October 2025 - Linux-stable-mirror

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.16.10 release. There are 143 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 02 Oct 2025 14:37:59 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.16.10-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.16.10-rc1 Jason Gunthorpe <jgg(a)ziepe.ca> iommufd: Fix race during abort for file descriptors Khairul Anuar Romli <khairul.anuar.romli(a)altera.com> spi: cadence-qspi: defer runtime support on socfpga if reset bit is enabled Khairul Anuar Romli <khairul.anuar.romli(a)altera.com> spi: cadence-quadspi: Implement refcount to handle unbind during busy Andrea Righi <arighi(a)nvidia.com> sched_ext: idle: Handle migration-disabled tasks in BPF code Andrea Righi <arighi(a)nvidia.com> sched_ext: idle: Make local functions static in ext_idle.c Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: pcie: fix byte count table for some devices Johannes Berg <johannes.berg(a)intel.com> wifi: iwlwifi: fix byte count table for old devices Thomas Zimmermann <tzimmermann(a)suse.de> fbcon: Fix OOB access in font allocation Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> fbcon: fix integer overflow in fbcon_do_set_font Akinobu Mita <akinobu.mita(a)gmail.com> mm/damon/sysfs: do not ignore callback's return value in damon_sysfs_damon_call() Jinjiang Tu <tujinjiang(a)huawei.com> mm/hugetlb: fix folio is still mapped when deleted Alexander Popov <alex.popov(a)linux.com> x86/Kconfig: Reenable PTDUMP on i386 Thomas Gleixner <tglx(a)linutronix.de> x86/topology: Implement topology_is_core_online() to address SMT regression Alexandre Ghiti <alexghiti(a)rivosinc.com> riscv: Use an atomic xchg in pudp_huge_get_and_clear() Max Kellermann <max.kellermann(a)ionos.com> netfs: fix reference leak Eric Biggers <ebiggers(a)kernel.org> kmsan: fix out-of-bounds access to shadow memory Hans de Goede <hansg(a)kernel.org> gpiolib: Extend software-node support to support secondary software-nodes Jakub Acs <acsjakub(a)amazon.de> fs/proc/task_mmu: check p->vec_buf for NULL Zhen Ni <zhen.ni(a)easystack.cn> afs: Fix potential null pointer dereference in afs_put_server Jason Wang <jasowang(a)redhat.com> vhost-net: flush batched before enabling notifications Michael S. Tsirkin <mst(a)redhat.com> Revert "vhost/net: Defer TX queue re-enable until after sendmsg" Christian Marangi <ansuelsmth(a)gmail.com> pinctrl: airoha: fix wrong MDIO function bitmaks Christian Marangi <ansuelsmth(a)gmail.com> pinctrl: airoha: fix wrong PHY LED mux value for LED1 GPIO46 Matthew Schwartz <matthew.schwartz(a)linux.dev> drm/amd/display: Only restore backlight after amdgpu_dm_init or dm_resume Nirmoy Das <nirmoyd(a)nvidia.com> drm/ast: Use msleep instead of mdelay for edid read Thomas Hellström <thomas.hellstrom(a)linux.intel.com> drm/xe: Don't copy pinned kernel bos twice on suspend Josua Mayer <josua(a)solid-run.com> arm64: dts: marvell: cn9132-clearfog: fix multi-lane pci x2 and x4 ports Josua Mayer <josua(a)solid-run.com> arm64: dts: marvell: cn9132-clearfog: disable eMMC high-speed modes Josua Mayer <josua(a)solid-run.com> arm64: dts: marvell: cn913x-solidrun: fix sata ports status Nobuhiro Iwamatsu <iwamatsu(a)nigauri.org> ARM: dts: socfpga: sodia: Fix mdio bus probe and PHY address Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: fprobe: Fix to remove recorded module addresses from filter Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: fgraph: Protect return handler from recursion loop Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: dynevent: Add a missing lockdown check on dynevent Eric Biggers <ebiggers(a)kernel.org> crypto: af_alg - Fix incorrect boolean values in af_alg_ctx Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: improve VF MAC filters accounting Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add mask to apply valid bits for itr_idx Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add