix throtl_data leak during disk release", " - bpf: Explicitly check accesses to bpf_sock_addr", " - mmc: select REGMAP_MMIO with MMC_LOONGSON2", " - selftests/futex: Fix futex_wait() for 32bit ARM", " - selftest/futex: Make the error check more precise for futex_numa_mpol", " - selftest/futex: Compile also with libnuma < 2.0.16", " - bpf: dont report verifier bug for missing bpf_scc_visit on speculative", " path", " - bpf, arm64: Call bpf_jit_binary_pack_finalize() in bpf_jit_free()", " - arm64: dts: apple: t600x: Add missing WiFi properties", " - arm64: dts: apple: t600x: Add bluetooth device nodes", " - arm64: dts: apple: Add ethernet0 alias for J375 template", " - selftests: always install UAPI headers to the correct directory", " - smp: Fix up and expand the smp_call_function_many() kerneldoc", " - mfd: max77705: max77705_charger: move active discharge setting to mfd", " parent", " - power: supply: max77705_charger: refactoring: rename charger to chg", " - power: supply: max77705_charger: use regfields for config registers", " - power: supply: max77705_charger: rework interrupts", " - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in", " host headers", " - spi: fix return code when spi device has too many chipselects", " - clocksource/drivers/timer-tegra186: Avoid 64-bit divide operation", " - clocksource/drivers/tegra186: Avoid 64-bit division", " - bpf: Mark kfuncs as __noclone", " - once: fix race by moving DO_ONCE to separate section", " - hwmon: (mlxreg-fan) Separate methods of fan setting coming from", " different subsystems", " - tools/nolibc: add stdbool.h to nolibc includes", " - thermal/drivers/qcom: Make LMH select QCOM_SCM", " - thermal/drivers/qcom/lmh: Add missing IRQ includes", " - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD", " - i2c: spacemit: ensure bus release check runs when wait_bus_idle() fails", " - i2c: spacemit: remove stop function to avoid bus error", " - i2c: spacemit: disable SDA glitch fix to avoid restart delay", " - i2c: spacemit: check SDA instead of SCL after bus reset", " - i2c: spacemit: ensure SDA is released after bus reset", " - i2c: designware: Fix clock issue when PM is disabled", " - i2c: designware: Add disabling clocks when probe fails", " - libbpf: Fix error when st-prefix_ops and ops from differ btf", " - bpf: Enforce expected_attach_type for tailcall compatibility", " - i3c: fix big-endian FIFO transfers", " - mfd: max77705: Setup the core driver as an interrupt controller", " - drm/sched: Fix a race in DRM_GPU_SCHED_STAT_NO_HANG test", " - drm/panel-edp: Add disable to 100ms for MNB601LS1-4", " - drm/display: bridge-connector: correct CEC bridge pointers in", " drm_bridge_connector_init", " - drm/panel-edp: Add 50ms disable delay for four panels", " - drm/vmwgfx: fix missing assignment to ts", " - drm/amd/display: Reduce Stack Usage by moving 'audio_output' into", " 'stream_res' v4", " - drm/panel: novatek-nt35560: Fix invalid return value", " - drm/amdgpu: fix link error for !PM_SLEEP", " - drm/amdgpu: Fix jpeg v4.0.3 poison irq call trace on sriov guest", " - drm/amdgpu: Fix vcn v4.0.3 poison irq call trace on sriov guest", " - PCI: endpoint: pci-ep-msi: Fix NULL vs IS_ERR() check in", " pci_epf_write_msi_msg()", " - PCI: xgene-msi: Return negative -EINVAL in xgene_msi_handler_setup()", " - drm/radeon/r600_cs: clean up of dead code in r600_cs", " - f2fs: fix condition in __allow_reserved_blocks()", " - f2fs: fix to avoid overflow while left shift operation", " - f2fs: fix to zero data after EOF for compressed file correctly", " - drm/bridge: it6505: select REGMAP_I2C", " - wifi: rtw88: Lock rtwdev->mutex before setting the LED", " - HID: steelseries: refactor probe() and remove()", " - media: zoran: Remove zoran_fh structure", " - phy: rockchip: naneng-combphy: Enable U3 OTG port for RK3568", " - drm/bridge: cdns-dsi: Fix the _atomic_check()", " - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup", " - usb: misc: qcom_eud: Access EUD_MODE_MANAGER2 through secure calls", " - PCI/pwrctrl: Fix double cleanup on devm_add_action_or_reset() failure", " - misc: pci_endpoint_test: Fix array underflow in", " pci_endpoint_test_ioctl()", " - serial: max310x: Add error checking in probe()", " - drm/amd/display: Remove redundant semicolons", " - drm/amd/display: Add NULL pointer checks in dc_stream cursor attribute", " functions", " - crypto: keembay - Add missing check after sg_nents_for_len()", " - hwrng: nomadik - add ARM_AMBA dependency", " - docs: iio: ad3552r: Fix malformed code-block directive", " - fwctl/mlx5: Fix memory alloc/free in mlx5ctl_fw_rpc()", " - scsi: pm80xx: Restore support for expanders", " - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod", " - scsi: libsas: Add dev_parent_is_expander() helper", " - scsi: pm80xx: Use dev_parent_is_expander() helper", " - scsi: pm80xx: Add helper function to get the local phy id", " - scsi: pm80xx: Fix pm8001_abort_task() for chip_8006 when using an", " expander", " - mptcp: Fix up subflow's memcg when CONFIG_SOCK_CGROUP_DATA=n.", " - scsi: myrs: Fix dma_alloc_coherent() error check", " - f2fs: fix to clear unusable_cap for checkpoint=enable", " - f2fs: fix to avoid NULL pointer dereference in", " f2fs_check_quota_consistency()", " - f2fs: fix to allow removing qf_name", " - Revert \"UBUNTU: SAUCE: drm/dp: drm_edp_backlight_set_level: do not", " always send 3-byte commands\"", " - drm/dp: drm_edp_backlight_set_level: do not always send 3-byte commands", " - crypto: octeontx2 - Call strscpy() with correct size argument", " - drm: re-allow no-op changes on non-primary planes in async flips", " - media: rj54n1cb0c: Fix memleak in rj54n1_probe()", " - media: staging/ipu7: convert to use pci_alloc_irq_vectors() API", " - media: staging/ipu7: Don't set name for IPU7 PCI device", " - media: staging/ipu7: cleanup the MMU correctly in IPU7 driver release", " - media: i2c: vd55g1: Fix duster register address", " - drm/panel: Allow powering on panel follower after panel is enabled", " - HID: i2c-hid: Make elan touch controllers power on after panel is", " enabled", " - RDMA/mlx5: Better estimate max_qp_wr to reflect WQE count", " - RDMA/mlx5: Fix vport loopback forcing for MPV device", " - wifi: rtw88: Use led->brightness_set_blocking for PCI too", " - net: phy: introduce phy_id_compare_vendor() PHY ID helper", " - net: phy: as21xxx: better handle PHY HW reset on soft-reboot", " - PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()", " - fuse: remove unneeded offset assignment when filling write pages", " - PCI: qcom: Restrict port parsing only to PCIe bridge child nodes", " - cdx: don't select CONFIG_GENERIC_MSI_IRQ", " - PCI/ACPI: Fix pci_acpi_preserve_config() memory leak", " - HID: i2c-hid: Fix test in i2c_hid_core_register_panel_follower()", " - ALSA: lx_core: use int type to store negative error codes", " - media: st-delta: avoid excessive stack usage", " - drm/amdgpu/vcn: Add regdump helper functions", " - drm/amdgpu/vcn: Hold pg_lock before vcn power off", " - drm/amdgpu: Check vcn state before profile switch", " - accel/amdxdna: Use int instead of u32 to store error codes", " - efi: Explain OVMF acronym in OVMF_DEBUG_LOG help text", " - net: dst: introduce dst->dev_rcu", " - ipv6: mcast: Add ip6_mc_find_idev() helper", " - ipv6: start using dst_dev_rcu()", " - ipv6: use RCU in ip6_xmit()", " - ipv6: use RCU in ip6_output()", " - net: use dst_dev_rcu() in sk_setup_caps()", " - tcp_metrics: use dst_dev_net_rcu()", " - ipv4: start using dst_dev_rcu()", " - crypto: hisilicon/zip - remove unnecessary validation for high-", " performance mode configurations", " - crypto: hisilicon - re-enable address prefetch after