dtb-aarch64-6.12.0-160000.5.1

- Fix OOB access in "drm/amdgpu: read back register after written for VCN v4.0.5" (bsc#1249251)
- commit 3545bbd

- sched/psi: Fix psi_seq initialization (bsc#1248155).
- commit 2dd3707

- Move pesign-obs-integration requirement from kernel-syms to kernel devel
  subpackage (bsc#1248108).
- commit e707e41

- ice, irdma: fix an off by one in error handling code
  (bsc#1247712).
- irdma: free iwdev->rf after removing MSI-X (bsc#1247712).
- ice: Fix signedness bug in ice_init_interrupt_scheme()
  (bsc#1247712).
- ice: init flow director before RDMA (bsc#1247712).
- ice: simplify VF MSI-X managing (bsc#1247712).
- ice: enable_rdma devlink param (bsc#1247712).
- ice: treat dyn_allowed only as suggestion (bsc#1247712).
- ice, irdma: move interrupts code to irdma (bsc#1247712).
- ice: get rid of num_lan_msix field (bsc#1247712).
- ice: remove splitting MSI-X between features (bsc#1247712).
- ice: devlink PF MSI-X max and min parameter (bsc#1247712).
- ice: count combined queues using Rx/Tx count (bsc#1247712).
- commit 5c830c5

- kABI: io_uring: msg_ring ensure io_kiocb freeing is deferred
  (CVE-2025-38453 bsc#1247234).
  Conflicts:
  series.conf
- commit 909d7fe

- io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU
  (CVE-2025-38453 bsc#1247234).
- commit 171360a

- tls: always refresh the queue when reading sock (CVE-2025-38471
  bsc#1247450).
- commit 2bcb640

- smc: Fix various oops due to inet_sock type confusion
  (CVE-2025-38475 bsc#1247308).
- commit 05e8074

- do_change_type(): refuse to operate on unmounted/not ours mounts (CVE-2025-38498 bsc#1247374)
- commit cb82edb

- nvme-tcp: fix selinux denied when calling sock_sendmsg
  (bsc#1247497).
- commit 6082643

- Update
  patches.suse/smb-client-reject-userspace-cifs-spnego-descriptions.patch
  (bsc#1266238 CVE-2026-46243).
- commit 9550304

- Bluetooth: serialize accept_q access (git-fixes).
- Refresh
  patches.suse/Bluetooth-fix-UAF-in-l2cap_sock_cleanup_listen-vs-l2.patch.
- commit 649e53f

- auxdisplay: line-display: fix OOB read on zero-length
  message_store() (git-fixes).
- security/keys: fix missed RCU read section on lookup
  (stable-fixes).
- drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c
  probe (git-fixes).
- drm/amd/display: Validate payload length and link_index in
  dc_process_dmub_aux_transfer_async (stable-fixes).
- drm/amd/display: Validate GPIO pin LUT table size before
  iterating (stable-fixes).
- drm/amd/display: Fix integer overflow in bios_get_image()
  (stable-fixes).
- drm/amdgpu/vpe: Force collaborate sync after TRAP
  (stable-fixes).
- ALSA: asihpi: Fix potential OOB array access at reading cache
  (stable-fixes).
- HID: quirks: really enable the intended work around for
  appledisplay (git-fixes).
- HID: uclogic: Fix regression of input name assignment
  (git-fixes).
- commit 5fdf340

- net: mana: Expose hardware diagnostic info via debugfs (bsc#1266414).
- net: mana: Use kvmalloc for large RX queue and buffer allocations (bsc#1266765).
- net: mana: Use per-queue allocation for tx_qp to reduce allocation size (bsc#1266765).
- net: mana: hardening: Reject zero max_num_queues from GDMA_QUERY_MAX_RESOURCES (git-fixes).
- net: mana: hardening: Reject zero max_num_queues from MANA_QUERY_VPORT_CONFIG (git-fixes).
- net: mana: Skip redundant detach on already-detached port (git-fixes).
- net: mana: Add NULL guards in teardown path to prevent panic on attach failure (git-fixes).
- RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port (git-fixes).
- net: mana: validate rx_req_idx to prevent out-of-bounds array access (bsc#1266402).
- net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer (bsc#1265928).
- commit 36776be

- dm: fix a buffer overflow in ioctl processing (git-fixes).
- scsi: ses: Handle positive SCSI error from ses_recv_diag()
  (git-fixes).
- scsi: devinfo: Add BLIST_SKIP_IO_HINTS for Iomega ZIP
  (git-fixes).
- scsi: mpi3mr: Clear reset history on ready and recheck state
  after timeout (git-fixes).
- scsi: ufs: core: Fix shift out of bounds when MAXQ=32
  (git-fixes).
- commit e61e502

