-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 15 May 2026 11:52:56 +0200 Source: linux Architecture: source Version: 6.12.88-1 Distribution: trixie-security Urgency: high Maintainer: Debian Kernel Team Changed-By: Salvatore Bonaccorso Closes: 1119093 1131025 1135313 Changes: linux (6.12.88-1) trixie-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.87 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.88 - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() - ipmi: Add limits to event and receive message requests - ipmi: Check event message buffer response for bad data - ipmi:si: Return state to normal if message allocation fails - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free - ACPI: scan: Use acpi_dev_put() in object add error paths - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug - ACPI: video: force native backlight on HP OMEN 16 (8A44) - ASoC: SOF: Don't allow pointer operations on unconfigured streams - spi: rockchip: fix controller deregistration - ksmbd: rewrite stop_sessions() with restartable iteration - mm: convert mm_lock_seq to a proper seqcount - [amd64] x86: shadow stacks: proper error handling for mmap lock (CVE-2026-43109) - [amd64] x86/shstk: Prevent deadlock during shstk sigreturn - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN - [amd64] iommu/amd: Use atomic64_inc_return() in iommu.c - [amd64] iommu/amd: serialize sequence allocation under concurrent TLB invalidations (CVE-2026-43220) (Closes: #1135313) - flow_dissector: do not dissect PPPoE PFC frames - net: txgbe: fix RTNL assertion warning when remove module - net: af_key: zero aligned sockaddr tail in PF_KEY exports (CVE-2026-43088) - [amd64] KVM: SVM: check validity of VMCB controls when returning from SMM - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked - Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() (CVE-2026-31499) - exit: prevent preemption of oopsing TASK_DEAD task - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr - wifi: mt76: mt7925: fix incorrect length field in txpower command - wifi: mt76: mt7921: fix a potential clc buffer length underflow - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work - wifi: b43legacy: enforce bounds check on firmware key index in RX path - wifi: mac80211: drop stray 'static' from fast-RX rx_result - wifi: rsi: fix kthread lifetime race between self-exit and external-stop - wifi: mac80211: use safe list iteration in radar detect work - wifi: ath5k: do not access array OOB (Closes: #1119093) - wifi: mac80211: remove station if connection prep fails - wifi: b43: enforce bounds check on firmware key index in b43_rx() - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task - usb: usblp: fix heap leak in IEEE 1284 device ID via short response - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl - ALSA: usb-audio: midi2: Restart output URBs on resume - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() - ALSA: usb-audio: Fix UAC3 cluster descriptor size check - USB: omap_udc: DMA: Don't enable burst 4 mode - USB: serial: option: add Telit Cinterion LE910Cx compositions - usb: ulpi: fix memory leak on ulpi_register() error paths - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger - ALSA: firewire-tascam: Do not drop unread control events - xfrm: provide message size for XFRM_MSG_MAPPING - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() - xfrm: ah: account for ESN high bits in async callbacks - selinux: don't reserve xattr slot when we won't fill it - selinux: shrink critical section in sel_write_load() - selinux: prune /sys/fs/selinux/disable - Bluetooth: virtio_bt: clamp rx length before skb_put - Bluetooth: virtio_bt: validate rx pkt_type header length - Bluetooth: btmtk: validate WMT event SKB length before struct access - Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() - [armhf] spi: sun4i: fix controller deregistration - [armhf] spi: ti-qspi: fix controller deregistration - spi: sun6i: fix controller deregistration - fanotify: fix false positive