#1119093 linux-image-6.16.3+deb13-amd64: UBSAN array-index-out-of-bounds in ath5k driver

Package:
src:linux
Source:
src:linux
Submitter:
Vincent Danjean
Date:
2026-05-16 23:35:01 UTC
Severity:
normal
Tags:
#1119093#5
Date:
2025-10-26 21:22:49 UTC
From:
To:
  Hi,

  The ath5k driver seems to do an array-index-out-of-bounds access
as shown by the UBSAN kernel message.
[   17.954484] ------------[ cut here ]------------
[   17.954487] UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.16.3/drivers/net/wireless/ath/ath5k/base.c:1741:20
[   17.955289] index 4 is out of range for type 'ieee80211_tx_rate [4]'
[   17.956134] CPU: 1 UID: 0 PID: 1745 Comm: 16 Not tainted 6.16.3+deb13-amd64 #1 PREEMPT(lazy)  Debian 6.16.3-1~bpo13+1
[   17.956137] Hardware name: Gigabyte Technology Co., Ltd. H67A-UD3H-B3/H67A-UD3H-B3, BIOS F8 03/27/2012
[   17.956139] Call Trace:
[   17.956142]  <TASK>
[   17.956145]  dump_stack_lvl+0x5d/0x80
[   17.956154]  ubsan_epilogue+0x5/0x2b
[   17.956158]  __ubsan_handle_out_of_bounds.cold+0x46/0x4b
[   17.956162]  ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
[   17.956173]  tasklet_action_common+0xb5/0x1c0
[   17.956178]  handle_softirqs+0xdf/0x320
[   17.956181]  __irq_exit_rcu+0xbc/0xe0
[   17.956184]  common_interrupt+0x47/0xa0
[   17.956188]  asm_common_interrupt+0x26/0x40
[   17.956191] RIP: 0033:0x7f4fa439067d
[   17.956204] Code: 0f b6 14 16 45 85 c0 74 01 92 29 d0 c3 48 8d 3c 07 48 8d 34 0e 45 85 c0 74 03 48 87 f7 48 0f bc d2 49 29 d3 76 0b 0f b6 0c 16 <0f> b6 04 17 29 c8 c3 31 c0 c3 66 0f 1f 84 00 00 00 00 00 0f b6 0e
[   17.956206] RSP: 002b:00007ffd8cc32f08 EFLAGS: 00000212
[   17.956209] RAX: 0000000000000020 RBX: 0000556dfab414a0 RCX: 0000000000000070
[   17.956210] RDX: 000000000000000d RSI: 00007f4fa4b7a05f RDI: 0000556dfab414a0
[   17.956211] RBP: 00007f4fa4b7a05f R08: 0000000000000400 R09: 0000000000000008
[   17.956213] R10: fffffffffffff4b8 R11: 000000000000000e R12: 000000000000001b
[   17.956214] R13: 0000556dfab412c0 R14: 00007ffd8cc32f80 R15: 00007f4fa4b79eaf
[   17.956217]  </TASK>
[   17.956217] ---[ end trace ]---

It occurs once at each boot.
According to
https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable/+blame/master/drivers/net/wireless/ath/ath5k/base.c
the line of code has not changed for about 15 years.
And I'm using this driver for more than 10 years.
So, the array-index-out-of-bounds does not seem to
have hard consequences for now (by luck?)

  Regards,
    Vincent

#1119093#10
Date:
2025-11-01 14:09:20 UTC
From:
To:
Hi

In Debian, https://bugs.debian.org/1119093, Vincent Danjean reported
the following:

Does that ring any bell?

Regards,
Salvatore

#1119093#19
Date:
2025-11-03 07:00:48 UTC
From:
To:
Hi,

No, but it is real. ts_final_idx is at most 3 on 5212, so:
   info->status.rates[ts->ts_final_idx + 1].idx = -1;
with:
   struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
and:
   #define IEEE80211_TX_MAX_RATES  4
is indeed bogus.

IMO we should just *not* set idx = -1 if ts->ts_final_idx is >= 3. As
mac80211 won't look at rates beyond IEEE80211_TX_MAX_RATES.

FWIW, the effect of the UB is it just overwrites the next member of
info->status, i.e. ack_signal.

thanks,

#1119093#24
Date:
2025-11-03 07:26:44 UTC
From:
To:
Le 03/11/2025 à 08:04, Jiri Slaby a écrit :
I won't go back there until Christmas.

I will see if I can test remotely.

   Regards,
     Vincent

#1119093#29
Date:
2025-11-03 07:04:00 UTC
From:
To:
--- a/drivers/net/wireless/ath/ath5k/base.c
+++ b/drivers/net/wireless/ath/ath5k/base.c
@@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah,
struct sk_buff *skb,
         }

         info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
-       info->status.rates[ts->ts_final_idx + 1].idx = -1;
+       if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
+               info->status.rates[ts->ts_final_idx + 1].idx = -1;

         if (unlikely(ts->ts_status)) {
                 ah->stats.ack_fail++;

Vincent, can you test this?

#1119093#36
Date:
2025-11-19 07:12:01 UTC
From:
To:
Vincent reports:
   info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
   struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
   #define IEEE80211_TX_MAX_RATES  4
is indeed bogus.

Set this 'idx = -1' sentinel only if the array index is less than the
array size. As mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).

Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.

Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Reported-by: Vincent Danjean <vdanjean@debian.org>
Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan
Closes: https://bugs.debian.org/1119093
---
Cc: 1119093@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Cc: Nick Kossifidis <mickflemm@gmail.com>,
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: linux-wireless@vger.kernel.org
---
 drivers/net/wireless/ath/ath5k/base.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c
index 4d88b02ffa79..917e1b087924 100644
--- a/drivers/net/wireless/ath/ath5k/base.c
+++ b/drivers/net/wireless/ath/ath5k/base.c
@@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb,
 	}

 	info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
-	info->status.rates[ts->ts_final_idx + 1].idx = -1;
+	if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
+		info->status.rates[ts->ts_final_idx + 1].idx = -1;

 	if (unlikely(ts->ts_status)) {
 		ah->stats.ack_fail++;
-- 
2.51.1

#1119093#41
Date:
2025-11-19 07:17:15 UTC
From:
To:
Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues")
Cc: stable@vger.kernel.org

Do you want me to resend?

thanks,

#1119093#52
Date:
2025-12-09 10:04:59 UTC
From:
To:
Vincent reports:
   info->status.rates[ts->ts_final_idx + 1].idx = -1;
with the array defined as:
   struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
while the size is:
   #define IEEE80211_TX_MAX_RATES  4
is indeed bogus.

Set this 'idx = -1' sentinel only if the array index is less than the
array size. As mac80211 will not look at rates beyond the size
(IEEE80211_TX_MAX_RATES).

Note: The effect of the OOB write is negligible. It just overwrites the
next member of info->status, i.e. ack_signal.

Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Reported-by: Vincent Danjean <vdanjean@debian.org>
Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan
Closes: https://bugs.debian.org/1119093
Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues")
Cc: stable@vger.kernel.org
---
[v2] added Fixes + Cc: stable

Cc: 1119093@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>
Cc: Nick Kossifidis <mickflemm@gmail.com>,
Cc: Luis Chamberlain <mcgrof@kernel.org>
Cc: linux-wireless@vger.kernel.org
---
 drivers/net/wireless/ath/ath5k/base.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c
index 4d88b02ffa79..917e1b087924 100644
--- a/drivers/net/wireless/ath/ath5k/base.c
+++ b/drivers/net/wireless/ath/ath5k/base.c
@@ -1738,7 +1738,8 @@ ath5k_tx_frame_completed(struct ath5k_hw *ah, struct sk_buff *skb,
 	}

 	info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
-	info->status.rates[ts->ts_final_idx + 1].idx = -1;
+	if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
+		info->status.rates[ts->ts_final_idx + 1].idx = -1;

 	if (unlikely(ts->ts_status)) {
 		ah->stats.ack_fail++;
-- 
2.52.0

#1119093#57
Date:
2026-05-04 14:21:16 UTC
From:
To:
Applied, thanks!

[1/1] wifi: ath5k: do not access array OOB
      commit: d748603f12baff112caa3ab7d39f50100f010dbd

Best regards,

#1119093#66
Date:
2026-05-11 14:25:26 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1119093@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 11 May 2026 16:11:08 +0200
