ELSA-2026-50294

Описание

[5.15.0-321.202.5]

• Revert 'ip6_tunnel: Fix usage of skb_vlan_inet_prepare()' (Harshit Mogalapalli) [Orabug: 39476647]
• smb: client: reject userspace cifs.spnego descriptions (Asim Viladi Oglu Manizada) [Orabug: 39463672]

[5.15.0-321.202.4]

• tun: free page on build_skb failure in tun_xdp_one() (Weiming Shi) [Orabug: 39429143]
• tap: free page on error paths in tap_get_user_xdp() (Weiming Shi) [Orabug: 39429143]
• tun: free page on short-frame rejection in tun_xdp_one() (Weiming Shi) [Orabug: 39429143]

[5.15.0-321.202.3]

• net: skbuff: propagate shared-frag marker through frag-transfer helpers (Hyunwoo Kim) [Orabug: 39368827] {CVE-2026-46300}
• net: skbuff: preserve shared-frag marker during coalescing (William Bowling) [Orabug: 39368827]
• ptrace: slightly saner 'get_dumpable()' logic (Linus Torvalds) [Orabug: 39384274] {CVE-2026-46333}
• mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather (David Hildenbrand (Red Hat)) [Orabug: 38474901]
• Revert 'mm/hugetlb: add option to allows disabling CVE-2025-38085 mitigation' (Samasth Norway Ananda) [Orabug: 38474901]
• mm/rmap: fix two comments related to huge_pmd_unshare() (David Hildenbrand (Red Hat)) [Orabug: 38474901]
• mm/hugetlb: fix two comments related to huge_pmd_unshare() (David Hildenbrand (Red Hat)) [Orabug: 38474901]
• mm/hugetlb: fix hugetlb_pmd_shared() (David Hildenbrand (Red Hat)) [Orabug: 38474901]

[5.15.0-321.202.2]

• dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler (Guenter Roeck)
• Revert 'arm64: dts: qcom: sdm845-oneplus: Mark l14a regulator as boot-on' (Sasha Levin)
• ip6_tunnel: Fix usage of skb_vlan_inet_prepare() (Ben Hutchings)
• hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race (Gui-Dong Han)
• wifi: wlcore: Return -ENOMEM instead of -EAGAIN if there is not enough headroom (Guenter Roeck)
• sched: idle: Make skipping governor callbacks more consistent (Rafael J. Wysocki)
• nvmet-tcp: fix use-before-check of sg in bounds validation (Cengiz Can)
• remoteproc: mediatek: Unprepare SCP clock during system suspend (Tzung-Bi Shih)
• net: openvswitch: Avoid releasing netdev before teardown completes (Toke Hoiland-Jorgensen)
• ACPI: processor: Fix previous acpi_processor_errata_piix4() fix (Rafael J. Wysocki)
• net: hsr: fix VLAN add unwind on slave errors (Luka Gejak)
• x86/CPU/AMD: Add a fix for AMD-SB-7052 (Prathyushi Nangia) [Orabug: 39327141] {CVE-2025-54518}
• xfrm: esp: ipv4: fix up flags setting (Greg Kroah-Hartman) [Orabug: 39342679] {CVE-2026-43284}
• xfrm: esp: avoid in-place decrypt on shared skb frags (Kuan-Ting Chen) [Orabug: 39342679] {CVE-2026-43284}
• KVM: x86: disable preemption around the call to kvm_arch_vcpu_{un|}blocking (Maxim Levitsky) [Orabug: 39334996]
• KVM: Don't block+unblock when halt-polling is successful (Sean Christopherson) [Orabug: 39334996]
• nfsd: fix heap overflow in NFSv4.0 LOCK replay cache (Jeff Layton) [Orabug: 39167616] {CVE-2026-31402}
• net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks (Victor Nogueira) [Orabug: 39103230] {CVE-2026-23270}
• exadata: tools: perf: update column to comm_nodigit (Stephen Brennan) [Orabug: 39327019]
• perf report: Add comm_nodigit sort key (Stephen Brennan) [Orabug: 39327019]
• Revert 'tools: perf: add comm_ignore_digit column' (Stephen Brennan) [Orabug: 39327019]