on permission events - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo - sound: ua101: fix division by zero at probe - net: libwx: fix VF illegal register access - ip6_gre: Use cached t->net in ip6erspan_changelink(). - net/rds: handle zerocopy send cleanup before the message is queued - net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler - hwmon: (ltc2992) Clamp threshold writes to hardware range - hwmon: (ltc2992) Fix u32 overflow in power read path - clk: rk808: fix OF node reference imbalance - hwmon: (corsair-psu) Close HID device on probe errors - af_unix: Reject SIOCATMARK on non-stream sockets - block: add pgmap check to biovec_phys_mergeable - cifs: abort open_cached_dir if we don't request leases - cifs: change_conf needs to be called for session setup - extcon: ptn5150: handle pending IRQ events during system resume - gpio: of: clear OF_POPULATED on hog nodes in remove path - hv_sock: fix ARM64 support - ibmveth: Disable GSO for packets with small MSS - ice: fix double free in ice_sf_eth_activate() error path - spi: microchip-core-qspi: fix controller deregistration - udf: reject descriptors with oversized CRC length - thermal: core: Free thermal zone ID later during removal - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata - thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp - spi: topcliff-pch: fix controller deregistration - spi: topcliff-pch: fix use-after-free on unbind - clk: imx: imx8-acm: fix flags for acm clocks - clk: microchip: mpfs-ccc: fix out of bounds access during output registration - cpuidle: powerpc: avoid double clear when breaking snooze - [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table - [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop - [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens - [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed - btrfs: fix double free in create_space_info() error path - dm-thin: fix metadata refcount underflow - dm: don't report warning when doing deferred remove - dm: fix a buffer overflow in ioctl processing - eventfs: Hold eventfs_mutex and SRCU when remount walks events - dm-verity-fec: correctly reject too-small FEC devices - dm-verity-fec: correctly reject too-small hash devices - isofs: validate Rock Ridge CE continuation extent against volume size - isofs: validate block number from NFS file handle in isofs_export_iget - [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() - lib/scatterlist: fix length calculations in extract_kvec_to_sg - lib/scatterlist: fix temp buffer in extract_user_to_sg() - libceph: Fix slab-out-of-bounds access in auth message processing - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies - nvme-apple: drop invalid put of admin queue reference count - nvmet-tcp: fix race between ICReq handling and queue teardown - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - openvswitch: vport: fix self-deadlock on release of tunnel ports - pmdomain: core: Fix detach procedure for virtual devices in genpd - [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() - [s390x] debug: Reject zero-length input in debug_input_flush_fn() - smb/client: fix out-of-bounds read in smb2_compound_op() - smb/client: fix out-of-bounds read in symlink_data() - smb: client: use kzalloc to zero-initialize security descriptor buffer - smb: client: validate dacloffset before building DACL pointers - [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock - PCI: Update saved_config_space upon resource assignment (Closes: #1131025) - PCI/AER: Clear only error bits in PCIe Device Status - PCI/AER: Stop ruling out unbound devices as error source - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage - power: supply: max17042: avoid overflow when determining health - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() - RDMA/mana: Validate rx_hash_key_len - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads - RDMA/rxe: Reject unknown opcodes before ICRC processing - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path - mptcp: fastclose msk when linger time is 0 - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure - mptcp: sockopt: set timestamp flags on subflow socket, not msk - mptcp: fix scheduling with atomic in timestamp sockopt - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() - f2fs: fix fiemap boundary handling when read extent cache is incomplete - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() - f2fs: fix node_cnt race between extent node destroy and writeback - f2fs: fix uninitialized kobject put in f2fs_init_sysfs() - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value - [arm64] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() - bpf: Fix use-after-free in arena_vm_close on fork - fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info - fs: prepare for adding LSM blob to backing_file - dma-mapping: drop unneeded includes from dma-mapping.h - dma-mapping: add __dma_from_device_group_begin()/end() - hwmon: (powerz) Avoid cacheline sharing for DMA buffer - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs - udf: fix partition descriptor append bookkeeping - mtd: spinand: winbond: Declare the QE bit on W25NxxJW - hfsplus: fix uninit-value by validating catalog record size - hfsplus: fix held lock freed on hfsplus_fill_super() - erofs: move {in,out}pages into struct z_erofs_decompress_req - erofs: tidy up z_erofs_lz4_handle_overlap() - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() - gtp: disable BH before calling udp_tunnel_xmit_skb() - printk: add print_hex_dump_devel() - crypto: caam - guard HMAC key hex dumps in hash_digest_key - ALSA: aloop: Fix peer runtime UAF during format-change stop - net: stmmac: avoid shadowing global buf_sz - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() - net: stmmac: Prevent NULL deref when RX memory exhausted - wifi: mt76: mt7925: fix incorrect TLV length in CLC command - tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace - [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - ksmbd: validate inherited ACE SID length . [ Salvatore Bonaccorso ] * ptrace: slightly saner 'get_dumpable()' logic Checksums-Sha1: 9b8f33673ff81e734b829154bb8e8f2ad2b5ae47 288306 linux_6.12.88-1.dsc 0b54434c0459caf30e7f292d71c2511396ddff2b 151267944 linux_6.12.88.orig.tar.xz 7a7072dc2dc493acfa2af638b18d218bc332f836 1814308 linux_6.12.88-1.debian.tar.xz 8a6fcd07d62b388ee32d1896049b2f00fcbc971e 6855 linux_6.12.88-1_source.buildinfo Checksums-Sha256: 741aae72868c1a0c637322618bd2c698d5a76a35fd269f58e988844107a95c9e 288306 linux_6.12.88-1.dsc 4181175d5c45476060292e8150687e088cf3f6cc0c4db5166587e79547bb883e 151267944 linux_6.12.88.orig.tar.xz 5d499f004da3c0d8e715cc24a873b3068b040ebe68a653325ea0fc4a71fe3b7f 1814308 linux_6.12.88-1.debian.tar.xz 7d647d259b703ff876ff1741dfcc781b47cf5c96632a242514b6e1104bf467bb 6855 linux_6.12.88-1_source.buildinfo Files: 8cd34123e266fab4dcab26f67e7cb66d 288306 kernel optional linux_6.12.88-1.dsc 48032eac7e3aa60ae58498bbfe6476f8 151267944 kernel optional linux_6.12.88.orig.tar.xz 4cc02e041e6963aaeb1d4cdb5fc95e2d 1814308 kernel optional linux_6.12.88-1.debian.tar.xz c3a0dfefe5a4b55d336c9a530925c457 6855 kernel optional linux_6.12.88-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmoG7aRfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89E4B8P/jWBmnjzt05dzkueh/+6LjmGQXwY6xFp zIJnMr1dMrZQ9zenbcoZJG7bdiDXznAy5QhqaaPHs159k5mNVIWAPzEOfWwgbMe2 GJtgFVlSGWAOcJKW26Nx2kurzBGlrWJNnsUExFvGGs1GJbN9WBXp8s4wZHb0XhgK m/+modftmt29fHFtX/NM8PWIR9wF4NP0mmHmQ+xFJ6J6YuG89vmmihlIgFqNs69V GzfUllO46RewkKF5Xey2NTGiuVIZgfJ0GJDlbo26DYl1oJ68TF9C0rKU7MGs1Sex pL5uSiQQhbUckYdCtwgY8IdYeSmtMXuLCYuJ5gRV/LH8WfoU43t0/KO+Ev4QOH/Y v4qkVJ9BAuKEKoRSc434VM3/cYajEaqzp8xCfKGAKYKDlmJLfqDvrBMTWBkEPs2i PsOk3gFB5JFreaaQ99lKTT3xCPD++JkvKi9ERQoXUAuayfu404l5SMA0aAUcX4BI YhDb2aXwqXyi+UDIVB2dYB3TGXEVdiVeG2oJOn2quOkH59zO/FP694eoP2Icbyl0 R/IHjMJ4Pezsr1Qq5GJkKCfryiNWnaklV7aSXiMAVgI726wRahOTcUs23sSdB7j6 rhct3lc7/Dkh0PKkKVCnPHK1i6SiK3oiT95D07HDMogbDQqTnf79CiAclxJchFGM 1Jy989l8oGS3 =+AIQ -----END PGP SIGNATURE-----