Source: linux
Architecture: source
Version: 7.1~rc3-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1119093 1131025
Changes:
 linux (7.1~rc3-1~exp1) experimental; urgency=medium
 .
   * New upstream release candidate.
     - wifi: ath5k: do not access array OOB (Closes: #1119093)
     - PCI: Update saved_config_space upon resource assignment (Closes: #1131025)
 .
   [ Agathe Porte ]
   * d/watch: migrate to version 5
 .
   [ Loïc Minier ]
   * [arm64] Enable Qualcomm Monaco platforms: add PINCTRL_QCS8300,
     QCS_GCC_8300, INTERCONNECT_QCOM_QCS8300 as builtins.
   * [arm64] Enable Qualcomm Talos platforms: add PINCTRL_QCS615, QCS_GCC_615,
     INTERCONNECT_QCOM_QCS615 as builtins.
   * [arm64] Enable configs for Qualcomm RB1 boards: change QCOM_CLK_SMD_RPM,
     QCM_GCC_2290, QCOM_MPM, QCOM_APCS_IPC, PINCTRL_QCM2290,
     RPMSG_QCOM_GLINK_SMEM, QCOM_SMEM and QCOM_SMD_RPM as
     built-in (instead of modules) and enable CLK_QCM2290_GPUCC as module.
 .
   [ Han Gao ]
   * [riscv64] Enable CMA and DMA_CMA. Set CMA_SIZE_MBYTES=64
 .
   [ Weizhao Ouyang ]
   * [arm64] Enable BST platform support
 .
   [ Sjoerd Simons ]
   * [arm64] Enable AIR_EN8811H_PHY as module
Checksums-Sha1:
 2a0bb392d5ac8661bd8e8d2268f7c85d059245fc 183288 linux_7.1~rc3-1~exp1.dsc
 27e70bcd09dcac5844849fa03f87b4bd68b51a1f 161490612 linux_7.1~rc3.orig.tar.xz
 3105daf18e8449ed8067d346fd78b12adb0d6be7 1454324 linux_7.1~rc3-1~exp1.debian.tar.xz
 c7a6efe3d1ceb8a6aede9835c2ed9f8d071e246c 6900 linux_7.1~rc3-1~exp1_source.buildinfo
Checksums-Sha256:
 7b87dc4c0fdbfd3135f6eaeea58da9e11f958c62857d09c453deda5a62fea8f7 183288 linux_7.1~rc3-1~exp1.dsc
 7c30a797bb30d910e63c6f6fa93aabf9749174d5f1e523396db8801bbab444aa 161490612 linux_7.1~rc3.orig.tar.xz
 d5398548cd6a66ecdebb581ebd252191b23ff78f62725a48aa52ba79b91b76e1 1454324 linux_7.1~rc3-1~exp1.debian.tar.xz
 39c305beda15d4215e675544339224013de2f21bd2d1c0812742806c952a87ea 6900 linux_7.1~rc3-1~exp1_source.buildinfo
Files:
 2d05c84115ff579b4bae50ae99aa2562 183288 kernel optional linux_7.1~rc3-1~exp1.dsc
 bc38beb3ffd1b798ccf20a53e3eb25d6 161490612 kernel optional linux_7.1~rc3.orig.tar.xz
 2bf472cde035ae581aea89aa67ef8a4d 1454324 kernel optional linux_7.1~rc3-1~exp1.debian.tar.xz
 009816b97c743a9c117220288ae989ed 6900 kernel optional linux_7.1~rc3-1~exp1_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmoB5K9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EoycP/jp93g6KyZ0qH452AR2seXFnwJci4CbG
zz6Gru5j8dCCTBH07ed1OXmLseASaGVRI2zZqzyq7gsI/v3mOZ/pW+PyMV3G+Myt
QkvteiZBXTw3xpfBPk6mDwXF/bxc8vrXaOEu/1yHuhAPwoNYrRPLyRb2Arr2SWjv
o6kPqM7fYSwmfl3aOc3JtI1LDNvBIUtMdU4VWx1L9tv//nJylYeHaQXeAEl8Abpi
lhZqaRAc2vTGZ2a3uyc7s36G2maidTS1LCh8McP65ieWNtxl7j9F7aKYZVJhf1c6
MxdOQQLNJ6W0YQgbVvDfBMOxVNiAmtnB/e2UOueEOUN9BWeGbD6Ix/289Vv0vc96
bFghWwY6KptBZzR6d/L/GuDdascj9u9XUXEssQMboSXXE1rzJAIveDpAVYQbhyxp
voyRsC8cxPewrFhQ58BEf2poZlg6YrcojqwFVRh5WcNd5lI1TUOT+9PSrPxHiKYa
VewVXqzbr1A8LtTMd/tagBv6a8KdGxbst/qknJ22EcQcIn5ZHfK9LQ7iXiyjdf/p
EHZthtGAa4pUqytkHr5uuX72/SOEktbxOBioIxANr+oL4c+Dndn7p7R48iS/bypX
OmirvhTIZrtbY8rcadXsU4QOOIo93iM/UmNH1Sj1ggQ57ukxhdTblCA2YYgCOYwc
Wj9U9P15Grrb
=/X1u
-----END PGP SIGNATURE-----

