Oracle Linux Security Advisory ELSA-2026-50095

http://linux.oracle.com/errata/ELSA-2026-50095.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

aarch64:
bpftool-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-container-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-container-debug-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-core-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-debug-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-debug-core-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-debug-devel-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-debug-modules-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-debug-modules-extra-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-devel-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-doc-5.15.0-316.196.4.2.el9uek.noarch.rpm
kernel-uek-modules-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek-modules-extra-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek64k-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek64k-core-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek64k-devel-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek64k-modules-5.15.0-316.196.4.2.el9uek.aarch64.rpm
kernel-uek64k-modules-extra-5.15.0-316.196.4.2.el9uek.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/kernel-uek-5.15.0-316.196.4.2.el9uek.src.rpm

Related CVEs:
CVE-2025-38566
CVE-2025-38571
CVE-2025-40215
CVE-2025-40258
CVE-2025-68209

Description of changes:

[5.15.0-316.196.4.2]
- xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added (Sabrina Dubroca)
- usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE (Gopi Krishna Menon)
- ext4: clear i_state_flags when alloc inode (Haibo Chen)
- ext4: align max orphan file size with e2fsprogs limit (Baokun Li)
- PM: runtime: Do not clear needs_force_resume with enabled runtime PM (Rafael J. Wysocki)
- net: enetc: fix build warning when PAGE_SIZE is greater than 128K (Wei Fang)
- net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop (Xiang Mei)
- block: fix comment for op_is_zone_mgmt() to include RESET_ALL (shechenglong)
- fuse: fix readahead reclaim deadlock (Joanne Koong)
- i40e: validate ring_len parameter against hardware-specific values (Gregory Herrero)
- fs/ntfs3: fix mount failure for sparse runs in run_unpack() (Konstantin Komarov)
- xfrm: delete x->tunnel as we delete x (Sabrina Dubroca) [Orabug: 38933003] {CVE-2025-40215}
- mptcp: fix race condition in mptcp_schedule_work() (Eric Dumazet) [Orabug: 38932997] {CVE-2025-40258}
- mlx5: Fix default values in create CQ (Akiva Goldberger) [Orabug: 38932992]
- sunrpc: fix handling of server side tls alerts (Olga Kornievskaia) [Orabug: 38932991] {CVE-2025-38566}
- sunrpc: fix client side handling of tls alerts (Olga Kornievskaia) [Orabug: 38932988] {CVE-2025-38571}

[5.15.0-316.196.4.1]
- tipc: Fix use-after-free in tipc_mon_reinit_self(). (Kuniyuki Iwashima) [Orabug: 38788585] {CVE-2025-40280}
- fs/proc: fix uaf in proc_readdir_de() (Wei Yang) [Orabug: 38788587] {CVE-2025-40271}
- vsock: Ignore signal/timeout on connect() if already established (Michal Luczaj) [Orabug: 38788594] {CVE-2025-40248}

[5.15.0-316.196.4]
- vhost_scsi: Sync up cmd completion locking with upstream (Mike Christie) [Orabug: 38545946]
- vhost_scsi: add support for worker ioctls (Mike Christie) [Orabug: 38545946]
- vhost: Limit access to vhost worker ioctls (Mike Christie) [Orabug: 38545946]
- vhost: allow userspace to create workers (Mike Christie) [Orabug: 38545946]
- vhost: replace single worker pointer with xarray (Mike Christie) [Orabug: 38545946]
- vhost: add helper to parse userspace vring state/file (Mike Christie) [Orabug: 38545946]
- vhost: remove vhost_work_queue (Mike Christie) [Orabug: 38545946]
- vhost_scsi: flush IO vqs then send TMF rsp (Mike Christie) [Orabug: 38545946]
- vhost_scsi: convert to vhost_vq_work_queue (Mike Christie) [Orabug: 38545946]
- vhost_scsi: make SCSI cmd completion per vq (Mike Christie) [Orabug: 38545946]
- vhost_sock: convert to vhost_vq_work_queue (Mike Christie) [Orabug: 38545946]
- vhost: convert poll work to be vq based (Mike Christie) [Orabug: 38545946]
- vhost: take worker or vq for flushing (Mike Christie) [Orabug: 38545946]
- vhost: take worker or vq instead of dev for queueing (Mike Christie) [Orabug: 38545946]
- vhost, vhost_net: add helper to check if vq has work (Mike Christie) [Orabug: 38545946]
- vhost: add vhost_worker pointer to vhost_virtqueue (Mike Christie) [Orabug: 38545946]
- vhost: dynamically allocate vhost_worker (Mike Christie) [Orabug: 38545946]
- vhost: create worker at end of vhost_dev_set_owner (Mike Christie) [Orabug: 38545946]
- vhost-scsi: Fix crash during LUN unmapping (Mike Christie) [Orabug: 38545946]
- vhost: move worker thread fields to new struct (Mike Christie) [Orabug: 38545946]
- vhost: Fix livepatch timeouts in vhost_worker() (Josh Poimboeuf) [Orabug: 38545946]
- vhost: rename vhost_work_dev_flush (Mike Christie) [Orabug: 38545946]
- vhost-test: drop flush after vhost_dev_cleanup (Mike Christie) [Orabug: 38545946]
- vhost/test: fix memory leak of vhost virtqueues (Xianting Tian) [Orabug: 38545946]
- vhost-scsi: drop flush after vhost_dev_cleanup (Mike Christie) [Orabug: 38545946]
- vhost_vsock: simplify vhost_vsock_flush() (Andrey Ryabinin) [Orabug: 38545946]
- vhost_test: remove vhost_test_flush_vq() (Andrey Ryabinin) [Orabug: 38545946]
- vhost_net: get rid of vhost_net_flush_vq() and extra flush calls (Andrey Ryabinin) [Orabug: 38545946]
- vhost: flush dev once during vhost_dev_stop (Mike Christie) [Orabug: 38545946]
- vhost: get rid of vhost_poll_flush() wrapper (Andrey Ryabinin) [Orabug: 38545946]
- net/mlx5e: Add a miss level for ipsec crypto offload (Lama Kayal) [Orabug: 38600056]
- net/mlx5e: Add new prio for promiscuous mode (Jianbo Liu) [Orabug: 38600056]
- mm/hugetlb: add option to allows disabling CVE-2025-38085 mitigation (Joe Jin) [Orabug: 38728358]
- uek-rpm: Replace check-kabi tool with kabi (Yifei Liu) [Orabug: 38673381]
- uek-rpm: Introduce check function for uek-rpm/tools/kabi (Yifei Liu) [Orabug: 38673381]
- rtc: expose RTC_FEATURE_UPDATE_INTERRUPT (Alexandre Belloni) [Orabug: 38708842]
- Reapply "cpuidle: menu: Avoid discarding useful information" (Harshvardhan Jha) [Orabug: 38710346]
- netfilter: nf_tables: reject duplicate device on updates (Pablo Neira Ayuso) [Orabug: 38389767] {CVE-2025-38678}
- HID: quirks: work around VID/PID conflict for 0x4c4a/0x4155 (Zhang Heng)
- mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR (Matthieu Baerts (NGI0))