- team: avoid NETDEV_CHANGEMTU event when unregistering slave
  (CVE-2026-43234 bsc#1264409).
- commit 0f4d02d

- net: stmmac: Prevent NULL deref when RX memory exhausted
  (CVE-2026-46110 bsc#1266759).
- net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
  (CVE-2026-46110 bsc#1266759).
- net/mlx5: Fix switchdev mode rollback in case of failure
  (CVE-2026-43012 bsc#1264016).
- net/mlx5: lag: Check for LAG device before creating debugfs
  (CVE-2026-43013 bsc#1264011).
- net: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled
  (CVE-2026-31736 bsc#1263908).
- commit 5178a8b

- Input: ims-pcu - fix usb_free_coherent() size in
  ims_pcu_buffers_free() (git-fixes).
- Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
  (git-fixes).
- Input: xpad - fix out-of-bounds access for Share button
  (git-fixes).
- Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB
  buffer size (git-fixes).
- commit d66e959

- btrfs: do not mark inode incompressible after inline attempt
  fails (git-fixes).
- commit b9ec6e8

- USB: serial: cypress_m8: validate interrupt packet headers
  (git-fixes).
- USB: serial: safe_serial: fix memory corruption with small
  endpoint (git-fixes).
- USB: serial: omninet: fix memory corruption with small endpoint
  (git-fixes).
- USB: serial: mxuport: fix memory corruption with small endpoint
  (git-fixes).
- USB: serial: option: add missing RSVD(5) flag for Rolling
  RW135R-GL (git-fixes).
- USB: serial: mct_u232: fix missing interrupt-in transfer sanity
  check (git-fixes).
- USB: serial: keyspan: fix missing indat transfer sanity check
  (git-fixes).
- USB: serial: belkin_sa: validate interrupt status length
  (git-fixes).
- USB: cdc-acm: Fix bit overlap and move quirk definitions to
  header (git-fixes).
- usb: dwc2: Fix use after free in debug code (git-fixes).
- usb: chipidea: core: convert ci_role_switch to local variable
  (git-fixes).
- usb: gadget: f_fs: serialize DMABUF cancel against request
  completion (git-fixes).
- usb: gadget: f_fs: copy only received bytes on short ep0 read
  (git-fixes).
- usb: gadget: dummy_hcd: Reject hub port requests for
  non-existent ports (git-fixes).
- usbip: vudc: Fix use after free bug in vudc_remove due to race
  condition (git-fixes).
- usb: usbtmc: reject interrupt endpoints with small
  wMaxPacketSize (git-fixes).
- usb: usbtmc: check URB actual_length for interrupt-IN
  notifications (git-fixes).
- usb: gadget: uvc: hold opts->lock across XU walks in
  uvc_function_bind (git-fixes).
- usb: gadget: net2280: Fix double free in probe error path
  (git-fixes).
- usb: gadget: f_hid: fix device reference leak in hidg_alloc()
  (git-fixes).
- usb: typec: ucsi: Don't update power_supply on power role
  change if not connected (git-fixes).
- usb: typec: tcpm: improve handling of DISCOVER_MODES failures
  (git-fixes).
- usb: cdns3: gadget: fix request skipping after clearing halt
  (git-fixes).
- usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call
  permanently leaks the runtime PM usage counter across
  bind/unbind cycles (git-fixes).
- usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy
  acquisition failure (git-fixes).
- thunderbolt: property: Reject dir_len < 4 to prevent size_t
  underflow (git-fixes).
- thunderbolt: property: Reject u32 wrap in
  tb_property_entry_valid() (git-fixes).
- usb: gadget: composite: fix integer underflow in WebUSB GET_URL
  handling (git-fixes).
- tty: serial: samsung: Remove redundant port lock acquisition
  in rx helpers (git-fixes).
- serial: qcom_geni: fix kfifo underflow when flush precedes
  DMA completion IRQ (git-fixes).
- serial: fsl_lpuart: fix rx buffer and DMA map leaks in
  start_rx_dma (git-fixes).
- serial: qcom-geni: fix UART_RX_PAR_EN bit position (git-fixes).
- tty: serial: pch_uart: add check for dma_alloc_coherent()
  (git-fixes).
- parport: Fix race between port and client registration
  (git-fixes).
- comedi: comedi_test: fix check for valid scan_begin_src in
  waveform_ai_cmdtest() (git-fixes).
- comedi: comedi_test: Fix limiting of convert_arg in
  waveform_ai_cmdtest() (git-fixes).
- iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
  (git-fixes).
- iio: gyro: itg3200: fix i2c read into the wrong stack location
  (git-fixes).
- iio: dac: ad5686: acquire lock when doing powerdown control
  (git-fixes).
- iio: temperature: tsys01: fix broken PROM checksum validation
  (git-fixes).
- iio: buffer: hw-consumer: fix use-after-free in error path
  (git-fixes).
- iio: dac: ad5686: fix input raw value check (git-fixes).
- iio: ssp_sensors: cancel delayed work_refresh on remove
  (git-fixes).
- iio: dac: max5821: fix return value check in powerdown sync
  (git-fixes).
- iio: adc: mt6359: fix unchecked return value in mt6358_read_imp
  (git-fixes).
- iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
  (git-fixes).
- iio: light: cm3323: fix reg_conf not being initialized correctly
  (git-fixes).
- iio: magnetometer: st_magn: fix default DRDY pin selection
  for LIS2MDL (git-fixes).
- iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()
  (git-fixes).
- iio: adc: npcm: fix unbalanced clk_disable_unprepare()
  (git-fixes).
- iio: gyro: adis16260: fix division by zero in write_raw
  (git-fixes).
- iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for
  dual mux (git-fixes).
- drm/hyperv: validate VMBus packet size in receive callback
  (git-fixes).
- drm/hyperv: validate resolution_count and fix WIN8 fallback
  (git-fixes).
- drm/amd/pm/si: Disregard vblank time when no displays are
  connected (git-fixes).
- drm/i915: Fix potential UAF in TTM object purge (git-fixes).
- commit b935350