#1119093#73
Date:
2026-05-15 08:24:31 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1119093@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 15 May 2026 08:13:13 +0200
Source: linux
Architecture: source
Version: 7.0.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1119093 1131025
Changes:
 linux (7.0.7-1) unstable; urgency=high
 .
   * New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v7.x/ChangeLog-7.0.5
https://www.kernel.org/pub/linux/kernel/v7.x/ChangeLog-7.0.6
https://www.kernel.org/pub/linux/kernel/v7.x/ChangeLog-7.0.7
     - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
     - ipmi: Add limits to event and receive message requests
     - ipmi: Check event message buffer response for bad data
     - ipmi:si: Return state to normal if message allocation fails
     - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
     - [arm64] ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle
       states
     - ACPI: scan: Use acpi_dev_put() in object add error paths
     - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO
     - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
     - ACPI: video: force native backlight on HP OMEN 16 (8A44)
     - tracepoint: balance regfunc() on func_add() failure in
       tracepoint_add_func()
     - iommufd: Fix a race with concurrent allocation and unmap
     - ASoC: SOF: Don't allow pointer operations on unconfigured streams
     - wifi: mt76: mt7925: fix incorrect TLV length in CLC command
     - [arm64,armhf] spi: rockchip: fix controller deregistration
     - ksmbd: rewrite stop_sessions() with restartable iteration
     - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
     - flow_dissector: do not dissect PPPoE PFC frames
     - smb: client/smbdirect: fix MR registration for coalesced SG lists
     - net/sched: sch_red: Replace direct dequeue call with peek and
       qdisc_dequeue_peeked
     - exit: prevent preemption of oopsing TASK_DEAD task
     - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr
     - wifi: mt76: mt7925: fix incorrect length field in txpower command
     - wifi: mt76: mt7921: fix a potential clc buffer length underflow
     - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
     - wifi: b43legacy: enforce bounds check on firmware key index in RX path
     - wifi: mac80211: drop stray 'static' from fast-RX rx_result
     - wifi: rsi: fix kthread lifetime race between self-exit and external-stop
     - wifi: mac80211: use safe list iteration in radar detect work
     - wifi: ath5k: do not access array OOB (Closes: #1119093)
     - wifi: mac80211: remove station if connection prep fails
     - wifi: b43: enforce bounds check on firmware key index in b43_rx()
     - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog
       task
     - usb: usblp: fix heap leak in IEEE 1284 device ID via short response
     - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
     - ALSA: usb-audio: midi2: Restart output URBs on resume
     - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
     - ALSA: usb-audio: Fix UAC3 cluster descriptor size check
     - usb: dwc3: Move GUID programming after PHY initialization
     - USB: omap_udc: DMA: Don't enable burst 4 mode
     - USB: serial: option: add Telit Cinterion LE910Cx compositions
     - usb: ulpi: fix memory leak on ulpi_register() error paths
     - usb: typec: tcpm: fix debug accessory mode detection for sink ports
     - ALSA: hda: cs35l56: Propagate ASP TX source control errors
     - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
     - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop
       Pro 15
     - ALSA: firewire-tascam: Do not drop unread control events
     - ALSA: core: Serialize deferred fasync state checks
     - ALSA: seq: Fix UMP group 16 filtering
     - [amd64] x86/efi: Restore IRQ state in EFI page fault handler
     - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters
     - xfrm: provide message size for XFRM_MSG_MAPPING
     - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
     - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
     - xfrm: ah: account for ESN high bits in async callbacks
     - selinux: fix avdcache auditing
     - selinux: use sk blob accessor in socket permission helpers
     - selinux: don't reserve xattr slot when we won't fill it
     - selinux: shrink critical section in sel_write_load()
     - selinux: prune /sys/fs/selinux/checkreqprot
     - selinux: prune /sys/fs/selinux/disable
     - selinux: prune /sys/fs/selinux/user
     - selinux: allow multiple opens of /sys/fs/selinux/policy
     - io_uring/kbuf: support min length left for incremental buffers
     - io_uring/tw: serialize ctx->retry_llist with ->uring_lock
     - [loong64] KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read()
     - Bluetooth: virtio_bt: clamp rx length before skb_put
     - Bluetooth: virtio_bt: validate rx pkt_type header length
     - Bluetooth: btmtk: validate WMT event SKB length before struct access
     - Bluetooth: hci_conn: fix potential UAF in create_big_sync
     - Bluetooth: hci_event: Fix OOB read and infinite loop in
       hci_le_create_big_complete_evt
     - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
     - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
     - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb()
     - rust: drm: gem: clean up GEM state in init failure case
     - rust: allow `clippy::collapsible_match` globally
     - rust: allow `clippy::collapsible_if` globally
     - rust: pin-init: internal: move alignment check to `make_field_check`
     - [armhf] spi: sun4i: fix controller deregistration
     - [armhf] spi: ti-qspi: fix controller deregistration
     - spi: sun6i: fix controller deregistration
     - [arm64,armhf] spi: tegra114: fix controller deregistration
     - [arm64,armhf] spi: tegra20-sflash: fix controller deregistration
     - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in
       rtw_cbuf_alloc
     - staging: vme_user: fix root device leak on init failure
     - fanotify: fix false positive on permission events
     - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter
     - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
     - [arm64] signal: Preserve POR_EL0 if poe_context is missing
     - mm/hugetlb_cma: round up per_node before logging it
     - [loong64] Fix SYM_SIGFUNC_START definition for 32BIT
     - [loong64] KVM: Compile switch.S directly into the kernel
     - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
       rtnl_fill_vfinfo
     - mptcp: pm: ADD_ADDR rtx: skip inactive subflows
     - [amd64] perf/x86/intel: Improve validation and configuration of ACR masks
     - rseq: Set rseq::cpu_id_start to 0 on unregistration
     - rseq: Protect rseq_reset() against interrupts
     - rseq: Don't advertise time slice extensions if disabled
     - [amd64] accel/ivpu: Disallow re-exporting imported GEM objects