- USB: storage: Remove subclass and protocol overrides from Novatek quirk (Alan Stern)
- most: usb: fix double free on late probe failure (Johan Hovold)
- uio_hv_generic: Set event for all channels on the device (Long Li)
- regmap: slimbus: fix bus_context pointer in regmap init calls (Alexey Klimov)
- usb: typec: ucsi: psy: Set max current to zero when disconnected (Jameson Thies)
- ata: libata-scsi: Fix system suspend for a security locked drive (Niklas Cassel)
- MIPS: mm: Prevent a TLB shutdown on initial uniquification (Maciej W. Rozycki)

[5.15.0-316.196.3]
- rds: Add smp_rmb before reading c_destroy_in_prog (Håkon Bugge) [Orabug: 38352484]
- Revert "block: don't add or resize partition on the disk with GENHD_FL_NO_PART" (Gulam Mohamed) [Orabug: 38652797]
- Revert "block: Move checking GENHD_FL_NO_PART to bdev_add_partition()" (Gulam Mohamed) [Orabug: 38652797]

[5.15.0-316.196.2]
- net/mlx5: Clean up only new IRQ glue on request_irq() failure (Pradyumn Rahar) [Orabug: 37961220,38730620] {CVE-2025-40250}

[5.15.0-316.196.1]
- uek-rpm: kabi: Remove the kabi protection for debug kernels (Yifei Liu) [Orabug: 38609547]
- bnxt_en: Fix memory corruption when FW resources change during ifdown (Sreekanth Reddy) [Orabug: 38440240] {CVE-2025-39810}
- selftests/proc: add PROCMAP_QUERY ioctl tests (Andrii Nakryiko) [Orabug: 38410775]
- tools: sync uapi/linux/fs.h header into tools subdir (Andrii Nakryiko) [Orabug: 38410775]
- docs/procfs: call out ioctl()-based PROCMAP_QUERY command existence (Andrii Nakryiko) [Orabug: 38410775]
- fs/procfs: add build ID fetching to PROCMAP_QUERY API (Andrii Nakryiko) [Orabug: 38410775]
- fs/procfs: implement efficient VMA querying API for /proc/<pid>/maps (Andrii Nakryiko) [Orabug: 38410775]
- fs/procfs: extract logic for getting VMA name constituents (Andrii Nakryiko) [Orabug: 38410775]
- fs: create helper file_user_path() for user displayed mapped file path (Amir Goldstein) [Orabug: 38410775]
- mm: factor out VMA stack and heap checks (Kefeng Wang) [Orabug: 38410775]

[5.15.0-315.196.5]
- uek-rpm: add "bpf" to CONFIG_LSM (Alan Maguire) [Orabug: 35653191]
- Revert "cpufreq: Introduce an optional cpuinfo_avg_freq sysfs entry" (Samasth Norway Ananda) [Orabug: 38613264]

[5.15.0-315.196.4]
- net/rds: Fix rs_recv_pending counting issue (Gerd Rausch) [Orabug: 38506368]

[5.15.0-315.196.3]
- KVM: VMX: Intercept reads to invalid and write-only x2APIC registers (Sean Christopherson) [Orabug: 38535186]
- KVM: VMX: Always intercept accesses to unsupported "extended" x2APIC regs (Sean Christopherson) [Orabug: 38535186]
- KVM: x86: Split out logic to generate "readable" APIC regs mask to helper (Sean Christopherson) [Orabug: 38535186]
- KVM: x86: Mark x2APIC DFR reg as non-existent for x2APIC (Sean Christopherson) [Orabug: 38535186]
- uek-rpm/ol9/config-mips64-emb: Enable NF_TABLES for MIPS64 (Vijay Kumar) [Orabug: 38578981]
- LTS version: v5.15.196 (Vijayendra Suman)
- PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup() (Marek Vasut) [Orabug: 38641258] {CVE-2024-43876}
- net: rtnetlink: fix module reference count leak issue in rtnetlink_rcv_msg (Zhengchao Shao)
- usb: gadget: f_acm: Refactor bind path to use __free() (Kuen-Han Tsai) [Orabug: 38601854] {CVE-2025-40094}
- usb: gadget: f_ncm: Refactor bind path to use __free() (Kuen-Han Tsai) [Orabug: 38601837] {CVE-2025-40092}
- usb: gadget: Introduce free_usb_request helper (Kuen-Han Tsai)
- usb: gadget: Store endpoint pointer in usb_request (Kuen-Han Tsai)
- arch_topology: Fix incorrect error check in topology_parse_cpu_capacity() (Kaushlendra Kumar)
- xfs: always warn about deprecated mount options (Darrick J. Wong)
- devcoredump: Fix circular locking dependency with devcd->mutex. (Maarten Lankhorst)
- PCI: tegra194: Reset BARs when running in PCIe endpoint mode (Niklas Cassel)
- PCI: rcar-host: Drop PMSR spinlock (Marek Vasut)
- PCI: rcar: Finish transition to L1 state in rcar_pcie_config_access() (Marek Vasut)
- PCI: tegra194: Handle errors in BPMP response (Vidya Sagar)
- f2fs: fix wrong block mapping for multi-devices (Jaegeuk Kim)
- NFSD: Define a proc_layoutcommit for the FlexFiles layout type (Chuck Lever) [Orabug: 38601818] {CVE-2025-40087}
- vfs: Don't leak disconnected dentries on umount (Jan Kara) [Orabug: 38601923] {CVE-2025-40105}
- drm/amdgpu: use atomic functions with memory barriers for vm fault info (Gui-Dong Han)
- PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock (Marek Vasut)
- wifi: ath11k: HAL SRNG: don't deinitialize and re-initialize again (Muhammad Usama Anjum)
- PCI: j721e: Fix programming sequence of "strap" settings (Siddharth Vadapalli)
- PCI: j721e: Enable ACSPCIE Refclk if "ti,syscon-acspcie-proxy-ctrl" exists (Siddharth Vadapalli)
- fuse: fix livelock in synchronous file put from fuseblk workers (Darrick J. Wong) [Orabug: 38730516] {CVE-2025-40220}
- fuse: allocate ff->release_args only if release is needed (Amir Goldstein)
- padata: Reset next CPU when reorder sequence wraps around (Xiao Liang)
- iio: imu: inv_icm42600: Simplify pm_runtime setup (Sean Nyekjaer)
- PM: runtime: Add new devm functions (Csókás Bence)
- iio: imu: inv_icm42600: Avoid configuring if already pm_runtime suspended (Sean Nyekjaer)
- iio: imu: inv_icm42600: use = { } instead of memset() (David Lechner)
- NFSD: Fix last write offset handling in layoutcommit (Sergey Bashirov)
- NFSD: Minor cleanup in layoutcommit processing (Sergey Bashirov)
- NFSD: Rework encoding and decoding of nfsd4_deviceid (Sergey Bashirov)
- xfs: fix log CRC mismatches between i386 and other architectures (Christoph Hellwig)
- xfs: rename the old_crc variable in xlog_recover_process (Christoph Hellwig)
- s390/cio: Update purge function to unregister the unused subchannels (Vineeth Vijayan)
- arm64: cputype: Add Neoverse-V3AE definitions (Mark Rutland)
- serial: 8250_exar: add support for Advantech 2 port card with Device ID 0x0018 (Florian Eckert)
- most: usb: hdm_probe: Fix calling put_device() before device initialization (Victoria Votokina)
- most: usb: Fix use-after-free in hdm_disconnect (Victoria Votokina)
- mei: me: add wildcat lake P DID (Alexander Usyskin)
- comedi: fix divide-by-zero in comedi_buf_munge() (Deepanshu Kartikey)
- binder: remove "invalid inc weak" check (Alice Ryhl)
- xhci: dbc: enable back DbC in resume if it was enabled before suspend (Mathias Nyman)
- usb: raw-gadget: do not limit transfer length (Andrey Konovalov)
- usb/core/quirks: Add Huawei ME906S to wakeup quirk (Tim Guttzeit)
- USB: serial: option: add Telit FN920C04 ECM compositions (Li Qingwu)
