--- Begin Message ---
Package: src:linux
Version: 6.19.11-1
Severity: important
X-Debbugs-Cc: [email protected], [email protected]
User: [email protected]
Usertags: amd64
Dear Maintainer,
* What led up to the situation?
Start computer
* What exactly did you do (or not do) that was effective (or
ineffective)?
Kernel booted
* What was the outcome of this action?
Crash with QR code shown
* What outcome did you expect instead?
Boot complete
Debian
Kernel team
Panic Report
To report this crash to Debian, run:
reportbug linux-image-6.19.11+deb14-amd64
and include the following log:
[ 11.203060] RAX: ffffffffffffffda RBX: 00007f5c40002600 RCX:
00007f5c49d1ac69
[ 11.203061] RDX: 0000000000000004 RSI: 00007f5c4a3bc44d RDI:
0000000000000006
[ 11.203062] RBP: 0000000000000004 R08: 0000000000000000 R09:
00007f5c40005100
[ 11.203063] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000020000
[ 11.203064] R13: 00007f5c4a3bc44d R14: 00007f5c40002720 R15:
0000000000000000
[ 11.203068] </TASK>
[ 11.203069] ---[ end trace 0000000000000000 ]---
[ 11.203076] lp0: using parport0 (interrupt-driven).
[ 11.203234] ppdev: user-space parallel port driver
[ 11.204125] systemd[1]: Finished systemd-modules-load.service - Load Kernel
Modules.
[ 11.204948] systemd[1]: Starting systemd-sysctl.service - Apply Kernel
Variables...
[ 11.210900] systemd[1]: Finished systemd-tmpfiles-setup-dev-early.service -
Create Static Device Nodes in /dev gracefully.
[ 11.212371] systemd[1]: Finished systemd-sysctl.service - Apply Kernel
Variables.
[ 11.229854] EXT4-fs (dm-1): re-mounted 9025b81e-448f-48b6-9a18-85e2b16b3a1e
r/w.
[ 11.230664] systemd[1]: Finished systemd-remount-fs.service - Remount Root
and Kernel File Systems.
[ 11.231018] systemd[1]: systemd-hwdb-update.service - Rebuild Hardware
Database skipped, unmet condition check ConditionNeedsUpdate=/etc
[ 11.231055] systemd[1]: systemd-pstore.service - Platform Persistent Storage
Archival skipped, unmet condition check
ConditionDirectoryNotEmpty=/sys/fs/pstore
[ 11.231933] systemd[1]: Starting systemd-random-seed.service - Load/Save OS
Random Seed...
[ 11.231964] systemd[1]: systemd-sysusers.service - Create System Users
skipped, no trigger condition checks were met.
[ 11.233269] systemd[1]: Starting systemd-journalctl.socket - Journal Log
Access Socket...
[ 11.234431] systemd[1]: Starting systemd-resolved.service - Network Name
Resolution...
[ 11.235412] systemd[1]: Starting systemd-timesyncd.service - Network Time
Synchronization...
[ 11.236037] systemd[1]: Starting systemd-tmpfiles-setup-dev.service - Create
Static Device Nodes in /dev...
[ 11.236055] systemd[1]: systemd-tpm2-setup.service - TPM SRK Setup skipped,
unmet condition check ConditionSecurity=measured-uki
[ 11.236072] systemd[1]: systemd-pcrnvdone.service - TPM PCR NvPCR
Initialization Separator skipped, unmet condition check
ConditionSecurity=measured-uki
[ 11.236407] systemd[1]: Listening on systemd-journalctl.socket - Journal Log
Access Socket.
[ 11.242126] systemd[1]: Starting systemd-userdbd.service - User Database
Manager...
[ 11.242325] systemd[1]: Finished systemd-random-seed.service - Load/Save OS
Random Seed.
[ 11.244440] slab kernfs_node_cache start ffff88e5e3ab2880 pointer offset
120 size 136
[ 11.244460] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 11.244466] #PF: supervisor instruction fetch in kernel mode
[ 11.244470] #PF: error_code(0x0010) - not-present page
[ 11.244474] PGD 0 P4D 0
[ 11.244481] Oops: Oops: 0010 [#1] SMP NOPTI
[ 11.244490] CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Tainted: G W
6.19.11+deb14-amd64 #1 PREEMPT(lazy) Debian 6.19.11-1
[ 11.244498] Tainted: [W]=WARN
[ 11.244501] Hardware name: Framework Laptop 13 (AMD Ryzen
7040Series)/FRANMDCP07, BIOS 03.18 01/08/2026
[ 11.244505] RIP: 0010:0x0
[ 11.244516] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 11.244519] RSP: 0018:ffffcde3002aced0 EFLAGS: 00010286
[ 11.244525] RAX: 0000000000000001 RBX: 0000000000000053 RCX:
0000000000000001
[ 11.244529] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
ffff88e5e3ab28f8
[ 11.244532] RBP: ffff88e5c0a1a140 R08: 0000000000000000 R09:
ffffcde3002acc18
[ 11.244536] R10: ffffffffb3cdbfa8 R11: 00000000ffffefff R12:
ffff88ed1e732f80
[ 11.244539] R13: ffffcde3002acf00 R14: 0000000000000052 R15:
0000000000000000
[ 11.244543] FS: 0000000000000000(0000) GS:ffff88ed69ea7000(0000)
knlGS:0000000000000000
[ 11.244547] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 11.244551] CR2: ffffffffffffffd6 CR3: 0000000180ae0000 CR4:
0000000000f50ef0
[ 11.244555] PKRU: 55555554
[ 11.244558] Call Trace:
[ 11.244562] <IRQ>
[ 11.244565] rcu_do_batch+0x1bc/0x560
[ 11.244579] rcu_core+0x17d/0x3a0
[ 11.244587] handle_softirqs+0xd7/0x310
[ 11.244596] __irq_exit_rcu+0xbc/0xe0
[ 11.244601] sysvec_apic_timer_interrupt+0x71/0x90
[ 11.244609] </IRQ>
[ 11.244612] <TASK>
[ 11.244616] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 11.244621] RIP: 0010:cpuidle_enter_state+0xcc/0x650
[ 11.244628] Code: 00 00 e8 77 46 2b ff e8 12 f0 ff ff 49 89 c4 0f 1f 44 00
00 31 ff e8 83 8f 29 ff 45 84 ff 0f 85 02 02 00 00 fb 0f 1f 44 00 00 <85> ed 0f
88 d3 01 00 00 4c 63 f5 49 83 fe 0a 0f 83 46 04 00 00 49
[ 11.244632] RSP: 0018:ffffcde3001e7e50 EFLAGS: 00000246
[ 11.244637] RAX: ffff88ed69ea7000 RBX: ffff88e5c107f800 RCX:
0000000000000000
[ 11.244641] RDX: 000000029e378239 RSI: 0000000026dc56ed RDI:
0000000000000000
[ 11.244644] RBP: 0000000000000002 R08: fffffffd417ac001 R09:
ffffffffb3e57760
[ 11.244648] R10: 000000055d02dcca R11: 0000000000000000 R12:
000000029e378239
[ 11.244651] R13: ffffffffb3e57760 R14: 0000000000000002 R15:
0000000000000000
[ 11.244664] cpuidle_enter+0x31/0x50
[ 11.244671] do_idle+0x143/0x2b0
[ 11.244680] cpu_startup_entry+0x29/0x30
[ 11.244686] start_secondary+0x126/0x180
[ 11.244694] common_startup_64+0x13e/0x141
[ 11.244707] </TASK>
[ 11.244710] Modules linked in: lp parport_pc ppdev parport i2c_dev msr
efi_pstore configfs nfnetlink efivarfs autofs4 ext4 mbcache jbd2
crc32c_cryptoapi dm_crypt dm_mod amdgpu amdxcp drm_panel_backlight_quirks
gpu_sched drm_buddy drm_ttm_helper ttm drm_exec i2c_algo_bit
drm_suballoc_helper ucsi_acpi drm_display_helper typec_ucsi hid_multitouch
typec hid_sensor_hub cec hid_generic roles rc_core i2c_hid_acpi cros_ec_debugfs
cros_ec_sysfs cros_kbd_led_backlight cros_ec_chardev cros_charge_control
i2c_hid drm_client_lib cros_ec_dev hid xhci_pci drm_kms_helper
ghash_clmulni_intel nvme aesni_intel sp5100_tco xhci_hcd drm watchdog nvme_core
thunderbolt nvme_keyring usbcore video cros_ec_lpcs i2c_piix4 nvme_auth
serio_raw battery cros_ec hkdf button wmi crc16 usb_common cros_ec_proto
i2c_smbus
[ 11.244838] CR2: 0000000000000000
[ 11.244843] ---[ end trace 0000000000000000 ]---
[ 11.688713] pstore: backend (efi_pstore) writing error (-28)
[ 11.688717] RIP: 0010:0x0
[ 11.688724] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 11.688726] RSP: 0018:ffffcde3002aced0 EFLAGS: 00010286
[ 11.688729] RAX: 0000000000000001 RBX: 0000000000000053 RCX:
0000000000000001
[ 11.688731] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
ffff88e5e3ab28f8
[ 11.688732] RBP: ffff88e5c0a1a140 R08: 0000000000000000 R09:
ffffcde3002acc18
[ 11.688734] R10: ffffffffb3cdbfa8 R11: 00000000ffffefff R12:
ffff88ed1e732f80
[ 11.688735] R13: ffffcde3002acf00 R14: 0000000000000052 R15:
0000000000000000
[ 11.688737] FS: 0000000000000000(0000) GS:ffff88ed69ea7000(0000)
knlGS:0000000000000000
[ 11.688738] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 11.688740] CR2: ffffffffffffffd6 CR3: 000000030fe2c000 CR4:
0000000000f50ef0
[ 11.688741] PKRU: 55555554
[ 11.688743] Kernel panic - not syncing: Fatal exception in interrupt
[ 11.688950] Kernel Offset: 0x30c00000 from 0xffffffff81000000 (relocation
range: 0xffffffff80000000-0xffffffffbfffffff)
-- Package-specific info:
** Kernel log: boot messages should be attached
** Model information
sys_vendor: Framework
product_name: Laptop 13 (AMD Ryzen 7040Series)
product_version: A7
chassis_vendor: Framework
chassis_version: A7
bios_vendor: INSYDE Corp.
