Merge tag 'v6.18.18' into qcom-6.18.y #366
Open
svankas wants to merge 1776 commits into qualcomm-linux:qcom-6.18.y from
[ Upstream commit 679ec63 ] DWC core couldn't distinguish LTSSM state among L1.0, L1.1 and L1.2. But the vendor glue driver may implement additional logic to convey this information. So add two pseudo definitions for vendor glue drivers to translate their internal L1 Substates for debugfs to show. Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com> Signed-off-by: Manivannan Sadhasivam <mani@kernel.org> Link: https://patch.msgid.link/1765503205-22184-1-git-send-email-shawn.lin@rock-chips.com Stable-dep-of: 180c3cf ("Revert "PCI: dw-rockchip: Enumerate endpoints based on dll_link_up IRQ"") Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f994bb8 ]

Rename rockchip_pcie_get_ltssm() to rockchip_pcie_get_ltssm_reg() and add rockchip_pcie_get_ltssm() to get_ltssm() callback in order to show the proper L1 Substates. The PCIE_CLIENT_LTSSM_STATUS[5:0] register returns the same LTSSM layout as enum dw_pcie_ltssm. So the driver just needs to convey L1 PM Substates by returning the proper value defined in pcie-designware.h.

    cat /sys/kernel/debug/dwc_pcie_a40000000.pcie/ltssm_status
    L1_2 (0x142)

Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://patch.msgid.link/1765503205-22184-2-git-send-email-shawn.lin@rock-chips.com
Stable-dep-of: 180c3cf ("Revert "PCI: dw-rockchip: Enumerate endpoints based on dll_link_up IRQ"")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 180c3cf ]

This reverts commit 0e0b45a.

While this fake hotplugging was a nice idea, it has shown that this feature does not handle PCIe switches correctly:

    pci_bus 0004:43: busn_res: can not insert [bus 43-41] under [bus 42-41] (conflicts with (null) [bus 42-41])
    pci_bus 0004:43: busn_res: [bus 43-41] end is updated to 43
    pci_bus 0004:43: busn_res: can not insert [bus 43] under [bus 42-41] (conflicts with (null) [bus 42-41])
    pci 0004:42:00.0: devices behind bridge are unusable because [bus 43] cannot be assigned for them
    pci_bus 0004:44: busn_res: can not insert [bus 44-41] under [bus 42-41] (conflicts with (null) [bus 42-41])
    pci_bus 0004:44: busn_res: [bus 44-41] end is updated to 44
    pci_bus 0004:44: busn_res: can not insert [bus 44] under [bus 42-41] (conflicts with (null) [bus 42-41])
    pci 0004:42:02.0: devices behind bridge are unusable because [bus 44] cannot be assigned for them
    pci_bus 0004:45: busn_res: can not insert [bus 45-41] under [bus 42-41] (conflicts with (null) [bus 42-41])
    pci_bus 0004:45: busn_res: [bus 45-41] end is updated to 45
    pci_bus 0004:45: busn_res: can not insert [bus 45] under [bus 42-41] (conflicts with (null) [bus 42-41])
    pci 0004:42:06.0: devices behind bridge are unusable because [bus 45] cannot be assigned for them
    pci_bus 0004:46: busn_res: can not insert [bus 46-41] under [bus 42-41] (conflicts with (null) [bus 42-41])
    pci_bus 0004:46: busn_res: [bus 46-41] end is updated to 46
    pci_bus 0004:46: busn_res: can not insert [bus 46] under [bus 42-41] (conflicts with (null) [bus 42-41])
    pci 0004:42:0e.0: devices behind bridge are unusable because [bus 46] cannot be assigned for them
    pci_bus 0004:42: busn_res: [bus 42-41] end is updated to 46
    pci_bus 0004:42: busn_res: can not insert [bus 42-46] under [bus 41] (conflicts with (null) [bus 41])
    pci 0004:41:00.0: devices behind bridge are unusable because [bus 42-46] cannot be assigned for them
    pcieport 0004:40:00.0: bridge has subordinate 41 but max busn 46

During the initial scan, PCI core doesn't see the switch and since the Root Port is not hot plug capable, the secondary bus number gets assigned as the subordinate bus number. This means, the PCI core assumes that only one bus will appear behind the Root Port since the Root Port is not hot plug capable.

This works perfectly fine for PCIe endpoints connected to the Root Port, since they don't extend the bus. However, if a PCIe switch is connected, then there is a problem when the downstream busses start showing up and the PCI core doesn't extend the subordinate bus number and bridge resources after initial scan during boot.

The long term plan is to migrate this driver to the upcoming pwrctrl APIs that are supposed to handle this problem elegantly.

Suggested-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Tested-by: Shawn Lin <shawn.lin@rock-chips.com>
Acked-by: Shawn Lin <shawn.lin@rock-chips.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251222064207.3246632-10-cassel@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5173179 ]

MHI stack offers the 'auto_queue' feature, which allows the MHI stack to auto queue the buffers for the RX path (DL channel). Though this feature simplifies the client driver design, it introduces a race between the client drivers and the MHI stack. For instance, with auto_queue, the 'dl_callback' for the DL channel may get called before the client driver is fully probed. This means, by the time the dl_callback gets called, the client driver's structures might not be initialized, leading to NULL ptr dereference.

Currently, the drivers have to work around this issue by initializing the internal structures before calling mhi_prepare_for_transfer_autoqueue(). But even so, there is a chance that the client driver's internal code path may call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() is called, leading to similar NULL ptr dereference. This issue has been reported on the Qcom X1E80100 CRD machines affecting boot.

So to properly fix all these races, drop the MHI 'auto_queue' feature altogether and let the client driver (QRTR) manage the RX buffers manually. In the QRTR driver, queue the RX buffers based on the ring length during probe and recycle the buffers in 'dl_callback' once they are consumed. This also warrants removing the setting of 'auto_queue' flag from controller drivers.

Currently, this 'auto_queue' feature is only enabled for IPCR DL channel. So only the QRTR client driver requires the modification.

Fixes: 227fee5 ("bus: mhi: core: Add an API for auto queueing buffers for DL channel")
Fixes: 68a838b ("net: qrtr: start MHI channel after endpoit creation")
Reported-by: Johan Hovold <johan@kernel.org>
Closes: https://lore.kernel.org/linux-arm-msm/ZyTtVdkCCES0lkl4@hovoldconsulting.com
Suggested-by: Chris Lew <quic_clew@quicinc.com>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Reviewed-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
Acked-by: Jeff Johnson <jjohnson@kernel.org> # drivers/net/wireless/ath/...
Acked-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251218-qrtr-fix-v2-1-c7499bfcfbe0@oss.qualcomm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit e065c6a ]

Currently, the net_device is allocated when the function instance is created (e.g., in ncm_alloc_inst()). While this allows userspace to configure the device early, it decouples the net_device lifecycle from the actual USB connection state (bind/unbind). The goal is to defer net_device creation to the bind callback to properly align the lifecycle with its parent gadget device.

However, deferring net_device allocation would prevent userspace from configuring parameters (like interface name or MAC address) before the net_device exists.

Introduce a new structure, struct gether_opts, associated with the usb_function_instance, to cache settings independently of the net_device. These settings include the interface name pattern, MAC addresses (device and host), queue multiplier, and address assignment type.

New helper functions are added:
- gether_setup_opts_default(): Initializes struct gether_opts with defaults, including random MAC addresses.
- gether_apply_opts(): Applies the cached options from a struct gether_opts to a valid net_device.

To expose these options to userspace, new configfs macros (USB_ETHER_OPTS_ITEM and USB_ETHER_OPTS_ATTR_*) are defined in u_ether_configfs.h. These attributes are part of the function instance's configfs group.

This refactoring is a preparatory step. It allows the subsequent patch to safely move the net_device allocation from the instance creation phase to the bind phase without losing the ability to pre-configure the interface via configfs.

Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20251230-ncm-refactor-v1-1-793e347bc7a7@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 56a512a ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0c09811 ] The net_device in the u_ether framework currently requires explicit calls to unregister and free the device. Introduce gether_unregister_free_netdev() and the corresponding auto-cleanup macro. This ensures that if a net_device is registered, it is properly unregistered and the associated work queue is flushed before the memory is freed. This is a preparatory patch to simplify error handling paths in gadget drivers by removing the need for explicit goto labels for net_device cleanup. Signed-off-by: Kuen-Han Tsai <khtsai@google.com> Link: https://patch.msgid.link/20251230-ncm-refactor-v1-2-793e347bc7a7@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Stable-dep-of: 56a512a ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind") Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 56a512a ]

Currently, the net_device is allocated in ncm_alloc_inst() and freed in ncm_free_inst(). This ties the network interface's lifetime to the configuration instance rather than the USB connection (bind/unbind).

This decoupling causes issues when the USB gadget is disconnected where the underlying gadget device is removed. The net_device can outlive its parent, leading to dangling sysfs links and NULL pointer dereferences when accessing the freed gadget device.

Problem 1: NULL pointer dereference on disconnect

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    Call trace:
      __pi_strlen+0x14/0x150
      rtnl_fill_ifinfo+0x6b4/0x708
      rtmsg_ifinfo_build_skb+0xd8/0x13c
      rtmsg_ifinfo+0x50/0xa0
      __dev_notify_flags+0x4c/0x1f0
      dev_change_flags+0x54/0x70
      do_setlink+0x390/0xebc
      rtnl_newlink+0x7d0/0xac8
      rtnetlink_rcv_msg+0x27c/0x410
      netlink_rcv_skb+0x134/0x150
      rtnetlink_rcv+0x18/0x28
      netlink_unicast+0x254/0x3f0
      netlink_sendmsg+0x2e0/0x3d4

Problem 2: Dangling sysfs symlinks

    console:/ # ls -l /sys/class/net/ncm0
    lrwxrwxrwx ... /sys/class/net/ncm0 -> /sys/devices/platform/.../gadget.0/net/ncm0
    console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
    ls: .../gadget.0/net/ncm0: No such file or directory

Move the net_device allocation to ncm_bind() and deallocation to ncm_unbind(). This ensures the network interface exists only when the gadget function is actually bound to a configuration.

To support pre-bind configuration (e.g., setting interface name or MAC address via configfs), cache user-provided options in f_ncm_opts using the gether_opts structure. Apply these cached settings to the net_device upon creation in ncm_bind().

Preserve the use-after-free fix from commit 6334b8e ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). Check opts->net in ncm_set_alt() and ncm_disable() to ensure gether_disconnect() runs only if a connection was established.

Fixes: 40d133d ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
Cc: stable@kernel.org
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20251230-ncm-refactor-v1-3-793e347bc7a7@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f509a08 ] When rocket_job_init() is called, iommu_group_get() has already been called, therefore we should call iommu_group_put() and make the iommu_group pointer NULL. This aligns with what's done in rocket_core_fini(). If pm_runtime_resume_and_get() somehow fails, not only should rocket_job_fini() be called but we should also unwind everything done before that, that is, disable PM, put the iommu_group, NULLify it and then call rocket_job_fini(). This is exactly what's done in rocket_core_fini() so let's call that function instead of duplicating the code. Fixes: 0810d5a ("accel/rocket: Add job submission IOCTL") Cc: stable@vger.kernel.org Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Tomeu Vizoso <tomeu@tomeuvizoso.net> Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net> Link: https://patch.msgid.link/20251215-rocket-error-path-v1-1-eec3bf29dc3b@cherry.de Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 34f4495 ] When rocket_core_init() fails (as could be the case with EPROBE_DEFER), we need to properly unwind by decrementing the counter we just incremented and if this is the first core we failed to probe, remove the rocket DRM device with rocket_device_fini() as well. This matches the logic in rocket_remove(). Failing to properly unwind results in out-of-bounds accesses. Fixes: 0810d5a ("accel/rocket: Add job submission IOCTL") Cc: stable@vger.kernel.org Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Tomeu Vizoso <tomeu@tomeuvizoso.net> Signed-off-by: Tomeu Vizoso <tomeu@tomeuvizoso.net> Link: https://patch.msgid.link/20251215-rocket-error-path-v1-2-eec3bf29dc3b@cherry.de Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 43e5302 ] The state object allocated by __v4l2_subdev_state_alloc() must be freed with __v4l2_subdev_state_free() when it is no longer needed. In __tegra_channel_try_format(), two error paths return directly after v4l2_subdev_call() fails, without freeing the allocated 'sd_state' object. This violates the requirement and causes a memory leak. Fix this by introducing a cleanup label and using goto statements in the error paths to ensure that __v4l2_subdev_state_free() is always called before the function returns. Fixes: 56f64b8 ("media: tegra-video: Use zero crop settings if subdev has no get_selection") Fixes: 1ebaeb0 ("media: tegra-video: Add support for external sensor capture") Cc: stable@vger.kernel.org Signed-off-by: Zilin Guan <zilin@seu.edu.cn> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit ead6364 ] Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as *something* has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nested run pending), but continuing on gives the VM a decent chance of surviving without any major side effects. As explained in the Fixes commits, it _should_ be impossible for a vCPU to be put into a blocking state with an already-injected event (exception, IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected events, and thus put the vCPU into what should be an impossible state. Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be violating x86 architecture, e.g. by WARNing if KVM attempts to inject an exception or interrupt while the vCPU isn't running. Cc: Alessandro Ratti <alessandro@0x65c.net> Cc: stable@vger.kernel.org Fixes: 26844fe ("KVM: x86: never write to memory from kvm_vcpu_check_block()") Fixes: 4540515 ("KVM: x86: WARN if a vCPU gets a valid wakeup that KVM can't yet inject") Link: https://syzkaller.appspot.com/text?tag=ReproC&x=10d4261a580000 Reported-by: syzbot+1522459a74d26b0ac33a@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/671bc7a7.050a0220.455e8.022a.GAE@google.com Link: https://patch.msgid.link/20260109030657.994759-1-seanjc@google.com Signed-off-by: Sean Christopherson <seanjc@google.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bfef062 ] Make sure to drop the reference taken when looking up the companion (ganged) device and its driver data during probe(). Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: e94236c ("drm/tegra: dsi: Add ganged mode support") Fixes: 221e363 ("drm/tegra: Fix reference leak in tegra_dsi_ganged_probe") Cc: stable@vger.kernel.org # 3.19: 221e363 Cc: Thierry Reding <treding@nvidia.com> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Thierry Reding <treding@nvidia.com> Link: https://patch.msgid.link/20251121164201.13188-1-johan@kernel.org Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5578534 ] 2^log_2(n) == n Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org> Link: https://patch.msgid.link/20250924080119.497867836@infradead.org Stable-dep-of: d55c571 ("x86/uprobes: Fix XOL allocation failure for 32-bit tasks") Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit c79dd94 ] It is important to be able to unwind compat tasks too. Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://patch.msgid.link/20250924080119.613695709@infradead.org Stable-dep-of: d55c571 ("x86/uprobes: Fix XOL allocation failure for 32-bit tasks") Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 49cf34c ] Use ARCH_INIT_USER_FP_FRAME to describe how frame pointers are unwound on x86, and enable CONFIG_HAVE_UNWIND_USER_FP accordingly so the unwind_user interfaces can be used. Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://patch.msgid.link/20250827193828.347397433@kernel.org Stable-dep-of: d55c571 ("x86/uprobes: Fix XOL allocation failure for 32-bit tasks") Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit ae25884 ] When userspace is interrupted at the start of a function, before we get a chance to complete the frame, unwind will miss one caller. X86 has a uprobe specific fixup for this, add bits to the generic unwinder to support this. Suggested-by: Jens Remus <jremus@linux.ibm.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://patch.msgid.link/20251024145156.GM4068168@noisy.programming.kicks-ass.net Stable-dep-of: d55c571 ("x86/uprobes: Fix XOL allocation failure for 32-bit tasks") Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit d55c571 ]

This script

    #!/usr/bin/bash

    echo 0 > /proc/sys/kernel/randomize_va_space

    echo 'void main(void) {}' > TEST.c

    # -fcf-protection to ensure that the 1st endbr32 insn can't be emulated
    gcc -m32 -fcf-protection=branch TEST.c -o test

    bpftrace -e 'uprobe:./test:main {}' -c ./test

"hangs", the probed ./test task enters an endless loop.

The problem is that with randomize_va_space == 0 get_unmapped_area(TASK_SIZE - PAGE_SIZE) called by xol_add_vma() can not just return the "addr == TASK_SIZE - PAGE_SIZE" hint, this addr is used by the stack vma.

arch_get_unmapped_area_topdown() doesn't take TIF_ADDR32 into account and in_32bit_syscall() is false, this leads to info.high_limit > TASK_SIZE. vm_unmapped_area() happily returns the high address > TASK_SIZE and then get_unmapped_area() returns -ENOMEM after the "if (addr > TASK_SIZE - len)" check.

handle_swbp() doesn't report this failure (probably it should) and silently restarts the probed insn. Endless loop.

I think that the right fix should change the x86 get_unmapped_area() paths to rely on TIF_ADDR32 rather than in_32bit_syscall(). Note also that if CONFIG_X86_X32_ABI=y, in_x32_syscall() falsely returns true in this case because ->orig_ax = -1.

But we need a simple fix for -stable, so this patch just sets TS_COMPAT if the probed task is 32-bit to make in_ia32_syscall() true.

Fixes: 1b028f7 ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()")
Reported-by: Paulo Andrade <pandrade@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/all/aV5uldEvV7pb4RA8@redhat.com/
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/aWO7Fdxn39piQnxu@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit cc742fd ] Move the comments just before we set EXT4_EXT_MAY_ZEROOUT in ext4_split_convert_extents. Signed-off-by: Yang Erkun <yangerkun@huawei.com> Message-ID: <20251112084538.1658232-4-yangerkun@huawei.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Stable-dep-of: feaf2a8 ("ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O") Signed-off-by: Sasha Levin <sashal@kernel.org>
…ing I/O

[ Upstream commit feaf2a8 ]

When allocating blocks during within-EOF DIO and writeback with dioread_nolock enabled, EXT4_GET_BLOCKS_PRE_IO was set to split an existing large unwritten extent. However, EXT4_GET_BLOCKS_CONVERT was set when calling ext4_split_convert_extents(), which may potentially result in stale data issues.

Assume we have an unwritten extent, and then DIO writes the second half.

    [UUUUUUUUUUUUUUUU] on-disk extent        U: unwritten extent
    [UUUUUUUUUUUUUUUU] extent status tree
             |<-   ->| ----> dio write this range

First, ext4_iomap_alloc() calls ext4_map_blocks() with EXT4_GET_BLOCKS_PRE_IO, EXT4_GET_BLOCKS_UNWRIT_EXT and EXT4_GET_BLOCKS_CREATE flags set. ext4_map_blocks() finds this extent and calls ext4_split_convert_extents() with EXT4_GET_BLOCKS_CONVERT and the above flags set.

Then, ext4_split_convert_extents() calls ext4_split_extent() with EXT4_EXT_MAY_ZEROOUT, EXT4_EXT_MARK_UNWRIT2 and EXT4_EXT_DATA_VALID2 flags set, and it calls ext4_split_extent_at() to split the second half with EXT4_EXT_DATA_VALID2, EXT4_EXT_MARK_UNWRIT1, EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_MARK_UNWRIT2 flags set. However, ext4_split_extent_at() failed to insert extent since a temporary lack -ENOSPC. It zeroes out the first half but converts the entire on-disk extent to written since the EXT4_EXT_DATA_VALID2 flag is set, but left the second half as unwritten in the extent status tree.

    [0000000000SSSSSS] data                  S: stale data, 0: zeroed
    [WWWWWWWWWWWWWWWW] on-disk extent        W: written extent
    [WWWWWWWWWWUUUUUU] extent status tree

Finally, if the DIO failed to write data to the disk, the stale data in the second half will be exposed once the cached extent entry is gone.

Fix this issue by not passing EXT4_GET_BLOCKS_CONVERT when splitting an unwritten extent before submitting I/O, and make ext4_split_convert_extents() to zero out the entire extent range to zero for this case, and also mark the extent in the extent status tree for consistency.

Fixes: b8a8684 ("ext4: Introduce FALLOC_FL_ZERO_RANGE flag for fallocate")
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Cc: stable@kernel.org
Message-ID: <20251129103247.686136-4-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
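The failure sequence in the commit message above, modelled in user space as an added example (not code from the kernel or from this pull request). The struct, the function names and the choice to mark the extent status tree as written in the fixed path are assumptions of the model; it shows that the stale blocks only become readable once the cached extent entry is gone, and that zeroing the whole range removes the exposure.

```c
/* User-space model of the states drawn in upstream commit feaf2a8.
 * Added illustration only: not ext4 code, all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NBLOCKS  16  /* extent length used in the commit's diagrams */
#define SPLIT_AT 10  /* DIO targets blocks 10..15, as in the failure diagram */

struct extent_model {
    char data[NBLOCKS + 1];    /* 'S' stale, '0' zeroed, 'D' new DIO data */
    char on_disk[NBLOCKS + 1]; /* 'U' unwritten, 'W' written */
    char es_tree[NBLOCKS + 1]; /* cached extent status, same encoding */
    bool es_cached;            /* false once the cached entry is gone */
};

static void model_init(struct extent_model *m)
{
    memset(m, 0, sizeof(*m));
    memset(m->data, 'S', NBLOCKS);      /* blocks still hold old contents */
    memset(m->on_disk, 'U', NBLOCKS);
    memset(m->es_tree, 'U', NBLOCKS);
    m->es_cached = true;
}

/* Split before I/O in the case where inserting the new extent fails with
 * -ENOSPC. pass_convert models EXT4_GET_BLOCKS_CONVERT being set. */
static void split_pre_io_enospc(struct extent_model *m, bool pass_convert)
{
    if (pass_convert) {
        /* Before the fix: first half zeroed, whole on-disk extent marked
         * written, second half left unwritten in the extent status tree. */
        memset(m->data, '0', SPLIT_AT);
        memset(m->on_disk, 'W', NBLOCKS);
        memset(m->es_tree, 'W', SPLIT_AT);
    } else {
        /* After the fix: the entire range is zeroed and the extent status
         * tree is updated to match (modelled here as written). */
        memset(m->data, '0', NBLOCKS);
        memset(m->on_disk, 'W', NBLOCKS);
        memset(m->es_tree, 'W', NBLOCKS);
    }
}

/* The direct I/O itself; only on success does the range hold new data. */
static void dio_write(struct extent_model *m, bool io_ok)
{
    if (!io_ok)
        return;
    memset(m->data + SPLIT_AT, 'D', NBLOCKS - SPLIT_AT);
    memset(m->on_disk + SPLIT_AT, 'W', NBLOCKS - SPLIT_AT);
    memset(m->es_tree + SPLIT_AT, 'W', NBLOCKS - SPLIT_AT);
}

/* A read trusts the cached status if present, else the on-disk extent.
 * Unwritten blocks read back as zeros regardless of what the block holds. */
static char read_block(const struct extent_model *m, int blk)
{
    char state = m->es_cached ? m->es_tree[blk] : m->on_disk[blk];
    return state == 'U' ? '0' : m->data[blk];
}

/* Number of blocks whose stale contents a reader can observe. */
static int stale_blocks_readable(const struct extent_model *m)
{
    int n = 0;
    for (int i = 0; i < NBLOCKS; i++)
        n += read_block(m, i) == 'S';
    return n;
}

static int run_scenario(bool pass_convert, bool io_ok, bool drop_cache)
{
    struct extent_model m;

    model_init(&m);
    split_pre_io_enospc(&m, pass_convert);
    dio_write(&m, io_ok);
    if (drop_cache)
        m.es_cached = false;
    return stale_blocks_readable(&m);
}

int main(void)
{
    printf("before fix, DIO fails, cache kept:    %d stale\n",
           run_scenario(true, false, false));
    printf("before fix, DIO fails, cache dropped: %d stale\n",
           run_scenario(true, false, true));
    printf("after fix,  DIO fails, cache dropped: %d stale\n",
           run_scenario(false, false, true));
    printf("before fix, DIO succeeds:             %d stale\n",
           run_scenario(true, true, true));
    return 0;
}
```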
…STOP handling [ Upstream commit 8fc707d ] Currently v4l2_m2m_ioctl_{de,enc}coder_cmd is being invoked during STOP command handling. However, this is not required as the iris driver has its own drain and stop handling mechanism in place. Using the m2m command API in this context leads to incorrect behavior, where the LAST flag is prematurely attached to a capture buffer, when there are no buffers in m2m source queue. But, in this scenario even though the source buffers are returned to client, hardware might still need to process the pending capture buffers. Attaching LAST flag prematurely can result in the capture buffer being removed from the destination queue before the hardware has finished processing it, causing issues when the buffer is eventually returned by the hardware. To prevent this, remove the m2m API usage in stop handling. Fixes: d091007 ("media: iris: add support for drain sequence") Fixes: 75db90a ("media: iris: Add support for drain sequence in encoder video device") Signed-off-by: Dikshita Agarwal <dikshita.agarwal@oss.qualcomm.com> Reviewed-by: Vikash Garodia <vikash.garodia@oss.qualcomm.com> Cc: stable@vger.kernel.org Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bbef55f ]

Two platform-data fields for SM8750 were missed:

- get_vpu_buffer_size = iris_vpu33_buf_size
  Without this, the driver fails to allocate the required internal buffers, leading to basic decode/encode failures during session bring-up.

- max_core_mbps = ((7680 * 4320) / 256) * 60
  Without this capability exposed, capability checks are incomplete and v4l2-compliance for encoder fails.

Fixes: a5925a2 ("media: iris: add VPU33 specific encoding buffer calculation")
Fixes: a688243 ("media: iris: Add support for ENUM_FRAMESIZES/FRAMEINTERVALS for encoder")
Cc: stable@vger.kernel.org
Signed-off-by: Dikshita Agarwal <dikshita.agarwal@oss.qualcomm.com>
Reviewed-by: Vikash Garodia <vikash.garodia@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b3ee88e ]

Currently if a user enqueues a work item using schedule_delayed_work() the used wq is "system_wq" (per-cpu wq) while queue_delayed_work() uses WORK_CPU_UNBOUND (used when a cpu is not specified). The same applies to schedule_work() that is using system_wq and queue_work(), that makes use again of WORK_CPU_UNBOUND.

This lack of consistency cannot be addressed without refactoring the API.

This patch continues the effort to refactor workqueue APIs, which has begun with the change introducing new workqueues and a new alloc_workqueue flag:

commit 128ea9f ("workqueue: Add system_percpu_wq and system_dfl_wq")
commit 930c2ea ("workqueue: Add new WQ_PERCPU flag")

This specific workload does not benefit from a per-cpu workqueue, so use the default unbound workqueue (system_dfl_wq) instead.

Suggested-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Marco Crivellari <marco.crivellari@suse.com>
Link: https://patch.msgid.link/20251106141955.218911-4-marco.crivellari@suse.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Stable-dep-of: 870c2e7 ("Input: synaptics_i2c - guard polling restart in resume")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 870c2e7 ] synaptics_i2c_resume() restarts delayed work unconditionally, even when the input device is not opened. Guard the polling restart by taking the input device mutex and checking input_device_enabled() before re-queuing the delayed work. Fixes: eef3e4c ("Input: add driver for Synaptics I2C touchpad") Signed-off-by: Minseong Kim <ii4gsp@gmail.com> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260121063738.799967-1-ii4gsp@gmail.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
… scalable mode

[ Upstream commit 42662d1 ]

PCIe endpoints with ATS enabled and passed through to userspace (e.g., QEMU, DPDK) can hard-lock the host when their link drops, either by surprise removal or by a link fault.

Commit 4fc82cd ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") adds pci_dev_is_disconnected() to devtlb_invalidation_with_pasid() so ATS invalidation is skipped only when the device is being safely removed, but it applies only when Intel IOMMU scalable mode is enabled.

With scalable mode disabled or unsupported, a system hard-lock occurs when a PCIe endpoint's link drops because the Intel IOMMU waits indefinitely for an ATS invalidation that cannot complete.

    Call Trace:
      qi_submit_sync
      qi_flush_dev_iotlb
      __context_flush_dev_iotlb.part.0
      domain_context_clear_one_cb
      pci_for_each_dma_alias
      device_block_translation
      blocking_domain_attach_dev
      iommu_deinit_device
      __iommu_group_remove_device
      iommu_release_device
      iommu_bus_notifier
      blocking_notifier_call_chain
      bus_notify
      device_del
      pci_remove_bus_device
      pci_stop_and_remove_bus_device
      pciehp_unconfigure_device
      pciehp_disable_slot
      pciehp_handle_presence_or_link_change
      pciehp_ist

Commit 81e921f ("iommu/vt-d: Fix NULL domain on device release") adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(), which calls qi_flush_dev_iotlb() and can also hard-lock the system when a PCIe endpoint's link drops.

    Call Trace:
      qi_submit_sync
      qi_flush_dev_iotlb
      __context_flush_dev_iotlb.part.0
      intel_context_flush_no_pasid
      device_pasid_table_teardown
      pci_pasid_table_teardown
      pci_for_each_dma_alias
      intel_pasid_teardown_sm_context
      intel_iommu_release_device
      iommu_deinit_device
      __iommu_group_remove_device
      iommu_release_device
      iommu_bus_notifier
      blocking_notifier_call_chain
      bus_notify
      device_del
      pci_remove_bus_device
      pci_stop_and_remove_bus_device
      pciehp_unconfigure_device
      pciehp_disable_slot
      pciehp_handle_presence_or_link_change
      pciehp_ist

Sometimes the endpoint loses connection without a link-down event (e.g., due to a link fault); killing the process (virsh destroy) then hard-locks the host.

    Call Trace:
      qi_submit_sync
      qi_flush_dev_iotlb
      __context_flush_dev_iotlb.part.0
      domain_context_clear_one_cb
      pci_for_each_dma_alias
      device_block_translation
      blocking_domain_attach_dev
      __iommu_attach_device
      __iommu_device_set_domain
      __iommu_group_set_domain_internal
      iommu_detach_group
      vfio_iommu_type1_detach_group
      vfio_group_detach_container
      vfio_group_fops_release
      __fput

pci_dev_is_disconnected() only covers safe-removal paths; pci_device_is_present() tests accessibility by reading vendor/device IDs and internally calls pci_dev_is_disconnected(). On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs.

Since __context_flush_dev_iotlb() is only called on {attach,release}_dev paths (not hot), add pci_device_is_present() there to skip inaccessible devices and avoid the hard-lock.

Fixes: 37764b9 ("iommu/vt-d: Global devTLB flush when present context entry changed")
Fixes: 81e921f ("iommu/vt-d: Fix NULL domain on device release")
Cc: stable@vger.kernel.org
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Link: https://lore.kernel.org/r/20251211035946.2071-2-guojinhui.liam@bytedance.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f63ea19 ]

The pcie bus address should be mapped 1:1 to the cpu side MMIO address, so that there is no same address allocated from normal system memory. Otherwise it's broken if the same address assigned to the EP for DMA purpose. Fix it to sync with the vendor BSP.

Fixes: 568a67e ("arm64: dts: rockchip: Fix rk356x PCIe register and range mappings")
Fixes: 66b51ea ("arm64: dts: rockchip: Add rk3568 PCIe2x1 controller")
Cc: stable@vger.kernel.org
Cc: Andrew Powers-Holmes <aholmes@omnom.net>
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Link: https://patch.msgid.link/1767600929-195341-1-git-send-email-shawn.lin@rock-chips.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 46c56b7 ]

The pcie bus address should be mapped 1:1 to the cpu side MMIO address, so that there is no same address allocated from normal system memory. Otherwise it's broken if the same address assigned to the EP for DMA purpose. Fix it to sync with the vendor BSP.

Fixes: 0acf4fa ("arm64: dts: rockchip: add PCIe3 support for rk3588")
Fixes: 8d81b77 ("arm64: dts: rockchip: add rk3588 PCIe2 support")
Cc: stable@vger.kernel.org
Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Link: https://patch.msgid.link/1767600929-195341-2-git-send-email-shawn.lin@rock-chips.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit da61439 ] Make sure to drop the reference taken when looking up the EMC device and its driver data on first set_rate(). Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: 2db04f1 ("clk: tegra: Add EMC clock driver") Fixes: 6d6ef58 ("clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver") Cc: stable@vger.kernel.org # 4.2: 6d6ef58 Cc: Mikko Perttunen <mperttunen@nvidia.com> Cc: Miaoqian Lin <linmq006@gmail.com> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Stephen Boyd <sboyd@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 7020586 ] Move the CPER CXL protocol errors validity check out of cxl_cper_post_prot_err() to new cxl_cper_sec_prot_err_valid() and limit the serial number check only to CXL agents that are CXL devices (UEFI v2.10, Appendix N.2.13). Export the new symbol for reuse by ELOG. Reviewed-by: Dave Jiang <dave.jiang@intel.com> Reviewed-by: Hanjun Guo <guohanjun@huawei.com> Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com> Signed-off-by: Fabio M. De Francesco <fabio.m.de.francesco@linux.intel.com> [ rjw: Subject tweak ] Link: https://patch.msgid.link/20260114101543.85926-4-fabio.m.de.francesco@linux.intel.com Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Stable-dep-of: b584bfb ("ACPI: APEI: GHES: Disable KASAN instrumentation when compile testing with clang < 18") Signed-off-by: Sasha Levin <sashal@kernel.org>
…with clang < 18 [ Upstream commit b584bfb ] After a recent innocuous change to drivers/acpi/apei/ghes.c, building ARCH=arm64 allmodconfig with clang-17 or older (which has both CONFIG_KASAN=y and CONFIG_WERROR=y) fails with: drivers/acpi/apei/ghes.c:902:13: error: stack frame size (2768) exceeds limit (2048) in 'ghes_do_proc' [-Werror,-Wframe-larger-than] 902 | static void ghes_do_proc(struct ghes *ghes, | ^ A KASAN pass that removes unneeded stack instrumentation, enabled by default in clang-18 [1], drastically improves stack usage in this case. To avoid the warning in the common allmodconfig case when it can break the build, disable KASAN for ghes.o when compile testing with clang-17 and older. Disabling KASAN outright may hide legitimate runtime issues, so live with the warning in that case; the user can either increase the frame warning limit or disable -Werror, which they should probably do when debugging with KASAN anyways. Closes: ClangBuiltLinux/linux#2148 Link: llvm/llvm-project@51fbab1 [1] Signed-off-by: Nathan Chancellor <nathan@kernel.org> Cc: All applicable <stable@vger.kernel.org> Link: https://patch.msgid.link/20260114-ghes-avoid-wflt-clang-older-than-18-v1-1-9c8248bfe4f4@kernel.org Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
…ntifier [ Upstream commit faa6baa ] Replace verbatim license text with a `SPDX-License-Identifier`. The comment header mis-attributes this license to be "X11", but the license text does not include the last line "Except as contained in this notice, the name of the X Consortium shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from the X Consortium.". Therefore, this license is actually equivalent to the SPDX "MIT" license (confirmed by text diffing). Cc: Andrej Rosano <andrej@inversepath.com> Signed-off-by: Bence Csókás <csokas.bence@prolan.hu> Acked-by: Andrej Rosano <andrej.rosano@reversec.com> Signed-off-by: Shawn Guo <shawnguo@kernel.org> Stable-dep-of: 43d67ec ("PCI: dwc: ep: Fix resizable BAR support for multi-PF configurations") Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 8821e85 ] Many ethernet drivers report xdp Rx queue frag size as being the same as DMA write size. However, the only user of this field, namely bpf_xdp_frags_increase_tail(), clearly expects a truesize. Such difference leads to unspecific memory corruption issues under certain circumstances, e.g. in ixgbevf maximum DMA write size is 3 KB, so when running xskxceiver's XDP_ADJUST_TAIL_GROW_MULTI_BUFF, 6K packet fully uses all DMA-writable space in 2 buffers. This would be fine, if only rxq->frag_size was properly set to 4K, but value of 3K results in a negative tailroom, because there is a non-zero page offset. We are supposed to return -EINVAL and be done with it in such case, but due to tailroom being stored as an unsigned int, it is reported to be somewhere near UINT_MAX, resulting in a tail being grown, even if the requested offset is too much (it is around 2K in the abovementioned test). This later leads to all kinds of unspecific calltraces. The issue can be fixed in all in-tree drivers, but we cannot just trust OOT drivers to not do this. Therefore, make tailroom a signed int and produce a warning when it is negative to prevent such mistakes in the future.
Fixes: bf25146 ("bpf: add frags support to the bpf_xdp_adjust_tail() API") Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com> Acked-by: Martin KaFai Lau <martin.lau@kernel.org> Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com> Link: https://patch.msgid.link/20260305111253.2317394-10-larysa.zaremba@intel.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
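Added example, not part of the commit or the kernel source: a simplified user-space model of the tailroom check described in the commit message above, with the unsigned arithmetic beside the signed form. The struct, the function names and the page offset of 256 bytes are assumptions made for illustration; the 3K/4K sizes and the roughly 2K growth request come from the commit message.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified model of one Rx fragment; names are illustrative, not kernel API. */
struct frag_model {
    unsigned int rxq_frag_size; /* value the driver reports as frag size */
    unsigned int truesize;      /* real size of the buffer behind the frag */
    unsigned int page_off;      /* offset of the data inside that buffer */
    unsigned int len;           /* bytes of packet data already in the frag */
};

/* Constructed sample: 4K buffer, 3K of data, non-zero page offset. */
struct frag_model sample_frag(unsigned int reported_frag_size)
{
    struct frag_model f = { reported_frag_size, 4096, 256, 3072 };
    return f;
}

/* Pre-fix arithmetic: tailroom is unsigned, so a negative result wraps
 * to a value near UINT_MAX and the bound check passes. */
int grow_tail_unsigned(struct frag_model *f, int offset)
{
    unsigned int tailroom = f->rxq_frag_size - f->len - f->page_off;

    if ((unsigned int)offset > tailroom)
        return -EINVAL;
    f->len += (unsigned int)offset;
    return 0;
}

/* Post-fix arithmetic: tailroom is signed; a negative value is reported
 * and the request is refused. */
int grow_tail_signed(struct frag_model *f, int offset)
{
    int tailroom = (int)f->rxq_frag_size - (int)f->len - (int)f->page_off;

    if (tailroom < 0) {
        fprintf(stderr, "warning: tailroom %d < 0, frag_size is not a truesize\n",
                tailroom);
        return -EINVAL;
    }
    if (offset > tailroom)
        return -EINVAL;
    f->len += (unsigned int)offset;
    return 0;
}

/* Bytes by which the fragment extends past its real buffer (0 if none). */
unsigned int overrun(const struct frag_model *f)
{
    unsigned int end = f->page_off + f->len;

    return end > f->truesize ? end - f->truesize : 0;
}

int main(void)
{
    struct frag_model a = sample_frag(3072); /* DMA write size reported */
    struct frag_model b = sample_frag(3072);
    struct frag_model c = sample_frag(4096); /* truesize reported */
    int ra = grow_tail_unsigned(&a, 2048);
    int rb = grow_tail_signed(&b, 2048);
    int rc = grow_tail_signed(&c, 512);

    printf("unsigned, frag_size=3K: ret=%d overrun=%u bytes\n", ra, overrun(&a));
    printf("signed,   frag_size=3K: ret=%d overrun=%u bytes\n", rb, overrun(&b));
    printf("signed,   frag_size=4K: ret=%d overrun=%u bytes\n", rc, overrun(&c));
    return 0;
}
```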
[ Upstream commit ee0e6e6 ] If the ata_qc_for_each_raw() loop finishes without finding a matching SCSI command for any QC, the variable qc will hold a pointer to the last element examined, which has the tag i == ATA_MAX_QUEUE - 1. This qc can match the port deferred QC (ap->deferred_qc). If that happens, the condition qc == ap->deferred_qc evaluates to true despite the loop not breaking with a match on the SCSI command for this QC. In that case, the error handler mistakenly intercepts a command that has not been issued yet and that has not timed out, and thus erroneously returning a timeout error. Fix the problem by checking for i < ATA_MAX_QUEUE in addition to qc == ap->deferred_qc. The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y. Assisted-by: Gemini:gemini-3.1-pro Fixes: eddb98a ("ata: libata-eh: correctly handle deferred qc timeouts") Signed-off-by: Guenter Roeck <linux@roeck-us.net> [cassel: modified commit log as suggested by Damien] Reviewed-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Niklas Cassel <cassel@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit d87c828 ] The FEAT_SVE2p1 is indicated by ID_AA64ZFR0_EL1.SVEver. However, the BFADD requires the FEAT_SVE_B16B16, which is indicated by ID_AA64ZFR0_EL1.B16B16. This could cause the test to incorrectly fail on a CPU that supports FEAT_SVE2.1 but not FEAT_SVE_B16B16. LD1Q Gather load quadwords which is decoded from SVE encodings and implied by FEAT_SVE2p1. Fixes: c5195b0 ("kselftest/arm64: Add SVE 2.1 to hwcap test") Signed-off-by: Yifan Wu <wuyifan50@huawei.com> Reviewed-by: Mark Brown <broonie@kernel.org> Signed-off-by: Will Deacon <will@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 457965c ] If trigger_data_alloc() fails and returns NULL, event_hist_trigger_parse() jumps to the out_free error path. While kfree() safely handles a NULL pointer, trigger_data_free() does not. This causes a NULL pointer dereference in trigger_data_free() when evaluating data->cmd_ops->set_filter. Fix the problem by adding a NULL pointer check to trigger_data_free(). The problem was found by an experimental code review agent based on gemini-3.1-pro while reviewing backports into v6.18.y. Cc: Miaoqian Lin <linmq006@gmail.com> Cc: Masami Hiramatsu <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Steven Rostedt (Google) <rostedt@goodmis.org> Link: https://patch.msgid.link/20260305193339.2810953-1-linux@roeck-us.net Fixes: 0550069 ("tracing: Properly process error handling in event_hist_trigger_parse()") Assisted-by: Gemini:gemini-3.1-pro Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2658a17 ] Fix an inconsistency between func_states_equal() and collect_linked_regs(): - regsafe() uses check_ids() to verify that cached and current states have identical register id mapping. - func_states_equal() calls regsafe() only for registers computed as live by compute_live_registers(). - clean_live_states() is supposed to remove dead registers from cached states, but it can skip states belonging to an iterator-based loop. - collect_linked_regs() collects all registers sharing the same id, ignoring the marks computed by compute_live_registers(). Linked registers are stored in the state's jump history. - backtrack_insn() marks all linked registers for an instruction as precise whenever one of the linked registers is precise. The above might lead to a scenario: - There is an instruction I with register rY known to be dead at I. - Instruction I is reached via two paths: first A, then B. - On path A: - There is an id link between registers rX and rY. - Checkpoint C is created at I. - Linked register set {rX, rY} is saved to the jump history. - rX is marked as precise at I, causing both rX and rY to be marked precise at C. - On path B: - There is no id link between registers rX and rY, otherwise register states are sub-states of those in C. - Because rY is dead at I, check_ids() returns true. - Current state is considered equal to checkpoint C, propagate_precision() propagates spurious precision mark for register rY along the path B. - Depending on a program, this might hit verifier_bug() in the backtrack_insn(), e.g. if rY ∈ [r1..r5] and backtrack_insn() spots a function call. The reproducer program is in the next patch. This was hit by sched_ext scx_lavd scheduler code. Changes in tests: - verifier_scalar_ids.c selftests need modification to preserve some registers as live for __msg() checks. - exceptions_assert.c adjusted to match changes in the verifier log, R0 is dead after conditional instruction and thus does not get range. 
- precise.c adjusted to match changes in the verifier log, register r9 is dead after comparison and its range is not important for test. Reported-by: Emil Tsalapatis <emil@etsalapatis.com> Fixes: 0fb3cf6 ("bpf: use register liveness information for func_states_equal") Signed-off-by: Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/r/20260306-linked-regs-and-propagate-precision-v1-1-18e859be570d@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 024cea2 ] The reg_bounds_crafted tests validate the verifier's range analysis logic. They focus on the actual ranges and thus ignore the tnum. As a consequence, they carry the assumption that the tested cases can be reproduced in userspace without using the tnum information. Unfortunately, the previous change to the refinement logic breaks that assumption for one test case: (u64)2147483648 (u32)<op> [4294967294; 0x100000000] The tested bytecode is shown below. Without our previous improvement, on the false branch of the condition, R7 is only known to have u64 range [0xfffffffe; 0x100000000]. With our improvement, and using the tnum information, we can deduce that R7 equals 0x100000000. 19: (bc) w0 = w6 ; R6=0x80000000 20: (bc) w0 = w7 ; R7=scalar(smin=umin=0xfffffffe,smax=umax=0x100000000,smin32=-2,smax32=0,var_off=(0x0; 0x1ffffffff)) 21: (be) if w6 <= w7 goto pc+3 ; R6=0x80000000 R7=0x100000000 R7's tnum is (0; 0x1ffffffff). On the false branch, regs_refine_cond_op refines R7's u32 range to [0; 0x7fffffff]. Then, __reg32_deduce_bounds refines the s32 range to 0 using u32 and finally also sets u32=0. From this, __reg_bound_offset improves the tnum to (0; 0x100000000). Finally, our previous patch uses this new tnum to deduce that it only intersects with u64=[0xfffffffe; 0x100000000] in a single value: 0x100000000. Because the verifier uses the tnum to reach this constant value, the selftest is unable to reproduce it by only simulating ranges. The solution implemented in this patch is to change the test case such that there is more than one overlap value between u64 and the tnum. The max. u64 value is thus changed from 0x100000000 to 0x300000000. Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Link: https://lore.kernel.org/r/50641c6a7ef39520595dcafa605692427c1006ec.1772225741.git.paul.chaignon@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Jon Hunter <jonathanh@nvidia.com> Tested-by: Dileep malepu <dileep.debian@gmail.com> Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Ron Economos <re@w6rz.net> Tested-by: Peter Schneider <pschneider1968@googlemail.com> Tested-by: Mark Brown <broonie@kernel.org> Tested-by: Shuah Khan <skhan@linuxfoundation.org> Tested-by: Barry K. Nathan <barryn@pobox.com> Tested-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 62413a9 upstream. The gate action can be replaced while the hrtimer callback or dump path is walking the schedule list. Convert the parameters to an RCU-protected snapshot and swap updates under tcf_lock, freeing the previous snapshot via call_rcu(). When REPLACE omits the entry list, preserve the existing schedule so the effective state is unchanged. Fixes: a51c328 ("net: qos: introduce a gate control flow action") Cc: stable@vger.kernel.org Signed-off-by: Paul Moses <p@1g4.org> Tested-by: Vladimir Oltean <vladimir.oltean@nxp.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Reviewed-by: Victor Nogueira <victor@mojatatu.com> Link: https://patch.msgid.link/20260223150512.2251594-2-p@1g4.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…red blocks commit 11cb63b upstream. As Paolo said earlier [1]: "Since the blamed commit below, classify can return TC_ACT_CONSUMED while the current skb being held by the defragmentation engine. As reported by GangMin Kim, if such packet is that may cause a UaF when the defrag engine later on tries to touch again such packet." act_ct was never meant to be used in the egress path, however some users are attaching it to egress today [2]. Attempting to reach a middle ground, we noticed that, while most qdiscs are not handling TC_ACT_CONSUMED, clsact/ingress qdiscs are. With that in mind, we address the issue by only allowing act_ct to bind to clsact/ingress qdiscs and shared blocks. That way it's still possible to attach act_ct to egress (albeit only with clsact). [1] https://lore.kernel.org/netdev/674b8cbfc385c6f37fb29a1de08d8fe5c2b0fbee.1771321118.git.pabeni@redhat.com/ [2] https://lore.kernel.org/netdev/cc6bfb4a-4a2b-42d8-b9ce-7ef6644fb22b@ovn.org/ Reported-by: GangMin Kim <km.kim1503@gmail.com> Fixes: 3f14b37 ("net/sched: act_ct: fix skb leak and crash on ooo frags") CC: stable@vger.kernel.org Signed-off-by: Victor Nogueira <victor@mojatatu.com> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Link: https://patch.msgid.link/20260225134349.1287037-1-victor@mojatatu.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9063d7e2615f4a7ab321de6b520e23d370e58816 upstream. Start states are read from untrusted data and used as indexes into the DFA state tables. The aa_dfa_next() function call in unpack_pdb() will access dfa->tables[YYTD_ID_BASE][start], and if the start state exceeds the number of states in the DFA, this results in an out-of-bound read. ================================================================== BUG: KASAN: slab-out-of-bounds in aa_dfa_next+0x2a1/0x360 Read of size 4 at addr ffff88811956fb90 by task su/1097 ... Reject policies with out-of-bounds start states during unpacking to prevent the issue. Fixes: ad5ff3d ("AppArmor: Add ability to load extended policy") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e38c55d9f834e5b848bfed0f5c586aaf45acb825 upstream. The function sets `*ns = NULL` on every call, leaking the namespace string allocated in previous iterations when multiple profiles are unpacked. This also breaks namespace consistency checking since *ns is always NULL when the comparison is made. Remove the incorrect assignment. The caller (aa_unpack) initializes *ns to NULL once before the loop, which is sufficient. Fixes: dd51c84 ("apparmor: provide base for multiple profiles to be replaced at once") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ab09264660f9de5d05d1ef4e225aa447c63a8747 upstream.
The profile removal code uses recursion when removing nested profiles,
which can lead to kernel stack exhaustion and system crashes.
Reproducer:
$ pf='a'; for ((i=0; i<1024; i++)); do
echo -e "profile $pf { \n }" | apparmor_parser -K -a;
pf="$pf//x";
done
$ echo -n a > /sys/kernel/security/apparmor/.remove
Replace the recursive __aa_profile_list_release() approach with an
iterative approach in __remove_profile(). The function repeatedly
finds and removes leaf profiles until the entire subtree is removed,
maintaining the same removal semantic without recursion.
Fixes: c88d4c7 ("AppArmor: core policy routines")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 306039414932c80f8420695a24d4fe10c84ccfb2 upstream. Currently the number of policy namespaces is not bounded relying on the user namespace limit. However policy namespaces aren't strictly tied to user namespaces and it is possible to create them and nest them arbitrarily deep which can be used to exhaust system resource. Hard cap policy namespaces to the same depth as user namespaces. Fixes: c88d4c7 ("AppArmor: core policy routines") Reported-by: Qualys Security Advisory <qsa@qualys.com> Reviewed-by: Ryan Lee <ryan.lee@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8756b68edae37ff546c02091989a4ceab3f20abd upstream. The match_char() macro evaluates its character parameter multiple times when traversing differential encoding chains. When invoked with *str++, the string pointer advances on each iteration of the inner do-while loop, causing the DFA to check different characters at each iteration and therefore skip input characters. This results in out-of-bounds reads when the pointer advances past the input buffer boundary. Fix by extracting the character value before invoking match_char, ensuring single evaluation per outer loop. Fixes: 074c1cd ("apparmor: dfa move character match into a macro") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
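Added example, not the kernel's code: a small user-space model of a table-driven DFA with one differentially encoded state, showing how a macro that re-evaluates its character argument consumes extra input when called with `*p++`, next to the single-evaluation form the commit message describes. The tables, the 4-symbol alphabet, the macro body and the padded input buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DIFF_ENCODE 0x80000000u          /* state inherits from def_tbl[state] */
#define BASE_IDX(b) ((b) & ~DIFF_ENCODE)
#define NOOWNER     0xffffu              /* table slot owned by no state */

/* Constructed DFA over symbols 0..3. State 0 is the dead state.
 * State 1: sym 0 -> 2, sym 1 -> 1. State 2 is diff-encoded against
 * state 1 and only overrides sym 1 -> 2. */
static const uint32_t base_tbl[3]  = { 0, 0, 4 | DIFF_ENCODE };
static const uint16_t def_tbl[3]   = { 0, 0, 1 };
static const uint16_t next_tbl[8]  = { 2, 1, 0, 0, 0, 2, 0, 0 };
static const uint16_t check_tbl[8] = { 1, 1, NOOWNER, NOOWNER,
                                       NOOWNER, 2, NOOWNER, NOOWNER };

/* C is expanded once per trip around the do-while: each hop along a
 * differential chain evaluates it again. */
#define MATCH_CHAR(state, C)                      \
do {                                              \
    uint32_t b_ = base_tbl[(state)];              \
    unsigned int pos_ = BASE_IDX(b_) + (C);       \
    if (check_tbl[pos_] != (state)) {             \
        (state) = def_tbl[(state)];               \
        if (b_ & DIFF_ENCODE)                     \
            continue;                             \
        break;                                    \
    }                                             \
    (state) = next_tbl[pos_];                     \
    break;                                        \
} while (1)

struct walk {
    unsigned int state;    /* final DFA state */
    size_t       consumed; /* bytes the walk actually read */
};

/* Three logical input symbols followed by padding, so the over-read in
 * this demo stays inside the array. */
const uint8_t sample_input[8] = { 0, 0, 1, 3, 3, 3, 3, 3 };
#define SAMPLE_LEN 3

/* Side effect inside the macro argument: the pointer can advance more
 * than once per loop iteration. */
struct walk walk_side_effect_arg(const uint8_t *str, size_t len)
{
    const uint8_t *p = str;
    unsigned int state = 1;

    for (; len; len--)
        MATCH_CHAR(state, *p++);
    return (struct walk){ state, (size_t)(p - str) };
}

/* Character extracted first: exactly one byte is read per iteration. */
struct walk walk_single_eval(const uint8_t *str, size_t len)
{
    const uint8_t *p = str;
    unsigned int state = 1;

    for (; len; len--) {
        uint8_t c = *p++;
        MATCH_CHAR(state, c);
    }
    return (struct walk){ state, (size_t)(p - str) };
}

int main(void)
{
    struct walk bad = walk_side_effect_arg(sample_input, SAMPLE_LEN);
    struct walk good = walk_single_eval(sample_input, SAMPLE_LEN);

    printf("side-effect arg: state=%u, read %zu of %d bytes\n",
           bad.state, bad.consumed, SAMPLE_LEN);
    printf("single eval:     state=%u, read %zu of %d bytes\n",
           good.state, good.consumed, SAMPLE_LEN);
    return 0;
}
```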
commit d352873bbefa7eb39995239d0b44ccdf8aaa79a4 upstream. The verify_dfa() function only checks DEFAULT_TABLE bounds when the state is not differentially encoded. When the verification loop traverses the differential encoding chain, it reads k = DEFAULT_TABLE[j] and uses k as an array index without validation. A malformed DFA with DEFAULT_TABLE[j] >= state_count, therefore, causes both out-of-bounds reads and writes. Remove the MATCH_FLAG_DIFF_ENCODE condition to validate all DEFAULT_TABLE entries unconditionally. Fixes: 031dcc8 ("apparmor: dfa add support for state differential encoding") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5df0c44e8f5f619d3beb871207aded7c78414502 upstream.
if ns_name is NULL after
1071 error = aa_unpack(udata, &lh, &ns_name);
and if ent->ns_name contains an ns_name in
1089 } else if (ent->ns_name) {
then ns_name is assigned the ent->ns_name
1095 ns_name = ent->ns_name;
however ent->ns_name is freed at
1262 aa_load_ent_free(ent);
and then again when freeing ns_name at
1270 kfree(ns_name);
Fix this by NULLing out ent->ns_name after it is transferred to ns_name
Fixes: 145a0ef ("apparmor: fix blob compression when ns is forced on a policy load")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…ment commit 6601e13e82841879406bf9f369032656f441a425 upstream. An unprivileged local user can load, replace, and remove profiles by opening the apparmorfs interfaces, via a confused deputy attack, by passing the opened fd to a privileged process, and getting the privileged process to write to the interface. This does require a privileged target that can be manipulated to do the write for the unprivileged process, but once such access is achieved full policy management is possible and all the possible implications that implies: removing confinement, DoS of system or target applications by denying all execution, by-passing the unprivileged user namespace restriction, to exploiting kernel bugs for a local privilege escalation. The policy management interface can not have its permissions simply changed from 0666 to 0600 because non-root processes need to be able to load policy to different policy namespaces. Instead ensure the task writing the interface has privileges that are a subset of the task that opened the interface. This is already done via policy for confined processes, but unconfined can delegate access to the opened fd, by-passing the usual policy check. Fixes: b7fd2c0 ("apparmor: add per policy ns .load, .replace, .remove interface files") Reported-by: Qualys Security Advisory <qsa@qualys.com> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Reviewed-by: Cengiz Can <cengiz.can@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 39440b137546a3aa383cfdabc605fb73811b6093 upstream.

Differential encoding allows loops to be created if it is abused. To prevent this the unpack should verify that a diff-encode chain terminates.

Unfortunately the differential encode verification had two bugs.

1. it conflated states that had gone through check and already been marked, with states that were currently being checked and marked. This means that loops in the current chain being verified are treated as a chain that has already been verified.

2. the order bailout on already checked states compared current chain check iterators j,k instead of using the outer loop iterator i. Meaning a step backwards in states in the current chain verification was being mistaken for moving to an already verified state.

Move to a double mark scheme where already verified states get a different mark, than the current chain being kept. This enables us to also drop the backwards verification check that was the cause of the second error as any already verified state is already marked.

Fixes: 031dcc8 ("apparmor: dfa add support for state differential encoding")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
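
The double mark scheme described in the commit message above, as an added user-space C model next to a single-mark variant that shows the first bug; this is example code, not the AppArmor kernel code. The flat `dflt`/`diff` arrays, the mark names, the function names and the sample tables are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Simplified model (an assumption of this example, not the kernel layout):
 * dflt[s] is the default state that s falls back to, and diff[s] != 0 means
 * s is differentially encoded, so a lookup may have to follow dflt[s].
 * Return values: 0 = every chain terminates, -1 = rejected, -2 = no memory.
 */
enum { MARK_NONE = 0, MARK_CURRENT = 1, MARK_VERIFIED = 2 };

/* One mark for both meanings: models the first bug in the commit message. */
int verify_single_mark(const size_t *dflt, const unsigned char *diff, size_t n)
{
    unsigned char *seen = calloc(n ? n : 1, 1);
    int ret = 0;

    if (!seen)
        return -2;
    for (size_t i = 0; i < n && !ret; i++) {
        size_t j = i;

        /* Stops on any marked state, including one marked by this walk. */
        while (diff[j] && !seen[j]) {
            if (dflt[j] >= n) {
                ret = -1;
                break;
            }
            seen[j] = 1;
            j = dflt[j];
        }
    }
    free(seen);
    return ret;
}

/* Two marks: states of the chain in progress vs. states already verified. */
int verify_double_mark(const size_t *dflt, const unsigned char *diff, size_t n)
{
    unsigned char *mark = calloc(n ? n : 1, 1);
    int ret = 0;

    if (!mark)
        return -2;
    for (size_t i = 0; i < n && !ret; i++) {
        size_t j = i;

        /* Pass 1: follow the chain until it leaves diff-encoded states or
         * reaches a state proven to terminate on an earlier iteration. */
        while (diff[j] && mark[j] != MARK_VERIFIED) {
            if (mark[j] == MARK_CURRENT || dflt[j] >= n) {
                ret = -1;   /* loop inside this chain, or bad index */
                break;
            }
            mark[j] = MARK_CURRENT;
            j = dflt[j];
        }
        /* Pass 2: the chain terminated, so promote its states. */
        for (j = i; !ret && mark[j] == MARK_CURRENT; j = dflt[j])
            mark[j] = MARK_VERIFIED;
    }
    free(mark);
    return ret;
}

/* Constructed sample tables. Chains 3 -> 2 -> 1 -> 0 all end at state 0. */
static const size_t        OK_DFLT[]   = { 0, 0, 1, 2, 0 };
static const unsigned char OK_DIFF[]   = { 0, 1, 1, 1, 0 };
/* 1 -> 3 -> 2 -> 3: the loop steps backwards from state 3 to state 2. */
static const size_t        LOOP_DFLT[] = { 0, 3, 3, 2 };
static const unsigned char LOOP_DIFF[] = { 0, 1, 1, 1 };
/* State 1 points at a default state outside the table. */
static const size_t        BAD_DFLT[]  = { 0, 9, 0 };
static const unsigned char BAD_DIFF[]  = { 0, 1, 0 };

int main(void)
{
    printf("valid table:  single=%d double=%d\n",
           verify_single_mark(OK_DFLT, OK_DIFF, 5),
           verify_double_mark(OK_DFLT, OK_DIFF, 5));
    printf("looped table: single=%d double=%d\n",
           verify_single_mark(LOOP_DFLT, LOOP_DIFF, 4),
           verify_double_mark(LOOP_DFLT, LOOP_DIFF, 4));
    printf("bad index:    single=%d double=%d\n",
           verify_single_mark(BAD_DFLT, BAD_DIFF, 3),
           verify_double_mark(BAD_DFLT, BAD_DIFF, 3));
    return 0;
}
```

On the looped table the single-mark walk returns to a state it marked itself and accepts the chain, while the double-mark walk rejects it because that state still carries the in-progress mark.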
commit a0b7091c4de45a7325c8780e6934a894f92ac86b upstream.

There is a race condition that leads to a use-after-free situation: because the rawdata inodes are not refcounted, an attacker can start open()ing one of the rawdata files, and at the same time remove the last reference to this rawdata (by removing the corresponding profile, for example), which frees its struct aa_loaddata; as a result, when seq_rawdata_open() is reached, i_private is a dangling pointer and freed memory is accessed.

The rawdata inodes weren't refcounted to avoid a circular refcount and were supposed to be held by the profile rawdata reference. However during profile removal there is a window where the vfs and profile destruction race, resulting in the use after free.

Fix this by moving to a double refcount scheme. Where the profile refcount on rawdata is used to break the circular dependency. Allowing for freeing of the rawdata once all inode references to the rawdata are put.

Fixes: 5d5182c ("apparmor: move to per loaddata files, instead of replicating in profiles")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Maxime Bélair <maxime.belair@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Tested-by: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8e135b8aee5a06c52a4347a5a6d51223c6f36ba3 upstream.

AppArmor was putting the reference to i_private data on its end after removing the original entry from the file system. However the inode can and does live beyond that point and it is possible that some of the fs call back functions will be invoked after the reference has been put, which results in a race between freeing the data and accessing it through the fs.

While the rawdata/loaddata is the most likely candidate to fail the race, as it has the fewest references. If properly crafted it might be possible to trigger a race for the other types stored in i_private.

Fix this by moving the put of i_private referenced data to the correct place which is during inode eviction.

Fixes: c961ee5 ("apparmor: convert from securityfs to apparmorfs for policy ns files")
Reported-by: Qualys Security Advisory <qsa@qualys.com>
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Reviewed-by: Maxime Bélair <maxime.belair@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit aac9b27 upstream.

Syzbot reported a WARN_ON() in ata_scsi_deferred_qc_work(), caused by ap->ops->qc_defer() returning non-zero before issuing the deferred qc.

ata_scsi_schedule_deferred_qc() is called during each command completion. This function will check if there is a deferred QC, and if ap->ops->qc_defer() returns zero, meaning that it is possible to queue the deferred qc at this time (without being deferred), then it will queue the work which will issue the deferred qc.

Once the work gets to run, which can potentially be a very long time after the work was scheduled, there is a WARN_ON() if ap->ops->qc_defer() returns non-zero.

While we hold the ap->lock both when assigning and clearing deferred_qc, and the work itself holds the ap->lock, the code currently does not cancel the work after clearing the deferred qc.

This means that the following scenario can happen:

1) One or several NCQ commands are queued.
2) A non-NCQ command is queued, gets stored in ap->deferred_qc.
3) Last NCQ command gets completed, work is queued to issue the deferred qc.
4) Timeout or error happens, ap->deferred_qc is cleared. The queued work is currently NOT canceled.
5) Port is reset.
6) One or several NCQ commands are queued.
7) A non-NCQ command is queued, gets stored in ap->deferred_qc.
8) Work is finally run. Yet at this time, there are still NCQ commands in flight.

The work in 8) really belongs to the non-NCQ command in 2), not to the non-NCQ command in 7). The reason why the work is executed when it is not supposed to, is because it was never canceled when ap->deferred_qc was cleared in 4). Thus, ensure that we always cancel the work after clearing ap->deferred_qc.

Another potential fix would have been to let ata_scsi_deferred_qc_work() do nothing if ap->ops->qc_defer() returns non-zero. However, canceling the work when clearing ap->deferred_qc seems slightly more logical, as we hold the ap->lock when clearing ap->deferred_qc, so we know that the work cannot be holding the lock. (The function could be waiting for the lock, but that is okay since it will do nothing if ap->deferred_qc is not set.)

Reported-by: syzbot+bcaf842a1e8ead8dfb89@syzkaller.appspotmail.com
Fixes: 0ea8408 ("ata: libata-scsi: avoid Non-NCQ command starvation")
Fixes: eddb98a ("ata: libata-eh: correctly handle deferred qc timeouts")
Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20260312200326.246396673@linuxfoundation.org
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Barry K. Nathan <barryn@pobox.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is the 6.18.18 stable release
* tag 'v6.18.18':
Linux 6.18.18
ata: libata: cancel pending work after clearing deferred_qc
apparmor: fix race between freeing data and fs accessing it
apparmor: fix race on rawdata dereference
apparmor: fix differential encoding verification
apparmor: fix unprivileged local user can do privileged policy management
apparmor: Fix double free of ns_name in aa_replace_profiles()
apparmor: fix missing bounds check on DEFAULT table in verify_dfa()
apparmor: fix side-effect bug in match_char() macro usage
apparmor: fix: limit the number of levels of policy namespaces
apparmor: replace recursive profile removal with iterative approach
apparmor: fix memory leak in verify_header
apparmor: validate DFA start states are in bounds in unpack_pdb
net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
net/sched: act_gate: snapshot parameters with RCU on replace
Linux 6.18.17
selftests/bpf: Avoid simplification of crafted bounds test
bpf: collect only live registers in linked regs
tracing: Add NULL pointer check to trigger_data_free()
selftest/arm64: Fix sve2p1_sigill() to hwcap test
ata: libata-eh: Fix detection of deferred qc timeouts
xdp: produce a warning when calculated tailroom is negative
net: enetc: use truesize as XDP RxQ info frag_size
i40e: use xdp.frame_sz as XDP RxQ info frag_size
i40e: fix registering XDP RxQ info
xsk: introduce helper to determine rxq->frag_size
xdp: use modulo operation to calculate XDP frag tailroom
net/sched: act_ife: Fix metalist update behavior
net: ipv6: fix panic when IPv4 route references loopback IPv6 nexthop
net: vxlan: fix nd_tbl NULL dereference when IPv6 is disabled
net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled
selftests/harness: order TEST_F and XFAIL_ADD constructors
kselftest/harness: Use helper to avoid zero-size memset warning
net: ethernet: mtk_eth_soc: Reset prog ptr to old_prog in case of error in mtk_xdp_setup()
netfilter: nft_set_pipapo: split gc into unlink and reclaim phase
netfilter: nf_tables: clone set on flush only
netfilter: nf_tables: unconditionally bump set->nelems before insertion
net: Provide a PREEMPT_RT specific check for netdev_queue::_xmit_lock
block: use trylock to avoid lockdep circular dependency in sysfs
net: stmmac: Defer VLAN HW configuration when interface is down
net: stmmac: Fix VLAN HW state restore
net: stmmac: Improve double VLAN handling
net: stmmac: Fix error handling in VLAN add and delete paths
nfc: rawsock: cancel tx_work before socket teardown
nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
nfc: nci: complete pending data exchange on device close
nfc: nci: free skb on nci_transceive early error paths
net: devmem: use READ_ONCE/WRITE_ONCE on binding->dev
net_sched: sch_fq: clear q->band_pkt_count[] in fq_reset()
net: nfc: nci: Fix zero-length proprietary notifications
tcp: secure_seq: add back ports to TS offset
net: sched: avoid qdisc_reset_all_tx_gt() vs dequeue race for lockless qdiscs
hwmon: (max6639) fix inverted polarity
timekeeping: Fix timex status validation for auxiliary clocks
nvme: fix memory allocation in nvme_pr_read_keys()
nvme: reject invalid pr_read_keys() num_keys values
drm/xe/reg_sr: Fix leak on xa_store failure
drm/xe/gsc: Fix GSC proxy cleanup on early initialization failure
i2c: i801: Revert "i2c: i801: replace acpi_lock with I2C bus lock"
drm/sched: Fix kernel-doc warning for drm_sched_job_done()
amd-xgbe: fix sleep while atomic on suspend/resume
net: ipv4: fix ARM64 alignment fault in multipath hash seed
ipv6: fix NULL pointer deref in ip6_rt_get_dev_rcu()
smb/client: fix buffer size for smb311_posix_qinfo in SMB311_posix_query_info()
smb/client: fix buffer size for smb311_posix_qinfo in smb2_compound_op()
bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
igb: Fix trigger of incorrect irq in igb_xsk_wakeup
iavf: fix netdev->max_mtu to respect actual hardware limit
libie: don't unroll if fwlog isn't supported
ice: fix adding AQ LLDP filter for VF
xen/acpi-processor: fix _CST detection using undersized evaluation buffer
net/rds: Fix circular locking dependency in rds_tcp_tune
indirect_call_wrapper: do not reevaluate function pointer
wifi: mt76: Fix possible oob access in mt76_connac2_mac_write_txwi_80211()
wifi: mt76: mt7925: Fix possible oob access in mt7925_mac_write_txwi_80211()
wifi: mt76: mt7996: Fix possible oob access in mt7996_mac_write_txwi_80211()
wifi: wlcore: Fix a locking bug
wifi: cw1200: Fix locking in error paths
octeon_ep_vf: avoid compiler and IQ/OQ reordering
octeon_ep_vf: Relocate counter updates before NAPI
octeon_ep: avoid compiler and IQ/OQ reordering
octeon_ep: Relocate counter updates before NAPI
bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded
net: dsa: realtek: rtl8365mb: fix rtl8365mb_phy_ocp_write return value
kunit: tool: copy caller args in run_kernel to prevent mutation
rust: kunit: fix warning when !CONFIG_PRINTK
drm/xe/configfs: Free ctx_restore_mid_bb in release
drm/xe: Do not preempt fence signaling CS instructions
drm/syncobj: Fix handle <-> fd ioctls with dirty stack
wifi: rsi: Don't default to -EOPNOTSUPP in rsi_mac80211_config
can: mcp251x: fix deadlock in error path of mcp251x_open
can: bcm: fix locking for bcm_op runtime updates
amd-xgbe: fix MAC_TCR_SS register width for 2.5G and 10M speeds
net: ti: icssg-prueth: Fix ping failure after offload mode setup when link speed is not 1G
atm: lec: fix null-ptr-deref in lec_arp_clear_vccs
dpaa2-switch: Fix interrupt storm after receiving bad if_id in IRQ handler
xsk: Fix zero-copy AF_XDP fragment drop
xsk: Fix fragment node deletion to prevent buffer leak
tcp: give up on stronger sk_rcvbuf checks (for now)
udp: Unhash auto-bound connected sk from 4-tuple hash table when disconnected.
inet: annotate data-races around isk->inet_num
nvme-multipath: fix leak on try_module_get failure
net: ethernet: ti: am65-cpsw-nuss/cpsw-ale: Fix multicast entry handling in ALE table
net: annotate data-races around sk->sk_{data_ready,write_space}
nvmet-fcloop: Check remoteport port_state before calling done callback
netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence
drm/solomon: Fix page start when updating rectangle in page addressing mode
e1000e: clear DPG_EN after reset to avoid autonomous power-gating
i40e: Fix preempt count leak in napi poll tracepoint
ice: recap the VSI and QoS info after rebuild
idpf: Fix flow rule delete failure due to invalid validation
idpf: change IRQ naming to match netdev and ethtool queue numbering
idpf: increment completion queue next_to_clean in sw marker wait routine
hwmon: (it87) Check the it87_lock() return value
pinctrl: cirrus: cs42l43: Fix double-put in cs42l43_pin_probe()
pinctrl: meson: amlogic-a4: Fix device node reference leak in aml_dt_node_to_map_pinmux()
pinctrl: generic: move function to amlogic-am4 driver
HID: multitouch: new class MT_CLS_EGALAX_P80H84
module: Remove duplicate freeing of lockdep classes
platform/x86: thinkpad_acpi: Fix errors reading battery thresholds
pinctrl: qcom: qcs615: Add missing dual edge GPIO IRQ errata flag
pinctrl: equilibrium: fix warning trace on load
pinctrl: equilibrium: rename irq_chip function callbacks
hwmon: (aht10) Fix initialization commands for AHT20
hwmon: (aht10) Add support for dht20
nvme: fix admin queue leak on controller reset
drm/amd/display: Use GFP_ATOMIC in dc_create_stream_for_sink
Bluetooth: Fix CIS host feature condition
net: stmmac: remove support for lpi_intr_o
platform/x86: hp-bioscfg: Support allocations of larger data
ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths
ipmi: Fix use-after-free and list corruption on sender error
ASoC: fsl_xcvr: provide regmap names
ASoC: fsl_xcvr: use dev_err_probe() replacing dev_err() + return
ARM: clean up the memset64() C wrapper
Revert "netfilter: nft_set_rbtree: validate open interval overlap"
kbuild: Split .modinfo out from ELF_DETAILS
selftests: mptcp: join: check removing signal+subflow endp
selftests: mptcp: join: check RM_ADDR not sent over same subflow
selftests: mptcp: more stable simult_flows tests
mptcp: pm: in-kernel: always mark signal+subflow endp as used
mptcp: pm: avoid sending RM_ADDR over same subflow
scsi: core: Fix refcount leak for tagset_refcnt
smb: client: fix oops due to uninitialised var in smb2_unlink()
smb: client: Don't log plaintext credentials in cifs_set_cifscreds
smb: client: fix broken multichannel with krb5+signing
smb: client: fix cifs_pick_channel when channels are equally loaded
xfs: Fix error pointer dereference
xfs: fix xfs_group release bug in xfs_dax_notify_dev_failure
drbd: fix null-pointer dereference on local read error
drbd: fix "LOGIC BUG" in drbd_al_begin_io_nonblock()
Squashfs: check metadata block offset is within range
mm: thp: deny THP for files on anonymous inodes
scsi: target: Fix recursive locking in __configfs_open_file()
tracing: Fix WARN_ON in tracing_buffers_mmap_close
nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().
net/sched: ets: fix divide by zero in the offload path
arm64: gcs: Do not set PTE_SHARED on GCS mappings if FEAT_LPA2 is enabled
cpufreq: intel_pstate: Fix crash during turbo disable
RDMA/ionic: Fix kernel stack leak in ionic_create_cq()
RDMA/irdma: Fix kernel stack leak in irdma_create_user_ah()
IB/mthca: Add missed mthca_unmap_user_db() for mthca_create_srq()
net: phy: register phy led_triggers during probe to avoid AB-BA deadlock
gve: fix incorrect buffer cleanup in gve_tx_clean_pending_packets for QPL
Bluetooth: purge error queues in socket destructors
wifi: mac80211: fix NULL pointer dereference in mesh_rx_csa_frame()
wifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
wifi: cfg80211: cancel rfkill_block work in wiphy_unregister()
wifi: libertas: fix use-after-free in lbs_free_adapter()
wifi: radiotap: reject radiotap with unknown bits
ALSA: hda/realtek: add quirk for Samsung Galaxy Book Flex (NT950QCT-A38A)
ALSA: hda/realtek: Add quirk for Acer Aspire V3-572G
ALSA: hda/realtek: fix model name typo for Samsung Galaxy Book Flex (NT950QCG-X716)
ALSA: hda/intel: increase default bdl_pos_adj for Nvidia controllers
ALSA: usb-audio: Use correct version for UAC3 header validation
ALSA: doc: usb-audio: Add doc for QUIRK_FLAG_SKIP_IFACE_SETUP
ALSA: hda/realtek: Add quirk for HP Pavilion 15-eh1xxx to enable mute LED
platform/x86: dell-wmi: Add audio/mic mute key codes
platform/x86: alienware-wmi-wmax: Add G-Mode support to m18 laptops
platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
x86/boot/sev: Move SEV decompressor variables into the .data section
x86/sev: Allow IBPB-on-Entry feature for SNP guests
x86/boot: Handle relative CONFIG_EFI_SBAT_FILE file paths
perf/x86/intel/uncore: Add per-scheduler IMC CAS count events
x86/efi: defer freeing of boot services memory
HID: multitouch: Keep latency normal on deactivate for reactivation gesture
HID: pidff: Fix condition effect bit clearing
HID: Add HID_CLAIMED_INPUT guards in raw_event callbacks missing them
can: usb: f81604: handle bulk write errors properly
can: usb: f81604: handle short interrupt urb messages properly
can: usb: etas_es58x: correctly anchor the urb in the read bulk callback
can: ucan: Fix infinite loop from zero-length messages
can: usb: f81604: correctly anchor the urb in the read bulk callback
can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message
net: usb: pegasus: validate USB endpoints
net: usb: kalmia: validate USB endpoints
net: usb: kaweth: validate USB endpoints
nfc: pn533: properly drop the usb interface reference on disconnect
media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
namespace: fix proc mount iteration
eventpoll: Fix integer overflow in ep_loop_check_proc()
net: arcnet: com20020-pci: fix support for 2.5Mbit cards
drm/i915/dp: Fix pipe BPP clamping due to HDR
drm/i915/dp: Fail state computation for invalid DSC source input BPP values
LoongArch: Remove some extern variables in source files
LoongArch: Handle percpu handler address for ORC unwinder
LoongArch: Remove unnecessary checks for ORC unwinder
mm/slab: use prandom if !allow_spin
slub: remove CONFIG_SLUB_TINY specific code paths
hwmon: (max16065) Use READ/WRITE_ONCE to avoid compiler optimization induced race
drm/amd: Fix hang on amdgpu unload by using pci_dev_is_disconnected()
PM: sleep: core: Avoid bit field races related to work_in_progress
btrfs: zoned: fixup last alloc pointer after extent removal for RAID0/10
btrfs: define the AUTO_KFREE/AUTO_KVFREE helper macros
KVM: x86: Add x2APIC "features" to control EOI broadcast suppression
PCI: dwc: ep: Fix resizable BAR support for multi-PF configurations
PCI: dwc: Remove duplicate dw_pcie_ep_hide_ext_capability() function
PCI: dwc: Add new APIs to remove standard and extended Capability
PCI: Add preceding capability position support in PCI_FIND_NEXT_*_CAP macros
ARM: dts: imx53-usbarmory: Replace license text comment with SPDX identifier
ACPI: APEI: GHES: Disable KASAN instrumentation when compile testing with clang < 18
ACPI: APEI: GHES: Add helper for CPER CXL protocol errors checks
clk: tegra: tegra124-emc: fix device leak on set_rate()
arm64: dts: rockchip: Fix rk3588 PCIe range mappings
arm64: dts: rockchip: Fix rk356x PCIe range mappings
iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode
Input: synaptics_i2c - guard polling restart in resume
Input: synaptics_i2c - replace use of system_wq with system_dfl_wq
media: iris: Add missing platform data entries for SM8750
media: iris: remove v4l2_m2m_ioctl_{de,en}coder_cmd API usage during STOP handling
ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O
ext4: correct the comments place for EXT4_EXT_MAY_ZEROOUT
x86/uprobes: Fix XOL allocation failure for 32-bit tasks
unwind_user/x86: Teach FP unwind about start of function
unwind_user/x86: Enable frame pointer unwinding on x86
unwind: Implement compat fp unwind
unwind: Simplify unwind_user_next_fp() alignment check
drm/tegra: dsi: fix device leak on probe
KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
media: tegra-video: Fix memory leak in __tegra_channel_try_format()
accel/rocket: fix unwinding in error path in rocket_probe
accel/rocket: fix unwinding in error path in rocket_core_init
usb: gadget: f_ncm: align net_device lifecycle with bind/unbind
usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device
usb: gadget: u_ether: add gether_opts for config caching
net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels
Revert "PCI: dw-rockchip: Enumerate endpoints based on dll_link_up IRQ"
PCI: dw-rockchip: Change get_ltssm() to provide L1 Substates info
PCI: dwc: Add L1 Substates context to ltssm_status of debugfs
PCI: dw-rockchip: Configure L1SS support
PCI: dwc: Advertise L1 PM Substates only if driver requests it
PCI: j721e: Add config guards for Cadence Host and Endpoint library APIs
PCI: j721e: Use devm_clk_get_optional_enabled() to get and enable the clock
memory: mtk-smi: fix device leak on larb probe
memory: mtk-smi: fix device leaks on common probe
x86/acpi/boot: Correct acpi_is_processor_usable() check again
bpf: Improve bounds when tnum has a single possible value
bpf: Introduce tnum_step to step through tnum's members
bpf: Add bitwise tracking for BPF_END
bpf: Fix race in devmap on PREEMPT_RT
bpf: Fix race in cpumap on PREEMPT_RT
PCI: Correct PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 value
spi: stm32: fix missing pointer assignment in case of dma chaining
sched_ext: Fix SCX_EFLAG_INITIALIZED being a no-op flag
selftests/bpf: Fix OOB read in dmabuf_collector
bpf: Fix stack-out-of-bounds write in devmap
bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing
ASoC: SDCA: Fix comments for sdca_irq_request()
ALSA: usb: qcom: Correct parameter comment for uaudio_transfer_buffer_setup()
btrfs: fix compat mask in error messages in btrfs_check_features()
btrfs: print correct subvol num if active swapfile prevents deletion
btrfs: fix warning in scrub_verify_one_metadata()
btrfs: fix objectid value in error message in check_extent_data_ref()
btrfs: fix incorrect key offset in error message in check_dev_extent_item()
btrfs: fix error message order of parameters in btrfs_delete_delayed_dir_index()
btrfs: free pages on error in btrfs_uring_read_extent()
ALSA: hda: cs35l56: Fix signedness error in cs35l56_hda_posture_put()
drm/amdgpu: Fix error handling in slot reset
drm/amdgpu: Fix locking bugs in error paths
drm/amdgpu: Unlock a mutex before destroying it
drm/amdgpu/userq: Do not allow userspace to trivially triger kernel warnings
PCI: dwc: ep: Flush MSI-X write before unmapping its ATU entry
arm64: io: Extract user memory type in ioremap_prot()
arm64: io: Rename ioremap_prot() to __ioremap_prot()
s390/vtime: Fix virtual timer forwarding
s390/idle: Fix cpu idle exit cpu time accounting
perf: Fix __perf_event_overflow() vs perf_remove_from_context() race
ALSA: usb-audio: Use inclusive terms
ALSA: usb-audio: Cap the packet size pre-calculations
drm/client: Do not destroy NULL modes
zloop: check for spurious options passed to remove
zloop: advertise a volatile write cache
regulator: bq257xx: Fix device node reference leak in bq257xx_reg_dt_parse_gpio()
scsi: ufs: core: Move link recovery for hibern8 exit failure to wl_resume
cxl: Fix race of nvdimm_bus object when creating nvdimm objects
cxl: Move devm_cxl_add_nvdimm_bridge() to cxl_pmem.ko
cgroup/cpuset: Fix incorrect use of cpuset_update_tasks_cpumask() in update_cpumasks_hier()
drm/xe/wa: Steer RMW of MCR registers while building default LRC
accel/amdxdna: Validate command buffer payload count
accel/amdxdna: Prevent ubuf size overflow
accel/amdxdna: Remove buffer size check when creating command BO
perf/core: Fix invalid wait context in ctx_sched_in()
rseq: Clarify rseq registration rseq_size bound check comment
sched/fair: Fix lag clamp
sched/eevdf: Update se->vprot in reweight_entity()
sched/fair: Only set slice protection at pick time
sched/fair: Fix zero_vruntime tracking
sched/fair: Introduce and use the vruntime_cmp() and vruntime_op() wrappers for wrapped-signed aritmetics
sched/fair: Rename cfs_rq::avg_vruntime to ::sum_w_vruntime, and helper functions
sched/fair: Rename cfs_rq::avg_load to cfs_rq::sum_weight
x86/cfi: Fix CFI rewrite for odd alignments
x86/fred: Correct speculative safety in fred_extint()
ALSA: usb-audio: Add QUIRK_FLAG_SKIP_IFACE_SETUP
ALSA: usb-audio: Remove VALIDATE_RATES quirk for Focusrite devices
ALSA: scarlett2: Fix DSP filter control array handling
drm/imx: parallel-display: check return value of devm_drm_bridge_add() in imx_pd_probe()
scsi: pm8001: Fix use-after-free in pm8001_queue_command()
scsi: lpfc: Properly set WC for DPP mapping
irqchip/sifive-plic: Fix frozen interrupt due to affinity setting
drm/tiny: sharp-memory: fix pointer error dereference
drm/fourcc: fix plane order for 10/12/16-bit YCbCr formats
KVM: arm64: Fix ID register initialization for non-protected pKVM guests
KVM: arm64: Hide S1POE from guests when not supported by the host
drm/logicvc: Fix device node reference leak in logicvc_drm_config_parse()
debugobject: Make it work with deferred page initialization - again
drm/vmwgfx: Return the correct value in vmw_translate_ptr functions
drm/vmwgfx: Fix invalid kref_put callback in vmw_bo_dirty_release
perf/core: Fix refcount bug and potential UAF in perf_mmap
Linux 6.18.16
drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v7
most: core: fix leak on early registration failure
arm64: Fix sampling the "stable" virtual counter in preemptible section
xfs: fix copy-paste error in previous fix
drm/i915/wakeref: clean up INTEL_WAKEREF_PUT_* flag macros
Revert "ACPI: processor: Update cpuidle driver check in __acpi_processor_start()"
ALSA: pcm: Revert bufs move in snd_pcm_xfern_frames_ioctl()
NTB: ntb_transport: Fix too small buffer for debugfs_name
rust: list: Add unsafe blocks for container_of and safety comments
tracing: Wake up poll waiters for hist files when removing an event
tracing: Fix checking of freed trace_event_file for hist files
fgraph: Do not call handlers direct when not using ftrace_ops
tracing: ring-buffer: Fix to check event length before using
ring-buffer: Fix possible dereference of uninitialized pointer
net: nfc: nci: Fix parameter validation for packet data
drm/amdgpu: keep vga memory on MacBooks with switchable graphics
drm/amd/display: Correct logic check error for fastboot
arm64: Force the use of CNTVCT_EL0 in __delay()
rust: pin-init: replace clippy `expect` with `allow`
rust: irq: add `'static` bounds to irq callbacks
io_uring/zcrx: fix user_ref race between scrub and refill paths
x86/kexec: Copy ACPI root pointer address from config table
gpio: sysfs: fix chip removal with GPIOs exported over sysfs
net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()
net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise
kbuild: rpm-pkg: Disable automatic requires for manual debuginfo package
ASoC: amd: yc: Add DMI quirk for ASUS Vivobook Pro 15X M6501RR
io_uring/cmd_net: fix too strict requirement on ioctl
gpio: nomadik: Add missing IS_ERR() check
cifs: some missing initializations on replay
io_uring/zcrx: fix sgtable leak on mapping failures
fbcon: Remove struct fbcon_display.inverse
fbdev: ffb: fix corrupted video output on Sun FFB1
fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
fbdev: vt8500lcdfb: fix missing dma_free_coherent()
fbcon: check return value of con2fb_acquire_newinfo()
fbdev: Use device_create_with_groups() to fix sysfs groups registration race
mm: numa_memblks: Identify the accurate NUMA ID of CFMW
ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
kbuild: rpm-pkg: Fix manual debuginfo generation when using .src.rpm
kernel: rpm-pkg: Restore find-debuginfo.sh approach to -debuginfo package
kbuild: rpm-pkg: Restrict manual debug package creation
kbuild: Fix CC_CAN_LINK detection
function_graph: Restore direct mode when callbacks drop to one
atm: fore200e: fix use-after-free in tasklets during device removal
net: intel: fix PCI device ID conflict between i40e and ipw2200
mm/page_alloc: clear page->private in free_pages_prepare()
mm/vmscan: fix demotion targets checks in reclaim/demotion
procfs: fix possible double mmput() in do_procmap_query()
mm/page_alloc: skip debug_check_no_{obj,locks}_freed with FPI_TRYLOCK
mm/hugetlb: restore failed global reservations to subpool
drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify
drm/amd/display: Increase DCN35 SR enter/exit latency
io_uring/openclose: fix io_pipe_fixed() slot tracking for specific slots
io_uring/filetable: clamp alloc_hint to the configured alloc range
ceph: fix write storm on fscrypted files
ceph: do not propagate page array emplacement errors as batch errors
tracing: Reset last_boot_info if ring buffer is reset
tracing: Fix to set write permission to per-cpu buffer_size_kb
net: macb: Fix tx/rx malfunction after phy link down and up
net: ti: icssg-prueth: Add optional dependency on HSR
octeontx2-af: CGX: fix bitmap leaks
net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean()
net: ethernet: marvell: skge: remove incorrect conflicting PCI ID
LoongArch: Disable instrumentation for setup_ptwalker()
LoongArch: Guard percpu handler under !CONFIG_PREEMPT_RT
LoongArch: Use %px to print unmodified unwinding address
LoongArch: Prefer top-down allocation after arch_mem_init()
LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE
mm/slab: do not access current->mems_allowed_seq if !allow_spin
rust: kbuild: pass `-Zunstable-options` for Rust 1.95.0
drm/i915/quirks: Fix device id for QUIRK_EDP_LIMIT_RATE_HBR2 entry
ceph: supply snapshot context in ceph_zero_partial_object()
MIPS: rb532: Fix MMIO UART resource registration
cifs: Fix locking usage for tcon fields
i2c: imx-lpi2c: fix SMBus block read NACK after byte count
watchdog/softlockup: fix sample ring index wrap in need_counting_irqs()
kcsan, compiler_types: avoid duplicate type issues in BPF Type Format
staging: rtl8723bs: fix null dereference in find_network
mptcp: pm: in-kernel: always set ID as avail when rm endp
parisc: kernel: replace kfree() with put_device() in create_tree_node()
PCI: Fix pci_slot_trylock() error handling
PCI: Don't claim disabled bridge windows
net: cpsw_new: Fix potential unregister of netdev that has not been registered yet
net: cpsw_new: Fix unnecessary netdev unregistration in cpsw_probe() error path
drm/amdgpu: Protect GPU register accesses in powergated state in some paths
drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()
tipc: fix RCU dereference race in tipc_aead_users_dec()
mtd: rawnand: pl353: Fix software ECC support
usb: dwc2: fix resume failure if dr_mode is host
usb: dwc3: gadget: Move vbus draw to workqueue context
mux: mmio: fix regmap leak on probe failure
PCI: dwc: Fix msg_atu_index assignment
MIPS: Loongson2ef: Use pcibios_align_resource() to block io range
MIPS: Loongson2ef: Register PCI controller in early stage
mm/slab: use unsigned long for orig_size to ensure proper metadata align
mm/slab: avoid allocating slabobj_ext array from its own slab
scsi: ufs: core: Flush exception handling work when RPM level is zero
perf/arm-cmn: Reject unsupported hardware configurations
remoteproc: imx_rproc: Fix invalid loaded resource table detection
btrfs: continue trimming remaining devices on failure
btrfs: zoned: fixup last alloc pointer after extent removal for DUP
btrfs: zoned: fixup last alloc pointer after extent removal for RAID1
btrfs: fix periodic reclaim condition
clk: rs9: Reserve 8 struct clk_hw slots for 9FGV0841
uprobes: Fix incorrect lockdep condition in filter_chain()
arm64: Fix non-atomic __READ_ONCE() with CONFIG_LTO=y
PCI/IOV: Fix race between SR-IOV enable/disable and hotplug
Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"
kho: skip memoryless NUMA nodes when reserving scratch areas
crash_dump: fix dm_crypt keys locking and ref leak
kexec: derive purgatory entry from symbol
ocfs2: fix reflink preserve cleanup issue
rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net()
compiler-clang.h: require LLVM 19.1.0 or higher for __typeof_unqual__
mm/highmem: fix __kmap_to_page() build error
power: reset: tdx-ec-poweroff: fix restart
mtd: spinand: Disable continuous read during probe
iio: gyro: itg3200: Fix unchecked return value in read_raw
powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()
vhost: move vdpa group bound check to vhost_vdpa
tools: Fix bitfield dependency failure
arm64: poe: fix stale POR_EL0 values for ptrace
dm mpath: make pg_init_delay_msecs settable
bus: fsl-mc: fix an error handling in fsl_mc_device_add()
io_uring/net: don't continue send bundle if poll was required for retry
mm/slab: add rcu_barrier() to kvfree_rcu_barrier_on_cache()
usb: gadget: tegra-xudc: Add handling for BLCG_COREPLL_PWRDN
mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node
x86/kexec: add a sanity check on previous kernel's ima kexec buffer
of/kexec: refactor ima_get_kexec_buffer() to use ima_validate_range()
ima: verify the previous kernel's IMA buffer lies in addressable RAM
PCI: Fix bridge window alignment with optional resources
nvmem: Drop OF node reference on nvmem_add_one_cell() failure
nfsd: fix return error code for nfsd_map_name_to_[ug]id
NFSD: fix setting FMODE_NOCMTIME in nfs4_open_delegation
md/bitmap: fix GPF in write_page caused by resize race
xfs: check for deleted cursors when revalidating two btrees
xfs: check return value of xchk_scrub_create_subord
xfs: only call xf{array,blob}_destroy if we have a valid pointer
pinctrl: intel: Add code name documentation
PCI: endpoint: Fix swapped parameters in pci_{primary/secondary}_epc_epf_unlink() functions
KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()
rust/drm: Fix Registration::{new,new_foreign_owned}() docs
spmi: apple: Add "apple,t8103-spmi" compatible
xfs: get rid of the xchk_xfile_*_descr calls
xfs: fix remote xattr valuelblk check
xfs: fix the xattr scrub to detect freemap/entries array collisions
xfs: fix freemap adjustments when adding xattrs to leaf blocks
xfs: delete attr leaf freemap entries when empty
usb: host: tegra: Remove manual wake IRQ disposal
iommu/arm-smmu-v3: Do not set disable_ats unless vSTE is Translate
iommu/arm-smmu-v3: Mark EATS_TRANS safe when computing the update sequence
iommu/arm-smmu-v3: Mark STE MEV safe when computing the update sequence
iommu/arm-smmu-v3: Add update_safe bits to fix STE update sequence
iio: accel: adxl380: Avoid reading more entries than present in FIFO
PCI/PM: Prevent runtime suspend until devices are fully initialized
arm64: dts: rockchip: Explicitly request UFS reset pin on RK3576
erofs: fix incorrect early exits in volume label handling
erofs: fix incorrect early exits for invalid metabox-enabled images
mfd: omap-usb-host: Fix OF populate on driver rebind
mfd: qcom-pm8xxx: Fix OF populate on driver rebind
mfd: macsmc: Initialize mutex
mfd: tps65219: Implement LOCK register handling for TPS65214
mfd: core: Add locking around 'mfd_of_node_list'
KVM: arm64: nv: Return correct RES0 bits for FGT registers
iommu/vt-d: Flush piotlb for SVM and Nested domain
iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode
media: uvcvideo: Return queued buffers on start_streaming() failure
dm: fix excessive blk-crypto operations for invalid keys
media: verisilicon: AV1: Fix tile info buffer size
xfs: remove xfs_attr_leaf_hasname
xfs: mark data structures corrupt on EIO and ENODATA
PCI: dwc: Skip waiting for L2/L3 Ready if dw_pcie_rp::skip_l23_wait is true
phy: fsl-imx8mq-usb: set platform driver data
drm/bridge: anx7625: Fix invalid EDID size
drm/buddy: Prevent BUG_ON by validating rounded allocation
selftests/mm/charge_reserved_hugetlb: drop mount size for hugetlbfs
mm, page_alloc, thp: prevent reclaim for __GFP_THISNODE THP allocations
docs: kdoc: avoid error_count overflows
drm: of: drm_of_panel_bridge_remove(): fix device_node leak
media: iris: Prevent output buffer queuing before stream-on completes
media: iris: gen2: Add sanity check for session stop
media: iris: gen1: Destroy internal buffers after FW releases
media: iris: Skip resolution set on first IPSC
media: iris: Add buffer to list only after successful allocation
media: iris: use fallback size when S_FMT is called without width/height
media: iris: Fix fps calculation
media: iris: Fix ffmpeg corrupted frame error
Revert "media: iris: Add sanity check for stop streaming"
media: venus: vdec: restrict EOS addr quirk to IRIS2 only
media: venus: vdec: fix error state assignment for zero bytesused
arm64: dts: rockchip: Do not enable hdmi_sound node on Pinebook Pro
drm/tyr: fix register name in error print
rtc: pcf8563: use correct of_node for output clock
dm-unstripe: fix mapping bug when there are multiple targets in a table
dm-integrity: fix recalculation in bitmap mode
reset: gpio: suppress bind attributes in sysfs
drm/i915/psr: Don't enable Panel Replay on sink if globally disabled
mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate()
s390/pci: Handle futile config accesses of disabled devices directly
clk: tegra: tegra124-emc: Fix potential memory leak in tegra124_clk_register_emc()
arm64: dts: rockchip: Fix SD card support for RK3576 EVB1
media: i2c: ov01a10: Fix digital gain range
media: stm32: dcmipp: byteproc: disable compose for all bayers
media: stm32: dcmipp: bytecap: clear all interrupts upon stream stop
media: stm32: dcmipp: avoid naming clock if only one is needed
soc: rockchip: grf: Support multiple grf to be handled
soc: rockchip: grf: Fix wrong RK3576_IOCGRF_MISC_CON definition
clk: clk-apple-nco: Add "apple,t8103-nco" compatible
bus: omap-ocp2scp: fix OF populate on driver rebind
KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation
soc: ti: pruss: Fix double free in pruss_clk_mux_setup()
soc: ti: k3-socinfo: Fix regmap leak on probe failure
dm: clear cloned request bio pointer when last clone bio completes
dm-integrity: fix a typo in the code for write/discard race
platform/x86: ISST: Store and restore all domains data
platform/x86: ISST: Add missing write block check
media: staging/ipu7: Fix the loop bound in l2 table alloc
media: staging/ipu7: Update CDPHY register settings
media: staging/ipu7: Call synchronous RPM suspend in probe failure
media: staging/ipu7: Ignore interrupts when device is suspended
media: ipu6: Fix RPM reference leak in probe error paths
media: ipu6: Fix typo and wrong constant in ipu6-mmu.c
media: dw9714: Fix powerup sequence
media: i2c: ov5647: use our own mutex for the ctrl lock
media: ccs: Fix setting initial sub-device state
media: i2c: ov5647: Fix PIXEL_RATE value for VGA mode
media: i2c: ov5647: Sensor should report RAW color space
media: i2c: ov5647: Correct minimum VBLANK value
media: i2c: ov5647: Correct pixel array offset
media: i2c: ov5647: Initialize subdev before controls
media: ccs: Avoid possible division by zero
media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()
media: i2c: ov01a10: Fix test-pattern disabling
media: i2c: ov01a10: Fix passing stream instead of pad to v4l2_subdev_state_get_format()
media: i2c: ov01a10: Add missing v4l2_subdev_cleanup() calls
media: i2c: ov01a10: Fix analogue gain range
media: i2c: ov01a10: Fix reported pixel-rate value
media: i2c: ov01a10: Fix the horizontal flip control
media: i2c/tw9906: Fix potential memory leak in tw9906_probe()
media: i2c/tw9903: Fix potential memory leak in tw9903_probe()
media: cx25821: Add missing unmap in snd_cx25821_hw_params()
media: cx23885: Add missing unmap in snd_cx23885_hw_params()
media: cx88: Add missing unmap in snd_cx88_hw_params()
media: radio-keene: fix memory leak in error path
media: verisilicon: AV1: Set IDR flag for intra_only frame type
media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()
media: amphion: Drop min_queued_buffers assignment
arm64: dts: apple: t8112-j473: Keep the HDMI port powered on
fs: ensure that internal tmpfs mount gets mount id zero
HID: logitech-hidpp: Check maxfield in hidpp_get_report_length()
HID: prodikeys: Check presence of pm->input_ep82
HID: magicmouse: Do not crash on missing msc->input
HID: hid-pl: handle probe errors
pinctrl: meson: amlogic-a4: mark the GPIO controller as sleeping
arm64: Disable branch profiling for all arm64 code
KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding
KVM: x86: Return "unsupported" instead of "invalid" on access to unsupported PV MSR
powerpc/pseries: Fix MSI-X allocation failure when quota is exceeded
arm64: kernel: initialize missing kexec_buf->random field
ARM: omap2: Fix reference count leaks in omap_control_init()
arm64: dts: qcom: sm8750: Fix BAM DMA probing
arm64: dts: qcom: x1e80100: Add missing TCSR ref clock to the DP PHYs
media: verisilicon: AV1: Fix tx mode bit setting
media: verisilicon: AV1: Fix enable cdef computation
media: chips-media: wave5: Fix Null reference while testing fluster
media: chips-media: wave5: Fix SError of kernel panic when closed
media: chips-media: wave5: Fix device cleanup order to prevent kernel panic
media: chips-media: wave5: Fix kthread worker destruction in polling mode
media: chips-media: wave5: Fix PM runtime usage count underflow
media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove()
media: mtk-mdp: Fix error handling in probe function
media: mediatek: encoder: Fix uninitialized scalar variable issue
media: uvcvideo: Fix support for V4L2_CTRL_FLAG_HAS_WHICH_MIN_MAX
dm-verity: correctly handle dm_bufio_client_create() failure
arm64: dts: qcom: sdm630: Add missing MDSS reset
phy: qcom: edp: Make the number of clocks flexible
PCI: Use resource_set_range() that correctly sets ->end
Revert "PCI: dwc: Don't wait for link up if driver can detect Link Up event"
Revert "PCI: qcom: Enumerate endpoints based on Link up event in 'global_irq' interrupt"
Revert "PCI: qcom: Enable MSI interrupts together with Link up if 'Global IRQ' is supported"
Revert "PCI: qcom: Don't wait for link if we can detect Link Up"
Revert "PCI: dw-rockchip: Don't wait for link since we can detect Link Up"
drm/xe: Fix ggtt fb alignment
drm/tests: shmem: Hold reservation lock around purge
drm/tests: shmem: Hold reservation lock around madvise
drm/tests: shmem: Hold reservation lock around vmap/vunmap
drm/tests: shmem: Add clean-up action to unpin pages
drm/tests: shmem: Swap names of export tests
fpga: dfl: use subsys_initcall to allow built-in drivers to be added
ASoC: SOF: ipc4-control: Keep the payload size up to date
ASoC: SOF: ipc4-control: Use the correct size for scontrol->ipc_control_data
ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls
ASoC: SOF: ipc4-control: If there is no data do not send bytes update
drm/panthor: fix for dma-fence safe access rules
arm64: dts: ti: am62p-verdin: Fix SD regulator startup delay
hfsplus: ensure sb->s_fs_info is always cleaned up
clk: renesas: rzg2l: Select correct div round macro
clk: renesas: rzg2l: Fix intin variable size
rpmsg: core: fix race in driver_override_show() and use core helper
netfilter: nf_conntrack_h323: fix OOB read in decode_choice()
dpaa2-switch: validate num_ifs to prevent out-of-bounds write
net: consume xmit errors of GSO frames
net/mlx5e: Fix "scheduling while atomic" in IPsec MAC address query
net/mlx5: Fix missing devlink lock in SRIOV enable error path
net/mlx5: E-switch, Clear legacy flag when moving to switchdev
net/mlx5: LAG, disable MPESW in lag_disable_change()
net/mlx5: DR, Fix circular locking dependency in dump
team: avoid NETDEV_CHANGEMTU event when unregistering slave
team: use common function to compute the features
net: add a common function to compute features for upper devices
net: mana: Fix double destroy_workqueue on service rescan PCI path
dpll: zl3073x: Remove redundant cleanup in devm_dpll_init()
tcp: re-enable acceptance of FIN packets when RWIN is 0
RDMA/umem: Fix double dma_buf_unpin in failure path
erofs: fix interlaced plain identification for encoded extents
net: usb: pegasus: enable basic endpoint checking
net: Drop the lock in skb_may_tx_timestamp()
RDMA/efa: Fix typo in efa_alloc_mr()
RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port
netconsole: avoid OOB reads, msg is not nul-terminated
net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets
RDMA/core: Fix stale RoCE GIDs during netdev events at registration
tipc: fix duplicate publication key in tipc_service_insert_publ()
dpll: zl3073x: fix REF_PHASE_OFFSET_COMP register width for some chip IDs
dpll: zl3073x: Cache all reference properties in zl3073x_ref
dpll: zl3073x: Cache reference monitor status
kcm: fix zero-frag skb in frag_list on partial sendmsg error
tls: Fix race condition in tls_sw_cancel_work_tx()
net: do not pass flow_id to set_rps_cpu()
Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ
Bluetooth: L2CAP: Fix not checking output MTU is acceptable on L2CAP_ECRED_CONN_REQ
Bluetooth: L2CAP: Fix response to L2CAP_ECRED_CONN_REQ
Bluetooth: hci_qca: Cleanup on all setup failures
Bluetooth: L2CAP: Fix result of L2CAP_ECRED_CONN_RSP when MTU is too short
Bluetooth: L2CAP: Fix invalid response to L2CAP_ECRED_RECONF_REQ
Remove WARN_ALL_UNSEEDED_RANDOM kernel config option
wifi: brcmfmac: Fix potential kernel oops when probe fails
wifi: cfg80211: wext: fix IGTK key ID off-by-one
dma-mapping: avoid random addr value print out on error path
ksmbd: fix signedness bug in smb_direct_prepare_negotiation()
ovpn: tcp - fix packet extraction from stream
bnxt_en: Fix deleting of Ntuple filters
bnxt_en: Fix RSS context delete logic
udplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb().
net: ethernet: xscale: Check for PTP support properly
net: phy: qcom: qca807x: normalize return value of gpio_get
proc: Fix pointer error dereference
net: usb: lan78xx: scan all MDIO addresses on LAN7801
net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode
espintcp: Fix race condition in espintcp_close()
psp: use sk->sk_hash in psp_write_headers()
tcp: fix potential race in tcp_v6_syn_recv_sock()
ipv6: Move ipv6_fl_list from ipv6_pinfo to inet_sock.
xfrm: always flush state and policy upon NETDEV_UNREGISTER event
ipmi: ipmb: initialise event handler read bytes
xfrm: skip templates check for packet offload tunnel mode
xfrm6: fix uninitialized saddr in xfrm6_get_saddr()
iommu/amd: serialize sequence allocation under concurrent TLB invalidations
ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut
ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access
rtc: zynqmp: correct frequency value
drm/amdgpu: avoid sdma ring reset in sriov
drm/amd/display: Remove conditional for shaper 3DLUT power-on
arm64: hugetlbpage: avoid unused-but-set-parameter warning (gcc-16)
ALSA: hda/hdmi: Add quirk for TUXEDO IBS14G6
ASoC: amd: amd_sdw: add machine driver quirk for Lenovo models
btrfs: replace BUG() with error handling in __btrfs_balance()
ALSA: usb-audio: Add sanity check for OOB writes at silencing
drm/radeon: Add HAINAN clock adjustment
spi: spidev: fix lock inversion between spi_lock and buf_lock
drm/amd/display: bypass post csc for additional color spaces in dal
drm/amdgpu: Add HAINAN clock adjustment
ALSA: usb-audio: Update the number of packets properly at receiving
ALSA: hda/realtek: Fix headset mic on ASUS Zenbook 14 UX3405MA
drm/amdgpu: Adjust usleep_range in fence wait
drm/amdgpu: return when ras table checksum is error
drm/amd/display: Avoid updating surface with the same surface under MPO
drm/amd/display: Fix system resume lag issue
ALSA: hda/tas2781: Ignore reset check for SPI device
regulator: core: Remove regulator supply_name length limit
ASoC: rt721-sdca: Fix issue of fail to detect OMTP jack type
mshv: clear eventfd counter on irqfd shutdown
drm/amdgpu: Skip vcn poison irq release on VF
drm/amd/display: Fix writeback on DCN 3.2+
ARM: 9467/1: mm: Don't use %pK through printk
include: uapi: netfilter_bridge.h: Cover for musl libc
ACPI: x86: Force enabling of PWM2 on the Yogabook YB1-X90
thermal: int340x: Fix sysfs group leak on DLVR registration failure
libceph: define and enforce CEPH_MAX_KEY_LEN
ceph: supply snapshot context in ceph_uninline_data()
fs/ntfs3: avoid calling run_get_entry() when run == NULL in ntfs_read_run_nb_ra()
ntfs3: fix circular locking dependency in run_unpack_ex
fs/ntfs3: drop preallocated clusters for sparse and compressed files
fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST
fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
fs: ntfs3: check return value of indx_find to avoid infinite loop
MIPS: Loongson: Make cpumask_of_node() robust against NUMA_NO_NODE
iio: magnetometer: Remove IRQF_ONESHOT
iio: Use IRQF_NO_THREAD
mfd: intel-lpss: Add Intel Nova Lake-S PCI IDs
Revert "mfd: da9052-spi: Change read-mask to write-mask"
phy: fsl-imx8mq-usb: disable bind/unbind platform driver feature
phy: mvebu-cp110-utmi: fix dr_mode property read from dts
watchdog: rzv2h_wdt: Discard pm_runtime_put() return value
watchdog: imx7ulp_wdt: handle the nowayout option
binder: don't use %pK through printk
fix it87_wdt early reboot by reporting running timer
serial: 8250: 8250_omap.c: Clear DMA RX running status only after DMA termination is done
serial: 8250: 8250_omap.c: Add support for handling UART error conditions
staging: rtl8723bs: fix memory leak on failure path
usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()
usb: gadget: f_fs: Fix ioctl error handling
usb: gadget: f_fs: fix DMA-BUF OUT queues
iio: bmi270_i2c: Add MODULE_DEVICE_TABLE for BMI260/270
pinctrl: renesas: rzt2h: Allow .get_direction() for IRQ function GPIOs
misc: ti_fpc202: fix a potential memory leak in probe function
misc: eeprom: Fix EWEN/EWDS/ERAL commands for 93xx56 and 93xx66
pinctrl: mediatek: make devm allocations safer and clearer in mtk_eint_do_init()
misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read()
phy: cadence-torrent: restore parent clock for refclk during resume
phy: ti: phy-j721e-wiz: restore mux selection during resume
dmaengine: stm32-mdma: initialize m2m_hw_period and ccr to fix warnings
dmaengine: sun6i: Choose appropriate burst length under maxburst
most: core: fix resource leak in most_register_interface error paths
fpga: of-fpga-region: Fail if any bridge is missing
usb: typec: ucsi: psy: Fix voltage and current max for non-Fixed PDOs
serial: 8250_dw: handle clock enable errors in runtime_resume
staging: rtl8723bs: fix missing status update on sdio_alloc_irq() failure
soundwire: intel_auxdevice: add cs42l45 codec to wake_capable_list
soundwire: dmi-quirks: add mapping for Avell B.ON (OEM rebranded of NUC15)
dmaengine: stm32-dma3: use module_platform_driver
9p/xen: protect xen_9pfs_front_free against concurrent calls
m68k: nommu: fix memmove() with differently aligned src and dest for 68000
HID: i2c-hid: Add FocalTech FT8112
clk: microchip: core: correct return value on *_get_parent()
clk: renesas: rzg2l: Deassert reset on assert timeout
clk: amlogic: remove potentially unsafe flags from S4 video clocks
mailbox: sprd: clear delivery flag before handling TX done
remoteproc: mediatek: Break lock dependency to `prepare_lock`
mailbox: sprd: mask interrupts that are not handled
mailbox: mchp-ipc-sbi: fix uninitialized symbol and other smatch warnings
mailbox: imx: Skip the suspend flag for i.MX7ULP
mailbox: pcc: Remove spurious IRQF_ONESHOT usage
mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()
remoteproc: imx_dsp_rproc: Skip RP_MBOX_SUSPEND_SYSTEM when mailbox TX channel is uninitialized
tracing: Fix false sharing in hwlat get_sample()
riscv: vector: init vector context with proper vlenb
scsi: ufs: mediatek: Fix page faults in ufs_mtk_clk_scale() trace event
vhost: fix caching attributes of MMIO regions by setting them explicitly
scsi: buslogic: Reduce stack usage
hisi_acc_vfio_pci: update status after RAS error
ata: libata: avoid long timeouts on hot-unplugged SATA DAS
um: Preserve errno within signal handler
hisi_acc_vfio_pci: fix the queue parameter anomaly issue
RDMA/rtrs-clt: For conn rejection use actual err number
hisi_acc_vfio_pci: resolve duplicate migration states
nfc: nxp-nci: remove interrupt trigger type
myri10ge: avoid uninitialized variable use
PCI/bwctrl: Disable BW controller on Intel P45 using a quirk
PCI: Mark Nvidia GB10 to avoid bus reset
PCI: Add ACS quirk for Qualcomm Hamoa & Glymur
PCI: Enable ACS after configuring IOMMU for OF platforms
PCI: Fix pci_slot_lock() device locking
PCI/AER: Clear stale errors on reporting agents upon probe
PCI: Mark ASM1164 SATA controller to avoid bus reset
net/rds: Clear reconnect pending bit
vmw_vsock: bypass false-positive Wnonnull warning with gcc-16
net: usb: sr9700: remove code to drive nonexistent multicast filter
ptp: ptp_vmclock: add 'VMCLOCK' to ACPI device match
bnxt_en: Allow ntuple filters for drops
wifi: ath10k: fix lock protection in ath10k_wmi_event_peer_sta_ps_state_chg()
wifi: rtw89: pci: restore LDO setting after device resume
net: sfp: add quirk for Lantech 8330-265D
octeontx2-af: Workaround SQM/PSE stalls by disabling sticky
Bluetooth: btusb: Add device ID for Realtek RTL8761BU
Bluetooth: btusb: Add new VID/PID for RTL8852CE
Bluetooth: hci_conn: use mod_delayed_work for active mode timeout
Bluetooth: btusb: Add USB ID 0489:e112 for Realtek 8851BE
Bluetooth: hci_conn: Set link_policy on incoming ACL connections
Bluetooth: hci_qca: Fix SSR (SubSystem Restart) fail when BT_EN is pulled up by hw
Bluetooth: btusb: Add support for MediaTek7920 0489:e158
ipv4: fib: Annotate access to struct fib_alias.fa_state.
wifi: rtw89: pci: validate release report content before using for RTL8922DE
wifi: iwlegacy: add missing mutex protection in il3945_store_measurement()
wifi: iwlegacy: add missing mutex protection in il4965_store_tx_power()
net: hns3: extend HCLGE_FD_AD_QID to 11 bits
ipv4: igmp: annotate data-races around idev->mr_maxdelay
gro: change the BUG_ON() in gro_pull_from_frag0()
ext4: propagate flags to convert_initialized_extent()
net/rds: No shortcut out of RDS_CONN_ERROR
wifi: rtw89: 8922a: add digital compensation for 2GHz
wifi: rtw89: fix unable to receive probe responses under MLO connection
driver core: faux: stop using static struct device
wifi: iwlwifi: mld: Fix primary link selection logic
wifi: iwlwifi: mld: fix chandef start calculation
wifi: iwlwifi: fix 22000 series SMEM parsing
wifi: iwlwifi: mvm: check the validity of noa_len
wifi: iwlwifi: mld: Handle rate selection for NAN interface
PCI: imx6: Add CLKREQ# override to enable REFCLK for i.MX95 PCIe
net: usb: r8152: fix transmit queue timeout
openrisc: define arch-specific version of nop()
netfilter: xt_tcpmss: check remaining length before reading optlen
netfilter: nf_conntrack: Add allow_clash to generic protocol handler
ext4: use reserved metadata blocks when splitting extent on endio
ext4: mark group extend fast-commit ineligible
ext4: move ext4_percpu_param_init() before ext4_mb_init()
ext4: mark group add fast-commit ineligible
ipv6: exthdrs: annotate data-race over multiple sysctl
ipv6: annotate data-races in net/ipv6/route.c
ipv6: annotate data-races over sysctl.flowlabel_reflect
ipv6: annotate data-races in ip6_multipath_hash_{policy,fields}()
wifi: cfg80211: allow only one NAN interface, also in multi radio
wifi: ath12k: fix mac phy capability parsing
wifi: ath12k: fix preferred hardware mode calculation
wifi: ath11k: Fix failure to connect to a 6 GHz AP
wifi: ath11k: add pm quirk for Thinkpad Z13/Z16 Gen1
wifi: rtw89: disable EHT protocol by chip capabilities
PCI: dw-rockchip: Disable BAR 0 and BAR 1 for Root Port
wifi: rtw89: wow: add reason codes for disassociation in WoWLAN mode
wifi: rtw89: mac: correct page number for CSI response
wifi: rtw89: pci: validate sequence number of TX release report
wifi: rtw89: Add support for MSI AX1800 Nano (GUAX18N)
iommu/amd: move wait_on_sem() out of spinlock
wifi: libertas: fix WARNING in usb_tx_block
rtla: Fix NULL pointer dereference in actions_parse
wifi: rtw89: fix potential zero beacon interval in beacon tracking
net: wwan: mhi: Add network support for Foxconn T99W760
iommu/arm-smmu-v3: Improve CMDQ lock fairness and efficiency
dm: remove fake timeout to avoid leak request
dm: replace -EEXIST with -EBUSY
wifi: rtw89: regd: 6 GHz power type marks default when inactive
wifi: rtw88: Fix inadvertent sharing of struct ieee80211_supported_band data
wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band()
wifi: rtw89: mcc: reset probe counter when receiving beacon
wifi: rtw89: setting TBTT AGG number when mac port initialization
wifi: rtw89: ser: enable error IMR after recovering from L1
wifi: rtw89: 8922a: set random mac if efuse contains zeroes
wifi: rtw88: rtw8821cu: Add ID for Mercusys MU6H
wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode()
wifi: rtw88: fix DTIM period handling when conf->dtim_period is zero
PCI: dwc: Skip PME_Turn_Off broadcast and L2/L3 transition during suspend if link is not up
jfs: nlink overflow in jfs_rename
jfs: Add missing set_freezable() for freezable kthread
ALSA: usb-audio: Add iface reset and delay quirk for AB13X USB Audio
ALSA: mixer: oss: Add card disconnect checkpoints
ALSA: hda/realtek - Enable mute LEDs on HP ENVY x360 15-es0xxx
ASoC: fsl: imx-rpmsg: use snd_soc_find_dai_with_mutex() in probe
spi: geni-qcom: Fix abort sequence execution for serial engine errors
ASoC: SOF: Intel: hda: Fix NULL pointer dereference
power: sequencing: fix missing state_lock in pwrseq_power_on() error path
modpost: Amend ppc64 save/restfpr symnames for -Os build
ASoC: es8328: Add error unwind in resume
HID: logitech-hidpp: Add support for Logitech K980
hwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin
hwmon: (f71882fg) Add F81968 support
hwmon: (emc2305) Fix a resource leak in emc2305_of_parse_pwm_child
hwmon: (nct6683) Add customer ID for ASRock Z590 Taichi
hwmon: (nct6775) Add ASUS Pro WS WRX90E-SAGE SE
hwmon: (dell-smm) Add support for Dell OptiPlex 7080
ASoC: codecs: max98390: Check return value of devm_gpiod_get_optional() in max98390_i2c_probe()
spi: cadence-qspi: Try hard to disable the clocks
drm/amdgpu: validate user queue size constraints
drm/amd/display: avoid dig reg access timeout on usb4 link training fail
drm/amd/display: Fix GFX12 family constant checks
spi: spi-mem: Protect dirmap_create() with spi_mem_access_start/end
ASoC: sunxi: sun50i-dmic: Add missing check for devm_regmap_init_mmio
gpio: aspeed-sgpio: Change the macro to support deferred probe
ALSA: hda/realtek: fix LG Gram Style 14 speakers
ALSA: hda/conexant: Add headset mic fix for MECHREVO Wujie 15X Pro
HID: elecom: Add support for ELECOM HUGE Plus M-HT1MRBK
media: uvcvideo: Create an ID namespace for streaming output terminals
HID: multitouch: add eGalaxTouch EXC3188 support
drm/amd/display: Revert "init dispclk from bootup clock for DCN315"
media: rkisp1: Fix filter mode register configuration
drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release
drm/atmel-hlcdc: don't reject the commit if the src rect has fractional parts
drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback
drm/amd/display: Ensure link output is disabled in backend reset for PLL_ON
drm/amd/display: Disable FEC when powering down encoders
PCI: Add Intel Nova Lake audio Device ID
ASoC: soc-acpi-intel-arl-match: change rt722 amp endpoint to aggregated
virt: vbox: uapi: Mark inner unions in packed structs as packed
hyper-v: Mark inner union in hv_kvp_exchg_msg_value as packed
drm: renesas: rz-du: mipi_dsi: fix kernel panic when rebooting for some panels
drm: Account property blob allocations to memcg
drm/amdkfd: Fix GART PTE for non-4K pagesize in svm_migrate_gart_map()
drm/amdkfd: Relax size checking during queue buffer get
ALSA: usb-audio: presonus s18xx uses little-endian
ALSA: hda/realtek: add HP Victus 16-e0xxx mute LED quirk
media: ipu6: Always close firmware stream
media: ipu6: Close firmware streams on streaming enable failure
media: ipu6: Ensure stream_mutex is acquired when dealing with node list
media: mt9m114: Return -EPROBE_DEFER if no endpoint is found
media: mt9m114: Avoid a reset low spike during probe()
media: v4l2-async: Fix error handling on steps after finding a match
media: qcom: camss: Do not enable cpas fast ahb clock for SM8550 VFE lite
media: cx25821: Fix a resource leak in cx25821_dev_setup()
media: solo6x10: Check for out of bounds chip_id
media: pvrusb2: fix URB leak in pvr2_send_request_ex
media: adv7180: fix frame interval in progressive mode
drm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()
media: amphion: Clear last_buffer_dequeued flag for DEC_CMD_START
cgroup/cpuset: Don't fail cpuset.cpus change in v2
spi: spi-mem: Limit octal DTR constraints to octal DTR situations
ASoC: wm8962: Don't report a microphone if it's shorted to ground on plug
ASoC: wm8962: Add WM8962_ADC_MONOMIX to "3D Coefficients" mask
drm/xe: Only toggle scheduling in TDR if GuC is running
drm/amd/display: only power down dig on phy endpoints
drm/amdgpu: Skip loading SDMA_RS64 in VF
HID: multitouch: add quirks for Lenovo Yoga Book 9i
HID: pidff: Do not set out of range trigger button
HID: apple: Add "SONiX KN85 Keyboard" to the list of non-apple keyboards
drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4
drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src
drm/amdgpu: avoid a warning in timedout job handler
drm/amd/display: Fix dsc eDP issue
drm/amdgpu: add support for HDP IP version 6.1.1
media: mediatek: vcodec: Don't try to decode 422/444 VP9
drm/panel: edp: add BOE NV140WUM-T08 panel
media: chips-media: wave5: Process ready frames when CMD_STOP sent to Encoder
media: chips-media: wave5: Fix conditional in start_streaming
media: omap3isp: set initial format
media: omap3isp: isppreview: always clamp in preview_try_format()
media: omap3isp: isp_video_mbus_to_pix/pix_to_mbus fixes
drm/v3d: Set DMA segment size to avoid debug warnings
spi: stm32: fix Overrun issue at < 8bpw
gpio: pca953x: Add support for TCAL6408 TCAL6416
media: dvb-core: dmxdevfilter must always flush bufs
ASoC: SOF: ipc4: Support for sending payload along with LARGE_CONFIG_GET
drm/amd/display: Don't disable DPCD mst_en if sink connected
drm/amd/display: Add USB-C DP Alt Mode lane limitation in DCN32
spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing
spi-geni-qcom: use xfer->bits_per_word for can_dma()
spi-geni-qcom: initialize mode related registers to 0
drm/amdkfd: Handle GPU reset and drain retry fault race
drm/panel-edp: Add AUO B140QAX01.H panel
drm/amd/display: Guard FAMS2 configuration updates
drm/amd/display: Correct FIXED_VS Link Rate Toggle Condition
drm/amdgpu/ras: Move ras data alloc before bad page check
drm/amdgpu: fix the calculation of RAS bad page number
drm/amdgpu: fix NULL pointer issue buffer funcs
accel/amdxdna: Fix tail-pointer polling in mailbox_get_msg()
gpu/panel-edp: add AUO panel entry for B140HAN06.4
drm/xe/xe3_lpg: Apply Wa_16028005424
drm/panthor: Always wait after sending a command to an AS
drm/display/dp_mst: Add protection against 0 vcpi
drm/xe/vm: Skip ufence association for CPU address mirror VMA during MAP
drm/xe: Covert return of -EBUSY to -ENOMEM in VM bind IOCTL
drm/xe/ggtt: Use scope-based runtime pm
parisc: Prevent interrupts during reboot
x86/sev: Use kfree_sensitive() when freeing a SNP message descriptor
soc: imx8m: Fix error handling for clk_prepare_enable()
arm64: tegra: smaug: Add usb-role-switch support
EDAC/igen6: Add two Intel Amston Lake SoCs support
EDAC/igen6: Add more Intel Panther Lake-H SoCs support
Revert "arm64: zynqmp: Add an OP-TEE node to the device tree"
firmware: arm_ffa: Unmap Rx/Tx buffers on init failure
pstore: ram_core: fix incorrect success return when vmap() fails
sched/debug: Fix updating of ppos on server write ops
char: tpm: cr50: Remove IRQF_ONESHOT
mailbox: bcm-ferxrm-mailbox: Use default primary handler
crypto: hisilicon/qm - move the barrier before writing to the mailbox register
bpftool: Fix dependencies for static build
PCI/MSI: Unmap MSI-X region on error
clocksource/drivers/timer-integrator-ap: Add missing Kconfig dependency on OF
clocksource/drivers/sh_tmu: Always leave device running after probe
arm64/ftrace,bpf: Fix partial regs after bpf_prog_run
perf/core: Fix slow perf_event_task_exit() with LBR callstacks
bpf: Properly mark live registers for indirect jumps
genirq/cpuhotplug: Notify about affinity changes breaking the affinity mask
bpf: Recognize special arithmetic shift in the verifier
bpf: net_sched: Use the correct destructor kfunc type
bpf: crypto: Use the correct destructor kfunc type
gendwarfksyms: Fix build on 32-bit hosts
perf/x86/intel: Add Airmont NP
perf/x86/cstate: Add Airmont NP
perf/x86/msr: Add Airmont NP
irqchip/riscv-imsic: Add a CPU pm notifier to restore the IMSIC on exit
bpf: verifier improvement in 32bit shift sign extension pattern
sparc: don't reference obsolete termio struct for TC* constants
sparc: Synchronize user stack on fork and clone
block: decouple secure erase size limit from discard size limit
blk-mq-sched: unify elevators checking for async requests
blk-mq-debugfs: add missing debugfs_mutex in blk_mq_debugfs_register_hctxs()
xenbus: Use .freeze/.thaw to handle xenbus devices
ACPI: battery: fix incorrect charging status when current is zero
ACPI: x86: s2idle: Invoke Microsoft _DSM Function 9 (Turn On Display)
perf/cxlpmu: Replace IRQF_ONESHOT with IRQF_NO_THREAD
s390/perf: Disable register readout on sampling events
cpufreq: dt-platdev: Block the driver from probing on more QC platforms
rust: cpufreq: always inline functions using build_assert with arguments
md raid: fix hang when stopping arrays with metadata through dm-raid
md-cluster: fix NULL pointer dereference in process_metadata_update
alpha: fix user-space corruption during memory compaction
io_uring/timeout: annotate data race in io_flush_timeouts()
powercap: intel_rapl: Add PL4 support for Ice Lake
ACPICA: Abort AML bytecode execution when executing AML_FATAL_OP
ACPI: resource: Add JWIPC JVC9100 to irq1_level_low_skip_override[]
ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()
EFI/CPER: don't go past the ARM processor CPER record buffer
APEI/GHES: ARM processor Error: don't go past allocated memory
APEI/GHES: ensure that won't go past CPER allocated record
EFI/CPER: don't dump the entire memory region
ntfs: ->d_compare() must not block
x86/xen/pvh: Enable PAE mode for 32-bit guest only when CONFIG_X86_PAE is set
rnbd-srv: Zero the rsp buffer before using it
arm64: Add support for TSV110 Spectre-BHB mitigation
perf/arm-cmn: Support CMN-600AE
s390/purgatory: Add -Wno-default-const-init-unsafe to KBUILD_CFLAGS
tools/power cpupower: Reset errno before strtoull()
s390/boot: Add -Wno-default-const-init-unsafe to KBUILD_CFLAGS
tools/cpupower: Fix inverted APERF capability check
smb: client: prevent races in ->query_interfaces()
gfs2: fiemap page fault fix
smb: client: add proper locking around ses->iface_last_update
netfs: when subreq is marked for retry, do not check if it faced an error
btrfs: handle user interrupt properly in btrfs_trim_fs()
btrfs: fallback to buffered IO if the data profile has duplication
dlm: validate length in dlm_search_rsb_tree
minix: Add required sanity checking to minix_check_superblock()
dlm: fix recovery pending middle conversion
i3c: mipi-i3c-hci: Reset RING_OPERATION1 fields during init
i3c: mipi-i3c-hci: Stop reading Extended Capabilities if capability ID is 0
i3c: master: svc: Initialize 'dev' to NULL in svc_i3c_master_ibi_isr()
hfsplus: pretend special inodes as regular files
audit: add missing syscalls to read class
kselftest/kublk: include message in _Static_assert for C11 compatibility
fs/buffer: add alert in try_to_free_buffers() for folios without buffers
hfsplus: fix volume corruption issue for generic/498
audit: add fchmodat2() to change attributes class
hfsplus: fix volume corruption issue for generic/480
statmount: permission check should return EPERM
rtc: interface: Alarm race handling should not discard preceding error
perf test: Fix test case perftool-testsuite_report for s390
libperf build: Always place libperf includes first
perf build: Remove NO_LIBCAP that controls nothing
perf vendor events amd: Fix Zen 5 MAB allocation events
perf annotate: Fix BUILD_NONDISTRO=1 missing args->ms conversions to pointer
tools headers: Go back to include asm-generic/unistd.h for arm64
perf annotate: Fix memcpy size in arch__grow_instructions()
perf tests sched: Avoid error in cleanup on loaded machines
perf maps: Fix reference count leak in maps__find_ams()
perf annotate: Fix args leak of map_symbol
perf cs-etm: Fix decoding for sparse CPU maps
perf tools: Get debug info of DSO properly
perf symbol-elf: Fix leak of ELF files with GNU debugdata
rtc: max31335: use correct CONFIG symbol in IS_REACHABLE()
libsubcmd: Fix null intersection case in exclude_cmds()
perf callchain: Fix srcline printing with inlines
perf unwind-libdw: Fix inva…
sgaud-quic
approved these changes
Mar 20, 2026
Contributor
Compilation error: https://github.com/qualcomm-linux/kernel-config/actions/runs/23329418440/job/67857748834
sgaud-quic
requested changes
Mar 20, 2026
Contributor
sgaud-quic
left a comment
Fix compilation issues
Contributor
miaoqing-quic
left a comment
Please drop the changes in drivers/net/wireless/ath/ath12k/mhi.c; the MHI configuration has already been moved to wifi/mhi.c
Reference:
commit 7f54938 ("wifi: ath12k: Move Wi-Fi 7 MHI configuration to dedicated file")
Contributor
miaoqing-quic
left a comment
For the changes in drivers/net/wireless/ath/ath11k/core.h, it seems some corresponding updates in drivers/net/wireless/ath/ath11k/core.c were missed. Please refer to commit c386a2b ("wifi: ath11k: add usecase firmware handling based on device compatible").
v6.18.18 LTS commits into qcom-6.18.y