[5.15.0-321.202.1]

• virtio-net: add cond_resched() to the command waiting loop (Jason Wang) [Orabug: 39291988]
• virtio-net: convert rx mode setting to use workqueue (Jason Wang) [Orabug: 39291988]
• x86: KVM: Add common feature flag for AMD's PSFD (Sean Christopherson) [Orabug: 35586248]
• KVM: x86: Insert 'AMD' in KVM_X86_FEATURE_PSFD (Jim Mattson) [Orabug: 35586248]
• KVM: x86: Expose Predictive Store Forwarding Disable (Babu Moger) [Orabug: 35586248]
• i2c: designware: fix __i2c_dw_disable() in case master is holding SCL low (Yann Sionneau) [Orabug: 39174661]

[5.15.0-320.202.8]

• iommu/arm-smmu-v3: Handle zeroed A4-2C HTTU override settings (Joao Martins) [Orabug: 39186453]
• iommu: Move IOMMU_DIRTY_NO_CLEAR define (Shameer Kolothum) [Orabug: 39186453]
• iommu/arm-smmu-v3: Enable HTTU for stage1 with io-pgtable mapping (Kunkun Jiang) [Orabug: 39186453]
• iommu/arm-smmu-v3: Add support for dirty tracking in domain alloc (Joao Martins) [Orabug: 39186453]
• iommu/io-pgtable-arm: Add read_and_clear_dirty() support (Shameer Kolothum) [Orabug: 39186453]
• iommu/arm-smmu-v3: Add feature detection for HTTU (Jean-Philippe Brucker) [Orabug: 39186453]

[5.15.0-320.202.7]

• crypto: algif_aead - Fix minimum RX size check for decryption (Herbert Xu) [Orabug: 39250686,39331104] {CVE-2026-43077}
• crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl (Herbert Xu) [Orabug: 39250686,39331109] {CVE-2026-43078}
• crypto: authencesn - Fix src offset when decrypting in-place (Herbert Xu) [Orabug: 39250686]
• crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption (Herbert Xu) [Orabug: 39250686,39300910] {CVE-2026-43033}
• crypto: authenc - use memcpy_sglist() instead of null skcipher (Eric Biggers) [Orabug: 39250686]
• crypto: algif_aead - snapshot IV for async AEAD requests (Douya Le) [Orabug: 39250686]
• crypto: algif_aead - Revert to operating out-of-place (Herbert Xu) [Orabug: 39250686,39283867,39291961] {CVE-2026-31431}
• crypto: algif_aead - use memcpy_sglist() instead of null skcipher (Eric Biggers) [Orabug: 39250686] {CVE-2026-31431}
• crypto: scatterwalk - Backport memcpy_sglist() (Eric Biggers) [Orabug: 39250686]
• uek-rpm: Enable FWCTL for aarch64 (Dave Kleikamp) [Orabug: 39252913]

[5.15.0-320.202.6]

• Revert 'rds: Drop rds conn in connect worker if not in down state.' (Vijayendra Suman) [Orabug: 39277795]
• uek-rpm: CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON should be set (Dave Kleikamp) [Orabug: 39109819]
• iommu/vt-d: Disallow dirty tracking if incoherent page walk (Lu Baolu) [Orabug: 39109819]
• iommu/vt-d: Set variable intel_dirty_ops to static (Kunwu Chan) [Orabug: 39109819]
• iommu/vt-d: Access/Dirty bit support for SS domains (Joao Martins) [Orabug: 39109819]
• iommu/amd: reduce GA Log overflow printk noise (Alejandro Jimenez) [Orabug: 39209012]
• iommu/amd: add reschedule points to GA Log draining (Alejandro Jimenez) [Orabug: 39209012]
• iommu/amd: Rework GAInt handling in overflow case (Joao Martins) [Orabug: 39209012]
• iommu/amd: Disable GAInt while GA Log is processed (Joao Martins) [Orabug: 39209012]
• iommu/amd: Move helpers to update IOMMU features to amd_iommu.h (Alejandro Jimenez) [Orabug: 39209012]
• iommu/amd: Increase GA Log buffer size to 8192 entries (Joao Martins) [Orabug: 39209012]
• x86/CPU: Fix FPDSS on Zen1 (Borislav Petkov) [Orabug: 39241228,39273722] {CVE-2026-31628}