bios_version: 03.18
board_vendor: Framework
board_name: FRANMDCP07
board_version: A7
** Configuration for modprobe:
blacklist microcode
blacklist arkfb
blacklist aty128fb
blacklist atyfb
blacklist radeonfb
blacklist cirrusfb
blacklist cyber2000fb
blacklist kyrofb
blacklist matroxfb_base
blacklist mb862xxfb
blacklist neofb
blacklist pm2fb
blacklist pm3fb
blacklist s3fb
blacklist savagefb
blacklist sisfb
blacklist tdfxfb
blacklist tridentfb
blacklist vt8623fb
options snd_pcsp index=-2
options cx88_alsa index=-2
options snd_atiixp_modem index=-2
options snd_intel8x0m index=-2
options snd_via82xx_modem index=-2
options bonding max_bonds=0
options dummy numdummies=0
options ifb numifbs=0
options zswap enabled=1
** PCI devices:
00:00.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Root
Complex [1022:14e8]
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
00:00.2 IOMMU [0806]: Advanced Micro Devices, Inc. [AMD] Phoenix IOMMU
[1022:14e9]
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Interrupts: pin B disabled, MSI(X) routed to IRQ 29
Capabilities: <access denied>
00:01.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy
Host Bridge [1022:14ea]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 0
00:02.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy
Host Bridge [1022:14ea]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 1
00:02.2 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Phoenix GPP
Bridge [1022:14ee] (prog-if 00 [Normal decode])
Subsystem: Advanced Micro Devices, Inc. [AMD] Device [1022:1453]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: MSI(X) routed to IRQ 37
IOMMU group: 2
Bus: primary=00, secondary=01, subordinate=01, sec-latency=0
I/O behind bridge: [disabled] [32-bit]
Memory behind bridge: 90b00000-90bfffff [size=1M] [32-bit]
Prefetchable memory behind bridge: [disabled] [64-bit]
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
Kernel driver in use: pcieport
Kernel modules: shpchp
00:02.4 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Phoenix GPP
Bridge [1022:14ee] (prog-if 00 [Normal decode])
Subsystem: Advanced Micro Devices, Inc. [AMD] Device [1022:1453]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: MSI(X) routed to IRQ 38
IOMMU group: 3
Bus: primary=00, secondary=02, subordinate=02, sec-latency=0
I/O behind bridge: [disabled] [32-bit]
Memory behind bridge: 90a00000-90afffff [size=1M] [32-bit]
Prefetchable memory behind bridge: [disabled] [64-bit]
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
Kernel driver in use: pcieport
Kernel modules: shpchp
00:03.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy
Host Bridge [1022:14ea]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 4
00:03.1 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Family 19h
USB4/Thunderbolt PCIe tunnel [1022:14ef] (prog-if 00 [Normal decode])
Subsystem: Advanced Micro Devices, Inc. [AMD] Device [1022:1453]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: MSI(X) routed to IRQ 39
IOMMU group: 4
Bus: primary=00, secondary=03, subordinate=61, sec-latency=0
I/O behind bridge: 6000-9fff [size=16K] [16-bit]
Memory behind bridge: 78000000-8fffffff [size=384M] [32-bit]
Prefetchable memory behind bridge: 7000000000-7fffffffff [size=64G]
[32-bit]
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
Kernel driver in use: pcieport
Kernel modules: shpchp
00:04.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy
Host Bridge [1022:14ea]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 5
00:04.1 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Family 19h
USB4/Thunderbolt PCIe tunnel [1022:14ef] (prog-if 00 [Normal decode])
Subsystem: Advanced Micro Devices, Inc. [AMD] Device [1022:1453]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: MSI(X) routed to IRQ 40
IOMMU group: 5
Bus: primary=00, secondary=62, subordinate=c0, sec-latency=0
I/O behind bridge: 2000-5fff [size=16K] [16-bit]
Memory behind bridge: 60000000-77ffffff [size=384M] [32-bit]
Prefetchable memory behind bridge: 6000000000-6fffffffff [size=64G]
[32-bit]
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
Kernel driver in use: pcieport
Kernel modules: shpchp
00:08.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Dummy
Host Bridge [1022:14ea]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 6
00:08.1 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Phoenix Internal
GPP Bridge to Bus [C:A] [1022:14eb] (prog-if 00 [Normal decode])
Subsystem: Device [0006:f111]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin B disabled, MSI(X) routed to IRQ 41
IOMMU group: 7
Bus: primary=00, secondary=c1, subordinate=c1, sec-latency=0
I/O behind bridge: 1000-1fff [size=4K] [16-bit]
Memory behind bridge: 90000000-905fffff [size=6M] [32-bit]
Prefetchable memory behind bridge: 8000000000-80107fffff [size=264M]
[32-bit]
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
Kernel driver in use: pcieport
Kernel modules: shpchp
00:08.2 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Phoenix Internal
GPP Bridge to Bus [C:A] [1022:14eb] (prog-if 00 [Normal decode])
Subsystem: Device [0006:f111]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin B disabled, MSI(X) routed to IRQ 42
IOMMU group: 8
Bus: primary=00, secondary=c2, subordinate=c2, sec-latency=0
I/O behind bridge: [disabled] [32-bit]
Memory behind bridge: 90900000-909fffff [size=1M] [32-bit]
Prefetchable memory behind bridge: 8010800000-80108fffff [size=1M]
[32-bit]
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
Kernel driver in use: pcieport
Kernel modules: shpchp
00:08.3 PCI bridge [0604]: Advanced Micro Devices, Inc. [AMD] Phoenix Internal
GPP Bridge to Bus [C:A] [1022:14eb] (prog-if 00 [Normal decode])
Subsystem: Device [0006:f111]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin B disabled, MSI(X) routed to IRQ 43
IOMMU group: 9
Bus: primary=00, secondary=c3, subordinate=c3, sec-latency=0
I/O behind bridge: [disabled] [32-bit]
Memory behind bridge: 90600000-908fffff [size=3M] [32-bit]
Prefetchable memory behind bridge: [disabled] [64-bit]
Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- <SERR- <PERR-
BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16- MAbort- >Reset- FastB2B-
PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
Capabilities: <access denied>
Kernel driver in use: pcieport
Kernel modules: shpchp
00:14.0 SMBus [0c05]: Advanced Micro Devices, Inc. [AMD] FCH SMBus Controller
[1022:790b] (rev 71)
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap- 66MHz+ UDF- FastB2B- ParErr- DEVSEL=medium >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
IOMMU group: 10
Kernel driver in use: piix4_smbus
Kernel modules: i2c_piix4, sp5100_tco
00:14.3 ISA bridge [0601]: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge
[1022:790e] (rev 51)
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O+ Mem+ BusMaster+ SpecCycle+ MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz+ UDF- FastB2B- ParErr- DEVSEL=medium >TAbort-
<TAbort- <MAbort- >SERR- <PERR- INTx-
Latency: 0
IOMMU group: 10
00:18.0 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Data
Fabric; Function 0 [1022:14f0]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 11
00:18.1 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Data
Fabric; Function 1 [1022:14f1]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 11
00:18.2 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Data
Fabric; Function 2 [1022:14f2]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 11
00:18.3 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Data
Fabric; Function 3 [1022:14f3]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 11
Kernel driver in use: k10temp
Kernel modules: k10temp
00:18.4 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Data
Fabric; Function 4 [1022:14f4]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 11
00:18.5 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Data
Fabric; Function 5 [1022:14f5]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 11
00:18.6 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Data
Fabric; Function 6 [1022:14f6]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 11
00:18.7 Host bridge [0600]: Advanced Micro Devices, Inc. [AMD] Phoenix Data
Fabric; Function 7 [1022:14f7]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap- 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 11
01:00.0 Network controller [0280]: Intel Corporation Wi-Fi 6E(802.11ax)
AX210/AX1675* 2x2 [Typhoon Peak] [8086:2725] (rev 1a)
Subsystem: Intel Corporation Wi-Fi 6 AX210 160MHz [8086:0024]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin B disabled, MSI(X) routed to IRQ 127-132, 135-139,
141-142, 144, 146-147
IOMMU group: 12
Region 0: Memory at 90b00000 (64-bit, non-prefetchable) [size=16K]
Capabilities: <access denied>
Kernel driver in use: iwlwifi
Kernel modules: iwlwifi
02:00.0 Non-Volatile memory controller [0108]: Sandisk Corp WD Black SN850X
NVMe SSD [15b7:5030] (rev 01) (prog-if 02 [NVM Express])
Subsystem: Sandisk Corp WD Black SN850X NVMe SSD [15b7:5030]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin B disabled, MSI(X) routed to IRQ 62-78
IOMMU group: 13
Region 0: Memory at 90a00000 (64-bit, non-prefetchable) [size=16K]
Capabilities: <access denied>
Kernel driver in use: nvme
Kernel modules: nvme
c1:00.0 VGA compatible controller [0300]: Advanced Micro Devices, Inc.
[AMD/ATI] Phoenix1 [1002:15bf] (rev c4) (prog-if 00 [VGA controller])
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin B disabled, MSI(X) routed to IRQ 107
IOMMU group: 14
Region 0: Memory at 8000000000 (64-bit, prefetchable) [size=256M]
Region 2: Memory at 90000000 (64-bit, prefetchable) [size=2M]
Region 4: I/O ports at 1000 [size=256]
Region 5: Memory at 90500000 (32-bit, non-prefetchable) [size=512K]
Capabilities: <access denied>
Kernel driver in use: amdgpu
Kernel modules: amdgpu
c1:00.1 Audio device [0403]: Advanced Micro Devices, Inc. [AMD/ATI] Radeon High
Definition Audio Controller [1002:1640] (prog-if 00 [HDA compatible])
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin C disabled, MSI(X) routed to IRQ 143
IOMMU group: 15
Region 0: Memory at 905c8000 (32-bit, non-prefetchable) [size=16K]
Capabilities: <access denied>
Kernel driver in use: snd_hda_intel
Kernel modules: snd_hda_intel
c1:00.2 Encryption controller [1080]: Advanced Micro Devices, Inc. [AMD]
Phoenix CCP/PSP 3.0 Device [1022:15c7]
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin D disabled, MSI(X) routed to IRQ 109-110
IOMMU group: 16
Region 2: Memory at 90400000 (32-bit, non-prefetchable) [size=1M]
Region 5: Memory at 905cc000 (32-bit, non-prefetchable) [size=8K]
Capabilities: <access denied>
Kernel driver in use: ccp
Kernel modules: ccp
c1:00.3 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] Device
[1022:15b9] (prog-if 30 [XHCI])
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin E disabled, MSI(X) routed to IRQ 97
IOMMU group: 17
Region 0: Memory at 90200000 (64-bit, non-prefetchable) [size=1M]
Capabilities: <access denied>
Kernel driver in use: xhci_hcd
Kernel modules: xhci_pci
c1:00.4 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] Device
[1022:15ba] (prog-if 30 [XHCI])
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin B disabled, MSI(X) routed to IRQ 102
IOMMU group: 18
Region 0: Memory at 90300000 (64-bit, non-prefetchable) [size=1M]
Capabilities: <access denied>
Kernel driver in use: xhci_hcd
Kernel modules: xhci_pci
c1:00.5 Multimedia controller [0480]: Advanced Micro Devices, Inc. [AMD] Audio
Coprocessor [1022:15e2] (rev 63)
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin C routed to IRQ 140
IOMMU group: 19
Region 0: Memory at 90580000 (32-bit, non-prefetchable) [size=256K]
Region 2: Memory at 8010000000 (64-bit, prefetchable) [size=8M]
Capabilities: <access denied>
Kernel driver in use: snd_pci_ps
Kernel modules: snd_pci_acp3x, snd_rn_pci_acp3x, snd_pci_acp5x,
snd_pci_acp6x, snd_acp_pci, snd_rpl_pci_acp6x, snd_pci_ps, snd_sof_amd_rembrandt
c1:00.6 Audio device [0403]: Advanced Micro Devices, Inc. [AMD] Ryzen HD Audio
Controller [1022:15e3] (prog-if 00 [HDA compatible])
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin D disabled, MSI(X) routed to IRQ 145
IOMMU group: 20
Region 0: Memory at 905c0000 (32-bit, non-prefetchable) [size=32K]
Capabilities: <access denied>
Kernel driver in use: snd_hda_intel
Kernel modules: snd_hda_intel
c2:00.0 Non-Essential Instrumentation [1300]: Advanced Micro Devices, Inc.
[AMD] Phoenix Dummy Function [1022:14ec]
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 21
Capabilities: <access denied>
c2:00.1 Signal processing controller [1180]: Advanced Micro Devices, Inc. [AMD]
AMD IPU Device [1022:1502]
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin B disabled, MSI(X) routed to IRQ 111-126
IOMMU group: 22
Region 0: Memory at 90900000 (32-bit, non-prefetchable) [size=512K]
Region 1: Memory at 909c0000 (32-bit, non-prefetchable) [size=8K]
Region 2: Memory at 8010800000 (64-bit, prefetchable) [size=256K]
Region 4: Memory at 90980000 (32-bit, non-prefetchable) [size=256K]
Capabilities: <access denied>
Kernel driver in use: amdxdna
Kernel modules: amdxdna
c3:00.0 Non-Essential Instrumentation [1300]: Advanced Micro Devices, Inc.
