Bluetooth: fix memory leak in error path of hci_alloc_dev()

...

6lowpan: fix off-by-one in multicast context address compression

...

mm/hugetlb: restore reservation on error in hugetlb folio copy paths

...

net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove

...

net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint

...

net: mvpp2: refill RX buffers before XDP or skb use

...

IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN

...

USB: serial: io_ti: fix heap overflow in get_manuf_info()

...

ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()

...

Bluetooth: bnep: reject short frames before parsing

...

net/sched: cls_fw: fix NULL dereference of "old" filters before change()

...

net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown

...

netfilter: x_tables: avoid leaking percpu counter pointers

...

drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

...

batman-adv: clear current gateway during teardown

...

RDMA/srp: bound SRP_RSP sense copy by the received length

...

net: mvpp2: sync RX data at the hardware packet offset

...

ipc/shm: serialize orphan cleanup with shm_nattch updates

...

hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf

...

netfilter: ebtables: fix OOB read in compat_mtw_from_user

...

netfilter: conntrack_irc: fix possible out-of-bounds read

...

mptcp: allow subflow rcv wnd to shrink

...

misc: fastrpc: fix use-after-free race in fastrpc_map_create

...

ipv6: sit: reload inner IPv6 header after GSO offloads

...

sctp: fix uninit-value in __sctp_rcv_asconf_lookup()

...

net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr

...

ipv6: Fix a potential NPD in cleanup_prefix_route()

...

gpio: mvebu: fix NULL pointer dereference in suspend/resume

...

netfilter: nft_exthdr: fix register tracking for F_PRESENT flag

...

thunderbolt: Clamp XDomain response data copy to allocation size

...

batman-adv: dat: handle forward allocation error

...

dm cache policy smq: check allocation under invalidate lock

...

Bluetooth: MGMT: validate advertising TLV before type checks

...

batman-adv: fix tp_meter counter underflow during shutdown

...

RDMA/umem: Fix truncation for block sizes >= 4G

...

Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend

...

ipv6: mcast: Fix use-after-free when processing MLD queries

...

netfilter: nf_log: validate MAC header was set before dumping it

...

netfilter: nft_ct: bail out on template ct in get eval

...

ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options

...

bnxt_en: Fix NULL pointer dereference

...

drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11

...

ipc: limit next_id allocation to the valid ID range

...

udp: clear skb->dev before running a sockmap verdict

...

net: skbuff: fix missing zerocopy reference in pskb_carve helpers

...

batman-adv: tvlv: reject oversized TVLV packets

...

misc: fastrpc: Fix NULL pointer dereference in rpmsg callback

...

vsock/vmci: fix sk_ack_backlog leak on failed handshake

...

libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c

...

thunderbolt: Reject zero-length property entries in validator

...