     - sound: ua101: fix division by zero at probe
     - [ppc64el] pseries/papr-hvpipe: Fix race with interrupt handler
     - [ppc64el] pseries/papr-hvpipe: Prevent kernel stack memory leak to
       userspace
     - [ppc64el] pseries/papr-hvpipe: Fix null ptr deref in
       papr_hvpipe_dev_create_handle()
     - [ppc64el] pseries/papr-hvpipe: Fix & simplify error handling in
       papr_hvpipe_init()
     - [ppc64el] pseries/papr-hvpipe: Fix the usage of copy_to_user()
     - net: libwx: fix VF illegal register access
     - ip6_gre: Use cached t->net in ip6erspan_changelink().
     - net: libwx: use request_irq for VF misc interrupt
     - netpoll: pass buffer size to egress_dev() to avoid MAC truncation
     - net/rds: handle zerocopy send cleanup before the message is queued
     - net: wwan: t7xx: validate port_count against message length in
       t7xx_port_enum_msg_handler
     - ovl: fix verity lazy-load guard broken by fsverity_active() semantic
       change
     - [amd64] x86/efi: Fix graceful fault handling after FPU softirq changes
     - hwmon: (ltc2992) Clamp threshold writes to hardware range
     - hwmon: (ltc2992) Fix u32 overflow in power read path
     - clk: rk808: fix OF node reference imbalance
     - hwmon: (corsair-psu) Close HID device on probe errors
     - af_unix: Reject SIOCATMARK on non-stream sockets
     - [arm64] fpsimd: ptrace: zero target's fpsimd_state, not the tracer's
     - pmdomain: mediatek: fix use-after-free in
       scpsys_get_bus_protection_legacy()
     - block: add pgmap check to biovec_phys_mergeable
     - block: fix zone write plug removal
     - block: only read from sqe on initial invocation of blkdev_uring_cmd()
     - cifs: abort open_cached_dir if we don't request leases
     - cifs: change_conf needs to be called for session setup
     - extcon: ptn5150: handle pending IRQ events during system resume
     - fbcon: Avoid OOB font access if console rotation fails
     - gpio: of: clear OF_POPULATED on hog nodes in remove path
     - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS
     - hv_sock: fix ARM64 support
     - hv_sock: Report EOF instead of -EIO for FIN
     - hv_sock: Return -EIO for malformed/short packets
     - ibmveth: Disable GSO for packets with small MSS
     - ice: fix double free in ice_sf_eth_activate() error path
     - tracefs: Fix default permissions not being applied on initial mount
     - udf: reject descriptors with oversized CRC length
     - [amd64] x86/boot/e820: Re-enable BIOS fallback if e820 table is empty
     - thermal: core: Free thermal zone ID later during removal
     - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
     - thermal/drivers/sprd: Fix raw temperature clamping in
       sprd_thm_rawdata_to_temp
     - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section
     - tracing/fprobe: Remove fprobe from hash in failure path
     - tracing/fprobe: Unregister fprobe even if memory allocation fails
     - tracing/probes: Limit size of event probe to 3K
     - tracing/fprobe: Check the same type fprobe on table as the unregistered
       one
     - [riscv64] clk: microchip: mpfs-ccc: fix out of bounds access during output
       registration
     - [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in
       quirk table
     - [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
     - [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
     - [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed
     - btrfs: do not mark inode incompressible after inline attempt fails
     - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to
       info-leak
     - btrfs: fix double free in create_space_info() error path
     - btrfs: fix double free in create_space_info_sub_group() error path
     - btrfs: fix missing last_unlink_trans update when removing a directory
     - dm-thin: fix metadata refcount underflow
     - dm: don't report warning when doing deferred remove
     - dm: fix a buffer overflow in ioctl processing
     - eventfs: Hold eventfs_mutex and SRCU when remount walks events
     - dm-verity-fec: correctly reject too-small FEC devices
     - dm-verity-fec: correctly reject too-small hash devices
     - dm-verity-fec: fix corrected block count stat
     - dm-verity-fec: fix reading parity bytes split across blocks (take 3)
     - dm-verity-fec: fix the size of dm_verity_fec_io::erasures
     - isofs: validate Rock Ridge CE continuation extent against volume size
     - isofs: validate block number from NFS file handle in isofs_export_iget
     - [amd64] iommu/vt-d: Block PASID attachment to nested domain with dirty
       tracking
     - [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update
     - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
     - lib/crc: tests: Make crc_kunit test only the enabled CRC variants
     - lib/scatterlist: fix length calculations in extract_kvec_to_sg
     - lib/scatterlist: fix temp buffer in extract_user_to_sg()
     - libceph: Fix slab-out-of-bounds access in auth message processing
     - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
     - nvme-apple: drop invalid put of admin queue reference count
     - nvmet-tcp: fix race between ICReq handling and queue teardown
     - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
     - openvswitch: vport: fix self-deadlock on release of tunnel ports
     - pmdomain: core: Fix detach procedure for virtual devices in genpd
     - psp: strip variable-length PSP header in psp_dev_rcv()
     - RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
     - [riscv64] kvm: fix vector context allocation leak
     - [s390x] debug: Reject zero-length input in debug_input_flush_fn()
     - [s390x] debug: Reject zero-length input before trimming a newline
     - scsi: mpt3sas: Limit NVMe request size to 2 MiB
     - smb/client: fix out-of-bounds read in smb2_compound_op()
     - smb/client: fix out-of-bounds read in symlink_data()
     - smb: client: use kzalloc to zero-initialize security descriptor buffer
     - smb: client: validate dacloffset before building DACL pointers
     - [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls
     - [amd64] KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is
       empty
     - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values
     - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values
     - mm/damon/stat: detect and use fresh enabled value
     - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
     - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock
     - PCI: Update saved_config_space upon resource assignment (Closes: #1131025)
     - PCI/AER: Clear only error bits in PCIe Device Status
     - PCI/AER: Stop ruling out unbound devices as error source
     - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
     - power: supply: max17042: avoid overflow when determining health