[AMD] Phoenix Dummy Function [1022:14ec]
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
IOMMU group: 23
Capabilities: <access denied>
c3:00.3 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] Device
[1022:15c0] (prog-if 30 [XHCI])
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin B disabled, MSI(X) routed to IRQ 104
IOMMU group: 24
Region 0: Memory at 90600000 (64-bit, non-prefetchable) [size=1M]
Capabilities: <access denied>
Kernel driver in use: xhci_hcd
Kernel modules: xhci_pci
c3:00.4 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] Device
[1022:15c1] (prog-if 30 [XHCI])
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin C disabled, MSI(X) routed to IRQ 106
IOMMU group: 25
Region 0: Memory at 90700000 (64-bit, non-prefetchable) [size=1M]
Capabilities: <access denied>
Kernel driver in use: xhci_hcd
Kernel modules: xhci_pci
c3:00.5 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] Pink Sardine
USB4/Thunderbolt NHI controller #1 [1022:1668] (prog-if 40 [USB4 Host
Interface])
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin D disabled, MSI(X) routed to IRQ 45-60
IOMMU group: 26
Region 0: Memory at 90800000 (64-bit, non-prefetchable) [size=512K]
Capabilities: <access denied>
Kernel driver in use: thunderbolt
Kernel modules: thunderbolt
c3:00.6 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] Pink Sardine
USB4/Thunderbolt NHI controller #2 [1022:1669] (prog-if 40 [USB4 Host
Interface])
Subsystem: Framework Computer Inc. Device [f111:0006]
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr-
Stepping- SERR- FastB2B- DisINTx+
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort-
<MAbort- >SERR- <PERR- INTx-
Latency: 0, Cache Line Size: 64 bytes
Interrupts: pin E disabled, MSI(X) routed to IRQ 80-95
IOMMU group: 27
Region 0: Memory at 90880000 (64-bit, non-prefetchable) [size=512K]
Capabilities: <access denied>
Kernel driver in use: thunderbolt
Kernel modules: thunderbolt
** USB devices:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd. Goodix
Fingerprint USB Device
Bus 001 Device 003: ID 8087:0032 Intel Corp. AX210 Bluetooth
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 002: ID 0bda:5634 Realtek Semiconductor Corp. Laptop Camera
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 007 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 008 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
-- System Information:
Debian Release: forky/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.19.11+deb14-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages linux-image-6.19.11+deb14-amd64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.150
ii kmod 34.2-2+b1
ii linux-base 4.15
ii linux-base-6.19.11+deb14-amd64 6.19.11-1
ii linux-binary-6.19.11+deb14-amd64 6.19.11-1
ii linux-modules-6.19.11+deb14-amd64 6.19.11-1
Versions of packages linux-image-6.19.11+deb14-amd64 recommends:
ii apparmor 4.1.6-3
Versions of packages linux-image-6.19.11+deb14-amd64 suggests:
ii debian-kernel-handbook 1.0.21
ii firmware-linux-free 20241210-3
ii grub-efi-amd64 2.14~git20250718.0e36779-2
pn linux-doc-6.19 <none>
Versions of packages linux-image-6.19.11+deb14-amd64 is related to:
ii firmware-amd-graphics 20260309-1
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-cirrus <none>
pn firmware-intel-graphics <none>
pn firmware-intel-misc <none>
pn firmware-intel-sound <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
ii firmware-iwlwifi 20260309-1
pn firmware-libertas <none>
pn firmware-marvell-prestera <none>
pn firmware-mediatek <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netronome <none>
pn firmware-netxen <none>
pn firmware-nvidia-graphics <none>
pn firmware-qcom-soc <none>
pn firmware-qlogic <none>
ii firmware-realtek 20260309-1
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: linux
Source-Version: 6.1.176-1
Done: Ben Hutchings <[email protected]>
We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Hutchings <[email protected]> (supplier of updated linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 02 Jul 2026 15:50:42 +0200
Source: linux
Architecture: source
Version: 6.1.176-1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Kernel Team <[email protected]>
Changed-By: Ben Hutchings <[email protected]>
Closes: 1130365
Changes:
linux (6.1.176-1) bookworm-security; urgency=high
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.175
- [x86] ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
- [x86] ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
- [arm64] media: rkvdec: reduce stack usage in
rkvdec_init_v4l2_vp9_count_tbl()
- [x86] ALSA: asihpi: avoid write overflow check warning
- [x86] ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
- can: mcp251x: add error handling for power enable in open and resume
- btrfs: tracepoints: get correct superblock from dentry in event
btrfs_sync_file() (CVE-2026-43117)
- [x86] ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
- [x86] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on
expiry (CVE-2026-43114)
- [x86] ALSA: hda/realtek: add quirk for Framework F111:000F
- wifi: wl1251: validate packet IDs before indexing tx_frames
(CVE-2026-43113)
- ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
- ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
- fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
(CVE-2026-43112)
- [x86] ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
- [x86] pinctrl: intel: Fix the revision for new features (1kOhm PD, HW
debouncer)
- HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
- [x86] ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
- HID: roccat: fix use-after-free in roccat_report_event (CVE-2026-43111)
- ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
- wifi: brcmfmac: validate bsscfg indices in IF events (CVE-2026-43110)
- [armhf] ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
- [armhf] soc: aspeed: socinfo: Mask table entries for accurate SoC ID
matching
- [arm64] dts: imx8mq: Set the correct gpu_ahb clock frequency
- PCI: hv: Set default NUMA node to 0 for devices without affinity info
- [arm*] drm/vc4: Release runtime PM reference after binding V3D
- [arm*] drm/vc4: Fix memory leak of BO array in hang state
(CVE-2026-43105)
- [arm*] drm/vc4: Fix a memory leak in hang state error path
(CVE-2026-43104)
- [arm*] drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
- epoll: use refcount to reduce ep_mutex contention
- eventpoll: defer struct eventpoll free to RCU grace period
(CVE-2026-43074)
- net: sched: act_csum: validate nested VLAN headers (CVE-2026-31684)
- net: lapbether: handle NETDEV_PRE_TYPE_CHANGE (CVE-2026-43103)
- ipv4: icmp: fix null-ptr-deref in icmp_build_probe() (CVE-2026-43099)
- nfc: s3fwrn5: allocate rx skb before consuming bytes (CVE-2026-43098)
- tracing/probe: reject non-closed empty immediate strings
- ixgbevf: add missing negotiate_features op to Hyper-V ops table
(CVE-2026-43094)
- e1000: check return value of e1000_read_eeprom
- xsk: tighten UMEM headroom validation to account for tailroom and min
frame (CVE-2026-43093)
- xfrm_user: fix info leak in build_mapping() (CVE-2026-43089)
- netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
(CVE-2026-43085)
- netfilter: xt_multiport: validate range encoding in checkentry
(CVE-2026-31681)
- netfilter: ip6t_eui64: reject invalid MAC header for all packets
(CVE-2026-31685)
- af_unix: read UNIX_DIAG_VFS data under unix_state_lock (CVE-2026-31673)
- l2tp: Drop large packets with UDP encap (CVE-2026-43080)
- [arm64,armhf] gpio: tegra: fix irq_release_resources calling enable
instead of disable
- [x86] perf/x86/intel/uncore: Skip discovery table for offline dies
(CVE-2026-43079)
- Revert "drm: Fix use-after-free on framebuffers and property blobs when
calling drm_dev_unplug" (regression in 6.1.167)
- netfilter: conntrack: add missing netlink policy validations
(CVE-2026-31407)
- [x86] drm/i915/psr: Do not use pipe_src as borders for SU area
- nfc: llcp: add missing return after LLCP_CLOSED checks (CVE-2026-31629)
- can: raw: fix ro->uniq use-after-free in raw_rcv() (CVE-2026-31532)
- [arm*] i2c: s3c24xx: check the size of the SMBUS message before using it
(CVE-2026-31627)
- staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
(CVE-2026-31626)
- HID: alps: fix NULL pointer dereference in alps_raw_event()
(CVE-2026-31625)
- HID: core: clamp report_size in s32ton() to avoid undefined shift
(CVE-2026-31624)
- net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
(CVE-2026-31623)
- NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
(CVE-2026-31622)
- [arm*] drm/vc4: platform_get_irq_byname() returns an int (CVE-2026-43072)
- ALSA: fireworks: bound device-supplied status before string array lookup
(CVE-2026-31619)
- fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
(CVE-2026-31618)
- usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
(CVE-2026-31617)
- usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
(CVE-2026-31616)
- [arm64,armhf] usb: gadget: renesas_usb3: validate endpoint index in
standard request handlers (CVE-2026-31615)
- ksmbd: validate EaNameLength in smb2_get_ea() (CVE-2026-31612)
- ksmbd: require 3 sub-authorities before reading sub_auth[2]
(CVE-2026-31611)
- usbip: validate number_of_packets in usbip_pack_ret_submit()
(CVE-2026-31607)
- usb: storage: Expand range of matched versions for VL817 quirks entry
- USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
- usb: port: add delay after usb_hub_set_port_power()
- fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
(CVE-2026-31605)
- staging: sm750fb: fix division by zero in ps_to_hz() (CVE-2026-31603)
- USB: serial: option: add Telit Cinterion FN990A MBIM composition
- ALSA: ctxfi: Limit PTP to a single page (CVE-2026-31602)
- dcache: Limit the minimal number of bucket to two (CVE-2026-43071)
- media: vidtv: fix NULL pointer dereference in
vidtv_channel_pmt_match_sections (CVE-2026-31599)
- ocfs2: fix possible deadlock between unlink and dio_end_io_write
(CVE-2026-31598)
- ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
(CVE-2026-31597)
- ocfs2: handle invalid dinode in ocfs2_group_extend (CVE-2026-31596)
- [x86] KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
(CVE-2026-31590)
- Revert "dmaengine: idxd: Fix not releasing workqueue on .release()"
(regression in 6.1.168)
- ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
(CVE-2025-39997)
- net: add proper RCU protection to /proc/net/ptype (CVE-2026-23255)
- net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr()
- bonding: return detailed error when loading native XDP fails
- bonding: check xdp prog when set bond mode (CVE-2025-22105)
- drm/amdgpu: remove two invalid BUG_ON()s (CVE-2025-68201)
- nf_tables: nft_dynset: fix possible stateful expression memleak in error
path (CVE-2026-23399)
- rxrpc: proc: size address buffers for %pISpc output (CVE-2026-31630)
- [x86] KVM: x86: Use scratch field in MMIO fragment to hold small write
values (CVE-2026-31588)
- mm/kasan: fix double free for kasan pXds (CVE-2026-31686)
- mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
(CVE-2026-31586)
- media: vidtv: fix nfeeds state corruption on start_streaming failure
(CVE-2026-31585)
- media: em28xx: fix use-after-free in em28xx_v4l2_open() (CVE-2026-31583)
- ALSA: 6fire: fix use-after-free on disconnect (CVE-2026-31581)
- bcache: fix cached_dev.sb_bio use-after-free and crash (CVE-2026-31580)
- media: as102: fix to not free memory after the device is registered in
as102_usb_probe() (CVE-2026-31578)
- nilfs2: fix NULL i_assoc_inode dereference in
nilfs_mdt_save_to_shadow_map
(CVE-2026-31577)
- media: vidtv: fix pass-by-value structs causing MSAN warnings
(CVE-2026-43058)
- media: hackrf: fix to not free memory after the device is registered in
hackrf_probe() (CVE-2026-31576)
- PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
(CVE-2026-31594)
- ipv6: add NULL checks for idev in SRv6 paths (CVE-2026-23442)
- gfs2: Improve gfs2_consist_inode() usage
- gfs2: Validate i_depth for exhash directories (CVE-2025-38710)
- wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure
(CVE-2026-23444)
- net: dsa: clean up FDB, MDB, VLAN entries on unbind (CVE-2025-37864)
- [arm64] dts: imx8mq-librem5: Bump BUCK1 suspend voltage to 0.81V
- [arm64] dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
- ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
- ocfs2: validate inline data i_size during inode read (CVE-2026-43076)
- ocfs2: fix out-of-bounds write in ocfs2_write_end_inline (CVE-2026-43075)
- rxrpc: Fix key quota calculation for multitoken keys
- rxrpc: Fix call removal to use RCU safe deletion (CVE-2026-31642)
- rxrpc: reject undecryptable rxkad response tickets (CVE-2026-31637)
- [x86] KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
- ublk: fix deadlock when reading partition table (CVE-2025-68823)
- PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
(CVE-2026-31595)
- [arm64,armhf] ASoC: qcom: q6apm: move component registration to unmanaged
version (CVE-2026-31587)
- rxrpc: Fix recvmsg() unconditional requeue (CVE-2026-23066)
- scsi: ufs: core: Fix use-after free in init error and remove paths
(CVE-2025-21739)
- ALSA: control: Avoid WARN() for symlink errors (CVE-2024-56657)
- f2fs: fix null-ptr-deref in f2fs_submit_page_bio() (CVE-2024-53221)
- wifi: iwlwifi: read txq->read_ptr under lock (CVE-2024-36922)
- [arm64] mm: fix VA-range sanity check (CVE-2023-53989)
- rxrpc: Fix anonymous key handling
- rxrpc: only handle RESPONSE during service challenge (CVE-2026-31676)
- fs/ntfs3: validate rec->used in journal-replay file record check
(CVE-2026-31716)
- fuse: reject oversized dirents in page cache (CVE-2026-31694)
- fuse: quiet down complaints in fuse_conn_limit_write
- smb: server: fix active_num_conn leak on transport allocation failure
(CVE-2026-31711)
- smb: server: fix max_connections off-by-one in tcp accept path
- smb: client: require a full NFS mode SID before reading mode bits
(CVE-2026-43350)
- smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
(CVE-2026-31708)
- ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
(CVE-2026-31705)
- ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
(CVE-2026-31704)
- f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
(CVE-2026-31702)
- ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
- ALSA: caiaq: take a reference on the USB device in create_card()
(CVE-2026-31701)
- crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
(CVE-2026-31699)
- crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command
failed (CVE-2026-31698)
- crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
(CVE-2026-31697)
- rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
(CVE-2026-31696)
- ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES (CVE-2026-46018)
- ALSA: usb-audio: Avoid false E-MU sample-rate notifications
- ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch
- usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
- ALSA: usb-audio: Evaluate packsize caps at the right place
- drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
(CVE-2026-46006)
- [x86] misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt()
(CVE-2026-46022)
- [x86] ibmasm: fix OOB reads in command_file_write due to missing size
checks (CVE-2026-45994)
- [x86] ibmasm: fix heap over-read in ibmasm_send_i2o_message()
(CVE-2026-46064)
- firmware: google: framebuffer: Do not mark framebuffer as busy
- padata: Fix pd UAF once and for all (CVE-2025-38584)
- padata: Remove comment for reorder_work
- drm/amdgpu: Use vmemdup_array_user in amdgpu_bo_create_list_entry_array
- drm/amdgpu: Limit BO list entry count to prevent resource exhaustion
(CVE-2026-23468)
- net: enetc: fix the deadlock of enetc_mdio_lock (CVE-2025-40347)
- blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none
(CVE-2023-53292)
- [arm64] set __exception_irq_entry with __irq_entry as a default
(CVE-2023-54322)
- regset: use kvzalloc() for regset_get_alloc()
- device property: Make modifications of fwnode "flags" thread safe
- ocfs2: split transactions in dio completion to avoid credit exhaustion
(CVE-2026-46080)
