https://source.android.com/docs/security/bulletin/2025-09-01
CVE-2025-21755
CVE-2025-38352
CVE-2025-021701
* tag 'ASB-2025-09-05_12-5.10' of https://android.googlesource.com/kernel/common:
UPSTREAM: perf/core: Fix potential NULL deref
UPSTREAM: net/packet: fix a race in packet_set_ring() and packet_notifier()
BACKPORT: FROMGIT: f2fs: add sysfs entry for effective lookup mode
BACKPORT: FROMGIT: f2fs: add lookup_mode mount option
ANDROID: 16K: Allocate pad vma on the stack
ANDROID: 16K: Don't copy data vma for maps/smaps output
ANDROID: GKI: Update oplus symbol list
ANDROID: vendor_hooks: add hooks in cpu_cgroup subsystem
ANDROID: vendor_hooks: Add hooks in reweight_entity
ANDROID: GKI: Export css_task_iter_start()
UPSTREAM: regulator: core: Fix deadlock in create_regulator()
UPSTREAM: coresight-etm4x: add isb() before reading the TRCSTATR
UPSTREAM: usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints
UPSTREAM: f2fs: fix to avoid use GC_AT when setting gc_mode as GC_URGENT_LOW or GC_URGENT_MID
UPSTREAM: usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes()
UPSTREAM: xhci: Mitigate failed set dequeue pointer commands
ANDROID: refresh ABI following type change
UPSTREAM: net/sched: Always pass notifications when child class becomes empty
Revert "vm_sockets: Add flags field in the vsock address data structure"
Revert "vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag"
Revert "af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path"
Revert "af_vsock: Assign the vsock transport considering the vsock address flags"
Revert "vsock: Fix transport_* TOCTOU"
Linux 5.10.240
rseq: Fix segfault on registration when rseq_cs is non-zero
x86/process: Move the buffer clearing before MONITOR
KVM: SVM: Advertise TSA CPUID bits to guests
KVM: x86: add support for CPUID leaf 0x80000021
x86/bugs: Add a Transient Scheduler Attacks mitigation
x86/bugs: Rename MDS machinery to something more generic
x86/mm: Disable hugetlb page table sharing on 32-bit
vhost-scsi: protect vq->log_used with vq->mutex
Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID
HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras
HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY
vt: add missing notification when switching back to text mode
net: usb: qmi_wwan: add SIMCom 8230C composition
um: vector: Reduce stack usage in vector_eth_configure()
atm: idt77252: Add missing `dma_map_error()`
bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT
bnxt_en: Fix DCB ETS validation
net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam()
can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level
net: phy: microchip: limit 100M workaround to link-down events on LAN88xx
net: appletalk: Fix device refcount leak in atrtr_create()
md/raid1: Fix stack memory use after return in raid1_reshape
wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev()
dma-buf: fix timeout handling in dma_resv_wait_timeout v2
Input: xpad - support Acer NGR 200 Controller
Input: xpad - add VID for Turtle Beach controllers
Input: xpad - add support for Amazon Game Controller
netlink: make sure we allow at least one dump skb
netlink: Fix rmem check in netlink_broadcast_deliver().
pwm: mediatek: Ensure to disable clocks in error path
rtc: lib_test: add MODULE_LICENSE
ethernet: atl1: Add missing DMA mapping error checks and count errors
Revert "ACPI: battery: negate current when discharging"
usb: gadget: u_serial: Fix race condition in TTY wakeup
drm/sched: Increment job count before swapping tail spsc queue
pinctrl: qcom: msm: mark certain pins as invalid for interrupts
x86/mce: Make sure CMCI banks are cleared during shutdown on Intel
x86/mce: Don't remove sysfs if thresholding sysfs init fails
x86/mce/amd: Fix threshold limit reset
x86/its: FineIBT-paranoid vs ITS
x86/its: Fix build errors when CONFIG_MODULES=n
x86/its: Use dynamic thunks for indirect branches
x86/modules: Set VM_FLUSH_RESET_PERMS in module_alloc()
x86/its: Add "vmexit" option to skip mitigation on some CPUs
x86/its: Enable Indirect Target Selection mitigation
x86/its: Fix undefined reference to cpu_wants_rethunk_at()
x86/its: Add support for ITS-safe return thunk
x86/alternatives: Remove faulty optimization
x86/alternative: Optimize returns patching
x86/its: Add support for ITS-safe indirect thunk
x86/alternatives: Teach text_poke_bp() to patch Jcc.d32 instructions
x86/alternatives: Introduce int3_emulate_jcc()
x86/its: Enumerate Indirect Target Selection (ITS) bug
x86/bhi: Define SPEC_CTRL_BHI_DIS_S
Documentation: x86/bugs/its: Add ITS documentation
rxrpc: Fix oops due to non-existence of prealloc backlog struct
fs/proc: do_task_stat: use __for_each_thread()
net/sched: Abort __tc_modify_qdisc if parent class does not exist
atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
atm: clip: Fix infinite recursive call of clip_push().
