* CVE-2025-38699 - scsi: bfa: Double-free fix {CVE-2025-38699} * CVE-2025-38697 - jfs: upper bound check of tree index in dbAllocAG {CVE-2025-38697} * CVE-2025-39823 - KVM: x86: use array_index_nospec with indices that come from guest {CVE-2025-39823} * CVE-2025-39689 - ftrace: Also allocate and copy hash for reading of filter files {CVE-2025-39689} * CVE-2025-39749 - rcu: Protect ->defer_qs_iw_pending from data race {CVE-2025-39749} * CVE-2025-38728 - smb3: fix for slab out of bounds on mount to ksmbd {CVE-2025-38728} * CVE-2025-38676 - iommu/amd: Avoid stack buffer overflow from kernel cmdline {CVE-2025-38676} * CVE-2025-38574 - pptp: ensure minimal skb length in pptp_xmit() {CVE-2025-38574} * CVE-2025-38572 - ipv6: reject malicious packets in ipv6_gso_segment() {CVE-2025-38572} * CVE-2025-38685 - fbdev: Fix vmalloc out-of-bounds write in fast_imageblit {CVE-2025-38685} * CVE-2025-38563 - vm_ops: rename .split() callback to .may_split() {CVE-2025-38563} - perf/core: Prevent VMA split of buffer mappings {CVE-2025-38563} * CVE-2025-38702 - fbdev: fix potential buffer overflow in do_register_framebuffer() {CVE-2025-38702} * CVE-2025-39911 - i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path {CVE-2025-39911} * CVE-2025-39971 - i40e: fix idx validation in config queues msg {CVE-2025-39971} * CVE-2025-40154 - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping {CVE-2025-40154} * CVE-2025-39973 - i40e: increase max descriptors for XL710 {CVE-2025-39973} - i40e: add validation for ring_len param {CVE-2025-39973} * CVE-2022-49026 - e100: Fix possible use after free in e100_xmit_prepare {CVE-2022-49026} * CVE-2025-38724 - nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() {CVE-2025-38724} * CVE-2025-39853 - i40e: Fix potential invalid access when MAC list is empty {CVE-2025-39853} * CVE-2025-39860 - Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() {CVE-2025-39860} * CVE-2025-39891 - wifi: mwifiex: Initialize the chan_stats array to zero {CVE-2025-39891} * CVE-2025-38530 - comedi: pcl812: Fix bit shift out of bounds {CVE-2025-38530} * CVE-2025-38529 - comedi: aio_iiro_16: Fix bit shift out of bounds {CVE-2025-38529} * CVE-2025-38497 - usb: gadget: configfs: Fix OOB read on empty string write {CVE-2025-38497} * CVE-2025-38483 - comedi: das16m1: Fix bit shift out of bounds {CVE-2025-38483} * CVE-2025-38482 - comedi: das6402: Fix bit shift out of bounds {CVE-2025-38482} * CVE-2025-39702 - ipv6: sr: Fix MAC comparison to be constant-time {CVE-2025-39702} * CVE-2025-39730 - NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() {CVE-2025-39730} * CVE-2025-39841 - scsi: lpfc: Fix buffer free/clear order in deferred receive path {CVE-2025-39841} * CVE-2025-39817 - efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare {CVE-2025-39817} * CVE-2025-38494 - HID: core: ensure the allocated report buffer can contain the reserved report ID {CVE-2025-38494} - HID: core: ensure __hid_request reserves the report ID as the first byte {CVE-2025-38494} - HID: core: do not bypass hid_hw_raw_request {CVE-2025-38494} * CVE-2025-39757 - ALSA: usb-audio: Validate UAC3 cluster segment descriptors {CVE-2025-39757} * CVE-2025-38527 - smb: client: fix use-after-free in cifs_oplock_break {CVE-2025-38527} * CVE-2023-52854 - padata: Fix refcnt handling in padata_free_shell() {CVE-2023-52854} * CVE-2024-35867 - smb: client: fix potential UAF in cifs_stats_proc_show() {CVE-2024-35867} * CVE-2024-50061 - i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition {CVE-2024-50061} * CVE-2025-39965 - xfrm: Duplicate SPI Handling {CVE-2025-39965} * CVE-2025-22107 - net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() {CVE-2025-22107} * CVE-2025-37928 - dm-bufio: don't schedule in atomic context {CVE-2025-37928} * CVE-2025-37927 - iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid {CVE-2025-37927} * CVE-2025-37915 - net_sched: drr: Fix double list add in class with netem as child qdisc {CVE-2025-37915} * CVE-2025-37913 - net_sched: qfq: Fix double list add in class with netem as child qdisc {CVE-2025-37913} * CVE-2025-37817 - mcb: fix a double free bug in chameleon_parse_gdd() {CVE-2025-37817} * CVE-2025-38204 - jfs: fix array-index-out-of-bounds read in add_missing_indices {CVE-2025-38204} * CVE-2025-38323 - net: atm: add lec_mutex {CVE-2025-38323} * CVE-2025-38346 - ftrace: Fix UAF when lookup kallsym after ftrace disabled {CVE-2025-38346} * CVE-2025-38348 - wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() {CVE-2025-38348} * CVE-2025-38415 - Squashfs: check return result of sb_min_blocksize {CVE-2025-38415} * CVE-2025-38416 - NFC: nci: uart: Set tty->disc_data only in success path {CVE-2025-38416} * CVE-2025-38428 - Input: ims-pcu - check record size in ims_pcu_flash_firmware() {CVE-2025-38428} * CVE-2025-38102 - VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify {CVE-2025-38102} * CVE-2025-38245 - atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). {CVE-2025-38245} * CVE-2025-38249 - ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() {CVE-2025-38249} * CVE-2025-38377 - rose: fix dangling neighbour pointers in rose_rt_device_down() {CVE-2025-38377} * CVE-2025-38389 - drm/i915/gt: Fix timeline left held on VMA alloc error {CVE-2025-38389} * CVE-2025-38395 - regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods {CVE-2025-38395} * CVE-2025-38401 - mtk-sd: Prevent memory corruption from DMA map failure {CVE-2025-38401} * CVE-2025-38445 - md/raid1: Fix stack memory use after return in raid1_reshape {CVE-2025-38445} * CVE-2025-38459 - atm: clip: Fix infinite recursive call of clip_push(). {CVE-2025-38459} * CVE-2025-39863 - wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work {CVE-2025-39863} * CVE-2025-38068 - crypto: lzo - Fix compression buffer overrun {CVE-2025-38068} * CVE-2025-21726 - padata: avoid UAF for reorder_work {CVE-2025-21726} * CVE-2025-39760 - usb: core: config: Prevent OOB read in SS endpoint companion parsing {CVE-2025-39760} * CVE-2022-49698 - netfilter: use get_random_u32 instead of prandom {CVE-2022-49698} * CVE-2025-38198 - fbcon: Introduce wrapper for console->fb_info lookup {CVE-2025-38198} - fbcon: Make sure modelist not set on unregistered console {CVE-2025-38198} * CVE-2025-38422 - net: lan743x: Add support for 4 Tx queues {CVE-2025-38422} - net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices {CVE-2025-38422} - net: lan743x: Add PCI11010 / PCI11414 device IDs {CVE-2025-38422} * CVE-2025-38375 - virtio-net: ensure the received length does not exceed allocated size {CVE-2025-38375} * CVE-2025-39901 - i40e: remove read access to debugfs files {CVE-2025-39901} * CVE-2025-39810 - bnxt_en: Fix memory corruption when FW resources change during ifdown {CVE-2025-39810} * CVE-2025-39905 - net: phylink: add lock for serializing concurrent pl->phydev writes with resolver {CVE-2025-39905} * CVE-2025-39993 - media: imon: reorganize serialization {CVE-2025-39993} - media: rc: fix races with imon_disconnect() {CVE-2025-39993} * CVE-2025-39883 - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory {CVE-2025-39883} * Miscellaneous upstream changes - net: atm: fix /proc/net/atm/lec handling {CVE-2025-38323}