- driver core: Don't let a device probe until it's ready
- wifi: rtw88: check for PCI upstream bridge existence
- f2fs: fix to detect potential corrupted nid in free_nid_list
(CVE-2025-68315)
- crypto: pcrypt - Fix handling of MAY_BACKLOG requests (CVE-2026-43493)
- [arm*] media: amphion: Fix race between m2m job_abort and device_run
(CVE-2026-46058)
- ALSA: control: Validate buf_len before strnlen() in
snd_ctl_elem_init_enum_names() (CVE-2026-46088)
- net: caif: clear client service pointer on teardown (CVE-2026-46098)
- net: strparser: fix skb_head leak in strp_abort_strp() (CVE-2026-46102)
- PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown
(CVE-2026-46009)
- Revert "ALSA: usb: Increase volume range that triggers a warning"
(regression in 6.1.162)
- lib/ts_kmp: fix integer overflow in pattern length calculation
- net: qrtr: ns: Fix use-after-free in driver remove() (CVE-2026-46047)
- ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
(CVE-2026-46002)
- ALSA: ctxfi: Add fallback to default RSR for S/PDIF (CVE-2026-46049)
- ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes
- erofs: fix the out-of-bounds nameoff handling for trailing dirents
(CVE-2026-46078)
- md/raid10: fix deadlock with check operation and nowait requests
(CVE-2026-46050)
- nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4
- nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set
- rbd: fix null-ptr-deref when device_add_disk() fails (CVE-2026-46079)
- io_uring/timeout: check unused sqe fields
- iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned()
- io_uring/poll: fix signed comparison in io_poll_get_ownership()
(CVE-2026-52933)
- io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE
- ALSA: core: Fix potential data race at fasync handling
- ALSA: caiaq: Fix control_put() result and cache rollback
- ALSA: caiaq: Handle probe errors properly (CVE-2026-46004)
- ALSA: 6fire: Fix input volume change detection
- iio: adc: ad7768-1: fix one-shot mode data acquisition
- net: rds: fix MR cleanup on copy error (CVE-2026-46053)
- net/smc: avoid early lgr access in smc_clc_wait_msg (CVE-2026-46027)
- net: ks8851: Reinstate disabling of BHs around IRQ handler
(CVE-2026-46031)
- RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv
(CVE-2026-46043)
- ipv4: icmp: validate reply type before using icmp_pointers
(CVE-2026-46037)
- libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply()
(CVE-2026-46024)
- power: supply: axp288_charger: Do not cancel work before initializing it
- randomize_kstack: Maintain kstack_offset per task
- mmc: block: use single block write in retry
- [arm64] mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration
- tpm: tpm_tis: add error logging for data transfer
- userfaultfd: allow registration of ranges below mmap_min_addr
- [x86] KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state
- [x86] KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2
- [x86] KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2
(CVE-2026-45987)
- [x86] KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 (CVE-2026-46082)
- [x86] KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB
intercepts
- [x86] KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest
mode
- [x86] KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested
#VMEXIT
- [x86] KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested
VMRUN
- [x86] KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID)
- [x86] KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested
#VMEXIT
- [x86] KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS
- [x86] KVM: nSVM: Add missing consistency check for nCR3 validity
- mtd: docg3: fix use-after-free in docg3_release() (CVE-2026-46285)
- io_uring/poll: fix multishot recv missing EOF on wakeup race
- ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all()
(CVE-2026-46046)
- md/raid5: fix soft lockup in retry_aligned_read() (CVE-2026-46051)
- md/raid5: validate payload size before accessing journal metadata
(CVE-2026-46070)
- inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails
(CVE-2026-46040)
- tcp: call sk_data_ready() after listener migration (CVE-2026-46015)
- taskstats: set version in TGID exit notifications
- Bluetooth: hci_event: fix potential UAF in SSP passkey handlers
(CVE-2026-46056)
- can: ucan: fix devres lifetime (CVE-2026-46103)
- [arm64] crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as
64-bit
- [armel,armhf] crypto: atmel-aes - Fix 3-page memory leak in
atmel_aes_buff_cleanup (CVE-2026-46019)
- [arm*] crypto: ccree - fix a memory leak in cc_mac_digest()
(CVE-2026-45986)
- [armel,armhf] crypto: atmel-tdes - fix DMA sync direction
(CVE-2026-46077)
- crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path
(CVE-2026-46075)
- dm mirror: fix integer overflow in create_dirty_log() (CVE-2026-46023)
- IB/core: Fix zero dmac race in neighbor resolution
- ntfs3: add buffer boundary checks to run_unpack() (CVE-2026-46072)
- ntfs3: fix integer overflow in run_unpack() volume boundary check
(CVE-2026-46062)
- rtmutex: Use waiter::task instead of current in remove_waiter()
(CVE-2026-43499)
- scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails
(CVE-2026-45997)
- seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode
- crypto: authencesn - reject short ahash digests during instance creation
(CVE-2026-46033)
- ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path
- ALSA: caiaq: Don't abort when no input device is available
- ipv6: rpl: reserve mac_len headroom when recompressed SRH grows
(CVE-2026-43501)
- drm/amdgpu: fix zero-size GDS range init on RDNA4 (CVE-2026-46276)
- ALSA: caiaq: fix usb_dev refcount leak on probe failure
- net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels (CVE-2026-46099)
- netfilter: reject zero shift in nft_bitwise (CVE-2026-46101)
- scsi: target: configfs: Bound snprintf() return in
tg_pt_gp_members_show()
(CVE-2026-46149)
- ipmi: Add limits to event and receive message requests (CVE-2026-46177)
- ipmi: Check event message buffer response for bad data (CVE-2026-46128)
- ipmi:si: Return state to normal if message allocation fails
(CVE-2026-46108)
- fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
(CVE-2026-43497)
- ACPI: scan: Use acpi_dev_put() in object add error paths
- ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
- [x86] ACPI: video: force native backlight on HP OMEN 16 (8A44)
- ASoC: SOF: Don't allow pointer operations on unconfigured streams
(CVE-2026-46179)
- [arm64,armhf] spi: rockchip: fix controller deregistration
- drm/amd/display: Do not skip unrelated mode changes in DSC validation
(CVE-2026-31488)
- [arm64,armhf] spi: meson-spicc: Fix double-put in remove path
(CVE-2026-31489)
- ext4: validate p_idx bounds in ext4_ext_correct_indexes (CVE-2026-31449)
- [x86] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
(CVE-2026-46113)
- flow_dissector: do not dissect PPPoE PFC frames (CVE-2026-46306)
- net/sched: sch_red: Replace direct dequeue call with peek and
qdisc_dequeue_peeked (CVE-2026-43496)
- Bluetooth: hci_sync: Remove remaining dependencies of hci_request
- Bluetooth: btintel: serialize btintel_hw_error() with hci_req_sync_lock
(CVE-2026-31500)
- ice: Fix memory leak in ice_set_ringparam() (CVE-2026-23389)
- exit: prevent preemption of oopsing TASK_DEAD task (CVE-2026-46173)
- wifi: mt76: mt7921: fix a potential clc buffer length underflow
(CVE-2026-46136)
- wifi: b43legacy: enforce bounds check on firmware key index in RX path
(CVE-2026-46163)
- wifi: rsi: fix kthread lifetime race between self-exit and external-stop
(CVE-2026-46187)
- wifi: ath5k: do not access array OOB (CVE-2026-46307)
- wifi: b43: enforce bounds check on firmware key index in b43_rx()
(CVE-2026-46122)
- usb: usblp: fix heap leak in IEEE 1284 device ID via short response
(CVE-2026-46151)
- usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
(CVE-2026-46167)
- ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
(CVE-2026-46146)
- ALSA: usb-audio: Fix UAC3 cluster descriptor size check
- USB: serial: option: add Telit Cinterion LE910Cx compositions
- usb: ulpi: fix memory leak on ulpi_register() error paths
(CVE-2026-46109)
- ALSA: firewire-tascam: Do not drop unread control events
- xfrm: provide message size for XFRM_MSG_MAPPING
- ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() (CVE-2026-46172)
- Bluetooth: virtio_bt: clamp rx length before skb_put (CVE-2026-46123)
- Bluetooth: virtio_bt: validate rx pkt_type header length (CVE-2026-46186)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
(CVE-2026-45835)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
(CVE-2026-45834)
- fanotify: fix false positive on permission events (CVE-2026-46150)
- net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
rtnl_fill_vfinfo (CVE-2026-46132)
- sound: ua101: fix division by zero at probe (CVE-2026-46184)
- ip6_gre: Use cached t->net in ip6erspan_changelink(). (CVE-2026-46120)
- net/rds: handle zerocopy send cleanup before the message is queued
(CVE-2026-43502)
- [x86] hwmon: (corsair-psu) Close HID device on probe errors
- cifs: abort open_cached_dir if we don't request leases
- cifs: change_conf needs to be called for session setup
- [arm64] extcon: ptn5150: handle pending IRQ events during system resume
- [arm64] hv_sock: fix ARM64 support
- [ppc64el] ibmveth: Disable GSO for packets with small MSS
(CVE-2026-46273)
- udf: reject descriptors with oversized CRC length
- spi: topcliff-pch: fix use-after-free on unbind (CVE-2026-46301)
- [ppc64el] cpuidle: powerpc: avoid double clear when breaking snooze
- [x86] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in
quirk table
- [arm64,armhf] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
- [arm64,armhf] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
(CVE-2026-46143)
- [arm64,armhf] ASoC: qcom: q6apm: remove child devices when apm is removed
- btrfs: fix double free in create_space_info() error path (CVE-2026-46129)
- dm-thin: fix metadata refcount underflow (CVE-2026-46107)
- dm: don't report warning when doing deferred remove
- dm: fix a buffer overflow in ioctl processing (CVE-2026-46294)
- dm-verity-fec: correctly reject too-small FEC devices
- dm-verity-fec: correctly reject too-small hash devices
- isofs: validate Rock Ridge CE continuation extent against volume size
(CVE-2026-46303)
- isofs: validate block number from NFS file handle in isofs_export_iget
(CVE-2026-46124)
- libceph: Fix slab-out-of-bounds access in auth message processing
(CVE-2026-46119)
- md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
(CVE-2026-46161)
- nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free (CVE-2026-46304)
- openvswitch: vport: fix self-deadlock on release of tunnel ports
(CVE-2026-46165)
- [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
(CVE-2026-46112)
- [s390x] debug: Reject zero-length input in debug_input_flush_fn()
- smb/client: fix out-of-bounds read in symlink_data() (CVE-2026-46185)
- PCI/AER: Clear only error bits in PCIe Device Status
- PCI/AER: Stop ruling out unbound devices as error source
- [x86] power: supply: max17042: avoid overflow when determining health
- RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
(CVE-2026-46178)
- RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
(CVE-2026-46127)
- RDMA/rxe: Reject unknown opcodes before ICRC processing (CVE-2026-46133)
- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
(CVE-2026-46189)
- mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
- mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
- mptcp: sockopt: set timestamp flags on subflow socket, not msk
- mptcp: fix scheduling with atomic in timestamp sockopt (CVE-2026-46168)
- f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
- f2fs: fix fiemap boundary handling when read extent cache is incomplete
- f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
- [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong
value
- f2fs: compress: change the first parameter of page_array_{alloc,free} to
sbi
- f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic
(CVE-2025-38627)
- exit: Sleep at TASK_IDLE when waiting for application core dump
- media: uvcvideo: Enable VB2_DMABUF for metadata stream
- [x86] staging: media: atomisp: Disallow all private IOCTLs
(CVE-2026-46205)
- media: rc: xbox_remote: heed DMA restrictions (CVE-2026-46236)
- media: rc: streamzap: Error handling in probe
- media: saa7164: add ioremap return checks and cleanups (CVE-2026-46235)
- [x86] platform/x86: hp-wmi: Ignore backlight and FnLock events
- media: pci: zoran: fix potential memory leak in zoran_probe()
- media: dib8000: avoid division by 0 in dib8000_set_dds()
- [armhf] media: omap3isp: drop the use count of v4l2 pipeline
- [arm64,armhf] spi: imx: fix runtime pm leak on probe deferral
- [armel,armhf] spi: orion: fix clock imbalance on registration failure
- drm/amdgpu: Add bounds checking to ib_{get,set}_value (CVE-2026-46218)
- drm/amdgpu/vce: Prevent partial address patches
- drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg (CVE-2026-46199)
- drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg (CVE-2026-46230)
- drm/gem: Fix inconsistent plane dimension calculation in
drm_gem_fb_init_with_funcs() (CVE-2026-46209)
- drm/amdkfd: validate SVM ioctl nattr against buffer size (CVE-2026-46197)
- drm/radeon: add missing revision check for CI
- drm/amdgpu: zero-initialize GART table on allocation
- drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
- drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
(CVE-2026-46220)
- drm/amdgpu/pm: add missing revision check for CI
- drm/amdgpu/pm: align Hawaii mclk workaround with radeon
- sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
(CVE-2026-46227)
- batman-adv: fix integer overflow on buff_pos (CVE-2026-46198)
- batman-adv: reject new tp_meter sessions during teardown (CVE-2026-46206)
- batman-adv: stop caching unowned originator pointers in BAT IV
(CVE-2026-46238)
- batman-adv: bla: prevent use-after-free when deleting claims
(CVE-2026-46212)
- batman-adv: bla: only purge non-released claims (CVE-2026-46233)
- batman-adv: bla: put backbone reference on failed claim hash insert
(CVE-2026-46231)
- Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
(CVE-2026-45836)
- mtd: spi-nor: sst: Factor out common write operation to
`sst_nor_write_data()`
- mtd: spi-nor: sst: Fix write enable before AAI sequence
- vsock: fix buffer size clamping order (CVE-2026-46234)
- vsock/virtio: fix accept queue count leak on transport mismatch
(CVE-2026-46214)
- drm/amdgpu/vcn3: Avoid overflow on msg bound check
- drm/amdgpu/vcn4: Avoid overflow on msg bound check
- mtd: spi-nor: sst: Fix SST write failure
- bcache: fix uninitialized closure object
- blk-cgroup: wait for blkcg cleanup before initializing new disk
- fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
(CVE-2026-53130)
- drbd: Balance RCU calls in drbd_adm_dump_devices() (CVE-2026-53128)
- nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
(CVE-2026-53320)
- pstore/ram: fix resource leak when ioremap() fails
- devres: fix missing node debug info in devm_krealloc()
- debugfs: check for NULL pointer in debugfs_create_str()
- hrtimers: Update the return type of enqueue_hrtimer()
- hrtimer: Avoid pointless reprogramming in __hrtimer_start_range_ns()
- hrtimer: Reduce trace noise in hrtimer_start()
- locking: Fix rwlock support in <linux/spinlock_up.h>
- firmware: dmi: Correct an indexing error in dmi.h
- wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
- wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished
irq_prepare_bcn_tasklet (CVE-2026-53112)
- bpf: Add CHECKSUM_COMPLETE to bpf test progs
- bpf: test_run: Fix the null pointer dereference issue in
bpf_lwt_xmit_push_encap (CVE-2026-53111)
- kernel: param: rename locate_module_kobject
- kernel: globalize lookup_or_create_module_kobject()
- bpf, devmap: Remove unnecessary if check in for loop
- bpf: Use RCU-safe iteration in dev_map_redirect_multi() SKB path
(CVE-2026-53096)
- wifi: rtw89: phy: fix uninitialized variable access in
rtw89_phy_cfo_set_crystal_cap()
- r8152: fix incorrect register write to USB_UPHY_XTAL