- net: gro: don't merge zcopy skbs (git-fixes).
- net: skbuff: propagate shared-frag marker through frag-transfer
  helpers (CVE-2026-43503 bsc#1265960).
- net: skbuff: preserve shared-frag marker during coalescing
  (CVE-2026-46300 bsc#1265209).
- commit 68f8e8b

- Revert "net: skbuff: propagate shared-frag marker through pskb_copy()"
  This reverts commit f71c96250de20f4edf1c4beeb9d8b973a9ad6943.
- commit aaf0bdb

- Update
  patches.kabi/ptrace-slightly-saner-get_dumpable-logic-kabi-assert.patch
  (CVE-2026-46333 bsc#1265308).
- Update
  patches.kabi/ptrace-slightly-saner-get_dumpable-logic-kabi.patch
  (CVE-2026-46333 bsc#1265308).
- Update
  patches.suse/ptrace-slightly-saner-get_dumpable-logic.patch
  (CVE-2026-46333 bsc#1265308).
- commit 493e3ed

- kernel-binary: Only apply vmlinux workaround on SLE15 and later
  To create debuginfo for vmlinux the file needs to be present even if
  it's not packaged because a compressed file is packaged insteand.
  To accomplish that the file is marked as ghost in the file list. Then
  rpm does not complain that the file exists but does not package it.
  However, rpm still reserves space for ghost files when installing a
  package. To avoid reserving space for a file that is not used the file
  is truncated.
  That works on SLE 15 but on SLE 12 rpm then fails packaging the
  debuginfo complaiing that extra debuginfo files are present. Limit the
  workaround to SLE 15 and later.
  Fixes: 222edac2a18 (kernel-binary: prevent uncompressed vmlinux from inflating rpm size requirements)
- commit 1ef7451

- scsi: target: iscsi: validate CHAP_R length before base64 decode
  (bsc#1265449).
- commit 04f607e

- Refresh
  patches.suse/io-wq-check-that-the-predecessor-is-hashed-in-io_wq_remove_pending.patch.
- commit 033df25

- net: mana: Fix crash from unvalidated SHM offset read from BAR0 during FLR (bsc#1265846).
- net: mana: remove double CQ cleanup in mana_create_rxq error path (git-fixes).
- net: mana: Skip WQ object destruction for uninitialized RXQ (git-fixes).
- net: mana: check xdp_rxq registration before unreg in mana_destroy_rxq() (git-fixes).
- RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() (git-fixes).
- RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() (git-fixes).
- RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() (git-fixes).
- RDMA/mana: Validate rx_hash_key_len (git-fixes).
- hv_sock: fix ARM64 support (git-fixes).
- mshv: Fix error handling in mshv_region_pin (CVE-2026-43045 bsc#1263942).
- mshv: Refactor and rename memory region handling functions (CVE-2026-43045 bsc#1263942).
- commit 6cbd7cb