device resuming", " - crypto: hisilicon - check the sva module status while enabling or", " disabling address prefetch", " - crypto: hisilicon/qm - check whether the input function and PF are on", " the same device", " - crypto: hisilicon/qm - request reserved interrupt for virtual function", " - inet: ping: check sock_net() in ping_get_port() and ping_lookup()", " - dmaengine: Fix dma_async_tx_descriptor->tx_submit documentation", " - coresight: trbe: Add ISB after TRBLIMITR write", " - coresight: Fix missing include for FIELD_GET", " - coresight: Only register perf symlink for sinks with alloc_buffer", " - drm/amdgpu: Power up UVD 3 for FW validation (v2)", " - drm/amd/pm: Disable ULV even if unsupported (v3)", " - drm/amd/pm: Fix si_upload_smc_data (v3)", " - drm/amd/pm: Adjust si_upload_smc_data register programming (v3)", " - drm/amd/pm: Treat zero vblank time as too short in si_dpm (v3)", " - drm/amd/pm: Disable MCLK switching with non-DC at 120 Hz+ (v2)", " - drm/amd/pm: Disable SCLK switching on Oland with high pixel clocks (v3)", " - wifi: mac80211: Make CONNECTION_MONITOR optional for MLO sta", " - wifi: mwifiex: send world regulatory domain to driver", " - wifi: brcmfmac: fix 43752 SDIO FWVID incorrectly labelled as Cypress", " (CYW)", " - drm/msm: Do not validate SSPP when it is not ready", " - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation", " - wifi: mac80211: consider links for validating SCAN_FLAG_AP in scan", " request during MLO", " - PCI: qcom: Add equalization settings for 8.0 GT/s and 32.0 GT/s", " - tcp: fix __tcp_close() to only send RST when required", " - fanotify: Validate the return value of mnt_ns_from_dentry() before", " dereferencing", " - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl()", " - usb: phy: twl6030: Fix incorrect type for ret", " - usb: gadget: configfs: Correctly set use_os_string at bind", " - tty: n_gsm: Don't block input queue by waiting MSC", " - misc: genwqe: Fix incorrect cmd field being reported in error", " - pps: fix warning in pps_register_cdev when register device fail", " - drm/msm: Fix obj leak in VM_BIND error path", " - drm/msm: Fix missing VM_BIND offset/range validation", " - wifi: iwlwifi: Remove redundant header files", " - drm/msm/mdp4: stop supporting no-IOMMU configuration", " - drm/msm: stop supporting no-IOMMU configuration", " - idpf: fix Rx descriptor ready check barrier in splitq", " - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping", " - ASoC: Intel: bytcr_rt5651: Fix invalid quirk input mapping", " - ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore", " - ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST", " - drm/msm: Fix bootup splat with separate_gpu_drm modparam", " - drm/msm/dpu: fix incorrect type for ret", " - wifi: mac80211: fix reporting of all valid links in sta_set_sinfo()", " - fs: ntfs3: Fix integer overflow in run_unpack()", " - fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist", " - iio: consumers: Fix handling of negative channel scale in", " iio_convert_raw_to_processed()", " - iio: consumers: Fix offset handling in iio_convert_raw_to_processed()", " - mm/slub: Fix cmp_loc_by_count() to return 0 when counts are equal", " - tools: ynl: fix undefined variable name", " - RDMA/mlx5: Fix page size bitmap calculation for KSM mode", " - netfilter: ipset: Remove unused htable_bits in macro ahash_region", " - ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable", " - HID: steelseries: Fix STEELSERIES_SRWS1 handling in steelseries_remove()", " - watchdog: intel_oc_wdt: Do not try to write into const memory", " - watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the", " watchdog", " - PCI: endpoint: pci-epf-test: Fix doorbell test support", " - drivers/base/node: handle error properly in register_one_node()", " - RDMA/cm: Rate limit