- [ppc64el] powerpc/crash: fix backup region offset update to elfcorehdr
- macvlan: annotate data-races around port->bc_queue_len_used
- bpf: fix end-of-list detection in cgroup_storage_get_next_key()
(CVE-2026-45838)
- wifi: brcmfmac: Fix error pointer dereference (CVE-2026-53093)
- bpf: Drop task_to_inode and inet_conn_established from lsm sleepable
hooks
- bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec()
(CVE-2026-45839)
- [arm64] ACPI: AGDI: fix missing newline in error message
- [arm64] kexec: Remove duplicate allocation for trans_pgd
- [arm64] net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
(CVE-2026-53088)
- [arm64] net: bcmgenet: Remove TX ring full logging
- [arm64] net: bcmgenet: Remove custom ndo_poll_controller()
- [arm64] net: bcmgenet: add bcmgenet_has_* helpers
- [arm64] net: bcmgenet: move DESC_INDEX flow to ring 0
- [arm64] net: bcmgenet: support reclaiming unsent Tx packets
- [arm64] net: bcmgenet: switch to use 64bit statistics
- [arm64] net: bcmgenet: fix racing timeout handler (CVE-2026-53086)
- netfilter: xt_socket: enable defrag after all other checks
- netfilter: nft_fwd_netdev: check ttl/hl before forwarding
- 6pack: propagage new tty types
- net: hamradio: 6pack: fix uninit-value in sixpack_receive_buf
(CVE-2026-53082)
- net/sched: act_ct: Only release RCU read lock after ct_ft
(CVE-2026-46319)
- net/rds: Optimize rds_ib_laddr_check
- net/rds: Restrict use of RDS/IB to the initial network namespace
(CVE-2026-53077)
- ppp: require CAP_NET_ADMIN in target netns for unattached ioctls
(CVE-2026-53075)
- bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
(CVE-2026-53074)
- Bluetooth: L2CAP: Fix printing wrong information if SDU length exceeds
MTU
- Bluetooth: hci_ldisc: Clear HCI_UART_PROTO_INIT on error (CVE-2026-53073)
- Bluetooth: fix locking in hci_conn_request_evt() with HCI_PROTO_DEFER
(CVE-2026-53072)
- Bluetooth: l2cap: Add missing chan lock in l2cap_ecred_reconf_rsp
(CVE-2026-53071)
- sctp: fix missing encap_port propagation for GSO fragments
- net, bpf: fix null-ptr-deref in xdp_master_redirect() for down master
(CVE-2026-53069)
- [arm*] drm/komeda: fix integer overflow in AFBC framebuffer size check
(CVE-2026-53068)
- [arm*] drm/sun4i: backend: fix error pointer dereference (CVE-2026-53066)
- [armhf] ASoC: sti: use managed regmap_field allocations (CVE-2026-53065)
- dm cache: fix null-deref with concurrent writes in passthrough mode
(CVE-2026-53064)
- dm cache: fix write path cache coherency in passthrough mode
- dm cache: fix write hang in passthrough mode (CVE-2026-53063)
- dm cache policy smq: fix missing locks in invalidating cache blocks
(CVE-2026-53062)
- dm cache: fix concurrent write failure in passthrough mode
- dm cache: support shrinking the origin device
- dm cache: fix dirty mapping checking in passthrough mode switching
(CVE-2026-53061)
- dm cache metadata: fix memory leak on metadata abort retry
(CVE-2026-53060)
- dm log: fix out-of-bounds write due to region_count overflow
(CVE-2026-53059)
- [arm64] spi: fsl-qspi: Use reinit_completion() for repeated operations
- [arm*] drm/sun4i: Fix resource leaks
- drm/amdgpu: Add default case in DVI mode validation
- dm init: ensure device probing has finished in dm-mod.waitfor=
- padata: Remove cpu online check from cpu add and removal
- padata: Put CPU offline callback in ONLINE section to allow failure
(CVE-2026-53314)
- drm/amdgpu/gfx10: look at the right prop for gfx queue priority
- [arm64] drm/msm/dpu: fix mismatch between power and frequency
(CVE-2026-53056)
- [arm64] drm/msm/dsi: rename MSM8998 DSI version from V2_2_0 to V2_0_0
- [arm64,armhf] drm/panel: simple: Correct G190EAN01 prepare timing
- ALSA: core: Validate compress device numbers without dynamic minors
- drm/amd/pm/ci: Use highest MCLK on CI when MCLK DPM is disabled
- drm/amd/pm/ci: Disable MCLK DPM on problematic CI ASICs
- drm/amd/pm/smu7: Fix SMU7 voltage dependency on display clock
- drm/amd/pm/ci: Fix powertune defaults for Hawaii 0x67B0
- drm/amd/pm/ci: Clear EnabledForActivity field for memory levels
- drm/amd/pm/ci: Fill DW8 fields from SMC
- drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
- [arm64] drm/msm/a6xx: Fix HLSQ register dumping
- [arm64] drm/msm/shrinker: Fix can_block() logic
- [arm64] drm/msm/a6xx: Use barriers while updating HFI Q headers
- [armhf] pmdomain: ti: omap_prm: Fix a reference leak on device node
- [arm64] ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
- [arm*] ASoC: qcom: qdsp6: topology: check widget type before accessing
data (CVE-2026-53052)
- PCI: Enable AtomicOps only if Root Port supports them
- ALSA: scarlett2: Add missing sentinel initializer field
- [x86] ASoC: SOF: amd: Fix for reading position updates from stream box.
- [x86] ASoC: SOF: Prepare ipc_msg_data to be used with compress API
- [x86] ASoC: SOF: Prepare set_stream_data_offset for compress API
- [x86] ASoC: SOF: Add support for compress API for stream data/offset
- [x86] ASoC: SOF: compress: return the configured codec from get_params
- [i386] ALSA: sc6000: Use standard print API
- [i386] ALSA: sc6000: Keep the programmed board state in card-private data
- dm cache: fix missing return in invalidate_committed's error path
- gfs2: Call unlock_new_inode before d_instantiate
- quota: Fix race of dquot_scan_active() with quota deactivation
(CVE-2026-53050)
- gfs2: add some missing log locking (CVE-2026-53049)
- gfs2: prevent NULL pointer dereference during unmount (CVE-2026-53048)
- efi/capsule-loader: fix incorrect sizeof in phys array reallocation
(CVE-2026-53047)
- ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
(CVE-2026-53046)
- [armhf] dts: mediatek: mt7623: fix efuse fallback compatible
- [armhf] memory: tegra124-emc: Fix dll_change check (CVE-2026-53045)
- [arm64] dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO
(M.2 W_DISABLE1)
- [arm64] dts: mediatek: mt6795: Fix gpio-ranges pin count
- [arm64] dts: mediatek: mt7986a: Fix gpio-ranges pin count
- [arm64] dts: qcom: sm8450: Fix GIC_ITS range length
- [arm64] dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
- [arm64] dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered
during boot
- unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
- ocfs2/dlm: validate qr_numregions in dlm_match_regions() (CVE-2026-53043)
- ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
(CVE-2026-53309)
- [arm64] soc: qcom: aoss: compare against normalized cooling state
- [arm64] dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
- [arm64] xor: fix conflicting attributes for xor_block_template
- ocfs2: fix listxattr handling when the buffer is full (CVE-2026-53041)
- ocfs2: validate bg_bits during freefrag scan (CVE-2026-53040)
- ocfs2: validate group add input before caching (CVE-2026-53039)
- soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
- [armhf] dmaengine: mxs-dma: Fix missing return value from
of_dma_controller_register()
- tracing: Rebuild full_name on each hist_field_name() call
- ima: check return value of crypto_shash_final() in boot aggregate
- HID: asus: make asus_resume adhere to linux kernel coding standards
- HID: asus: do not abort probe when not necessary
- mtd: spi-nor: core: correct the op.dummy.nbytes when check read
operations
- mtd: spi-nor: spansion: Rename s28hs512t prefix
- mtd: spi-nor: spansion: Replace hardcoded values for addr_nbytes/
addr_mode_nbytes
- mtd: spi-nor: spansion: Make RD_ANY_REG_OP macro take number of dummy
bytes
- mtd: spi-nor: spansion: Add support for Infineon S25FS256T
- mtd: spi-nor: Allow post_sfdp hook to return errors
- mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
- mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
- mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
- mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
- mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
- mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
- [armhf] mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
- HID: usbhid: fix deadlock in hid_post_reset() (CVE-2026-53037)
- [arm64] bpf, arm64: Fix off-by-one in check_imm signed range check
(CVE-2026-53036)
- bpf, sockmap: Fix af_unix iter deadlock (CVE-2026-53035)
- bpf, sockmap: Fix af_unix null-ptr-deref in proto update (CVE-2026-53034)
- bpf, sockmap: Take state lock for af_unix iter (CVE-2026-53033)
- bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
- bpf: allow UTF-8 literals in bpf_bprintf_prepare()
- [armel,armhf] bpf, arm32: Reject BPF-to-BPF calls and callbacks in the
JIT
- perf branch: Avoid incrementing NULL
- perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE
trace
- perf expr: Return -EINVAL for syntax error in expr__find_ids()
- perf util: Kill die() prototype, dead for a long time
- i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
- dev_printk: add new dev_err_probe() helpers
- [x86] platform/surface: surfacepro3_button: Drop wakeup source on remove
- [s390x] tty: hvc_iucv: fix off-by-one in number of supported devices
(CVE-2026-53306)
- [x86] platform/x86: panasonic-laptop: Fix OPTD notifier registration and
cleanup
- [armhf] mfd: mc13xxx-core: Fix memory leak in
mc13xxx_add_subdevice_pdata()
- nfs/blocklayout: Fix compilation error (`make W=1`) in
bl_write_pagelist()
- fs/ntfs3: terminate the cached volume label after UTF-8 conversion
(CVE-2026-53023)
- [x86] platform/x86: dell_rbu: avoid uninit value usage in
packet_size_write()
- [x86] platform/x86: dell-wmi-sysman: bound enumeration string aggregation
(CVE-2026-53022)
- RDMA/core: Prefer NLA_NUL_STRING
- scsi: sg: Resolve soft lockup issue when opening /dev/sgX
(CVE-2026-53304)
- scsi: target: core: Fix integer overflow in UNMAP bounds check
(CVE-2026-53021)
- [armhf] clk: imx: imx6q: Fix device node reference leak in
pll6_bypassed()
- [armhf] clk: imx: imx6q: Fix device node reference leak in
of_assigned_ldb_sels()
- [arm64] clk: imx8mq: Correct the CSI PHY sels
- [arm64] clk: qoriq: avoid format string warning
- [arm64] clk: xgene: Fix mapping leak in xgene_pllclk_init()
- f2fs: Use sysfs_emit_at() to simplify code
- f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
(CVE-2026-53303)
- [x86] drm/i915: Constify watermark state checker
- [x86] drm/i915: Extract intel_dbuf_mdclk_cdclk_ratio_update()
- [x86] drm/i915: Loop over all active pipes in intel_mbus_dbox_update
- [x86] drm/i915/wm: Verify the correct plane DDB entry
- crypto: ccp - copy IV using skcipher ivsize (CVE-2026-53016)
- [arm64] dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
- [arm64] dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
- [x86] PCMCIA: Fix garbled log messages for KERN_CONT
- [arm64] dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
- [arm64] dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
- net/sched: sch_cake: fix NAT destination port not being updated in
cake_update_flowkeys
- nexthop: fix IPv6 route referencing IPv4 nexthop (CVE-2026-53012)
- net/sched: taprio: continue with other TXQs if one dequeue() failed
- net/sched: taprio: refactor one skb dequeue from TXQ to separate function
- net/sched: taprio: rename close_time to end_time
- net/sched: taprio: fix use-after-free in advance_sched() on schedule
switch (CVE-2026-53011)
- container_of: remove container_of_safe()
- container_of: add container_of_const() that preserves const-ness of the
pointer
- tcp: preserve const qualifier in tcp_sk()
- tcp: add data-race annotations around tp->data_segs_out and
tp->total_retrans
- tcp: annotate data-races around tp->bytes_sent
- tcp: annotate data-races around tp->bytes_retrans
- tcp: annotate data-races around tp->dsack_dups
- tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
- i40e: don't advertise IFF_SUPP_NOFCS
- e1000e: Unroll PTP in probe error handling
- ipv6: fix possible UAF in icmpv6_rcv() (CVE-2026-53006)
- sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
(CVE-2026-53004)
- pppoe: drop PFC frames (CVE-2026-53003)
- openvswitch: cap upcall PID array size and pre-size vport replies
(CVE-2026-45840)
- netfilter: nft_osf: restrict it to ipv4
- netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
(CVE-2026-45841)
- netfilter: conntrack: remove sprintf usage (CVE-2026-53002)
- netfilter: xtables: restrict several matches to inet family
(CVE-2026-53001)
- ipvs: fix MTU check for GSO packets in tunnel mode
- netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
(CVE-2026-52999)
- netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
(CVE-2026-52998)
- slip: reject VJ receive packets on instances with no rstate array
(CVE-2026-45842)
- slip: bound decode() reads against the compressed packet length
(CVE-2026-45843)
- [arm64] dts: meson-gxl-p230: fix ethernet PHY interrupt number
- ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
- ksmbd: scope conn->binding slowpath to bound sessions only
(CVE-2026-52911)
- net/rds: zero per-item info buffer before handing it to visitors
(CVE-2026-52995)
- net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
- net/sched: sch_pie: annotate data-races in pie_dump_stats()
- net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
- net/sched: sch_red: annotate data-races in red_dump_stats()
- net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
- nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
- tipc: fix double-free in tipc_buf_append() (CVE-2026-52993)
- vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
- fs/adfs: validate nzones in adfs_validate_bblk() (CVE-2026-52992)
- fbdev: offb: fix PCI device reference leak on probe failure
- mailbox: mailbox-test: free channels on probe error (CVE-2026-53296)
- cgroup/rdma: fix integer overflow in rdmacg_try_charge()
- mailbox: add sanity check for channel array (CVE-2026-53295)
- mailbox: mailbox-test: don't free the reused channel (CVE-2026-53294)
- btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
- tracing: branch: Fix inverted check on stat tracer registration
- nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
(CVE-2026-52989)
- netfilter: arp_tables: fix IEEE1394 ARP payload parsing (CVE-2026-45844)
- nvme-pci: fix missed admin queue sq doorbell write
- drm/amdgpu: fix spelling typos
- drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
- drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
- netfilter: xt_policy: fix strict mode inbound policy matching
(CVE-2026-52920)
- netfilter: nf_conntrack_sip: don't use simple_strtoul (CVE-2026-52986)
- [arm64,armhf] drivers/spi-rockchip.c : Remove redundant variable slave
- [arm64,armhf] spi: rockchip: switch to use modern name
- [arm64,armhf] spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
- cdrom, scsi: sr: propagate read-only status to block layer via
set_disk_ro()
- netdevsim: zero initialize struct iphdr in dummy sk_buff (CVE-2026-52985)
- net/sched: netem: fix probability gaps in 4-state loss model
- net/sched: netem: fix queue limit check to include reordered packets
(CVE-2026-52984)
- net/sched: netem: validate slot configuration
- net/sched: netem: fix slot delay calculation overflow
- net/sched: sch_choke: annotate data-races in choke_dump_stats()
- net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
- vrf: Fix a potential NPD when removing a port from a VRF (CVE-2026-52925)
- net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
(CVE-2026-52982)
- net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
- neighbour: add RCU protection to neigh_tables[]
- neigh: let neigh_xmit take skb ownership (CVE-2026-52981)
- ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
- net: mctp i2c: check length before marking flow active
- netfilter: skip recording stale or retransmitted INIT
- sctp: discard stale INIT after handshake completion
- ipv4: rename and move ip_route_output_tunnel()
- ipv4: remove "proto" argument from udp_tunnel_dst_lookup()
- ipv4: add new arguments to udp_tunnel_dst_lookup()
- ipv6: rename and move ip6_dst_lookup_tunnel()
- bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
(CVE-2026-45846)
- net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
- net: netconsole: move newline trimming to function
- netconsole: propagate device name truncation in dev_name_store()
- ALSA: hda/conexant: fix some typos