[5.15.0-320.202.5]

• Revert 'PCI: Enable ACS after configuring IOMMU for OF platforms' (Manivannan Sadhasivam) [Orabug: 39187371]
• net/handshake: duplicate handshake cancellations leak socket (Scott Mayhew) [Orabug: 38847720] {CVE-2025-68775}
• ext4: show 'shutdown' hint when ext4 is forced to shutdown (Baokun Li) [Orabug: 39002346]
• ext4: show 'emergency_ro' when EXT4_FLAGS_EMERGENCY_RO is set (Baokun Li) [Orabug: 39002346]
• ext4: correct behavior under errors=remount-ro mode (Baokun Li) [Orabug: 39002346]
• ext4: add more ext4_emergency_state() checks around sb_rdonly() (Baokun Li) [Orabug: 39002346]
• ext4: add ext4_emergency_state() helper function (Baokun Li) [Orabug: 39002346]
• ext4: add EXT4_FLAGS_EMERGENCY_RO bit (Baokun Li) [Orabug: 39002346]
• ext4: convert EXT4_FLAGS_* defines to enum (Baokun Li) [Orabug: 39002346]
• ext4: make ext4_forced_shutdown() take struct super_block (Jan Kara) [Orabug: 39002346]
• ipv6: use RCU in ip6_xmit() (Eric Dumazet) [Orabug: 38649062] {CVE-2025-40135}
• memfd: move MFD_MF_KEEP_UE_MAPPED flag to higher bit (William Roche) [Orabug: 39109773]
• scsi: qla2xxx: Sanitize payload size to prevent member overflow (Jiasheng Jiang) [Orabug: 38930868] {CVE-2026-23059}
• bpf: Fix reference count leak in bpf_prog_test_run_xdp() (Tetsuo Handa) [Orabug: 38887702] {CVE-2026-22994}
• nfsd: check that server is running in unlock_filesystem (Olga Kornievskaia) [Orabug: 38887682] {CVE-2026-22989}
• net/mlx5e: TC, delete flows only for existing peers (Mark Bloch) [Orabug: 38970398] {CVE-2026-23173}
• net/handshake: restore destructor on submit failure (Caoping) [Orabug: 38887601] {CVE-2025-71148}
• scsi: qla2xxx: Fix improper freeing of purex item (Zilin Guan) [Orabug: 38798929] {CVE-2025-68741}
• bnxt_en: Fix XDP_TX path (Michael Chan) [Orabug: 38847684] {CVE-2025-68770}
• perf/x86/amd: Check event before enable to avoid GPF (George Kennedy) [Orabug: 38847849] {CVE-2025-68798}
• scsi: smartpqi: Fix device resources accessed after device removal (Mike Mcgowen) [Orabug: 38798848] {CVE-2025-68371}
• KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced (Omar Sandoval) [Orabug: 38773579] {CVE-2025-68259}
• x86/fpu: Ensure XFD state on signal delivery (Chang S. Bae) [Orabug: 38773165] {CVE-2025-68171}
• virtio-net: fix received length check in big packets (Bui Quang Minh) [Orabug: 38737152] {CVE-2025-40292}
• ACPI: CPPC: Fix NULL pointer dereference when nosmp is used (Yunhui Cui) [Orabug: 38641284] {CVE-2025-38113}
• EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller (Qiuxu Zhuo) [Orabug: 38649173] {CVE-2025-40157}
• sunrpc: fix null pointer dereference on zero-length checksum (Lei Lu) [Orabug: 38649042] {CVE-2025-40129}
• cpufreq: CPPC: Fix possible null-ptr-deref for cppc_get_cpu_cost() (Jinjie Ruan) [Orabug: 38641275] {CVE-2024-53230}
• cpufreq: CPPC: Fix possible null-ptr-deref for cpufreq_cpu_get_raw() (Jinjie Ruan) [Orabug: 38641272] {CVE-2024-53231}
• vhost: vringh: Fix copy_to_iter return value check (Michael S. Tsirkin) [Orabug: 38592117] {CVE-2025-40056}
• crypto: qat - flush misc workqueue during device shutdown (Giovanni Cabiddu) [Orabug: 38401717] {CVE-2025-39721}
• vhost: vringh: Modify the return value check (Zhang Jiao) [Orabug: 38592085] {CVE-2025-40051}
• virtio-net: fix recursived rtnl_lock() during probe() (Zigit Zo) [Orabug: 38324330] {CVE-2025-38551}
• gve: prevent ethtool ops after shutdown (Jordan Rhee) [Orabug: 38401492] {CVE-2025-38735}
• KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight (Sean Christopherson) [Orabug: 38254140] {CVE-2025-38455}
• net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect (Oleksij Rempel) [Orabug: 38253871] {CVE-2025-38385}
• net/mlx5e: Disable MACsec offload for uplink representor profile (Carolina Jubran) [Orabug: 38094809] {CVE-2025-38020}
• dmaengine: idxd: fix memory leak in error handling path of idxd_alloc (Shuai Xue) [Orabug: 38094794] {CVE-2025-38015}
• net/mlx5: Fix ECVF vports unload on shutdown flow (Amir Tzin) [Orabug: 38152903] {CVE-2025-38109}
• bnxt: properly flush XDP redirect lists (Yan Zhai) [Orabug: 38175054] {CVE-2025-38246}
• eth: bnxt: fix missing ring index trim on error path (Jakub Kicinski) [Orabug: 37937451] {CVE-2025-37873}
• net/mlx5: Fix null-ptr-deref in mlx5_create_{inner_,}ttc_table() (Henry Martin) [Orabug: 37938078] {CVE-2025-37888}
• nfsd: fix possible badness in FREE_STATEID (Olga Kornievskaia) [Orabug: 37989102] {CVE-2024-50043}
• devlink: fix xa_alloc_cyclic() error handling (Michal Swiatkowski) [Orabug: 37828271] {CVE-2025-22017}