destroy CM ID timeout error message", " - wifi: mt76: mt7996: Fix mt7996_mcu_sta_ba wcid configuration", " - wifi: mt76: mt7996: Fix mt7996_mcu_bss_mld_tlv routine", " - wifi: mt76: fix potential memory leak in mt76_wmac_probe()", " - wifi: mt76: mt7996: Use proper link_id in link_sta_rc_update callback", " - wifi: mt76: mt7996: Check phy before init msta_link in", " mt7996_mac_sta_add_links()", " - wifi: mt76: mt7996: Fix tx-queues initialization for second phy on", " mt7996", " - wifi: mt76: mt7996: Fix RX packets configuration for primary WED device", " - wifi: mt76: mt7996: Convert mt7996_wed_rro_addr to LE", " - wifi: mt76: mt7915: fix mt7981 pre-calibration", " - wifi: mt76: mt7996: remove redundant per-phy mac80211 calls during", " restart", " - ASoC: Intel: hda-sdw-bpt: set persistent_buffer false", " - srcu/tiny: Remove preempt_disable/enable() in srcu_gp_start_if_needed()", " - drm/amdgpu: Fix allocating extra dwords for rings (v2)", " - f2fs: fix to update map->m_next_extent correctly in f2fs_map_blocks()", " - f2fs: fix to truncate first page in error path of f2fs_truncate()", " - f2fs: fix to avoid migrating empty section", " - f2fs: fix to mitigate overhead of f2fs_zero_post_eof_page()", " - RISC-V: KVM: Write hgatp register with valid mode bits", " - ALSA: pcm: Disable bottom softirqs as part of spin_lock_irq() on", " PREEMPT_RT", " - ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message", " - scsi: qla2xxx: edif: Fix incorrect sign of error code", " - scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES()", " - scsi: qla2xxx: Fix incorrect sign of error code in qla_nvme_xmt_ls_rsp()", " - HID: hidraw: tighten ioctl command parsing", " - f2fs: fix zero-sized extent for precache extents", " - smc: Fix use-after-free in __pnet_find_base_ndev().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in in smc_clc_prfx_set().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match().", " - smc: Use __sk_dst_get() and dst_dev_rcu() in smc_vlan_by_tcpsk().", " - tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().", " - mptcp: Call dst_release() in mptcp_active_enable().", " - mptcp: Use __sk_dst_get() and dst_dev_rcu() in mptcp_active_enable().", " - Revert \"usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems", " Running\"", " - RDMA/core: Resolve MAC of next-hop device without ARP support", " - IB/sa: Fix sa_local_svc_timeout_ms read race", " - Documentation: trace: historgram-design: Separate sched_waking histogram", " section heading and the following diagram", " - ASoC: SOF: ipc4-pcm: Fix incorrect comparison with number of tdm_slots", " - wifi: ath12k: initialize eirp_power before use", " - wifi: ath12k: fix overflow warning on num_pwr_levels", " - wifi: ath12k: fix signal in radiotap for WCN7850", " - wifi: ath12k: fix HAL_PHYRX_COMMON_USER_INFO handling in monitor mode", " - wifi: ath12k: fix the fetching of combined rssi", " - wifi: ath12k: Add fallback for invalid channel number in PHY metadata", " - wifi: ath12k: fix wrong logging ID used for CE", " - wifi: ath10k: avoid unnecessary wait for service ready message", " - iommu/vt-d: debugfs: Fix legacy mode page table dump logic", " - wifi: mac80211: fix Rx packet handling when pubsta information is not", " available", " - ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " UltraSPARC III", " - sparc: fix accurate exception reporting in copy_{from_to}_user for", " Niagara", " - sparc: fix accurate exception reporting in copy_to_user for Niagara 4", " - sparc: fix accurate exception reporting in copy_{from,to}_user for M7", " - vfio/pds: replace bitmap_free with vfree", " - crypto: comp - Use same definition of context alloc and free ops", " - crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs", " - wifi: ath12k: Fix peer lookup in ath12k_dp_mon_rx_deliver_msdu()", " - rpmsg: qcom_smd: Fix fallback to qcom,ipc parse", " - remoteproc: qcom_q6v5_mss: support loading MBN file on msm8974", " - RDMA/rxe: Fix race in do_task() when draining", " - selftests/mm: fix va_high_addr_switch.sh failure on x86_64", " - wifi: rtw89: fix leak in rtw89_core_send_nullfunc()", " - wifi: rtw89: avoid circular locking dependency in ser_state_run()", " - PCI: tegra194: Fix duplicate PLL disable in", " pex_ep_event_pex_rst_assert()", " - remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice", " - remoteproc: qcom: pas: Shutdown lite ADSP DTB on X1E", " - wifi: ath12k: Refactor RX TID deletion handling into helper function", " - wifi: ath12k: Fix flush cache failure during RX queue update", " - wifi: cfg80211: fix width unit in cfg80211_radio_chandef_valid()", " - dm vdo: return error on corrupted metadata in start_restoring_volume", " functions", " - coresight: fix indentation error in cscfg_remove_owned_csdev_configs()", " - coresight-etm4x: Conditionally access register TRCEXTINSELR", " - coresight: tmc: Support atclk", " - coresight: catu: Support atclk", " - coresight: etm4x: Support atclk", " - coresight: Appropriately disable programming clocks", " - coresight: Appropriately disable trace bus clocks", " - coresight: Avoid enable programming clock duplicately", " - coresight: trbe: Return NULL pointer for allocation failures", " - coresight: tpda: fix the logic to setup the element size", " - coresight: Fix incorrect handling for return value of devm_kzalloc", " - NFSv4.1: fix backchannel max_resp_sz verification check", " - net: ethtool: tsconfig: set command must provide a reply", " - netfilter: nfnetlink: reset nlh pointer during batch replay", " - netfilter: nf_conntrack: do not skip entries in /proc/net/nf_conntrack", " - scsi: ufs: core: Fix data race in CPU latency PM QoS request handling", " - scsi: mpt3sas: Fix crash in transport port remove by using ioc_info()", " - usb: vhci-hcd: Prevent suspending virtually attached devices", " - PCI: rcar-gen4: Add missing 1ms delay after PWR reset assertion", " - PCI: rcar-gen4: Assure reset occurs before DBI access", " - PCI: rcar-gen4: Fix inverted break condition in PHY initialization", " - ASoC: qcom: sc8280xp: use sa8775p/ subdir for QCS9100 / QCS9075", " - iommu/vt-d: Disallow dirty tracking if incoherent page walk", " - iommu/selftest: prevent use of uninitialized variable", " - RDMA/siw: Always report immediate post SQ errors", " - net: enetc: Fix probing error message typo for the ENETCv4 PF driver", " - net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast", " - ptp: Add a upper bound on max_vclocks", " - vhost: vringh: Fix copy_to_iter return value check", " - net: macb: remove illusion about TBQPH/RBQPH being per-queue", " - net: macb: move ring size computation to functions", " - net: macb: single dma_alloc_coherent() for DMA descriptors", " - Bluetooth: btintel_pcie: Refactor Device Coredump", " - Bluetooth: MGMT: Fix not exposing debug UUID on", " MGMT_OP_READ_EXP_FEATURES_INFO", " - Bluetooth: ISO: Fix possible UAF on iso_conn_free", " - Bluetooth: ISO: free rx_skb if not consumed", " - Bluetooth: ISO: don't leak skb in ISO_CONT RX", " - Bluetooth: hci_sync: Fix using random address for BIG/PA advertisements", " - KEYS: X.509: Fix Basic Constraints CA flag parsing", " - hwrng: ks-sa - fix division by zero in ks_sa_rng_init", " - cramfs: fix incorrect physical page address calculation", " - ocfs2: fix double free in user_cluster_connect()", " - drivers/base/node: fix double free in register_one_node()", " - f2fs: fix UAF issue in f2fs_merge_page_bio()", " - mtd: rawnand: atmel: Fix error handling path in", " atmel_nand_controller_add_nands", " - PCI: j721e: Fix incorrect error message in probe()", " - idpf: fix mismatched free function for dma_alloc_coherent", " - tcp: use skb->len