max boundary check for VF filters Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix validation of VF state in get resources Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix input validation logic for action_meta Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix idx validation in config queues msg Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix idx validation in i40e_validate_queue_map Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add validation for ring_len param Amit Chaudhari <amitchaudhari(a)mac.com> HID: asus: add support for missing PX series fn keys Xinpeng Sun <xinpeng.sun(a)intel.com> HID: intel-thc-hid: intel-quickspi: Add WCL Device IDs Wang Liang <wangliang74(a)huawei.com> tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit() Sasha Levin <sashal(a)kernel.org> Revert "drm/xe/guc: Enable extended CAT error reporting" Sasha Levin <sashal(a)kernel.org> Revert "drm/xe/guc: Set RCS/CCS yield policy" Sang-Heon Jeon <ekffu200098(a)gmail.com> smb: client: fix wrong index reference in smb2_compound_op() Daniel Lee <dany97(a)live.ca> platform/x86: lg-laptop: Fix WMAB call in fan_mode_store() Adrián Larumbe <adrian.larumbe(a)collabora.com> drm/panthor: Defer scheduler entitiy destruction to queue release Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> futex: Use correct exit on failure from futex_hash_allocate_default() Melissa Wen <mwen(a)igalia.com> drm/amd/display: remove output_tf_change flag Suraj Kandpal <suraj.kandpal(a)intel.com> drm/i915/ddi: Guard reg_val against a INVALID_TRANSCODER Lucas De Marchi <lucas.demarchi(a)intel.com> drm/xe: Fix build with CONFIG_MODULES=n Michal Wajdeczko <michal.wajdeczko(a)intel.com> drm/xe/vf: Don't expose sysfs attributes not applicable for VFs Ioana Ciornei <ioana.ciornei(a)nxp.com> gpio: regmap: fix memory leak of gpio_regmap structure Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> futex: Prevent use-after-free during requeue-PI Zabelin Nikita <n.zabelin(a)mt-integration.ru> drm/gma500: Fix null dereference in hdmi teardown Dan Carpenter <dan.carpenter(a)linaro.org> octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries added to the CPU port Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to port_setup() Carolina Jubran <cjubran(a)nvidia.com> net/mlx5e: Fix missing FEC RS stats for RS_544_514_INTERLEAVED_QUAD Yevgeny Kliteynik <kliteyn(a)nvidia.com> net/mlx5: HWS, ignore flow level for multi-dest table Vlad Dogaru <vdogaru(a)nvidia.com> net/mlx5: HWS, remove unused create_dest_array parameter Moshe Shemesh <moshe(a)nvidia.com> net/mlx5: fs, fix UAF in flow counter release Ido Schimmel <idosch(a)nvidia.com> selftests: fib_nexthops: Fix creation of non-FDB nexthops Ido Schimmel <idosch(a)nvidia.com> nexthop: Forbid FDB status change while nexthop is in a group Jason Baron <jbaron(a)akamai.com> net: allow alloc_skb_with_frags() to use MAX_SKB_FRAGS Alok Tiwari <alok.a.tiwari(a)oracle.com> bnxt_en: correct offset handling for IPv6 destination address Jacob Keller <jacob.e.keller(a)intel.com> broadcom: fix support for PTP_EXTTS_REQUEST2 ioctl Jacob Keller <jacob.e.keller(a)intel.com> broadcom: fix support for PTP_PEROUT_DUTY_CYCLE Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: MGMT: Fix possible UAFs Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> vhost: Take a reference on the task in struct vhost_task. Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix UAF in hci_conn_tx_dequeue Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix hci_resume_advertising_sync Petr Malat <oss(a)malat.biz> ethernet: rvu-af: Remove slash from the driver name Sidraya Jayagond <sidraya(a)linux.ibm.com> net/smc: fix warning in smc_rx_splice() when calling get_page() Wang Liang <wangliang74(a)huawei.com> net: tun: Update napi->skb after XDP process Stéphane Grosjean <stephane.grosjean(a)hms-networks.com> can: peak_usb: fix shift-out-of-bounds issue Vincent Mailhol <mailhol(a)kernel.org> can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: hi311x: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow Sabrina Dubroca <sd(a)queasysnail.net> xfrm: fix offloading of cross-family tunnels Sabrina Dubroca <sd(a)queasysnail.net> xfrm: xfrm_alloc_spi shouldn't use 0 as SPI Leon Hwang <leon.hwang(a)linux.dev> selftests/bpf: Skip timer cases when bpf_timer is not supported Leon Hwang <leon.hwang(a)linux.dev> bpf: Reject bpf_timer for PREEMPT_RT Geert Uytterhoeven <geert+renesas(a)glider.be> can: rcar_can: rcar_can_resume(): fix s2ram with PSCI James Guan <guan_yufei(a)163.com> wifi: virt_wifi: Fix page fault on connect Yifan Zhang <yifan1.zhang(a)amd.com> amd/amdkfd: correct mem limit calculation for small APUs Eric Huang <jinhuieric.huang(a)amd.com> drm/amdkfd: fix p2p links bug in topology Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.2: Protect copy offload and clone against 'eof page pollution' Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Protect against 'eof page pollution' Mark Harmstone <mark(a)harmstone.com> btrfs: don't allow adding block device of less than 1 MB Xing Guo <higuoxing(a)gmail.com> selftests/fs/mount-notify: Fix compilation failure. Jiri Olsa <olsajiri(a)gmail.com> bpf: Check the helper function is valid in get_helper_proto Stefan Metzmacher <metze(a)samba.org> smb: server: use disable_work_sync in transport_rdma.c Stefan Metzmacher <metze(a)samba.org> smb: server: don't use delayed_work for post_recv_credits_work Christian Loehle <christian.loehle(a)arm.com> cpufreq: Initialize cpufreq-based invariance before subsys Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: kirkwood: Fix sound DAI cells for OpenRD clients Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp: Correct thermal sensor index Peng Fan <peng.fan(a)nxp.com> firmware: imx: Add stub functions for SCMI CPU API Peng Fan <peng.fan(a)nxp.com> firmware: imx: Add stub functions for SCMI LMM API Peng Fan <peng.fan(a)nxp.com> firmware: imx: Add stub functions for SCMI MISC API Jimmy Hon <honyuenkwun(a)gmail.com> arm64: dts: rockchip: Fix the headphone detection on the orangepi 5 Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> HID: amd_sfh: Add sync across amd sfh work functions Sébastien Szymanski <sebastien.szymanski(a)armadeus.com> HID: cp2112: fix setter callbacks return value Or Har-Toov <ohartoov(a)nvidia.com> IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions Aleksander Jan Bajkowski <olek2(a)wp.pl> net: sfp: add quirk for FLYPRO copper SFP+ module qaqland <anguoli(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on more devices Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: move mixer_quirks' min_mute into common quirk Mario Limonciello (AMD) <superm1(a)kernel.org> gpiolib: acpi: Add quirk for ASUS ProArt PX13 noble.yang <noble.yang(a)comtrue-inc.com> ALSA: usb-audio: Add DSD support for Comtrue USB Audio device Antheas Kapenekakis <lkml(a)antheas.dev> platform/x86: oxpec: Add support for OneXPlayer X1 Mini Pro (Strix Point) Balamurugan C <balamurugan.c(a)intel.com> ASoC: Intel: sof_rt5682: Add HDMI-In capture with rt5682 support for PTL. Balamurugan C <balamurugan.c(a)intel.com> ASoC: Intel: soc-acpi: Add entry for HDMI_In capture support in PTL match table Balamurugan C <balamurugan.c(a)intel.com> ASoC: Intel: soc-acpi: Add entry for sof_es8336 in PTL match table. Heikki Krogerus <heikki.krogerus(a)linux.intel.com> i2c: designware: Add quirk for Intel Xe Benoît Monin <benoit.monin(a)bootlin.com> mmc: sdhci-cadence: add Mobileye eyeQ support Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> drm/panfrost: Add support for Mali on the MT8370 SoC Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> drm/panfrost: Commonize Mediatek power domain array definitions Louis-Alexis Eyraud <louisalexis.eyraud(a)collabora.com> drm/panfrost: Drop duplicated