[5.15.0-320.202.4]

• xsk: fix an integer overflow in xp_create_and_assign_umem() (Gavrilov Ilia) [Orabug: 37828202] {CVE-2025-21997}
• RDMA/mlx5: Fix the recovery flow of the UMR QP (Yishai Hadas) [Orabug: 37766306] {CVE-2025-21892}
• misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors (Vimal Agrawal) [Orabug: 37678552] {CVE-2024-58078}
• net/sched: cls_api: fix error handling causing NULL dereference (Pierre Riteau) [Orabug: 37702083] {CVE-2025-21857}
• bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() (Shigeru Yoshida) [Orabug: 37766220] {CVE-2025-21867}
• net: xdp: Disallow attaching device-bound programs in generic mode (Toke Hoiland-Jorgensen) [Orabug: 37650238] {CVE-2025-21808}
• iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() (Qasim Ijaz) [Orabug: 37649891] {CVE-2025-21724}
• xfrm: delete intermediate secpath entry in packet offload mode (Alexandre Cassen) [Orabug: 37649866] {CVE-2025-21720}
• gpiolib: Fix crash on error in gpiochip_get_ngpios() (Andy Shevchenko) [Orabug: 37650154] {CVE-2025-21783}
• scsi: mpi3mr: Fix possible crash when setting up bsg fails (Guixin Liu) [Orabug: 37649886] {CVE-2025-21723}
• uek-rpm: Enable CONFIG_NET_VRF in container kernel (Boris Ostrovsky) [Orabug: 38932706]
• Documentation: add documentation for MFD_MF_KEEP_UE_MAPPED (William Roche) [Orabug: 38768951]
• selftests/mm: test userspace MFR for HugeTLB hugepage (William Roche) [Orabug: 38768951]
• mm: memfd/hugetlb: introduce memfd-based userspace MFR policy (William Roche) [Orabug: 38768951]