-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 15 May 2026 11:52:56 +0200 Source: linux Binary: linux-doc linux-doc-6.12 linux-headers-6.12.88+deb13-common linux-headers-6.12.88+deb13-common-rt linux-libc-dev linux-source linux-source-6.12 linux-support-6.12.88+deb13 Architecture: all Version: 6.12.88-1 Distribution: trixie-security Urgency: high Maintainer: all Build Daemon (x86-csail-02) Changed-By: Salvatore Bonaccorso Description: linux-doc - Linux kernel specific documentation (meta-package) linux-doc-6.12 - Linux kernel specific documentation for version 6.12 linux-headers-6.12.88+deb13-common - Common header files for Linux 6.12.88+deb13 linux-headers-6.12.88+deb13-common-rt - Common header files for Linux 6.12.88+deb13-rt linux-libc-dev - Linux support headers for userspace development linux-source - Linux kernel source (meta-package) linux-source-6.12 - Linux kernel source for version 6.12 with Debian patches linux-support-6.12.88+deb13 - Support files for Linux 6.12 Closes: 1119093 1131025 1135313 Changes: linux (6.12.88-1) trixie-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.87 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.88 - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() - ipmi: Add limits to event and receive message requests - ipmi: Check event message buffer response for bad data - ipmi:si: Return state to normal if message allocation fails - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free - ACPI: scan: Use acpi_dev_put() in object add error paths - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug - ACPI: video: force native backlight on HP OMEN 16 (8A44) - ASoC: SOF: Don't allow pointer operations on unconfigured streams - spi: rockchip: fix controller deregistration - ksmbd: rewrite stop_sessions() with restartable iteration - mm: convert mm_lock_seq to a proper seqcount - [amd64] x86: shadow stacks: proper error handling for mmap lock (CVE-2026-43109) - [amd64] x86/shstk: Prevent deadlock during shstk sigreturn - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN - [amd64] iommu/amd: Use atomic64_inc_return() in iommu.c - [amd64] iommu/amd: serialize sequence allocation under concurrent TLB invalidations (CVE-2026-43220) (Closes: #1135313) - flow_dissector: do not dissect PPPoE PFC frames - net: txgbe: fix RTNL assertion warning when remove module - net: af_key: zero aligned sockaddr tail in PF_KEY exports (CVE-2026-43088) - [amd64] KVM: SVM: check validity of VMCB controls when returning from SMM - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked - Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() (CVE-2026-31499) - exit: prevent preemption of oopsing TASK_DEAD task - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr - wifi: mt76: mt7925: fix incorrect length field in txpower command - wifi: mt76: mt7921: fix a potential clc buffer length underflow - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work - wifi: b43legacy: enforce bounds check on firmware key index in RX path - wifi: mac80211: drop stray 'static' from fast-RX rx_result - wifi: rsi: fix kthread lifetime race between self-exit and external-stop - wifi: mac80211: use safe list iteration in radar detect work - wifi: ath5k: do not access array OOB (Closes: #1119093) - wifi: mac80211: remove station if connection prep fails - wifi: b43: enforce bounds check on firmware key index in b43_rx() - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task - usb: usblp: fix heap leak in IEEE 1284 device ID via short response - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl - ALSA: usb-audio: midi2: Restart output URBs on resume - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() - ALSA: usb-audio: Fix UAC3 cluster descriptor size check - USB: omap_udc: DMA: Don't enable burst 4 mode - USB: serial: option: add Telit Cinterion LE910Cx compositions - usb: ulpi: fix memory leak on ulpi_register() error paths - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger - ALSA: firewire-tascam: Do not drop unread control events - xfrm: provide message size for XFRM_MSG_MAPPING - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() - xfrm: ah: account for ESN high bits in async callbacks - selinux: don't reserve xattr slot when we won't fill it - selinux: shrink critical section in sel_write_load() - selinux: prune /sys/fs/selinux/disable - Bluetooth: virtio_bt: clamp rx length before skb_put - Bluetooth: virtio_bt: validate rx pkt_type header length - Bluetooth: btmtk: validate WMT event SKB length before struct access - Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() - [armhf] spi: sun4i: fix controller deregistration - [armhf] spi: ti-qspi: fix controller deregistration - spi: sun6i: fix controller deregistration - fanotify: fix false positive on permission events - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo - sound: ua101: fix division by zero at probe - net: libwx: fix VF illegal register access - ip6_gre: Use cached t->net in ip6erspan_changelink(). - net/rds: handle zerocopy send cleanup before the message is queued - net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler - hwmon: (ltc2992) Clamp threshold writes to hardware range - hwmon: (ltc2992) Fix u32 overflow in power read path - clk: rk808: fix OF node reference imbalance - hwmon: (corsair-psu) Close HID device on probe errors - af_unix: Reject SIOCATMARK on non-stream sockets - block: add pgmap check to biovec_phys_mergeable - cifs: abort open_cached_dir if we don't request leases - cifs: change_conf needs to be called for session setup - extcon: ptn5150: handle pending IRQ events during system resume - gpio: of: clear OF_POPULATED on hog nodes in remove path - hv_sock: fix ARM64 support - ibmveth: Disable GSO for packets with small MSS - ice: fix double free in ice_sf_eth_activate() error path - spi: microchip-core-qspi: fix controller deregistration - udf: reject descriptors with oversized CRC length - thermal: core: Free thermal zone ID later during removal - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata - thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp - spi: topcliff-pch: fix controller deregistration - spi: topcliff-pch: fix use-after-free on unbind - clk: imx: imx8-acm: fix flags for acm clocks - clk: microchip: mpfs-ccc: fix out of bounds access during output registration - cpuidle: powerpc: avoid double clear when breaking snooze - [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table - [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop - [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens - [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed - btrfs: fix double free in create_space_info() error path - dm-thin: fix metadata refcount underflow - dm: don't report warning when doing deferred remove - dm: fix a buffer overflow in ioctl processing - eventfs: Hold eventfs_mutex and SRCU when remount walks events - dm-verity-fec: correctly reject too-small FEC devices - dm-verity-fec: correctly reject too-small hash devices - isofs: validate Rock Ridge CE continuation extent against volume size - isofs: validate block number from NFS file handle in isofs_export_iget - [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() - lib/scatterlist: fix length calculations in extract_kvec_to_sg - lib/scatterlist: fix temp buffer in extract_user_to_sg() - libceph: Fix slab-out-of-bounds access in auth message processing - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies - nvme-apple: drop invalid put of admin queue reference count - nvmet-tcp: fix race between ICReq handling and queue teardown - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - openvswitch: vport: fix self-deadlock on release of tunnel ports - pmdomain: core: Fix detach procedure for virtual devices in genpd - [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove() - [s390x] debug: Reject zero-length input in debug_input_flush_fn() - smb/client: fix out-of-bounds read in smb2_compound_op() - smb/client: fix out-of-bounds read in symlink_data() - smb: client: use kzalloc to zero-initialize security descriptor buffer - smb: client: validate dacloffset before building DACL pointers - [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock - PCI: Update saved_config_space upon resource assignment (Closes: #1131025) - PCI/AER: Clear only error bits in PCIe Device Status - PCI/AER: Stop ruling out unbound devices as error source - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage - power: supply: max17042: avoid overflow when determining health - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() - RDMA/mana: Validate rx_hash_key_len - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads - RDMA/rxe: Reject unknown opcodes before ICRC processing - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path - mptcp: fastclose msk when linger time is 0 - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure - mptcp: sockopt: set timestamp flags on subflow socket, not msk - mptcp: fix scheduling with atomic in timestamp sockopt - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() - f2fs: fix fiemap boundary handling when read extent cache is incomplete - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() - f2fs: fix node_cnt race between extent node destroy and writeback - f2fs: fix uninitialized kobject put in f2fs_init_sysfs() - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value - [arm64] KVM: arm64: Fix initialisation order in __pkvm_init_finalise() - bpf: Fix use-after-free in arena_vm_close on fork - fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info - fs: prepare for adding LSM blob to