Merge tag 'v6.18.37' into qcom-6.18.y#782

Open
svankas (svankas) wants to merge 2219 commits into qualcomm-linux:qcom-6.18.y from svankas:6.18.37-lts

@svankas

No description provided.

Jiawen Wu and others added 30 commits June 19, 2026 13:44
[ Upstream commit dbba6b7 ]

QSFP support will be introduced for AML 40G devices; the code related
to identifying various modules should be renamed to more appropriate names.

And struct txgbe_hic_i2c_read used to get module information is renamed
as struct txgbe_hic_get_module_info, because another SW-FW command to
read I2C will be added later.

Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/20251118080259.24676-3-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 0487cfc ("net: txgbe: initialize module info buffer")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0487cfc ]

The module info buffer should be initialized to 0 before the firmware
returns information. Otherwise, there is a risk that a buffer field
not filled by the firmware holds a random value.

Fixes: 3439297 ("net: txgbe: Support to handle GPIO IRQs for AML devices")
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Link: https://patch.msgid.link/20260608070842.36504-2-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b70c687 ]

addrconf_get_prefix_route() can return the fib6_null_entry sentinel
entry which has a NULL fib6_table pointer. Therefore, before setting the
route's expiration time, check that we are not working with this entry,
as otherwise a NPD will be triggered [1].

Note that the other callers of addrconf_get_prefix_route() are not
susceptible to this bug:

1. addrconf_prefix_rcv(): Requests a route with the 'RTF_ADDRCONF |
   RTF_PREFIX_RT' flags which are not set on fib6_null_entry.

2. modify_prefix_route(): Fixed by commit a747e02 ("ipv6: avoid
   possible NULL deref in modify_prefix_route()").

3. __ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for
   fib6_null_entry and returns an error.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[...]
Call Trace:
<TASK>
__kasan_check_byte (mm/kasan/common.c:573)
lock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1))
_raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1))
cleanup_prefix_route (net/ipv6/addrconf.c:1280)
ipv6_del_addr (net/ipv6/addrconf.c:1342)
inet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119)
inet6_rtm_deladdr (net/ipv6/addrconf.c:4812)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6997)
netlink_rcv_skb (net/netlink/af_netlink.c:2555)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1899)
__sock_sendmsg (net/socket.c:802 (discriminator 4))
____sys_sendmsg (net/socket.c:2698)
___sys_sendmsg (net/socket.c:2752)
__sys_sendmsg (net/socket.c:2784)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)

Fixes: 5eb902b ("net/ipv6: Remove expired routes with a separated list of routes.")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Reviewed-by: David Ahern <dahern@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260609145448.768318-1-idosch@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit b2849be upstream.

The APICv (apic->apicv_active) can be activated or deactivated at runtime,
for instance, because of APICv inhibit reasons. Intel VMX employs different
mechanisms to virtualize LAPIC based on whether APICv is active.

When APICv is activated at runtime, GUEST_INTR_STATUS is used to configure
and report the current pending IRR and ISR states. Unless a specific vector
is explicitly included in EOI_EXIT_BITMAP, its EOI will not be trapped to
KVM. Intel VMX automatically clears the corresponding ISR bit based on the
GUEST_INTR_STATUS.SVI field.

When APICv is deactivated at runtime, the VM_ENTRY_INTR_INFO_FIELD is used
to specify the next interrupt vector to invoke upon VM-entry. The
VMX IDT_VECTORING_INFO_FIELD is used to report un-invoked vectors on
VM-exit. EOIs are always trapped to KVM, so the software can manually clear
pending ISR bits.

There are scenarios where, with APICv activated at runtime, a guest-issued
EOI may not be able to clear the pending ISR bit.

Taking vector 236 as an example, here is one scenario.

1. Suppose APICv is inactive. Vector 236 is pending in the IRR.
2. To handle KVM_REQ_EVENT, KVM moves vector 236 from the IRR to the ISR,
and configures the VM_ENTRY_INTR_INFO_FIELD via vmx_inject_irq().
3. After VM-entry, vector 236 is invoked through the guest IDT. At this
point, the data in VM_ENTRY_INTR_INFO_FIELD is no longer valid. The guest
interrupt handler for vector 236 is invoked.
4. Suppose a VM exit occurs very early in the guest interrupt handler,
before the EOI is issued.
5. Nothing is reported through the IDT_VECTORING_INFO_FIELD because
vector 236 has already been invoked in the guest.
6. Now, suppose APICv is activated. Before the next VM-entry, KVM calls
kvm_vcpu_update_apicv() to activate APICv.
7. Unfortunately, GUEST_INTR_STATUS.SVI is not configured, although
vector 236 is still pending in the ISR.
8. After VM-entry, the guest finally issues the EOI for vector 236.
However, because SVI is not configured, vector 236 is not cleared.
9. ISR is stalled forever on vector 236.

Here is another scenario.

1. Suppose APICv is inactive. Vector 236 is pending in the IRR.
2. To handle KVM_REQ_EVENT, KVM moves vector 236 from the IRR to the ISR,
and configures the VM_ENTRY_INTR_INFO_FIELD via vmx_inject_irq().
3. VM-exit occurs immediately after the next VM-entry. The vector 236 is
not invoked through the guest IDT. Instead, it is saved to the
IDT_VECTORING_INFO_FIELD during the VM-exit.
4. KVM calls kvm_queue_interrupt() to re-queue the un-invoked vector 236
into vcpu->arch.interrupt. A KVM_REQ_EVENT is requested.
5. Now, suppose APICv is activated. Before the next VM-entry, KVM calls
kvm_vcpu_update_apicv() to activate APICv.
6. Although APICv is now active, KVM still uses the legacy
VM_ENTRY_INTR_INFO_FIELD to re-inject vector 236. GUEST_INTR_STATUS.SVI is
not configured.
7. After the next VM-entry, vector 236 is invoked through the guest IDT.
Finally, an EOI occurs. However, due to the lack of GUEST_INTR_STATUS.SVI
configuration, vector 236 is not cleared from the ISR.
8. ISR is stalled forever on vector 236.

Using QEMU as an example, vector 236 is stuck in ISR forever.

(qemu) info lapic 1
dumping local APIC state for CPU 1

LVT0	 0x00010700 active-hi edge  masked                      ExtINT (vec 0)
LVT1	 0x00010400 active-hi edge  masked                      NMI
LVTPC	 0x00000400 active-hi edge                              NMI
LVTERR	 0x000000fe active-hi edge                              Fixed  (vec 254)
LVTTHMR	 0x00010000 active-hi edge  masked                      Fixed  (vec 0)
LVTT	 0x000400ec active-hi edge                 tsc-deadline Fixed  (vec 236)
Timer	 DCR=0x0 (divide by 2) initial_count = 0 current_count = 0
SPIV	 0x000001ff APIC enabled, focus=off, spurious vec 255
ICR	 0x000000fd physical edge de-assert no-shorthand
ICR2	 0x00000000 cpu 0 (X2APIC ID)
ESR	 0x00000000
ISR	 236
IRR	 37(level) 236

The issue isn't applicable to AMD SVM as KVM simply writes vmcb01 directly
irrespective of whether L1 (vmcs01) or L2 (vmcb02) is active (unlike VMX,
there is no need/cost to switch between VMCBs).  In addition,
APICV_INHIBIT_REASON_IRQWIN ensures AMD SVM AVIC is not activated until
the last interrupt is EOI'd.

Fix the bug by configuring Intel VMX GUEST_INTR_STATUS.SVI if APICv is
activated at runtime.

Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Reviewed-by: Chao Gao <chao.gao@intel.com>
Link: https://patch.msgid.link/20251110063212.34902-1-dongli.zhang@oracle.com
[sean: call out that SVM writes vmcb01 directly, tweak comment]
Link: https://patch.msgid.link/20251205231913.441872-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
(cherry picked from commit b2849be)
Cc: stable@vger.kernel.org # 6.6.x and above
Cc: Gulshan Gabel <gulshan.gabel@nutanix.com>
Signed-off-by: Jon Kohler <jon@nutanix.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
…g parked

[ Upstream commit bc27dbe ]

Parking disp_cc_mdss_mdp_clk_src at 19.2MHz causes the EFI GOP framebuffer
to stop functioning. The EFI GOP framebuffer should keep working until
the msm display driver loads, to help with boot debugging and to ensure
display output when the msm module is not in the initramfs.

Switch disp_cc_mdss_mdp_clk_src over to clk_rcg2_shared_no_init_park_ops
to keep the EFI GOP working after binding the x1e80100-dispcc driver.

Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Fixes: 01a0a6c ("clk: qcom: Park shared RCGs upon registration")
Link: https://lore.kernel.org/r/20260425123351.6292-1-johannes.goede@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 78ee734 ]

In the peric0_clk_regs array, the divider register offset for USI6 was
accidentally listed twice, while the divider for USI7 was omitted.

Missing this DIV register causes the USI7 clock divider setting to be
lost and reset to its hardware default value during a suspend/resume
cycle.

Replace the duplicated USI6 DIV entry with the correct USI7 DIV
register.

Fixes: 893f133 ("clk: samsung: gs101: add support for cmu_peric0")
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Link: https://patch.msgid.link/20260505171457.1960837-1-visitorckw@gmail.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5285b04 ]

Parking the disp{0,1}_cc_mdss_mdp_clk_src clk broke simplefb on HUAWEI
Gaokun3: the image gets stuck at grey for seconds until msm takes
over the framebuffer. Use clk_rcg2_shared_no_init_park_ops to skip it.

Signed-off-by: Pengyu Luo <mitltlatltl@gmail.com>
Tested-by: Jérôme de Bretagne <jerome.debretagne@gmail.com>
Fixes: 01a0a6c ("clk: qcom: Park shared RCGs upon registration")
Link: https://lore.kernel.org/r/20260303150152.90685-1-mitltlatltl@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2673cef ]

intel_edp_set_sink_rates() reads DP_SUPPORTED_LINK_RATES into a local
stack array and then parses the array unconditionally. If the read
fails, the array contents are not valid and may result in bogus sink
link rates being used.

Use drm_dp_dpcd_read_data() and clear the sink rate array on failure,
so the existing parser falls back to the default sink rate handling.

Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.

Fixes: 68f357c ("drm/i915/dp: generate and cache sink rate array for all DP, not just eDP 1.4")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patch.msgid.link/20260529145759.1640646-1-n.zhandarovich@fintech.ru
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
(cherry picked from commit bd61c7756b34157e093028225a69383b4b1203cc)
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f329e83 ]

DRM atomic and modesetting aren't initialized if the virtio-gpu driver is
built with KMS disabled, leading to access of uninitialized data on driver
removal/unbinding and crashing the kernel. Fix it by skipping the shutdown
of the atomic core when KMS is unavailable.

Fixes: 72122c6 ("drm/virtio: Add option to disable KMS support")
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Tested-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
Reviewed-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
Link: https://patch.msgid.link/20260604122743.13383-1-dmitry.osipenko@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5d563a5 ]

Don't just overwrite the original pointer passed to krealloc()
with its return value without checking the latter:

    MEM = krealloc(MEM, SZ, GFP);

If krealloc() returns NULL, that erases the pointer
to the still allocated memory, hence leaks this memory.
Instead, use a temporary variable, check it's not NULL
and only then assign it to the original pointer:

    TMP = krealloc(MEM, SZ, GFP);
    if (!TMP) return;
    MEM = TMP;

While on it, use krealloc_array().

Fixes: 6d45c81 ("drm/vc4: Add support for branching in shader validation.")
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Maíra Canal <mcanal@igalia.com>
Link: https://patch.msgid.link/20260606123817.37222-1-grandmaster@al2klimov.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit ba36786 ]

xe_range_fence_insert() acquires a reference on fence via
dma_fence_get() and stores it in rfence->fence.  It then calls
dma_fence_add_callback() and handles two cases: when the callback
is successfully registered (err == 0) the fence is transferred to
the tree for later cleanup; when the fence is already signaled
(err == -ENOENT) it manually drops the extra reference with
dma_fence_put(fence).

However, dma_fence_add_callback() can fail with other errors
(e.g. -EINVAL) and in that case the code falls through to the free:
label without releasing the acquired reference, leaking it.

Fix the leak by adding an else branch that calls dma_fence_put()
before jumping to free: for any error other than -ENOENT.

Fixes: 845f64b ("drm/xe: Introduce a range-fence utility")
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20260610172705.3450560-1-matthew.brost@intel.com
(cherry picked from commit 98c4a4201290823c2c5c7ba21692bd9a64b61021)
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2f41af6 ]

aie2_populate_range() jumps back to the again label without calling
mmput(mm), leaking a reference to the mm_struct.

Add the missing mmput() before jumping to again.

Fixes: e486147 ("accel/amdxdna: Add BO import and export")
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Link: https://patch.msgid.link/20260610151127.2994185-1-lizhi.hou@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit c32b26a upstream.

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
that took a reference via dst_hold() in nft_tunnel_obj_eval() and
are still queued (e.g. in a netem qdisc) are left with a dangling
pointer. When these packets are eventually dequeued, dst_release()
operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst
is freed only after all references are dropped. The dst subsystem
already handles metadata_dst cleanup in dst_destroy() when
DST_METADATA is set.

Fixes: af308b9 ("netfilter: nf_tables: add tunnel support")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c7d5735 upstream.

NFT_META_BRI_IIFHWADDR declares its destination register with
len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
leaving the upper 2 bytes of the second register as uninitialised
nft_do_chain() stack. A downstream load of that register span leaks
those stale bytes to userspace.

Zero the second register before the memcpy so the full declared span is
written.

Fixes: cbd2257 ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
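
The register-span leak described in the commit message above, reproduced in user space as an added example (not the kernel's code). The `STALE` marker, the sample MAC address and the function names are constructed for illustration; the only detail taken from the commit is that a 6-byte copy lands in a two-register (8-byte) span and that the fix zeroes the second register first.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN  6
#define REG_BYTES 4   /* one nftables register is 32 bits wide */
#define SPAN_REGS ((ETH_ALEN + REG_BYTES - 1) / REG_BYTES)  /* 6 bytes round up to 2 registers */
#define STALE     0xA5 /* constructed marker standing in for leftover stack contents */

/* Before the fix: only ETH_ALEN of the 8 declared bytes are written. */
static void eval_hwaddr_before(uint32_t *dest, const uint8_t *dev_addr)
{
    memcpy(dest, dev_addr, ETH_ALEN);
}

/* After the fix: the second register is zeroed, then the address is copied. */
static void eval_hwaddr_after(uint32_t *dest, const uint8_t *dev_addr)
{
    dest[1] = 0;
    memcpy(dest, dev_addr, ETH_ALEN);
}

/*
 * Fills a register span with the stale marker, runs one of the two eval
 * variants, and counts how many bytes of the declared span still carry
 * stale data that a later load of the span would expose.
 */
static size_t stale_bytes_in_span(int use_fix)
{
    /* Constructed sample address; none of its bytes equals STALE. */
    static const uint8_t dev_addr[ETH_ALEN] = {0x02, 0x00, 0x5e, 0x10, 0x20, 0x30};
    uint32_t regs[SPAN_REGS];
    uint8_t view[sizeof(regs)];
    size_t i, n = 0;

    memset(regs, STALE, sizeof(regs));
    if (use_fix)
        eval_hwaddr_after(regs, dev_addr);
    else
        eval_hwaddr_before(regs, dev_addr);

    memcpy(view, regs, sizeof(view));
    for (i = 0; i < sizeof(view); i++)
        if (view[i] == STALE)
            n++;
    return n;
}

int main(void)
{
    printf("stale bytes before fix: %zu\n", stale_bytes_in_span(0));
    printf("stale bytes after fix:  %zu\n", stale_bytes_in_span(1));
    return 0;
}
```
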
commit 26682f5 upstream.

register_shm_helper() allocates shm before calling
iov_iter_npages(). If iov_iter_npages() returns 0, the function
jumps to err_ctx_put and leaks shm.

This can be triggered by TEE_IOC_SHM_REGISTER with
struct tee_ioctl_shm_register_data where length is 0.

Jump to err_free_shm instead.

Fixes: 7bdee41 ("tee: Use iov_iter to better support shared buffer registration")
Cc: stable@vger.kernel.org
Cc: lvc-project@linuxtesting.org
Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev>
Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5c65b96 upstream.

Existing advertising instances can already hold the maximum extended
advertising payload. When hci_adv_bcast_annoucement() prepends the
Broadcast Announcement service data to that payload, the combined data
may no longer fit in the temporary buffer used to rebuild the
advertising data.

Reject that case before copying the existing payload and report the
failure through the device log. This keeps the existing advertising
data intact and avoids overrunning the temporary buffer.

Fixes: 5725bc6 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dd21473 upstream.

net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
signaling packets up to the channel MTU and dispatches each command
without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
within radio range can send a fixed-channel CID 0x0001 packet that is
larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
pairing. In a real-radio stock-kernel run, one 681-byte signaling
packet containing 168 zero-length ECHO_REQ commands made the target
transmit 168 ECHO_RSP frames over about 220 ms.

Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
packet containing packed ECHO_REQ commands.

Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.

The Bluetooth Core spec wording for MTUExceeded says the reject
identifier shall match the first request command in the packet, and
that packets containing only responses shall be silently discarded.
Linux intentionally deviates from that prescription: silently
discarding desynchronizes the peer because the remote stack never
learns its responses were dropped, and locating the first request
command requires walking command headers past MTUsig, i.e. processing
bytes from a packet we have already decided is too large to process.
We therefore always emit one reject and use the identifier from the
first command header, a single fixed-offset byte read.

The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
trace to the initial git import; no later introducing commit is
available for a Fixes tag.

Cc: stable@vger.kernel.org
Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
Assisted-by: Claude:claude-opus-4-7
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
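
A user-space model of the signaling-MTU check described in the commit message above, as an added example that is not the kernel's implementation. `process_signaling()`, `run_flood()` and `struct sig_result` are hypothetical names, and the packet is a constructed buffer of zero-length ECHO_REQ command headers (outer framing is not modelled); the opcode and reject-reason values are the standard L2CAP ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define L2CAP_COMMAND_REJ      0x01
#define L2CAP_ECHO_REQ         0x08
#define L2CAP_ECHO_RSP         0x09
#define L2CAP_REJ_MTU_EXCEEDED 0x0001
#define SIG_MTU                48   /* spec minimum MTUsig, per the commit message */
#define CMD_HDR_LEN            4    /* code, ident, 16-bit little-endian length */
#define MAX_CMDS               200  /* cap for the constructed packet */

struct sig_result {
    unsigned frames_sent;    /* frames the receiver would transmit in reply */
    uint8_t  first_code;     /* code of the first frame it sends */
    uint8_t  first_ident;    /* identifier carried in that frame */
    uint16_t reject_reason;  /* set only when a Command Reject is sent */
};

/*
 * enforce_mtu == 0 models the old behaviour: every packed command is
 * dispatched. enforce_mtu == 1 models the fix: an oversized packet gets
 * exactly one reject and no command is dispatched.
 */
static struct sig_result process_signaling(const uint8_t *pkt, size_t len,
                                           int enforce_mtu)
{
    struct sig_result r = {0, 0, 0, 0};
    size_t off = 0;

    if (enforce_mtu && len > SIG_MTU) {
        /* Identifier comes from the first header's fixed offset; nothing
         * else in the oversized packet is parsed. */
        r.frames_sent = 1;
        r.first_code = L2CAP_COMMAND_REJ;
        r.first_ident = pkt[1];
        r.reject_reason = L2CAP_REJ_MTU_EXCEEDED;
        return r;
    }

    while (len - off >= CMD_HDR_LEN) {
        uint8_t code = pkt[off];
        uint8_t ident = pkt[off + 1];
        size_t clen = (size_t)pkt[off + 2] | ((size_t)pkt[off + 3] << 8);

        off += CMD_HDR_LEN;
        if (clen > len - off)
            break;                      /* truncated command: stop parsing */
        if (code == L2CAP_ECHO_REQ) {   /* each echo request earns one response */
            if (r.frames_sent == 0) {
                r.first_code = L2CAP_ECHO_RSP;
                r.first_ident = ident;
            }
            r.frames_sent++;
        }
        off += clen;
    }
    return r;
}

/* Builds `count` zero-length ECHO_REQ commands in a local buffer and feeds
 * them to the parser. */
static struct sig_result run_flood(unsigned count, int enforce_mtu)
{
    uint8_t pkt[MAX_CMDS * CMD_HDR_LEN];
    size_t len = 0;
    unsigned i;

    if (count > MAX_CMDS)
        count = MAX_CMDS;
    for (i = 0; i < count; i++) {
        pkt[len++] = L2CAP_ECHO_REQ;
        pkt[len++] = (uint8_t)(i % 255 + 1);  /* identifiers 1..255, never 0 */
        pkt[len++] = 0;                       /* length low byte */
        pkt[len++] = 0;                       /* length high byte */
    }
    return process_signaling(pkt, len, enforce_mtu);
}

int main(void)
{
    printf("168 packed ECHO_REQ, no MTUsig check: %u frames sent\n",
           run_flood(168, 0).frames_sent);
    printf("168 packed ECHO_REQ, MTUsig enforced:  %u frame sent\n",
           run_flood(168, 1).frames_sent);
    return 0;
}
```
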
commit d922113 upstream.

The current platform driver design causes probe ordering races with
consumers (UFS, eMMC) due to ICE's dependency on SCM firmware calls. If ICE
probe fails (missing ICE SCM or DT registers), devm_of_qcom_ice_get() loops
with -EPROBE_DEFER, leaving consumers non-functional even when ICE should
be gracefully disabled. devm_of_qcom_ice_get() doesn't know if the ICE
driver probe has failed due to above reasons or it is waiting for the SCM
driver.

Moreover, there is no devlink dependency between ICE and consumer drivers
as 'qcom,ice' is not considered as a DT 'supplier'. So the consumer drivers
have no idea of when the ICE driver is going to probe.

To address these issues, store the error pointer in a global xarray with
ice node phandle as a key during probe in addition to the valid ice pointer
and synchronize both qcom_ice_probe() and of_qcom_ice_get() using a mutex.

If the xarray entry is NULL, then it implies that the driver is not
probed yet, so return -EPROBE_DEFER. If it has any error pointer, return
that error pointer directly. Otherwise, add the devlink as usual and return
the valid pointer to the consumer.

Xarray is used instead of platform drvdata, since driver core frees the
drvdata during probe failure. So it cannot be used to pass the error
pointer to the consumers.

Note that this change only fixes the standalone ICE DT node bindings and
not the ones with 'ice' range embedded in the consumer nodes, where there
is no issue.

Fixes: 2afbf43 ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver")
Reported-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Tested-by: Sumit Garg <sumit.garg@oss.qualcomm.com> # OP-TEE as TZ
Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
Cc: stable@vger.kernel.org # 6.4
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20260518-qcom-ice-fix-v7-1-2a595382185b@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…hwpoison

commit 3c2d42b upstream.

Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can
trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock
when racing with a concurrent unmap:

  thread#0                              thread#1
  --------                              --------
  madvise(folio, MADV_HWPOISON)
    -> poisons the folio successfully
  madvise(folio, MADV_HWPOISON)         unmap(folio)
    try_memory_failure_hugetlb
      get_huge_page_for_hwpoison
        spin_lock_irq(&hugetlb_lock)    <- held
        __get_huge_page_for_hwpoison
          hugetlb_update_hwpoison()
            -> MF_HUGETLB_FOLIO_PRE_POISONED
          goto out:
            folio_put()
              refcount: 1 -> 0
              free_huge_folio()
                spin_lock_irqsave(&hugetlb_lock)
                  -> AA DEADLOCK!

The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop
the GUP reference while the hugetlb_lock is still held by the hugetlb.c
wrapper get_huge_page_for_hwpoison().  If concurrent unmap has released
the page table mapping reference, folio_put() drops the folio refcount to
zero, triggering free_huge_folio() which attempts to re-acquire the
non-recursive hugetlb_lock.

Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper
into get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the
folio_put() at the out: label so the folio is always released outside the
lock.

[akpm@linux-foundation.org: fix race, rename label per Miaohe]
  Link: https://sashiko.dev/#/patchset/20260522010305.4099834-1-mawupeng1@huawei.com
  Link: https://lore.kernel.org/f39f405e-4b4b-8f79-70fe-a2b5b62114eb@huawei.com
Link: https://lore.kernel.org/20260522010305.4099834-1-mawupeng1@huawei.com
Fixes: 405ce05 ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()")
Signed-off-by: Wupeng Ma <mawupeng1@huawei.com>
Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Acked-by: Muchun Song <muchun.song@linux.dev>
Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Acked-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <ljs@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dd1311b upstream.

Add validation that read and write indices in the firmware log buffer
are within valid bounds (< data_size) before using them. If
out-of-bounds indices are encountered (from firmware), clamp them to
safe values instead of proceeding with invalid offsets.

This prevents potential out-of-bounds buffer access when firmware
supplies invalid log indices.

Fixes: 1fc1251 ("accel/ivpu: Refactor functions in ivpu_fw_log.c")
Cc: stable@vger.kernel.org # v6.18+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260529115842.135378-1-andrzej.kacprowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fb17642 upstream.

Add validation that the info size returned from the metric stream info
query is not exceeded when checked against the allocated buffer size.
If the firmware returns a size larger than the buffer, reject the
operation with -EOVERFLOW instead of proceeding with an incorrect
buffer copy.

Fixes: cdfad4d ("accel/ivpu: Add NPU profiling support")
Cc: stable@vger.kernel.org # v6.18+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260529120841.135852-1-andrzej.kacprowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d9faef5 upstream.

Fix potential buffer overflow where firmware-supplied data_size is cast
to signed int before being used in min_t(). Large unsigned values
(>= 0x80000000) become negative, causing unsigned wraparound and
oversized memcpy operations that can overflow the stack buffer.

Change min_t(int, ...) to min() as both values are unsigned and can be
handled by min() without explicit cast.

Fixes: 3b434a3 ("accel/ivpu: Use threaded IRQ to handle JOB done messages")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20260601161643.229342-1-andrzej.kacprowski@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
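
The signed-cast hazard described in the commit message above, shown with simplified user-space stand-ins for `min_t()` and `min()` as an added example (not the driver's code). `PAYLOAD_MAX`, `struct fw_msg` and the function names are hypothetical; the vulnerable length is only computed, never used for a copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel macros (no type checking). */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))
#define min(a, b)         ((a) < (b) ? (a) : (b))

#define PAYLOAD_MAX 64u   /* hypothetical capacity of the on-stack destination */

/* Hypothetical firmware message: data_size is chosen by the firmware. */
struct fw_msg {
    uint32_t data_size;
    uint8_t  data[PAYLOAD_MAX];
};

/*
 * Before: both operands are compared as int. A data_size of 0x80000000 or
 * more becomes negative, "wins" the comparison, and converts back to a
 * huge unsigned length.
 */
static size_t copy_len_before(uint32_t data_size)
{
    return (size_t)min_t(int, data_size, PAYLOAD_MAX);
}

/* After: both operands are unsigned, so the comparison needs no cast. */
static size_t copy_len_after(uint32_t data_size)
{
    return min(data_size, PAYLOAD_MAX);
}

/*
 * Handles one constructed message using the fixed length computation and
 * returns the number of bytes copied into the stack buffer.
 */
static size_t handle_fw_size(uint32_t data_size)
{
    struct fw_msg msg;
    uint8_t payload[PAYLOAD_MAX];
    size_t len;

    memset(&msg, 0, sizeof(msg));
    msg.data_size = data_size;

    len = copy_len_after(msg.data_size);
    memcpy(payload, msg.data, len);   /* len is bounded by PAYLOAD_MAX */
    return len;
}

int main(void)
{
    /* Constructed sample sizes: normal, boundary, and two hostile values. */
    static const uint32_t sizes[] = {16u, 64u, 0x80000000u, 0xFFFFFFFFu};
    size_t i;

    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("data_size=0x%08x  min_t(int)=%zu  min()=%zu\n",
               (unsigned)sizes[i], copy_len_before(sizes[i]),
               copy_len_after(sizes[i]));
    return 0;
}
```
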
commit 0652a3d upstream.

The probestub is a function to allow tprobes to hook to a tracepoint to
gain access to its parameters. The function itself is only referenced by
the tracepoint structure which lives in the __tracepoint section. objtool
explicitly ignores that section and when processing functions in the
kernel, if it detects one that has no references it will seal it to have
its ENDBR stripped on boot up.

This means when a tprobe is attached to the sched_wakeup tracepoint, when it
is triggered it will call __probestub_sched_wakeup and due to the missing
ENDBR on a CFI-enabled machine it will take a #CP exception.

Fix this by adding CFI_NOSEAL annotation to probestub declaration.

Cc: stable@vger.kernel.org
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Link: https://patch.msgid.link/20260603153147.573589-1-eva.kurchatova@virtuozzo.com
Fixes: d5173f7 ("objtool: Exclude __tracepoints data from ENDBR checks")
Signed-off-by: Eva Kurchatova <eva.kurchatova@virtuozzo.com>
[ Updated change log ]
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…error

commit 85e0f27 upstream.

Fix to point the error offset correctly for eprobe argument error.
In the cleanup commit 1b8b0cd ("tracing/probes: Move event parameter
fetching code to common parser"), due to incorrect backward compatibility
aimed at conforming to the test specifications, the error location was set
to 0 when a non-existent formal parameter was specified for Eprobe.
However, this should be corrected in both the test and the implementation
to point to the correct error position.

Link: https://lore.kernel.org/all/177967567399.209006.1451571244515632097.stgit@devnote2/

Fixes: 1b8b0cd ("tracing/probes: Move event parameter fetching code to common parser")
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 905b06d upstream.

Starting with Rust 1.98.0 (expected 2026-08-20), the target spec will not
support `x86-softfloat` anymore [1]. Instead, `softfloat` should be used,
which is an alias. Otherwise, one gets:

    error: error loading target specification: rustc-abi: invalid rustc abi: 'x86-softfloat'. allowed values: 'x86-sse2', 'softfloat' at line 3 column 32
      |
      = help: run `rustc --print target-list` for a list of built-in targets

Thus conditionally use one or the other depending on the version.

The alias has existed since Rust 1.95.0 (released 2026-04-16) [2], but
use the newer version instead to avoid changing how the build works for
existing compilers, at least until more testing takes place.

Cc: Ralf Jung <post@ralfj.de>
Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
Link: rust-lang/rust#157151 [1]
Link: rust-lang/rust#151154 [2]
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260530114925.260754-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 84a0f7c upstream.

When KASAN is enabled, such as with allmodconfig, the build fails when
building the Rust code with:

  error: kernel-address sanitizer is not supported for this target

  error: aborting due to 1 previous error

  make[4]: *** [rust/Makefile:654: rust/core.o] Error 1

The arm-unknown-linux-gnueabi target does not support KASAN, so avoid
saying Rust is supported when it is enabled.

Cc: stable@vger.kernel.org
Fixes: ccb8ce5 ("ARM: 9441/1: rust: Enable Rust support for ARMv7")
Link: Rust-for-Linux/linux#1234
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
Link: https://patch.msgid.link/20260511-arm-avoid-rust-with-kasan-v1-1-24d55f4a900b@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ac35b55 upstream.

Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the
uwtable annotation for functions, but not for the module. This means
that compiler-generated functions such as 'asan.module_ctor' do not
receive the uwtable annotation.

When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot
failures because the dwarf information emitted for the kasan
constructors is wrong, which causes the SCS boot patching code to
patch the constructor in an illegal manner. Specifically, the paciasp
instruction is patched, but the autiasp instruction is not. This
mismatch leads to a crash when the constructor is called during boot.

	==================================================================
	BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
	Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1

Specifically the faulting instruction is the (*fn)() to invoke the
constructor in do_ctors() of the init/main.c file.

Once the fix lands in rustc, this flag can be made conditional on the
rustc version. Note that passing the flag on a rustc with the fix
present has no effect.

[ The fix [1] has landed for Rust 1.98.0 (expected release on
  2026-08-20).

  Thus add a version check as discussed.

    - Miguel ]

Fixes: d077242 ("rust: support for shadow call stack sanitizer")
Cc: stable@kernel.org
Link: rust-lang/rust#156973 [1]
Reported-by: Bo Ye <bo.ye@mediatek.com>
Debugged-by: Isaac Manjarres <isaacmanjarres@google.com>
Debugged-by: Sami Tolvanen <samitolvanen@google.com>
Tested-by: Isaac Manjarres <isaacmanjarres@google.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260527-uwtable-module-flag-v1-1-caa41342be4b@google.com
[ Adjusted link and comment. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4a44b17 upstream.

The Makefile version of rustc-option currently checks whether the option
exists for the host target instead of the target actually being compiled
for. It was done this way in commit 46e24a5 ("rust: kasan/kbuild:
fix missing flags on first build") to avoid a circular dependency on
target.json. However, because of this, rustc-option currently does not
function when cross-compiling from x86_64 to aarch64 if
CONFIG_SHADOW_CALL_STACK is enabled. This is because KBUILD_RUSTFLAGS
contains -Zfixed-x18 under this configuration. Since that flag does not
exist on the host target, rustc-option runs into a compilation failure
every time, leading to all flags being rejected as unsupported.

To fix this, update rustc-option to pass a --target parameter so that
the host target is not used. For targets using target.json, use a
built-in target that is as close as possible to the target created with
target.json to avoid the circular dependency on target.json.

One scenario where this causes a boot failure:
* Cross-compiled from x86_64 to aarch64.
* With CONFIG_SHADOW_CALL_STACK=y
* With CONFIG_KASAN_SW_TAGS=y
* With CONFIG_KASAN_INLINE=n
Then the resulting kernel image will fail to boot when it first calls
into Rust code with a crash along the lines of "Unable to handle kernel
paging request at virtual address 0ffffffc08541796". This is because the
call threshold is not specified, so rustc will inline kasan operations,
but the kasan shadow offset is not specified, which leads to the inlined
kasan instructions being incorrect.

Note that the -Zsanitizer=kernel-hwaddress parameter itself does not
lead to a rustc-option failure despite being aarch64-specific because
RUSTFLAGS_KASAN has not yet been added to KBUILD_RUSTFLAGS when
rustc-option is evaluated by the kasan Makefile.

Cc: stable@vger.kernel.org
Fixes: 46e24a5 ("rust: kasan/kbuild: fix missing flags on first build")
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20260507-rustc-option-cross-v2-1-2f650a49c2b5@google.com
[ Edited slightly:
    - Reset variable to avoid using the environment.
    - Use a simply expanded variable flavor for simplicity.
    - Export variable so that behavior in sub-`make`s is consistent.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

  This matches other variables. - Miguel ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
commit b837e38 upstream.

The previous clock uses roundup_pow_of_two() to calculate the core
clock frequency. It does not meet the actual hardware meaning.
The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)".

Fix the clock divider calculation.

Fixes: 92e0991 ("mmc: Add driver for LiteX's LiteSDCard interface")
Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
Reviewed-by: Gabriel Somlo <gsomlo@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulfh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 48fcc89 upstream.

That was missed when importing the header.

Reported-by: Doru Blânzeanu <dblanzeanu@linux.microsoft.com>
Reported-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
Fixes: e68bda7 ("hyperv: Add new Hyper-V headers in include/hyperv")
Cc: stable@kernel.org
Reviewed-by: Easwar Hariharan <easwar.hariharan@linux.microsoft.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ljskernel and others added 20 commits June 27, 2026 11:06
commit 9119d6c upstream.

The vma_modify_*() family of functions each either perform splits, a merge
or no changes at all in preparation for the requested modification to
occur.

When doing so for a VMA flags change, we currently don't account for any
flags which may remain (for instance, VM_SOFTDIRTY) despite the requested
change in the case that a merge succeeded.

This is made more important by subsequent patches which will introduce the
concept of sticky VMA flags which rely on this behaviour.

This patch fixes this by passing the VMA flags parameter as a pointer and
updating it accordingly on merge and updating callers to accommodate for
this.

Additionally, while we are here, we add kdocs for each of the
vma_modify_*() functions, as the fact that the requested modification is
not performed is confusing so it is useful to make this abundantly clear.

We also update the VMA userland tests to account for this change.

Link: https://lkml.kernel.org/r/23b5b549b0eaefb2922625626e58c2a352f3e93c.1763460113.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: David Hildenbrand (Red Hat) <david@kernel.org>
Cc: Dev Jain <dev.jain@arm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Lance Yang <lance.yang@linux.dev>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 64212ba upstream.

It is useful to be able to designate that certain flags are 'sticky', that
is, if two VMAs are merged one with a flag of this nature and one without,
the merged VMA sets this flag.

As a result we ignore these flags for the purposes of determining VMA flag
differences between VMAs being considered for merge.

This patch therefore updates the VMA merge logic to perform this action,
with flags possessing this property being described in the VM_STICKY
bitmap.

Those flags which ought to be ignored for the purposes of VMA merge are
described in the VM_IGNORE_MERGE bitmap, which the VMA merge logic is also
updated to use.

As part of this change we place VM_SOFTDIRTY in VM_IGNORE_MERGE as it
already had this behaviour, alongside VM_STICKY as sticky flags by
implication must not disallow merge.

Ultimately it seems that we should make VM_SOFTDIRTY a sticky flag in its
own right, but this change is out of scope for this series.

The only sticky flag designated as such is VM_MAYBE_GUARD, so as a result
of this change, once the VMA flag is set upon guard region installation,
VMAs with guard ranges will now not have their merge behaviour impacted as
a result and can be freely merged with other VMAs without VM_MAYBE_GUARD
set.

Also update the comments for vma_modify_flags() to directly reference
sticky flags now we have established the concept.

We also update the VMA userland tests to account for the changes.

Link: https://lkml.kernel.org/r/22ad5269f7669d62afb42ce0c79bad70b994c58d.1763460113.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: David Hildenbrand (Red Hat) <david@kernel.org>
Cc: Dev Jain <dev.jain@arm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Lance Yang <lance.yang@linux.dev>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ab04b53 upstream.

Gather all the VMA flags whose presence implies that page tables must be
copied on fork into a single bitmap - VM_COPY_ON_FORK - and use this
rather than specifying individual flags in vma_needs_copy().

We also add VM_MAYBE_GUARD to this list, as it being set on a VMA implies
that there may be metadata contained in the page tables (that is - guard
markers) which will not and cannot be propagated upon fork.

This was already being done manually previously in vma_needs_copy(), but
this makes it very explicit, alongside VM_PFNMAP, VM_MIXEDMAP and
VM_UFFD_WP all of which imply the same.

Note that VM_STICKY flags ought generally to be marked VM_COPY_ON_FORK too
- because equally a flag being VM_STICKY indicates that the VMA contains
metadata that is not propagated by being faulted in - i.e.  that the VMA
metadata does not fully describe the VMA alone, and thus we must propagate
whatever metadata there is on a fork.

However, for maximum flexibility, we do not make this necessarily the case
here.

Link: https://lkml.kernel.org/r/5d41b24e7bc622cda0af92b6d558d7f4c0d1bc8c.1763460113.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: Dev Jain <dev.jain@arm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Lance Yang <lance.yang@linux.dev>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 49e14da upstream.

Now we have established the VM_MAYBE_GUARD flag and added the capacity to
set it atomically, do so upon MADV_GUARD_INSTALL.

The places where this flag is used currently and matter are:

* VMA merge - performed under mmap/VMA write lock, therefore excluding
  racing writes.

* /proc/$pid/smaps - can race the write, however this isn't meaningful
  as the flag write is performed at the point of the guard region being
  established, and thus an smaps reader can't reasonably expect to avoid
  races.  Due to atomicity, a reader will observe either the flag being
  set or not.  Therefore consistency will be maintained.

In all other cases the flag being set is irrelevant and atomicity
guarantees other flags will be read correctly.

Note that non-atomic updates of unrelated flags do not cause an issue with
this flag being set atomically, as writes of other flags are performed
under mmap/VMA write lock, and these atomic writes are performed under
mmap/VMA read lock, which excludes the write, avoiding RMW races.

Note that we do not encounter issues with KCSAN by adjusting this flag
atomically, as we are only updating a single bit in the flag bitmap and
therefore we do not need to annotate these changes.

We intentionally set this flag in advance of actually updating the page
tables, to ensure that any racing atomic read of this flag will only
return false prior to page tables being updated, to allow for
serialisation via page table locks.

Note that we set vma->anon_vma for anonymous mappings.  This is because
the expectation for anonymous mappings is that an anon_vma is established
should they possess any page table mappings.  This is also consistent with
what we were doing prior to this patch (unconditionally setting anon_vma
on guard region installation).

We also need to update retract_page_tables() to ensure that madvise(...,
MADV_COLLAPSE) doesn't incorrectly collapse file-backed ranges containing
guard regions.

This was previously guarded by anon_vma being set to catch MAP_PRIVATE
cases, but the introduction of VM_MAYBE_GUARD necessitates that we check
this flag instead.

We utilise vma_flag_test_atomic() to do so - we first perform an
optimistic check, then after the PTE page table lock is held, we can check
again safely, as upon guard marker install the flag is set atomically
prior to the page table lock being taken to actually apply it.

So if the initial check fails either:

* Page table retraction acquires page table lock prior to VM_MAYBE_GUARD
  being set - guard marker installation will be blocked until page table
  retraction is complete.

OR:

* Guard marker installation acquires page table lock after setting
  VM_MAYBE_GUARD, which raced and didn't pick this up in the initial
  optimistic check, blocking page table retraction until the guard regions
  are installed - the second VM_MAYBE_GUARD check will prevent page table
  retraction.

Either way we're safe.

We refactor the retraction checks into a single
file_backed_vma_is_retractable(), there doesn't seem to be any reason that
the checks were separated as before.

Note that VM_MAYBE_GUARD being set atomically remains correct as
vma_needs_copy() is invoked with the mmap and VMA write locks held,
excluding any race with madvise_guard_install().

Link: https://lkml.kernel.org/r/e9e9ce95b6ac17497de7f60fc110c7dd9e489e8d.1763460113.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: David Hildenbrand (Red Hat) <david@kernel.org>
Cc: Dev Jain <dev.jain@arm.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Lance Yang <lance.yang@linux.dev>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Pedro Falcato <pfalcato@suse.de>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6707915 upstream.

Patch series "make VM_SOFTDIRTY a sticky VMA flag", v2.

Currently we set VM_SOFTDIRTY when a new mapping is set up (whether by
establishing a new VMA, or via merge) as implemented in __mmap_complete()
and do_brk_flags().

However, when performing a merge of existing mappings such as when
performing mprotect(), we may lose the VM_SOFTDIRTY flag.

Now we have the concept of making VMA flags 'sticky', that is that they
both don't prevent merge and, importantly, are propagated to merged VMAs,
this seems a sensible alternative to the existing special-casing of
VM_SOFTDIRTY.

We additionally add a self-test that demonstrates that this logic behaves
as expected.

This patch (of 2):

Currently we set VM_SOFTDIRTY when a new mapping is set up (whether by
establishing a new VMA, or via merge) as implemented in __mmap_complete()
and do_brk_flags().

However, when performing a merge of existing mappings such as when
performing mprotect(), we may lose the VM_SOFTDIRTY flag.

This is because currently we simply ignore VM_SOFTDIRTY for the purposes
of merge, so one VMA may possess the flag and another not, and whichever
happens to be the target VMA will be the one upon which the merge is
performed which may or may not have VM_SOFTDIRTY set.

Now we have the concept of 'sticky' VMA flags, let's make VM_SOFTDIRTY one
which solves this issue.

Additionally update VMA userland tests to propagate changes.

[akpm@linux-foundation.org: update comments, per Lorenzo]
  Link: https://lkml.kernel.org/r/0019e0b8-ee1e-4359-b5ee-94225cbe5588@lucifer.local
Link: https://lkml.kernel.org/r/cover.1763399675.git.ljs@kernel.org
Link: https://lkml.kernel.org/r/955478b5170715c895d1ef3b7f68e0cd77f76868.1763399675.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Suggested-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Reviewed-by: Pedro Falcato <pfalcato@suse.de>
Acked-by: Andrey Vagin <avagin@gmail.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: Jann Horn <jannh@google.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com>
Fixes: 34228d4 ("mm: ignore VM_SOFTDIRTY on VMA merging")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
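The merge rules described in the sticky-flag commit and in the VM_SOFTDIRTY commit above, as a userland model. This is an added example, not code from the kernel or from these patches: the bit positions, `struct merge_policy`, `NO_MERGE` and the function names are assumptions made for illustration; only the flag names and the VM_STICKY / VM_IGNORE_MERGE relationships come from the commit messages.

```c
#include <stdbool.h>
#include <stdio.h>

typedef unsigned long vm_flags_t;

/* Constructed bit positions for this model; they are not the kernel's values. */
#define VM_READ        (1UL << 0)
#define VM_WRITE       (1UL << 1)
#define VM_SOFTDIRTY   (1UL << 2)
#define VM_MAYBE_GUARD (1UL << 3)

#define NO_MERGE (~0UL) /* hypothetical sentinel: the two VMAs may not merge */

/* Hypothetical policy object: bits skipped when comparing two VMAs, and bits
 * the merged VMA inherits if either side carried them. */
struct merge_policy {
	vm_flags_t ignore_merge;
	vm_flags_t sticky;
};

/* Old behaviour: VM_SOFTDIRTY is ignored for comparison but not propagated. */
static const struct merge_policy ignore_only = {
	.ignore_merge = VM_SOFTDIRTY,
	.sticky = 0,
};

/* Sticky flags introduced: VM_STICKY = VM_MAYBE_GUARD,
 * VM_IGNORE_MERGE = VM_SOFTDIRTY | VM_STICKY. */
static const struct merge_policy sticky_guard = {
	.ignore_merge = VM_SOFTDIRTY | VM_MAYBE_GUARD,
	.sticky = VM_MAYBE_GUARD,
};

/* VM_SOFTDIRTY made sticky as well. */
static const struct merge_policy sticky_softdirty = {
	.ignore_merge = VM_SOFTDIRTY | VM_MAYBE_GUARD,
	.sticky = VM_SOFTDIRTY | VM_MAYBE_GUARD,
};

/* Two VMAs are merge candidates if they differ only in ignored bits. */
static bool flags_mergeable(const struct merge_policy *p,
			    vm_flags_t a, vm_flags_t b)
{
	return ((a ^ b) & ~p->ignore_merge) == 0;
}

/*
 * Merge 'other' into 'target'. The result keeps the target's own flags and
 * gains every sticky bit that either side carried. Returns NO_MERGE when a
 * non-ignored bit differs.
 */
static vm_flags_t merge_vma_flags(const struct merge_policy *p,
				  vm_flags_t target, vm_flags_t other)
{
	if (!flags_mergeable(p, target, other))
		return NO_MERGE;
	return target | (other & p->sticky);
}

int main(void)
{
	vm_flags_t rw = VM_READ | VM_WRITE;

	/* Target lacks VM_SOFTDIRTY, neighbour has it: the old rule drops it. */
	printf("ignore-only:      %#lx\n",
	       merge_vma_flags(&ignore_only, rw, rw | VM_SOFTDIRTY));
	printf("sticky softdirty: %#lx\n",
	       merge_vma_flags(&sticky_softdirty, rw, rw | VM_SOFTDIRTY));
	/* A guard-region VMA merging with one that has no guard regions. */
	printf("sticky guard:     %#lx\n",
	       merge_vma_flags(&sticky_guard, rw, rw | VM_MAYBE_GUARD));
	return 0;
}
```
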
commit c7ba92b upstream.

Assert that we correctly merge VMAs containing VM_SOFTDIRTY flags now that
we correctly handle these as sticky.

In order to do so, we have to account for the fact the pagemap interface
checks soft dirty PTEs and additionally that newly merged VMAs are marked
VM_SOFTDIRTY.

We do this by using unfaulted anon VMAs, establishing one and clearing
references on that one, before establishing another and merging the two
before checking that soft-dirty is propagated as expected.

We check that this functions correctly with mremap() and mprotect() as
sample cases, because VMA merge of adjacent newly mapped VMAs will
automatically be made soft-dirty due to existing logic which does so.

We are therefore exercising other means of merging VMAs.

Link: https://lkml.kernel.org/r/d5a0f735783fb4f30a604f570ede02ccc5e29be9.1763399675.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <ljs@kernel.org>
Cc: Andrey Vagin <avagin@gmail.com>
Cc: David Hildenbrand (Red Hat) <david@kernel.org>
Cc: Jann Horn <jannh@google.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Pedro Falcato <pfalcato@suse.de>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ahmed Elaidy <elaidya225@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3fdd336 upstream.

dev_open() already is exported, but drivers which use the netdev
instance lock need to use netif_open() instead. netif_close() is
also already exported [1] so this completes the pairing.

This export is required for the following fbnic self tests to
avoid calling ndo_stop() and ndo_open() in favor of the
more appropriate netif_open() and netif_close() that notifies
any listeners that the interface went down to test and is now
coming back up.

Link: https://patch.msgid.link/20250309215851.2003708-1-sdf@fomichev.me [1]
Signed-off-by: Mike Marciniszyn (Meta) <mike.marciniszyn@gmail.com>
Link: https://patch.msgid.link/20260307105847.1438-2-mike.marciniszyn@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b84c563 upstream.

There is netdev_lock_ops() before the NETDEV_REGISTER notifier
in register_netdevice(), so use the non-locking functions
in net_failover_slave_register().
failover_slave_register() in failover_existing_slave_register() adds lock
and unlock ops too.

Call Trace:
 <TASK>
 __schedule+0x30d/0x7a0
 schedule+0x27/0x90
 schedule_preempt_disabled+0x15/0x30
 __mutex_lock.constprop.0+0x538/0x9e0
 __mutex_lock_slowpath+0x13/0x20
 mutex_lock+0x3b/0x50
 dev_set_mtu+0x40/0xe0
 net_failover_slave_register+0x24/0x280
 failover_slave_register+0x103/0x1b0
 failover_event+0x15e/0x210
 ? dropmon_net_event+0xac/0xe0
 notifier_call_chain+0x5e/0xe0
 raw_notifier_call_chain+0x16/0x30
 call_netdevice_notifiers_info+0x52/0xa0
 register_netdevice+0x5f4/0x7c0
 register_netdev+0x1e/0x40
 _mlx5e_probe+0xe2/0x370 [mlx5_core]
 mlx5e_probe+0x59/0x70 [mlx5_core]
 ? __pfx_mlx5e_probe+0x10/0x10 [mlx5_core]

Fixes: 4c975fd ("net: hold instance lock during NETDEV_REGISTER/UP")
Signed-off-by: Faicker Mo <faicker.mo@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 307dc42 upstream.

veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield values 0-7.
If it returns a value >= 5, this causes an out-of-bounds array access.
Add a bounds check and return -EINVAL if the index is out of range.

The problem values are reserved so should never be read from the
register. Hence this is hardening against faulty device, misprogramming
or bus corruption.

Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 95e8a48 upstream.

ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
values 0-7. If it yields a value >= 7, this causes an out-of-bounds
array access. Add a bounds check and return -EINVAL if the index
is out of range.

Note that the remaining value b111 is reserved so should not be seen
in a correctly functioning system.

Assisted-by: gkh_clanker_2000
Cc: stable <stable@kernel.org>
Cc: Jonathan Cameron <jic23@kernel.org>
Cc: David Lechner <dlechner@baylibre.com>
Cc: "Nuno Sá" <nuno.sa@analog.com>
Cc: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Sam Daly <sam@samdaly.ie>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
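Both IIO fixes above (veml6075 and ads1298) guard a table lookup whose index comes from a 3-bit register field. The following added example, which is not code from either driver, shows the hardened lookup and a small audit helper that counts field encodings with no table entry. The table names and sizes come from the commit messages; the table entries, the mask bit positions, `struct reg_field` and all function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Sizes match the commit messages; the entries are constructed placeholders. */
static const int veml6075_it_ms[5] = { 10, 20, 30, 40, 50 };
static const int ads1298_pga_settings[7] = { 10, 20, 30, 40, 50, 60, 70 };

/* Hypothetical field descriptor. Both fields are 3 bits wide (values 0-7, as
 * the commit messages state); placing them at bits 6:4 is an assumption. */
struct reg_field {
	uint32_t mask;
	unsigned int shift;
};

static const struct reg_field VEML6075_CONF_IT = { 0x70, 4 };
static const struct reg_field ADS1298_MASK_CH_PGA = { 0x70, 4 };

static unsigned int field_get(struct reg_field f, uint32_t reg)
{
	return (reg & f.mask) >> f.shift;
}

/* Hardened lookup: reject encodings the table has no entry for. */
static int table_lookup(const int *tbl, size_t n, struct reg_field f,
			uint32_t reg)
{
	unsigned int idx = field_get(f, reg);

	if (idx >= n)
		return -EINVAL; /* reserved value: faulty device or bus corruption */
	return tbl[idx];
}

/* Audit helper: number of field encodings that would index past the table. */
static unsigned int uncovered_encodings(size_t n, struct reg_field f)
{
	unsigned int encodings = (f.mask >> f.shift) + 1;

	return encodings > n ? (unsigned int)(encodings - n) : 0;
}

static int veml6075_it_from_conf(uint32_t conf)
{
	return table_lookup(veml6075_it_ms, ARRAY_SIZE(veml6075_it_ms),
			    VEML6075_CONF_IT, conf);
}

static int ads1298_pga_from_reg(uint32_t reg)
{
	return table_lookup(ads1298_pga_settings,
			    ARRAY_SIZE(ads1298_pga_settings),
			    ADS1298_MASK_CH_PGA, reg);
}

int main(void)
{
	printf("veml6075: %u reserved encodings\n",
	       uncovered_encodings(ARRAY_SIZE(veml6075_it_ms), VEML6075_CONF_IT));
	printf("ads1298:  %u reserved encodings\n",
	       uncovered_encodings(ARRAY_SIZE(ads1298_pga_settings),
				   ADS1298_MASK_CH_PGA));
	/* Constructed register values: field = 4 (valid) and field = 7 (reserved). */
	printf("veml6075 field 4 -> %d\n", veml6075_it_from_conf(4u << 4));
	printf("veml6075 field 7 -> %d\n", veml6075_it_from_conf(7u << 4));
	return 0;
}
```
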
commit d237230 upstream.

The QAT driver exposes a character device (qat_adf_ctl) with IOCTLs
for device configuration, start, stop, status query and enumeration.
These IOCTLs are not part of any public uAPI header and have no known
in-tree or out-of-tree users. Device lifecycle is already managed via
sysfs.

The ioctl interface also increases the attack surface and is the
subject of a number of bug reports.

Remove the character device, the IOCTL definitions, and the related
data structures (adf_dev_status_info, adf_user_cfg_key_val,
adf_user_cfg_section, adf_user_cfg_ctl_data). Drop the now-unused
adf_cfg_user.h header and strip adf_ctl_drv.c down to the minimal
module_init/module_exit hooks for workqueue, AER, and crypto/compression
algorithm registration.

Clean up leftover dead code that was only reachable from the removed
IOCTL paths: adf_cfg_del_all(), adf_devmgr_verify_id(),
adf_devmgr_get_num_dev(), adf_devmgr_get_dev_by_id(),
adf_get_vf_real_id() and the unused ADF_CFG macros.

Additionally, drop the entry associated to QAT IOCTLs in
ioctl-number.rst.

Cc: stable@vger.kernel.org
Fixes: d8cba25 ("crypto: qat - Intel(R) QAT driver framework")
Reported-by: Zhi Wang <wangzhi@stu.xidian.edu.cn>
Reported-by: Bin Yu <byu@xidian.edu.cn>
Reported-by: MingYu Wang <w15303746062@163.com>
Closes: https://lore.kernel.org/all/61d6d499.ab89.19b9b7f3186.Coremail.wangzhi_xd@stu.xidian.edu.cn/
Link: https://lore.kernel.org/all/20260508034841.256794-1-w15303746062@163.com/
Link: https://lore.kernel.org/all/20260508023542.256299-1-w15303746062@163.com/
Link: https://lore.kernel.org/all/20260504025120.98242-1-w15303746062@163.com/
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…_write

commit a287620 upstream.

A KASAN null-ptr-deref was observed in vcs_notifier():

BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}

The issue is a race condition in vcs_write(). When the console_lock is
temporarily dropped (to copy data from userspace), the vc_data pointer
obtained from vcs_vc() may become stale. After re-acquiring the lock,
vcs_vc() is called again to re-validate the pointer. If the vc has been
deallocated in the meantime, vcs_vc() returns NULL, and the while loop
breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
is still called with the now-NULL vc pointer, leading to a null pointer
dereference in the notifier chain (vcs_notifier dereferences param->vc).

Fix this by adding a NULL check for vc before calling vcs_scr_updated().

Fixes: 8fb9ea6 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
Cc: stable@vger.kernel.org
Signed-off-by: Yi Yang <yiyang13@huawei.com>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://patch.msgid.link/20260604060734.2914976-1-yiyang13@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b93062b upstream.

In qcom_geni_serial_handle_rx_dma(), geni_se_rx_dma_unprep() clears
port->rx_dma_addr before SE_DMA_RX_LEN_IN is read. If the register is zero,
for example when the RX stale counter fires on an idle line, the handler
returns without calling geni_se_rx_dma_prep().

The next RX DMA interrupt then hits the !port->rx_dma_addr guard and
returns immediately, so the RX DMA buffer is never rearmed and later input
is lost.

Keep the handler on the rearm path when rx_in is zero. Warn about the
unexpected zero-length DMA completion, skip received-data handling, and
always call geni_se_rx_dma_prep().

Fixes: 2aaa43c ("tty: serial: qcom-geni-serial: add support for serial engine DMA")
Cc: stable@vger.kernel.org
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Viken Dadhaniya <viken.dadhaniya@oss.qualcomm.com>
Link: https://patch.msgid.link/20260528-serial-rx-0-byte-fix-v2-1-b4195cfe342f@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…tion

commit a2b8d78 upstream.

If __add_memory_block() fails at xa_store() (under memory pressure for
example), device_unregister() is called, which eventually triggers
memory_block_release() with mem->altmap still set, causing a
WARN_ON(mem->altmap).  This was triggered by modifying virtio-mem driver.

Fix this by delaying the assignment of mem->altmap until after
__add_memory_block() has succeeded.

Link: https://lore.kernel.org/20260514092657.3057141-1-georgi.djakov@oss.qualcomm.com
Fixes: 1a8c64e ("mm/memory_hotplug: embed vmem_altmap details in memory block")
Signed-off-by: Georgi Djakov <georgi.djakov@oss.qualcomm.com>
Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Richard Cheng <icheng@nvidia.com>
Cc: David Hildenbrand <david@kernel.org>
Cc: Georgi Djakov <djakov@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 609ca17 upstream.

smb2_check_user_session() takes a shortcut for any operation that is not
the first in a COMPOUND request: it reuses work->sess (the session bound by
the first operation) and validates only the SessionId, then returns
"valid". It never re-checks work->sess->state == SMB2_SESSION_VALID, and a
SessionId of 0xFFFFFFFFFFFFFFFF (ULLONG_MAX, the MS-SMB2 related-operation
value) skips even the id comparison. The standalone path
(ksmbd_session_lookup_all() plus the SESSION_SETUP state machine) does
enforce the VALID state; the compound branch bypasses all of it.

A SESSION_SETUP carrying only an NTLM Type-1 (NtLmNegotiate) blob publishes
a fresh SMB2_SESSION_IN_PROGRESS session whose sess->user is still NULL
(->user is assigned later, by ntlm_authenticate()). Used as operation 1 of
a COMPOUND with operation 2 = TREE_CONNECT (related, SessionId=ULLONG_MAX,
\\host\IPC$), the tree-connect then runs on that IN_PROGRESS session and
reaches ksmbd_ipc_tree_connect_request(), which dereferences
user_name(sess->user) with sess->user == NULL (transport_ipc.c:687/701/704)
-> remote NULL-pointer dereference and a kernel Oops that wedges the ksmbd
worker for all clients.

Reject any non-first compound operation that lands on a session which is
not SMB2_SESSION_VALID, mirroring the validity the standalone lookup path
enforces. SESSION_SETUP itself legitimately runs on an IN_PROGRESS session,
but it is never carried as a non-first compound operation, so multi-leg
authentication is unaffected by this check.

Fixes: 5005bcb ("ksmbd: validate session id and tree id in the compound request")
Cc: stable@vger.kernel.org
Signed-off-by: Gil Portnoy <dddhkts1@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
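A userland model of the compound-request session check described in the ksmbd commit above, with the SessionId-only shortcut beside the version that also requires SMB2_SESSION_VALID. This is an added example, not ksmbd code: the structs, the enum values, the return codes, `SAMPLE_SESSION_ID` and the function names are assumptions, and the model only reports that a handler would be reached with a NULL user rather than dereferencing it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* State names are the ones in the commit message; the values are constructed. */
enum sess_state { SMB2_SESSION_IN_PROGRESS = 1, SMB2_SESSION_VALID = 2 };

#define RELATED_SESSION_ID UINT64_MAX /* 0xFFFFFFFFFFFFFFFF in a related op */
#define SAMPLE_SESSION_ID  0x1122ULL  /* constructed */

struct session {
	uint64_t id;
	enum sess_state state;
	const char *user; /* NULL until authentication has completed */
};

struct work {
	struct session *sess; /* session bound by the first compound operation */
};

enum outcome { REJECTED, HANDLED, NULL_USER_REACHED };

typedef int (*check_fn)(const struct work *, uint64_t);

/* Shortcut as described: a non-first operation compares the SessionId only,
 * and the related-operation value skips even that. */
static int check_session_before(const struct work *w, uint64_t sess_id)
{
	if (!w->sess)
		return -ENOENT;
	if (sess_id != RELATED_SESSION_ID && sess_id != w->sess->id)
		return -EINVAL;
	return 1;
}

/* With the fix's rule added: the reused session must also be VALID. */
static int check_session_after(const struct work *w, uint64_t sess_id)
{
	int ret = check_session_before(w, sess_id);

	if (ret != 1)
		return ret;
	if (w->sess->state != SMB2_SESSION_VALID)
		return -EINVAL;
	return 1;
}

/*
 * Model of a non-first compound operation (for instance TREE_CONNECT) that
 * needs sess->user. Reports what would happen; it never touches a NULL user.
 */
static enum outcome second_op(check_fn check, enum sess_state state,
			      const char *user, uint64_t sess_id)
{
	struct session s = { .id = SAMPLE_SESSION_ID, .state = state, .user = user };
	struct work w = { .sess = &s };

	if (check(&w, sess_id) != 1)
		return REJECTED;
	return s.user ? HANDLED : NULL_USER_REACHED;
}

int main(void)
{
	/* Session left IN_PROGRESS by the first operation, user not yet set. */
	printf("before fix: %d\n", second_op(check_session_before,
		SMB2_SESSION_IN_PROGRESS, NULL, RELATED_SESSION_ID));
	printf("after fix:  %d\n", second_op(check_session_after,
		SMB2_SESSION_IN_PROGRESS, NULL, RELATED_SESSION_ID));
	/* An authenticated session keeps working through the compound path. */
	printf("valid sess: %d\n", second_op(check_session_after,
		SMB2_SESSION_VALID, "alice", RELATED_SESSION_ID));
	return 0;
}
```
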
commit 7d8bf3d upstream.

syzbot reported a general protection fault in
vidtv_psi_ts_psi_write_into [1].

vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does
not check for this before dereferencing the returned pointer to access
the continuity counter. This leads to a general protection fault when
accessing a near-NULL address.

The root cause is that vidtv_mux_pid_ctx_init() does not check the
return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs.
If the allocation fails, the PID context is never created, but init
returns success. The subsequent vidtv_mux_push_si() call then gets
NULL from vidtv_mux_get_pid_ctx() and crashes.

Fix both the root cause (add error check in vidtv_mux_pid_ctx_init
for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for
all vidtv_mux_get_pid_ctx() calls.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events vidtv_mux_tick
RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
Call Trace:
 <TASK>
 vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
 vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
 vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
 vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408

Fixes: f90cf60 ("media: vidtv: add a bridge driver")
Cc: stable@vger.kernel.org
Reported-by: syzbot+814c351d094f4f1a1b86@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
Signed-off-by: Ruslan Valiyev <linuxoid@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 06b4135 upstream.

iput() called from fuse_release_end() can Oops if the super block has
already been destroyed.  Normally this is prevented by waiting for
num_waiting to go down to zero before commencing with super block shutdown.

This only works, however, for the last submount instance, as the wait
counter is per connection, not per superblock.

Revert to using synchronous release requests for the auto_submounts case,
which is virtiofs only at this time.

Reported-by: Aurélien Bombo <abombo@microsoft.com>
Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
Cc: Greg Kurz <gkurz@redhat.com>
Closes: kata-containers/kata-containers#12589
Fixes: 26e5c67 ("fuse: fix livelock in synchronous file put from fuseblk workers")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kurz <gkurz@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 35e2470 upstream.

Commit ab04b53 ("mm: introduce copy-on-fork VMAs and make
VM_MAYBE_GUARD one") aggregates flags checks in vma_needs_copy(),
including VM_UFFD_WP.

However in doing so, it incorrectly performed this check against src_vma.
This check was done on the assumption that all relevant flags are copied
upon fork.

However the userfaultfd logic is very innovative in that it implements
custom logic on fork in dup_userfaultfd(), including a rather well hidden
case where lacking UFFD_FEATURE_EVENT_FORK causes VM_UFFD_WP to not be
propagated to the destination VMA.

And indeed, vma_needs_copy(), prior to this patch, did check this property
on dst_vma, not src_vma.

Since all the other relevant flags are copied on fork, we can simply fix
this by checking against dst_vma.

While we're here, we fix a comment against VM_COPY_ON_FORK (noting that it
did indeed already reference dst_vma) to make it abundantly clear that we
must check against the destination VMA.

Link: https://lkml.kernel.org/r/20260114110006.1047071-1-lorenzo.stoakes@oracle.com
Fixes: ab04b53 ("mm: introduce copy-on-fork VMAs and make VM_MAYBE_GUARD one")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reported-by: Chris Mason <clm@meta.com>
Closes: https://lore.kernel.org/all/20260113231257.3002271-1-clm@meta.com/
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Acked-by: Pedro Falcato <pfalcato@suse.de>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
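
A small model of the source-versus-destination flag check discussed in the commit message above, added here as an illustration; it is not the kernel's code. The bit values, the `struct vma` layout and the function names are assumptions, and the kernel's full VM_COPY_ON_FORK mask is not reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed bit values; only the flag and feature names come from the
 * commit message. */
#define VM_UFFD_WP      0x1UL
#define VM_MAYBE_GUARD  0x2UL
#define VM_COPY_ON_FORK (VM_UFFD_WP | VM_MAYBE_GUARD)

struct vma {
    unsigned long vm_flags;
    bool uffd_event_fork; /* uffd context has UFFD_FEATURE_EVENT_FORK */
};

/* Model of the fork path: flags are copied, then the userfaultfd fork logic
 * drops VM_UFFD_WP from the child unless UFFD_FEATURE_EVENT_FORK is set. */
static struct vma fork_vma(const struct vma *src)
{
    struct vma dst = *src;

    if (!src->uffd_event_fork)
        dst.vm_flags &= ~VM_UFFD_WP;
    return dst;
}

/* The regressed form: decides from the parent's flags. */
static bool needs_copy_checking_src(const struct vma *dst,
                                    const struct vma *src)
{
    (void)dst;
    return (src->vm_flags & VM_COPY_ON_FORK) != 0;
}

/* The corrected form: decides from the child's flags. */
static bool needs_copy_checking_dst(const struct vma *dst,
                                    const struct vma *src)
{
    (void)src;
    return (dst->vm_flags & VM_COPY_ON_FORK) != 0;
}

/* Constructed parent VMAs covering each combination of interest. */
static const struct vma cases[] = {
    { 0, false },              /* 0: no copy-on-fork flag */
    { VM_MAYBE_GUARD, false }, /* 1: flag that is copied on fork */
    { VM_UFFD_WP, true },      /* 2: uffd-wp, child stays registered */
    { VM_UFFD_WP, false },     /* 3: uffd-wp, child is not registered */
};
#define NCASES (sizeof(cases) / sizeof(cases[0]))

/* Bitmask of case indexes where the two checks give different answers. */
static unsigned disagreements(void)
{
    unsigned mask = 0;

    for (size_t i = 0; i < NCASES; i++) {
        struct vma dst = fork_vma(&cases[i]);

        if (needs_copy_checking_src(&dst, &cases[i]) !=
            needs_copy_checking_dst(&dst, &cases[i]))
            mask |= 1u << i;
    }
    return mask;
}

int main(void)
{
    printf("cases where src and dst checks differ: 0x%x\n", disagreements());
    return 0;
}
```

Only case 3 differs: the parent-side check asks for a page table copy that the child, which no longer carries VM_UFFD_WP, does not need.
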
Link: https://lore.kernel.org/r/20260625125645.554579168@linuxfoundation.org
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Tested-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* refs/heads/0c503cf
  Linux 6.18.37
  mm: do not copy page tables unnecessarily for VM_UFFD_WP
  virtiofs: fix UAF on submount umount
  media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si
  ksmbd: reject non-VALID session in compound request branch
  drivers/base/memory: set mem->altmap after successful device registration
  serial: qcom_geni: Fix RX DMA stall when SE_DMA_RX_LEN_IN is zero
  vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write
  crypto: qat - remove unused character device and IOCTLs
  iio: adc: ti-ads1298: add bounds check to pga_settings index
  iio: light: veml6075: add bounds check to veml6075_it_ms index
  net: net_failover: Fix the deadlock in slave register
  net: export netif_open for self_test usage
  testing/selftests/mm: add soft-dirty merge self-test
  mm: propagate VM_SOFTDIRTY on merge
  mm: set the VM_MAYBE_GUARD flag on guard region install
  mm: introduce copy-on-fork VMAs and make VM_MAYBE_GUARD one
  mm: implement sticky VMA flags
  mm: update vma_modify_flags() to handle residual flags, document
  mm: add atomic VMA flags and set VM_MAYBE_GUARD as such
  mm: introduce VM_MAYBE_GUARD and make visible in /proc/$pid/smaps
  sctp: disable BH before calling udp_tunnel_xmit_skb()
  firmware: samsung: acpm: Fix cross-thread RX length corruption
  Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs
  hv: utils: handle and propagate errors in kvp_register
  regulator: core: fix locking in regulator_resolve_supply() error path
  rose: don't free fd-owned sockets when reaping in the heartbeat
  rose: clear neighbour pointer in rose_kill_by_device()
  rose: cancel neighbour timers in rose_neigh_put() before freeing
  rose: drop CALL_REQUEST in loopback timer when device is not running
  rose: release netdev ref and destroy orphaned incoming sockets
  rose: fix netdev double-hold in rose_make_new()
  rose: disconnect orphaned STATE_2 sockets when device is gone
  rose: set SOCK_DESTROY in rose_kill_by_device() for prompt cleanup
  rose: fix notifier unregistered too early in rose_exit()
  rose: fix netdev double-hold in rose_rx_call_request()
  rose: guard rose_neigh_put() against NULL in timer expiry
  rose: clear neighbour pointer after rose_neigh_put() in state machines
  rose: fix race between loopback timer and module removal
  rose: hold loopback neighbour reference across timer callback
  rose: fix dev_put() leak in rose_loopback_timer()
  ACPI: scan: Use async schedule function in acpi_scan_clear_dep_fn()
  agp/amd64: Fix broken error propagation in agp_amd64_probe()
  net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink()
  i2c: stub: Reject I2C block transfers with invalid length
  RDMA/bnxt_re: zero shared page before exposing to userspace
  debugobjects: Dont call fill_pool() in early boot hardirq context
  debugobjects: Do not fill_pool() if pi_blocked_on
  debugobjects: Use LD_WAIT_CONFIG instead of LD_WAIT_SLEEP
  debugobjects: Allow to refill the pool before SYSTEM_SCHEDULING
  Revert "NFSD: Defer sub-object cleanup in export put callbacks"
  fuse: re-lock request before replacing page cache folio
  net: stmmac: fix stm32 (and potentially others) resume regression
  io_uring/net: Avoid msghdr on op_connect/op_bind async data
  Linux 6.18.36
  netfilter: require Ethernet MAC header before using eth_hdr()
  cfi: Include uaccess.h for get_kernel_nofault()
  vsock/virtio: fix skb overhead overflow on 32-bit builds
  block: fix handling of dead zone write plugs
  arm64: errata: Mitigate TLBI errata on Microsoft Azure Cobalt 100 CPU
  arm64: errata: Mitigate TLBI errata on NVIDIA Olympus CPU
  arm64: errata: Mitigate TLBI errata on various Arm CPUs
  arm64: cputype: Add C1-Premium definitions
  arm64: cputype: Add C1-Ultra definitions
  vsock/virtio: fix skb overhead accounting to preserve full buf_alloc
  vsock/virtio: fix potential unbounded skb queue
  ipvs: skip ipv6 extension headers for csum checks
  RDMA/umem: Fix truncation for block sizes >= 4G
  RDMA: Move DMA block iterator logic into dedicated files
  RDMA/umem: fix kernel-doc warnings
  netfilter: nft_fib: fix stale stack leak via the OIFNAME register
  RDMA: During rereg_mr ensure that REREG_ACCESS is compatible
  RDMA/umem: Add helpers for umem dmabuf revoke lock
  RDMA/umem: Move umem dmabuf revoke logic into helper function
  RDMA/umem: Add ib_umem_dmabuf_get_pinned_and_lock helper
  sched_ext: Don't warn on NULL cgrp_moving_from in scx_cgroup_move_task()
  wifi: mac80211: tests: mark HT check strict
  wifi: mac80211: skip ieee80211_verify_sta_ht_mcs_support check in non-strict mode
  driver core: reject devices with unregistered buses
  fs/fcntl: fix SOFTIRQ-unsafe lock order in fasync signaling
  drm/amd/display: Use krealloc_array() in dal_vector_reserve()
  drm/amd/display: Fix out-of-bounds read in dp_get_eq_aux_rd_interval()
  drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
  drm/amd/display: add missing CSC entries for BT.2020 for DCE IPs
  drm/amd/display: Clamp VBIOS HDMI retimer register count to array size
  drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
  drm/amd/display: Bound VBIOS record-chain walk loops
  drm/amd/pm: smu_v14_0_0: use SoftMin for gfxclk in set_soft_freq_limited_range
  drm/amd/pm: mark metrics.energy_accumulator is invalid for smu 14.0.2
  drm/amd/pm: fix smu13 power limit default/cap calculation
  drm/amdgpu: set noretry=1 as default for GFX 10.1.x (Navi10/12/14)
  drm/amdgpu: restart the CS if some parts of the VM are still invalidated
  drm/amdgpu: fix waiting for all submissions for userptrs
  drm/v3d: Skip CSD when it has zeroed workgroups
  drm/v3d: Fix vaddr leak when indirect CSD has zeroed workgroups
  drm/v3d: Fix global performance monitor reference counting
  drm/v3d: Wait for pending L2T flush before cleaning caches
  drm/xe: Clear pending_disable before signaling suspend fence
  drm/xe/display: fix oops in suspend/shutdown without display
  drm/amdkfd: Fix buffer overflow in SDMA queue checkpoint/restore on GFX11
  drm/amdkfd: fix NULL dereference in get_queue_ids()
  drm/gem: Try to fix change_handle ioctl, attempt 4
  slimbus: qcom-ngd-ctrl: Avoid ABBA on tx_lock/ctrl->lock
  slimbus: qcom-ngd-ctrl: Balance pm_runtime enablement for NGD
  slimbus: qcom-ngd-ctrl: Correct PDR and SSR cleanup ownership
  slimbus: qcom-ngd-ctrl: Initialize controller resources in controller
  slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
  slimbus: qcom-ngd-ctrl: Fix probe error path ordering
  slimbus: qcom-ngd-ctrl: Fix up platform_driver registration
  slimbus: qcom-ngd-ctrl: fix OF node refcount
  thunderbolt: Limit XDomain response copy to actual frame size
  thunderbolt: Validate XDomain request packet size before type cast
  thunderbolt: Clamp XDomain response data copy to allocation size
  thunderbolt: Bound root directory content to block size
  thunderbolt: Reject zero-length property entries in validator
  sctp: stream: fully roll back denied add-stream state
  sctp: diag: reject stale associations in dump_one path
  rxrpc: Fix the ACK parser to extract the SACK table for parsing
  rtase: Reset TX subqueue when clearing TX ring
  rtase: Avoid sleeping in get_stats64()
  pmdomain: ti_sci: add wakeup constraint to parent devices of wakeup source
  pmdomain: imx: fix OF node refcount
  mmc: sdhci: add signal voltage switch in sdhci_resume_host
  mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC
  mmc: litex_mmc: Set mandatory idle clocks before CMD0
  mmc: dw_mmc-rockchip: Add missing private data for very old controllers
  mmc: core: Fix host controller programming for fixed driver type
  mm/mincore: handle non-swap entries before !CONFIG_SWAP guard
  mm/list_lru: drain before clearing xarray entry on reparent
  mm/hugetlb: restore reservation on error in hugetlb folio copy paths
  mm/hugetlb: avoid false positive lockdep assertion
  mm/damon/reclaim: handle ctx allocation failure
  mm/damon/lru_sort: handle ctx allocation failure
  mm/cma_debug: fix invalid accesses for inactive CMA areas
  mm/cma: fix reserved page leak on activation failure
  io_uring/wait: fix min_timeout behavior
  io_uring/kbuf: don't truncate end buffer for bundles
  pinctrl: mcp23s08: Read spi-present-mask as u8 not u32
  octeontx2-af: fix memory leak in rvu_setup_hw_resources()
  nvmem: layouts: onie-tlv: fix hang on unknown types
  nvmem: core: fix use-after-free bugs in error paths
  net: sfp: initialize i2c_block_size at adapter configure time
  net: rds: clear i_sends on setup unwind
  net: phonet: free phonet_device after RCU grace period
  net: mv643xx: fix OF node refcount
  net: bonding: fix NULL pointer dereference in bond_do_ioctl()
  net: airoha: Add NULL check for of_reserved_mem_lookup() in airoha_qdma_init_hfwd_queues()
  net/mlx5: Reorder completion before putting command entry in cmd_work_handler
  firmware: samsung: acpm: Fix mailbox channel leak on probe error
  misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
  misc: fastrpc: fix DMA address corruption due to find_vma misuse
  misc: fastrpc: fix use-after-free race in fastrpc_map_create
  misc: fastrpc: fix use-after-free of fastrpc_user in workqueue context
  memcg: use round-robin victim selection in refill_stock
  locking/rtmutex: Skip remove_waiter() when waiter is not enqueued
  ipc/shm: serialize orphan cleanup with shm_nattch updates
  iommu/dma: Do not try to iommu_map a 0 length region in swiotlb
  Input: atkbd - skip deactivate for HONOR BCC-N's internal keyboard
  Input: atkbd - add DMI quirk for Lenovo Yoga Air 14 (83QK)
  i2c: tegra: Fix NOIRQ suspend/resume
  i2c: stm32f7: fix timing computation ignoring i2c-analog-filter
  i2c: qcom-cci: Fix NULL pointer dereference in cci_remove()
  i2c: imx: fix clock and pinctrl state inconsistency in runtime PM
  i2c: imx-lpi2c: fix resource leaks switching to devm_dma_request_chan()
  futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock
  fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios
  fuse: reject fuse_notify() pagecache ops on directories
  fs/qnx6: fix pointer arithmetic in directory iteration
  pidfd: refuse access to tasks that have started exiting harder
  inet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
  IB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
  fhandle: fix UAF due to unlocked ->mnt_ns read in may_decode_fh()
  bnxt_en: Fix NULL pointer dereference
  ASoC: fsl_sai: Fix 32 slots TDM broken by integer shift UB in xMR write
  staging: rtl8723bs: fix buffer over-read in rtw_update_protection
  timers/migration: Fix livelock in tmigr_handle_remote_up()
  vsock/vmci: fix sk_ack_backlog leak on failed handshake
  wifi: nl80211: reject oversized EMA RNR lists
  wifi: iwlwifi: pcie: simplify the resume flow if fast resume is not used
  xfs: fix rtgroup cleanup in CoW fork repair
  xfs: fix error returns in CoW fork repair
  mptcp: add-addr: always drop other suboptions
  selftests: mptcp: add test for extra_subflows underflow on userspace PM
  mptcp: sockopt: set sockopt on all subflows
  mptcp: sockopt: check timestamping ret value
  mptcp: pm: fix extra_subflows underflow on userspace PM subflow creation
  mptcp: allow subflow rcv wnd to shrink
  mptcp: close TOCTOU race while computing rcv_wnd
  mptcp: fix retransmission loop when csum is enabled
  arm64: mm: call pagetable dtor when freeing hot-removed page tables
  ARM: 9475/1: entry: use byte load for KASAN VMAP stack shadow
  ARM: 9474/1: io: avoid KASAN instrumentation of raw halfword I/O
  ARM: socfpga: Fix OF node refcount leak in SMP setup
  udp: clear skb->dev before running a sockmap verdict
  zram: fix use-after-free in zram_bvec_write_partial()
  RDMA/srp: bound SRP_RSP sense copy by the received length
  RDMA/core: Validate cpu_id against nr_cpu_ids in DMAH alloc
  RDMA/core: Validate the passed in fops for ib_get_ucaps()
  mm/huge_memory: update file PUD counter before folio_put()
  mm/damon/ops-common: call folio_test_lru() after folio_get()
  mm/huge_memory: update file PMD counter before folio_put()
  drm/amd/display: Reject gpio_bitshift >= 32 in bios_parser_get_gpio_pin_info()
  drm/virtio: fix dma_fence refcount leak on error in virtio_gpu_dma_fence_wait()
  io_uring/net: inherit IORING_CQE_F_BUF_MORE across bundle recv retries
  ALSA: timer: Fix UAF at snd_timer_user_params()
  ALSA: timer: Forcibly close timer instances at closing
  USB: serial: kl5kusb105: fix bulk-out buffer overflow
  USB: serial: option: add usb-id for Dell Wireless DW5826e-m
  USB: serial: io_ti: fix heap overflow in build_i2c_fw_hdr()
  USB: serial: io_ti: fix heap overflow in get_manuf_info()
  xfrm: iptfs: fix ABBA deadlock in iptfs_destroy_state()
  xfrm: iptfs: preserve shared-frag marker in iptfs_consume_frags()
  xfrm: espintcp: do not reuse an in-progress partial send
  ksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
  hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
  drm/i915/gem: Fix phys BO pread/pwrite with offset
  KVM: arm64: Restore POR_EL0 access to host EL0
  KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA
  KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
  mshv: add a missing padding field
  mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation
  rust: kasan/kbuild: fix rustc-option when cross-compiling
  rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES
  ARM: Do not select HAVE_RUST when KASAN is enabled
  rust: x86: support Rust >= 1.98.0 target spec
  tracing/probes: Point the error offset correctly for eprobe argument error
  tracing: Fix CFI violation in probestub being called by tprobes
  accel/ivpu: Fix signed integer truncation in IPC receive
  accel/ivpu: Add buffer overflow check in MS get_info_ioctl
  accel/ivpu: Add bounds checks for firmware log indices
  mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison
  soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get()
  Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
  Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
  tee: shm: fix shm leak in register_shm_helper()
  netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
  netfilter: nft_tunnel: fix use-after-free on object destroy
  accel/amdxdna: Fix mm_struct reference leak in aie2_populate_range()
  drm/xe: fix refcount leak in xe_range_fence_insert()
  drm/vc4: fix krealloc() memory leak
  drm/virtio: Fix driver removal with disabled KMS
  drm/i915/edp: Check supported link rates DPCD read
  clk: qcom: dispcc-sc8280xp: Don't park mdp_clk_src at registration time
  clk: samsung: gs101: Fix missing USI7_USI DIV clock in peric0_clk_regs
  clk: qcom: x1e80100-dispcc: Stop disp_cc_mdss_mdp_clk_src from getting parked
  KVM: VMX: Update SVI during runtime APICv activation
  ipv6: Fix a potential NPD in cleanup_prefix_route()
  net: txgbe: initialize module info buffer
  net: txgbe: rename the SFP related
  net: txgbe: support CR modules for AML devices
  net: txgbe: optimize the flow to setup PHY for AML devices
  net: mvpp2: build skb from XDP-adjusted data on XDP_PASS
  net: mvpp2: refill RX buffers before XDP or skb use
  net: mvpp2: limit XDP frame size to the RX buffer
  net: mvpp2: sync RX data at the hardware packet offset
  netfilter: nft_exthdr: fix register tracking for F_PRESENT flag
  netfilter: nf_log: validate MAC header was set before dumping it
  netfilter: x_tables: avoid leaking percpu counter pointers
  netfilter: nf_conntrack: destroy stale expectfn expectations on unregister
  netfilter: revalidate bridge ports
  spi: rzv2h-rspi: Fix SPDR read access width for 16-bit RX
  rds: mark snapshot pages dirty in rds_info_getsockopt()
  ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
  tun: zero the whole vnet header in tun_put_user()
  net/rds: fix NULL deref in rds_ib_send_cqe_handler() on masked atomic completion
  net: guard timestamp cmsgs to real error queue skbs
  sctp: validate embedded INIT chunk and address list lengths in cookie
  ip6_vti: set netns_immutable on the fallback device.
  sctp: fix uninit-value in __sctp_rcv_asconf_lookup()
  ASoC: SOF: amd: fix for ipc flags check
  net: mctp: usb: don't fail mctp_usb_rx_queue on a deferred submission
  net: mctp: usb: fix race between urb completion and rx_retry cancellation
  gpio: rockchip: fix generic IRQ chip leak on remove
  gpio: zynq: fix runtime PM leak on remove
  r8152: handle the return value of usb_reset_device()
  net: openvswitch: fix possible kfree_skb of ERR_PTR
  ipv6: sit: reload inner IPv6 header after GSO offloads
  net/mlx5: Use effective affinity mask for IRQ selection
  net/mlx5e: xsk: Fix DMA and xdp_frame leak on XDP_TX xmit failure
  net/mlx5: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list
  net: qrtr: fix refcount saturation and potential UAF in qrtr_port_remove
  net: phy: clean the sfp upstream if phy probing fails
  netdev: fix double-free in netdev_nl_bind_rx_doit()
  net: ibm: emac: Fix use-after-free during device removal
  net/mlx4: avoid GCC 10 __bad_copy_from() false positive
  net: add pskb_may_pull() to skb_gro_receive_list()
  tcp: restrict SO_ATTACH_FILTER to priv users
  ASoC: wm_adsp: Fix NULL dereference when removing firmware controls
  gpio: mvebu: fix NULL pointer dereference in suspend/resume
  netlabel: validate unlabeled address and mask attribute lengths
  bnge: fix context mem iteration
  net: ena: PHC: Add missing barrier
  idpf: fix mailbox capability for set device clock time
  ice: fix missing priority callbacks for U.FL DPLL pins
  xfrm: policy: fix use-after-free on inexact bin in xfrm_policy_bysel_ctx()
  dma-debug: fix physical address retrieval in debug_dma_sync_sg_for_device
  dma-mapping: direct: fix missing mapping for THRU_HOST_BRIDGE segments
  xfrm: iptfs: fix use-after-free on first_skb in __input_process_payload
  tap: free page on error paths in tap_get_user_xdp()
  verification/rvgen: Fix ltl2k writing True as a literal
  verification/rvgen: Fix options shared among commands
  tools/rv: Fix cleanup after failed trace setup
  tools/rv: Fix substring match when listing container monitors
  tools/rv: Fix substring match bug in monitor name search
  tools/rv: Ensure monitor name and desc are NUL-terminated
  cpufreq/amd-pstate: drop stale @epp_cached kdoc
  spi: cadence-quadspi: fix unclocked access on unbind
  ALSA: seq: dummy: fix UMP event stack overread
  ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on linked streams
  time: Fix off-by-one in settimeofday() usec validation
  hyperv: Clean up and fix the guest ID comment in hvgdk.h
  signal: clear JOBCTL_PENDING_MASK for caller in zap_other_threads()
  selftests: harness: fix pidfd leak in __wait_for_test
  drm/hyperv: During panic do VMBus unload after frame buffer is flushed
  Drivers: hv: vmbus: Provide option to skip VMBus unload on panic
  Drivers: hv: VMBus protocol version 6.0
  sctp: purge outqueue on stale COOKIE-ECHO handling
  net/802/mrp: fix vector attribute parsing in mrp_pdu_parse_vecattr
  ieee802154: 6lowpan: only accept IPv6 packets in lowpan_xmit()
  vxlan: vnifilter: fix spurious notification on VNI update
  vxlan: vnifilter: send notification on VNI add
  octeontx2-af: npc: Fix CPT channel mask in npc_install_flow
  sctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
  net/sched: fix pedit partial COW leading to page cache corruption
  net: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
  net: airoha: Fix use-after-free in metadata dst teardown
  ptp: vclock: Switch from RCU to SRCU
  ipv4: restrict IPOPT_SSRR and IPOPT_LSRR options
  af_unix: Fix inq_len update problem in partial read
  octeontx2-af: Fix initialization of mcam's entry2target_pffunc field
  octeontx2-pf: Fix NDC sync operation errors
  xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()
  Bluetooth: MGMT: Fix backward compatibility with userspace
  Bluetooth: SCO: Fix data-race on sco_pi fields in sco_connect
  Bluetooth: ISO: Fix data-race on iso_pi fields in hci_get_route calls
  Bluetooth: ISO: Fix not releasing hdev reference on iso_conn_big_sync
  Bluetooth: fix memory leak in error path of hci_alloc_dev()
  Bluetooth: bnep: reject short frames before parsing
  Bluetooth: bnep: fix incorrect length parsing in bnep_rx_frame() extension handling
  Bluetooth: RFCOMM: validate skb length in MCC handlers
  Bluetooth: MGMT: validate advertising TLV before type checks
  Bluetooth: RFCOMM: hold listener socket in rfcomm_connect_ind()
  wifi: fix leak if split 6 GHz scanning fails
  ipv6: anycast: insert aca into global hash under idev->lock
  net: fec: fix pinctrl default state restore order on resume
  net: lan743x: permit VLAN-tagged packets up to configured MTU
  net: garp: fix unsigned integer underflow in garp_pdu_parse_attr
  hsr: Remove WARN_ONCE() in hsr_addr_is_self().
  net: Annotate sk->sk_write_space() for UDP SOCKMAP.
  pcnet32: stop holding device spin lock during napi_complete_done
  wifi: mac80211: limit injected antenna index in ieee80211_parse_tx_radiotap
  drm/imx: Fix three kernel-doc warnings in dcss-scaler.c
  devlink: Release nested relation on devlink free
  l2tp: pppol2tp: hold reference to session in pppol2tp_ioctl()
  6lowpan: fix off-by-one in multicast context address compression
  net/sched: act_api: use RCU with deferred freeing for action lifecycle
  dm cache policy smq: check allocation under invalidate lock
  netfilter: bridge: make ebt_snat ARP rewrite writable
  netfilter: nft_ct: bail out on template ct in get eval
  netfilter: conntrack_irc: fix possible out-of-bounds read
  netfilter: synproxy: add mutex to guard hook reference counting
  ipvs: clear the svc scheduler ptr early on edit
  netfilter: xt_NFQUEUE: prefer raw_smp_processor_id
  ksmbd: fix NULL-deref of opinfo->conn in oplock/lease break notifiers
  wifi: iwlwifi: mvm: don't support the reset handshake for old firmwares
  erofs: fix use-after-free on sbi->sync_decompress
  erofs: tidy up synchronous decompression
  tee: qcomtee: add missing va_end in early return qcomtee_object_user_init()
  tee: fix tee_ioctl_object_invoke_arg padding
  soc: qcom: ice: Return -ENODEV if the ICE platform device is not found
  ARM: dts: microchip: sam9x7: fix GMAC clock configuration
  arm64: dts: qcom: x1-dell-thena: remove i2c20 (battery SMBus) and reserve its pins
  soc: qcom: ice: Allow explicit votes on 'iface' clock for ICE
  tee: optee: prevent use-after-free when the client exits before the supplicant
  net/smc: fix sleep-inside-lock in __smc_setsockopt() causing local DoS
  ipv6: mcast: Fix use-after-free when processing MLD queries
  i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl
  KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation
  ARM: fix branch predictor hardening
  ARM: fix hash_name() fault
  ARM: allow __do_kernel_fault() to report execution of memory faults
  ARM: group is_permission_fault() with is_translation_fault()
  bpf: Free reuseport cBPF prog after RCU grace period.
  Linux 6.18.35
  KVM: arm64: Reassign nested_mmus array behind mmu_lock
  KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry
  tools: ynl: add scope qualifier for definitions
  usb: core: Fix SuperSpeed root hub wMaxPacketSize
  thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()
  drm/i915/psr: Use DC_OFF wake reference to block DC6 on vblank enable
  mailbox: Fix NULL message support in mbox_send_message()
  xhci: tegra: Fix ghost USB device on dual-role port unplug
  net: phy: micrel: fix LAN8814 QSGMII soft reset
  mm/slub: hold cpus_read_lock around flush_rcu_sheaves_on_cache()
  hwmon: (pmbus/adm1266) serialize GPIO PMBus accesses with pmbus_lock
  hwmon: (pmbus/adm1266) serialize sequencer_state debugfs read with pmbus_lock
  hwmon: (pmbus) Add support for guarded PMBus lock
  USB: serial: mct_u232: fix memory corruption with small endpoint
  USB: serial: digi_acceleport: fix memory corruption with small endpoints
  USB: serial: cypress_m8: fix memory corruption with small endpoint
  usb: dwc3: xilinx: fix error handling in zynqmp init error paths
  xfrm: iptfs: reset runtime state when cloning SAs
  cpufreq: intel_pstate: Use correct scaling factor on Raptor Lake-E
  cpufreq: intel_pstate: Add and use hybrid_get_cpu_type()
  mptcp: reset rcv wnd on disconnect
  mptcp: cleanup fallback dummy mapping generation
  octeontx2-pf: avoid double free of pool->stack on AQ init failure
  arm64: tlb: Flush walk cache when unsharing PMD tables
  mptcp: do not drop partial packets
  mptcp: borrow forward memory from subflow
  mptcp: handle first subflow closing consistently
  net: devmem: reject dma-buf bind with non-page-aligned size or SG length
  selftests: mptcp: drop nanoseconds width specifier
  Bluetooth: hci_qca: Convert timeout from jiffies to ms
  Bluetooth: hci_qca: Migrate to serdev specific shutdown function
  serdev: Provide a bustype shutdown function
  rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
  rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg
  x86/mm: Disable broadcast TLB flush when PCID is disabled
  platform/x86/intel/vsec: Fix enable_cnt imbalance on PCIe error recovery
  platform/x86/intel/vsec: Make driver_data info const
  platform/x86/intel/vsec: Refactor base_addr handling
  serial: 8250_dw: dispatch SysRq character in dw8250_handle_irq()
  serial: 8250: dispatch SysRq character in serial8250_handle_irq()
  serial: core: introduce guard(uart_port_lock_check_sysrq_irqsave)
  serial: zs: Convert to use a platform device
  serial: zs: Switch to using channel reset
  serial: zs: Fix bootconsole handover lockup
  serial: dz: Convert to use a platform device
  serial: dz: Fix bootconsole handover lockup
  serial: dz: Fix bootconsole message clobbering at chip reset
  drm/amdgpu: check num_entries in GEM_OP GET_MAPPING_INFO
  drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx
  drm/amdgpu: fix lock leak on ENOMEM in AMDGPU_GEM_OP_GET_MAPPING_INFO
  drm/amdkfd: Check for pdd drm file first in CRIU restore path
  drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger
  drm/amdkfd: fix NULL pointer bug in svm_range_set_attr
  serial: fsl_lpuart: fix rx buffer and DMA map leaks in start_rx_dma
  serial: zs: Fix swapped RI/DSR modem line transition counting
  serial: sh-sci: fix memory region release in error path
  serial: qcom_geni: fix kfifo underflow when flush precedes DMA completion IRQ
  serial: qcom-geni: fix UART_RX_PAR_EN bit position
  serial: altera_jtaguart: handle uart_add_one_port() failures
  drm/amd/pm/si: Disregard vblank time when no displays are connected
  drm/i915: Fix potential UAF in TTM object purge
  drm/i915/psr: Block DC states on vblank enable when Panel Replay supported
  drm/gem: fix race between change_handle and handle_delete
  drm/hyperv: validate VMBus packet size in receive callback
  drm/hyperv: validate resolution_count and fix WIN8 fallback
  scsi: target: iscsi: Validate CHAP_R length before base64 decode
  scsi: target: iscsi: Bound iscsi_encode_text_output() appends to rsp_buf
  scsi: target: iscsi: Fix CRC overread and double-free in iscsit_handle_text_cmd()
  scsi: scsi_transport_fc: Widen FPIN pname walker counter to u32
  scsi: fcoe: Reject FIP descriptors with zero fip_dlen in CVL walker
  thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow
  thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()
  usb: gadget: f_fs: serialize DMABUF cancel against request completion
  usb: gadget: f_fs: copy only received bytes on short ep0 read
  usb: gadget: dummy_hcd: Reject hub port requests for non-existent ports
  usb: gadget: composite: fix integer underflow in WebUSB GET_URL handling
  usb: gadget: f_hid: fix device reference leak in hidg_alloc()
  usb: gadget: net2280: Fix double free in probe error path
  usb: gadget: uvc: hold opts->lock across XU walks in uvc_function_bind
  USB: serial: mct_u232: fix missing interrupt-in transfer sanity check
  USB: serial: mxuport: fix memory corruption with small endpoint
  USB: serial: keyspan: fix missing indat transfer sanity check
  USB: serial: cypress_m8: validate interrupt packet headers
  USB: serial: belkin_sa: validate interrupt status length
  USB: serial: option: add missing RSVD(5) flag for Rolling RW135R-GL
  USB: serial: option: add MeiG SRM813Q
  usb: typec: ucsi: Don't update power_supply on power role change if not connected
  usb: typec: ucsi: Check if power role change actually happened before handling
  usb: typec: tcpm: improve handling of DISCOVER_MODES failures
  usb: typec: tipd: Fix error code in tps6598x_probe()
  usb: usbtmc: reject interrupt endpoints with small wMaxPacketSize
  usb: usbtmc: check URB actual_length for interrupt-IN notifications
  usbip: vudc: Fix use after free bug in vudc_remove due to race condition
  usb: storage: Add quirks for PNY Elite Portable SSD
  USB: quirks: add NO_LPM for Lenovo ThinkPad USB-C Dock Gen2 hub controllers
  usb: musb: omap2430: Fix use-after-free in omap2430_probe()
  usb: core: Fix up Interrupt IN endpoints with bogus wBytesPerInterval
  usb: chipidea: core: convert ci_role_switch to local variable
  tty: serial: samsung: Remove redundant port lock acquisition in rx helpers
  tty: serial: pch_uart: add check for dma_alloc_coherent()
  counter: Fix refcount leak in counter_alloc() error path
  comedi: comedi_test: Fix limiting of convert_arg in waveform_ai_cmdtest()
  comedi: comedi_test: fix check for valid scan_begin_src in waveform_ai_cmdtest()
  Input: synaptics - add LEN2058 to SMBus passlist for ThinkPad E490
  Input: atmel_mxt_ts - fix boundary check in mxt_prepare_cfg_mem
  misc: rp1: Send IACK on IRQ activate to fix kdump/kexec
  ksmbd: OOB read regression in smb_check_perm_dacl() ACE-walk loops
  Input: xpad - add support for ASUS ROG RAIKIRI II
  Input: xpad - add "Nova 2 Lite" from GameSir
  ALSA: hda/realtek: Fix speaker output on ASUS ROG Strix G615LP
  xfrm: esp: restore combined single-frag length gate
  ASoC: qcom: q6asm-dai: do not set stream state in event and trigger callbacks
  ASoC: qcom: q6asm-dai: close stream only when running
  netfilter: conntrack: tcp: do not force CLOSE on invalid-seq RST without direction check
  ALSA: firewire-motu: Protect register DSP event queue positions
  ALSA: scarlett2: Fix 2i2 Gen 4 direct monitor gain on firmware 2417
  xfrm: ah: use skb_to_full_sk in async output callbacks
  xfrm: ipcomp: Free destination pages on acomp errors
  xfrm: route MIGRATE notifications to caller's netns
  nfc: hci: fix out-of-bounds read in HCP header parsing
  iommu, debugobjects: avoid gcc-16.1 section mismatch warnings
  HID: wacom: Fix OOB write in wacom_hid_set_device_mode()
  spi: spi-mem: avoid mutating op template in spi_mem_supports_op()
  net: skbuff: fix missing zerocopy reference in pskb_carve helpers
  ip6: vti: Use ip6_tnl.net in vti6_changelink().
  l2tp: use refcount_inc_not_zero in l2tp_session_get_by_ifname
  xfrm: input: hold netns during deferred transport reinjection
  ipv6: validate extension header length before copying to cmsg
  ip6: vti: Use ip6_tnl.net in vti6_siocdevprivate().
  ipv6: exthdrs: refresh nh after handling HAO option
  ASoC: qcom: q6asm-dai: fix error handling in prepare and set_params
  ipv6: exthdrs: refresh nh pointer after ipv6_hop_jumbo()
  macsec: fix replay protection at XPN lower-PN wrap
  bpf: sockmap: fix tail fragment offset in bpf_msg_push_data
  wireguard: send: append trailer after expanding head
  x86/ftrace: Relocate %rip-relative percpu refs in dynamic trampolines
  i2c: davinci: fix division by zero on missing clock-frequency
  Input: elan_i2c - validate firmware size before use
  usb: dwc2: Fix use after free in debug code
  usb: cdns3: plat: fix unbalanced pm_runtime_forbid() call permanently leaks the runtime PM usage counter across bind/unbind cycles
  usb: cdns3: plat: fix leaked usb2_phy initialization on usb3_phy acquisition failure
  usb: cdns3: gadget: fix request skipping after clearing halt
  USB: serial: omninet: fix memory corruption with small endpoint
  iio: buffer: Fix DMA fence leak in iio_buffer_enqueue_dmabuf()
  iio: buffer: hw-consumer: fix use-after-free in error path
  iio: light: cm3323: fix reg_conf not being initialized correctly
  iio: chemical: scd30: fix division by zero in write_raw
  iio: chemical: mhz19b: reject oversized serial replies
  iio: Fix iio_multiply_value use in iio_read_channel_processed_scale
  iio: light: veml6070: Fix resource leak in probe error path
  iio: magnetometer: st_magn: fix default DRDY pin selection for LIS2MDL
  iio: temperature: tsys01: fix broken PROM checksum validation
  iio: ssp_sensors: cancel delayed work_refresh on remove
  iio: gyro: adis16260: fix division by zero in write_raw
  iio: gyro: itg3200: fix i2c read into the wrong stack location
  iio: adc: ad4695: Fix call ordering in offload buffer postenable
  iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw
  iio: adc: mt6359: fix unchecked return value in mt6358_read_imp
  iio: dac: ad5686: fix powerdown control on dual-channel devices
  iio: dac: ad5686: acquire lock when doing powerdown control
  iio: dac: ad5686: fix input raw value check
  iio: dac: ad5686: fix ref bit initialization for single-channel parts
  iio: dac: max5821: fix return value check in powerdown sync
  iio: dac: ad3530r: Fix AD3531/AD3531R powerdown mode strings
  iio: adc: npcm: fix unbalanced clk_disable_unprepare()
  iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux
  Disable -Wattribute-alias for clang-23 and newer
  KVM: SEV: Don't explicitly pass PSC buffer to snp_begin_psc()
  KVM: SEV: Use READ_ONCE() when reading entries/indices from PSC buffer
  KVM: SEV: Check PSC request indices against the actual size of the buffer
  KVM: SEV: Compute the correct max length of the in-GHCB scratch area
  KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0
  KVM: SEV: Use the size of the PSC header as the minimum size for PSC requests
  KVM: SEV: Ignore Port I/O requests of length '0'
  KVM: SEV: Require in-GHCB scratch area if GHCB v2+ is in use
  KVM: SVM: Flush the current TLB when transitioning from xAVIC => x2AVIC
  KVM: arm64: PMU: Preserve AArch32 counter low bits
  USB: cdc-acm: Fix bit overlap and move quirk definitions to header
  rust_binder: avoid calling pending_oneway_finished() on TF_UPDATE_TXN
  rust_binder: Avoid holding lock when dropping delivered_death
  parport: Fix race between port and client registration
  Input: xpad - fix out-of-bounds access for Share button
  Bluetooth: hci_sync: fix UAF in hci_le_create_cis_sync
  Bluetooth: hci_qca: Use 100 ms SSR delay for rampatch and NVM loading
  Bluetooth: hci_conn: Fix memory leak in hci_le_big_terminate()
  Bluetooth: ISO: serialize iso_sock_clear_timer with socket lock
  Bluetooth: ISO: fix UAF in iso_recv_frame
  Bluetooth: HIDP: fix missing length checks in hidp_input_report()
  Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn
  Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
  smb: client: fix uninitialized variable in smb2_writev_callback
  auxdisplay: line-display: fix OOB read on zero-length message_store()
  mm/rmap: initialize nr_pages to 1 at loop start in try_to_unmap_one
  memfd: deny writeable mappings when implying SEAL_WRITE
  mm: memcontrol: propagate NMI slab stats to memcg vmstats
  ipc: limit next_id allocation to the valid ID range
  mm/damon/sysfs-schemes: delete tried region in regions_rmdirs()
  hpfs: fix a crash if hpfs_map_dnode_bitmap fails
  Bluetooth: btusb: Allow firmware re-download when version matches
  HID: quirks: Add ALWAYS_POLL quirk for SIGMACHIP USB mouse
  Input: ims-pcu - fix usb_free_coherent() size in ims_pcu_buffers_free()
  media: rc: igorplugusb: fix control request setup packet
  USB: serial: safe_serial: fix memory corruption with small endpoint
  usb: typec: ucsi: validate connector number in ucsi_connector_change()
  usb: typec: tcpm/tcpci_maxim: validate header NDO against RX_BYTE_CNT
  usb: typec: wcove: don't write past struct pd_message in wcove_read_rx_buffer()
  usb: typec: altmodes/displayport: validate count before reading Status Update VDO
  usb: typec: ucsi: displayport: NAK DP_CMD_CONFIGURE without a payload VDO
  usb: typec: tcpm: bound altmode_desc[] per iteration in svdm_consume_modes()
  usb: typec: tcpm: validate VDO count in Discover Identity ACK handlers
  usb: typec: ucsi: ccg: reject firmware images without a ':' record header
  iio: pressure: bmp280: fix stack leak in bmp580 trigger handler
  iio: imu: adis16550: fix stack leak in trigger handler
  iio: imu: st_lsm6dsx: fix stack leak in tagged FIFO buffer
  phy: mscc: Use PHY_ID_MATCH_EXACT for VSC8584, VSC8582, VSC8575, VSC856X
  drm/i915/psr: Apply Intel DPCD workaround when SDP on prior line used
  drm/i915/psr: Read Intel DPCD workaround register
  drm/i915/psr: Add defininitions for INTEL_WA_REGISTER_CAPS DPCD register
  s390/cio: Restore GFP_DMA for CHSC allocation
  Revert "x86/fpu: Refine and simplify the magic number check during signal return"
  smb: client: validate the whole DACL before rewriting it in cifsacl
  media: rc: ttusbir: fix inverted error logic
  media: rc: fix race between unregister and urb/irq callbacks
  net: skbuff: fix pskb_carve leaking zcopy pages
  ipv6: fix possible infinite loop in fib6_select_path()
  ipv6: fix possible infinite loop in rt6_fill_node()
  vsock/virtio: bind uarg before filling zerocopy skb
  sctp: fix race between sctp_wait_for_connect and peeloff
  net: mana: Skip redundant detach on already-detached port
  net: mana: Add NULL guards in teardown path to prevent panic on attach failure
  gpio: rockchip: teardown bugs and resource leaks
  gpio: rockchip: convert bank->clk to devm_clk_get_enabled()
  gpio: virtuser: Fix uninitialized data bug in gpio_virtuser_direction_do_write()
  gpio: adnp: fix flow control regression caused by scoped_guard()
  Bluetooth: hci_sync: Reset device counters in hci_dev_close_sync()
  Bluetooth: hci_sync: Set HCI_CMD_DRAIN_WORKQUEUE during device close
  Bluetooth: L2CAP: Fix possible crash on l2cap_ecred_conn_rsp
  Bluetooth: l2cap: clear chan->ident on ECRED reconfiguration success
  net/handshake: Pass negative errno through handshake_complete()
  nvme-tcp: store negative errno in queue->tls_err
  net/handshake: Use spin_lock_bh for hn_lock
  net: hibmcge: disable Relaxed Ordering to fix RX packet corruption
  net/sched: Revert "net/sched: Restrict conditions for adding duplicating netems to qdisc tree"
  ipv6: rpl: fix hdrlen overflow in ipv6_rpl_srh_decompress()
  ethtool: eeprom: add more safeties to EEPROM Netlink fallback
  ethtool: eeprom: add missing ethnl_ops_begin() / _complete() during fallback
  ethtool: strset: fix header attribute index in ethnl_req_get_phydev()
  ethtool: tsinfo: don't pass ERR_PTR to genlmsg_cancel on prepare failure
  ethtool: tsinfo: fix uninitialized stats on the by-PHC path
  ethtool: tsconfig: fix missing ethnl_ops_complete()
  ethtool: pse-pd: fix missing ethnl_ops_complete()
  ethtool: linkstate: fix unbalanced ethnl_ops_complete() on PHY lookup error
  ethtool: tsconfig: fix reply error handling
  ethtool: coalesce: cap profile updates at NET_DIM_PARAMS_NUM_PROFILES
  bridge: Fix sleep in atomic context in sysfs path
  bridge: Fix sleep in atomic context in netlink path
  bonding: refuse to enslave CAN devices
  Bluetooth: 6lowpan: check skb_clone() return value in send_mcast_pkt()
  drm/xe: Restore IDLEDLY regiter on engine reset
  ASoC: codecs: simple-mux: Fix enum control bounds check
  ksmbd: fix FSCTL permission bypass by adding a permission check for FSCTL_SET_SPARSE
  tunnels: do not assume transport header in iptunnel_pmtud_check_icmp()
  vxlan: do not reuse cached ip_hdr() value after skb_tunnel_check_pmtu()
  tunnels: load network headers after skb_cow() in iptunnel_pmtud_build_icmp[v6]()
  cxl/test: Update mock dev array before calling platform_device_add()
  ethtool: cmis: validate fw->size against start_cmd_payload_size
  ethtool: cmis: validate start_cmd_payload_size from module
  ethtool: cmis: fix u16-to-u8 truncation of msleep_pre_rpl
  ethtool: cmis: require exact CDB reply length
  ethtool: module: fix cleanup if socket used for flashing multiple devices
  ethtool: module: check fw_flash_in_progress under rtnl_lock
  ethtool: module: avoid racy updates to dev->ethtool bitfield
  ethtool: module: avoid leaking a netdev ref on module flash errors
  ethtool: module: call ethnl_ops_complete() on module flash errors
  ethtool: rss: avoid device context leak on reply-build failure
  ethtool: rss: fix hkey leak when indir_size is 0
  ethtool: rss: fix indir_table and hkey leak on get_rxfh failure
  ethtool: rss: fix falsely ignoring indir table updates
  ethtool: rss: add missing errno on RSS context delete
  ethtool: rss: avoid modifying the RSS context response
  net: Avoid checksumming unreadable skb tail on trim
  net: team: fix NULL pointer dereference in team_xmit during mode change
  net: team: Rename port_disabled team mode op to port_tx_disabled
  net: team: Remove unused team_mode_op, port_enabled
  gpio: mxc: fix irq_high handling
  net: hsr: fix potential OOB access in supervision frame handling
  net/mlx5: HWS: Reject unsupported remove-header action
  ASoC: Intel: bytcht_es8316: Fix MCLK leak on init errors
  ALSA: pcm: oss: Fix setup list UAF on proc write error
  ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
  scsi: core: Run queues for all non-SDEV_DEL devices from scsi_run_host_queues
  net/iucv: fix locking in .getsockopt
  net/smc: Do not re-initialize smc hashtables
  net: netlink: don't set nsid on local notifications
  net: netlink: fix sending unassigned nsid after assigned one
  vsock: keep poll shutdown state consistent
  tun: free page on build_skb failure in tun_xdp_one()
  tun: free page on short-frame rejection in tun_xdp_one()
  netfilter: nf_tables: fix dst corruption in same register operation
  netfilter: ebtables: fix OOB read in compat_mtw_from_user
  netfilter: xt_cpu: prefer raw_smp_processor_id
  netfilter: synproxy: refresh tcphdr after skb_ensure_writable
  accel/rocket: fix UAF via dangling GEM handle in create_bo
  kunit: fix use-after-free in debugfs when using kunit.filter
  HID: remove duplicate hid_warn_ratelimited definition
  tools/bootconfig: Fix buf leaks in apply_xbc
  nfc: nxp-nci: i2c: use rising-edge IRQ on ACPI systems
  xfrm: Check for underflow in xfrm_state_mtu
  nfc: llcp: Fix use-after-free race in nfc_llcp_recv_cc()
  nfc: llcp: Fix use-after-free in llcp_sock_release()
  bcache: fix uninitialized closure object
  net/sched: sch_sfb: Replace direct dequeue call with peek and qdisc_dequeue_peeked
  xfrm: move policy_bydst RCU sync from per-netns .exit to .pre_exit
  net: mctp: ensure our nlmsg responses are initialised
  net/sched: cls_fw: fix NULL dereference of "old" filters before change()
  Input: usbtouchscreen - clamp NEXIO data_len/x_len to URB buffer size
  Linux 6.18.34
  security/keys: fix missed RCU read section on lookup
  drm/msm: Restore second parameter name in purge() and evict()
  LoongArch: kprobes: Fix handling of fatal unrecoverable recursions
  ksmbd: fix durable reconnect error path file lifetime
  io_uring/nop: pass all errors to userspace
  net: gro: don't merge zcopy skbs
  pds_core: ensure null-termination for firmware version strings
  net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback
  tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
  net: mana: validate rx_req_idx to prevent out-of-bounds array access
  octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs
  selftests: net: Fix checksums in xdp_native
  drm/xe/oa: Fix exec_queue leak on width check in stream open
  ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()
  gpio: aggregator: lock device when calling device_is_bound()
  gpio: aggregator: remove the software node when deactivating the aggregator
  gpio: aggregator: stop using dev-sync-probe
  gpio: aggregator: fix a potential use-after-free
  gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
  tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction
  bpf, skmsg: fix verdict sk_data_ready racing with ktls rx
  net: ag71xx: check error for platform_get_irq
  crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks
  net: shaper: rework the VALID marking (again)
  net: shaper: annotate the data races
  net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA
  Bluetooth: btmtk: fix urb->setup_packet leak in error paths
  Bluetooth: btintel_pcie: Fix incorrect MAC access programming
  tracing: Avoid NULL return from hist_field_name() on truncation
  cgroup: rstat: relax NMI guard after switch to try_cmpxchg
  ALSA: seq: Serialize UMP output teardown with event_input
  wifi: wilc1000: fix dma_buffer leak on bus acquire failure
  wifi: mac80211: fix MLE defragmentation
  wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs
  erofs: fix managed cache race for unaligned extents
  pds_core: fix debugfs_lookup dentry leak and error handling
  pds_core: fix error handling in pdsc_devcmd_wait
  net: airoha: Fix NPU RX DMA descriptor bits
  net: phy: honor eee_disabled_modes in phy_advertise_eee_all()
  net: phy: honor eee_disabled_modes in phy_support_eee()
  bridge: mcast: Fix a possible use-after-free when removing a bridge port
  net: bridge: Flush multicast groups when snooping is disabled
  RDMA/rtrs: Fix use-after-free in path file creation cleanup
  RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port
  ASoC: soc-utils: Add missing va_end in snd_soc_ret()
  platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
  platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
  platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
  platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL
  platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7
  net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
  net: dsa: mt7530: preserve VLAN tags on trapped link-local frames
  net: dsa: mt7530: fix FDB entries not aging out with short timeout
  kbuild: pacman-pkg: make "rc" releases adhere to pacman versioning scheme
  drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP
  igc: set tx buffer type for SMD frames
  ice: ptp: use primary NAC semaphore on E825
  ice: ptp: serialize E825 PHY timer start with PTP lock
  cgroup/rstat: validate cpu before css_rstat_cpu() access
  drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable
  drm/mediatek: mtk_cec: Fix non-static global variable
  wifi: ath11k: fix peer resolution on rx path when peer_id=0
  drm/xe/pf: Fix CFI failure in debugfs access
  drm/xe/vf: Fix signature of print functions
  drm/xe/gsc: Fix double-free of managed BO in error path
  dma-mapping: move dma_map_resource() sanity check into debug code
  wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it
  wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is disabled
  hwmon: (lm90) Add lock protection to lm90_alert
  hwmon: (lm90) Stop work before releasing hwmon device
  drm/msm/snapshot: fix dumping of the unaligned regions
  ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5
  netfilter: nft_inner: release local_lock before re-enabling softirqs
  spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()
  ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging
  btrfs: fix squota accounting during enable generation
  btrfs: check for subvolume before deleting squota qgroup
  btrfs: relax squota parent qgroup deletion rule
  btrfs: check squota parent usage on membership change
  btrfs: remaining BTRFS_PATH_AUTO_FREE conversions
  btrfs: don't search back for dir inode item in INO_LOOKUP_USER
  btrfs: use the key format macros when printing keys
  btrfs: add macros to facilitate printing of keys
  vsock/virtio: fix zerocopy completion for multi-skb sends
  io_uring/net: punt IORING_OP_BIND async if it needs file create
  ALSA: scarlett2: Add missing error check when initialise Autogain Status
  ASoC: codecs: fs210x: fix possible buffer overflow
  scsi: sd: Fix return code handling in sd_spinup_disk()
  net/mlx5: Do not restore destination-less TC rules
  tls: Preserve sk_err across recvmsg() when data has been copied
  ovpn: disable BHs when updating device stats
  x86/xen: Fix xen_e820_swap_entry_with_ram()
  gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE
  ovpn: fix race between deleting interface and adding new peer
  ovpn: respect peer refcount in CMD_NEW_PEER error path
  ovpn: tcp - use cached peer pointer in ovpn_tcp_close()
  net: phy: DP83TC811: add reading of abilities
  net: tls: prevent chain-after-chain in plain text SG
  net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
  net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
  powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise()
  drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN
  drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
  Documentation: intel_pstate: Fix description of asymmetric packing with SMT
  x86/mce: Restore MCA polling interval halving
  selftests: ublk: cap nthreads to kernel's actual nr_hw_queues
  drm/msm/dpu: don't mix devm and drmm functions
  drm/msm/dsi: don't dump registers past the mapped region
  ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
  net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
  accel/qaic: Add overflow check to remap_pfn_range during mmap
  block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()
  HID: quirks: really enable the intended work around for appledisplay
  block: recompute nr_integrity_segments in blk_insert_cloned_request
  block: don't overwrite bip_vcnt in bio_integrity_copy_user()
  net: shaper: reject QUEUE scope handle with missing id
  net: shaper: enforce singleton NETDEV scope with id 0
  net: shaper: fix undersized reply skb allocation in GROUP command
  net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit
  net: shaper: reject duplicate leaves in GROUP request
  net: shaper: fix trivial ordering issue in net_shaper_commit()
  net: shaper: flip the polarity of the valid flag
  wifi: ath10k: skip WMI and beacon transmission when device is wedged
  wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()
  wifi: ath11k: fix error path leaks in some WMI WOW calls
  net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference
  net: ethernet: cortina: Carry over frag counter
  net: ethernet: cortina: Drop half-assembled SKB
  net: ethernet: cortina: Make RX SKB per-port
  netfs, afs: Fix write skipping in dir/link writepages
  netfs: Fix netfs_read_folio() to wait on writeback
  netfs: Fix folio->private handling in netfs_perform_write()
  netfs: Fix partial invalidation of streaming-write folio
  netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()
  netfs: Fix leak of request in netfs_write_begin() error handling
  netfs: Fix early put of sink folio in netfs_read_gaps()
  netfs: Fix write streaming disablement if fd open O_RDWR
  netfs: Fix read-gaps to remove netfs_folio from filled folio
  netfs: Fix potential deadlock in write-through mode
  netfs: Fix streaming write being overwritten
  netfs: Defer the emission of trace_netfs_folio()
  netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone
  netfs: Fix overrun check in netfs_extract_user_iter()
  netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call
  netfs: Fix netfs_read_to_pagecache() to pause on subreq failure
  netfs: Fix cancellation of a DIO and single read subrequests
  powerpc: fix dead default for GUEST_STATE_BUFFER_TEST
  powerpc: 82xx: fix uninitialized pointers with free attribute
  ASoC: SOF: amd: Fix error code handling in psp_send_cmd()
  tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().
  zonefs: handle integer overflow in zonefs_fname_to_fno
  nvme-pci: fix use-after-free in nvme_free_host_mem()
  nvme: fix bio leak on mapping failure
  irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
  nsfs: fix wrong error code returned for pidns ioctls
  ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation
  irqchip/ath79-cpu: Remove unused function
  fs: Fix return in jfs_mkdir and orangefs_mkdir
  fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap
  fprobe: Fix unregister_fprobe() to wait for RCU grace period
  ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC
  ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC
  NFSD: Fix infinite loop in layout state revocation
  phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access
  net: ti: icssm-prueth: fix eth_ports_node leak in probe
  net: lan966x: avoid unregistering netdev on register failure
  ice: fix locking in ice_dcb_rebuild()
  ice: fix setting RSS VSI hash for E830
  idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()
  net: shaper: Reject reparenting of existing nodes
  net: napi: Avoid gro timer misfiring at end of busypoll
  tcp: Fix imbalanced icsk_accept_queue count.
  test_kprobes: clear kprobes between test runs
  kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()
  netfilter: bridge: eb_tables: close module init race
  netfilter: x_tables: close dangling table module init race
  netfilter: ebtables: close dangling table module init race
  netfilter: ebtables: move to two-stage removal scheme
  netfilter: x_tables: add and use xtables_unregister_table_exit
  netfilter: x_tables: add and use xt_unregister_table_pre_exit
  netfilter: x_tables: unregister the templates first
  btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
  ALSA: hda: cs35l41: Put ACPI device on missing physical node
  ALSA: hda: cs35l56: Put ACPI device after setting companion
  ARM: integrator: Fix early initialization
  firmware: arm_ffa: Fix sched-recv callback partition lookup
  firmware: arm_ffa: Snapshot notifier callbacks under lock
  firmware: arm_ffa: Align RxTx buffer size before mapping
  firmware: arm_ffa: Validate framework notification message layout
  firmware: arm_ffa: Keep framework RX release under lock
  firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies
  pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150
  kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS
  kunit: config: Enable KUNIT_DEBUGFS by default
  riscv: mm: Fixup no5lvl failure when vaddr is invalid
  riscv: errata: Fix bitwise vs logical AND in MIPS errata patching
  firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0
  firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue
  firmware: arm_ffa: Skip free_pages on RX buffer alloc failure
  firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
  HID: uclogic: Fix regression of input name assignment
  HID: intel-thc-hid: Intel-quickspi: Fix some error codes
  pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615
  pinctrl: meson: amlogic-a4: fix deadlock issue
  pinctrl: renesas: rzg2l: Fix SMT register cache handling
  pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume
  ARM: dts: renesas: rskrza1: Drop superfluous cells
  ARM: dts: renesas: genmai: Drop superfluous cells
  pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function
  hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors
  hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()
  hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()
  hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple
  hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR
  hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer
  hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer
  hwmon: (pmbus/adm1266) reject implausible blackbox record_count
  hwmon: (pmbus/adm1266) seed timestamp from the real-time clock
  batman-adv: tt: prevent TVLV entry number overflow
  batman-adv: tt: fix negative tt_buff_len
  batman-adv: tt: fix negative last_changeset_len
  batman-adv: tt: avoid empty VLAN responses
  batman-adv: tt: reject oversized local TVLV buffers
  batman-adv: tt: fix TOCTOU race for reported vlans
  batman-adv: tp_meter: avoid role confusion in tp_list
  batman-adv: tp_meter: fix race condition in send error reporting
  batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown
  batman-adv: tp_meter: directly shut down timer on cleanup
  batman-adv: tp_meter: avoid use of uninit sender vars
  batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
  batman-adv: bla: avoid double decrement of bla.num_requests
  batman-adv: bla: fix report_work leak on backbone_gw purge
  batman-adv: frag: disallow unicast fragment in fragment
  batman-adv: fix tp_meter counter underflow during shutdown
  batman-adv: fix fragment reassembly length accounting
  batman-adv: dat: handle forward allocation error
  batman-adv: clear current gateway during teardown
  batman-adv: mcast: fix use-after-free in orig_node RCU release
  batman-adv: iv: recover OGM scheduling after forward packet error
  batman-adv: tvlv: reject oversized TVLV packets
  batman-adv: tvlv: abort OGM send on tvlv append failure
  batman-adv: v: stop OGMv2 on disabled interface
  drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async
  drm/amd/display: Validate GPIO pin LUT table size before iterating
  drm/amd/display: Fix integer overflow in bios_get_image()
  drm/bridge: megachips: remove bridge when irq request fails
  drm/bridge: it66121: acquire reset GPIO in probe
  drm/amdgpu/vpe: Force collaborate sync after TRAP
  drm/virtio: use uninterruptible resv lock for plane updates
  drm/v3d: Release indirect CSD GEM reference on CPU job free
  drm/v3d: Fix use-after-free of CPU job query arrays on error path
  drm/msm: Fix shrinker deadlock
  device property: set fwnode->secondary to NULL in fwnode_init()
  LoongArch: Remove unused code to avoid build warning
  LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions
  fwctl: pds: Validate RPC input size before parsing
  RDMA/siw: Reject MPA FPDU length underflow before signed receive math
  spi: ti-qspi: fix use-after-free after DMA setup failure
  spi: sprd: fix error pointer deref after DMA setup failure
  spi: ep93xx: fix error pointer deref after DMA setup failure
  scsi: isci: Fix use-after-free in device removal path
  phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4 fix
  phy: tegra: xusb: Fix per-pad high-speed termination calibration
  phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870
  spi: qup: fix error pointer deref after DMA setup failure
  drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe
  virt: sev-guest: Explicitly leak pages in unknown state
  riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM
  riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM
  KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)
  KVM: arm64: vgic: Free private_irqs when init fails after allocation
  KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits
  arm64: probes: Handle probes on hinted conditional branch instructions
  tracing: Do not call map->ops->elt_free() if elt_alloc() fails
  cifs: Fix busy dentry used after unmounting
  wifi: mac80211: consume only present negotiated TTLM maps
  af_unix: Fix UAF read of tail->len in unix_stream_data_wait()
  wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
  ice: restore PTP Rx timestamp config after ethtool set-channels
  ice: fix setting promisc mode while adding VID filter
  ice: fix locking around wait_event_interruptible_locked_irq
  igc: fix potential skb leak in igc_fpe_xmit_smd_frame()
  octeontx2-pf: fix double free in rvu_rep_rsrc_init()
  octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
  lsm: hold cred_guard_mutex for lsm_set_self_attr()
  rbd: eliminate a race in lock_dwork draining on unmap
  ixgbevf: fix use-after-free in VEPA multicast source pruning
  ipv4: raw: reject IP_HDRINCL packets with ihl < 5
  wifi: iwlwifi: mld: stop TX during firmware restart
  wifi: iwlwifi: mvm: fix driver-set TX rates on old devices
  wifi: ath11k: clear shared SRNG pointer state on restart
  ice: fix VF queue configuration with low MTU values
  vsock/virtio: reset connection on receiving queue overflow
  vsock/vmci: fix UAF when peer resets connection during handshake
  mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
  ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
  ring-buffer: Flush and stop persistent ring buffer on panic
  ring-buffer: Fix reporting of missed events in iterator
  qed: fix double free in qed_cxt_tables_alloc()
  l2tp: use list_del_rcu in l2tp_session_unhash
  fs/ntfs3: handle attr_set_size() errors when truncating files
  net: ethtool: phy: avoid NULL deref when PHY driver is unbound
  net: ethtool: fix NULL pointer dereference in phy_reply_size
  cgroup/cpuset: Reset DL migration state on can_attach() failure
  tracing/fprobe: Check the same type fprobe on table as the unregistered one
  tracing/fprobe: Avoid kcalloc() in rcu_read_lock section
  tracing: fprobe: use ftrace if CONFIG_DYNAMIC_FTRACE_WITH_ARGS
  tracing: fprobe: Remove unused local variable
  sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path
  sched_ext: Fix missing warning in scx_set_task_state() default case
  netfilter: nft_inner: Fix IPv6 inner_thoff desync
  netfilter: ipset: stop hash:* range iteration at end
  netfilter: nf_queue: hold bridge skb->dev while queued
  netfilter: ip6t_hbh: reject oversized option lists
  net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()
  net: ifb: report ethtool stats over num_tx_queues
  net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover
  net: phy: skip EEE advertisement write when autoneg is disabled
  net: bcmgenet: keep RBUF EEE/PM disabled
  phonet/pep: disable BH around forwarded sk_receive_skb()
  Bluetooth: serialize accept_q access
  Bluetooth: MGMT: validate Add Extended Advertising Data length
  Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer
  Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
  Bluetooth: bnep: Fix UAF read of dev->name
  Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
  Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
  net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
  selftests/mm: run_vmtests.sh: fix destructive tests invocation
  mm/page_alloc: fix initialization of tags of the huge zero folio with init_on_free
  mm/memory_hotplug: fix memory block reference leak on remove
  mm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special()
  mm/memory: fix spurious warning when unmapping device-private/exclusive pages
  ipv6: ioam: refresh hdr pointer before ioam6_event()
  drivers/base/memory: fix memory block reference leak in poison accounting
  io_uring/waitid: clear waitid info before copying it to userspace
  spi: amd: Set correct bus number in ACPI probe path
  efi: Allocate runtime workqueue before ACPI init
  ALSA: scarlett2: Allow flash writes ending at segment boundary
  ALSA: asihpi: Fix potential OOB array access at reading cache
  ALSA: pcm: Don't setup bogus iov_iter for silencing
  ALSA: ua101: Reject too-short USB descriptors
  hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX
  smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close
  smb: client: use data_len for SMB2 READ encrypted folioq copy
  smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked()
  smb: client: require net admin for CIFS SWN netlink
  regulator: tps65219: fix irq_data.rdev not being assigned
  ksmbd: validate SID in parent security descriptor during ACL inheritance
  ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
  ksmbd: fix null pointer dereference in compare_guid_key()
  mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()
  sysfs: don't remove existing directory on update failure
  drm/vblank: Fix kernel docs for vblank timer
  drm/atomic: Increase timeout in drm_atomic_helper_wait_for_vblanks()
  drm/vkms: Convert to DRM's vblank timer
  drm/vblank: Add CRTC helpers for simple use cases
  drm/vblank: Add vblank timer
  Revert "ice: Remove jumbo_remove step from TX path"
  Revert "ice: fix double-free of tx_buf skb"
  ata: libata-scsi: do not needlessly defer commands when using PMP with FBS
  ata: libata-scsi: do not use the d…
@qswat-orbit-external

Merge Check Failed: No CR Numbers Found

Error: No Change Request numbers were found.

Please add Change Request numbers to your pull request description in the format CRs-Fixed: 12345 or link GitHub issues that are associated with Change Requests.

@svankas svankas (svankas) changed the title 6.18.37 lts Merge tag 'v6.18.37' into qcom-6.18.y Jun 29, 2026
@qcomlnxci

Test Matrix

| Test Case | lemans-evk | monaco-evk | qcs615-ride | qcs6490-rb3gen2 | qcs8300-ride | qcs9100-ride-r3 | x1e80100-crd |
| --- | --- | --- | --- | --- | --- | --- | --- |
| BT_FW_KMD_Service | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| BT_ON_OFF | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| BT_SCAN | ❌ Fail | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| CPUFreq_Validation | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| CPU_affinity | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| DSP_AudioPD | ✅ Pass | ✅ Pass | ⚠️ skip | ✅ Pass | ✅ Pass | ⚠️ skip | ◻️ |
| Ethernet | ⚠️ skip | ✅ Pass | ⚠️ skip | ⚠️ skip | ⚠️ skip | ⚠️ skip | ◻️ |
| Freq_Scaling | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| GIC | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| IPA | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| Interrupts | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| OpenCV | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| PCIe | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| Probe_Failure_Check | ❌ Fail | ❌ Fail | ❌ Fail | ❌ Fail | ❌ Fail | ❌ Fail | ◻️ |
| RMNET | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| UFS_Validation | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| USBHost | ❌ Fail | ❌ Fail | ❌ Fail | ❌ Fail | ❌ Fail | ❌ Fail | ◻️ |
| WiFi_Firmware_Driver | ❌ Fail | ❌ Fail | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| WiFi_OnOff | ✅ Pass | ❌ Fail | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| adsp_remoteproc | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ❌ Fail | ◻️ |
| cdsp_remoteproc | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ❌ Fail | ◻️ |
| gpdsp_remoteproc | ✅ Pass | ✅ Pass | ⚠️ skip | ⚠️ skip | ✅ Pass | ❌ Fail | ◻️ |
| hotplug | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| irq | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| kaslr | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| pinctrl | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| qcom_hwrng | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| remoteproc | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ❌ Fail | ◻️ |
| rngtest | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| shmbridge | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| smmu | ❌ Fail | ✅ Pass | ❌ Fail | ✅ Pass | ✅ Pass | ❌ Fail | ◻️ |
| watchdog | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |
| wpss_remoteproc | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ✅ Pass | ◻️ |

@ekanshibu Ekansh Gupta (ekanshibu) left a comment

+1 for fastrpc

@shuaz-shuai

+1 for bt