instead of skb->truesize in tcp_can_ingest()", " - nfp: fix RSS hash key size when RSS is not supported", " - net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not", " configurable", " - net: dlink: handle copy_thresh allocation failure", " - net/mlx5: Stop polling for command response if interface goes down", " - net/mlx5: pagealloc: Fix reclaim race during command interface teardown", " - net/mlx5: fw reset, add reset timeout work", " - smb: client: fix crypto buffers in non-linear memory", " - bonding: fix xfrm offload feature setup on active-backup mode", " - net: enetc: initialize SW PIR and CIR based HW PIR and CIR values", " - iommufd: Register iommufd mock devices with fwspec", " - Revert \"net/mlx5e: Update and set Xon/Xoff upon MTU set\"", " - NFSD: filecache: add STATX_DIOALIGN and STATX_DIO_READ_ALIGN support", " - nfs/localio: avoid issuing misaligned IO using O_DIRECT", " - octeontx2-vf: fix bitmap leak", " - octeontx2-pf: fix bitmap leak", " - vhost: vringh: Modify the return value check", " - selftests/bpf: Fix typos and grammar in test sources", " - selftests/bpf: move get_ksyms and get_addrs to trace_helpers.c", " - selftests/bpf: Fix realloc size in bpf_get_addrs", " - bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer", " - bpf: Reject negative offsets for ALU ops", " - tpm: Disable TPM2_TCG_HMAC by default", " - ALSA: hda/hdmi: Add pin fix for HP ProDesk model", " - ALSA: hda/realtek: Add quirk for HP Spectre 14t-ea100", " - Squashfs: fix uninit-value in squashfs_get_parent", " - uio_hv_generic: Let userspace take care of interrupt mask", " - hisi_acc_vfio_pci: Fix reference leak in hisi_acc_vfio_debug_init", " - io_uring/waitid: always prune wait queue entry in io_waitid_wait()", " - io_uring/zcrx: fix overshooting recv limit", " - ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()", " - ASoC: SOF: ipc3-topology: Fix multi-core and static pipelines tear down", " - ASoC: codecs: wcd937x: set the comp soundwire port correctly", " - ASoC: codecs: wcd937x: make stub functions inline", " - ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples", " - ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA", " - fs: udf: fix OOB read in lengthAllocDescs handling", " - net: nfc: nci: Add parameter validation for packet data", " - mfd: rz-mtu3: Fix MTU5 NFCR register offset", " - mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag", " - mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data()", " - tracing: Fix lock imbalance in s_start() memory allocation failure path", " - tracing: Fix race condition in kprobe initialization causing NULL", " pointer dereference", " - tracing: Fix wakeup tracers on failure of acquiring calltime", " - tracing: Fix irqoff tracers on failure of acquiring calltime", " - tracing: Have trace_marker use per-cpu data to read user space", " - tracing: Fix tracing_mark_raw_write() to use buf and not ubuf", " - tracing: Stop fortify-string from warning in tracing_mark_raw_write()", " - dm: fix queue start/stop imbalance under suspend/load/resume races", " - dm: fix NULL pointer dereference in __dm_suspend()", " - LoongArch: Automatically disable kaslr if boot from kexec_file", " - pwm: loongson: Fix LOONGSON_PWM_FREQ_DEFAULT", " - LoongArch: BPF: Sign-extend struct ops return values properly", " - LoongArch: BPF: No support of struct argument in trampoline programs", " - LoongArch: BPF: Don't align trampoline size", " - LoongArch: BPF: Make trampoline size stable", " - LoongArch: BPF: Make error handling robust in", " arch_prepare_bpf_trampoline()", " - LoongArch: BPF: Remove duplicated bpf_flush_icache()", " - LoongArch: BPF: No text_poke() for kernel text", " - LoongArch: BPF: Remove duplicated flags check", " - LoongArch: BPF: Fix uninitialized symbol 'retval_off'", " - mm/ksm: fix flag-dropping behavior