atm: clip: Fix memory leak of struct clip_vcc.
atm: clip: Fix potential null-ptr-deref in to_atmarpd().
net: phy: smsc: Fix link failure in forced mode with Auto-MDIX
net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap
vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also `transport_local`
vsock: Fix transport_* TOCTOU
af_vsock: Assign the vsock transport considering the vsock address flags
af_vsock: Set VMADDR_FLAG_TO_HOST flag on the receive path
vm_sockets: Add VMADDR_FLAG_TO_HOST vsock flag
vm_sockets: Add flags field in the vsock address data structure
vsock: Fix transport_{g2h,h2g} TOCTOU
tipc: Fix use-after-free in tipc_conn_close().
netlink: Fix wraparounds of sk->sk_rmem_alloc.
fix proc_sys_compare() handling of in-lookup dentries
perf: Revert to requiring CAP_SYS_ADMIN for uprobes
ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode
drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling
staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()
media: uvcvideo: Rollback non processed entities on error
media: uvcvideo: Send control events for partial succeeds
media: uvcvideo: Return the number of processed controls
ACPI: PAD: fix crash in exit_round_robin()
usb: typec: displayport: Fix potential deadlock
Logitech C-270 even more broken
xhci: dbc: Flush queued requests before stopping dbc
xhci: dbctty: disable ECHO flag by default
dpaa2-eth: fix xdp_rxq_info leak
net: dpaa2-eth: rearrange variable in dpaa2_eth_get_ethtool_stats
dpaa2-eth: Update SINGLE_STEP register access
dpaa2-eth: Update dpni_get_single_step_cfg command
dpaa2-eth: rename dpaa2_eth_xdp_release_buf into dpaa2_eth_recycle_buf
btrfs: use btrfs_record_snapshot_destroy() during rmdir
btrfs: propagate last_unlink_trans earlier when doing a rmdir
NFSv4/flexfiles: Fix handling of NFS level errors in I/O
flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes
RDMA/mlx5: Fix vport loopback for MPV device
drm/v3d: Disable interrupts before resetting the GPU
mtk-sd: reset host->mrq on prepare_data() error
mtk-sd: Prevent memory corruption from DMA map failure
mmc: mediatek: use data instead of mrq parameter from msdc_{un}prepare_data()
regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods
rcu: Return early if callback is not specified
ACPICA: Refuse to evaluate a method if arguments are missing
wifi: ath6kl: remove WARN on bad firmware input
wifi: mac80211: drop invalid source address OCB frames
scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port()
powerpc: Fix struct termio related ioctl macros
ata: pata_cs5536: fix build on 32-bit UML
ALSA: sb: Force to disable DMAs once when DMA mode is changed
net/sched: Always pass notifications when child class becomes empty
nui: Fix dma_mapping_error() check
rose: fix dangling neighbour pointers in rose_rt_device_down()
net: rose: Fix fall-through warnings for Clang
enic: fix incorrect MTU comparison in enic_change_mtu()
amd-xgbe: align CL37 AN sequence as per databook
lib: test_objagg: Set error message in check_expect_hints_stats()
drm/i915/gt: Fix timeline left held on VMA alloc error
drm/i915/selftests: Change mock_request() to return error pointers
spi: spi-fsl-dspi: Clear completion counter before initiating transfer
drm/exynos: fimd: Guard display clock control with runtime PM calls
btrfs: fix missing error handling when searching for inode refs during log replay
RDMA/mlx5: Fix CC counters query for MPV
scsi: ufs: core: Fix spelling of a sysfs attribute name
scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()
scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()
NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN
nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.
RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert
platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment
mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data
usb: typec: altmodes/displayport: do not index invalid pin_assignments
Revert "mmc: sdhci: Disable SD card clock before changing parameters"
mmc: sdhci: Add a helper function for dump register in dynamic debug mode
vsock/vmci: Clear the vmci transport packet properly when initializing it
rtc: cmos: use spin_lock_irqsave in cmos_interrupt
arm64: Restrict pagetable teardown to avoid false warning
Revert "ipv6: save dontfrag in cork"
s390: Add '-std=gnu11' to decompressor and purgatory CFLAGS
PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time
drm/bridge: cdns-dsi: Wait for Clk and Data Lanes to be ready
drm/bridge: cdns-dsi: Check return value when getting default PHY config
drm/bridge: cdns-dsi: Fix connecting to next bridge
drm/bridge: cdns-dsi: Fix the clock variable for mode_valid()
drm/amdkfd: Fix race in GWS queue scheduling
drm/udl: Unregister device before cleaning up on disconnect
drm/tegra: Fix a possible null pointer dereference
drm/tegra: Assign plane type before registration
HID: wacom: fix kobject reference count leak
HID: wacom: fix memory leak on sysfs attribute creation failure
HID: wacom: fix memory leak on kobject creation failure
btrfs: update superblock's device bytes_used when dropping chunk
dm-raid: fix variable in journal device check
Bluetooth: L2CAP: Fix L2CAP MTU negotiation
dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive
atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister().
net: enetc: Correct endianness handling in _enetc_rd_reg64
um: ubd: Add missing error check in start_io_thread()
vsock/uapi: fix linux/vm_sockets.h userspace compilation errors
wifi: mac80211: fix beacon interval calculation overflow
libbpf: Fix null pointer dereference in btf_dump__free on allocation failure
attach_recursive_mnt(): do not lock the covering tree when sliding something under it
ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()
atm: clip: prevent NULL deref in clip_push()
i2c: robotfuzz-osif: disable zero-length read messages
i2c: tiny-usb: disable zero-length read messages
net_sched: sch_sfq: reject invalid perturb period
PCI: cadence-ep: Correct PBA offset in .set_msix() callback
uio_hv_generic: Align ring size to system page
uio_hv_generic: Query the ringbuffer size for device
Drivers: hv: vmbus: Add utility function for querying ring size
Drivers: hv: Rename 'alloced' to 'allocated'
Drivers: hv: vmbus: Fix duplicate CPU assignments within a device
uio: uio_hv_generic: use devm_kzalloc() for private data alloc
RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
RDMA/core: Use refcount_t instead of atomic_t on refcount of iwcm_id_private
f2fs: don't over-report free space or inodes in statvfs
can: tcan4x5x: fix power regulator retrieval during probe
media: omap3isp: use sgtable-based scatterlist wrappers
jfs: validate AG parameters in dbMount() to prevent crashes
fs/jfs: consolidate sanity checking in dbMount
usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()
usb: typec: tcpci_maxim: add terminating newlines to logging
usb: typec: tcpci_maxim: remove redundant assignment
usb: typec: tcpci_maxim: Fix uninitialized return variable
VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF
ovl: Check for NULL d_inode() in ovl_dentry_upper()
ceph: fix possible integer overflow in ceph_zero_objects()
ALSA: hda: Add new pci id for AMD GPU display HD audio controller
ALSA: hda: Ignore unsol events for cards being shut down
usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode
usb: cdc-wdm: avoid setting WDM_READ for ZLP-s
usb: Add checks for snprintf() calls in usb_alloc_dev()
usb: common: usb-conn-gpio: use a unique name for usb connector device
usb: potential integer overflow in usbg_make_tpg()
um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h
iio: pressure: zpa2326: Use aligned_s64 for the timestamp
bcache: fix NULL pointer in cache_set_flush()
md/md-bitmap: fix dm-raid max_write_behind setting
dmaengine: xilinx_dma: Set dma_device directions
hwmon: (pmbus/max34440) Fix support for max34451
leds: multicolor: Fix intensity setting while SW blinking
mfd: max14577: Fix wakeup source leaks on device unbind
mailbox: Not protect module_put with spin_lock_irqsave
NFSv4.2: fix listxattr to return selinux security label
cifs: Fix cifs_query_path_info() for Windows NT servers
Conflicts:
Documentation/devicetree/bindings/serial/8250.yaml
Documentation/devicetree/bindings~HEAD
android/abi_gki_aarch64.xml
Change-Id: I597d5cad10f85d9f2b543c8429cb785eedbf40dc
7d9f9c49ac