     - [powerpc*] xive: fix kmemleak caused by incorrect chip_data lookup
     - [amd64] perf/x86/intel: Always reprogram ACR events to prevent stale masks
     - [amd64] perf/x86/intel: Disable PMI for self-reloaded ACR events
     - [amd64] perf/x86/intel: Enable auto counter reload for DMR
     - RDMA/ionic: bound node_desc sysfs read with %.64s
     - RDMA/ionic: Fix typo in format string
     - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
     - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
     - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss()
     - RDMA/mana: Validate rx_hash_key_len
     - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event()
     - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
     - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
     - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
     - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
     - RDMA/rxe: Reject unknown opcodes before ICRC processing
     - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
     - remoteproc: imx_rproc: Fix NULL vs IS_ERR() bug in imx_rproc_addr_init()
     - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init()
     - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask
     - sched_ext: Use dsq->first_task instead of list_empty() in
       dispatch_enqueue() FIFO-tail
     - mptcp: fastclose msk when linger time is 0
     - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
     - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
     - mptcp: sockopt: set timestamp flags on subflow socket, not msk
     - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf
     - mptcp: fix rx timestamp corruption on fastopen
     - mptcp: fix scheduling with atomic in timestamp sockopt
     - mptcp: pm: prio: skip closed subflows
     - mptcp: pm: kernel: reset fullmesh counter after flush
     - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0
     - mptcp: pm: ADD_ADDR rtx: allow ID 0
     - mptcp: pm: ADD_ADDR rtx: fix potential data-race
     - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount
     - mptcp: pm: ADD_ADDR rtx: free sk if last
     - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker
     - mptcp: pm: ADD_ADDR rtx: return early if no retrans
     - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
     - f2fs: fix false alarm of lockdep on cp_global_sem lock
     - f2fs: fix fiemap boundary handling when read extent cache is incomplete
     - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage
     - f2fs: fix incorrect file address mapping when inline inode is unwritten
     - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
     - f2fs: fix node_cnt race between extent node destroy and writeback
     - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()
     - f2fs: refactor f2fs_move_node_folio function
     - f2fs: fix inline data not being written to disk in writeback path
     - f2fs: fix fsck inconsistency caused by FGGC of node block
     - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
     - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong
       value
     - [arm64] KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
     - [arm64] KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer
     - [arm64] KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer
     - [arm64] KVM: arm64: Fix pin leak and publication ordering in
       __pkvm_init_vcpu()
     - [loong64] Fix potential ADE in loongson_gpu_fixup_dma_hang()
     - [loong64] KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS
     - [loong64] KVM: Fix "unreliable stack" for kvm_exc_entry
     - [loong64] KVM: Fix HW timer interrupt lost when inject interrupt by
       software
     - [loong64] KVM: Move unconditional delay into timer clear scenery
     - [loong64] KVM: Use kvm_set_pte() in kvm_flush_pte()
     - [loong64] Use per-root-bridge PCIH flag to skip mem resource fixup
     - bpf: Fix use-after-free in arena_vm_close on fork
     - octeon_ep_vf: add NULL check for napi_build_skb()
     - mmc: core: Adjust MDT beyond 2025
     - mmc: core: Add quirk for incorrect manufacturing date
     - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
     - crypto: qat - fix indentation of macros in qat_hal.c
     - crypto: qat - fix firmware loading failure for GEN6 devices
     - hfsplus: fix uninit-value by validating catalog record size
     - hfsplus: fix held lock freed on hfsplus_fill_super()
     - 8021q: use RCU for egress QoS mappings
     - 8021q: delete cleared egress QoS mappings
     - printk: add print_hex_dump_devel()
     - crypto: caam - guard HMAC key hex dumps in hash_digest_key
     - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
     - net: stmmac: Prevent NULL deref when RX memory exhausted
     - rust: pin-init: fix incorrect accessor reference lifetime
     - [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in
       Zen2's op cache
     - ksmbd: validate inherited ACE SID length
 .
   [ Salvatore Bonaccorso ]
   * ptrace: slightly saner 'get_dumpable()' logic
Checksums-Sha1:
 bdb7e1fbd034dd9fed0e2d77e0bfdaac647b677c 194732 linux_7.0.7-1.dsc
 12ad382a2f4e1950cf37d72a450223e8650db54b 160366364 linux_7.0.7.orig.tar.xz
 78405e56ed662c127777220c14e0902287d59f0c 1468968 linux_7.0.7-1.debian.tar.xz
 2536ac1e279b84c1b255ac6bfa135c95b46eb0bc 6872 linux_7.0.7-1_source.buildinfo
Checksums-Sha256:
 3dd61ac38ee7357e5e2c010d85f88c1916f7c5d31a99d359e0b85b0f0e91cb1c 194732 linux_7.0.7-1.dsc
 a14109ce964b753c72ef0d5aef3653686957a491925deea3467c73faaa11ff1d 160366364 linux_7.0.7.orig.tar.xz
 c50b09443af3d2a06bbf91a1ae8a7f11931065e941e5c0f20ff5ee3c7fa179e2 1468968 linux_7.0.7-1.debian.tar.xz
 ac35bd612e2612089a371d45dfe22bba4eb6a4edbc17b5bc4235c597efad3baa 6872 linux_7.0.7-1_source.buildinfo
Files:
 221de020af4ff68409fdc1deb21be3a9 194732 kernel optional linux_7.0.7-1.dsc
 3988334628ee990aa5d48fd135f0c77d 160366364 kernel optional linux_7.0.7.orig.tar.xz
 16deb5024f5defa802e706107ff8cb5f 1468968 kernel optional linux_7.0.7-1.debian.tar.xz
 a20bdb2fd34fea159c7f1f858bbcac6a 6872 kernel optional linux_7.0.7-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmoGuoNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ENiIP/itV76theCauQ+TIsZdNWHZ4NSjCl6ce
FAeY3WrlQtfiUJFVVavcvr+LnB/my76Hpxwyg2QvmXpxhVN7qGaWt+wbTfbfoplZ
jumq4MaiQ7TV0dgU9AsU+/smLIzvbimyRwDKJOl12cSRW+um98S4T6LyjBCPLHLp
Bj39+C4G69WpMw3PBZ1Rehi01/ev2aPKAFjT7f9eFE6EPsFa/kUjS4ba95+GAWkp
jNrmaH0SjzK535Zvk9H+imzFgb8rgKRiYowcPnmjD60ywdj58W6oSbTvSGdKVgyF
bij6/WYfIckcHgRxOkNXO5nM3F2nWRKmP3tUAqiIpialSmZmwWFaaT1WhwYQ4HeD
xgYKEExfXneW1vU7Wbg2uu5DZINmNTIGXWArhm+D9MZTNSZRfrA8Qv5eTRjJrROD
iakVKnEn7+5cW3zRnNIFMBFy6L4bdxlcTo9xro0KMUgMOMMOQNo8ReCnarThbsFb
+jxc5wImHLJxC+aUif9Y/c06tqo7A0sfiyKUjcLY8Kiv5PyRjzfF4Fp0e6xxFbYQ
NJKygJDOZMc3NTjjKE1DnvTdehik1quokdKMrlSKffVEZii8xeI313bkfWVB9hVq
MdMA3Zr5qhgo2w8Ms2pARA+DeP2zuY61T9mbFL3Gb8SfUR9nJl5NIz/W2CIj+Reo
vGtxp9lfSstL
=/7mN
-----END PGP SIGNATURE-----