- Kernel-binary: Do not truncate vmlinux when it's the boot image
  Some architectures use vmlinux to boot. Truncating vmlinux on those
  architectures causes signing failure during build. Also if the signing
  was disabled a brokne kernel would be produced.
  Fixes: 222edac2a18 (kernel-binary: prevent uncompressed vmlinux from inflating rpm size requirements)
- commit d3cf603

- perf: Fix __perf_event_overflow() vs perf_remove_from_context()
  race (bsc#1260018 CVE-2026-23271).
- commit 1c3b58a

- drivers/base/memory: fix memory block reference leak in poison
  accounting (git-fixes).
- commit c0de598

- kabi assert: ptrace: slightly saner 'get_dumpable()' logic
  (bsc#1265308).
- kabi: ptrace: slightly saner 'get_dumpable()' logic
  (bsc#1265308).
- ptrace: slightly saner 'get_dumpable()' logic (bsc#1265308).
- commit f8f4ca2

- io-wq: check that the predecessor is hashed in
  io_wq_remove_pending() (git-fixes).
- commit 7709fe4

- net: skbuff: propagate shared-frag marker through pskb_copy()
  (CVE-2026-46300 bsc#1265209).
- commit f71c962

- x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's  op cache (bsc#1264013 CVE-2025-54518).
- commit b2d5a21

- Update config files: disable unsupported CONFIG_AFS_FS and CONFIG_AF_RXRPC
- commit a035dd7

- supported.conf: drop rxrpc completely (bsc#1264450)
- commit 2dc3b0f

- xfrm: esp: avoid in-place decrypt on shared skb frags
  (bsc#1264449).
- commit afc97fe

- crypto: authencesn - Fix src offset when decrypting in-place
  (bsc#1262573 CVE-2026-31431).
- commit 66d7b47

- crypto: authencesn - Do not place hiseq at end of dst for
  out-of-place decryption (bsc#1262573 CVE-2026-31431).
- commit d5fe1c6

- crypto: authenc - use memcpy_sglist() instead of null skcipher
  (bsc#1262573 CVE-2026-31431).
- Refresh
  patches.suse/crypto-authencesn-reject-too-short-AAD-assoclen-8-to.patch
- commit 3e7ba77

- kABI: Restore af_alg_{count,pull}_tsgl() signatures (bsc#1262573
  CVE-2026-31431).
- commit 748d5b2

- kABI: Restore af_alg_{count,pull}_tsgl() signatures (bsc#1262573
  CVE-2026-31431).
- commit 748d5b2

- crypto: algif_aead - Revert to operating out-of-place
  (bsc#1262573 CVE-2026-31431).
- commit 02b8598

- crypto: algif_aead - use memcpy_sglist() instead of null skciphe
  (bsc#1262573 CVE-2026-31431).
- commit 28e785f

- kABI: Restore af_alg_{count,pull}_tsgl() signatures (bsc#1262573
  CVE-2026-31431).
- commit 748d5b2

- ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
  (CVE-2026-23304 bsc#1260544).
- commit 51fafb4

- powerpc/crash: adjust the elfcorehdr size (jsc#PED-11175
  git-fixes).
- powerpc/kdump: Fix size calculation for hot-removed memory
  ranges (jsc#PED-11175 git-fixes).
- commit cfb9cde

- ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
  (CVE-2026-23304 bsc#1260544).
- commit 51fafb4

- selftests/powerpc: Suppress -Wmaybe-uninitialized with GCC 15
  (bsc#1261669 ltc#212590).
- commit e7cec47

- scsi: target: Fix recursive locking in __configfs_open_file()
  (CVE-2026-23292 bsc#1260500).
- scsi: target: iscsi: Fix use-after-free in
  iscsit_dec_session_usage_count() (CVE-2026-23193 bsc#1258414).
- scsi: target: iscsi: Fix use-after-free in
  iscsit_dec_conn_usage_count() (CVE-2026-23216 bsc#1258447).
- commit f1d41b2

- xdp: produce a warning when calculated tailroom is negative
  (CVE-2026-23343 bsc#1260527).
- commit 72b74a3

- bpf, arm64: Force 8-byte alignment for JIT buffer to prevent
  atomic tearing (CVE-2026-23383 bsc#1260497).
- commit b5b5e19

- nvmet: move async event work off nvmet-wq (git-fixes).
- nvme-pci: cap queue creation to used queues (git-fixes).
- nvme-pci: ensure we're polling a polled queue (git-fixes).
- nvme-fabrics: use kfree_sensitive() for DHCHAP secrets
  (git-fixes).
- commit 5ccf382