Mediatek supplies arrays Chris Morgan <macromorgan(a)hotmail.com> net: sfp: add quirk for Potron SFP+ XGSPON ONU Stick Marc Kleine-Budde <mkl(a)pengutronix.de> net: fec: rename struct fec_devinfo fec_imx6x_info -> fec_imx6sx_info Jiayi Li <lijiayi(a)kylinos.cn> usb: core: Add 0x prefix to quirks debug output Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix build with CONFIG_INPUT=n Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for ASUS NUC using CS35L41 HDA Chen Ni <nichen(a)iscas.ac.cn> ALSA: usb-audio: Convert comma to semicolon Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: specify that Apple Touch Bar is direct Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: take cls->maxcontacts into account for Apple Touch Bar even without a HID_DG_CONTACTMAX field Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: support getting the tip state from HID_DG_TOUCH fields in Apple Touch Bar Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: Get the contact ID from HID_DG_TRANSDUCER_INDEX fields in case of Apple Touch Bar Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Simplify NULL comparison in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Avoid multiple assignments in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Fix block comments in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Fix whitespace & blank line issues in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Fix code alignment in mixer_quirks Takashi Sakamoto <o-takashi(a)sakamocchi.jp> firewire: core: fix overlooked update of subsystem ABI version Alok Tiwari <alok.a.tiwari(a)oracle.com> scsi: ufs: mcq: Fix memory allocation checks for SQE and CQE ------------- Diffstat: Documentation/admin-guide/laptops/lg-laptop.rst | 4 +- Makefile | 4 +- .../dts/intel/socfpga/socfpga_cyclone5_sodia.dts | 6 +- .../boot/dts/marvell/kirkwood-openrd-client.dts | 2 +- arch/arm64/boot/dts/freescale/imx8mp.dtsi | 4 +- arch/arm64/boot/dts/marvell/cn9130-cf.dtsi | 7 +- arch/arm64/boot/dts/marvell/cn9131-cf-solidwan.dts | 6 +- arch/arm64/boot/dts/marvell/cn9132-clearfog.dts | 22 +- arch/arm64/boot/dts/marvell/cn9132-sr-cex7.dtsi | 8 + .../boot/dts/rockchip/rk3588s-orangepi-5.dtsi | 3 +- arch/riscv/include/asm/pgtable.h | 17 + arch/x86/Kconfig | 2 +- arch/x86/include/asm/topology.h | 10 + arch/x86/kernel/cpu/topology.c | 13 + drivers/cpufreq/cpufreq.c | 20 +- drivers/firewire/core-cdev.c | 2 +- drivers/gpio/gpio-regmap.c | 2 +- drivers/gpio/gpiolib-acpi-quirks.c | 14 + drivers/gpio/gpiolib.c | 21 +- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 44 +- drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 3 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 12 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 7 + drivers/gpu/drm/amd/display/dc/dc.h | 1 - .../drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 6 +- .../drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 6 +- drivers/gpu/drm/ast/ast_dp.c | 2 +- drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- drivers/gpu/drm/i915/display/intel_ddi.c | 5 +- drivers/gpu/drm/panfrost/panfrost_drv.c | 61 ++- drivers/gpu/drm/panthor/panthor_sched.c | 8 +- drivers/gpu/drm/xe/abi/guc_actions_abi.h | 5 - drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 40 -- drivers/gpu/drm/xe/xe_bo_evict.c | 4 +- drivers/gpu/drm/xe/xe_configfs.c | 2 +- drivers/gpu/drm/xe/xe_device_sysfs.c | 2 +- drivers/gpu/drm/xe/xe_gt.c | 3 +- drivers/gpu/drm/xe/xe_guc.c | 62 +-- drivers/gpu/drm/xe/xe_guc.h | 1 - drivers/gpu/drm/xe/xe_guc_submit.c | 87 +--- drivers/gpu/drm/xe/xe_guc_submit.h | 2 - drivers/gpu/drm/xe/xe_uc.c | 4 - drivers/hid/amd-sfh-hid/amd_sfh_client.c | 12 +- drivers/hid/amd-sfh-hid/amd_sfh_common.h | 3 + drivers/hid/amd-sfh-hid/amd_sfh_pcie.c | 4 + drivers/hid/hid-asus.c | 3 + drivers/hid/hid-cp2112.c | 10 +- drivers/hid/hid-multitouch.c | 45 +- .../intel-thc-hid/intel-quickspi/pci-quickspi.c | 2 + .../intel-thc-hid/intel-quickspi/quickspi-dev.h | 2 + drivers/i2c/busses/i2c-designware-platdrv.c | 7 +- drivers/infiniband/hw/mlx5/devx.c | 1 + drivers/iommu/iommufd/eventq.c | 9 +- drivers/iommu/iommufd/main.c | 35 +- drivers/mmc/host/sdhci-cadence.c | 11 + drivers/net/can/rcar/rcar_can.c | 8 +- drivers/net/can/spi/hi311x.c | 1 + drivers/net/can/sun4i_can.c | 1 + drivers/net/can/usb/etas_es58x/es58x_core.c | 3 +- drivers/net/can/usb/mcba_usb.c | 1 + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +- drivers/net/dsa/lantiq_gswip.c | 21 +- drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 2 +- drivers/net/ethernet/freescale/fec_main.c | 4 +- drivers/net/ethernet/intel/i40e/i40e.h | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 26 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 110 ++-- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 3 +- drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 3 +- .../net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_stats.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.h | 1 + .../net/ethernet/mellanox/mlx5/core/fs_counters.c | 25 +- .../mellanox/mlx5/core/steering/hws/action.c | 7 +- .../mellanox/mlx5/core/steering/hws/fs_hws.c | 18 +- .../mellanox/mlx5/core/steering/hws/fs_hws_pools.c | 8 +- .../mellanox/mlx5/core/steering/hws/mlx5hws.h | 7 +- drivers/net/phy/bcm-phy-ptp.c | 6 +- drivers/net/phy/sfp.c | 24 +- drivers/net/tun.c | 3 + drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 3 +- drivers/net/wireless/virtual/virt_wifi.c | 4 +- drivers/pinctrl/mediatek/pinctrl-airoha.c | 31 +- drivers/platform/x86/lg-laptop.c | 34 +- drivers/platform/x86/oxpec.c | 7 + drivers/spi/spi-cadence-quadspi.c | 90 +++- drivers/ufs/core/ufs-mcq.c | 4 +- drivers/usb/core/quirks.c | 2 +- drivers/vhost/net.c | 33 +- drivers/video/fbdev/core/fbcon.c | 13 +- fs/afs/server.c | 3 +- fs/btrfs/volumes.c | 5 + fs/hugetlbfs/inode.c | 10 +- fs/netfs/buffered_read.c | 10 +- fs/netfs/direct_read.c | 7 +- fs/netfs/direct_write.c | 6 +- fs/netfs/internal.h | 1 + fs/netfs/objects.c | 30 +- fs/netfs/read_pgpriv2.c | 2 +- fs/netfs/read_single.c | 2 +- fs/netfs/write_issue.c | 3 +- fs/nfs/file.c | 33 ++ fs/nfs/inode.c | 9 +- fs/nfs/internal.h | 2 + fs/nfs/nfs42proc.c | 33 +- fs/nfs/nfstrace.h | 1 + fs/proc/task_mmu.c | 3 + fs/smb/client/smb2inode.c | 2 +- fs/smb/server/transport_rdma.c | 22 +- include/crypto/if_alg.h | 2 +- include/linux/firmware/imx/sm.h | 47 ++ include/linux/mlx5/fs.h | 2 + include/net/bluetooth/hci_core.h | 21 + kernel/bpf/core.c | 5 +- kernel/bpf/verifier.c | 6 +- kernel/fork.c | 2 +- kernel/futex/requeue.c | 6 +- kernel/sched/ext_idle.c | 52 +- kernel/sched/ext_idle.h | 7 - kernel/trace/fgraph.c | 12 + kernel/trace/fprobe.c | 7 +- kernel/trace/trace_dynevent.c | 4 + kernel/trace/trace_osnoise.c | 3 +- kernel/vhost_task.c | 3 +- mm/damon/sysfs.c | 4 +- mm/kmsan/core.c | 10 +- mm/kmsan/kmsan_test.c | 16 + net/bluetooth/hci_event.c | 30 +- net/bluetooth/hci_sync.c | 7 + net/bluetooth/mgmt.c | 259 +++++++--- net/bluetooth/mgmt_util.c | 46 ++ net/bluetooth/mgmt_util.h | 3 + net/core/skbuff.c | 2 +- net/ipv4/nexthop.c | 7 + net/smc/smc_loopback.c | 14 +- net/xfrm/xfrm_device.c | 2 +- net/xfrm/xfrm_state.c | 3 + sound/pci/hda/patch_realtek.c | 11 + sound/soc/intel/boards/sof_es8336.c | 10 + sound/soc/intel/boards/sof_rt5682.c | 7 + sound/soc/intel/common/soc-acpi-intel-ptl-match.c | 32 ++ sound/usb/mixer_quirks.c | 571 +++++++++++++++------ sound/usb/quirks.c | 24 +- sound/usb/usbaudio.h | 4 + .../testing/selftests/bpf/prog_tests/free_timer.c | 4 + tools/testing/selftests/bpf/prog_tests/timer.c | 4 + .../testing/selftests/bpf/prog_tests/timer_crash.c | 4 + .../selftests/bpf/prog_tests/timer_lockup.c | 4 + tools/testing/selftests/bpf/prog_tests/timer_mim.c | 4 + .../filesystems/mount-notify/mount-notify_test.c | 17 +- .../mount-notify/mount-notify_test_ns.c | 18 +- tools/testing/selftests/net/fib_nexthops.sh | 12 +- 153 files changed, 1833 insertions(+), 852 deletions(-)

