Format: 1.8
Date: Mon, 09 Mar 2026 07:45:42 +0100
Source: linux
Binary: linux-doc linux-doc-6.1 linux-headers-6.1.0-44-common linux-headers-6.1.0-44-common-rt linux-source linux-source-6.1 linux-support-6.1.0-44
Architecture: all
Version: 6.1.164-1
Distribution: bookworm-security
Urgency: high
Maintainer: all Build Daemon (x86-csail-02)
Changed-By: Salvatore Bonaccorso
Description:
 linux-doc - Linux kernel specific documentation (meta-package)
 linux-doc-6.1 - Linux kernel specific documentation for version 6.1
 linux-headers-6.1.0-44-common - Common header files for Linux 6.1.0-44
 linux-headers-6.1.0-44-common-rt - Common header files for Linux 6.1.0-44-rt
 linux-source - Linux kernel source (meta-package)
 linux-source-6.1 - Linux kernel source for version 6.1 with Debian patches
 linux-support-6.1.0-44 - Support files for Linux 6.1
Closes: 1127597
Changes:
 linux (6.1.164-1) bookworm-security; urgency=high
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.163
     - nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec (CVE-2026-23112)
     - [x86] kfence: fix booting on 32bit non-PAE systems
     - [x86] platform/x86: intel_telemetry: Fix swapped arrays in PSS output
     - rbd: check for EOD after exclusive lock is ensured to be held
     - Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"
     - KVM: Don't clobber irqfd routing type when deassigning irqfd
     - netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX (CVE-2025-38201)
     - [arm*] binder: fix BR_FROZEN_REPLY error log
     - binderfs: fix ida_alloc_max() upper bound
     - [arm64] pmdomain: imx8mp-blk-ctrl: Keep gpc power domain on for system wakeup
     - [arm64] pmdomain: imx8mp-blk-ctrl: Keep usb phy power domain on for system wakeup
     - [arm64] pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains
     - gve: Fix stats report corruption on queue count change
     - tracing: Fix ftrace event field alignments
     - gve: Correct ethtool rx_dropped calculation
     - wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
     - wifi: wlcore: ensure skb headroom before skb_push
     - net: usb: sr9700: support devices with virtual driver CD
     - block,bfq: fix aux stat accumulation destination
     - smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()
     - [amd64] HID: intel-ish-hid: Update ishtp bus match to support device ID table
     - HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL
     - btrfs: fix reservation leak in some error paths when inserting inline extent
     - [amd64] HID: intel-ish-hid: Reset enum_devices_done before enumeration
     - HID: playstation: Center initial joystick axes to prevent spurious events
     - ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk
     - netfilter: replace -EEXIST with -EBUSY
     - HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list
     - HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
     - HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101)
     - ring-buffer: Avoid softlockup in ring_buffer_resize() during memory free
     - wifi: mac80211: collect station statistics earlier when disconnect
     - nvme-fc: release admin tagset if init fails
     - wifi: cfg80211: Fix bitrate calculation overflow for HE rates
     - scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
     - ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU
     - scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
     - wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice
     - [x86] platform/x86: toshiba_haps: Fix memory leaks in add/remove routines
     - [x86] platform/x86: intel_telemetry: Fix PSS event register mask
     - smb/client: fix memory leak in smb2_open_file()
     - net: liquidio: Initialize netdev pointer before queue setup
     - net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
     - net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup
     - macvlan: fix error recovery in macvlan_common_newlink()
     - net: don't touch dev->stats in BPF redirect paths
     - tipc: use kfree_sensitive() for session key material
     - [x86] drm/mgag200: fix mgag200_bmc_stop_scanout()
     - [armhf] hwmon: (occ) Mark occ_init_attribute() as __printf
     - netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() (CVE-2026-23111)
     - [amd64] ASoC: amd: fix memory leak in acp3x pdm dma ops
     - hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() (CVE-2025-40082)
     - iommu: disable SVA when CONFIG_X86 is set (CVE-2025-71089)
     - [arm64] spi: tegra: Fix a memory leak in tegra_slink_probe()
     - ALSA: hda/realtek: Really fix headset mic for TongFang X6AR55xU.