- USB: serial: option: add Quectel RG255C (Reinhard Speyerer)
- USB: serial: option: add UNISOC UIS7720 (Renjun Wang)
- net: ravb: Ensure memory write completes before ringing TX doorbell (Lad Prabhakar)
- net: usb: rtl8150: Fix frame padding (Michał Pecio)
- vsock: fix lock inversion in vsock_assign_transport() (Stefano Garzarella) [Orabug: 38730748] {CVE-2025-40231}
- ocfs2: clear extent cache after moving/defragmenting extents (Deepanshu Kartikey) [Orabug: 38730546] {CVE-2025-40233}
- MIPS: Malta: Fix keyboard resource preventing i8042 driver from registering (Maciej W. Rozycki)
- Revert "cpuidle: menu: Avoid discarding useful information" (Rafael J. Wysocki)
- net: bonding: fix possible peer notify event loss or dup issue (Tonghao Zhang)
- sctp: avoid NULL dereference when chunk data buffer is missing (Alexey Simakov) [Orabug: 38730566] {CVE-2025-40240}
- arm64, mm: avoid always making PTE dirty in pte_mkwrite() (Huang, Ying)
- dpaa2-eth: fix the pointer passed to PTR_ALIGN on Tx path (Ioana Ciornei)
- net: enetc: correct the value of ENETC_RXB_TRUESIZE (Wei Fang)
- rtnetlink: Allow deleting FDB entries in user namespace (Johannes Wiesboeck)
- net: rtnetlink: add NLM_F_BULK support to rtnl_fdb_del (Nikolay Aleksandrov)
- net: rtnetlink: add bulk delete support flag (Nikolay Aleksandrov)
- net: netlink: add NLM_F_BULK delete request modifier (Nikolay Aleksandrov)
- net: rtnetlink: use BIT for flag values (Nikolay Aleksandrov)
- net: rtnetlink: add helper to extract msg type's kind (Nikolay Aleksandrov)
- m68k: bitops: Fix find_*_bit() signatures (Geert Uytterhoeven)
- hfsplus: return EIO when type of hidden directory mismatch in hfsplus_fill_super() (Yangtao Li)
- hfs: fix KMSAN uninit-value issue in hfs_find_set_zero_bits() (Viacheslav Dubeyko)
- dlm: check for defined force value in dlm_lockspace_release (Alexander Aring)
- hfsplus: fix KMSAN uninit-value issue in hfsplus_delete_cat() (Viacheslav Dubeyko)
- hfs: validate record offset in hfsplus_bmap_alloc (Yang Chenzhi)
- hfsplus: fix KMSAN uninit-value issue in __hfsplus_ext_cache_extent() (Viacheslav Dubeyko)
- hfs: make proper initalization of struct hfs_find_data (Viacheslav Dubeyko)
- hfs: clear offset and space out of valid records in b-tree node (Viacheslav Dubeyko)
- nios2: ensure that memblock.current_limit is set when setting pfn limits (Simon Schuster)
- exec: Fix incorrect type for ret (Xichao Zhao)
- PCI/sysfs: Ensure devices are powered for config reads (part 2) (Brian Norris)
- hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() (Viacheslav Dubeyko)
- ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card (Jiaming Zhang) [Orabug: 38597093] {CVE-2025-40085}
- ALSA: firewire: amdtp-stream: fix enum kernel-doc warnings (Randy Dunlap)
- sched/fair: Fix pelt lost idle time detection (Vincent Guittot)
- sched/balancing: Rename newidle_balance() => sched_balance_newidle() (Ingo Molnar)
- drm/amd/powerplay: Fix CIK shutdown temperature (Timur Kristóf)
- net: usb: lan78xx: fix use of improperly initialized dev->chipid in lan78xx_reset (I Viswanath)
- net: usb: lan78xx: Add error handling to lan78xx_init_mac_address (Oleksij Rempel)
- net: usb: use eth_hw_addr_set() instead of ether_addr_copy() (Jakub Kicinski)
- tls: don't rely on tx_work during send() (Sabrina Dubroca)
- tls: always set record_type in tls_process_cmsg (Sabrina Dubroca)
- tls: wait for async encrypt in case of error during latter iterations of sendmsg (Sabrina Dubroca)
- net: tls: wait for async completion on last message (Sascha Hauer)
- tg3: prevent use of uninitialized remote_adv and local_adv variables (Alexey Simakov)
- tcp: fix tcp_tso_should_defer() vs large RTT (Eric Dumazet)
- amd-xgbe: Avoid spurious link down messages during interface toggle (Raju Rangoju)
- net/ip6_tunnel: Prevent perpetual tunnel growth (Dmitry Safonov) [Orabug: 38649259] {CVE-2025-40173}
- r8169: fix packet truncation after S4 resume on RTL8168H/RTL8111H (Linmao Li)
- doc: fix seg6_flowlabel path (Nicolas Dichtel)
- net: dlink: handle dma_map_single() failure properly (Moon Yeounsu)
- can: m_can: m_can_plat_remove(): add missing pm_runtime_disable() (Marc Kleine-Budde)
- dax: skip read lock assertion for read-only filesystems (Yuezhang Mo)
- HID: multitouch: fix sticky fingers (Benjamin Tissoires)
- cpufreq: CPPC: Avoid using CPUFREQ_ETERNAL as transition delay (Rafael J. Wysocki)
- crypto: rockchip - Fix dma_unmap_sg() nents value (Thomas Fourier)
- drm/exynos: exynos7_drm_decon: remove ctx->suspended (Kaustabh Chakraborty)
- drm/exynos: exynos7_drm_decon: properly clear channels during bind (Kaustabh Chakraborty)
- drm/exynos: exynos7_drm_decon: fix uninitialized crtc reference in functions (Kaustabh Chakraborty)
- blk-crypto: fix missing blktrace bio split events (Yu Kuai)
- media: lirc: Fix error handling in lirc_register() (Ma Ke)
- media: rc: Directly use ida_free() (Keliu)
- media: s5p-mfc: remove an unused/uninitialized variable (Arnd Bergmann)
- btrfs: fix clearing of BTRFS_FS_RELOC_RUNNING if relocation already running (Filipe Manana)
- ext4: detect invalid INLINE_DATA + EXTENTS flag combination (Deepanshu Kartikey) [Orabug: 38649222] {CVE-2025-40167}
- jbd2: ensure that all ongoing I/O complete before freeing blocks (Zhang Yi)
- r8152: add error handling in rtl8152_driver_init (Yi Cong)
- LTS version: v5.15.195 (Vijayendra Suman)
- selftests: mptcp: join: validate C-flag + def limit (Matthieu Baerts)
- mptcp: pm: in-kernel: usable client side with C-flag (Matthieu Baerts)
- media: pci: ivtv: Add check for DMA map result (Mikhail Kobuk) [Orabug: 38641260] {CVE-2024-43877}
- xen/events: Update virq_to_irq on migration (Jason Andryuk)
- media: pci: ivtv: Add missing check after DMA map (Thomas Fourier)
- media: pci/ivtv: switch from 'pci_' to 'dma_' API (Christophe Jaillet)
- arm64: mte: Do not flag the zero page as PG_mte_tagged (Catalin Marinas)
- media: cx18: Add missing check after DMA map (Thomas Fourier)
- media: switch from 'pci_' to 'dma_' API (Christophe Jaillet)
- writeback: Avoid excessively long inode switching times (Jan Kara)
- writeback: Avoid softlockup when switching many inodes (Jan Kara)
- cramfs: Verify inode mode when loading from disk (Tetsuo Handa)
- fs: Add 'initramfs_options' to set initramfs mount options (Lichen Liu)
- pid: Add a judgment for ns null in pid_nr_ns (Gaoxiang17) [Orabug: 38649275] {CVE-2025-40178}
- minixfs: Verify inode mode when loading from disk (Tetsuo Handa)
- minmax.h: remove some #defines that are only expanded once (David Laight)
- minmax.h: simplify the variants of clamp() (David Laight)
- minmax.h: move all the clamp() definitions after the min/max() ones (David Laight)
- minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() (David Laight)
- minmax.h: reduce the #define expansion of min(), max() and clamp() (David Laight)
- minmax.h: update some comments (David Laight)
- minmax.h: add whitespace around operators and after commas (David Laight)
- minmax: fix up min3() and max3() too (Linus Torvalds)
- minmax: improve macro expansion and type checking (Linus Torvalds)
- minmax: simplify min()/max()/clamp() implementation (Linus Torvalds)
- minmax: don't use max() in situations that want a C constant expression (Linus Torvalds)
- minmax: make generic MIN() and MAX() macros available everywhere (Linus Torvalds)
- minmax: simplify and clarify min_t()/max_t() implementation (Linus Torvalds)
- minmax: add a few more MIN_T/MAX_T users (Linus Torvalds)
- minmax: avoid overly complicated constant expressions in VM code (Linus Torvalds)
- minmax: fix indentation of __cmp_once() and __clamp_once() (David Laight)
- minmax: deduplicate __unconst_integer_typeof() (Andy Shevchenko)
- minmax: Introduce {min,max}_array() (Herve Codina)
- arm64: dts: qcom: sdm845: Fix slimbam num-channels/ees (Stephan Gerhold)
- btrfs: fix the incorrect max_bytes value for find_lock_delalloc_range() (Qu Wenruo)
- fscontext: do not consume log entries when returning -EMSGSIZE (Aleksa Sarai)
- dm: fix NULL pointer dereference in __dm_suspend() (Zheng Qixing) [Orabug: 38649056] {CVE-2025-40134}
- tracing: Fix race condition in kprobe initialization causing NULL pointer dereference (Yuan Chen) [Orabug: 38592032] {CVE-2025-40042}
- ksmbd: fix error code overwriting in smb2_get_info_filesystem() (Matvey Kovalev)
- net: usb: asix: hold PM usage ref to avoid PM/MDIO + RTNL deadlock (Oleksij Rempel) [Orabug: 38649002] {CVE-2025-40120}
- mfd: intel_soc_pmic_chtdc_ti: Set use_single_read regmap_config flag (Hans de Goede)
- mfd: intel_soc_pmic_chtdc_ti: Drop unneeded assignment for cache_type (Andy Shevchenko)
- mfd: intel_soc_pmic_chtdc_ti: Fix invalid regmap-config max_register value (Hans de Goede)
- media: mc: Clear minor number before put device (Edward Adam Davis) [Orabug: 38649397] {CVE-2025-40197}
- Squashfs: reject negative file sizes in squashfs_read_inode() (Phillip Lougher) [Orabug: 38649424] {CVE-2025-40200}
- Squashfs: add additional inode sanity checking (Phillip Lougher)
- ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data() (Ma Ke)
- ASoC: codecs: wcd934x: Simplify with dev_err_probe (Krzysztof Kozlowski)
- KVM: x86: Don't (re)check L1 intercepts when completing userspace I/O (Sean Christopherson) [Orabug: 38591958] {CVE-2025-40026}
- lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older (Nathan Chancellor)
- ext4: free orphan info with kvfree (Jan Kara)
- ext4: guard against EA inode refcount underflow in xattr update (Ahmet Eray Karadag) [Orabug: 38649329] {CVE-2025-40190}
- ext4: correctly handle queries for metadata mappings (Ojaswin Mujoo)
- ext4: increase i_disksize to offset + len in ext4_update_disksize_before_punch() (Yongjian Sun)
- ext4: verify orphan file size is not too big (Jan Kara) [Orabug: 38649284] {CVE-2025-40179}
- nfsd: nfserr_jukebox in nlm_fopen should lead to a retry (Olga Kornievskaia)
- NFSD: Fix destination buffer size in nfsd4_ssc_setup_dul() (Thorsten Blum)
- mm/page_alloc: only set ALLOC_HIGHATOMIC for __GPF_HIGH allocations (Thadeu Lima de Souza Cascardo)
- x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases) (Sean Christopherson)
- x86/umip: Check that the instruction opcode is at least two bytes (Sean Christopherson)
- spi: cadence-quadspi: Flush posted register writes before DAC access (Pratyush Yadav)
- spi: cadence-quadspi: Flush posted register writes before INDAC access (Pratyush Yadav)
- PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq() (Niklas Cassel)
- PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit (Siddharth Vadapalli)
- PCI/AER: Support errors introduced by PCIe r6.0 (Lukas Wunner)
- PCI/AER: Fix missing uevent on recovery when a reset is requested (Niklas Schnelle)
- PCI/ERR: Fix uevent on failure to recover (Lukas Wunner)
- PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV (Niklas Schnelle) [Orabug: 38730511] {CVE-2025-40219}
- PCI/sysfs: Ensure devices are powered for config reads (Brian Norris)
- rseq/selftests: Use weak symbol reference, not definition, to link with glibc (Sean Christopherson)
- rtc: interface: Fix long-standing race when setting alarm (Esben Haabendal)
- rtc: interface: Ensure alarm irq is enabled when UIE is enabled (Esben Haabendal)
- memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe (Zhen Ni)
- mmc: core: SPI mode remove cmd7 (Rex Chen)
- mtd: rawnand: fsmc: Default to autodetect buswidth (Linus Walleij)
- sparc: fix error handling in scan_one_device() (Ma Ke)
- sparc64: fix hugetlb for sun4u (Anthony Yznaga)
- sctp: Fix MAC comparison to be constant-time (Eric Biggers) [Orabug: 38649450] {CVE-2025-40204}
- scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl() (Thorsten Blum)
- pwm: berlin: Fix wrong register in suspend/resume (Jisheng Zhang)
- powerpc/pseries/msi: Fix potential underflow and leak issue (Nam Cao)
- powerpc/powernv/pci: Fix underflow and leak issue (Nam Cao)
- nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk (Georg Gottleuber)
- parisc: don't reference obsolete termio struct for TC* constants (Sam James)
- openat2: don't trigger automounts with RESOLVE_NO_XDEV (Askar Safin)
- lib/genalloc: fix device leak in of_gen_pool_get() (Johan Hovold)
- KEYS: trusted_tpm1: Compare HMAC values in constant time (Eric Biggers)
- iommu/vt-d: PRS isn't usable if PDS isn't supported (Lu Baolu)
- iio: imu: inv_icm42600: Drop redundant pm_runtime reinitialization in resume (Sean Nyekjaer)
- init: handle bootloader identifier in kernel parameters (Huacai Chen)
- iio: frequency: adf4350: Fix prescaler usage. (Michael Hennerich)
- iio: dac: ad5421: use int type to store negative error codes (Rong Qianfeng)
- iio: dac: ad5360: use int type to store negative error codes (Rong Qianfeng)
- fs/ntfs3: Fix a resource leak bug in wnd_extend() (Haoxiang Li)
- crypto: atmel - Fix dma_unmap_sg() direction (Thomas Fourier)
- cpufreq: intel_pstate: Fix object lifecycle issue in update_qos_request() (Rafael J. Wysocki) [Orabug: 38649365] {CVE-2025-40194}
- copy_sighand: Handle architectures where sizeof(unsigned long) < sizeof(u64) (Simon Schuster)
- bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup() (Adam Xue)
- btrfs: avoid potential out-of-bounds in btrfs_encode_fh() (Anderson Nascimento) [Orabug: 38649461] {CVE-2025-40205}
- drm/nouveau: fix bad ret code in nouveau_bo_move_prep (Shuhao Fu)
- media: i2c: mt9v111: fix incorrect type for ret (Rong Qianfeng)
- firmware: meson_sm: fix device leak at probe (Johan Hovold)
- xen/manage: Fix suspend error path (Lukas Wunner)
- xen/events: Cleanup find_virq() return codes (Jason Andryuk)
- ARM: OMAP2+: pm33xx-core: ix device node reference leaks in amx3_idle_init (Miaoqian Lin)
- arm64: dts: qcom: msm8916: Add missing MDSS reset (Stephan Gerhold)
- ACPI: debug: fix signedness issues in read/write helpers (Amir Mohammad Jahangirzad)
- ACPI: TAD: Add missing sysfs_remove_group() for ACPI_TAD_RT (Daniel Tang)
- bpf: Avoid RCU context warning when unpinning htab with internal structs (Kafai Wan)
- gpio: wcd934x: mark the GPIO controller as sleeping (Bartosz Golaszewski)
- gpio: wcd934x: Remove duplicate assignment of of_gpio_n_cells (Andy Shevchenko)
- tpm_tis: Fix incorrect arguments in tpm_tis_probe_irq_single (Gunnar Kudrjavets)
- crypto: essiv - Check ssize for decryption and in-place encryption (Herbert Xu) [Orabug: 38581454,38705933] {CVE-2025-40019}
- bridge: br_vlan_fill_forward_path_pvid: use br_vlan_group_rcu() (Eric Woudstra)
- drm/amd/display: Properly disable scaling on DCE6 (Timur Kristóf)
- drm/amd/display: Properly clear SCL_*_FILTER_CONTROL on DCE6 (Timur Kristóf)
- drm/amd/display: Add missing DCE6 SCL_HORZ_FILTER_INIT* SRIs (Timur Kristóf)
- drm/amdgpu: Add additional DCE6 SCL registers (Alex Deucher)
- bpf: Fix metadata_dst leak __bpf_redirect_neigh_v{4,6} (Daniel Borkmann) [Orabug: 38649299] {CVE-2025-40183}
- mailbox: zynqmp-ipi: Remove dev.parent check in zynqmp_ipi_free_mboxes (Harini T)
- mailbox: zynqmp-ipi: Remove redundant mbox_controller_unregister() call (Harini T)
- tools build: Align warning options with perf (Leo Yan)
- net: fsl_pq_mdio: Fix device node reference leak in fsl_pq_mdio_probe (Erick Karanja)
- tcp: Don't call reqsk_fastopen_remove() in tcp_conn_request(). (Kuniyuki Iwashima) [Orabug: 38649578] {CVE-2025-40186}
- net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() (Alexandr Sapozhnikov) [Orabug: 38649311] {CVE-2025-40187}
- drm/vmwgfx: Fix Use-after-free in validation (Ian Forbes) [Orabug: 38643545] {CVE-2025-40111}
- drm/vmwgfx: Copy DRM hash-table code into driver (Thomas Zimmermann)
- s390/cio: unregister the subchannel while purging (Vineeth Vijayan)
- net/mlx4: prevent potential use after free in mlx4_en_do_uc_filter() (Dan Carpenter)
- scsi: mvsas: Fix use-after-free bugs in mvs_work_queue (Duoming Zhou) [Orabug: 38557653] {CVE-2025-40001}
- scsi: mvsas: Use sas_task_find_rq() for tagging (John Garry)
- scsi: mvsas: Delete mvs_tag_init() (John Garry)
- scsi: libsas: Add sas_task_find_rq() (John Garry)
- cpufreq: tegra186: Set target frequency for all cpus in policy (Aaron Kling)
- clk: nxp: Fix pll0 rate check condition in LPC18xx CGU driver (Alok Tiwari)
- clk: nxp: lpc18xx-cgu: convert from round_rate() to determine_rate() (Brian Masney)
- perf session: Fix handling when buffer exceeds 2 GiB (Leo Yan)
- rtc: x1205: Fix Xicor X1205 vendor prefix (Rob Herring)
- perf util: Fix compression checks returning -1 as bool (Yunseong Kim)
- clk: at91: peripheral: fix return value (Brian Masney)
- libperf event: Ensure tracing data is multiple of 8 sized (Ian Rogers)
- perf evsel: Avoid container_of on a NULL leader (Ian Rogers)
- iio: frequency: adf4350: Fix ADF4350_REG3_12BIT_CLKDIV_MODE (Michael Hennerich)
- clocksource/drivers/clps711x: Fix resource leaks in error paths (Zhen Ni)
- fs: always return zero on success from replace_fd() (Thomas Weißschuh)
- usb: cdns3: cdnsp-pci: remove redundant pci_disable_device() call (Miaoqian Lin)
- bus: fsl-mc: Check return value of platform_get_resource() (Salah Triki)
- pinctrl: check the return value of pinmux_ops::get_function_name() (Bartosz Golaszewski) [Orabug: 38591980] {CVE-2025-40030}
- Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak (Zhen Ni) [Orabug: 38592000] {CVE-2025-40035}
- Input: atmel_mxt_ts - allow reset GPIO to sleep (Marek Vasut)
- nvdimm: ndtest: Return -ENOMEM if devm_kcalloc() fails in ndtest_probe() (Guangshuo Li)
- mm: hugetlb: avoid soft lockup when mprotect to large memory area (Yang Shi) [Orabug: 38649149] {CVE-2025-40153}
- ext4: fix checks for orphan inodes (Jan Kara)
- mfd: vexpress-sysreg: Check the return value of devm_gpiochip_add_data() (Bartosz Golaszewski)
- net: nfc: nci: Add parameter validation for packet data (Deepak Sharma)
- fs: udf: fix OOB read in lengthAllocDescs handling (Larshin Sergey) [Orabug: 38592047] {CVE-2025-40044}
- uio_hv_generic: Let userspace take care of interrupt mask (Naman Jain) [Orabug: 38592066] {CVE-2025-40048}
- Squashfs: fix uninit-value in squashfs_get_parent (Phillip Lougher) [Orabug: 38592076] {CVE-2025-40049}
- net: dlink: handle copy_thresh allocation failure (Moon Yeounsu) [Orabug: 38592097] {CVE-2025-40053}
- net: ena: return 0 in ena_get_rxfh_key_size() when RSS hash key is not configurable (Kohei Enju)
- nfp: fix RSS hash key size when RSS is not supported (Kohei Enju)
- drivers/base/node: fix double free in register_one_node() (Donet Tom)
- ocfs2: fix double free in user_cluster_connect() (Dan Carpenter) [Orabug: 38592109] {CVE-2025-40055}
- hwrng: ks-sa - fix division by zero in ks_sa_rng_init (Nishanth Menon)
- Bluetooth: MGMT: Fix not exposing debug UUID on MGMT_OP_READ_EXP_FEATURES_INFO (Luiz Augusto von Dentz)
- net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast (I Viswanath) [Orabug: 38649095] {CVE-2025-40140}
- RDMA/siw: Always report immediate post SQ errors (Bernard Metzler)
- usb: vhci-hcd: Prevent suspending virtually attached devices (Cristian Ciocaltea)
- scsi: mpt3sas: Fix crash in transport port remove by using ioc_info() (Ranjan Kumar) [Orabug: 38648980] {CVE-2025-40115}
- ipvs: Defer ip_vs_ftp unregister during netns cleanup (Slavin Liu) [Orabug: 38581444] {CVE-2025-40018}
- NFSv4.1: fix backchannel max_resp_sz verification check (Anthony Iliopoulos)
- coresight: trbe: Return NULL pointer for allocation failures (Leo Yan)
- remoteproc: qcom: q6v5: Avoid disabling handover IRQ twice (Stephan Gerhold)
- sparc: fix accurate exception reporting in copy_{from,to}_user for M7 (Michael Karcher)
- sparc: fix accurate exception reporting in copy_to_user for Niagara 4 (Michael Karcher)
- sparc: fix accurate exception reporting in copy_{from_to}_user for Niagara (Michael Karcher)
- sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC III (Michael Karcher)
- sparc: fix accurate exception reporting in copy_{from_to}_user for UltraSPARC (Michael Karcher)
- wifi: ath10k: avoid unnecessary wait for service ready message (Baochen Qiang)
- Documentation: trace: historgram-design: Separate sched_waking histogram section heading and the following diagram (Bagas Sanjaya)
- IB/sa: Fix sa_local_svc_timeout_ms read race (Vlad Dumitrescu)
- RDMA/core: Resolve MAC of next-hop device without ARP support (Parav Pandit)
- Revert "usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems Running" (Michał Pecio)
- scsi: qla2xxx: Fix incorrect sign of error code in START_SP_W_RETRIES() (Rong Qianfeng)
- scsi: qla2xxx: edif: Fix incorrect sign of error code (Rong Qianfeng)
- ACPI: NFIT: Fix incorrect ndr_desc being reportedin dev_err message (Colin Ian King)
- wifi: mt76: fix potential memory leak in mt76_wmac_probe() (Abdun Nihaal)
- RDMA/cm: Rate limit destroy CM ID timeout error message (Håkon Bugge)
- drivers/base/node: handle error properly in register_one_node() (Donet Tom)
- watchdog: mpc8xxx_wdt: Reload the watchdog timer when enabling the watchdog (Christophe Leroy)
- netfilter: ipset: Remove unused htable_bits in macro ahash_region (Zhen Ni)
- iio: consumers: Fix offset handling in iio_convert_raw_to_processed() (Hans de Goede)
- fs: ntfs3: Fix integer overflow in run_unpack() (Vitaly Grigoryev)
- ASoC: Intel: bytcr_rt5651: Fix
invalid quirk input mapping (Takashi Iwai) [Orabug: 38649006] {CVE-2025-40121} - ASoC: Intel: bytcr_rt5640: Fix invalid quirk input mapping (Takashi Iwai) [Orabug: 38649156] {CVE-2025-40154} - ASoC: Intel: bytcht_es8316: Fix invalid quirk input mapping (Takashi Iwai) - pps: fix warning in pps_register_cdev when register device fail (Wang Liang) [Orabug: 38592169] {CVE-2025-40070} - misc: genwqe: Fix incorrect cmd field being reported in error (Colin Ian King) - usb: gadget: configfs: Correctly set use_os_string at bind (William Wu) - usb: phy: twl6030: Fix incorrect type for ret (Xichao Zhao) - drm/amdkfd: Fix error code sign for EINVAL in svm_ioctl() (Rong Qianfeng) - tcp: fix __tcp_close() to only send RST when required (Eric Dumazet) - PCI: tegra: Fix devm_kcalloc() argument order for port->phys allocation (Alok Tiwari) - wifi: mwifiex: send world regulatory domain to driver (Stefan Kerkmann) - drm/amdgpu: Power up UVD 3 for FW validation (v2) (Timur Kristóf) - ALSA: lx_core: use int type to store negative error codes (Rong Qianfeng) - media: rj54n1cb0c: Fix memleak in rj54n1_probe() (Zhang Shurong) - scsi: myrs: Fix dma_alloc_coherent() error check (Thomas Fourier) - scsi: pm80xx: Fix array-index-out-of-of-bounds on rmmod (Niklas Cassel) [Orabug: 38649566] {CVE-2025-40118} - usb: host: max3421-hcd: Fix error pointer dereference in probe cleanup (Dan Carpenter) - drm/radeon/r600_cs: clean up of dead code in r600_cs (Brahmajit Das) - i2c: designware: Add disabling clocks when probe fails (Kunihiko Hayashi) - i2c: mediatek: fix potential incorrect use of I2C_MASTER_WRRD (Leilk Liu) - thermal/drivers/qcom/lmh: Add missing IRQ includes (Dmitry Baryshkov) - thermal/drivers/qcom: Make LMH select QCOM_SCM (Dmitry Baryshkov) - tools/nolibc: make time_t robust if __kernel_old_time_t is missing in host headers (Zhouyi Zhou) - smp: Fix up and expand the smp_call_function_many() kerneldoc (Rafael J. 
Wysocki) - bpf: Explicitly check accesses to bpf_sock_addr (Paul Chaignon) [Orabug: 38592204] {CVE-2025-40078} - selftests: watchdog: skip ping loop if WDIOF_KEEPALIVEPING not supported (Akhilesh Patil) - i3c: master: svc: Recycle unused IBI slot (Stanley Chu) - nvmet-fc: move lsop put work to nvmet_fc_ls_req_op (Daniel Wagner) [Orabug: 38649248] {CVE-2025-40171} - pwm: tiehrpwm: Fix corner case in clock divisor calculation (Uwe Kleine-König) - arm64: dts: mediatek: mt8516-pumpkin: Fix machine compatible (AngeloGioacchino Del Regno) - firmware: firmware: meson-sm: fix compile-test default (Johan Hovold) - pinctrl: renesas: Use int type to store negative error codes (Rong Qianfeng) - PM: sleep: core: Clear power.must_resume in noirq suspend error path (Rafael J. Wysocki) - block: use int to store blk_stack_limits() return value (Rong Qianfeng) - regulator: scmi: Use int type to store negative error codes (Rong Qianfeng) - ARM: at91: pm: fix MCKx restore routine (Nicolas Ferre) - blk-mq: check kobject state_in_sysfs before deleting in blk_mq_unregister_hctx (Li Nan) [Orabug: 38649025] {CVE-2025-40125} - pinctrl: meson-gxl: add missing i2c_d pinmux (Da Xue) - soc: qcom: rpmh-rsc: Unconditionally clear _TRIGGER bit for TCS (Sneh Mankad) - ACPI: processor: idle: Fix memory leak when register cpuidle device failed (Huisong Li) - cpufreq: scmi: Account for malformed DT in scmi_dev_used_by_cpus() (Florian Fainelli) - libbpf: Fix reuse of DEVMAP (Yureka Lilian) - regmap: Remove superfluous check for !config in __regmap_init() (Geert Uytterhoeven) - x86/vdso: Fix output operand size of RDPID (Uros Bizjak) - perf: arm_spe: Prevent overflow in PERF_IDX2OFF() (Leo Yan) [Orabug: 38592220] {CVE-2025-40081} - coresight: trbe: Prevent overflow in PERF_IDX2OFF() (Leo Yan) - selftests: arm64: Check fread return value in exec_target (Bala-Vignesh-Reddy) - filelock: add FL_RECLAIM to show_fl_flags() macro (Jeff Layton) - net/9p: fix double req put in p9_fd_cancelled (Nalivayko Sergey) 
[Orabug: 38591964] {CVE-2025-40027} - minmax: add in_range() macro (Matthew Wilcox) - crypto: rng - Ensure set_ent is always present (Herbert Xu) [Orabug: 38643530] {CVE-2025-40109} - platform/x86: int3472: Check for adev == NULL (Hans de Goede) - driver core/PM: Set power.no_callbacks along with power.no_pm (Rafael J. Wysocki) - staging: axis-fifo: flush RX FIFO on read errors (Ovidiu Panait) - staging: axis-fifo: fix maximum TX packet length check (Ovidiu Panait) - serial: stm32: allow selecting console when the driver is module (Raphaël Gallais-Pou) - hid: fix I2C read buffer overflow in raw_event() for mcp2221 (Arnaud Lecomte) - perf subcmd: avoid crash in exclude_cmds when excludes is empty (Hupu) - dm-integrity: limit MAX_TAG_SIZE to 255 (Mikulas Patocka) - wifi: rtlwifi: rtl8192cu: Don't claim USB ID 07b8:8188 (Bitterblue Smith) - USB: serial: option: add SIMCom 8230C compositions (Xiaowei Li) - media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe (Duoming Zhou) - media: tuner: xc5000: Fix use-after-free in xc5000_release (Duoming Zhou) [Orabug: 38548036] {CVE-2025-39994} - media: tunner: xc5000: Refactor firmware load (Ricardo Ribalda) - udp: Fix memory accounting leak. 
(Kuniyuki Iwashima) [Orabug: 37844324] {CVE-2025-22058} - KVM: arm64: Fix softirq masking in FPSIMD register saving sequence (Will Deacon) [Orabug: 38513233] - media: rc: fix races with imon_disconnect() (Larshin Sergey) [Orabug: 38548026] {CVE-2025-39993} - media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove (Duoming Zhou) [Orabug: 38548050] {CVE-2025-39996} - scsi: target: target_core_configfs: Add length check to avoid buffer overflow (Wang Haoran) [Orabug: 38548058] {CVE-2025-39998} - LTS version: v5.15.194 (Vijayendra Suman) - drm/i915/backlight: Return immediately when scale() finds invalid parameters (Guenter Roeck) - i40e: add validation for ring_len param (Lukasz Czapnik) [Orabug: 38547951,38603025,38607608] {CVE-2025-39973} - i40e: increase max descriptors for XL710 (Justin Bronder) - i40e: fix idx validation in config queues msg (Lukasz Czapnik) [Orabug: 38547937] {CVE-2025-39971} - i40e: fix validation of VF state in get resources (Lukasz Czapnik) [Orabug: 38547928] {CVE-2025-39969} - mm/hugetlb: fix folio is still mapped when deleted (Tu Jinjiang) [Orabug: 38560480] {CVE-2025-40006} - mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() (David Hildenbrand) - fbcon: Fix OOB access in font allocation (Thomas Zimmermann) - fbcon: fix integer overflow in fbcon_do_set_font (Samasth Norway Ananda) [Orabug: 38547912] {CVE-2025-39967} - tracing: dynevent: Add a missing lockdown check on dynevent (Masami Hiramatsu) [Orabug: 38581470] {CVE-2025-40021} - i40e: add mask to apply valid bits for itr_idx (Lukasz Czapnik) - i40e: add max boundary check for VF filters (Lukasz Czapnik) [Orabug: 38547922] {CVE-2025-39968} - i40e: fix input validation logic for action_meta (Lukasz Czapnik) [Orabug: 38547932] {CVE-2025-39970} - i40e: fix idx validation in i40e_validate_queue_map (Lukasz Czapnik) [Orabug: 38547945] {CVE-2025-39972} - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx (Eric Biggers) [Orabug: 
38641289] {CVE-2025-40022} - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg (Herbert Xu) [Orabug: 38537468,38575792,38575804] {CVE-2025-39964} - drm/gma500: Fix null dereference in hdmi teardown (Zabelin Nikita) [Orabug: 38560495] {CVE-2025-40011} - net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries added to the CPU port (Vladimir Oltean) - net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to port_setup() (Vladimir Oltean) - net: dsa: lantiq_gswip: do also enable or disable cpu port (Martin Schiller) - selftests: fib_nexthops: Fix creation of non-FDB nexthops (Ido Schimmel) - nexthop: Forbid FDB status change while nexthop is in a group (Ido Schimmel) [Orabug: 38547971] {CVE-2025-39980} - bnxt_en: correct offset handling for IPv6 destination address (Alok Tiwari) - ethernet: rvu-af: Remove slash from the driver name (Petr Malat) - can: peak_usb: fix shift-out-of-bounds issue (Stephane Grosjean) [Orabug: 38581461] {CVE-2025-40020} - can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow (Vincent Mailhol) - can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow (Vincent Mailhol) - can: hi311x: populate ndo_change_mtu() to prevent buffer overflow (Vincent Mailhol) - can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow (Vincent Mailhol) - can: etas_es58x: sort the includes by alphabetic order (Vincent Mailhol) - can: etas_es58x: advertise timestamping capabilities and add ioctl support (Vincent Mailhol) - can: dev: add generic function can_eth_ioctl_hwts() (Vincent Mailhol) - can: dev: add generic function can_ethtool_op_get_ts_info_hwts() (Vincent Mailhol) - can: bittiming: replace CAN units with the generic ones from linux/units.h (Vincent Mailhol) - can: bittiming: allow TDC{V,O} to be zero and add can_tdc_const::tdc{v,o,f}_min (Vincent Mailhol) - bpf: Reject bpf_timer for PREEMPT_RT (Leon Hwang) - can: rcar_can: rcar_can_resume(): fix s2ram with PSCI (Geert Uytterhoeven) - 
arm64: dts: imx8mp: Correct thermal sensor index (Peng Fan) - IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions (Or Har-Toov) - usb: core: Add 0x prefix to quirks debug output (Jiayi Li) - ALSA: usb-audio: Fix build with CONFIG_INPUT=n (Takashi Iwai) - ALSA: usb-audio: Convert comma to semicolon (Chen Ni) - ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 (Cristian Ciocaltea) - ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks (Cristian Ciocaltea) - ALSA: usb-audio: Simplify NULL comparison in mixer_quirks (Cristian Ciocaltea) - ALSA: usb-audio: Avoid multiple assignments in mixer_quirks (Cristian Ciocaltea) - ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks (Cristian Ciocaltea) - ALSA: usb-audio: Fix block comments in mixer_quirks (Cristian Ciocaltea) - net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer (Hans de Goede) - net: rfkill: gpio: add DT support (Philipp Zabel) - mptcp: propagate shutdown to subflows when possible (Matthieu Baerts) - ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer (Namjae Jeon) - mptcp: set remote_deny_join_id0 on SYN recv (Matthieu Baerts) - phy: ti: omap-usb2: fix device leak at unbind (Johan Hovold) - phy: Use device_get_match_data() (Rob Herring) - phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning (Krzysztof Kozlowski) - USB: gadget: dummy-hcd: Fix locking bug in RT-enabled kernels (Alan Stern) - usb: gadget: dummy_hcd: remove usage of list iterator past the loop body (Jakob Koschel) - xhci: dbc: Fix full DbC transfer ring after several reconnects (Mathias Nyman) - xhci: dbc: decouple endpoint allocation from initialization (Mathias Nyman) - serial: sc16is7xx: fix bug in flow control levels init (Hugo Villeneuve) - drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path (Qi Xi) - drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ (Loic Poulain) - ASoC: SOF: Intel: hda-stream: Fix incorrect variable 
used in error message (Colin Ian King) - ASoC: wm8974: Correct PLL rate rounding (Charles Keepax) - ASoC: wm8940: Correct typo in control name (Charles Keepax) - mmc: mvsdio: Fix dma_unmap_sg() nents value (Thomas Fourier) - btrfs: tree-checker: fix the incorrect inode ref size check (Qu Wenruo) - power: supply: bq27xxx: restrict no-battery detection to bq27000 (H. Nikolaus Schaller) - power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery (H. Nikolaus Schaller) - nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* (Nathan Chancellor) - cnic: Fix use-after-free bugs in cnic_delete_task (Duoming Zhou) [Orabug: 38503848] {CVE-2025-39945} - net: liquidio: fix overflow in octeon_init_instr_queue() (Alexey Nepomnyashih) - tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). (Kuniyuki Iwashima) [Orabug: 38526387] {CVE-2025-39955} - i40e: remove redundant memory barrier when cleaning Tx descs (Maciej Fijalkowski) - net: natsemi: fix rx_dropped double accounting on netif_rx() failure (Moon Yeounsu) - qed: Don't collect too many protection override GRC elements (Jamie Bainbridge) [Orabug: 38503869] {CVE-2025-39949} - dpaa2-switch: fix buffer pool seeding for control traffic (Ioana Ciornei) - um: virtio_uml: Fix use-after-free after put_device in probe (Miaoqian Lin) - cgroup: split cgroup_destroy_wq into 3 workqueues (Chen Ridong) [Orabug: 38503891] {CVE-2025-39953} - pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch (Geert Uytterhoeven) - wifi: mac80211: fix incorrect type for ret (Liao Yuanhong) - ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported (Takashi Sakamoto) - net: hsr: hsr_slave: Fix the promiscuous mode in offload mode (Ravi Gunasekaran) - mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory (Miaohe Lin) [Orabug: 38461847] {CVE-2025-39883} - drm/i915/power: fix size for for_each_set_bit() in abox iteration (Jani Nikula) - phy: ti-pipe3: 
fix device leak at unbind (Johan Hovold) - phy: tegra: xusb: fix device and OF node leak at probe (Johan Hovold) - dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees (Stephan Gerhold) [Orabug: 38494821] {CVE-2025-39923} - regulator: sy7636a: fix lifecycle of power good gpio (Andreas Kemnade) - dmaengine: ti: edma: Fix memory allocation size for queue_priority_map (Anders Roxell) - hsr: use hsr_for_each_port_rtnl in hsr_port_get_hsr (Hangbin Liu) - hsr: use rtnl lock when iterating over ports (Hangbin Liu) - net: hsr: Add VLAN CTAG filter support (Murali Karicheri) - net: hsr: Add support for MC filtering at the slave device (Murali Karicheri) - net: hsr: Disable promiscuous mode in offload mode (Ravi Gunasekaran) - can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB (Anssi Hannula) - can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails (Tetsuo Handa) - can: j1939: j1939_sk_bind(): call j1939_priv_put() immediately when j1939_local_ecu_get() failed (Tetsuo Handa) - i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path (Michal Schmidt) [Orabug: 38494786] {CVE-2025-39911} - i40e: Use irq_update_affinity_hint() (Nitesh Narayan Lal) - igb: fix link test skipping when interface is admin down (Kohei Enju) - tunnels: reset the GSO metadata before reusing the skb (Antoine Tenart) - net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() (Stefan Wahren) - USB: serial: option: add Telit Cinterion LE910C4-WWX new compositions (Fabio Porcedda) - USB: serial: option: add Telit Cinterion FN990A w/audio compositions (Fabio Porcedda) - dt-bindings: serial: brcm,bcm7271-uart: Constrain clocks (Krzysztof Kozlowski) - tty: hvc_console: Call hvc_kick in hvc_write unconditionally (Fabian Vogt) - Input: i8042 - add TUXEDO InfinityBook Pro Gen10 AMD to i8042 quirk table (Christoffer Sandberg) - mtd: rawnand: stm32_fmc2: avoid overlapping mappings on ECC buffer (Christophe Kerello) - mtd: rawnand: 
stm32_fmc2: Fix dma_map_sg error check (Jack Wang) - mtd: nand: raw: atmel: Respect tAR, tCLR in read setup timing (Alexander Sverdlin) - mtd: nand: raw: atmel: Fix comment in timings preparation (Alexander Dahl) - mm/khugepaged: fix the address passed to notifier on testing young (Wei Yang) - libceph: fix invalid accesses to ceph_connection_v1_info (Ilya Dryomov) [Orabug: 38461836] {CVE-2025-39880} - fuse: prevent overflow in copy_file_range return value (Miklos Szeredi) - fuse: check if copy_file_range() returns larger than requested size (Miklos Szeredi) - mtd: rawnand: stm32_fmc2: fix ECC overwrite (Christophe Kerello) - ocfs2: fix recursive semaphore deadlock in fiemap call (Mark Tinguely) [Orabug: 38461858] {CVE-2025-39885} - mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN (Krister Johansen) - compiler-clang.h: define __SANITIZE_*__ macros only when undefined (Nathan Chancellor) - EDAC/altera: Delete an inappropriate dma_free_coherent() call (Salah Triki) - tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork. (Kuniyuki Iwashima) [Orabug: 38494796] {CVE-2025-39913} - NFSv4/flexfiles: Fix layout merge mirror check. (Jonathan Curley) - tracing: Fix tracing_marker may trigger page fault during preempt_disable (Luo Gengkun) - NFSv4: Clear the NFS_CAP_XATTR flag if not supported by the server (Trond Myklebust) - NFSv4: Clear the NFS_CAP_FS_LOCATIONS flag if it is not set (Trond Myklebust) - mm/rmap: reject hugetlb folios in folio_make_device_exclusive() (David Hildenbrand) - net: Fix null-ptr-deref by sock_lock_init_class_and_name() and rmmod. 
(Kuniyuki Iwashima) [Orabug: 37901603] {CVE-2025-23143} - media: i2c: imx214: Fix link frequency validation (André Apitzsch) - media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning (Arnd Bergmann) - mm: introduce and use {pgd,p4d}_populate_kernel() (Harry Yoo) - kunit: kasan_test: disable fortify string checker on kasan_strings() test (Levi Yun) - xfs: short circuit xfs_growfs_data_private() if delta is zero (Eric Sandeen) - Revert "fbdev: Disable sysfb device registration when removing conflicting FBs" (Brett A C Sheffield) [5.15.0-315.193.2] - KVM: x86: Don't unnecessarily force masterclock update on vCPU hotplug (Sean Christopherson) [Orabug: 38530514] - KVM: x86: Expose TSC offset controls to userspace (Oliver Upton) [Orabug: 38530514] - KVM: x86: Refactor tsc synchronization code (Oliver Upton) [Orabug: 38530514] - kvm: x86: protect masterclock with a seqcount (Paolo Bonzini) [Orabug: 38530514] - KVM: x86: Report host tsc and realtime values in KVM_GET_CLOCK (Oliver Upton) [Orabug: 38530514] - KVM: x86: Fix potential race in KVM_GET_CLOCK (Oliver Upton) [Orabug: 38530514] - KVM: x86: extract KVM_GET_CLOCK/KVM_SET_CLOCK to separate functions (Paolo Bonzini) [Orabug: 38530514] - kvm: x86: abstract locking around pvclock_update_vm_gtod_copy (Paolo Bonzini) [Orabug: 38530514] - Revert "KVM: x86: Don't unnecessarily force masterclock update on vCPU hotplug" (Dongli Zhang) [Orabug: 38530514] _______________________________________________ El-errata mailing list [email protected] https://oss.oracle.com/mailman/listinfo/el-errata