backing_file - dma-mapping: drop unneeded includes from dma-mapping.h - dma-mapping: add __dma_from_device_group_begin()/end() - hwmon: (powerz) Avoid cacheline sharing for DMA buffer - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs - udf: fix partition descriptor append bookkeeping - mtd: spinand: winbond: Declare the QE bit on W25NxxJW - hfsplus: fix uninit-value by validating catalog record size - hfsplus: fix held lock freed on hfsplus_fill_super() - erofs: move {in,out}pages into struct z_erofs_decompress_req - erofs: tidy up z_erofs_lz4_handle_overlap() - erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() - gtp: disable BH before calling udp_tunnel_xmit_skb() - printk: add print_hex_dump_devel() - crypto: caam - guard HMAC key hex dumps in hash_digest_key - ALSA: aloop: Fix peer runtime UAF during format-change stop - net: stmmac: avoid shadowing global buf_sz - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() - net: stmmac: Prevent NULL deref when RX memory exhausted - wifi: mt76: mt7925: fix incorrect TLV length in CLC command - tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace - [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - ksmbd: validate inherited ACE SID length . [ Salvatore Bonaccorso ] * ptrace: slightly saner 'get_dumpable()' logic Checksums-Sha1: fe46d8c3e9367d752bb033e259b225110b0e797f 39423736 linux-doc-6.12_6.12.88-1_all.deb 97185f11db54c486184b7b7f89b5337e0cbdd8c8 1108 linux-doc_6.12.88-1_all.deb 109ae1d5cf5953bc85a2c55db3ade18f403c73e1 9454308 linux-headers-6.12.88+deb13-common-rt_6.12.88-1_all.deb ce6913ab9d4e723c150bb54600e2aa26b0faa3e2 11096692 linux-headers-6.12.88+deb13-common_6.12.88-1_all.deb ea724a4ddc0e61e067530221f52b71f01d213386 2811188 linux-libc-dev_6.12.88-1_all.deb 30be512099844240f07e3fd47f8cb36b5d0ab476 152499088 linux-source-6.12_6.12.88-1_all.deb ce56967f21d211b640eb38811754b011f5cb12d3 1096 linux-source_6.12.88-1_all.deb 9e1bb29a236e74596ce63dac0c252af0b9dd18a0 1298112 linux-support-6.12.88+deb13_6.12.88-1_all.deb 8ff8aa8d438e04936f976faf9e086241bae3cc4b 13699 linux_6.12.88-1_all-buildd.buildinfo Checksums-Sha256: b859e1fe75363340509fa4697271aa9b98701f53ba5b595d28ab5c13efd524b2 39423736 linux-doc-6.12_6.12.88-1_all.deb 80fcfb3abe7e6a8f833c98c280ae6fd57c79e3a9f83719c0799bed133cb15f30 1108 linux-doc_6.12.88-1_all.deb bdba00da146092b4adcc38040db260270d4d95bb50167263d2dd6f6092d0c05d 9454308 linux-headers-6.12.88+deb13-common-rt_6.12.88-1_all.deb 282b2bae7e5447b3f703fe28dec37d34453ce4b7bde81b1eb69564ae47efed40 11096692 linux-headers-6.12.88+deb13-common_6.12.88-1_all.deb 6c6e1dde061b55e5fd6251777ba7e8aa0c16e85d9ab8351c12e53554b7ac4e29 2811188 linux-libc-dev_6.12.88-1_all.deb 71b41b7358c6d7aa7b5e827e2f4273a25008fcb69141bb4dd386f242934de6eb 152499088 linux-source-6.12_6.12.88-1_all.deb 6c5ef9851bba0baac83657d3dac64014f9f9b698b2be47ca9974de24c0650356 1096 linux-source_6.12.88-1_all.deb 67e77ac4b5f5fd8d08328d5a2c6a411bcdf3fed0e132a1e14c5e5d05608c355d 1298112 linux-support-6.12.88+deb13_6.12.88-1_all.deb 712658e2712d727f3ba3fc7c9a63a3e8d6a48d33802025b2152baf565dc472e8 13699 linux_6.12.88-1_all-buildd.buildinfo Files: 3849773f5653329cffef57d68829176b 39423736 doc optional linux-doc-6.12_6.12.88-1_all.deb 51fcf121aad3aa23d6c11e0f53e7442d 1108 doc optional linux-doc_6.12.88-1_all.deb 5d2f448668e1cd2339a096919aa7a7e8 9454308 kernel optional linux-headers-6.12.88+deb13-common-rt_6.12.88-1_all.deb 9052ebee987cbe47c73d562bbcb8393b 11096692 kernel optional linux-headers-6.12.88+deb13-common_6.12.88-1_all.deb b675bcee24755c4c54239512cb8e1b65 2811188 devel optional linux-libc-dev_6.12.88-1_all.deb d030fc4d86d6f436e2db1b34c3d27764 152499088 kernel optional linux-source-6.12_6.12.88-1_all.deb 07f556b436a056d7927f1877aa4617d9 1096 kernel optional linux-source_6.12.88-1_all.deb d90de09ad2bbbaa0c43af853dbb2fb06 1298112 devel optional linux-support-6.12.88+deb13_6.12.88-1_all.deb 6b624811e56e7e81bfe411a1c3e6fb8c 13699 kernel optional linux_6.12.88-1_all-buildd.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXLxUpUHQBQBTDtd4aBVi67oXtfkFAmoG+VcACgkQaBVi67oX tfkgJA/9Hb9bNkMLAGmgcKdkhAfAAoyrtKlRkzNU9ImJ58V63DnOXMkaIxUV17Nh GkADQNPpQq6e+pSkfiC6QwfDaQVNB8xHHUfwisCTy/LqFi3XO3mhebagOXS/vla0 KgyMKMlfZS5Jymg1ZJRKAUTuvyYioCzevGiqGkEDWVTUuXylbVt7MzcvDy6Zu1vz YUjLqoVJ4Z7FZHL3c8lzyFDgmalwppMCzB+m+lS5/wIVVKHbYx9tQXeHsyf/eF+J /zXabbop0Pv1Cs8TIAge0pizySzROI1JmhsqM8t2rNN85Nr85P4ifE9jOmx+xjct 7bhQeWIEpOuDta/09szm7jMG5mi8x08nI9a6PXboKZ12BLoCLEl9R94ApL14Rou9 4BujgYE5QvFOgCQ3n0XwAlBf7gBt8pKxIi4a6VTYgIiGeA/v2EwCXzIXZZNs8FMA FZ/R257TBTRzkNY4uqHMX5xV096sNJP2mk+irraC4xvGlFkZVUc98QAt3shx6u13 NGKbPrlnSN3OQkL9c0c7LVOxZ4qzqtCq3nCOiAPgeqvs+m+jYmpXu4+tQqxfgKQ7 ec1Z1ovMkK99LWr697Df7zdvFk1mHNpR/67lG8+D+HispHu05MilgZ2Kn7UtIAgD Xpq9x4CH/6yVHmhZlYhhsCTX89ZgDwHmEg7PFLzPMBoibbEbR7Q= =mIq3 -----END PGP SIGNATURE-----