- ALSA: hda/conexant: Renaming the codec with device ID 0x1f86 and 0x1f87
- ALSA: hda/conexant: Fix missing error check for jack detection
(CVE-2026-53291)
- futex: Prevent lockup in requeue-PI during signal/timeout wakeup
(CVE-2026-52977)
- drm/amd/display: Allow DCE link encoder without AUX registers
- drm/amd/display: Read EDID from VBIOS embedded panel info
- bonding: 802.3ad replace MAC_ADDRESS_EQUAL with __agg_has_partner
- net: bonding: add broadcast_neighbor option for 802.3ad
- bonding: add support for per-port LACP actor priority
- bonding: print churn state via netlink
- bonding: 3ad: implement proper RCU rules for port->aggregator
(CVE-2026-52975)
- iavf: stop removing VLAN filters from PF on interface down
- iavf: wait for PF confirmation before removing VLAN filters
- iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
- ice: Pull common tasks into ice_vf_post_vsi_rebuild
- ice: fix NULL pointer dereference in ice_reset_all_vfs()
(CVE-2026-53289)
- net: tls: fix strparser anchor skb leak on offload RX setup failure
(CVE-2026-52974)
- net/sched: cls_flower: revert unintended changes
- smb: client: correctly handle ErrorContextData as a flexible array
- smb: client: fix OOB reads parsing symlink error response
(CVE-2026-31613)
- net/sched: sch_pie: annotate more data-races in pie_dump_stats()
- [arm64] net: bcmgenet: Initialize u64 stats seq counter
- [arm64] net: bcmgenet: fix leaking free_bds
- btrfs: tracepoints: fix sleep while in atomic context in
btrfs_sync_file()
- ALSA: misc: Use guard() for spin locks
- ALSA: core: Serialize deferred fasync state checks
- [x86] ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close
- [x86] ASoC: SOF: stream-ipc: Check for cstream nullity in
sof_ipc_msg_data()
- mtd: spi-nor: spansion: Enable JFFS2 write buffer for S25FS256T
- netconsole: avoid out-of-bounds access on empty string in trim_newline()
- bonding: fix NULL pointer dereference in actor_port_prio setting
- net: bonding: update the slave array for broadcast mode
- crypto: af_alg - Cap AEAD AD length to 0x80000000 (CVE-2026-52972)
- i40e: Cleanup PTP pins on probe failure
- netfilter: nf_conntrack_sip: get helper before allocating expectation
- audit: fix incorrect inheritable capability in CAPSET records
(CVE-2026-53287)
- netfilter: nft_ct: fix missing expect put in obj eval (CVE-2026-52970)
- net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
- audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
- KVM: Reject wrapped offset in kvm_reset_dirty_gfn() (CVE-2026-52969)
- [s390x] KVM: s390: pci: fix GAIT table indexing due to double-scaling
pointer arithmetic (CVE-2026-52968)
- [x86] KVM: x86: Fix Xen hypercall tracepoint argument assignment
- smb/client: fix possible infinite loop and oob read in symlink_data()
(CVE-2026-52967)
- [x86] drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
- ALSA: usb-audio: Bound MIDI endpoint descriptor scans (CVE-2026-52963)
- ceph: fix a buffer leak in __ceph_setxattr() (CVE-2026-52962)
- libceph: Fix potential out-of-bounds access in osdmap_decode()
(CVE-2026-52958)
- libceph: Fix potential null-ptr-deref in decode_choose_args()
(CVE-2026-52957)
- libceph: Fix potential out-of-bounds access in crush_decode()
(CVE-2026-52955)
- libceph: handle rbtree insertion error in decode_choose_args()
(CVE-2026-52954)
- [x86] iommu/vt-d: Disable DMAR for Intel Q35 IGFX
- [x86] drm/i915: skip __i915_request_skip() for already signaled requests
- [arm64,armhf] drm/panfrost: Fix wait_bo ioctl leaking positive return
from dma_resv_wait_timeout()
- [x86] drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
- [x86] drm/gma500/oaktrail_lvds: fix hang on init failure (CVE-2026-53279)
- [x86] drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
- io-wq: check that the predecessor is hashed in io_wq_remove_pending()
- net/rds: reset op_nents when zerocopy page pin fails (CVE-2026-43494)
- io_uring: prevent opcode speculation (CVE-2025-21863)
- [s390x] debug: Reject zero-length input before trimming a newline
- wifi: mac80211: check tdls flag in ieee80211_tdls_oper (CVE-2026-43052)
- [x86] Revert "x86/vdso: Fix output operand size of RDPID"
- [s390x] Revert "s390/cio: Fix device lifecycle handling in
css_alloc_subchannel()" (regression in 6.1.165)
- sysfs: don't remove existing directory on update failure
- ALSA: ua101: Reject too-short USB descriptors
- ALSA: asihpi: Fix potential OOB array access at reading cache
- net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
- Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
- Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
- Bluetooth: bnep: Fix UAF read of dev->name
- Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
(CVE-2026-46275)
- Bluetooth: MGMT: validate Add Extended Advertising Data length
- phonet/pep: disable BH around forwarded sk_receive_skb()
- [arm64] net: bcmgenet: keep RBUF EEE/PM disabled
- net: ifb: report ethtool stats over num_tx_queues
- netfilter: ip6t_hbh: reject oversized option lists (CVE-2026-52915)
- netfilter: nf_queue: hold bridge skb->dev while queued (CVE-2026-52912)
- netfilter: ipset: stop hash:* range iteration at end (CVE-2026-52921)
- qed: fix double free in qed_cxt_tables_alloc()
- ring-buffer: Fix reporting of missed events in iterator
- vsock/vmci: fix UAF when peer resets connection during handshake
- vsock/virtio: reset connection on receiving queue overflow
- wifi: ath11k: clear shared SRNG pointer state on restart
- ipv4: raw: reject IP_HDRINCL packets with ihl < 5
- ixgbevf: fix use-after-free in VEPA multicast source pruning
- ice: fix setting promisc mode while adding VID filter
- wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
- cifs: Fix busy dentry used after unmounting
- tracing: Do not call map->ops->elt_free() if elt_alloc() fails
- [arm64] KVM: arm64: vgic-its: Reject restored DTE with out-of-range
num_eventid_bits
- [x86] scsi: isci: Fix use-after-free in device removal path
- [armhf] spi: ti-qspi: fix use-after-free after DMA setup failure
- RDMA/siw: Reject MPA FPDU length underflow before signed receive math
- device property: set fwnode->secondary to NULL in fwnode_init()
- drm/virtio: use uninterruptible resv lock for plane updates
- drm/amd/display: Fix integer overflow in bios_get_image()
- drm/amd/display: Validate GPIO pin LUT table size before iterating
- drm/amd/display: Validate payload length and link_index in
dc_process_dmub_aux_transfer_async
- batman-adv: mcast: fix use-after-free in orig_node RCU release
- batman-adv: clear current gateway during teardown (CVE-2026-52926)
- batman-adv: dat: handle forward allocation error (CVE-2026-52922)
- batman-adv: fix fragment reassembly length accounting (CVE-2026-52914)
- batman-adv: fix tp_meter counter underflow during shutdown
(CVE-2026-52919)
- batman-adv: frag: disallow unicast fragment in fragment (CVE-2026-52916)
- batman-adv: bla: fix report_work leak on backbone_gw purge
- batman-adv: tp_meter: avoid use of uninit sender vars (CVE-2026-52931)
- batman-adv: tt: fix negative last_changeset_len
- batman-adv: tt: fix negative tt_buff_len
- HID: uclogic: Fix regression of input name assignment
- netfilter: x_tables: unregister the templates first
- tcp: Fix imbalanced icsk_accept_queue count.
- ice: fix locking in ice_dcb_rebuild()
- [arm64,armhf] phy: marvell: mvebu-a3700-utmi: fix incorrect
USB2_PHY_CTRL register access
- irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
- wifi: ath11k: fix error path leaks in some WMI WOW calls
- HID: quirks: really enable the intended work around for appledisplay
- net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
(CVE-2026-52941)
- ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
- [arm64] drm/msm/dsi: don't dump registers past the mapped region
- [arm64] drm/msm: Fix iommu_map_sgtable() return value check and avoid
WARN
- [ppc64el] powerpc/time: Remove redundant preempt_disable|enable() calls
from arch_irq_work_raise()
- net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
- net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
- net: tls: prevent chain-after-chain in plain text SG
- [arm64] drm/msm/snapshot: fix dumping of the unaligned regions
- wifi: ath11k: Trigger sta disconnect on hardware restart
- wifi: ath11k: update hw params for IPQ5018
- wifi: ath11k: update ce configurations for IPQ5018
- wifi: ath11k: remap ce register space for IPQ5018
- wifi: ath11k: update hal srng regs for IPQ5018
- wifi: ath11k: initialize hw_ops for IPQ5018
- wifi: ath11k: add new hw ops for IPQ5018 to get rx dest ring hashmap
- wifi: ath11k: fix rssi station dump not updated in QCN9074
- wifi: ath11k: fix peer resolution on rx path when peer_id=0
- net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
- [x86] platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
- [x86] platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
- [x86] platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
- RDMA/rtrs: Fix use-after-free in path file creation cleanup
- net: bridge: Flush multicast groups when snooping is disabled
- bridge: mcast: Fix a possible use-after-free when removing a bridge port
- tracing: Avoid NULL return from hist_field_name() on truncation
- string: add mem_is_zero() helper to check if memory area is all zeros
- gpiolib: cdev: use !mem_is_zero() instead of memchr_inv(s, 0, n)
- gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
- net: mana: validate rx_req_idx to prevent out-of-bounds array access
- security/keys: fix missed RCU read section on lookup
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.176
- Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
- net/sched: cls_fw: fix NULL dereference of "old" filters before change()
(CVE-2026-53080)
- net: mctp: ensure our nlmsg responses are initialised (CVE-2026-45930)
- net/sched: sch_sfb: Replace direct dequeue call with peek and
qdisc_dequeue_peeked
- drm: Remove plane hsub/vsub alignment requirement for core helpers
- [armhf] net: cpsw_new: Fix potential unregister of netdev that has not
been registered yet (CVE-2026-43219)
- nfc: llcp: Fix use-after-free in llcp_sock_release()
- nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
- xfrm: Check for underflow in xfrm_state_mtu
- nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
- netfilter: synproxy: refresh tcphdr after skb_ensure_writable
- netfilter: xt_cpu: prefer raw_smp_processor_id
- netfilter: ebtables: fix OOB read in compat_mtw_from_user
(CVE-2026-52927)
- tun: free page on short-frame rejection in tun_xdp_one() (CVE-2026-46321)
- tun: free page on build_skb failure in tun_xdp_one() (CVE-2026-46322)
- net: netlink: fix sending unassigned nsid after assigned one
- net: netlink: don't set nsid on local notifications
- net/smc: Do not re-initialize smc hashtables
- [s390x] net/iucv: fix locking in .getsockopt
- ipv4: free net->ipv4.sysctl_local_reserved_ports after
unregister_net_sysctl_table()
- [x86] ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
- net: hsr: fix potential OOB access in supervision frame handling
- tunnels: load network headers after skb_cow() in
iptunnel_pmtud_build_icmp[v6]()
- vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
- tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
- ASoC: codecs: simple-mux: Fix enum control bounds check
- Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
- bonding: refuse to enslave CAN devices
- ethtool: eeprom: add more safeties to EEPROM Netlink fallback
- ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
- Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
- Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
- [arm*] gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
- net: mana: Add NULL guards in teardown path to prevent panic on attach
failure
- sctp: fix race between sctp_wait_for_connect and peeloff
- ipv6: fix possible infinite loop in rt6_fill_node()
- ipv6: fix possible infinite loop in fib6_select_path()
- net: skbuff: fix pskb_carve leaking zcopy pages
- batman-adv: v: stop OGMv2 on disabled interface (CVE-2026-52913)
- batman-adv: tvlv: abort OGM send on tvlv append failure
- batman-adv: tt: reject oversized local TVLV buffers
- batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
- batman-adv: tvlv: reject oversized TVLV packets (CVE-2026-52934)
- batman-adv: iv: recover OGM scheduling after forward packet error
- batman-adv: tp_meter: directly shut down timer on cleanup
- batman-adv: tt: fix TOCTOU race for reported vlans
- batman-adv: tt: avoid empty VLAN responses
- batman-adv: bla: avoid double decrement of bla.num_requests
- mm/page_alloc: clear page->private in free_pages_prepare()
(CVE-2026-43303)
- bpf: Fix a few selftest failures due to llvm18 change
- net/packet: convert po->tp_tx_has_off to an atomic flag
- net/packet: convert po->tp_loss to an atomic flag
- net/packet: convert po->has_vnet_hdr to an atomic flag
- net/packet: convert po->running to an atomic flag
- net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
(CVE-2026-31700)
- [x86] drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD
register
- drm/dp: Add eDP 1.5 bit definition
- [x86] drm/i915/psr: Read Intel DPCD workaround register
- [x86] drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line
used
- net: gro: don't merge zcopy skbs (CVE-2026-46323)
- phy: mscc: Use PHY_ID_MATCH_VENDOR to minimize PHY ID table
- phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
- hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
- hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with
pmbus_lock
- hwmon: (pmbus/adm1266) serialize NVMEM blackbox read with pmbus_lock
- iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
- usb: typec: ucsi: ccg: reject firmware images without a ':' record header
- usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
- usb: typec: altmodes/displayport: validate count before reading Status
Update VDO
- [x86] usb: typec: wcove: don't write past struct pd_message in
wcove_read_rx_buffer()
- usb: typec: ucsi: validate connector number in ucsi_connector_change()
- USB: serial: safe_serial: fix memory corruption with small endpoint
- HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
- Bluetooth: btusb: Allow firmware re-download when version matches
- hpfs: fix a crash if hpfs_map_dnode_bitmap fails
- ipc: limit next_id allocation to the valid ID range (CVE-2026-52923)
- auxdisplay: line-display: fix OOB read on zero-length message_store()
- Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
- Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
- Bluetooth: HIDP: fix missing length checks in hidp_input_report()
- Bluetooth: ISO: fix UAF in iso_recv_frame
- Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
- parport: Fix race between port and client registration (Closes: #1130365)
- USB: cdc-acm: Fix bit overlap and move quirk definitions to header
- wireguard: send: append trailer after expanding head
- iio: dac: ad5686: fix input raw value check
- iio: dac: ad5686: acquire lock when doing powerdown control
- iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
- iio: gyro: itg3200: fix i2c read into the wrong stack location
- iio: ssp_sensors: cancel delayed work_refresh on remove
- iio: temperature: tsys01: fix broken PROM checksum validation
- iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
- iio: light: cm3323: fix reg_conf not being initialized correctly
- iio: buffer: hw-consumer: fix use-after-free in error path
- USB: serial: omninet: fix memory corruption with small endpoint
- usb: dwc2: Fix use after free in debug code
- Input: elan_i2c - validate firmware size before use
- bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
- macsec: fix replay protection at XPN lower-PN wrap
- ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
- [arm64] ASoC: qcom: q6asm-dai: fix error handling in prepare and
set_params
- ipv6: exthdrs: refresh nh after handling HAO option
- ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
- ipv6: validate extension header length before copying to cmsg
- xfrm: input: hold netns during deferred transport reinjection
- ip6: vti: Use ip6_tnl.net in vti6_changelink().
- HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
- iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
- nfc: hci: fix out-of-bounds read in HCP header parsing
- xfrm: route MIGRATE notifications to caller's netns
- xfrm: ah: use skb_to_full_sk in async output callbacks
- netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without
direction check
- [arm64] ASoC: qcom: q6asm-dai: close stream only when running
- [arm64] ASoC: qcom: q6asm-dai: do not set stream state in event and
trigger callbacks
- xfrm: esp: restore combined single-frag length gate
- Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
- [x86] Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
- [x86] comedi: comedi_test: fix check for valid scan_begin_src in
waveform_ai_cmdtest()
- [x86] comedi: comedi_test: Fix limiting of convert_arg in
waveform_ai_cmdtest()
- counter: Fix refcount leak in counter_alloc() error path
- [i386] tty: serial: pch_uart: add check for dma_alloc_coherent()
- [arm*] usb: chipidea: core: convert ci_role_switch to local variable
- usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
- USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub
controllers
- usb: storage: Add quirks for PNY Elite Portable SSD
- usbip: vudc: Fix use after free bug in vudc_remove due to race condition
- usb: usbtmc: check URB actual_length for interrupt-IN notifications
- usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
- USB: serial: option: add MeiG SRM813Q
- USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
- USB: serial: belkin_sa: validate interrupt status length
- USB: serial: cypress_m8: validate interrupt packet headers
- USB: serial: keyspan: fix missing indat transfer sanity check
- USB: serial: mxuport: fix memory corruption with small endpoint
- USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
- usb: gadget: net2280: Fix double free in probe error path
- usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
- usb: gadget: f_fs: copy only received bytes on short ep0 read
- thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
- thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
- scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
- scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
- scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
- scsi: target: iscsi: Validate CHAP_R length before base64 decode
- drm/hyperv: validate resolution_count and fix WIN8 fallback
- drm/hyperv: validate VMBus packet size in receive callback
- [x86] drm/i915: Fix potential UAF in TTM object purge
- drm/amd/pm/si: Disregard vblank time when no displays are connected
- [arm64] serial: sh-sci: fix memory region release in error path
- [arm64] serial: fsl_lpuart: fix rx buffer and DMA map leaks in
start_rx_dma
- drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
- drm/amdkfd: Check for pdd drm file first in CRIU restore path
- HID: core: Add printk_ratelimited variants to hid_warn() etc
- HID: pass the buffer size to hid_report_raw_event
- HID: core: Fix size_t specifier in hid_report_raw_event()
- RDMA/rxe: Complete the rxe_cleanup_task backport
- USB: serial: digi_acceleport: fix memory corruption with small endpoints
- [arm*] xhci: tegra: Fix ghost USB device on dual-role port unplug
- netfilter: nf_tables: restore set elements when delete set fails
(CVE-2024-27012)
- USB: serial: cypress_m8: fix memory corruption with small endpoint
- bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is
loaded (CVE-2026-23310)
- usb: core: Fix SuperSpeed root hub wMaxPacketSize
- bpf: Free reuseport cBPF prog after RCU grace period. (CVE-2026-52910)
- USB: serial: mct_u232: fix memory corruption with small endpoint
- [amd64] dmaengine: idxd: Fix not releasing workqueue on .release()
(CVE-2026-43064)
- i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl (CVE-2026-52948)
- ipv6: mcast: Fix use-after-free when processing MLD queries
(CVE-2026-53275)
- net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
(CVE-2026-53274)
- tee: optee: prevent use-after-free when the client exits before the
supplicant (CVE-2026-53273)
- netfilter: xt_NFQUEUE: prefer raw_smp_processor_id
- ipvs: clear the svc scheduler ptr early on edit (CVE-2026-53270)
- netfilter: synproxy: add mutex to guard hook reference counting
(CVE-2026-53269)
- netfilter: conntrack_irc: fix possible out-of-bounds read
(CVE-2026-53268)
- netfilter: bridge: make ebt_snat ARP rewrite writable (CVE-2026-53266)
- dm cache policy smq: check allocation under invalidate lock
(CVE-2026-53265)
- net/sched: act_api: use RCU with deferred freeing for action lifecycle
(CVE-2026-53264)
- 6lowpan: fix off-by-one in multicast context address compression
(CVE-2026-53263)
- pcnet32: stop holding device spin lock during napi_complete_done
- net: Annotate sk->sk_write_space() for UDP SOCKMAP.
- net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
- net: lan743x: permit VLAN-tagged packets up to configured MTU
- [arm*] net: fec: fix pinctrl default state restore order on resume
- Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
(CVE-2026-53256)
- Bluetooth: MGMT: validate advertising TLV before type checks
(CVE-2026-53255)
- Bluetooth: RFCOMM: validate skb length in MCC handlers (CVE-2026-53254)
- Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame()
extension handling
- Bluetooth: bnep: reject short frames before parsing (CVE-2026-53253)
- Bluetooth: fix memory leak in error path of hci_alloc_dev()
(CVE-2026-53252)
- Bluetooth: MGMT: Fix backward compatibility with userspace
- ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options (CVE-2026-53249)
- ptp: vclock: Switch from RCU to SRCU
- vxlan: vnifilter: send notification on VNI add
- vxlan: vnifilter: fix spurious notification on VNI update
- ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
- net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
(CVE-2026-53245)
- sctp: purge outqueue on stale COOKIE-ECHO handling (CVE-2026-52924)
- ipmi: Fix rcu_read_unlock to srcu_read_unlock in handle_read_event_rsp
- signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
(CVE-2026-53352)
- time: Fix off-by-one in settimeofday() usec validation
- ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked
streams (CVE-2026-53242)
- fs/ntfs3: Return error for inconsistent extended attributes
(CVE-2023-54125)
- usb: gadget: f_ncm: Fix net_device lifecycle with device_move
(CVE-2026-43421)
- usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
- net: skbuff: fix missing zerocopy reference in pskb_carve helpers
(CVE-2026-52943)
- tap: free page on error paths in tap_get_user_xdp() (CVE-2026-46320)
- [arm64] KVM: arm64: Remove VPIPT I-cache handling
- [arm64] tlb: Allow XZR argument to TLBI ops
- [arm64] tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI
- iomap: don't revert iov_iter on partially completed buffered writes
- xfrm: policy: fix use-after-free on inexact bin in
xfrm_policy_bysel_ctx() (CVE-2026-53239)
- netlabel: validate unlabeled address and mask attribute lengths
(CVE-2026-53238)
- ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
(CVE-2026-53350)
- tcp: restrict SO_ATTACH_FILTER to priv users (CVE-2026-53236)
- net/mlx4: avoid GCC 10 __bad_copy_from() false positive
- net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
(CVE-2026-52947)
- ipv6: sit: reload inner IPv6 header after GSO offloads (CVE-2026-53228)
- net: openvswitch: fix possible kfree_skb of ERR_PTR (CVE-2026-53227)
- r8152: reduce the control transfer of rtl8152_get_version()
- r8152: Block future register access if register access fails
- r8152: handle the return value of usb_reset_device()
- sctp: fix uninit-value in __sctp_rcv_asconf_lookup() (CVE-2026-53225)
- net: guard timestamp cmsgs to real error queue skbs (CVE-2026-53223)
- net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic
completion (CVE-2026-52939)
- ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
(CVE-2026-53221)
- rds: mark snapshot pages dirty in rds_info_getsockopt()
- netfilter: nf_conntrack: destroy stale expectfn expectations on
unregister (CVE-2026-53349)
- netfilter: x_tables: avoid leaking percpu counter pointers
(CVE-2026-53219)
- netfilter: nf_log: validate MAC header was set before dumping it
(CVE-2026-52942)
- netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
(CVE-2026-53218)
- [arm*] net: mvpp2: sync RX data at the hardware packet offset
(CVE-2026-53217)
- [arm*] net: mvpp2: limit XDP frame size to the RX buffer (CVE-2026-53216)
- [arm*] net: mvpp2: Add metadata support for xdp mode
- [arm*] net: mvpp2: refill RX buffers before XDP or skb use
(CVE-2026-53215)
- [arm*] net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
- netfilter: ctnetlink: ensure safe access to master conntrack
(CVE-2026-43116)
- [arm*] drm/vc4: fix krealloc() memory leak (CVE-2026-53213)
- netfilter: nft_tunnel: fix use-after-free on object destroy
(CVE-2026-53212)
- Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
(CVE-2026-53209)
- Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
(CVE-2026-53208)
- [x86] drm/i915/gem: Fix phys BO pread/pwrite with offset (CVE-2026-53356)
- ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
(CVE-2026-53198)
- xfrm: espintcp: do not reuse an in-progress partial send (CVE-2026-52935)
- USB: serial: io_ti: fix heap overflow in get_manuf_info()
(CVE-2026-53196)
- USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
(CVE-2026-53195)
- USB: serial: option: add usb-id for Dell Wireless DW5826e-m
- USB: serial: kl5kusb105: fix bulk-out buffer overflow (CVE-2026-53194)
- ALSA: timer: Fix UAF at snd_timer_user_params()
- drm/amd/display: Reject gpio_bitshift >= 32 in
bios_parser_get_gpio_pin_info()
- RDMA/srp: bound SRP_RSP sense copy by the received length
(CVE-2026-53186)
- udp: clear skb->dev before running a sockmap verdict (CVE-2026-53184)
- [armhf] socfpga: Fix OF node refcount leak in SMP setup
- [armel,armhf] 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
- [armel,armhf] 9475/1: entry: use byte load for KASAN VMAP stack shadow
(CVE-2026-53343)
- mptcp: fix retransmission loop when csum is enabled
- mptcp: close TOCTOU race while computing rcv_wnd
- mptcp: allow subflow rcv wnd to shrink (CVE-2026-53183)
- mptcp: sockopt: check timestamping ret value
- wifi: nl80211: reject oversized EMA RNR lists (CVE-2026-53182)
- vsock/vmci: fix sk_ack_backlog leak on failed handshake (CVE-2026-53181)
- bnxt_en: Fix NULL pointer dereference (CVE-2026-53177)
- IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
(CVE-2026-53176)
- pidfd: refuse access to tasks that have started exiting harder
- fuse: reject fuse_notify() pagecache ops on directories (CVE-2026-53168)
- [arm*] i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
(CVE-2026-53339)
- [armhf] i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
- [arm*] i2c: tegra: Fix NOIRQ suspend/resume
- [x86] Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
- [x86] Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
- ipc/shm: serialize orphan cleanup with shm_nattch updates
(CVE-2026-52930)
- [arm*] misc: fastrpc: fix use-after-free of fastrpc_user in workqueue
context (CVE-2026-53161)
- [arm*] misc: fastrpc: fix use-after-free race in fastrpc_map_create
(CVE-2026-53160)
- [arm*] misc: fastrpc: fix DMA address corruption due to find_vma misuse
(CVE-2026-53159)
- net/mlx5: Reorder completion before putting command entry in
cmd_work_handler
- net: bonding: fix NULL pointer dereference in bond_do_ioctl()
(CVE-2026-53337)
- [armel,armhf] net: mv643xx: fix OF node refcount
- net: rds: clear i_sends on setup unwind (CVE-2026-53355)
- mmc: core: Fix host controller programming for fixed driver type
- [arm64] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
- mmc: sdhci: add signal voltage switch in sdhci_resume_host
- sctp: diag: reject stale associations in dump_one path (CVE-2026-52917)
- sctp: stream: fully roll back denied add-stream state (CVE-2026-52929)
- thunderbolt: Reject zero-length property entries in validator
(CVE-2026-53150)
- thunderbolt: Bound root directory content to block size (CVE-2026-53149)
- thunderbolt: Clamp XDomain response data copy to allocation size
(CVE-2026-53148)
- thunderbolt: Validate XDomain request packet size before type cast