#1119093#78
Date:
2026-05-16 23:32:32 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1119093@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 15 May 2026 11:52:56 +0200
Source: linux
Architecture: source
Version: 6.12.88-1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1119093 1131025 1135313
Changes:
 linux (6.12.88-1) trixie-security; urgency=high
 .
   * New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.87
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.88
     - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()
     - ipmi: Add limits to event and receive message requests
     - ipmi: Check event message buffer response for bad data
     - ipmi:si: Return state to normal if message allocation fails
     - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free
     - ACPI: scan: Use acpi_dev_put() in object add error paths
     - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO
     - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug
     - ACPI: video: force native backlight on HP OMEN 16 (8A44)
     - ASoC: SOF: Don't allow pointer operations on unconfigured streams
     - spi: rockchip: fix controller deregistration
     - ksmbd: rewrite stop_sessions() with restartable iteration
     - mm: convert mm_lock_seq to a proper seqcount
     - [amd64] x86: shadow stacks: proper error handling for mmap lock
       (CVE-2026-43109)
     - [amd64] x86/shstk: Prevent deadlock during shstk sigreturn
     - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN
     - [amd64] iommu/amd: Use atomic64_inc_return() in iommu.c
     - [amd64] iommu/amd: serialize sequence allocation under concurrent TLB
       invalidations (CVE-2026-43220) (Closes: #1135313)
     - flow_dissector: do not dissect PPPoE PFC frames
     - net: txgbe: fix RTNL assertion warning when remove module
     - net: af_key: zero aligned sockaddr tail in PF_KEY exports (CVE-2026-43088)
     - [amd64] KVM: SVM: check validity of VMCB controls when returning from SMM
     - net/sched: sch_red: Replace direct dequeue call with peek and
       qdisc_dequeue_peeked
     - Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() (CVE-2026-31499)
     - exit: prevent preemption of oopsing TASK_DEAD task
     - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr
     - wifi: mt76: mt7925: fix incorrect length field in txpower command
     - wifi: mt76: mt7921: fix a potential clc buffer length underflow
     - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work
     - wifi: b43legacy: enforce bounds check on firmware key index in RX path
     - wifi: mac80211: drop stray 'static' from fast-RX rx_result
     - wifi: rsi: fix kthread lifetime race between self-exit and external-stop
     - wifi: mac80211: use safe list iteration in radar detect work
     - wifi: ath5k: do not access array OOB (Closes: #1119093)
     - wifi: mac80211: remove station if connection prep fails
     - wifi: b43: enforce bounds check on firmware key index in b43_rx()
     - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog
       task
     - usb: usblp: fix heap leak in IEEE 1284 device ID via short response
     - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
     - ALSA: usb-audio: midi2: Restart output URBs on resume
     - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()
     - ALSA: usb-audio: Fix UAC3 cluster descriptor size check
     - USB: omap_udc: DMA: Don't enable burst 4 mode
     - USB: serial: option: add Telit Cinterion LE910Cx compositions
     - usb: ulpi: fix memory leak on ulpi_register() error paths
     - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
     - ALSA: firewire-tascam: Do not drop unread control events
     - xfrm: provide message size for XFRM_MSG_MAPPING
     - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete
     - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap()
     - xfrm: ah: account for ESN high bits in async callbacks
     - selinux: don't reserve xattr slot when we won't fill it
     - selinux: shrink critical section in sel_write_load()
     - selinux: prune /sys/fs/selinux/disable
     - Bluetooth: virtio_bt: clamp rx length before skb_put
     - Bluetooth: virtio_bt: validate rx pkt_type header length
     - Bluetooth: btmtk: validate WMT event SKB length before struct access
     - Bluetooth: hci_event: Fix OOB read and infinite loop in
       hci_le_create_big_complete_evt
     - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb()
     - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb()
     - [armhf] spi: sun4i: fix controller deregistration
     - [armhf] spi: ti-qspi: fix controller deregistration
     - spi: sun6i: fix controller deregistration
     - fanotify: fix false positive on permission events
     - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter
     - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()
     - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in
       rtnl_fill_vfinfo
     - sound: ua101: fix division by zero at probe
     - net: libwx: fix VF illegal register access
     - ip6_gre: Use cached t->net in ip6erspan_changelink().
     - net/rds: handle zerocopy send cleanup before the message is queued
     - net: wwan: t7xx: validate port_count against message length in
       t7xx_port_enum_msg_handler
     - hwmon: (ltc2992) Clamp threshold writes to hardware range
     - hwmon: (ltc2992) Fix u32 overflow in power read path
     - clk: rk808: fix OF node reference imbalance
     - hwmon: (corsair-psu) Close HID device on probe errors
     - af_unix: Reject SIOCATMARK on non-stream sockets
     - block: add pgmap check to biovec_phys_mergeable
     - cifs: abort open_cached_dir if we don't request leases
     - cifs: change_conf needs to be called for session setup
     - extcon: ptn5150: handle pending IRQ events during system resume
     - gpio: of: clear OF_POPULATED on hog nodes in remove path
     - hv_sock: fix ARM64 support
     - ibmveth: Disable GSO for packets with small MSS
     - ice: fix double free in ice_sf_eth_activate() error path
     - spi: microchip-core-qspi: fix controller deregistration
     - udf: reject descriptors with oversized CRC length
     - thermal: core: Free thermal zone ID later during removal
     - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata
     - thermal/drivers/sprd: Fix raw temperature clamping in
       sprd_thm_rawdata_to_temp
     - spi: topcliff-pch: fix controller deregistration
     - spi: topcliff-pch: fix use-after-free on unbind
     - clk: imx: imx8-acm: fix flags for acm clocks
     - clk: microchip: mpfs-ccc: fix out of bounds access during output
       registration
     - cpuidle: powerpc: avoid double clear when breaking snooze
     - [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in
       quirk table
     - [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
     - [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
     - [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed
     - btrfs: fix double free in create_space_info() error path