- tg3: Fix race for querying speed/duplex (bsc#1257183).
- commit 4d083ab

- KVM: arm64: Fix ID register initialization for non-protected
  pKVM guests (CVE-2026-23425 bsc#1261506).
- commit b02fb9f

- Refresh
  patches.suse/scsi-scsi_transport_sas-Fix-the-maximum-channel-scan.patch.
- commit bf87874

- dm mpath: make pg_init_delay_msecs settable (git-fixes).
- commit b2a0fd6

- dm: clear cloned request bio pointer when last clone bio
  completes (git-fixes).
- commit d6eb6ea

- dm: remove fake timeout to avoid leak request (git-fixes).
- commit bf8f04d

- add bugnumber to existing mana change (bsc#1252266).
- net: mana: Ring doorbell at 4 CQ wraparounds (git-fixes).
- PCI: hv: remove unnecessary module_init/exit functions (git-fixes).
- PCI: hv: Remove unused field pci_bus in struct hv_pcibus_device (git-fixes).
- RDMA/mana_ib: Add device-memory support (git-fixes).
- RDMA/mana_ib: Take CQ type from the device type (git-fixes).
- net: mana: Implement ndo_tx_timeout and serialize queue resets per port (bsc#1257472).
- Drivers: hv: Always do Hyper-V panic notification in hv_kmsg_dump() (git-fixes).
- net: mana: Fix use-after-free in reset service rescan path (git-fixes).
- net: mana: Handle hardware recovery events when probing the device (bsc#1257466).
- net: mana: Drop TX skb on post_work_request failure and unmap resources (git-fixes).
- net: mana: Handle SKB if TX SGEs exceed hardware limit (git-fixes).
- net: mana: Add standard counter rx_missed_errors (git-fixes).
- commit dde91c8

- btrfs: fallback to buffered IO if the data profile has
  duplication (git-fixes).
- commit c194c61

- arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS (bsc#1259329)
- commit c775b21

- selftests/bpf: add verifier sign extension bound computation
  tests (git-fixes).
- bpf: verifier improvement in 32bit shift sign extension pattern
  (git-fixes).
- commit 9625613

- hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read
  (git-fixes).
- hwmon: (it87) Check the it87_lock() return value (git-fixes).
- commit 8d41466

- drm/xe/reg_sr: Fix leak on xa_store failure (git-fixes).
- drm/xe: Do not preempt fence signaling CS instructions
  (git-fixes).
- nouveau/dpcd: return EBUSY for aux xfer if the device is asleep
  (git-fixes).
- drm/sched: Fix kernel-doc warning for drm_sched_job_done()
  (git-fixes).
- drm/solomon: Fix page start when updating rectangle in page
  addressing mode (git-fixes).
- platform/x86: dell-wmi-sysman: Don't hex dump plaintext password
  data (git-fixes).
- pmdomain: bcm: bcm2835-power: Fix broken reset status read
  (git-fixes).
- ata: libata-core: Disable LPM on ST1000DM010-2EP102 (git-fixes).
- commit a06b327

- tracing: Fix crash on synthetic stacktrace field usage
  (CVE-2026-23088 bsc#1257814).
- commit 41fea09

- idpf: detach and close netdevs while handling a reset
  (CVE-2026-22981 bsc#1257225).
- commit 6e399ef

- KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR
  (failed VMRUN) (git-fixes).
- commit ea24b4e

- KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested
  VM-Exits (git-fixes).
- commit 39ff5cb

- KVM: x86: Explicitly set new periodic hrtimer expiration in
  apic_timer_fn() (git-fixes).
- commit e059ee8

- KVM: x86: WARN if hrtimer callback for periodic APIC timer
  fires with period=0 (git-fixes).
- commit 2c24d91

- platform/x86: intel_telemetry: Fix PSS event register mask
  (git-fixes).
- platform/x86: intel_telemetry: Fix swapped arrays in PSS output
  (git-fixes).
- platform/x86: toshiba_haps: Fix memory leaks in add/remove
  routines (git-fixes).
- commit 35ce7c7

- KVM: x86: Don't clear async #PF queue when CR0.PG is disabled
  (e.g. on #SMI) (git-fixes).
- commit c57db6d

- btrfs: scrub: always update btrfs_scrub_progress::last_physical
  (git-fixes).
- commit 9d5464b

- slimbus: core: Constify slim_eaddr_equal() (jsc#PED-10906
  git-fixes).
- commit 6c2c54b

- bus: fsl-mc: Constify fsl_mc_device_match() (jsc#PED-10906
  git-fixes).
- commit b3ff1a5