(CVE-2026-53147)
- thunderbolt: Limit XDomain response copy to actual frame size
(CVE-2026-53146)
- slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock (CVE-2026-53331)
- drm/amdgpu: restart the CS if some parts of the VM are still invalidated
- drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
(CVE-2026-53137)
- drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
(CVE-2026-53136)
- drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
(CVE-2026-53135)
- drm/amd/display: Use krealloc_array() in dal_vector_reserve()
(CVE-2026-53329)
- fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
(CVE-2026-52946)
- mm/hugetlb: avoid false positive lockdep assertion
- mm/damon/ops-common: call folio_test_lru() after folio_get()
- mm/huge_memory: update file PMD counter before folio_put()
(CVE-2026-53189)
- f2fs: use kfree() instead of kvfree() to free some memory
- f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
- f2fs: fix UAF caused by decrementing sbi->nr_pages[] in
f2fs_write_end_io() (CVE-2026-31715)
- ksmbd: require minimum ACE size in smb_check_perm_dacl() (CVE-2026-31712)
- smb: client: validate the whole DACL before rewriting it in cifsacl
(CVE-2026-31709)
- [arm64] mm: Enable batched TLB flush in unmap_hotplug_range()
- lib: test_hmm: evict device pages on file close to avoid use-after-free
(CVE-2026-46280)
- wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
(CVE-2026-46069)
- [arm*] spi: imx: Convert to platform remove callback returning void
- [arm*] spi: imx: fix use-after-free on unbind (CVE-2026-45996)
- thermal: core: Fix thermal zone governor cleanup issues (CVE-2026-46021)
- media: rc: ttusbir: respect DMA coherency rules
- media: rc: igorplugusb: heed coherency rules
- sched: Use u64 for bandwidth ratio calculations
- net: qrtr: ns: Limit the maximum number of lookups (CVE-2026-46026)
- net: qrtr: ns: Change servers radix tree to xarray
- net: qrtr: ns: Free the node during ctrl_cmd_bye() (CVE-2026-46038)
- net: qrtr: ns: Limit the total number of nodes (CVE-2026-46003)
- net: bridge: use a stable FDB dst snapshot in RCU readers
(CVE-2026-46086)
- spi: fix resource leaks on device setup failure (CVE-2026-46083)
- fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
(CVE-2026-46065)
- xfs: fix a resource leak in xfs_alloc_buftarg() (CVE-2026-46005)
- udf: fix partition descriptor append bookkeeping (CVE-2026-45991)
- hfsplus: fix uninit-value by validating catalog record size
(CVE-2026-46169)
- hfsplus: fix held lock freed on hfsplus_fill_super() (CVE-2026-46299)
- erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
(CVE-2026-45999)
- ceph: only d_add() negative dentries when they are unhashed
(CVE-2026-46052)
- printk: add print_hex_dump_devel()
- [arm*] crypto: caam - guard HMAC key hex dumps in hash_digest_key
(CVE-2026-46291)
- net: stmmac: avoid shadowing global buf_sz
- net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
- net: stmmac: Prevent NULL deref when RX memory exhausted (CVE-2026-46110)
- tracepoint: balance regfunc() on func_add() failure in
tracepoint_add_func() (CVE-2026-46196)
- wifi: mac80211: remove station if connection prep fails (CVE-2026-46125)
- wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog
task (CVE-2026-46180)
- [arm*] usb: dwc3: Move GUID programming after PHY initialization
- net: ipv4: stop checking crypto_ahash_alignmask
- net: ipv6: stop checking crypto_ahash_alignmask
- xfrm: ah: account for ESN high bits in async callbacks (CVE-2026-46193)
- xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
(CVE-2026-46116)
- [armhf] spi: sun4i: Convert to platform remove callback returning void
- [armhf] spi: sun4i: switch to use modern name
- [armhf] spi: sun4i: fix controller deregistration
- spi: Convert to SPI_CONTROLLER_HALF_DUPLEX
- [armhf] spi: spi-ti-qspi: Convert to platform remove callback returning
void
- [armhf] spi: spi-ti-qspi: switch to use modern name
- [armhf] spi: ti-qspi: fix controller deregistration
- [arm*] spi: sun6i: fix controller deregistration
- [arm*] spi: s3c64xx: Use devm_clk_get_enabled()
- [arm*] spi: s3c64xx: fix NULL-deref on driver unbind (CVE-2026-46296)
- mtd: spi-nor: core: fix implicit declaration warning
- mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
(CVE-2026-46190)
- [arm*] spi: tegra114: fix controller deregistration
- [arm*] spi: tegra20-sflash: fix controller deregistration
- mm/hugetlb_cma: round up per_node before logging it
- net: wwan: t7xx: validate port_count against message length in
t7xx_port_enum_msg_handler (CVE-2026-43495)
- fbcon: Avoid OOB font access if console rotation fails (CVE-2026-46191)
- [i386] spi: topcliff-pch: Convert to platform remove callback returning
void
- btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
info-leak (CVE-2026-46159)
- tracing/probes: Limit size of event probe to 3K
- btrfs: remove fs_info argument from btrfs_sysfs_add_space_info_type()
- btrfs: fix double free in create_space_info_sub_group() error path
(CVE-2026-46164)
- pmdomain: core: Fix detach procedure for virtual devices in genpd
(CVE-2026-46292)
- smb: client: validate dacloffset before building DACL pointers
(CVE-2026-46195)
- smb: client: Use FullSessionKey for AES-256 encryption key derivation
- btrfs: fix missing last_unlink_trans update when removing a directory
(CVE-2026-46160)
- mptcp: fastclose msk when linger time is 0
- mptcp: pm: prio: skip closed subflows
- mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
- mptcp: pm: ADD_ADDR rtx: allow ID 0
- mptcp: pm: ADD_ADDR rtx: fix potential data-race (CVE-2026-46137)
- mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
- f2fs: fix incorrect file address mapping when inline inode is unwritten
- f2fs: fix false alarm of lockdep on cp_global_sem lock
- cgroup/cpuset: Reset DL migration state on can_attach() failure
- genetlink: Use internal flags for multicast groups
- smb: client: require net admin for CIFS SWN netlink
- Bluetooth: hci_qca: Convert timeout from jiffies to ms
- mm/memory: fix spurious warning when unmapping device-private/exclusive
pages
- Bluetooth: Init sk_peer_* on bt_sock_alloc
- Bluetooth: serialize accept_q access (CVE-2026-52918)
- net: hsr: defer node table free until after RCU readers
- ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
- ice: fix VF queue configuration with low MTU values
- mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
- [arm64] octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
- mptcp: reset rcv wnd on disconnect
- mptcp: do not drop partial packets
- [x86] platform/x86/intel/vsec: Add private data for per-device data
- [x86] platform/x86/intel/vsec: Create wrapper to walk PCI config space
- [x86] platform/x86/intel/vsec: Make driver_data info const
- [x86] platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error
recovery
- [arm64] spi: qup: switch to use modern name
- [arm64] spi: qup: fix error pointer deref after DMA setup failure
- [arm64] tlb: Flush walk cache when unsharing PMD tables
- phy: tegra: xusb: Disable trk clk when not in use
- phy: tegra: xusb: Fix per-pad high-speed termination calibration
- iio: gyro: adis16260: fix division by zero in write_raw
- iio: dac: ad5686: fix ref bit initialization for single-channel parts
- ALSA: firewire-motu: Protect register DSP event queue positions
- [armhf] serial: samsung_tty: Use port lock wrappers
- [armhf] tty: serial: samsung: use u32 for register interactions
- [armhf] tty: serial: samsung: Remove redundant port lock acquisition in
rx helpers
- [arm64] usb: dwc3: xilinx: fix error handling in zynqmp init error paths
- [armhf] usb: musb: omap2430: Fix use-after-free in omap2430_probe()
- usb: gadget: f_hid: tidy error handling in hidg_alloc
- usb: gadget: f_hid: fix device reference leak in hidg_alloc()
- usb: typec: ucsi: Check if power role change actually happened before
handling
- thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
- [arm64] tty: serial: qcom-geni-serial: remove unused symbols
- [arm64] tty: serial: qcom-geni-serial: align #define values
- [arm64] serial: qcom-geni: fix UART_RX_PAR_EN bit position
- scsi: target: iscsi: Fix CRC overread and double-free in
iscsit_handle_text_cmd()
- usb: typec: ucsi: Don't update power_supply on power role change if not
connected
- netfilter: nft_fib: fix stale stack leak via the OIFNAME register
(CVE-2026-53134)
- hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
(CVE-2026-53199)
- mm/hugetlb: rename isolate_hugetlb() to folio_isolate_hugetlb()
- mm/migrate: don't call folio_putback_active_hugetlb() on dst hugetlb
folio
- mm/hugetlb: rename folio_putback_active_hugetlb() to
folio_putback_hugetlb()
- mm/memory-failure: fix missing ->mf_stats count in hugetlb poison
- mm/memory-failure: fix hugetlb_lock AA deadlock in
get_huge_page_for_hwpoison (CVE-2026-53207)
- RDMA: Move DMA block iterator logic into dedicated files
- RDMA/umem: Fix truncation for block sizes >= 4G (CVE-2026-53133)
- ipvs: skip ipv6 extension headers for csum checks (CVE-2026-45850)
- blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed
before init (CVE-2023-54271)
- batman-adv: stop tp_meter sessions during mesh teardown (CVE-2026-46208)
- batman-adv: tp_meter: fix tp_num leak on kmalloc failure
- [x86] ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
- perf build: Conditionally define NDEBUG
- perf parse-events: Make YYDEBUG dependent on doing a debug build
- perf build: Disable fewer bison warnings
- [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
- ipmi:ssif: Fix a shutdown race
- ipmi:ssif: Clean up kthread on errors (CVE-2026-46044)
- usb: typec: tcpm: reset internal port states on soft reset AMS
- lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
(CVE-2026-43492)
- ipmi:ssif: Remove unnecessary indention
- ipmi:ssif: NULL thread on error
- [arm*] drm/v3d: Reject empty multisync extension to prevent infinite
loop (CVE-2026-46314)
- [arm64] Mitigate TLBI errata on various CPU cores (CVE-2025-10263):
+ cputype: Add NVIDIA Olympus definitions
+ cputype: Add C1-Ultra definitions
+ cputype: Add C1-Premium definitions
+ errata: Mitigate TLBI errata on various Arm CPUs (CVE-2026-53354)
+ errata: Mitigate TLBI errata on NVIDIA Olympus CPU
+ errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
- [armhf] fbdev: vt8500lcdfb: Fix dma_free_coherent() cpu_addr parameter
(regression in 6.1.165)
- [x86] CPU/AMD: Move the Zen3 BTC_NO detection to the Zen3 init function
(regression in 6.1.173)
- r8152: Hold the rtnl_lock for all of reset
- media: rc: ttusbir: fix inverted error logic
- batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown
- media: rc: igorplugusb: fix control request setup packet (CVE-2026-46091)
- ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
- batman-adv: tp_meter: fix race condition in send error reporting
- batman-adv: tp_meter: avoid role confusion in tp_list
- netfilter: require Ethernet MAC header before using eth_hdr()
(CVE-2026-53131)
.
[ Ben Hutchings ]
* Refresh "rxrpc: Fix conn-level packet handling to unshare RESPONSE packets"
* [rt] Add new signing key for Clark Williams
* [rt] Update to 6.1.176-rt64:
- ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
- [x86] kvm/vmx: guard regparm(0) on vmread_error_trampoline for x86_32
only
* [x86] Revert "x86/CPU: Only try to mitigate FPDSS on Zen1" as redundant
* Revert "net: ipv4: stop checking crypto_ahash_alignmask"
* Revert "net: ipv6: stop checking crypto_ahash_alignmask"
* Revert "Bluetooth: L2CAP: use chan timer to close channels in
cleanup_listen()"
* cgroup/cpuset: Fix misplaced call to reset_migrate_dl_data()
* media: uvcvideo: Create an ID namespace for streaming output terminals
* [ppc64el] cpuidle: Set CPUIDLE_FLAG_POLLING for snooze state
* Revert "media: rc: streamzap: Error handling in probe"
* Revert "epoll: use refcount to reduce ep_mutex contention"
(CVE-2025-38349, CVE-2026-46242)
.
[ Salvatore Bonaccorso ]
* ip6_vti: set netns_immutable on the fallback device. (CVE-2026-52909)
* net/sched: act_pedit: check static offsets a priori
* net/sched: act_pedit: rate limit datapath messages
* net/sched: fix pedit partial COW leading to page cache corruption
(CVE-2026-46331)
* net/sched: act_pedit: free pedit keys on bail from offset check
--- End Message ---