Merge tag 'v6.18.37' into qcom-6.18.y#782
Open
svankas (svankas) wants to merge 2219 commits into
[ Upstream commit dbba6b7 ] QSFP supported will be introduced for AML 40G devices, the code related to identify various modules should be renamed to more appropriate names. And struct txgbe_hic_i2c_read used to get module information is renamed as struct txgbe_hic_get_module_info, because another SW-FW command to read I2C will be added later. Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com> Link: https://patch.msgid.link/20251118080259.24676-3-jiawenwu@trustnetic.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Stable-dep-of: 0487cfc ("net: txgbe: initialize module info buffer") Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0487cfc ]

The module info buffer should be initialized to 0 before the firmware returns information. Otherwise, there is a risk that the buffer field not filled by the firmware is a random value.

Fixes: 3439297 ("net: txgbe: Support to handle GPIO IRQs for AML devices")
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/20260608070842.36504-2-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

[ Upstream commit b70c687 ]

addrconf_get_prefix_route() can return the fib6_null_entry sentinel entry which has a NULL fib6_table pointer. Therefore, before setting the route's expiration time, check that we are not working with this entry, as otherwise a NPD will be triggered [1].

Note that the other callers of addrconf_get_prefix_route() are not susceptible to this bug:

1. addrconf_prefix_rcv(): Requests a route with the 'RTF_ADDRCONF | RTF_PREFIX_RT' flags which are not set on fib6_null_entry.

2. modify_prefix_route(): Fixed by commit a747e02 ("ipv6: avoid possible NULL deref in modify_prefix_route()").

3. __ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for fib6_null_entry and returns an error.

[1]
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
    [...]
    Call Trace:
     <TASK>
     __kasan_check_byte (mm/kasan/common.c:573)
     lock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1))
     _raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1))
     cleanup_prefix_route (net/ipv6/addrconf.c:1280)
     ipv6_del_addr (net/ipv6/addrconf.c:1342)
     inet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119)
     inet6_rtm_deladdr (net/ipv6/addrconf.c:4812)
     rtnetlink_rcv_msg (net/core/rtnetlink.c:6997)
     netlink_rcv_skb (net/netlink/af_netlink.c:2555)
     netlink_unicast (net/netlink/af_netlink.c:1344)
     netlink_sendmsg (net/netlink/af_netlink.c:1899)
     __sock_sendmsg (net/socket.c:802 (discriminator 4))
     ____sys_sendmsg (net/socket.c:2698)
     ___sys_sendmsg (net/socket.c:2752)
     __sys_sendmsg (net/socket.c:2784)
     do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)

Fixes: 5eb902b ("net/ipv6: Remove expired routes with a separated list of routes.")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Reviewed-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260609145448.768318-1-idosch@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

commit b2849be upstream.

The APICv (apic->apicv_active) can be activated or deactivated at runtime, for instance, because of APICv inhibit reasons. Intel VMX employs different mechanisms to virtualize LAPIC based on whether APICv is active.

When APICv is activated at runtime, GUEST_INTR_STATUS is used to configure and report the current pending IRR and ISR states. Unless a specific vector is explicitly included in EOI_EXIT_BITMAP, its EOI will not be trapped to KVM. Intel VMX automatically clears the corresponding ISR bit based on the GUEST_INTR_STATUS.SVI field.

When APICv is deactivated at runtime, the VM_ENTRY_INTR_INFO_FIELD is used to specify the next interrupt vector to invoke upon VM-entry. The VMX IDT_VECTORING_INFO_FIELD is used to report un-invoked vectors on VM-exit. EOIs are always trapped to KVM, so the software can manually clear pending ISR bits.

There are scenarios where, with APICv activated at runtime, a guest-issued EOI may not be able to clear the pending ISR bit.

Taking vector 236 as an example, here is one scenario.

1. Suppose APICv is inactive. Vector 236 is pending in the IRR.
2. To handle KVM_REQ_EVENT, KVM moves vector 236 from the IRR to the ISR, and configures the VM_ENTRY_INTR_INFO_FIELD via vmx_inject_irq().
3. After VM-entry, vector 236 is invoked through the guest IDT. At this point, the data in VM_ENTRY_INTR_INFO_FIELD is no longer valid. The guest interrupt handler for vector 236 is invoked.
4. Suppose a VM exit occurs very early in the guest interrupt handler, before the EOI is issued.
5. Nothing is reported through the IDT_VECTORING_INFO_FIELD because vector 236 has already been invoked in the guest.
6. Now, suppose APICv is activated. Before the next VM-entry, KVM calls kvm_vcpu_update_apicv() to activate APICv.
7. Unfortunately, GUEST_INTR_STATUS.SVI is not configured, although vector 236 is still pending in the ISR.
8. After VM-entry, the guest finally issues the EOI for vector 236. However, because SVI is not configured, vector 236 is not cleared.
9. ISR is stalled forever on vector 236.

Here is another scenario.

1. Suppose APICv is inactive. Vector 236 is pending in the IRR.
2. To handle KVM_REQ_EVENT, KVM moves vector 236 from the IRR to the ISR, and configures the VM_ENTRY_INTR_INFO_FIELD via vmx_inject_irq().
3. VM-exit occurs immediately after the next VM-entry. The vector 236 is not invoked through the guest IDT. Instead, it is saved to the IDT_VECTORING_INFO_FIELD during the VM-exit.
4. KVM calls kvm_queue_interrupt() to re-queue the un-invoked vector 236 into vcpu->arch.interrupt. A KVM_REQ_EVENT is requested.
5. Now, suppose APICv is activated. Before the next VM-entry, KVM calls kvm_vcpu_update_apicv() to activate APICv.
6. Although APICv is now active, KVM still uses the legacy VM_ENTRY_INTR_INFO_FIELD to re-inject vector 236. GUEST_INTR_STATUS.SVI is not configured.
7. After the next VM-entry, vector 236 is invoked through the guest IDT. Finally, an EOI occurs. However, due to the lack of GUEST_INTR_STATUS.SVI configuration, vector 236 is not cleared from the ISR.
8. ISR is stalled forever on vector 236.

Using QEMU as an example, vector 236 is stuck in ISR forever.

    (qemu) info lapic 1
    dumping local APIC state for CPU 1

    LVT0     0x00010700 active-hi edge masked ExtINT (vec 0)
    LVT1     0x00010400 active-hi edge masked NMI
    LVTPC    0x00000400 active-hi edge NMI
    LVTERR   0x000000fe active-hi edge Fixed (vec 254)
    LVTTHMR  0x00010000 active-hi edge masked Fixed (vec 0)
    LVTT     0x000400ec active-hi edge tsc-deadline Fixed (vec 236)
    Timer    DCR=0x0 (divide by 2) initial_count = 0 current_count = 0
    SPIV     0x000001ff APIC enabled, focus=off, spurious vec 255
    ICR      0x000000fd physical edge de-assert no-shorthand
    ICR2     0x00000000 cpu 0 (X2APIC ID)
    ESR      0x00000000
    ISR      236
    IRR      37(level) 236

The issue isn't applicable to AMD SVM as KVM simply writes vmcb01 directly irrespective of whether L1 (vmcs01) or L2 (vmcb02) is active (unlike VMX, there is no need/cost to switch between VMCBs). In addition, APICV_INHIBIT_REASON_IRQWIN ensures AMD SVM AVIC is not activated until the last interrupt is EOI'd.

Fix the bug by configuring Intel VMX GUEST_INTR_STATUS.SVI if APICv is activated at runtime.

Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Chao Gao <chao.gao@intel.com>
Link: https://patch.msgid.link/20251110063212.34902-1-dongli.zhang@oracle.com
[sean: call out that SVM writes vmcb01 directly, tweak comment]
Link: https://patch.msgid.link/20251205231913.441872-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
(cherry picked from commit b2849be)
Cc: stable@vger.kernel.org # 6.6.x and above
Cc: Gulshan Gabel <gulshan.gabel@nutanix.com>
Signed-off-by: Jon Kohler <jon@nutanix.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

…g parked [ Upstream commit bc27dbe ] Parking disp_cc_mdss_mdp_clk_src at 19.2MHz causing the EFI GOP framebuffer to stop functioning. The EFI GOP framebuffer should keep working until the msm display driver loads, to help with boot debugging and to ensure display output when the msm module is not in the initramfs. Switch disp_cc_mdss_mdp_clk_src over to clk_rcg2_shared_no_init_park_ops to keep the EFI GOP working after binding the x1e80100-dispcc driver. Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Fixes: 01a0a6c ("clk: qcom: Park shared RCGs upon registration") Link: https://lore.kernel.org/r/20260425123351.6292-1-johannes.goede@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 78ee734 ] In the peric0_clk_regs array, the divider register offset for USI6 was accidentally listed twice, while the divider for USI7 was omitted. Missing this DIV register causes the USI7 clock divider setting to be lost and reset to its hardware default value during a suspend/resume cycle. Replace the duplicated USI6 DIV entry with the correct USI7 DIV register. Fixes: 893f133 ("clk: samsung: gs101: add support for cmu_peric0") Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com> Reviewed-by: Peter Griffin <peter.griffin@linaro.org> Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org> Link: https://patch.msgid.link/20260505171457.1960837-1-visitorckw@gmail.com Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5285b04 ]

Parking disp{0,1}_cc_mdss_mdp_clk_src clk broke simplefb on HUAWEI Gaokun3, the image will be stuck at grey for seconds until msm takes over the framebuffer. Use clk_rcg2_shared_no_init_park_ops to skip it.

Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Tested-by: Jérôme de Bretagne <jerome.debretagne@gmail.com>
Fixes: 01a0a6c ("clk: qcom: Park shared RCGs upon registration")
Link: https://lore.kernel.org/r/20260303150152.90685-1-mitltlatltl@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

[ Upstream commit 2673cef ] intel_edp_set_sink_rates() reads DP_SUPPORTED_LINK_RATES into a local stack array and then parses the array unconditionally. If the read fails, the array contents are not valid and may result in bogus sink link rates being used. Use drm_dp_dpcd_read_data() and clear the sink rate array on failure, so the existing parser falls back to the default sink rate handling. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 68f357c ("drm/i915/dp: generate and cache sink rate array for all DP, not just eDP 1.4") Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru> Reviewed-by: Jani Nikula <jani.nikula@intel.com> Link: https://patch.msgid.link/20260529145759.1640646-1-n.zhandarovich@fintech.ru Signed-off-by: Jani Nikula <jani.nikula@intel.com> (cherry picked from commit bd61c7756b34157e093028225a69383b4b1203cc) Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f329e83 ]

DRM atomic and modesetting aren't initialized if the virtio-gpu driver is built with KMS disabled, leading to access of uninitialized data on driver removal/unbinding and crashing the kernel. Fix it by skipping the atomic core shutdown when KMS is unavailable.

Fixes: 72122c6 ("drm/virtio: Add option to disable KMS support")
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
Reviewed-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
Link: https://patch.msgid.link/20260604122743.13383-1-dmitry.osipenko@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

[ Upstream commit 5d563a5 ]

Don't just overwrite the original pointer passed to krealloc() with its return value without checking the latter:

    MEM = krealloc(MEM, SZ, GFP);

If krealloc() returns NULL, that erases the pointer to the still allocated memory, hence leaks this memory. Instead, use a temporary variable, check it's not NULL and only then assign it to the original pointer:

    TMP = krealloc(MEM, SZ, GFP);
    if (!TMP) return;
    MEM = TMP;

While on it, use krealloc_array().

Fixes: 6d45c81 ("drm/vc4: Add support for branching in shader validation.")
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Link: https://patch.msgid.link/20260606123817.37222-1-grandmaster@al2klimov.de
Signed-off-by: Sasha Levin <sashal@kernel.org>

[ Upstream commit ba36786 ] xe_range_fence_insert() acquires a reference on fence via dma_fence_get() and stores it in rfence->fence. It then calls dma_fence_add_callback() and handles two cases: when the callback is successfully registered (err == 0) the fence is transferred to the tree for later cleanup; when the fence is already signaled (err == -ENOENT) it manually drops the extra reference with dma_fence_put(fence). However, dma_fence_add_callback() can fail with other errors (e.g. -EINVAL) and in that case the code falls through to the free: label without releasing the acquired reference, leaking it. Fix the leak by adding an else branch that calls dma_fence_put() before jumping to free: for any error other than -ENOENT. Fixes: 845f64b ("drm/xe: Introduce a range-fence utility") Signed-off-by: Wentao Liang <vulab@iscas.ac.cn> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Signed-off-by: Matthew Brost <matthew.brost@intel.com> Link: https://patch.msgid.link/20260610172705.3450560-1-matthew.brost@intel.com (cherry picked from commit 98c4a4201290823c2c5c7ba21692bd9a64b61021) Signed-off-by: Matthew Brost <matthew.brost@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2f41af6 ] aie2_populate_range() jumps back to the again label without calling mmput(mm), leaking a reference to the mm_struct. Add the missing mmput() before jumping to again. Fixes: e486147 ("accel/amdxdna: Add BO import and export") Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org> Signed-off-by: Lizhi Hou <lizhi.hou@amd.com> Link: https://patch.msgid.link/20260610151127.2994185-1-lizhi.hou@amd.com Signed-off-by: Sasha Levin <sashal@kernel.org>
commit c32b26a upstream. nft_tunnel_obj_destroy() calls metadata_dst_free() which directly kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets that took a reference via dst_hold() in nft_tunnel_obj_eval() and are still queued (e.g. in a netem qdisc) are left with a dangling pointer. When these packets are eventually dequeued, dst_release() operates on freed memory. Replace metadata_dst_free() with dst_release() so the metadata_dst is freed only after all references are dropped. The dst subsystem already handles metadata_dst cleanup in dst_destroy() when DST_METADATA is set. Fixes: af308b9 ("netfilter: nf_tables: add tunnel support") Cc: stable@vger.kernel.org Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c7d5735 upstream. NFT_META_BRI_IIFHWADDR declares its destination register with len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and leaving the upper 2 bytes of the second register as uninitialised nft_do_chain() stack. A downstream load of that register span leaks those stale bytes to userspace. Zero the second register before the memcpy so the full declared span is written. Fixes: cbd2257 ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support") Cc: stable@vger.kernel.org Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
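
The partial register write described in commit c7d5735 above, modelled in userspace C. This is an added example, not code from the commit or from the kernel: the register file size, the 0xAA stale marker, the sample address and all function names are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define NREGS    4     /* hypothetical register file size for this demo */
#define STALE    0xAA  /* constructed marker standing in for leftover stack bytes */

/* Constructed sample address standing in for br_dev->dev_addr. */
static const uint8_t dev_addr[ETH_ALEN] = { 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30 };

/* Behaviour before the fix: 6 bytes are written into an 8-byte
 * (two 32-bit register) destination span. */
static void eval_unfixed(uint32_t *dest)
{
	memcpy(dest, dev_addr, ETH_ALEN);
}

/* Behaviour after the fix: the second register is zeroed first, so the
 * whole declared span is written. */
static void eval_fixed(uint32_t *dest)
{
	dest[1] = 0;
	memcpy(dest, dev_addr, ETH_ALEN);
}

/* Fill the register file with the stale marker, run one of the two
 * evaluators, then copy the full two-register span out byte by byte,
 * as a downstream load of that span would. */
static void run(int fixed, uint8_t span[2 * sizeof(uint32_t)])
{
	uint32_t regs[NREGS];

	memset(regs, STALE, sizeof(regs));
	if (fixed)
		eval_fixed(regs);
	else
		eval_unfixed(regs);
	memcpy(span, regs, 2 * sizeof(uint32_t));
}

/* The two bytes past ETH_ALEN, packed into one value for easy checking. */
static unsigned leaked_tail(int fixed)
{
	uint8_t span[2 * sizeof(uint32_t)];

	run(fixed, span);
	return ((unsigned)span[6] << 8) | span[7];
}

/* 1 if the first ETH_ALEN bytes of the span are the hardware address. */
static int addr_intact(int fixed)
{
	uint8_t span[2 * sizeof(uint32_t)];

	run(fixed, span);
	return memcmp(span, dev_addr, ETH_ALEN) == 0;
}

int main(void)
{
	printf("unfixed tail bytes: 0x%04x\n", leaked_tail(0));
	printf("fixed tail bytes:   0x%04x\n", leaked_tail(1));
	return 0;
}
```
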
commit 26682f5 upstream. register_shm_helper() allocates shm before calling iov_iter_npages(). If iov_iter_npages() returns 0, the function jumps to err_ctx_put and leaks shm. This can be triggered by TEE_IOC_SHM_REGISTER with struct tee_ioctl_shm_register_data where length is 0. Jump to err_free_shm instead. Fixes: 7bdee41 ("tee: Use iov_iter to better support shared buffer registration") Cc: stable@vger.kernel.org Cc: lvc-project@linuxtesting.org Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev> Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5c65b96 upstream. Existing advertising instances can already hold the maximum extended advertising payload. When hci_adv_bcast_annoucement() prepends the Broadcast Announcement service data to that payload, the combined data may no longer fit in the temporary buffer used to rebuild the advertising data. Reject that case before copying the existing payload and report the failure through the device log. This keeps the existing advertising data intact and avoids overrunning the temporary buffer. Fixes: 5725bc6 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance") Cc: stable@kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Assisted-by: Codex:GPT-5.4 Signed-off-by: Yuqi Xu <xuyq21@lenovo.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dd21473 upstream. net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR signaling packets up to the channel MTU and dispatches each command without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer within radio range can send a fixed-channel CID 0x0001 packet that is larger than MTUsig and contains many L2CAP_ECHO_REQ commands before pairing. In a real-radio stock-kernel run, one 681-byte signaling packet containing 168 zero-length ECHO_REQ commands made the target transmit 168 ECHO_RSP frames over about 220 ms. Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling packet containing packed ECHO_REQ commands. Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched. The Bluetooth Core spec wording for MTUExceeded says the reject identifier shall match the first request command in the packet, and that packets containing only responses shall be silently discarded. Linux intentionally deviates from that prescription: silently discarding desynchronizes the peer because the remote stack never learns its responses were dropped, and locating the first request command requires walking command headers past MTUsig, i.e. processing bytes from a packet we have already decided is too large to process. We therefore always emit one reject and use the identifier from the first command header, a single fixed-offset byte read. The unrestricted BR/EDR signaling parser and ECHO_REQ response path both trace to the initial git import; no later introducing commit is available for a Fixes tag. 
Cc: stable@vger.kernel.org Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com> Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com Assisted-by: Claude:claude-opus-4-7 Assisted-by: Codex:gpt-5-5-xhigh Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
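
The amplification and the MTUsig check described in commit dd21473 above, as a userspace C model. This is an added example, not the kernel's l2cap_sig_channel(): the function names, the result struct, the L2CAP_SIG_MTU macro name and the constructed packet are assumptions, while the command codes and the 48-byte minimum follow the Bluetooth Core spec values the message refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L2CAP_COMMAND_REJECT_RSP 0x01   /* Command Reject code */
#define L2CAP_ECHO_REQ           0x08
#define L2CAP_REJ_MTU_EXCEEDED   0x0001
#define L2CAP_SIG_MTU            48     /* spec minimum; macro name assumed */
#define CMD_HDR_LEN              4      /* code, ident, 16-bit LE length */

struct sig_result {
	unsigned responses;      /* frames the receiver would transmit */
	uint8_t  reject_code;    /* 0 if no reject was generated */
	uint8_t  reject_ident;
	uint16_t reject_reason;
};

/* Model of the unrestricted parser: every packed command is dispatched,
 * so every ECHO_REQ yields one ECHO_RSP. */
static struct sig_result sig_unbounded(const uint8_t *data, size_t len)
{
	struct sig_result r = { 0, 0, 0, 0 };

	while (len >= CMD_HDR_LEN) {
		uint8_t code = data[0];
		uint16_t clen = (uint16_t)(data[2] | (data[3] << 8));

		data += CMD_HDR_LEN;
		len -= CMD_HDR_LEN;
		if (clen > len)
			break;          /* truncated command: stop parsing */
		if (code == L2CAP_ECHO_REQ)
			r.responses++;
		data += clen;
		len -= clen;
	}
	return r;
}

/* Model of the fix: an oversized packet gets exactly one reject, built
 * from a single fixed-offset read of the first command's identifier,
 * before any command is dispatched. */
static struct sig_result sig_mtusig(const uint8_t *data, size_t len)
{
	if (len > L2CAP_SIG_MTU) {
		struct sig_result r = { 1, L2CAP_COMMAND_REJECT_RSP,
					data[1], L2CAP_REJ_MTU_EXCEEDED };
		return r;
	}
	return sig_unbounded(data, len);
}

/* Constructed input: `count` zero-length ECHO_REQ commands back to back.
 * Returns the number of bytes written, or 0 if `cap` is too small. */
static size_t build_echo_pack(uint8_t *buf, size_t cap, unsigned count)
{
	size_t off = 0;

	if ((size_t)count * CMD_HDR_LEN > cap)
		return 0;
	for (unsigned i = 0; i < count; i++) {
		buf[off++] = L2CAP_ECHO_REQ;
		buf[off++] = (uint8_t)(i % 255 + 1);  /* non-zero identifier */
		buf[off++] = 0;                       /* length, low byte */
		buf[off++] = 0;                       /* length, high byte */
	}
	return off;
}

/* Helpers returning the outcome for a pack of `count` echo requests. */
static struct sig_result run_pack(unsigned count, int enforce)
{
	static uint8_t pkt[1024];
	size_t n = build_echo_pack(pkt, sizeof(pkt), count);

	return enforce ? sig_mtusig(pkt, n) : sig_unbounded(pkt, n);
}

int main(void)
{
	printf("168 packed ECHO_REQ, no MTUsig check: %u responses\n",
	       run_pack(168, 0).responses);
	printf("168 packed ECHO_REQ, MTUsig enforced: %u response(s)\n",
	       run_pack(168, 1).responses);
	return 0;
}
```
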
commit d922113 upstream. The current platform driver design causes probe ordering races with consumers (UFS, eMMC) due to ICE's dependency on SCM firmware calls. If ICE probe fails (missing ICE SCM or DT registers), devm_of_qcom_ice_get() loops with -EPROBE_DEFER, leaving consumers non-functional even when ICE should be gracefully disabled. devm_of_qcom_ice_get() doesn't know if the ICE driver probe has failed due to above reasons or it is waiting for the SCM driver. Moreover, there is no devlink dependency between ICE and consumer drivers as 'qcom,ice' is not considered as a DT 'supplier'. So the consumer drivers have no idea of when the ICE driver is going to probe. To address these issues, store the error pointer in a global xarray with ice node phandle as a key during probe in addition to the valid ice pointer and synchronize both qcom_ice_probe() and of_qcom_ice_get() using a mutex. If the xarray entry is NULL, then it implies that the driver is not probed yet, so return -EPROBE_DEFER. If it has any error pointer, return that error pointer directly. Otherwise, add the devlink as usual and return the valid pointer to the consumer. Xarray is used instead of platform drvdata, since driver core frees the drvdata during probe failure. So it cannot be used to pass the error pointer to the consumers. Note that this change only fixes the standalone ICE DT node bindings and not the ones with 'ice' range embedded in the consumer nodes, where there is no issue. 
Fixes: 2afbf43 ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver") Reported-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Tested-by: Sumit Garg <sumit.garg@oss.qualcomm.com> # OP-TEE as TZ Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com> Cc: stable@vger.kernel.org # 6.4 Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com> Link: https://lore.kernel.org/r/20260518-qcom-ice-fix-v7-1-2a595382185b@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…hwpoison commit 3c2d42b upstream. Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock when racing with a concurrent unmap: thread#0 thread#1 -------- -------- madvise(folio, MADV_HWPOISON) -> poisons the folio successfully madvise(folio, MADV_HWPOISON) unmap(folio) try_memory_failure_hugetlb get_huge_page_for_hwpoison spin_lock_irq(&hugetlb_lock) <- held __get_huge_page_for_hwpoison hugetlb_update_hwpoison() -> MF_HUGETLB_FOLIO_PRE_POISONED goto out: folio_put() refcount: 1 -> 0 free_huge_folio() spin_lock_irqsave(&hugetlb_lock) -> AA DEADLOCK! The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop the GUP reference while the hugetlb_lock is still held by the hugetlb.c wrapper get_huge_page_for_hwpoison(). If concurrent unmap has released the page table mapping reference, folio_put() drops the folio refcount to zero, triggering free_huge_folio() which attempts to re-acquire the non-recursive hugetlb_lock. Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper into get_huge_page_for_hwpoison(). Place spin_unlock_irq() before the folio_put() at the out: label so the folio is always released outside the lock. 
[akpm@linux-foundation.org: fix race, rename label per Miaohe] Link: https://sashiko.dev/#/patchset/20260522010305.4099834-1-mawupeng1@huawei.com Link: https://lore.kernel.org/f39f405e-4b4b-8f79-70fe-a2b5b62114eb@huawei.com Link: https://lore.kernel.org/20260522010305.4099834-1-mawupeng1@huawei.com Fixes: 405ce05 ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()") Signed-off-by: Wupeng Ma <mawupeng1@huawei.com> Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org> Acked-by: Muchun Song <muchun.song@linux.dev> Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com> Acked-by: Miaohe Lin <linmiaohe@huawei.com> Cc: David Hildenbrand <david@kernel.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <ljs@kernel.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Naoya Horiguchi <nao.horiguchi@gmail.com> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dd1311b upstream. Add validation that read and write indices in the firmware log buffer are within valid bounds (< data_size) before using them. If out-of-bounds indices are encountered (from firmware), clamp them to safe values instead of proceeding with invalid offsets. This prevents potential out-of-bounds buffer access when firmware supplies invalid log indices. Fixes: 1fc1251 ("accel/ivpu: Refactor functions in ivpu_fw_log.c") Cc: stable@vger.kernel.org # v6.18+ Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com> Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com> Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com> Link: https://patch.msgid.link/20260529115842.135378-1-andrzej.kacprowski@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fb17642 upstream. Add validation that the info size returned from the metric stream info query is not exceeded when checked against the allocated buffer size. If the firmware returns a size larger than the buffer, reject the operation with -EOVERFLOW instead of proceeding with an incorrect buffer copy. Fixes: cdfad4d ("accel/ivpu: Add NPU profiling support") Cc: stable@vger.kernel.org # v6.18+ Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com> Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com> Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com> Link: https://patch.msgid.link/20260529120841.135852-1-andrzej.kacprowski@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d9faef5 upstream. Fix potential buffer overflow where firmware-supplied data_size is cast to signed int before being used in min_t(). Large unsigned values (>= 0x80000000) become negative, causing unsigned wraparound and oversized memcpy operations that can overflow the stack buffer. Change min_t(int, ...) to min() as both values are unsigned and can be handled by min() without explicit cast. Fixes: 3b434a3 ("accel/ivpu: Use threaded IRQ to handle JOB done messages") Cc: stable@vger.kernel.org # v6.12+ Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com> Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com> Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com> Link: https://patch.msgid.link/20260601161643.229342-1-andrzej.kacprowski@linux.intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
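
The signed-cast problem described in commit d9faef5 above, reproduced in userspace C. This is an added example, not the ivpu driver's code: struct fw_msg, JOB_BUF_SIZE and the function names are assumptions, and the two length helpers stand in for min_t(int, ...) and min() on unsigned operands. The copy is only performed when the computed length fits, so the unfixed path reports the overflow instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JOB_BUF_SIZE 64u   /* hypothetical size of the on-stack buffer */

/* Hypothetical firmware message: a length field followed by payload. */
struct fw_msg {
	uint32_t data_size;   /* supplied by firmware, not trusted */
	uint8_t  data[128];
};

/* Stand-in for min_t(int, data_size, buf_size): both operands are cast
 * to int first, so values >= 0x80000000 turn negative and win the
 * comparison. The result is then converted to memcpy()'s size_t. */
static size_t len_min_t_int(uint32_t data_size, uint32_t buf_size)
{
	int a = (int)data_size;
	int b = (int)buf_size;
	int m = a < b ? a : b;

	return (size_t)m;
}

/* Stand-in for min() on two unsigned values: no cast, no sign change. */
static size_t len_min_unsigned(uint32_t data_size, uint32_t buf_size)
{
	return data_size < buf_size ? data_size : buf_size;
}

/* Copy the payload into a stack buffer using the chosen length helper.
 * Returns the number of bytes copied, or -1 if the computed length would
 * have overrun the buffer (the copy is skipped in that case). */
static long handle_msg(const struct fw_msg *msg, int fixed)
{
	uint8_t buf[JOB_BUF_SIZE];
	size_t len = fixed ? len_min_unsigned(msg->data_size, sizeof(buf))
			   : len_min_t_int(msg->data_size, sizeof(buf));

	if (len > sizeof(buf))
		return -1;
	memcpy(buf, msg->data, len);
	return (long)len;
}

/* Build a constructed message with the given length field and run it. */
static long run(uint32_t data_size, int fixed)
{
	struct fw_msg msg;

	memset(&msg, 0, sizeof(msg));
	msg.data_size = data_size;
	return handle_msg(&msg, fixed);
}

int main(void)
{
	printf("data_size=16,         min_t(int): %ld\n", run(16, 0));
	printf("data_size=0x80000000, min_t(int): %ld\n", run(0x80000000u, 0));
	printf("data_size=0x80000000, min():      %ld\n", run(0x80000000u, 1));
	return 0;
}
```
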
commit 0652a3d upstream. The probestub is a function to allow tprobes to hook to a tracepoint to gain access to its parameters. The function itself is only referenced by the tracepoint structure which lives in the __tracepoint section. objtool explicitly ignores that section and when processing functions in the kernel, if it detects one that has no references it will seal it to have its ENDBR stripped on boot up. This means when a tprobe is attached to the sched_wakeup tracepoint, when it is triggered it will call __probestub_sched_wakeup and due to the missing ENDBR on a CFI-enabled machine it will take a #CP exception. Fix this by adding CFI_NOSEAL annotation to probestub declaration. Cc: stable@vger.kernel.org Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Link: https://patch.msgid.link/20260603153147.573589-1-eva.kurchatova@virtuozzo.com Fixes: d5173f7 ("objtool: Exclude __tracepoints data from ENDBR checks") Signed-off-by: Eva Kurchatova <eva.kurchatova@virtuozzo.com> [ Updated change log ] Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…error commit 85e0f27 upstream. Fix to point the error offset correctly for eprobe argument error. In the cleanup commit 1b8b0cd ("tracing/probes: Move event parameter fetching code to common parser"), due to incorrect backward compatibility aimed at conforming to the test specifications, the error location was set to 0 when a non-existent formal parameter was specified for Eprobe. However, this should be corrected in both the test and the implementation to point correct error position. Link: https://lore.kernel.org/all/177967567399.209006.1451571244515632097.stgit@devnote2/ Fixes: 1b8b0cd ("tracing/probes: Move event parameter fetching code to common parser") Cc: stable@vger.kernel.org Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Reviewed-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 905b06d upstream.

Starting with Rust 1.98.0 (expected 2026-08-20), the target spec will not support `x86-softfloat` anymore [1]. Instead, `softfloat` should be used, which is an alias. Otherwise, one gets:

    error: error loading target specification: rustc-abi: invalid rustc abi: 'x86-softfloat'. allowed values: 'x86-sse2', 'softfloat' at line 3 column 32
      |
      = help: run `rustc --print target-list` for a list of built-in targets

Thus conditionally use one or the other depending on the version.

The alias has existed since Rust 1.95.0 (released 2026-04-16) [2], but use the newer version instead to avoid changing how the build works for existing compilers, at least until more testing takes place.

Cc: Ralf Jung <post@ralfj.de>
Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
Link: rust-lang/rust#157151 [1]
Link: rust-lang/rust#151154 [2]
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260530114925.260754-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 84a0f7c upstream.

When KASAN is enabled, such as with allmodconfig, the build fails when building the Rust code with:

    error: kernel-address sanitizer is not supported for this target
    error: aborting due to 1 previous error
    make[4]: *** [rust/Makefile:654: rust/core.o] Error 1

The arm-unknown-linux-gnueabi target does not support KASAN, so avoid saying Rust is supported when it is enabled.

Cc: stable@vger.kernel.org
Fixes: ccb8ce5 ("ARM: 9441/1: rust: Enable Rust support for ARMv7")
Link: Rust-for-Linux/linux#1234
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Link: https://patch.msgid.link/20260511-arm-avoid-rust-with-kasan-v1-1-24d55f4a900b@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ac35b55 upstream.

Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the uwtable annotation for functions, but not for the module. This means that compiler-generated functions such as 'asan.module_ctor' do not receive the uwtable annotation.

When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot failures because the dwarf information emitted for the kasan constructors is wrong, which causes the SCS boot patching code to patch the constructor in an illegal manner. Specifically, the paciasp instruction is patched, but the autiasp instruction is not. This mismatch leads to a crash when the constructor is called during boot.

    ==================================================================
    BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
    Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1

Specifically the faulting instruction is the (*fn)() to invoke the constructor in do_ctors() of the init/main.c file.

Once the fix lands in rustc, this flag can be made conditional on the rustc version. Note that passing the flag on a rustc with the fix present has no effect.

[ The fix [1] has landed for Rust 1.98.0 (expected release on 2026-08-20). Thus add a version check as discussed. - Miguel ]

Fixes: d077242 ("rust: support for shadow call stack sanitizer")
Cc: stable@kernel.org
Link: rust-lang/rust#156973 [1]
Reported-by: Bo Ye <bo.ye@mediatek.com>
Debugged-by: Isaac Manjarres <isaacmanjarres@google.com>
Debugged-by: Sami Tolvanen <samitolvanen@google.com>
Tested-by: Isaac Manjarres <isaacmanjarres@google.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260527-uwtable-module-flag-v1-1-caa41342be4b@google.com
[ Adjusted link and comment. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4a44b17 upstream. The Makefile version of rustc-option currently checks whether the option exists for the host target instead of the target actually being compiled for. It was done this way in commit 46e24a5 ("rust: kasan/kbuild: fix missing flags on first build") to avoid a circular dependency on target.json. However, because of this, rustc-option currently does not function when cross-compiling from x86_64 to aarch64 if CONFIG_SHADOW_CALL_STACK is enabled. This is because KBUILD_RUSTFLAGS contains -Zfixed-x18 under this configuration. Since that flag does not exist on the host target, rustc-option runs into a compilation failure every time, leading to all flags being rejected as unsupported. To fix this, update rustc-option to pass a --target parameter so that the host target is not used. For targets using target.json, use a built-in target that is as close as possible to the target created with target.json to avoid the circular dependency on target.json. One scenario where this causes a boot failure: * Cross-compiled from x86_64 to aarch64. * With CONFIG_SHADOW_CALL_STACK=y * With CONFIG_KASAN_SW_TAGS=y * With CONFIG_KASAN_INLINE=n Then the resulting kernel image will fail to boot when it first calls into Rust code with a crash along the lines of "Unable to handle kernel paging request at virtual address 0ffffffc08541796". This is because the call threshold is not specified, so rustc will inline kasan operations, but the kasan shadow offset is not specified, which leads to the inlined kasan instructions being incorrect. Note that the -Zsanitizer=kernel-hwaddress parameter itself does not lead to a rustc-option failure despite being aarch64-specific because RUSTFLAGS_KASAN has not yet been added to KBUILD_RUSTFLAGS when rustc-option is evaluated by the kasan Makefile. 
Cc: stable@vger.kernel.org Fixes: 46e24a5 ("rust: kasan/kbuild: fix missing flags on first build") Signed-off-by: Alice Ryhl <aliceryhl@google.com> Link: https://patch.msgid.link/20260507-rustc-option-cross-v2-1-2f650a49c2b5@google.com [ Edited slightly: - Reset variable to avoid using the environment. - Use a simply expanded variable flavor for simplicity. - Export variable so that behavior in sub-`make`s is consistent. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> This matches other variables. - Miguel ] Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
commit b837e38 upstream. The previous clock uses roundup_pow_of_two() to calculate the core clock frequency. It does not meet the actual hardware meaning. The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)". Fix the clock divider calculation. Fixes: 92e0991 ("mmc: Add driver for LiteX's LiteSDCard interface") Signed-off-by: Inochi Amaoto <inochiama@gmail.com> Reviewed-by: Gabriel Somlo <gsomlo@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson <ulfh@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 48fcc89 upstream. That was missed when importing the header. Reported-by: Doru Blânzeanu <dblanzeanu@linux.microsoft.com> Reported-by: Magnus Kulke <magnuskulke@linux.microsoft.com> Fixes: e68bda7 ("hyperv: Add new Hyper-V headers in include/hyperv") Cc: stable@kernel.org Reviewed-by: Easwar Hariharan <easwar.hariharan@linux.microsoft.com> Signed-off-by: Wei Liu <wei.liu@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9119d6c upstream. The vma_modify_*() family of functions each either perform splits, a merge or no changes at all in preparation for the requested modification to occur. When doing so for a VMA flags change, we currently don't account for any flags which may remain (for instance, VM_SOFTDIRTY) despite the requested change in the case that a merge succeeded. This is made more important by subsequent patches which will introduce the concept of sticky VMA flags which rely on this behaviour. This patch fixes this by passing the VMA flags parameter as a pointer and updating it accordingly on merge and updating callers to accommodate for this. Additionally, while we are here, we add kdocs for each of the vma_modify_*() functions, as the fact that the requested modification is not performed is confusing so it is useful to make this abundantly clear. We also update the VMA userland tests to account for this change. Link: https://lkml.kernel.org/r/23b5b549b0eaefb2922625626e58c2a352f3e93c.1763460113.git.ljs@kernel.org Signed-off-by: Lorenzo Stoakes <ljs@kernel.org> Reviewed-by: Pedro Falcato <pfalcato@suse.de> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Cc: Andrei Vagin <avagin@gmail.com> Cc: Baolin Wang <baolin.wang@linux.alibaba.com> Cc: Barry Song <baohua@kernel.org> Cc: David Hildenbrand (Red Hat) <david@kernel.org> Cc: Dev Jain <dev.jain@arm.com> Cc: Jann Horn <jannh@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Lance Yang <lance.yang@linux.dev> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Nico Pache <npache@redhat.com> Cc: Ryan Roberts <ryan.roberts@arm.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Zi Yan <ziy@nvidia.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com> 
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 64212ba upstream. It is useful to be able to designate that certain flags are 'sticky', that is, if two VMAs are merged one with a flag of this nature and one without, the merged VMA sets this flag. As a result we ignore these flags for the purposes of determining VMA flag differences between VMAs being considered for merge. This patch therefore updates the VMA merge logic to perform this action, with flags possessing this property being described in the VM_STICKY bitmap. Those flags which ought to be ignored for the purposes of VMA merge are described in the VM_IGNORE_MERGE bitmap, which the VMA merge logic is also updated to use. As part of this change we place VM_SOFTDIRTY in VM_IGNORE_MERGE as it already had this behaviour, alongside VM_STICKY as sticky flags by implication must not disallow merge. Ultimately it seems that we should make VM_SOFTDIRTY a sticky flag in its own right, but this change is out of scope for this series. The only sticky flag designated as such is VM_MAYBE_GUARD, so as a result of this change, once the VMA flag is set upon guard region installation, VMAs with guard ranges will now not have their merge behaviour impacted as a result and can be freely merged with other VMAs without VM_MAYBE_GUARD set. Also update the comments for vma_modify_flags() to directly reference sticky flags now we have established the concept. We also update the VMA userland tests to account for the changes. 
Link: https://lkml.kernel.org/r/22ad5269f7669d62afb42ce0c79bad70b994c58d.1763460113.git.ljs@kernel.org Signed-off-by: Lorenzo Stoakes <ljs@kernel.org> Reviewed-by: Pedro Falcato <pfalcato@suse.de> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Cc: Andrei Vagin <avagin@gmail.com> Cc: Baolin Wang <baolin.wang@linux.alibaba.com> Cc: Barry Song <baohua@kernel.org> Cc: David Hildenbrand (Red Hat) <david@kernel.org> Cc: Dev Jain <dev.jain@arm.com> Cc: Jann Horn <jannh@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Lance Yang <lance.yang@linux.dev> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Nico Pache <npache@redhat.com> Cc: Ryan Roberts <ryan.roberts@arm.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Zi Yan <ziy@nvidia.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ab04b53 upstream. Gather all the VMA flags whose presence implies that page tables must be copied on fork into a single bitmap - VM_COPY_ON_FORK - and use this rather than specifying individual flags in vma_needs_copy(). We also add VM_MAYBE_GUARD to this list, as it being set on a VMA implies that there may be metadata contained in the page tables (that is - guard markers) which will not and cannot be propagated upon fork. This was already being done manually previously in vma_needs_copy(), but this makes it very explicit, alongside VM_PFNMAP, VM_MIXEDMAP and VM_UFFD_WP all of which imply the same. Note that VM_STICKY flags ought generally to be marked VM_COPY_ON_FORK too - because equally a flag being VM_STICKY indicates that the VMA contains metadata that is not propagated by being faulted in - i.e. that the VMA metadata does not fully describe the VMA alone, and thus we must propagate whatever metadata there is on a fork. However, for maximum flexibility, we do not make this necessarily the case here.
Link: https://lkml.kernel.org/r/5d41b24e7bc622cda0af92b6d558d7f4c0d1bc8c.1763460113.git.ljs@kernel.org Signed-off-by: Lorenzo Stoakes <ljs@kernel.org> Reviewed-by: Pedro Falcato <pfalcato@suse.de> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Acked-by: David Hildenbrand (Red Hat) <david@kernel.org> Cc: Andrei Vagin <avagin@gmail.com> Cc: Baolin Wang <baolin.wang@linux.alibaba.com> Cc: Barry Song <baohua@kernel.org> Cc: Dev Jain <dev.jain@arm.com> Cc: Jann Horn <jannh@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Lance Yang <lance.yang@linux.dev> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Nico Pache <npache@redhat.com> Cc: Ryan Roberts <ryan.roberts@arm.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Zi Yan <ziy@nvidia.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 49e14da upstream. Now we have established the VM_MAYBE_GUARD flag and added the capacity to set it atomically, do so upon MADV_GUARD_INSTALL. The places where this flag is used currently and matter are: * VMA merge - performed under mmap/VMA write lock, therefore excluding racing writes. * /proc/$pid/smaps - can race the write, however this isn't meaningful as the flag write is performed at the point of the guard region being established, and thus an smaps reader can't reasonably expect to avoid races. Due to atomicity, a reader will observe either the flag being set or not. Therefore consistency will be maintained. In all other cases the flag being set is irrelevant and atomicity guarantees other flags will be read correctly. Note that non-atomic updates of unrelated flags do not cause an issue with this flag being set atomically, as writes of other flags are performed under mmap/VMA write lock, and these atomic writes are performed under mmap/VMA read lock, which excludes the write, avoiding RMW races. Note that we do not encounter issues with KCSAN by adjusting this flag atomically, as we are only updating a single bit in the flag bitmap and therefore we do not need to annotate these changes. We intentionally set this flag in advance of actually updating the page tables, to ensure that any racing atomic read of this flag will only return false prior to page tables being updated, to allow for serialisation via page table locks. Note that we set vma->anon_vma for anonymous mappings. This is because the expectation for anonymous mappings is that an anon_vma is established should they possess any page table mappings. This is also consistent with what we were doing prior to this patch (unconditionally setting anon_vma on guard region installation). We also need to update retract_page_tables() to ensure that madvise(..., MADV_COLLAPSE) doesn't incorrectly collapse file-backed ranges containing guard regions.
This was previously guarded by anon_vma being set to catch MAP_PRIVATE cases, but the introduction of VM_MAYBE_GUARD necessitates that we check this flag instead. We utilise vma_flag_test_atomic() to do so - we first perform an optimistic check, then after the PTE page table lock is held, we can check again safely, as upon guard marker install the flag is set atomically prior to the page table lock being taken to actually apply it. So if the initial check fails either: * Page table retraction acquires page table lock prior to VM_MAYBE_GUARD being set - guard marker installation will be blocked until page table retraction is complete. OR: * Guard marker installation acquires page table lock after setting VM_MAYBE_GUARD, which raced and didn't pick this up in the initial optimistic check, blocking page table retraction until the guard regions are installed - the second VM_MAYBE_GUARD check will prevent page table retraction. Either way we're safe. We refactor the retraction checks into a single file_backed_vma_is_retractable(), there doesn't seem to be any reason that the checks were separated as before. Note that VM_MAYBE_GUARD being set atomically remains correct as vma_needs_copy() is invoked with the mmap and VMA write locks held, excluding any race with madvise_guard_install(). 
Link: https://lkml.kernel.org/r/e9e9ce95b6ac17497de7f60fc110c7dd9e489e8d.1763460113.git.ljs@kernel.org Signed-off-by: Lorenzo Stoakes <ljs@kernel.org> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Cc: Andrei Vagin <avagin@gmail.com> Cc: Baolin Wang <baolin.wang@linux.alibaba.com> Cc: Barry Song <baohua@kernel.org> Cc: David Hildenbrand (Red Hat) <david@kernel.org> Cc: Dev Jain <dev.jain@arm.com> Cc: Jann Horn <jannh@google.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Lance Yang <lance.yang@linux.dev> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Nico Pache <npache@redhat.com> Cc: Pedro Falcato <pfalcato@suse.de> Cc: Ryan Roberts <ryan.roberts@arm.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Zi Yan <ziy@nvidia.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6707915 upstream. Patch series "make VM_SOFTDIRTY a sticky VMA flag", v2. Currently we set VM_SOFTDIRTY when a new mapping is set up (whether by establishing a new VMA, or via merge) as implemented in __mmap_complete() and do_brk_flags(). However, when performing a merge of existing mappings such as when performing mprotect(), we may lose the VM_SOFTDIRTY flag. Now we have the concept of making VMA flags 'sticky', that is that they both don't prevent merge and, importantly, are propagated to merged VMAs, this seems a sensible alternative to the existing special-casing of VM_SOFTDIRTY. We additionally add a self-test that demonstrates that this logic behaves as expected. This patch (of 2): Currently we set VM_SOFTDIRTY when a new mapping is set up (whether by establishing a new VMA, or via merge) as implemented in __mmap_complete() and do_brk_flags(). However, when performing a merge of existing mappings such as when performing mprotect(), we may lose the VM_SOFTDIRTY flag. This is because currently we simply ignore VM_SOFTDIRTY for the purposes of merge, so one VMA may possess the flag and another not, and whichever happens to be the target VMA will be the one upon which the merge is performed which may or may not have VM_SOFTDIRTY set. Now we have the concept of 'sticky' VMA flags, let's make VM_SOFTDIRTY one which solves this issue. Additionally update VMA userland tests to propagate changes. 
[akpm@linux-foundation.org: update comments, per Lorenzo] Link: https://lkml.kernel.org/r/0019e0b8-ee1e-4359-b5ee-94225cbe5588@lucifer.local Link: https://lkml.kernel.org/r/cover.1763399675.git.ljs@kernel.org Link: https://lkml.kernel.org/r/955478b5170715c895d1ef3b7f68e0cd77f76868.1763399675.git.ljs@kernel.org Signed-off-by: Lorenzo Stoakes <ljs@kernel.org> Suggested-by: Vlastimil Babka <vbabka@suse.cz> Acked-by: David Hildenbrand (Red Hat) <david@kernel.org> Reviewed-by: Pedro Falcato <pfalcato@suse.de> Acked-by: Andrey Vagin <avagin@gmail.com> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Acked-by: Cyrill Gorcunov <gorcunov@gmail.com> Cc: Jann Horn <jannh@google.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Suren Baghdasaryan <surenb@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com> Fixes: 34228d4 ("mm: ignore VM_SOFTDIRTY on VMA merging") Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
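The two commit messages above ("mm: implement sticky VMA flags" and "mm: propagate VM_SOFTDIRTY on merge") describe a merge rule that is easier to follow as code. The following user-space model is an added example, not code from the kernel or from this pull request; the bit values, the `merge_policy` struct and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

typedef unsigned long vm_flags_t;

/* Bit values are constructed for this model; they are not the kernel's. */
#define VM_READ        0x01UL
#define VM_WRITE       0x02UL
#define VM_SOFTDIRTY   0x10UL
#define VM_MAYBE_GUARD 0x20UL

/* One policy per stage of the series (hypothetical struct, not a kernel type). */
struct merge_policy {
	vm_flags_t ignore_merge; /* differences in these bits do not block a merge */
	vm_flags_t sticky;       /* set on the merged VMA if either side had them */
};

/* Before sticky flags: VM_SOFTDIRTY is ignored for merge, nothing propagates. */
static const struct merge_policy POLICY_IGNORE_ONLY = {
	.ignore_merge = VM_SOFTDIRTY,
	.sticky = 0,
};

/* "implement sticky VMA flags": VM_MAYBE_GUARD is the only sticky flag. */
static const struct merge_policy POLICY_GUARD_STICKY = {
	.ignore_merge = VM_SOFTDIRTY | VM_MAYBE_GUARD,
	.sticky = VM_MAYBE_GUARD,
};

/* "propagate VM_SOFTDIRTY on merge": VM_SOFTDIRTY becomes sticky as well. */
static const struct merge_policy POLICY_BOTH_STICKY = {
	.ignore_merge = VM_SOFTDIRTY | VM_MAYBE_GUARD,
	.sticky = VM_SOFTDIRTY | VM_MAYBE_GUARD,
};

/* Two VMAs are flag-compatible when they differ only in ignored bits. */
static bool can_merge(const struct merge_policy *p, vm_flags_t a, vm_flags_t b)
{
	return ((a ^ b) & ~p->ignore_merge) == 0;
}

/*
 * Merge `other` into `target`. The result keeps the target's flags and
 * additionally inherits every sticky bit the other side carried.
 */
static bool merge_flags(const struct merge_policy *p, vm_flags_t target,
			vm_flags_t other, vm_flags_t *out)
{
	if (!can_merge(p, target, other))
		return false;
	*out = target | (other & p->sticky);
	return true;
}

/* Convenience wrapper: merged flags, or ~0UL when the merge is refused. */
static vm_flags_t merged_or_refused(const struct merge_policy *p,
				    vm_flags_t target, vm_flags_t other)
{
	vm_flags_t out;

	return merge_flags(p, target, other, &out) ? out : ~0UL;
}

int main(void)
{
	const vm_flags_t rw = VM_READ | VM_WRITE;

	/* Soft-dirty survives only if the target happened to carry it. */
	printf("ignore-only, clean target: %#lx\n",
	       merged_or_refused(&POLICY_IGNORE_ONLY, rw, rw | VM_SOFTDIRTY));
	printf("ignore-only, dirty target: %#lx\n",
	       merged_or_refused(&POLICY_IGNORE_ONLY, rw | VM_SOFTDIRTY, rw));
	/* With the flag sticky, the merge direction no longer matters. */
	printf("both-sticky, clean target: %#lx\n",
	       merged_or_refused(&POLICY_BOTH_STICKY, rw, rw | VM_SOFTDIRTY));
	/* A guard-marked VMA blocks the merge until the flag is sticky. */
	printf("ignore-only, guard vs plain: %#lx\n",
	       merged_or_refused(&POLICY_IGNORE_ONLY, rw | VM_MAYBE_GUARD, rw));
	printf("guard-sticky, guard vs plain: %#lx\n",
	       merged_or_refused(&POLICY_GUARD_STICKY, rw, rw | VM_MAYBE_GUARD));
	return 0;
}
```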
commit c7ba92b upstream. Assert that we correctly merge VMAs containing VM_SOFTDIRTY flags now that we correctly handle these as sticky. In order to do so, we have to account for the fact the pagemap interface checks soft dirty PTEs and additionally that newly merged VMAs are marked VM_SOFTDIRTY. We do this by using unfaulted anon VMAs, establishing one and clearing references on that one, before establishing another and merging the two before checking that soft-dirty is propagated as expected. We check that this functions correctly with mremap() and mprotect() as sample cases, because VMA merge of adjacent newly mapped VMAs will automatically be made soft-dirty due to existing logic which does so. We are therefore exercising other means of merging VMAs. Link: https://lkml.kernel.org/r/d5a0f735783fb4f30a604f570ede02ccc5e29be9.1763399675.git.ljs@kernel.org Signed-off-by: Lorenzo Stoakes <ljs@kernel.org> Cc: Andrey Vagin <avagin@gmail.com> Cc: David Hildenbrand (Red Hat) <david@kernel.org> Cc: Jann Horn <jannh@google.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Pedro Falcato <pfalcato@suse.de> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Cyrill Gorcunov <gorcunov@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3fdd336 upstream. dev_open() already is exported, but drivers which use the netdev instance lock need to use netif_open() instead. netif_close() is also already exported [1] so this completes the pairing. This export is required for the following fbnic self tests to avoid calling ndo_stop() and ndo_open() in favor of the more appropriate netif_open() and netif_close() that notifies any listeners that the interface went down to test and is now coming back up. Link: https://patch.msgid.link/20250309215851.2003708-1-sdf@fomichev.me [1] Signed-off-by: Mike Marciniszyn (Meta) <mike.marciniszyn@gmail.com> Link: https://patch.msgid.link/20260307105847.1438-2-mike.marciniszyn@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b84c563 upstream. There is netdev_lock_ops() before the NETDEV_REGISTER notifier in register_netdevice(), so use the non-locking functions in net_failover_slave_register(). failover_slave_register() in failover_existing_slave_register() adds lock and unlock ops too. Call Trace: <TASK> __schedule+0x30d/0x7a0 schedule+0x27/0x90 schedule_preempt_disabled+0x15/0x30 __mutex_lock.constprop.0+0x538/0x9e0 __mutex_lock_slowpath+0x13/0x20 mutex_lock+0x3b/0x50 dev_set_mtu+0x40/0xe0 net_failover_slave_register+0x24/0x280 failover_slave_register+0x103/0x1b0 failover_event+0x15e/0x210 ? dropmon_net_event+0xac/0xe0 notifier_call_chain+0x5e/0xe0 raw_notifier_call_chain+0x16/0x30 call_netdevice_notifiers_info+0x52/0xa0 register_netdevice+0x5f4/0x7c0 register_netdev+0x1e/0x40 _mlx5e_probe+0xe2/0x370 [mlx5_core] mlx5e_probe+0x59/0x70 [mlx5_core] ? __pfx_mlx5e_probe+0x10/0x10 [mlx5_core] Fixes: 4c975fd ("net: hold instance lock during NETDEV_REGISTER/UP") Signed-off-by: Faicker Mo <faicker.mo@gmail.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 307dc42 upstream. veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield values 0-7. If it returns a value >= 5, this causes an out-of-bounds array access. Add a bounds check and return -EINVAL if the index is out of range. The problem values are reserved so should never be read from the register. Hence this is hardening against faulty device, misprogramming or bus corruption. Assisted-by: gkh_clanker_2000 Cc: stable <stable@kernel.org> Signed-off-by: Sam Daly <sam@samdaly.ie> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Reviewed-by: Javier Carrasco <javier.carrasco.cruz@gmail.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 95e8a48 upstream. ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield values 0-7. If it yields a value >= 7, this causes an out-of-bounds array access. Add a bounds check and return -EINVAL if the index is out of range. Note that the remaining value b111 is reserved so should not be seen in a correctly functioning system. Assisted-by: gkh_clanker_2000 Cc: stable <stable@kernel.org> Cc: Jonathan Cameron <jic23@kernel.org> Cc: David Lechner <dlechner@baylibre.com> Cc: "Nuno Sá" <nuno.sa@analog.com> Cc: Andy Shevchenko <andy@kernel.org> Signed-off-by: Sam Daly <sam@samdaly.ie> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jonathan Cameron <jic23@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d237230 upstream. The QAT driver exposes a character device (qat_adf_ctl) with IOCTLs for device configuration, start, stop, status query and enumeration. These IOCTLs are not part of any public uAPI header and have no known in-tree or out-of-tree users. Device lifecycle is already managed via sysfs. The ioctl interface also increases the attack surface and is the subject of a number of bug reports. Remove the character device, the IOCTL definitions, and the related data structures (adf_dev_status_info, adf_user_cfg_key_val, adf_user_cfg_section, adf_user_cfg_ctl_data). Drop the now-unused adf_cfg_user.h header and strip adf_ctl_drv.c down to the minimal module_init/module_exit hooks for workqueue, AER, and crypto/compression algorithm registration. Clean up leftover dead code that was only reachable from the removed IOCTL paths: adf_cfg_del_all(), adf_devmgr_verify_id(), adf_devmgr_get_num_dev(), adf_devmgr_get_dev_by_id(), adf_get_vf_real_id() and the unused ADF_CFG macros. Additionally, drop the entry associated to QAT IOCTLs in ioctl-number.rst. Cc: stable@vger.kernel.org Fixes: d8cba25 ("crypto: qat - Intel(R) QAT driver framework") Reported-by: Zhi Wang <wangzhi@stu.xidian.edu.cn> Reported-by: Bin Yu <byu@xidian.edu.cn> Reported-by: MingYu Wang <w15303746062@163.com> Closes: https://lore.kernel.org/all/61d6d499.ab89.19b9b7f3186.Coremail.wangzhi_xd@stu.xidian.edu.cn/ Link: https://lore.kernel.org/all/20260508034841.256794-1-w15303746062@163.com/ Link: https://lore.kernel.org/all/20260508023542.256299-1-w15303746062@163.com/ Link: https://lore.kernel.org/all/20260504025120.98242-1-w15303746062@163.com/ Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Reviewed-by: Ahsan Atta <ahsan.atta@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…_write commit a287620 upstream. A KASAN null-ptr-deref was observed in vcs_notifier(): BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130 Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {} The issue is a race condition in vcs_write(). When the console_lock is temporarily dropped (to copy data from userspace), the vc_data pointer obtained from vcs_vc() may become stale. After re-acquiring the lock, vcs_vc() is called again to re-validate the pointer. If the vc has been deallocated in the meantime, vcs_vc() returns NULL, and the while loop breaks (with written > 0). However, after the loop, vcs_scr_updated(vc) is still called with the now-NULL vc pointer, leading to a null pointer dereference in the notifier chain (vcs_notifier dereferences param->vc). Fix this by adding a NULL check for vc before calling vcs_scr_updated(). Fixes: 8fb9ea6 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF") Cc: stable@vger.kernel.org Signed-off-by: Yi Yang <yiyang13@huawei.com> Reviewed-by: Jiri Slaby <jirislaby@kernel.org> Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b93062b upstream. In qcom_geni_serial_handle_rx_dma(), geni_se_rx_dma_unprep() clears port->rx_dma_addr before SE_DMA_RX_LEN_IN is read. If the register is zero, for example when the RX stale counter fires on an idle line, the handler returns without calling geni_se_rx_dma_prep(). The next RX DMA interrupt then hits the !port->rx_dma_addr guard and returns immediately, so the RX DMA buffer is never rearmed and later input is lost. Keep the handler on the rearm path when rx_in is zero. Warn about the unexpected zero-length DMA completion, skip received-data handling, and always call geni_se_rx_dma_prep(). Fixes: 2aaa43c ("tty: serial: qcom-geni-serial: add support for serial engine DMA") Cc: stable@vger.kernel.org Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com> Link: https://patch.msgid.link/20260528-serial-rx-0-byte-fix-v2-1-b4195cfe342f@oss.qualcomm.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…tion commit a2b8d78 upstream. If __add_memory_block() fails at xa_store() (under memory pressure for example), device_unregister() is called, which eventually triggers memory_block_release() with mem->altmap still set, causing a WARN_ON(mem->altmap). This was triggered by modifying virtio-mem driver. Fix this by delaying the assignment of mem->altmap until after __add_memory_block() has succeeded. Link: https://lore.kernel.org/20260514092657.3057141-1-georgi.djakov@oss.qualcomm.com Fixes: 1a8c64e ("mm/memory_hotplug: embed vmem_altmap details in memory block") Signed-off-by: Georgi Djakov <georgi.djakov@oss.qualcomm.com> Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org> Cc: Vishal Verma <vishal.l.verma@intel.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Richard Cheng <icheng@nvidia.com> Cc: David Hildenbrand <david@kernel.org> Cc: Georgi Djakov <djakov@kernel.org> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: "Rafael J. Wysocki" <rafael@kernel.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 609ca17 upstream. smb2_check_user_session() takes a shortcut for any operation that is not the first in a COMPOUND request: it reuses work->sess (the session bound by the first operation) and validates only the SessionId, then returns "valid". It never re-checks work->sess->state == SMB2_SESSION_VALID, and a SessionId of 0xFFFFFFFFFFFFFFFF (ULLONG_MAX, the MS-SMB2 related-operation value) skips even the id comparison. The standalone path (ksmbd_session_lookup_all() plus the SESSION_SETUP state machine) does enforce the VALID state; the compound branch bypasses all of it. A SESSION_SETUP carrying only an NTLM Type-1 (NtLmNegotiate) blob publishes a fresh SMB2_SESSION_IN_PROGRESS session whose sess->user is still NULL (->user is assigned later, by ntlm_authenticate()). Used as operation 1 of a COMPOUND with operation 2 = TREE_CONNECT (related, SessionId=ULLONG_MAX, \\host\IPC$), the tree-connect then runs on that IN_PROGRESS session and reaches ksmbd_ipc_tree_connect_request(), which dereferences user_name(sess->user) with sess->user == NULL (transport_ipc.c:687/701/704) -> remote NULL-pointer dereference and a kernel Oops that wedges the ksmbd worker for all clients. Reject any non-first compound operation that lands on a session which is not SMB2_SESSION_VALID, mirroring the validity the standalone lookup path enforces. SESSION_SETUP itself legitimately runs on an IN_PROGRESS session, but it is never carried as a non-first compound operation, so multi-leg authentication is unaffected by this check. Fixes: 5005bcb ("ksmbd: validate session id and tree id in the compound request") Cc: stable@vger.kernel.org Signed-off-by: Gil Portnoy <dddhkts1@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
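The session check described in the ksmbd commit message above can be modelled in a few lines of user-space C, with the pre-fix shortcut beside the check that also requires a VALID session. This is an added example, not ksmbd code or code from this pull request; every type, constant and function name in it is a hypothetical model name, and the session id 0x1001 is a constructed value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model types only; names and layout are assumptions, not ksmbd's. */
enum sess_state { SESS_IN_PROGRESS, SESS_VALID, SESS_EXPIRED };

struct user { const char *name; };

struct session {
	uint64_t id;
	enum sess_state state;
	struct user *user; /* NULL until authentication has completed */
};

/* Per-request context: `sess` is the session bound by the first operation. */
struct work { struct session *sess; };

/* Related-operation SessionId named in the commit message. */
#define RELATED_SESSION_ID UINT64_MAX

enum { SESSION_OK = 1, SESSION_REJECTED = -1 };
enum { CONNECT_OK = 0, CONNECT_DENIED = -1, CONNECT_NULL_USER = -2 };

typedef int (*session_check_fn)(const struct work *, uint64_t);

/* Pre-fix shortcut for a non-first compound operation: id only, no state. */
static int check_non_first_op_before(const struct work *w, uint64_t hdr_id)
{
	if (!w->sess)
		return SESSION_REJECTED;
	if (hdr_id != RELATED_SESSION_ID && hdr_id != w->sess->id)
		return SESSION_REJECTED;
	return SESSION_OK; /* session state is never examined */
}

/* With the fix: the reused session must also be in the VALID state. */
static int check_non_first_op_after(const struct work *w, uint64_t hdr_id)
{
	if (!w->sess)
		return SESSION_REJECTED;
	if (hdr_id != RELATED_SESSION_ID && hdr_id != w->sess->id)
		return SESSION_REJECTED;
	if (w->sess->state != SESS_VALID)
		return SESSION_REJECTED;
	return SESSION_OK;
}

/*
 * Stand-in for a handler that needs sess->user. Where the kernel path
 * dereferenced the pointer, the model reports CONNECT_NULL_USER instead.
 */
static int tree_connect(const struct work *w, uint64_t hdr_id,
			session_check_fn check, const char **user_name)
{
	if (check(w, hdr_id) != SESSION_OK)
		return CONNECT_DENIED;
	if (!w->sess->user)
		return CONNECT_NULL_USER;
	*user_name = w->sess->user->name;
	return CONNECT_OK;
}

/* Build one constructed session and run the handler as a non-first operation. */
static int run_case(enum sess_state state, int authenticated,
		    uint64_t hdr_id, int patched)
{
	struct user u = { "alice" };
	struct session s = {
		.id = 0x1001,
		.state = state,
		.user = authenticated ? &u : NULL,
	};
	struct work w = { .sess = &s };
	const char *name = NULL;

	return tree_connect(&w, hdr_id,
			    patched ? check_non_first_op_after
				    : check_non_first_op_before,
			    &name);
}

int main(void)
{
	printf("IN_PROGRESS, unpatched: %d\n",
	       run_case(SESS_IN_PROGRESS, 0, RELATED_SESSION_ID, 0));
	printf("IN_PROGRESS, patched:   %d\n",
	       run_case(SESS_IN_PROGRESS, 0, RELATED_SESSION_ID, 1));
	printf("VALID, patched:         %d\n",
	       run_case(SESS_VALID, 1, RELATED_SESSION_ID, 1));
	return 0;
}
```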
commit 7d8bf3d upstream. syzbot reported a general protection fault in vidtv_psi_ts_psi_write_into [1]. vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does not check for this before dereferencing the returned pointer to access the continuity counter. This leads to a general protection fault when accessing a near-NULL address. The root cause is that vidtv_mux_pid_ctx_init() does not check the return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs. If the allocation fails, the PID context is never created, but init returns success. The subsequent vidtv_mux_push_si() call then gets NULL from vidtv_mux_get_pid_ctx() and crashes. Fix both the root cause (add error check in vidtv_mux_pid_ctx_init for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for all vidtv_mux_get_pid_ctx() calls. [1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [qualcomm-linux#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Workqueue: events vidtv_mux_tick RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197 Call Trace: <TASK> vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline] vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231 vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196 vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408 Fixes: f90cf60 ("media: vidtv: add a bridge driver") Cc: stable@vger.kernel.org Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86 Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 06b4135 upstream. iput() called from fuse_release_end() can Oops if the super block has already been destroyed. Normally this is prevented by waiting for num_waiting to go down to zero before commencing with super block shutdown. This only works, however, for the last submount instance, as the wait counter is per connection, not per superblock. Revert to using synchronous release requests for the auto_submounts case, which is virtiofs only at this time. Reported-by: Aurélien Bombo <abombo@microsoft.com> Reported-by: Zhihao Cheng <chengzhihao1@huawei.com> Cc: Greg Kurz <gkurz@redhat.com> Closes: kata-containers/kata-containers#12589 Fixes: 26e5c67 ("fuse: fix livelock in synchronous file put from fuseblk workers") Cc: stable@vger.kernel.org Reviewed-by: Greg Kurz <gkurz@redhat.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 35e2470 upstream. Commit ab04b53 ("mm: introduce copy-on-fork VMAs and make VM_MAYBE_GUARD one") aggregates flags checks in vma_needs_copy(), including VM_UFFD_WP. However in doing so, it incorrectly performed this check against src_vma. This check was done on the assumption that all relevant flags are copied upon fork. However the userfaultfd logic is very innovative in that it implements custom logic on fork in dup_userfaultfd(), including a rather well hidden case where lacking UFFD_FEATURE_EVENT_FORK causes VM_UFFD_WP to not be propagated to the destination VMA. And indeed, vma_needs_copy(), prior to this patch, did check this property on dst_vma, not src_vma. Since all the other relevant flags are copied on fork, we can simply fix this by checking against dst_vma. While we're here, we fix a comment against VM_COPY_ON_FORK (noting that it did indeed already reference dst_vma) to make it abundantly clear that we must check against the destination VMA. Link: https://lkml.kernel.org/r/20260114110006.1047071-1-lorenzo.stoakes@oracle.com Fixes: ab04b53 ("mm: introduce copy-on-fork VMAs and make VM_MAYBE_GUARD one") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Reported-by: Chris Mason <clm@meta.com> Closes: https://lore.kernel.org/all/20260113231257.3002271-1-clm@meta.com/ Acked-by: David Hildenbrand (Red Hat) <david@kernel.org> Acked-by: Pedro Falcato <pfalcato@suse.de> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20260625125645.554579168@linuxfoundation.org
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* refs/heads/0c503cf Linux 6.18.37 mm: do not copy page tables unnecessarily for VM_UFFD_WP virtiofs: fix UAF on submount umount media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si ksmbd: reject non-VALID session in compound request branch drivers/base/memory: set mem->altmap after successful device registration serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write crypto: qat - remove unused character device and IOCTLs iio: adc: ti-ads1298: add bounds check to pga_settings index iio: light: veml6075: add bounds check to veml6075_it_ms index net: net_failover: Fix the deadlock in slave register net: export netif_open for self_test usage testing/selftests/mm: add soft-dirty merge self-test mm: propagate VM_SOFTDIRTY on merge mm: set the VM_MAYBE_GUARD flag on guard region install mm: introduce copy-on-fork VMAs and make VM_MAYBE_GUARD one mm: implement sticky VMA flags mm: update vma_modify_flags() to handle residual flags, document mm: add atomic VMA flags and set VM_MAYBE_GUARD as such mm: introduce VM_MAYBE_GUARD and make visible in /proc/$pid/smaps sctp: disable BH before calling udp_tunnel_xmit_skb() firmware: samsung: acpm: Fix cross-thread RX length corruption Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs hv: utils: handle and propagate errors in kvp_register regulator: core: fix locking in regulator_resolve_supply() error path rose: don't free fd-owned sockets when reaping in the heartbeat rose: clear neighbour pointer in rose_kill_by_device() rose: cancel neighbour timers in rose_neigh_put() before freeing rose: drop CALL_REQUEST in loopback timer when device is not running rose: release netdev ref and destroy orphaned incoming sockets rose: fix netdev double-hold in rose_make_new() rose: disconnect orphaned STATE_2 sockets when device is gone rose: set SOCK_DESTROY in rose_kill_by_device() for prompt cleanup rose: fix notifier 
unregistered too early in rose_exit() rose: fix netdev double-hold in rose_rx_call_request() rose: guard rose_neigh_put() against NULL in timer expiry rose: clear neighbour pointer after rose_neigh_put() in state machines rose: fix race between loopback timer and module removal rose: hold loopback neighbour reference across timer callback rose: fix dev_put() leak in rose_loopback_timer() ACPI: scan: Use async schedule function in acpi_scan_clear_dep_fn() agp/amd64: Fix broken error propagation in agp_amd64_probe() net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink() i2c: stub: Reject I2C block transfers with invalid length RDMA/bnxt_re: zero shared page before exposing to userspace debugobjects: Dont call fill_pool() in early boot hardirq context debugobjects: Do not fill_pool() if pi_blocked_on debugobjects: Use LD_WAIT_CONFIG instead of LD_WAIT_SLEEP debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING Revert "NFSD: Defer sub-object cleanup in export put callbacks" fuse: re-lock request before replacing page cache folio net: stmmac: fix stm32 (and potentially others) resume regression io_uring/net: Avoid msghdr on op_connect/op_bind async data Linux 6.18.36 netfilter: require Ethernet MAC header before using eth_hdr() cfi: Include uaccess.h for get_kernel_nofault() vsock/virtio: fix skb overhead overflow on 32-bit builds block: fix handling of dead zone write plugs arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU arm64: errata: Mitigate TLBI errata on various Arm CPUs arm64: cputype: Add C1-Premium definitions arm64: cputype: Add C1-Ultra definitions vsock/virtio: fix skb overhead accounting to preserve full buf_alloc vsock/virtio: fix potential unbounded skb queue ipvs: skip ipv6 extension headers for csum checks RDMA/umem: Fix truncation for block sizes >= 4G RDMA: Move DMA block iterator logic into dedicated files RDMA/umem: fix kernel-doc warnings 
netfilter: nft_fib: fix stale stack leak via the OIFNAME register RDMA: During rereg_mr ensure that REREG_ACCESS is compatible RDMA/umem: Add helpers for umem dmabuf revoke lock RDMA/umem: Move umem dmabuf revoke logic into helper function RDMA/umem: Add ib_umem_dmabuf_get_pinned_and_lock helper sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task() wifi: mac80211: tests: mark HT check strict wifi: mac80211: skip ieee80211_verify_sta_ht_mcs_support check in non-strict mode driver core: reject devices with unregistered buses fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling drm/amd/display: Use krealloc_array() in dal_vector_reserve() drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval() drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs drm/amd/display: Clamp VBIOS HDMI retimer register count to array size drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size drm/amd/display: Bound VBIOS record-chain walk loops drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2 drm/amd/pm: fix smu13 power limit default/cap calculation drm/amdgpu: set noretry=1 as default for GFX 10.1.x (Navi10/12/14) drm/amdgpu: restart the CS if some parts of the VM are still invalidated drm/amdgpu: fix waiting for all submissions for userptrs drm/v3d: Skip CSD when it has zeroed workgroups drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups drm/v3d: Fix global performance monitor reference counting drm/v3d: Wait for pending L2T flush before cleaning caches drm/xe: Clear pending_disable before signaling suspend fence drm/xe/display: fix oops in suspend/shutdown without display drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11 drm/amdkfd: fix NULL dereference in get_queue_ids() drm/gem: Try to fix change_handle ioctl, attempt 4 
slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership slimbus: qcom-ngd-ctrl: Initialize controller resources in controller slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd slimbus: qcom-ngd-ctrl: Fix probe error path ordering slimbus: qcom-ngd-ctrl: Fix up platform_driver registration slimbus: qcom-ngd-ctrl: fix OF node refcount thunderbolt: Limit XDomain response copy to actual frame size thunderbolt: Validate XDomain request packet size before type cast thunderbolt: Clamp XDomain response data copy to allocation size thunderbolt: Bound root directory content to block size thunderbolt: Reject zero-length property entries in validator sctp: stream: fully roll back denied add-stream state sctp: diag: reject stale associations in dump_one path rxrpc: Fix the ACK parser to extract the SACK table for parsing rtase: Reset TX subqueue when clearing TX ring rtase: Avoid sleeping in get_stats64() pmdomain: ti_sci: add wakeup constraint to parent devices of wakeup source pmdomain: imx: fix OF node refcount mmc: sdhci: add signal voltage switch in sdhci_resume_host mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC mmc: litex_mmc: Set mandatory idle clocks before CMD0 mmc: dw_mmc-rockchip: Add missing private data for very old controllers mmc: core: Fix host controller programming for fixed driver type mm/mincore: handle non-swap entries before !CONFIG_SWAP guard mm/list_lru: drain before clearing xarray entry on reparent mm/hugetlb: restore reservation on error in hugetlb folio copy paths mm/hugetlb: avoid false positive lockdep assertion mm/damon/reclaim: handle ctx allocation failure mm/damon/lru_sort: handle ctx allocation failure mm/cma_debug: fix invalid accesses for inactive CMA areas mm/cma: fix reserved page leak on activation failure io_uring/wait: fix min_timeout behavior io_uring/kbuf: don't truncate end buffer for bundles 
pinctrl: mcp23s08: Read spi-present-mask as u8 not u32 octeontx2-af: fix memory leak in rvu_setup_hw_resources() nvmem: layouts: onie-tlv: fix hang on unknown types nvmem: core: fix use-after-free bugs in error paths net: sfp: initialize i2c_block_size at adapter configure time net: rds: clear i_sends on setup unwind net: phonet: free phonet_device after RCU grace period net: mv643xx: fix OF node refcount net: bonding: fix NULL pointer dereference in bond_do_ioctl() net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues() net/mlx5: Reorder completion before putting command entry in cmd_work_handler firmware: samsung: acpm: Fix mailbox channel leak on probe error misc: fastrpc: Fix NULL pointer dereference in rpmsg callback misc: fastrpc: fix DMA address corruption due to find_vma misuse misc: fastrpc: fix use-after-free race in fastrpc_map_create misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context memcg: use round-robin victim selection in refill_stock locking/rtmutex: Skip remove_waiter() when waiter is not enqueued ipc/shm: serialize orphan cleanup with shm_nattch updates iommu/dma: Do not try to iommu_map a 0 length region in swiotlb Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK) i2c: tegra: Fix NOIRQ suspend/resume i2c: stm32f7: fix timing computation ignoring i2c-analog-filter i2c: qcom-cci: Fix NULL pointer dereference in cci_remove() i2c: imx: fix clock and pinctrl state inconsistency in runtime PM i2c: imx-lpi2c: fix resource leaks switching to devm_dma_request_chan() futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios fuse: reject fuse_notify() pagecache ops on directories fs/qnx6: fix pointer arithmetic in directory iteration pidfd: refuse access to tasks that have started exiting harder inet: frags: fix use-after-free caused by the 
fqdir_pre_exit() flush IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh() bnxt_en: Fix NULL pointer dereference ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write staging: rtl8723bs: fix buffer over-read in rtw_update_protection timers/migration: Fix livelock in tmigr_handle_remote_up() vsock/vmci: fix sk_ack_backlog leak on failed handshake wifi: nl80211: reject oversized EMA RNR lists wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used xfs: fix rtgroup cleanup in CoW fork repair xfs: fix error returns in CoW fork repair mptcp: add-addr: always drop other suboptions selftests: mptcp: add test for extra_subflows underflow on userspace PM mptcp: sockopt: set sockopt on all subflows mptcp: sockopt: check timestamping ret value mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation mptcp: allow subflow rcv wnd to shrink mptcp: close TOCTOU race while computing rcv_wnd mptcp: fix retransmission loop when csum is enabled arm64: mm: call pagetable dtor when freeing hot-removed page tables ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O ARM: socfpga: Fix OF node refcount leak in SMP setup udp: clear skb->dev before running a sockmap verdict zram: fix use-after-free in zram_bvec_write_partial() RDMA/srp: bound SRP_RSP sense copy by the received length RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc RDMA/core: Validate the passed in fops for ib_get_ucaps() mm/huge_memory: update file PUD counter before folio_put() mm/damon/ops-common: call folio_test_lru() after folio_get() mm/huge_memory: update file PMD counter before folio_put() drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info() drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait() io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv 
retries ALSA: timer: Fix UAF at snd_timer_user_params() ALSA: timer: Forcibly close timer instances at closing USB: serial: kl5kusb105: fix bulk-out buffer overflow USB: serial: option: add usb-id for Dell Wireless DW5826e-m USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr() USB: serial: io_ti: fix heap overflow in get_manuf_info() xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state() xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags() xfrm: espintcp: do not reuse an in-progress partial send ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf drm/i915/gem: Fix phys BO pread/pwrite with offset KVM: arm64: Restore POR_EL0 access to host EL0 KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying mshv: add a missing padding field mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation rust: kasan/kbuild: fix rustc-option when cross-compiling rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES ARM: Do not select HAVE_RUST when KASAN is enabled rust: x86: support Rust >= 1.98.0 target spec tracing/probes: Point the error offset correctly for eprobe argument error tracing: Fix CFI violation in probestub being called by tprobes accel/ivpu: Fix signed integer truncation in IPC receive accel/ivpu: Add buffer overflow check in MS get_info_ioctl accel/ivpu: Add bounds checks for firmware log indices mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get() Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend tee: shm: fix shm leak in register_shm_helper() netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register netfilter: nft_tunnel: fix use-after-free on object destroy 
accel/amdxdna: Fix mm_struct reference leak in aie2_populate_range() drm/xe: fix refcount leak in xe_range_fence_insert() drm/vc4: fix krealloc() memory leak drm/virtio: Fix driver removal with disabled KMS drm/i915/edp: Check supported link rates DPCD read clk: qcom: dispcc-sc8280xp: Don't park mdp_clk_src at registration time clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked KVM: VMX: Update SVI during runtime APICv activation ipv6: Fix a potential NPD in cleanup_prefix_route() net: txgbe: initialize module info buffer net: txgbe: rename the SFP related net: txgbe: support CR modules for AML devices net: txgbe: optimize the flow to setup PHY for AML devices net: mvpp2: build skb from XDP-adjusted data on XDP_PASS net: mvpp2: refill RX buffers before XDP or skb use net: mvpp2: limit XDP frame size to the RX buffer net: mvpp2: sync RX data at the hardware packet offset netfilter: nft_exthdr: fix register tracking for F_PRESENT flag netfilter: nf_log: validate MAC header was set before dumping it netfilter: x_tables: avoid leaking percpu counter pointers netfilter: nf_conntrack: destroy stale expectfn expectations on unregister netfilter: revalidate bridge ports spi: rzv2h-rspi: Fix SPDR read access width for 16-bit RX rds: mark snapshot pages dirty in rds_info_getsockopt() ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() tun: zero the whole vnet header in tun_put_user() net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion net: guard timestamp cmsgs to real error queue skbs sctp: validate embedded INIT chunk and address list lengths in cookie ip6_vti: set netns_immutable on the fallback device. 
sctp: fix uninit-value in __sctp_rcv_asconf_lookup() ASoC: SOF: amd: fix for ipc flags check net: mctp: usb: don't fail mctp_usb_rx_queue on a deferred submission net: mctp: usb: fix race between urb completion and rx_retry cancellation gpio: rockchip: fix generic IRQ chip leak on remove gpio: zynq: fix runtime PM leak on remove r8152: handle the return value of usb_reset_device() net: openvswitch: fix possible kfree_skb of ERR_PTR ipv6: sit: reload inner IPv6 header after GSO offloads net/mlx5: Use effective affinity mask for IRQ selection net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove net: phy: clean the sfp upstream if phy probing fails netdev: fix double-free in netdev_nl_bind_rx_doit() net: ibm: emac: Fix use-after-free during device removal net/mlx4: avoid GCC 10 __bad_copy_from() false positive net: add pskb_may_pull() to skb_gro_receive_list() tcp: restrict SO_ATTACH_FILTER to priv users ASoC: wm_adsp: Fix NULL dereference when removing firmware controls gpio: mvebu: fix NULL pointer dereference in suspend/resume netlabel: validate unlabeled address and mask attribute lengths bnge: fix context mem iteration net: ena: PHC: Add missing barrier idpf: fix mailbox capability for set device clock time ice: fix missing priority callbacks for U.FL DPLL pins xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx() dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device dma-mapping: direct: fix missing mapping for THRU_HOST_BRIDGE segments xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload tap: free page on error paths in tap_get_user_xdp() verification/rvgen: Fix ltl2k writing True as a literal verification/rvgen: Fix options shared among commands tools/rv: Fix cleanup after failed trace setup tools/rv: Fix substring match when listing container monitors 
tools/rv: Fix substring match bug in monitor name search tools/rv: Ensure monitor name and desc are NUL-terminated cpufreq/amd-pstate: drop stale @epp_cached kdoc spi: cadence-quadspi: fix unclocked access on unbind ALSA: seq: dummy: fix UMP event stack overread ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams time: Fix off-by-one in settimeofday() usec validation hyperv: Clean up and fix the guest ID comment in hvgdk.h signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads() selftests: harness: fix pidfd leak in __wait_for_test drm/hyperv: During panic do VMBus unload after frame buffer is flushed Drivers: hv: vmbus: Provide option to skip VMBus unload on panic Drivers: hv: VMBus protocol version 6.0 sctp: purge outqueue on stale COOKIE-ECHO handling net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit() vxlan: vnifilter: fix spurious notification on VNI update vxlan: vnifilter: send notification on VNI add octeontx2-af: npc: Fix CPT channel mask in npc_install_flow sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing net/sched: fix pedit partial COW leading to page cache corruption net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown net: airoha: Fix use-after-free in metadata dst teardown ptp: vclock: Switch from RCU to SRCU ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options af_unix: Fix inq_len update problem in partial read octeontx2-af: Fix initialization of mcam's entry2target_pffunc field octeontx2-pf: Fix NDC sync operation errors xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata() Bluetooth: MGMT: Fix backward compatibility with userspace Bluetooth: SCO: Fix data-race on sco_pi fields in sco_connect Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync Bluetooth: fix memory leak in error path of 
hci_alloc_dev() Bluetooth: bnep: reject short frames before parsing Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling Bluetooth: RFCOMM: validate skb length in MCC handlers Bluetooth: MGMT: validate advertising TLV before type checks Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind() wifi: fix leak if split 6 GHz scanning fails ipv6: anycast: insert aca into global hash under idev->lock net: fec: fix pinctrl default state restore order on resume net: lan743x: permit VLAN-tagged packets up to configured MTU net: garp: fix unsigned integer underflow in garp_pdu_parse_attr hsr: Remove WARN_ONCE() in hsr_addr_is_self(). net: Annotate sk->sk_write_space() for UDP SOCKMAP. pcnet32: stop holding device spin lock during napi_complete_done wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap drm/imx: Fix three kernel-doc warnings in dcss-scaler.c devlink: Release nested relation on devlink free l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl() 6lowpan: fix off-by-one in multicast context address compression net/sched: act_api: use RCU with deferred freeing for action lifecycle dm cache policy smq: check allocation under invalidate lock netfilter: bridge: make ebt_snat ARP rewrite writable netfilter: nft_ct: bail out on template ct in get eval netfilter: conntrack_irc: fix possible out-of-bounds read netfilter: synproxy: add mutex to guard hook reference counting ipvs: clear the svc scheduler ptr early on edit netfilter: xt_NFQUEUE: prefer raw_smp_processor_id ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers wifi: iwlwifi: mvm: don't support the reset handshake for old firmwares erofs: fix use-after-free on sbi->sync_decompress erofs: tidy up synchronous decompression tee: qcomtee: add missing va_end in early return qcomtee_object_user_init() tee: fix tee_ioctl_object_invoke_arg padding soc: qcom: ice: Return -ENODEV if the ICE platform device is not found ARM: dts: 
microchip: sam9x7: fix GMAC clock configuration arm64: dts: qcom: x1-dell-thena: remove i2c20 (battery SMBus) and reserve its pins soc: qcom: ice: Allow explicit votes on 'iface' clock for ICE tee: optee: prevent use-after-free when the client exits before the supplicant net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS ipv6: mcast: Fix use-after-free when processing MLD queries i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation ARM: fix branch predictor hardening ARM: fix hash_name() fault ARM: allow __do_kernel_fault() to report execution of memory faults ARM: group is_permission_fault() with is_translation_fault() bpf: Free reuseport cBPF prog after RCU grace period. Linux 6.18.35 KVM: arm64: Reassign nested_mmus array behind mmu_lock KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry tools: ynl: add scope qualifier for definitions usb: core: Fix SuperSpeed root hub wMaxPacketSize thunderbolt: property: Cap recursion depth in __tb_property_parse_dir() drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable mailbox: Fix NULL message support in mbox_send_message() xhci: tegra: Fix ghost USB device on dual-role port unplug net: phy: micrel: fix LAN8814 QSGMII soft reset mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache() hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock hwmon: (pmbus) Add support for guarded PMBus lock USB: serial: mct_u232: fix memory corruption with small endpoint USB: serial: digi_acceleport: fix memory corruption with small endpoints USB: serial: cypress_m8: fix memory corruption with small endpoint usb: dwc3: xilinx: fix error handling in zynqmp init error paths xfrm: iptfs: reset runtime state when cloning SAs cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E 
cpufreq: intel_pstate: Add and use hybrid_get_cpu_type() mptcp: reset rcv wnd on disconnect mptcp: cleanup fallback dummy mapping generation octeontx2-pf: avoid double free of pool->stack on AQ init failure arm64: tlb: Flush walk cache when unsharing PMD tables mptcp: do not drop partial packets mptcp: borrow forward memory from subflow mptcp: handle first subflow closing consistently net: devmem: reject dma-buf bind with non-page-aligned size or SG length selftests: mptcp: drop nanoseconds width specifier Bluetooth: hci_qca: Convert timeout from jiffies to ms Bluetooth: hci_qca: Migrate to serdev specific shutdown function serdev: Provide a bustype shutdown function rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg x86/mm: Disable broadcast TLB flush when PCID is disabled platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery platform/x86/intel/vsec: Make driver_data info const platform/x86/intel/vsec: Refactor base_addr handling serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq() serial: 8250: dispatch SysRq character in serial8250_handle_irq() serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave) serial: zs: Convert to use a platform device serial: zs: Switch to using channel reset serial: zs: Fix bootconsole handover lockup serial: dz: Convert to use a platform device serial: dz: Fix bootconsole handover lockup serial: dz: Fix bootconsole message clobbering at chip reset drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO drm/amdkfd: Check for pdd drm file first in CRIU restore path drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger drm/amdkfd: fix NULL pointer bug in svm_range_set_attr serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma serial: zs: 
Fix swapped RI/DSR modem line transition counting serial: sh-sci: fix memory region release in error path serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ serial: qcom-geni: fix UART_RX_PAR_EN bit position serial: altera_jtaguart: handle uart_add_one_port() failures drm/amd/pm/si: Disregard vblank time when no displays are connected drm/i915: Fix potential UAF in TTM object purge drm/i915/psr: Block DC states on vblank enable when Panel Replay supported drm/gem: fix race between change_handle and handle_delete drm/hyperv: validate VMBus packet size in receive callback drm/hyperv: validate resolution_count and fix WIN8 fallback scsi: target: iscsi: Validate CHAP_R length before base64 decode scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd() scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32 scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow thunderbolt: property: Reject u32 wrap in tb_property_entry_valid() usb: gadget: f_fs: serialize DMABUF cancel against request completion usb: gadget: f_fs: copy only received bytes on short ep0 read usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling usb: gadget: f_hid: fix device reference leak in hidg_alloc() usb: gadget: net2280: Fix double free in probe error path usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind USB: serial: mct_u232: fix missing interrupt-in transfer sanity check USB: serial: mxuport: fix memory corruption with small endpoint USB: serial: keyspan: fix missing indat transfer sanity check USB: serial: cypress_m8: validate interrupt packet headers USB: serial: belkin_sa: validate interrupt status length USB: serial: option: add missing RSVD(5) flag for Rolling 
RW135R-GL USB: serial: option: add MeiG SRM813Q usb: typec: ucsi: Don't update power_supply on power role change if not connected usb: typec: ucsi: Check if power role change actually happened before handling usb: typec: tcpm: improve handling of DISCOVER_MODES failures usb: typec: tipd: Fix error code in tps6598x_probe() usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize usb: usbtmc: check URB actual_length for interrupt-IN notifications usbip: vudc: Fix use after free bug in vudc_remove due to race condition usb: storage: Add quirks for PNY Elite Portable SSD USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers usb: musb: omap2430: Fix use-after-free in omap2430_probe() usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval usb: chipidea: core: convert ci_role_switch to local variable tty: serial: samsung: Remove redundant port lock acquisition in rx helpers tty: serial: pch_uart: add check for dma_alloc_coherent() counter: Fix refcount leak in counter_alloc() error path comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest() comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest() Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490 Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem misc: rp1: Send IACK on IRQ activate to fix kdump/kexec ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops Input: xpad - add support for ASUS ROG RAIKIRI II Input: xpad - add "Nova 2 Lite" from GameSir ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP xfrm: esp: restore combined single-frag length gate ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks ASoC: qcom: q6asm-dai: close stream only when running netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check ALSA: firewire-motu: Protect register DSP event queue positions ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on 
firmware 2417 xfrm: ah: use skb_to_full_sk in async output callbacks xfrm: ipcomp: Free destination pages on acomp errors xfrm: route MIGRATE notifications to caller's netns nfc: hci: fix out-of-bounds read in HCP header parsing iommu, debugobjects: avoid gcc-16.1 section mismatch warnings HID: wacom: Fix OOB write in wacom_hid_set_device_mode() spi: spi-mem: avoid mutating op template in spi_mem_supports_op() net: skbuff: fix missing zerocopy reference in pskb_carve helpers ip6: vti: Use ip6_tnl.net in vti6_changelink(). l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname xfrm: input: hold netns during deferred transport reinjection ipv6: validate extension header length before copying to cmsg ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate(). ipv6: exthdrs: refresh nh after handling HAO option ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo() macsec: fix replay protection at XPN lower-PN wrap bpf: sockmap: fix tail fragment offset in bpf_msg_push_data wireguard: send: append trailer after expanding head x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines i2c: davinci: fix division by zero on missing clock-frequency Input: elan_i2c - validate firmware size before use usb: dwc2: Fix use after free in debug code usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure usb: cdns3: gadget: fix request skipping after clearing halt USB: serial: omninet: fix memory corruption with small endpoint iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf() iio: buffer: hw-consumer: fix use-after-free in error path iio: light: cm3323: fix reg_conf not being initialized correctly iio: chemical: scd30: fix division by zero in write_raw iio: chemical: mhz19b: reject oversized serial replies iio: Fix 
iio_multiply_value use in iio_read_channel_processed_scale iio: light: veml6070: Fix resource leak in probe error path iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL iio: temperature: tsys01: fix broken PROM checksum validation iio: ssp_sensors: cancel delayed work_refresh on remove iio: gyro: adis16260: fix division by zero in write_raw iio: gyro: itg3200: fix i2c read into the wrong stack location iio: adc: ad4695: Fix call ordering in offload buffer postenable iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw iio: adc: mt6359: fix unchecked return value in mt6358_read_imp iio: dac: ad5686: fix powerdown control on dual-channel devices iio: dac: ad5686: acquire lock when doing powerdown control iio: dac: ad5686: fix input raw value check iio: dac: ad5686: fix ref bit initialization for single-channel parts iio: dac: max5821: fix return value check in powerdown sync iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings iio: adc: npcm: fix unbalanced clk_disable_unprepare() iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux Disable -Wattribute-alias for clang-23 and newer KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc() KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer KVM: SEV: Check PSC request indices against the actual size of the buffer KVM: SEV: Compute the correct max length of the in-GHCB scratch area KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests KVM: SEV: Ignore Port I/O requests of length '0' KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC KVM: arm64: PMU: Preserve AArch32 counter low bits USB: cdc-acm: Fix bit overlap and move quirk definitions to header rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN rust_binder: Avoid holding lock when dropping 
delivered_death parport: Fix race between port and client registration Input: xpad - fix out-of-bounds access for Share button Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate() Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock Bluetooth: ISO: fix UAF in iso_recv_frame Bluetooth: HIDP: fix missing length checks in hidp_input_report() Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen() smb: client: fix uninitialized variable in smb2_writev_callback auxdisplay: line-display: fix OOB read on zero-length message_store() mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one memfd: deny writeable mappings when implying SEAL_WRITE mm: memcontrol: propagate NMI slab stats to memcg vmstats ipc: limit next_id allocation to the valid ID range mm/damon/sysfs-schemes: delete tried region in regions_rmdirs() hpfs: fix a crash if hpfs_map_dnode_bitmap fails Bluetooth: btusb: Allow firmware re-download when version matches HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free() media: rc: igorplugusb: fix control request setup packet USB: serial: safe_serial: fix memory corruption with small endpoint usb: typec: ucsi: validate connector number in ucsi_connector_change() usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer() usb: typec: altmodes/displayport: validate count before reading Status Update VDO usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes() usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers usb: typec: ucsi: ccg: reject firmware 
images without a ':' record header iio: pressure: bmp280: fix stack leak in bmp580 trigger handler iio: imu: adis16550: fix stack leak in trigger handler iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used drm/i915/psr: Read Intel DPCD workaround register drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register s390/cio: Restore GFP_DMA for CHSC allocation Revert "x86/fpu: Refine and simplify the magic number check during signal return" smb: client: validate the whole DACL before rewriting it in cifsacl media: rc: ttusbir: fix inverted error logic media: rc: fix race between unregister and urb/irq callbacks net: skbuff: fix pskb_carve leaking zcopy pages ipv6: fix possible infinite loop in fib6_select_path() ipv6: fix possible infinite loop in rt6_fill_node() vsock/virtio: bind uarg before filling zerocopy skb sctp: fix race between sctp_wait_for_connect and peeloff net: mana: Skip redundant detach on already-detached port net: mana: Add NULL guards in teardown path to prevent panic on attach failure gpio: rockchip: teardown bugs and resource leaks gpio: rockchip: convert bank->clk to devm_clk_get_enabled() gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write() gpio: adnp: fix flow control regression caused by scoped_guard() Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync() Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success net/handshake: Pass negative errno through handshake_complete() nvme-tcp: store negative errno in queue->tls_err net/handshake: Use spin_lock_bh for hn_lock net: hibmcge: disable Relaxed Ordering to fix RX packet corruption net/sched: Revert "net/sched: Restrict conditions for adding duplicating 
netems to qdisc tree" ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress() ethtool: eeprom: add more safeties to EEPROM Netlink fallback ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback ethtool: strset: fix header attribute index in ethnl_req_get_phydev() ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure ethtool: tsinfo: fix uninitialized stats on the by-PHC path ethtool: tsconfig: fix missing ethnl_ops_complete() ethtool: pse-pd: fix missing ethnl_ops_complete() ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error ethtool: tsconfig: fix reply error handling ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES bridge: Fix sleep in atomic context in sysfs path bridge: Fix sleep in atomic context in netlink path bonding: refuse to enslave CAN devices Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt() drm/xe: Restore IDLEDLY regiter on engine reset ASoC: codecs: simple-mux: Fix enum control bounds check ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE tunnels: do not assume transport header in iptunnel_pmtud_check_icmp() vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu() tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]() cxl/test: Update mock dev array before calling platform_device_add() ethtool: cmis: validate fw->size against start_cmd_payload_size ethtool: cmis: validate start_cmd_payload_size from module ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl ethtool: cmis: require exact CDB reply length ethtool: module: fix cleanup if socket used for flashing multiple devices ethtool: module: check fw_flash_in_progress under rtnl_lock ethtool: module: avoid racy updates to dev->ethtool bitfield ethtool: module: avoid leaking a netdev ref on module flash errors ethtool: module: call ethnl_ops_complete() on module flash errors ethtool: rss: avoid device context 
leak on reply-build failure ethtool: rss: fix hkey leak when indir_size is 0 ethtool: rss: fix indir_table and hkey leak on get_rxfh failure ethtool: rss: fix falsely ignoring indir table updates ethtool: rss: add missing errno on RSS context delete ethtool: rss: avoid modifying the RSS context response net: Avoid checksumming unreadable skb tail on trim net: team: fix NULL pointer dereference in team_xmit during mode change net: team: Rename port_disabled team mode op to port_tx_disabled net: team: Remove unused team_mode_op, port_enabled gpio: mxc: fix irq_high handling net: hsr: fix potential OOB access in supervision frame handling net/mlx5: HWS: Reject unsupported remove-header action ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors ALSA: pcm: oss: Fix setup list UAF on proc write error ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues net/iucv: fix locking in .getsockopt net/smc: Do not re-initialize smc hashtables net: netlink: don't set nsid on local notifications net: netlink: fix sending unassigned nsid after assigned one vsock: keep poll shutdown state consistent tun: free page on build_skb failure in tun_xdp_one() tun: free page on short-frame rejection in tun_xdp_one() netfilter: nf_tables: fix dst corruption in same register operation netfilter: ebtables: fix OOB read in compat_mtw_from_user netfilter: xt_cpu: prefer raw_smp_processor_id netfilter: synproxy: refresh tcphdr after skb_ensure_writable accel/rocket: fix UAF via dangling GEM handle in create_bo kunit: fix use-after-free in debugfs when using kunit.filter HID: remove duplicate hid_warn_ratelimited definition tools/bootconfig: Fix buf leaks in apply_xbc nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems xfrm: Check for underflow in xfrm_state_mtu nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc() nfc: llcp: Fix use-after-free in llcp_sock_release() bcache: fix 
uninitialized closure object net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit net: mctp: ensure our nlmsg responses are initialised net/sched: cls_fw: fix NULL dereference of "old" filters before change() Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size Linux 6.18.34 security/keys: fix missed RCU read section on lookup drm/msm: Restore second parameter name in purge() and evict() LoongArch: kprobes: Fix handling of fatal unrecoverable recursions ksmbd: fix durable reconnect error path file lifetime io_uring/nop: pass all errors to userspace net: gro: don't merge zcopy skbs pds_core: ensure null-termination for firmware version strings net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR net: mana: validate rx_req_idx to prevent out-of-bounds array access octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs selftests: net: Fix checksums in xdp_native drm/xe/oa: Fix exec_queue leak on width check in stream open ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove() gpio: aggregator: lock device when calling device_is_bound() gpio: aggregator: remove the software node when deactivating the aggregator gpio: aggregator: stop using dev-sync-probe gpio: aggregator: fix a potential use-after-free gpio: cdev: check if uAPI v2 config attributes are correctly zeroed tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction bpf, skmsg: fix verdict sk_data_ready racing with ktls rx net: ag71xx: check error for platform_get_irq crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks net: shaper: rework the VALID marking (again) net: shaper: annotate the data races net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA Bluetooth: btmtk: fix urb->setup_packet leak in error paths Bluetooth: btintel_pcie: Fix incorrect MAC access programming 
tracing: Avoid NULL return from hist_field_name() on truncation cgroup: rstat: relax NMI guard after switch to try_cmpxchg ALSA: seq: Serialize UMP output teardown with event_input wifi: wilc1000: fix dma_buffer leak on bus acquire failure wifi: mac80211: fix MLE defragmentation wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs erofs: fix managed cache race for unaligned extents pds_core: fix debugfs_lookup dentry leak and error handling pds_core: fix error handling in pdsc_devcmd_wait net: airoha: Fix NPU RX DMA descriptor bits net: phy: honor eee_disabled_modes in phy_advertise_eee_all() net: phy: honor eee_disabled_modes in phy_support_eee() bridge: mcast: Fix a possible use-after-free when removing a bridge port net: bridge: Flush multicast groups when snooping is disabled RDMA/rtrs: Fix use-after-free in path file creation cleanup RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port ASoC: soc-utils: Add missing va_end in snd_soc_ret() platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL platform/x86: intel-hid: Check ACPI_HANDLE() against NULL platform/x86: hp_accel: Check ACPI_COMPANION() against NULL platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7 net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer net: dsa: mt7530: preserve VLAN tags on trapped link-local frames net: dsa: mt7530: fix FDB entries not aging out with short timeout kbuild: pacman-pkg: make "rc" releases adhere to pacman versioning scheme drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP igc: set tx buffer type for SMD frames ice: ptp: use primary NAC semaphore on E825 ice: ptp: serialize E825 PHY timer start with PTP lock cgroup/rstat: validate cpu before css_rstat_cpu() access drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable drm/mediatek: mtk_cec: Fix non-static global variable wifi: ath11k: fix peer resolution on rx path when peer_id=0 drm/xe/pf: Fix 
CFI failure in debugfs access drm/xe/vf: Fix signature of print functions drm/xe/gsc: Fix double-free of managed BO in error path dma-mapping: move dma_map_resource() sanity check into debug code wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is disabled hwmon: (lm90) Add lock protection to lm90_alert hwmon: (lm90) Stop work before releasing hwmon device drm/msm/snapshot: fix dumping of the unaligned regions ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5 netfilter: nft_inner: release local_lock before re-enabling softirqs spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache() ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging btrfs: fix squota accounting during enable generation btrfs: check for subvolume before deleting squota qgroup btrfs: relax squota parent qgroup deletion rule btrfs: check squota parent usage on membership change btrfs: remaining BTRFS_PATH_AUTO_FREE conversions btrfs: don't search back for dir inode item in INO_LOOKUP_USER btrfs: use the key format macros when printing keys btrfs: add macros to facilitate printing of keys vsock/virtio: fix zerocopy completion for multi-skb sends io_uring/net: punt IORING_OP_BIND async if it needs file create ALSA: scarlett2: Add missing error check when initialise Autogain Status ASoC: codecs: fs210x: fix possible buffer overflow scsi: sd: Fix return code handling in sd_spinup_disk() net/mlx5: Do not restore destination-less TC rules tls: Preserve sk_err across recvmsg() when data has been copied ovpn: disable BHs when updating device stats x86/xen: Fix xen_e820_swap_entry_with_ram() gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE ovpn: fix race between deleting interface and adding new peer ovpn: respect peer refcount in CMD_NEW_PEER error path ovpn: tcp - use cached peer pointer in ovpn_tcp_close() net: phy: DP83TC811: add reading of abilities net: tls: prevent 
chain-after-chain in plain text SG net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise() drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx Documentation: intel_pstate: Fix description of asymmetric packing with SMT x86/mce: Restore MCA polling interval halving selftests: ublk: cap nthreads to kernel's actual nr_hw_queues drm/msm/dpu: don't mix devm and drmm functions drm/msm/dsi: don't dump registers past the mapped region ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint accel/qaic: Add overflow check to remap_pfn_range during mmap block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user() HID: quirks: really enable the intended work around for appledisplay block: recompute nr_integrity_segments in blk_insert_cloned_request block: don't overwrite bip_vcnt in bio_integrity_copy_user() net: shaper: reject QUEUE scope handle with missing id net: shaper: enforce singleton NETDEV scope with id 0 net: shaper: fix undersized reply skb allocation in GROUP command net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit net: shaper: reject duplicate leaves in GROUP request net: shaper: fix trivial ordering issue in net_shaper_commit() net: shaper: flip the polarity of the valid flag wifi: ath10k: skip WMI and beacon transmission when device is wedged wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm() wifi: ath11k: fix error path leaks in some WMI WOW calls net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference net: ethernet: cortina: Carry over frag counter net: ethernet: cortina: Drop half-assembled SKB net: ethernet: cortina: Make RX SKB per-port netfs, afs: Fix write skipping in dir/link writepages 
netfs: Fix netfs_read_folio() to wait on writeback netfs: Fix folio->private handling in netfs_perform_write() netfs: Fix partial invalidation of streaming-write folio netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages() netfs: Fix leak of request in netfs_write_begin() error handling netfs: Fix early put of sink folio in netfs_read_gaps() netfs: Fix write streaming disablement if fd open O_RDWR netfs: Fix read-gaps to remove netfs_folio from filled folio netfs: Fix potential deadlock in write-through mode netfs: Fix streaming write being overwritten netfs: Defer the emission of trace_netfs_folio() netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone netfs: Fix overrun check in netfs_extract_user_iter() netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call netfs: Fix netfs_read_to_pagecache() to pause on subreq failure netfs: Fix cancellation of a DIO and single read subrequests powerpc: fix dead default for GUEST_STATE_BUFFER_TEST powerpc: 82xx: fix uninitialized pointers with free attribute ASoC: SOF: amd: Fix error code handling in psp_send_cmd() tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key(). 
zonefs: handle integer overflow in zonefs_fname_to_fno nvme-pci: fix use-after-free in nvme_free_host_mem() nvme: fix bio leak on mapping failure irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT nsfs: fix wrong error code returned for pidns ioctls ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation irqchip/ath79-cpu: Remove unused function fs: Fix return in jfs_mkdir and orangefs_mkdir fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap fprobe: Fix unregister_fprobe() to wait for RCU grace period ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC NFSD: Fix infinite loop in layout state revocation phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access net: ti: icssm-prueth: fix eth_ports_node leak in probe net: lan966x: avoid unregistering netdev on register failure ice: fix locking in ice_dcb_rebuild() ice: fix setting RSS VSI hash for E830 idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init() net: shaper: Reject reparenting of existing nodes net: napi: Avoid gro timer misfiring at end of busypoll tcp: Fix imbalanced icsk_accept_queue count. 
test_kprobes: clear kprobes between test runs kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist() netfilter: bridge: eb_tables: close module init race netfilter: x_tables: close dangling table module init race netfilter: ebtables: close dangling table module init race netfilter: ebtables: move to two-stage removal scheme netfilter: x_tables: add and use xtables_unregister_table_exit netfilter: x_tables: add and use xt_unregister_table_pre_exit netfilter: x_tables: unregister the templates first btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file() ALSA: hda: cs35l41: Put ACPI device on missing physical node ALSA: hda: cs35l56: Put ACPI device after setting companion ARM: integrator: Fix early initialization firmware: arm_ffa: Fix sched-recv callback partition lookup firmware: arm_ffa: Snapshot notifier callbacks under lock firmware: arm_ffa: Align RxTx buffer size before mapping firmware: arm_ffa: Validate framework notification message layout firmware: arm_ffa: Keep framework RX release under lock firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150 kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS kunit: config: Enable KUNIT_DEBUGFS by default riscv: mm: Fixup no5lvl failure when vaddr is invalid riscv: errata: Fix bitwise vs logical AND in MIPS errata patching firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0 firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue firmware: arm_ffa: Skip free_pages on RX buffer alloc failure firmware: arm_ffa: Check for NULL FF-A ID table while driver registration HID: uclogic: Fix regression of input name assignment HID: intel-thc-hid: Intel-quickspi: Fix some error codes pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615 pinctrl: meson: amlogic-a4: fix deadlock issue pinctrl: renesas: rzg2l: Fix SMT register cache handling pinctrl: renesas: rzg2l: Fix incorrect PUPD register 
offset for high pins during suspend/resume ARM: dts: renesas: rskrza1: Drop superfluous cells ARM: dts: renesas: genmai: Drop superfluous cells pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe() hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe() hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer hwmon: (pmbus/adm1266) reject implausible blackbox record_count hwmon: (pmbus/adm1266) seed timestamp from the real-time clock batman-adv: tt: prevent TVLV entry number overflow batman-adv: tt: fix negative tt_buff_len batman-adv: tt: fix negative last_changeset_len batman-adv: tt: avoid empty VLAN responses batman-adv: tt: reject oversized local TVLV buffers batman-adv: tt: fix TOCTOU race for reported vlans batman-adv: tp_meter: avoid role confusion in tp_list batman-adv: tp_meter: fix race condition in send error reporting batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown batman-adv: tp_meter: directly shut down timer on cleanup batman-adv: tp_meter: avoid use of uninit sender vars batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface batman-adv: bla: avoid double decrement of bla.num_requests batman-adv: bla: fix report_work leak on backbone_gw purge batman-adv: frag: disallow unicast fragment in fragment batman-adv: fix tp_meter counter underflow during shutdown batman-adv: fix fragment reassembly length accounting batman-adv: dat: handle forward allocation error batman-adv: clear current gateway during teardown batman-adv: mcast: fix use-after-free in orig_node RCU release batman-adv: iv: recover OGM scheduling 
after forward packet error batman-adv: tvlv: reject oversized TVLV packets batman-adv: tvlv: abort OGM send on tvlv append failure batman-adv: v: stop OGMv2 on disabled interface drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async drm/amd/display: Validate GPIO pin LUT table size before iterating drm/amd/display: Fix integer overflow in bios_get_image() drm/bridge: megachips: remove bridge when irq request fails drm/bridge: it66121: acquire reset GPIO in probe drm/amdgpu/vpe: Force collaborate sync after TRAP drm/virtio: use uninterruptible resv lock for plane updates drm/v3d: Release indirect CSD GEM reference on CPU job free drm/v3d: Fix use-after-free of CPU job query arrays on error path drm/msm: Fix shrinker deadlock device property: set fwnode->secondary to NULL in fwnode_init() LoongArch: Remove unused code to avoid build warning LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions fwctl: pds: Validate RPC input size before parsing RDMA/siw: Reject MPA FPDU length underflow before signed receive math spi: ti-qspi: fix use-after-free after DMA setup failure spi: sprd: fix error pointer deref after DMA setup failure spi: ep93xx: fix error pointer deref after DMA setup failure scsi: isci: Fix use-after-free in device removal path phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4 fix phy: tegra: xusb: Fix per-pad high-speed termination calibration phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870 spi: qup: fix error pointer deref after DMA setup failure drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe virt: sev-guest: Explicitly leak pages in unknown state riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235) KVM: arm64: vgic: Free private_irqs when init fails after allocation KVM: arm64: 
vgic-its: Reject restored DTE with out-of-range num_eventid_bits arm64: probes: Handle probes on hinted conditional branch instructions tracing: Do not call map->ops->elt_free() if elt_alloc() fails cifs: Fix busy dentry used after unmounting wifi: mac80211: consume only present negotiated TTLM maps af_unix: Fix UAF read of tail->len in unix_stream_data_wait() wifi: cfg80211: advance loop vars in cfg80211_merge_profile() ice: restore PTP Rx timestamp config after ethtool set-channels ice: fix setting promisc mode while adding VID filter ice: fix locking around wait_event_interruptible_locked_irq igc: fix potential skb leak in igc_fpe_xmit_smd_frame() octeontx2-pf: fix double free in rvu_rep_rsrc_init() octeontx2-af: CGX: add bounds check to cgx_speed_mbps index lsm: hold cred_guard_mutex for lsm_set_self_attr() rbd: eliminate a race in lock_dwork draining on unmap ixgbevf: fix use-after-free in VEPA multicast source pruning ipv4: raw: reject IP_HDRINCL packets with ihl < 5 wifi: iwlwifi: mld: stop TX during firmware restart wifi: iwlwifi: mvm: fix driver-set TX rates on old devices wifi: ath11k: clear shared SRNG pointer state on restart ice: fix VF queue configuration with low MTU values vsock/virtio: reset connection on receiving queue overflow vsock/vmci: fix UAF when peer resets connection during handshake mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient ipv6: ioam: add NULL check for idev in ipv6_hop_ioam() ring-buffer: Flush and stop persistent ring buffer on panic ring-buffer: Fix reporting of missed events in iterator qed: fix double free in qed_cxt_tables_alloc() l2tp: use list_del_rcu in l2tp_session_unhash fs/ntfs3: handle attr_set_size() errors when truncating files net: ethtool: phy: avoid NULL deref when PHY driver is unbound net: ethtool: fix NULL pointer dereference in phy_reply_size cgroup/cpuset: Reset DL migration state on can_attach() failure tracing/fprobe: Check the same type fprobe on table as the unregistered one 
tracing/fprobe: Avoid kcalloc() in rcu_read_lock section tracing: fprobe: use ftrace if CONFIG_DYNAMIC_FTRACE_WITH_ARGS tracing: fprobe: Remove unused local variable sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path sched_ext: Fix missing warning in scx_set_task_state() default case netfilter: nft_inner: Fix IPv6 inner_thoff desync netfilter: ipset: stop hash:* range iteration at end netfilter: nf_queue: hold bridge skb->dev while queued netfilter: ip6t_hbh: reject oversized option lists net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis() net: ifb: report ethtool stats over num_tx_queues net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover net: phy: skip EEE advertisement write when autoneg is disabled net: bcmgenet: keep RBUF EEE/PM disabled phonet/pep: disable BH around forwarded sk_receive_skb() Bluetooth: serialize accept_q access Bluetooth: MGMT: validate Add Extended Advertising Data length Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Bluetooth: bnep: Fix UAF read of dev->name Bluetooth: ISO: drop ISO_END frames received without prior ISO_START Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del() net: wwan: iosm: fix potential memory leaks in ipc_imem_init() selftests/mm: run_vmtests.sh: fix destructive tests invocation mm/page_alloc: fix initialization of tags of the huge zero folio with init_on_free mm/memory_hotplug: fix memory block reference leak on remove mm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special() mm/memory: fix spurious warning when unmapping device-private/exclusive pages ipv6: ioam: refresh hdr pointer before ioam6_event() drivers/base/memory: fix memory block reference leak in poison accounting io_uring/waitid: clear waitid info before copying it to userspace spi: amd: Set correct bus number in ACPI probe path efi: Allocate runtime workqueue before ACPI 
init ALSA: scarlett2: Allow flash writes ending at segment boundary ALSA: asihpi: Fix potential OOB array access at reading cache ALSA: pcm: Don't setup bogus iov_iter for silencing ALSA: ua101: Reject too-short USB descriptors hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close smb: client: use data_len for SMB2 READ encrypted folioq copy smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked() smb: client: require net admin for CIFS SWN netlink regulator: tps65219: fix irq_data.rdev not being assigned ksmbd: validate SID in parent security descriptor during ACL inheritance ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow ksmbd: fix null pointer dereference in compare_guid_key() mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break() sysfs: don't remove existing directory on update failure drm/vblank: Fix kernel docs for vblank timer drm/atomic: Increase timeout in drm_atomic_helper_wait_for_vblanks() drm/vkms: Convert to DRM's vblank timer drm/vblank: Add CRTC helpers for simple use cases drm/vblank: Add vblank timer Revert "ice: Remove jumbo_remove step from TX path" Revert "ice: fix double-free of tx_buf skb" ata: libata-scsi: do not needlessly defer commands when using PMP with FBS ata: libata-scsi: do not use the d…
Merge Check Failed: No CR Numbers Found
Error: No Change Request numbers were found. Please add Change Request numbers to your pull request description in the format CRs-Fixed: 12345 or link GitHub issues that are associated with Change Requests.
Test Matrix
Contributor
+1 for bt
No description provided.