in ksm_madvise", " - ksmbd: Fix race condition in RPC handle list access", " - ksmbd: fix error code overwriting in smb2_get_info_filesystem()", " - ksmbd: add max ip connections parameter", " - ext4: fix potential null deref in ext4_mb_init()", " - ext4: fix checks for orphan inodes", " - KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid", " - fbdev: simplefb: Fix use after free in simplefb_detach_genpds()", " - mm: hugetlb: avoid soft lockup when mprotect to large memory area", " - selftests/mm: skip soft-dirty tests when CONFIG_MEM_SOFT_DIRTY is", " disabled", " - nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe()", " - misc: fastrpc: Save actual DMA size in fastrpc_map structure", " - misc: fastrpc: Fix fastrpc_map_lookup operation", " - misc: fastrpc: fix possible map leak in fastrpc_put_args", " - misc: fastrpc: Skip reference for DMA handles", " - Input: atmel_mxt_ts - allow reset GPIO to sleep", " - Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info", " leak", " - sunrpc: fix null pointer dereference on zero-length checksum", " - PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()", " - remoteproc: pru: Fix potential NULL pointer dereference in", " pru_rproc_set_ctable()", " - PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before", " release", " - thunderbolt: Fix use-after-free in tb_dp_dprx_work", " - tee: fix register_shm_helper()", " - pinctrl: check the return value of pinmux_ops::get_function_name()", " - bus: fsl-mc: Check return value of platform_get_resource()", " - net/9p: Fix buffer overflow in USB transport layer", " - net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock", " - usb: typec: tipd: Clear interrupts first", " - arm64: dts: qcom: qcm2290: Disable USB SS bus instances in park mode", " - usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call", " - scsi: ufs: core: Fix PM QoS mutex initialization", " - drm/amdgpu/vcn: Fix double-free of vcn dump buffer", " - Linux 6.17.3", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", "" ], "package": "linux-riscv", "version": "6.17.0-9.9.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2133508, 2132302, 2132095, 2131046, 2115860, 2129770, 2131136, 2130552, 2128792, 2121852, 2131259, 2131259, 2131702, 2129610 ], "author": "Emil Renner Berthing ", "date": "Mon, 01 Dec 2025 16:40:19 +0100" } ], "notes": "linux-tools-6.17.0-12-generic version '6.17.0-12.12.1' (source package linux-riscv version '6.17.0-12.12.1') was added. linux-tools-6.17.0-12-generic version '6.17.0-12.12.1' has the same source package name, linux-riscv, as removed package linux-headers-6.17.0-8-generic. As such we can use the source package version of the removed package, '6.17.0-8.8.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-6.17.0-8-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": "6.17.0-8.8.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-6.17.0-8-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": "6.17.0-8.8.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-6.17.0-8-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": "6.17.0-8.8.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-riscv-headers-6.17.0-8", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": "6.17.0-8.8.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-riscv-tools-6.17.0-8", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": "6.17.0-8.8.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-tools-6.17.0-8-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.17.0-8.8.1", "version": "6.17.0-8.8.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 25.10 questing image from release image serial 20260131 to 20260206", "from_series": "questing", "to_series": "questing", "from_serial": "20260131", "to_serial": "20260206", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }