Changelog in Linux kernel 5.15.209

drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup

drm/i915/dp: Fix VSC dynamic range signaling for RGB formats

drm/i915: skip __i915_request_skip() for already signaled requests

drm/komeda: fix integer overflow in AFBC framebuffer size check

drm/msm/a6xx: Fix HLSQ register dumping

drm/msm/a6xx: Use barriers while updating HFI Q headers

drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0

drm/msm/snapshot: fix dumping of the unaligned regions

drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN

drm/nouveau: fix u32 overflow in pushbuf reloc bounds check

drm/panel: simple: Correct G190EAN01 prepare timing

drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()

drm/radeon: add missing revision check for CI

drm/sun4i: Fix resource leaks

drm/vc4: Fix a memory leak in hang state error path

drm/vc4: Fix memory leak of BO array in hang state

drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock

dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets

dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs

e1000: check return value of e1000_read_eeprom

e1000e: Unroll PTP in probe error handling

efi/capsule-loader: fix incorrect sizeof in phys array reallocation

epoll: use refcount to reduce ep_mutex contention

ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics

eventpoll: defer struct eventpoll free to RCU grace period

ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()

ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()

extcon: ptn5150: handle pending IRQ events during system resume

f2fs: fix null-ptr-deref in f2fs_submit_page_bio()

f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode

f2fs: fix to wait on block writeback for post_read case

fanotify: fix false positive on permission events

fbdev: efifb: Register sysfs groups through driver core

fbdev: matroxfb: Mark variable with __maybe_unused to avoid W=1 build break

fbdev: offb: fix PCI device reference leak on probe failure

fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO

fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free

fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO

firmware: arm_ffa: Check for NULL FF-A ID table while driver registration

firmware: arm_ffa: Skip free_pages on RX buffer alloc failure

firmware: dmi: Correct an indexing error in dmi.h

firmware: google: framebuffer: Do not mark framebuffer as busy

flow_dissector: Add number of vlan tags dissector

flow_dissector: Add PPPoE dissectors

flow_dissector: Do not count vlan tags inside tunnel payload

flow_dissector: do not dissect PPPoE PFC frames

fs/adfs: validate nzones in adfs_validate_bblk()

fs/ntfs3: Add more attributes checks in mi_enum_attr()

fs/ntfs3: terminate the cached volume label after UTF-8 conversion

fs/ntfs3: validate rec->used in journal-replay file record check

fs/ocfs2: fix comments mentioning i_mutex

fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START

fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath

fs: dlm: fix use after free in midcomms commit

fsl-mc: Use driver_set_override() instead of open-coding

fuse: quiet down complaints in fuse_conn_limit_write

fuse: reject oversized dirents in page cache

gfs2: add some missing log locking

gfs2: Improve gfs2_consist_inode() usage

gfs2: No more self recovery

gfs2: prevent NULL pointer dereference during unmount

gfs2: Validate i_depth for exhash directories

gpio: cdev: check if uAPI v2 config attributes are correctly zeroed

gpio: tegra: fix irq_release_resources calling enable instead of disable

gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n)

HID: alps: fix NULL pointer dereference in alps_raw_event()

HID: asus: do not abort probe when not necessary

HID: asus: make asus_resume adhere to linux kernel coding standards

HID: core: clamp report_size in s32ton() to avoid undefined shift

HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3

HID: quirks: really enable the intended work around for appledisplay

HID: roccat: fix use-after-free in roccat_report_event

HID: usbhid: fix deadlock in hid_post_reset()

hv_sock: fix ARM64 support

hwmon: (corsair-psu) Close HID device on probe errors

hwmon: (ltc2992) Clamp threshold writes to hardware range

hwmon: (ltc2992) Fix u32 overflow in power read path

hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer

hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR

hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple

hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer

hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()

hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()

hwmon: (pmbus/adm1266) reject implausible blackbox record_count

hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors

hwmon: (pmbus/adm1266) seed timestamp from the real-time clock

hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX

i2c: s3c24xx: check the size of the SMBUS message before using it

i3c: fix uninitialized variable use in i2c setup

i3c: mipi-i3c-hci: fix IBI payload length calculation for final status

i40e: Cleanup PTP pins on probe failure

i40e: don't advertise IFF_SUPP_NOFCS

IB/core: Fix zero dmac race in neighbor resolution

ibmasm: fix heap over-read in ibmasm_send_i2o_message()

ibmasm: fix OOB reads in command_file_write due to missing size checks

ibmveth: Disable GSO for packets with small MSS

ice: Add netif_device_attach/detach into PF reset flow

ice: fix locking in ice_dcb_rebuild()

iio: adc: ad7768-1: fix one-shot mode data acquisition

iio: imu: inv_icm42600: fix odr switch when turning buffer off

ima: check return value of crypto_shash_final() in boot aggregate

inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails

io-wq: check that the predecessor is hashed in io_wq_remove_pending()

io_uring/poll: fix backport of io_poll_add() changes

io_uring/poll: fix EPOLL_URING_WAKE sometimes not being honored

io_uring: prevent opcode speculation

iommu/vt-d: Disable DMAR for Intel Q35 IGFX

iommu: fix a reference count leak in iommu_sva_bind_device()

ip6_gre: Use cached t->net in ip6erspan_changelink().

ipmi: Add limits to event and receive message requests

ipmi: Check event message buffer response for bad data

Linux: ipmi:si: Return state to normal if message allocation fails

Linux: ipmi:ssif: Clean up kthread on errors

Linux: ipmi:ssif: Fix a shutdown race

Linux: ipmi:ssif: NULL thread on error

Linux: ipmi:ssif: Remove unnecessary indention

ipv4: add new arguments to udp_tunnel_dst_lookup()

ipv4: icmp: fix null-ptr-deref in icmp_build_probe()

ipv4: icmp: validate reply type before using icmp_pointers

ipv4: raw: reject IP_HDRINCL packets with ihl < 5

ipv4: remove "proto" argument from udp_tunnel_dst_lookup()

ipv4: rename and move ip_route_output_tunnel()

ipv6: add NULL checks for idev in SRv6 paths

ipv6: fix possible UAF in icmpv6_rcv()

ipv6: rename and move ip6_dst_lookup_tunnel()

ipv6: rpl: reserve mac_len headroom when recompressed SRH grows

ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()

ipvs: fix MTU check for GSO packets in tunnel mode

irqchip/ath79-cpu: Remove unused function

irqchip/irq-pic32-evic: Address warning related to wrong printf() formatter

isofs: validate block number from NFS file handle in isofs_export_iget

isofs: validate Rock Ridge CE continuation extent against volume size

ixgbevf: fix use-after-free in VEPA multicast source pruning

kernel: globalize lookup_or_create_module_kobject()

kernel: param: rename locate_module_kobject

ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()

ksmbd: do not expire session on binding failure

ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine

ksmbd: scope conn->binding slowpath to bound sessions only

ksmbd: unset conn->binding on failed binding request

ktest: Avoid undef warning when WARNINGS_FILE is unset

ktest: Fix the month in the name of the failure directory

ktest: Honor empty per-test option overrides

ktest: Run POST_KTEST hooks on failure and cancellation

kunit: config: Enable KUNIT_DEBUGFS by default

kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS

KVM: nSVM: Add missing consistency check for nCR3 validity

KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN

KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)

KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode

KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state

KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2

KVM: Reject wrapped offset in kvm_reset_dirty_gfn()

KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION

KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts

KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0

KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses

KVM: x86: Fix Xen hypercall tracepoint argument assignment

KVM: x86: Use scratch field in MMIO fragment to hold small write values

l2tp: Drop large packets with UDP encap

leds: lgm-sso: Remove duplicate assignments for priv->mmap

lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()

lib/ts_kmp: fix integer overflow in pattern length calculation

libceph: Fix potential null-ptr-deref in decode_choose_args()

libceph: Fix potential out-of-bounds access in crush_decode()

libceph: Fix potential out-of-bounds access in osdmap_decode()

libceph: Fix slab-out-of-bounds access in auth message processing

libceph: handle rbtree insertion error in decode_choose_args()

libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()

Linux: Linux 5.15.209

locking: Fix rwlock support in

macvlan: annotate data-races around port->bc_queue_len_used

mailbox: add sanity check for channel array

mailbox: mailbox-test: don't free the reused channel

mailbox: mailbox-test: free channels on probe error

mailbox: mailbox-test: initialize struct earlier

mailbox: mailbox-test: make data_ready a per-instance variable

mailbox: Prevent out-of-bounds access in of_mbox_index_xlate()

md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime

md/raid10: fix deadlock with check operation and nowait requests

md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

md/raid5: fix soft lockup in retry_aligned_read()

md/raid5: validate payload size before accessing journal metadata

media: as102: fix to not free memory after the device is registered in as102_usb_probe()

media: dib8000: avoid division by 0 in dib8000_set_dds()

media: em28xx: fix use-after-free in em28xx_v4l2_open()

media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe()

media: i2c: imx412: Assert reset GPIO during probe

media: i2c: ov8856: free control handler on error in ov8856_init_controls()

media: rc: streamzap: Error handling in probe

media: rc: xbox_remote: heed DMA restrictions

media: uvcvideo: Enable VB2_DMABUF for metadata stream

media: vidtv: fix nfeeds state corruption on start_streaming failure

media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections

media: vidtv: fix pass-by-value structs causing MSAN warnings

memory: tegra124-emc: Fix dll_change check

memory: tegra30-emc: Fix dll_change check

mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()

MIPS: Always record SEGBITS in cpu_data.vmbits

mips: mm: Allocate tlb_vpn array atomically

MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow

MIPS: mm: Rewrite TLB uniquification for the hidden bit feature

MIPS: mm: Suppress TLB uniquification on EHINV hardware

misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()

mm/kasan: fix double free for kasan pXds

mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()

mmc: block: use single block write in retry

module: Fix freeing of charp module parameters when CONFIG_SYSFS=n

MPTCP: fix lock class name family in pm_nl_create_listen_socket

mptcp: fix scheduling with atomic in timestamp sockopt

mptcp: sockopt: set timestamp flags on subflow socket, not msk

mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure

mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure

mtd: docg3: Convert to platform remove callback returning void

mtd: docg3: fix use-after-free in docg3_release()

mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions

mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path

mtd: physmap_of_gemini: Fix disabled pinctrl state check

mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob

mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations

mtd: spi-nor: swp: check SR_TB flag when getting tb_mask

net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master

net/rds: handle zerocopy send cleanup before the message is queued

net/rds: Optimize rds_ib_laddr_check

net/rds: reset op_nents when zerocopy page pin fails

net/rds: Restrict use of RDS/IB to the initial network namespace

net/rds: zero per-item info buffer before handing it to visitors

net/sched: act_ct: Only release RCU read lock after ct_ft

net/sched: cls_u32: use skb_header_pointer_careful()

net/sched: netem: fix probability gaps in 4-state loss model

net/sched: netem: fix queue limit check to include reordered packets

net/sched: netem: validate slot configuration

net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)

net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys

net/sched: sch_choke: annotate data-races in choke_dump_stats()

net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()

net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()

net/sched: sch_pie: annotate data-races in pie_dump_stats()

net/sched: sch_pie: annotate more data-races in pie_dump_stats()

net/sched: sch_red: annotate data-races in red_dump_stats()

net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked

net/sched: sch_sfb: annotate data-races in sfb_dump_stats()

net/sched: taprio: continue with other TXQs if one dequeue() failed

net/sched: taprio: fix use-after-free in advance_sched() on schedule switch

net/sched: taprio: refactor one skb dequeue from TXQ to separate function

net/sched: taprio: rename close_time to end_time

net/sched: taprio: replace safety precautions with comments

net/sched: taprio: stop going through private ops for dequeue and peek

net/smc: avoid early lgr access in smc_clc_wait_msg

net: add skb_header_pointer_careful() helper

net: ag71xx: check error for platform_get_irq

net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled

net: bcmgenet: fix off-by-one in bcmgenet_put_txcb

net: bcmgenet: keep RBUF EEE/PM disabled

net: bridge: Flush multicast groups when snooping is disabled

net: caif: clear client service pointer on teardown

net: clear the dst when changing skb protocol

net: dsa: mt7530: fix FDB entries not aging out with short timeout

net: dsa: mt7530: preserve VLAN tags on trapped link-local frames

net: dsa: mt7530: rename mt753x_bpdu_port_fw enum to mt753x_to_cpu_fw

net: dsa: mt7530: sync driver-specific behavior of MT7531 variants

net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()

net: ethernet: cortina: Carry over frag counter

net: ethernet: cortina: Drop half-assembled SKB

net: ethernet: cortina: Make RX SKB per-port

net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference

net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf

net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels

net: lapbether: handle NETDEV_PRE_TYPE_CHANGE

net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer

net: mana: validate rx_req_idx to prevent out-of-bounds array access

net: phy: dp83869: fix setting CLK_O_SEL field.

net: phy: qcom: at803x: Use the correct bit to disable extended next page

net: qrtr: ns: Fix use-after-free in driver remove()

net: rds: fix MR cleanup on copy error

net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo

net: sched: act_csum: validate nested VLAN headers

net: sched: choke: remove unused variables in struct choke_sched_data

net: sched: gred/red: remove unused variables in struct red_stats

net: sched: sch_netem: Refactor code in 4-state loss generator

net: stmmac: fix TSO DMA API usage causing oops

net: strparser: fix skb_head leak in strp_abort_strp()

net: tap: NULL pointer derefence in dev_parse_header_protocol when skb->dev is null

net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring

net: tls: prevent chain-after-chain in plain text SG

net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()

net: usb: lan78xx: Fix double free issue with interrupt buffer allocation

net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()

net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit

net: wwan: iosm: fix potential memory leaks in ipc_imem_init()

net_sched: sch_hhf: annotate data-races in hhf_dump_stats()

netdevsim: Fix memory leak of nsim_dev->fa_cookie

netdevsim: zero initialize struct iphdr in dummy sk_buff

netfilter: arp_tables: fix IEEE1394 ARP payload parsing

netfilter: conntrack: add missing netlink policy validations

netfilter: conntrack: remove sprintf usage

netfilter: ip6t_eui64: reject invalid MAC header for all packets

netfilter: ip6t_hbh: reject oversized option lists

netfilter: ipset: stop hash:* range iteration at end

netfilter: nf_conntrack_sip: don't use simple_strtoul

netfilter: nf_queue: hold bridge skb->dev while queued

netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator

netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO

netfilter: nfnetlink_osf: fix out-of-bounds read on option matching

netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check

netfilter: nft_ct: fix missing expect put in obj eval

netfilter: nft_fwd_netdev: check ttl/hl before forwarding

netfilter: nft_osf: restrict it to ipv4

netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR

netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry

netfilter: reject zero shift in nft_bitwise

netfilter: skip recording stale or retransmitted INIT

netfilter: x_tables: unregister the templates first

netfilter: xt_multiport: validate range encoding in checkentry

netfilter: xt_policy: fix strict mode inbound policy matching

netfilter: xt_socket: enable defrag after all other checks

netfilter: xtables: restrict several matches to inet family

nexthop: fix IPv6 route referencing IPv4 nexthop

nf_tables: nft_dynset: fix possible stateful expression memleak in error path

NFC: digital: Bounds check NFC-A cascade depth in SDD response handler

nfc: llcp: add missing return after LLCP_CLOSED checks

nfc: s3fwrn5: allocate rx skb before consuming bytes

NFC: trf7970a: Ignore antenna noise when checking for RF field

nfp: fix swapped arguments in nfp_encode_basic_qdr() calls

nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()

nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map

nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()

ntfs3: add buffer boundary checks to run_unpack()

ntfs3: fix integer overflow in run_unpack() volume boundary check

nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4

nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()

nvmet: always initialize cqe.result

nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free

ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison

ocfs2/dlm: validate qr_numregions in dlm_match_regions()

ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()

ocfs2: fix listxattr handling when the buffer is full

ocfs2: fix out-of-bounds write in ocfs2_write_end_inline

ocfs2: fix possible deadlock between unlink and dio_end_io_write

ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY

ocfs2: handle invalid dinode in ocfs2_group_extend

ocfs2: split transactions in dio completion to avoid credit exhaustion

ocfs2: validate bg_bits during freefrag scan

ocfs2: validate group add input before caching

ocfs2: validate inline data i_size during inode read

octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c

openvswitch: cap upcall PID array size and pre-size vport replies

padata: Fix pd UAF once and for all

padata: Remove comment for reorder_work

params: Replace __modinit with __init_or_module

parisc: _llseek syscall is only available for 32-bit userspace

parisc: Fix IRQ leak in LASI driver

PCI/ACPI: Restrict program_hpx_type2() to AER bits

PCI/AER: Clear only error bits in PCIe Device Status

PCI/AER: Stop ruling out unbound devices as error source

PCI: Add PCIE_PME_TO_L2_TIMEOUT_US L2 ready timeout value

PCI: Enable AtomicOps only if Root Port supports them

PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown

PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown

PCI: hv: Set default NUMA node to 0 for devices without affinity info

PCI: tegra194: Disable direct speed change for Endpoint mode

PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down

PCI: tegra194: Fix polling delay for L2 state

PCI: tegra194: Increase LTSSM poll time on surprise link down

PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select"

PCMCIA: Fix garbled log messages for KERN_CONT

perf branch: Avoid incrementing NULL

perf expr: Return -EINVAL for syntax error in expr__find_ids()

perf util: Kill die() prototype, dead for a long time

perf/x86/intel/uncore: Skip discovery table for offline dies

perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace

phonet/pep: disable BH around forwarded sk_receive_skb()

phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access

pinctrl: abx500: Fix type of 'argument' variable

pinctrl: intel: Fix the revision for new features (1kOhm PD, HW debouncer)

pinctrl: pinctrl-pic32: Fix resource leak

platform/surface: surfacepro3_button: Drop wakeup source on remove

platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL

platform/x86: dell-wmi-sysman: bound enumeration string aggregation

platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()

platform/x86: hp-wmi: Ignore backlight and FnLock events

platform/x86: hp_accel: Check ACPI_COMPANION() against NULL

platform/x86: intel-hid: Check ACPI_HANDLE() against NULL

platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL

platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup

pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()

pmdomain: ti: omap_prm: Fix a reference leak on device node

power: supply: axp288_charger: Do not cancel work before initializing it

power: supply: max17042: avoid overflow when determining health

powerpc/crash: fix backup region offset update to elfcorehdr

powerpc/warp: Fix error handling in pika_dtm_thread

powerpc64/bpf: do not increment tailcall count when prog is NULL

ppp: require CAP_NET_ADMIN in target netns for unattached ioctls

pppoe: drop PFC frames

pstore/ram: fix resource leak when ioremap() fails

pstore: inode: Only d_invalidate() is needed

quota: Fix race of dquot_scan_active() with quota deactivation

r8152: fix incorrect register write to USB_UPHY_XTAL

RDMA/core: Prefer NLA_NUL_STRING

RDMA/hns: Fix unlocked call to hns_roce_qp_remove()

RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()

RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()

RDMA/rtrs: Fix use-after-free in path file creation cleanup

RDMA/rxe: Reject unknown opcodes before ICRC processing

RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv

RDMA/siw: Reject MPA FPDU length underflow before signed receive math

RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path

regulator: act8945a: fix OF node reference imbalance

regulator: bd9571mwv: fix OF node reference imbalance

regulator: max77650: fix OF node reference imbalance

Revert "ALSA: usb: Increase volume range that triggers a warning"

Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower"

Revert "net: ethernet: xscale: Check for PTP support properly"

Revert "net: ixp4xx_eth: convert to ndo_hwtstamp_get() and ndo_hwtstamp_set()"

Revert "nvme: nvme-fc: Ensure ->ioerr_work is cancelled in nvme_fc_delete_ctrl()"

Revert "s390/cio: Fix device lifecycle handling in css_alloc_subchannel()"

Revert "wifi: cfg80211: stop NAN and P2P in cfg80211_leave"

Revert "x86/vdso: Fix output operand size of RDPID"

ring-buffer: Fix reporting of missed events in iterator

rtc: abx80x: Disable alarm feature if no interrupt attached

rtc: ntxec: fix OF node reference imbalance

rxrpc: Fix anonymous key handling

rxrpc: Fix call removal to use RCU safe deletion

rxrpc: Fix key quota calculation for multitoken keys

rxrpc: Fix missing validation of ticket length in non-XDR key preparsing

rxrpc: Fix recvmsg() unconditional requeue

rxrpc: only handle RESPONSE during service challenge

rxrpc: proc: size address buffers for %pISpc output

rxrpc: reject undecryptable rxkad response tickets

s390/debug: Reject zero-length input before trimming a newline

s390/debug: Reject zero-length input in debug_input_flush_fn()

s390/xor: Fix xor_xc_2() inline assembly constraints

scripts/dtc: Remove unused dts_version in dtc-lexer.l

scsi: isci: Fix use-after-free in device removal path

scsi: sg: Resolve soft lockup issue when opening /dev/sgX

scsi: sr: Add memory allocation failure handling for get_capabilities()

scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()

scsi: target: core: Fix integer overflow in UNMAP bounds check

scsi: ufs: core: Fix use-after free in init error and remove paths

sctp: discard stale INIT after handshake completion

sctp: fix missing encap_port propagation for GSO fragments

sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks

sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL

seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode

selftest: memcg: skip memcg_sock test if address family not supported

selftests/mqueue: Fix incorrectly named file

slip: bound decode() reads against the compressed packet length

slip: reject VJ receive packets on instances with no rstate array

smb: client: fix potential UAF in smb2_is_valid_oplock_break()

smb: client: reject userspace cifs.spnego descriptions

soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching

soc: qcom: aoss: compare against normalized cooling state

soc: qcom: ocmem: register reasons for probe deferrals

soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available

soc: qcom: ocmem: use scoped device node handling to simplify error paths

sound: ua101: fix division by zero at probe

spi: cadence-quadspi: Implement refcount to handle unbind during busy

spi: fsl-qspi: Use reinit_completion() for repeated operations

spi: hisi-kunpeng: prevent infinite while() loop in hisi_spi_flush_fifo

spi: imx: fix runtime pm leak on probe deferral

spi: meson-spicc: Fix double-put in remove path

spi: mpc52xx: fix use-after-free on unbind

spi: mtk-nor: fix controller deregistration

spi: orion: fix clock imbalance on registration failure

spi: rockchip: fix controller deregistration

spi: sprd: fix error pointer deref after DMA setup failure

spi: ti-qspi: fix use-after-free after DMA setup failure

spi: topcliff-pch: fix use-after-free on unbind

spi: zynqmp-gqspi: fix controller deregistration

staging: media: atomisp: Disallow all private IOCTLs

staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()

staging: sm750fb: fix division by zero in ps_to_hz()

string: add mem_is_zero() helper to check if memory area is all zeros

SUNRPC: Check if the xprt is connected before handling sysfs reads

SUNRPC: Do not dereference non-socket transports in sysfs

SUNRPC: lock against ->sock changing during sysfs read

sysfs: don't remove existing directory on update failure

taskstats: set version in TGID exit notifications

tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)

tcp: call sk_data_ready() after listener migration

tcp: Fix imbalanced icsk_accept_queue count.

thermal/drivers/spear: Fix error condition for reading st,thermal-flags

thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp

thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata

tipc: fix double-free in tipc_buf_append()

tpm: avoid -Wunused-but-set-variable

tpm: tpm_tis: add error logging for data transfer

tracing/probe: reject non-closed empty immediate strings

tracing: Avoid NULL return from hist_field_name() on truncation

tracing: branch: Fix inverted check on stat tracer registration

tracing: Do not call map->ops->elt_free() if elt_alloc() fails

tracing: Rebuild full_name on each hist_field_name() call

tty: hvc: remove HVC_IUCV_MAGIC

tty: hvc_iucv: fix off-by-one in number of supported devices

tty: n_gsm: fix deadlock and link starvation in outgoing data path

tty: n_gsm: fix flow control handling in tx path

udf: reject descriptors with oversized CRC length

um: drivers: call kernel_strrchr() explicitly in cow_user.c

um: virt-pci: Fix build failure

unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure

usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()

usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()

usb: gadget: renesas_usb3: validate endpoint index in standard request handlers

USB: omap_udc: DMA: Don't enable burst 4 mode

USB: serial: option: add Telit Cinterion FN990A MBIM composition

USB: serial: option: add Telit Cinterion LE910Cx compositions

usb: storage: Expand range of matched versions for VL817 quirks entry

usb: ulpi: fix memory leak on ulpi_register() error paths

usb: usblp: fix heap leak in IEEE 1284 device ID via short response

usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl

usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()

usbip: validate number_of_packets in usbip_pack_ret_submit()

userfaultfd: allow registration of ranges below mmap_min_addr

vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check

vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()

vrf: Fix a potential NPD when removing a port from a VRF

vsock/virtio: fix accept queue count leak on transport mismatch

vsock/vmci: fix UAF when peer resets connection during handshake

vsock: fix buffer size clamping order

wifi: ath11k: clear shared SRNG pointer state on restart

wifi: ath11k: fix error path leaks in some WMI WOW calls

wifi: ath5k: do not access array OOB

wifi: b43: enforce bounds check on firmware key index in b43_rx()

wifi: b43legacy: enforce bounds check on firmware key index in RX path

wifi: brcmfmac: Fix error pointer dereference

wifi: brcmfmac: validate bsscfg indices in IF events

wifi: cfg80211: advance loop vars in cfg80211_merge_profile()

wifi: iwlwifi: read txq->read_ptr under lock

wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

wifi: mac80211: check tdls flag in ieee80211_tdls_oper

wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()

wifi: rsi: fix kthread lifetime race between self-exit and external-stop

wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet

wifi: wl1251: validate packet IDs before indexing tx_frames

x86/uprobes: Fix XOL allocation failure for 32-bit tasks

xfrm: clear trailing padding in build_polexpire()

xfrm: provide message size for XFRM_MSG_MAPPING

xfrm_user: fix info leak in build_mapping()

xsk: tighten UMEM headroom validation to account for tailroom and min frame