sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL

...

RDMA/hns: Fix unlocked call to hns_roce_qp_remove()

...

wifi: b43: enforce bounds check on firmware key index in b43_rx()

...

RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads

...

batman-adv: bla: only purge non-released claims

...

wifi: mac80211: remove station if connection prep fails

...

ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3()

...

drm/amdgpu/vcn4: Prevent OOB reads when parsing IB

...

ip6_gre: Use cached t->net in ip6erspan_changelink().

...

wifi: mac80211: drop stray 'static' from fast-RX rx_result

...

batman-adv: stop caching unowned originator pointers in BAT IV

...

RDMA/rxe: Reject unknown opcodes before ICRC processing

...

drm/amdgpu: Add bounds checking to ib_{get,set}_value

...

ipmi:si: Return state to normal if message allocation fails

...

Bluetooth: virtio_bt: clamp rx length before skb_put

...

RDMA/mana: Validate rx_hash_key_len

...

drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg

...

mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show()

...

mptcp: pm: ADD_ADDR rtx: free sk if last

...

btrfs: fix double free in create_space_info() error path

...

wifi: mt76: mt7921: fix a potential clc buffer length underflow

...

smb/client: fix out-of-bounds read in smb2_compound_op()

...

ipmi: Add limits to event and receive message requests

...

net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo

...

tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()

...

RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()

...

media: rc: xbox_remote: heed DMA restrictions

...

btrfs: fix double free in create_space_info_sub_group() error path

...

xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete

...

spi: rspi: fix controller deregistration

...

batman-adv: stop tp_meter sessions during mesh teardown

...

scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show()

...

RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()

...

dm-thin: fix metadata refcount underflow

...

vsock: fix buffer size clamping order

...

staging: media: atomisp: Disallow all private IOCTLs

...

drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission

...

drm/amdkfd: validate SVM ioctl nattr against buffer size

...

mptcp: pm: ADD_ADDR rtx: always decrease sk refcount

...

batman-adv: bla: prevent use-after-free when deleting claims

...

openvswitch: vport: fix self-deadlock on release of tunnel ports

...

md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

...

spi: fsl: fix controller deregistration

...

smb/client: fix out-of-bounds read in symlink_data()

...

btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak

...

fbcon: Avoid OOB font access if console rotation fails

...

block: add pgmap check to biovec_phys_mergeable

...

wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task

...

Off-by-One Leading to Out-of-Bounds Write in bzip2

...

btrfs: fix missing last_unlink_trans update when removing a directory

...