2 hours, 32 minutes

13
155
0 0

KVM: arm64: Regression in at least linux-6.1.y tree with recent FPSIMD/SVE/SME fix

by Kenneth Van Alstyne

Greetings: Sending via plain text email -- apologies if you receive this twice. If this isn't the process for reporting a regression in a LTS kernel per https://www.kernel.org/doc/html/latest/admin-guide/reporting-issues.html, I'm happy to follow another process. Kernel 6.1.149 introduced a regression, at least on our ARM Cortex A57-based platforms, via commit 8f4dc4e54eed4bebb18390305eb1f721c00457e1 in arch/arm64/kernel/fpsimd.c where booting KVM VMs eventually leads to a spinlock recursion BUG and crash of the box. Reverting that commit via the below reverts to the old (working) behavior: diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c index 837d1937300a57..bc42163a7fd1f0 100644 --- a/arch/arm64/kernel/fpsimd.c +++ b/arch/arm64/kernel/fpsimd.c @@ -1851,10 +1851,10 @@ void fpsimd_save_and_flush_cpu_state(void) if (!system_supports_fpsimd()) return; WARN_ON(preemptible()); - get_cpu_fpsimd_context(); + __get_cpu_fpsimd_context(); fpsimd_save(); fpsimd_flush_cpu_state(); - put_cpu_fpsimd_context(); + __put_cpu_fpsimd_context(); } #ifdef CONFIG_KERNEL_MODE_NEON It's not entirely clear to me if this is specific to our firmware, specific to ARM Cortex A57, or more systemic as we lack sufficiently differentiated hardware to know. I've tested on the latest 6.1 kernel in addition to the one in the log below and have also tested a number of firmware versions available for these boxes. Steps to reproduce: Boot VM in qemu-system-aarch64 with "-accel kvm" and "-cpu host" flags set -- no other arguments seem to matter Generate CPU load in VM Kernel log: [sjc1] root@si-compute-kvm-e0fff70016b4:/# [ 805.905413] BUG: spinlock recursion on CPU#7, CPU 3/KVM/57616 [ 805.905452] lock: 0xffff3045ef850240, .magic: dead4ead, .owner: CPU 3/KVM/57616, .owner_cpu: 7 [ 805.905477] CPU: 7 PID: 57616 Comm: CPU 3/KVM Tainted: G O 6.1.152 #1 [ 805.905495] Hardware name: SoftIron SoftIron Platform Mainboard/SoftIron Platform Mainboard, BIOS 1.31 May 11 2023 [ 805.905516] Call trace: [ 805.905524] dump_backtrace+0xe4/0x110 [ 805.905538] show_stack+0x20/0x30 [ 805.905548] dump_stack_lvl+0x6c/0x88 [ 805.905561] dump_stack+0x18/0x34 [ 805.905571] spin_dump+0x98/0xac [ 805.905583] do_raw_spin_lock+0x70/0x128 [ 805.905596] _raw_spin_lock+0x18/0x28 [ 805.905607] raw_spin_rq_lock_nested+0x18/0x28 [ 805.905620] update_blocked_averages+0x70/0x550 [ 805.905634] run_rebalance_domains+0x50/0x70 [ 805.905645] handle_softirqs+0x198/0x328 [ 805.905659] __do_softirq+0x1c/0x28 [ 805.905669] ____do_softirq+0x18/0x28 [ 805.905680] call_on_irq_stack+0x30/0x48 [ 805.905691] do_softirq_own_stack+0x24/0x30 [ 805.905703] do_softirq+0x74/0x90 [ 805.905714] __local_bh_enable_ip+0x64/0x80 [ 805.905727] fpsimd_save_and_flush_cpu_state+0x5c/0x68 [ 805.905740] kvm_arch_vcpu_put_fp+0x4c/0x88 [ 805.905752] kvm_arch_vcpu_put+0x28/0x88 [ 805.905764] kvm_sched_out+0x38/0x58 [ 805.905774] __schedule+0x55c/0x6c8 [ 805.905786] schedule+0x60/0xa8 [ 805.905796] kvm_vcpu_block+0x5c/0x90 [ 805.905807] kvm_vcpu_halt+0x440/0x468 [ 805.905818] kvm_vcpu_wfi+0x3c/0x70 [ 805.905828] kvm_handle_wfx+0x18c/0x1f0 [ 805.905840] handle_exit+0xb8/0x148 [ 805.905851] kvm_arch_vcpu_ioctl_run+0x6c4/0x7b0 [ 805.905863] kvm_vcpu_ioctl+0x1d0/0x8b8 [ 805.905874] __arm64_sys_ioctl+0x9c/0xe0 [ 805.905886] invoke_syscall+0x78/0x108 [ 805.905899] el0_svc_common.constprop.3+0xb4/0xf8 [ 805.905912] do_el0_svc+0x78/0x88 [ 805.905922] el0_svc+0x48/0x78 [ 805.905932] el0t_64_sync_handler+0x40/0xc0 [ 805.905943] el0t_64_sync+0x18c/0x190 [ 806.048300] hrtimer: interrupt took 2976 ns [ 826.924613] rcu: INFO: rcu_sched detected stalls on CPUs/tasks: SoC 0 became not ready SoC 0 became ready Thanks, -- Kenneth Van Alstyne, Jr.