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.164
     - smb: client: split cached_fid bitfields to avoid shared-byte RMW races (CVE-2026-23230)
     - ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths (CVE-2026-23220)
     - smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() (CVE-2026-23228)
     - crypto: octeontx - Fix length check to avoid truncation in ucode_load_store
     - crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly (CVE-2026-23222)
     - crypto: virtio - Add spinlock protection with virtqueue notification (CVE-2026-23229)
     - crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req
     - nilfs2: Fix potential block overflow that cause system hang (CVE-2025-71237)
     - scsi: qla2xxx: Validate sp before freeing associated memory (CVE-2025-71236)
     - scsi: qla2xxx: Allow recovery for tape devices
     - scsi: qla2xxx: Delay module unload while fabric scan in progress (CVE-2025-71235)
     - scsi: qla2xxx: Query FW again before proceeding with login
     - gpio: omap: do not register driver in probe()
     - btrfs: fix racy bitfield write in btrfs_clear_space_info_full() (CVE-2025-68358)
     - net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module
     - smb: client: set correct id, uid and cruid for multiuser automounts (CVE-2024-26822)
     - scsi: qla2xxx: Fix bsg_done() causing double free
     - PCI: endpoint: Automatically create a function specific attributes group
     - PCI: endpoint: Remove unused field in struct pci_epf_group
     - PCI: endpoint: Avoid creating sub-groups asynchronously (CVE-2025-71233)
     - bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
     - bus: fsl-mc: fix use-after-free in driver_override_show() (CVE-2026-23221)
     - scsi: qla2xxx: Remove dead code (GNN ID)
     - scsi: qla2xxx: Reduce fabric scan duplicate code
     - scsi: qla2xxx: Free sp in error path to fix system crash (CVE-2025-71232)
     - cacheinfo: Decrement refcount in cache_setup_of_node()
     - cacheinfo: Remove of_node_put() for fw_token
     - ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU
     - [x86] ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list
     - gpio: sprd: Change sprd_gpio lock to raw_spin_lock
     - ALSA: hda/realtek: Add quirk for Inspur S14-G1
     - romfs: check sb_set_blocksize() return value
     - [arm64,armhf] drm/tegra: hdmi: sor: Fix error: variable ‘j’ set but not used
     - [x86] platform/x86: classmate-laptop: Add missing NULL pointer checks
     - [x86] ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9
     - [x86] platform/x86: panasonic-laptop: Fix sysfs group leak in error path
     - gpiolib: acpi: Fix gpio count with string references
     - Revert "wireguard: device: enable threaded NAPI"
     - mptcp: schedule rtx timer only after pushing data
     - mptcp: ensure context reset on disconnect() (CVE-2025-71144)
     - xsk: Fix race condition in AF_XDP generic RX path (CVE-2025-37920)
     - devlink: rate: Unset parent pointer in devl_rate_nodes_destroy (CVE-2025-40251)
     - clk: mediatek: fix of_iomap memory leak (CVE-2023-53424)
     - nfsd: don't ignore the return code of svc_proc_register() (CVE-2025-22026)
     - ksmbd: set ATTR_CTIME flags when setting mtime (CVE-2024-57895)
     - ACPI: APEI: send SIGBUS to current task if synchronous memory error not recovered (CVE-2025-39763)
     - net: stmmac: Fix accessing freed irq affinity_hint (CVE-2025-23155)
     - net: dsa: free routing table on probe failure (CVE-2025-37786)
     - mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() (CVE-2026-23169)
     - wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() (CVE-2025-38643)
     - cpuset: Fix missing adaptation for cpuset_is_populated
     - fbdev: rivafb: fix divide error in nv3_arb()
     - fbdev: smscufx: properly copy ioctl memory to kernelspace
     - f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
     - f2fs: fix to avoid UAF in f2fs_write_end_io()
     - f2fs: fix out-of-bounds access in sysfs attribute read/write
     - USB: serial: option: add Telit FN920C04 RNDIS compositions
     - net: tunnel: make skb_vlan_inet_prepare() return drop reasons (Closes: #1127597)
 .
   [ Ben Hutchings ]
   * CI: Delete support for ccache, which was removed from common pipeline
   * CI: Update build job to work after another common pipeline change
 .
   [ Salvatore Bonaccorso ]
   * apparmor: fix kernel-doc complaints
   * apparmor: Fix kernel-doc warnings in apparmor/policy.c
   * apparmor: validate DFA start states are in bounds in unpack_pdb
   * apparmor: fix memory leak in verify_header
   * apparmor: replace recursive profile removal with iterative approach
   * apparmor: fix: limit the number of levels of policy namespaces
   * apparmor: fix side-effect bug in match_char() macro usage
   * apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
   * apparmor: Fix double free of ns_name in aa_replace_profiles()
   * apparmor: fix unprivileged local user can do privileged policy management
   * apparmor: fix differential encoding verification
   * apparmor: fix race on rawdata dereference
   * apparmor: fix race between freeing data and fs accessing it