     - dm-thin: fix metadata refcount underflow
     - dm: don't report warning when doing deferred remove
     - dm: fix a buffer overflow in ioctl processing
     - eventfs: Hold eventfs_mutex and SRCU when remount walks events
     - dm-verity-fec: correctly reject too-small FEC devices
     - dm-verity-fec: correctly reject too-small hash devices
     - isofs: validate Rock Ridge CE continuation extent against volume size
     - isofs: validate block number from NFS file handle in isofs_export_iget
     - [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update
     - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
     - lib/scatterlist: fix length calculations in extract_kvec_to_sg
     - lib/scatterlist: fix temp buffer in extract_user_to_sg()
     - libceph: Fix slab-out-of-bounds access in auth message processing
     - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
     - nvme-apple: drop invalid put of admin queue reference count
     - nvmet-tcp: fix race between ICReq handling and queue teardown
     - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
     - openvswitch: vport: fix self-deadlock on release of tunnel ports
     - pmdomain: core: Fix detach procedure for virtual devices in genpd
     - [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
     - [s390x] debug: Reject zero-length input in debug_input_flush_fn()
     - smb/client: fix out-of-bounds read in smb2_compound_op()
     - smb/client: fix out-of-bounds read in symlink_data()
     - smb: client: use kzalloc to zero-initialize security descriptor buffer
     - smb: client: validate dacloffset before building DACL pointers
     - [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls
     - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
     - PCI: Update saved_config_space upon resource assignment (Closes: #1131025)
     - PCI/AER: Clear only error bits in PCIe Device Status
     - PCI/AER: Stop ruling out unbound devices as error source
     - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
     - power: supply: max17042: avoid overflow when determining health
     - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
     - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
     - RDMA/mana: Validate rx_hash_key_len
     - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
     - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
     - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
     - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
     - RDMA/rxe: Reject unknown opcodes before ICRC processing
     - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
     - mptcp: fastclose msk when linger time is 0
     - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
     - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
     - mptcp: sockopt: set timestamp flags on subflow socket, not msk
     - mptcp: fix scheduling with atomic in timestamp sockopt
     - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
     - f2fs: fix fiemap boundary handling when read extent cache is incomplete
     - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
     - f2fs: fix node_cnt race between extent node destroy and writeback
     - f2fs: fix uninitialized kobject put in f2fs_init_sysfs()
     - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong
       value
     - [arm64] KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
     - bpf: Fix use-after-free in arena_vm_close on fork
     - fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
     - fs: prepare for adding LSM blob to backing_file
     - dma-mapping: drop unneeded includes from dma-mapping.h
     - dma-mapping: add __dma_from_device_group_begin()/end()
     - hwmon: (powerz) Avoid cacheline sharing for DMA buffer
     - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
     - udf: fix partition descriptor append bookkeeping
     - mtd: spinand: winbond: Declare the QE bit on W25NxxJW
     - hfsplus: fix uninit-value by validating catalog record size
     - hfsplus: fix held lock freed on hfsplus_fill_super()
     - erofs: move {in,out}pages into struct z_erofs_decompress_req
     - erofs: tidy up z_erofs_lz4_handle_overlap()
     - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
     - gtp: disable BH before calling udp_tunnel_xmit_skb()
     - printk: add print_hex_dump_devel()
     - crypto: caam - guard HMAC key hex dumps in hash_digest_key
     - ALSA: aloop: Fix peer runtime UAF during format-change stop
     - net: stmmac: avoid shadowing global buf_sz
     - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
     - net: stmmac: Prevent NULL deref when RX memory exhausted
     - wifi: mt76: mt7925: fix incorrect TLV length in CLC command
     - tracepoint: balance regfunc() on func_add() failure in
       tracepoint_add_func()
     - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
     - [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in
       Zen2's op cache
     - ksmbd: validate inherited ACE SID length
 .
   [ Salvatore Bonaccorso ]
   * ptrace: slightly saner 'get_dumpable()' logic
Checksums-Sha1:
 9b8f33673ff81e734b829154bb8e8f2ad2b5ae47 288306 linux_6.12.88-1.dsc
 0b54434c0459caf30e7f292d71c2511396ddff2b 151267944 linux_6.12.88.orig.tar.xz
 7a7072dc2dc493acfa2af638b18d218bc332f836 1814308 linux_6.12.88-1.debian.tar.xz
 8a6fcd07d62b388ee32d1896049b2f00fcbc971e 6855 linux_6.12.88-1_source.buildinfo
Checksums-Sha256:
 741aae72868c1a0c637322618bd2c698d5a76a35fd269f58e988844107a95c9e 288306 linux_6.12.88-1.dsc
 4181175d5c45476060292e8150687e088cf3f6cc0c4db5166587e79547bb883e 151267944 linux_6.12.88.orig.tar.xz
 5d499f004da3c0d8e715cc24a873b3068b040ebe68a653325ea0fc4a71fe3b7f 1814308 linux_6.12.88-1.debian.tar.xz
 7d647d259b703ff876ff1741dfcc781b47cf5c96632a242514b6e1104bf467bb 6855 linux_6.12.88-1_source.buildinfo
Files:
 8cd34123e266fab4dcab26f67e7cb66d 288306 kernel optional linux_6.12.88-1.dsc
 48032eac7e3aa60ae58498bbfe6476f8 151267944 kernel optional linux_6.12.88.orig.tar.xz
 4cc02e041e6963aaeb1d4cdb5fc95e2d 1814308 kernel optional linux_6.12.88-1.debian.tar.xz
 c3a0dfefe5a4b55d336c9a530925c457 6855 kernel optional linux_6.12.88-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmoG7aRfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E4B8P/jWBmnjzt05dzkueh/+6LjmGQXwY6xFp
zIJnMr1dMrZQ9zenbcoZJG7bdiDXznAy5QhqaaPHs159k5mNVIWAPzEOfWwgbMe2
GJtgFVlSGWAOcJKW26Nx2kurzBGlrWJNnsUExFvGGs1GJbN9WBXp8s4wZHb0XhgK
m/+modftmt29fHFtX/NM8PWIR9wF4NP0mmHmQ+xFJ6J6YuG89vmmihlIgFqNs69V
GzfUllO46RewkKF5Xey2NTGiuVIZgfJ0GJDlbo26DYl1oJ68TF9C0rKU7MGs1Sex
pL5uSiQQhbUckYdCtwgY8IdYeSmtMXuLCYuJ5gRV/LH8WfoU43t0/KO+Ev4QOH/Y
v4qkVJ9BAuKEKoRSc434VM3/cYajEaqzp8xCfKGAKYKDlmJLfqDvrBMTWBkEPs2i
PsOk3gFB5JFreaaQ99lKTT3xCPD++JkvKi9ERQoXUAuayfu404l5SMA0aAUcX4BI
YhDb2aXwqXyi+UDIVB2dYB3TGXEVdiVeG2oJOn2quOkH59zO/FP694eoP2Icbyl0
R/IHjMJ4Pezsr1Qq5GJkKCfryiNWnaklV7aSXiMAVgI726wRahOTcUs23sSdB7j6
rhct3lc7/Dkh0PKkKVCnPHK1i6SiK3oiT95D07HDMogbDQqTnf79CiAclxJchFGM
1Jy989l8oGS3
=+AIQ
-----END PGP SIGNATURE-----