2 hours, 33 minutes

2
2
0 0

[PATCH 6.12 00/89] 6.12.50-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.50 release. There are 89 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 02 Oct 2025 14:37:59 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.50-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.50-rc1 Niklas Neronin <niklas.neronin(a)linux.intel.com> Revert "usb: xhci: remove option to change a default ring's TRB cycle bit" Jason Gunthorpe <jgg(a)ziepe.ca> iommufd: Fix race during abort for file descriptors Thomas Zimmermann <tzimmermann(a)suse.de> fbcon: Fix OOB access in font allocation Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> fbcon: fix integer overflow in fbcon_do_set_font Jinjiang Tu <tujinjiang(a)huawei.com> mm/hugetlb: fix folio is still mapped when deleted Eric Biggers <ebiggers(a)kernel.org> kmsan: fix out-of-bounds access to shadow memory Hans de Goede <hansg(a)kernel.org> gpiolib: Extend software-node support to support secondary software-nodes Jakub Acs <acsjakub(a)amazon.de> fs/proc/task_mmu: check p->vec_buf for NULL Zhen Ni <zhen.ni(a)easystack.cn> afs: Fix potential null pointer dereference in afs_put_server Nirmoy Das <nirmoyd(a)nvidia.com> drm/ast: Use msleep instead of mdelay for edid read Josua Mayer <josua(a)solid-run.com> arm64: dts: marvell: cn9132-clearfog: fix multi-lane pci x2 and x4 ports Josua Mayer <josua(a)solid-run.com> arm64: dts: marvell: cn9132-clearfog: disable eMMC high-speed modes Nobuhiro Iwamatsu <iwamatsu(a)nigauri.org> ARM: dts: socfpga: sodia: Fix mdio bus probe and PHY address Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: dynevent: Add a missing lockdown check on dynevent Eric Biggers <ebiggers(a)kernel.org> crypto: af_alg - Fix incorrect boolean values in af_alg_ctx Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: improve VF MAC filters accounting Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add mask to apply valid bits for itr_idx Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add max boundary check for VF filters Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix validation of VF state in get resources Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix input validation logic for action_meta Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix idx validation in config queues msg Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix idx validation in i40e_validate_queue_map Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add validation for ring_len param Amit Chaudhari <amitchaudhari(a)mac.com> HID: asus: add support for missing PX series fn keys Sang-Heon Jeon <ekffu200098(a)gmail.com> smb: client: fix wrong index reference in smb2_compound_op() Daniel Lee <dany97(a)live.ca> platform/x86: lg-laptop: Fix WMAB call in fan_mode_store() Adrián Larumbe <adrian.larumbe(a)collabora.com> drm/panthor: Defer scheduler entitiy destruction to queue release Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> futex: Prevent use-after-free during requeue-PI Zabelin Nikita <n.zabelin(a)mt-integration.ru> drm/gma500: Fix null dereference in hdmi teardown Hugh Dickins <hughd(a)google.com> mm: folio_may_be_lru_cached() unless folio_test_large() Hugh Dickins <hughd(a)google.com> mm: revert "mm/gup: clear the LRU flag of a page before adding to LRU batch" Hugh Dickins <hughd(a)google.com> mm/gup: local lru_add_drain() to avoid lru_add_drain_all() Dan Carpenter <dan.carpenter(a)linaro.org> octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries added to the CPU port Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to port_setup() Ido Schimmel <idosch(a)nvidia.com> selftests: fib_nexthops: Fix creation of non-FDB nexthops Ido Schimmel <idosch(a)nvidia.com> nexthop: Forbid FDB status change while nexthop is in a group Jason Baron <jbaron(a)akamai.com> net: allow alloc_skb_with_frags() to use MAX_SKB_FRAGS Alok Tiwari <alok.a.tiwari(a)oracle.com> bnxt_en: correct offset handling for IPv6 destination address Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> vhost: Take a reference on the task in struct vhost_task. Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix hci_resume_advertising_sync Petr Malat <oss(a)malat.biz> ethernet: rvu-af: Remove slash from the driver name Sidraya Jayagond <sidraya(a)linux.ibm.com> net/smc: fix warning in smc_rx_splice() when calling get_page() Wang Liang <wangliang74(a)huawei.com> net: tun: Update napi->skb after XDP process Stéphane Grosjean <stephane.grosjean(a)hms-networks.com> can: peak_usb: fix shift-out-of-bounds issue Vincent Mailhol <mailhol(a)kernel.org> can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: hi311x: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow Sabrina Dubroca <sd(a)queasysnail.net> xfrm: xfrm_alloc_spi shouldn't use 0 as SPI Leon Hwang <leon.hwang(a)linux.dev> bpf: Reject bpf_timer for PREEMPT_RT Geert Uytterhoeven <geert+renesas(a)glider.be> can: rcar_can: rcar_can_resume(): fix s2ram with PSCI James Guan <guan_yufei(a)163.com> wifi: virt_wifi: Fix page fault on connect Mark Harmstone <mark(a)harmstone.com> btrfs: don't allow adding block device of less than 1 MB Jiri Olsa <olsajiri(a)gmail.com> bpf: Check the helper function is valid in get_helper_proto Stefan Metzmacher <metze(a)samba.org> smb: server: use disable_work_sync in transport_rdma.c Stefan Metzmacher <metze(a)samba.org> smb: server: don't use delayed_work for post_recv_credits_work Christian Loehle <christian.loehle(a)arm.com> cpufreq: Initialize cpufreq-based invariance before subsys Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: kirkwood: Fix sound DAI cells for OpenRD clients Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp: Correct thermal sensor index Peng Fan <peng.fan(a)nxp.com> firmware: imx: Add stub functions for SCMI MISC API Basavaraj Natikar <Basavaraj.Natikar(a)amd.com> HID: amd_sfh: Add sync across amd sfh work functions Or Har-Toov <ohartoov(a)nvidia.com> IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions Aleksander Jan Bajkowski <olek2(a)wp.pl> net: sfp: add quirk for FLYPRO copper SFP+ module qaqland <anguoli(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on more devices Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: move mixer_quirks' min_mute into common quirk noble.yang <noble.yang(a)comtrue-inc.com> ALSA: usb-audio: Add DSD support for Comtrue USB Audio device Heikki Krogerus <heikki.krogerus(a)linux.intel.com> i2c: designware: Add quirk for Intel Xe Benoît Monin <benoit.monin(a)bootlin.com> mmc: sdhci-cadence: add Mobileye eyeQ support Chris Morgan <macromorgan(a)hotmail.com> net: sfp: add quirk for Potron SFP+ XGSPON ONU Stick Marc Kleine-Budde <mkl(a)pengutronix.de> net: fec: rename struct fec_devinfo fec_imx6x_info -> fec_imx6sx_info Jiayi Li <lijiayi(a)kylinos.cn> usb: core: Add 0x prefix to quirks debug output Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix build with CONFIG_INPUT=n Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda/realtek: Add support for ASUS NUC using CS35L41 HDA Chen Ni <nichen(a)iscas.ac.cn> ALSA: usb-audio: Convert comma to semicolon Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: specify that Apple Touch Bar is direct Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: take cls->maxcontacts into account for Apple Touch Bar even without a HID_DG_CONTACTMAX field Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: support getting the tip state from HID_DG_TOUCH fields in Apple Touch Bar Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: Get the contact ID from HID_DG_TRANSDUCER_INDEX fields in case of Apple Touch Bar Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Simplify NULL comparison in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Avoid multiple assignments in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Fix block comments in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Fix code alignment in mixer_quirks Takashi Sakamoto <o-takashi(a)sakamocchi.jp> firewire: core: fix overlooked update of subsystem ABI version Alok Tiwari <alok.a.tiwari(a)oracle.com> scsi: ufs: mcq: Fix memory allocation checks for SQE and CQE ------------- Diffstat: Documentation/admin-guide/laptops/lg-laptop.rst | 4 +- Makefile | 4 +- .../dts/intel/socfpga/socfpga_cyclone5_sodia.dts | 6 +- .../boot/dts/marvell/kirkwood-openrd-client.dts | 2 +- arch/arm64/boot/dts/freescale/imx8mp.dtsi | 4 +- arch/arm64/boot/dts/marvell/cn9132-clearfog.dts | 16 +- arch/arm64/boot/dts/marvell/cn9132-sr-cex7.dtsi | 8 + drivers/cpufreq/cpufreq.c | 20 +- drivers/firewire/core-cdev.c | 2 +- drivers/gpio/gpiolib.c | 21 +- drivers/gpu/drm/ast/ast_dp.c | 2 +- drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- drivers/gpu/drm/panthor/panthor_sched.c | 8 +- drivers/hid/amd-sfh-hid/amd_sfh_client.c | 12 +- drivers/hid/amd-sfh-hid/amd_sfh_common.h | 3 + drivers/hid/amd-sfh-hid/amd_sfh_pcie.c | 4 + drivers/hid/hid-asus.c | 3 + drivers/hid/hid-multitouch.c | 45 +- drivers/i2c/busses/i2c-designware-platdrv.c | 7 +- drivers/infiniband/hw/mlx5/devx.c | 1 + drivers/iommu/iommufd/fault.c | 4 +- drivers/iommu/iommufd/main.c | 34 +- drivers/mmc/host/sdhci-cadence.c | 11 + drivers/net/can/rcar/rcar_can.c | 8 +- drivers/net/can/spi/hi311x.c | 1 + drivers/net/can/sun4i_can.c | 1 + drivers/net/can/usb/etas_es58x/es58x_core.c | 3 +- drivers/net/can/usb/mcba_usb.c | 1 + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +- drivers/net/dsa/lantiq_gswip.c | 21 +- drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 2 +- drivers/net/ethernet/freescale/fec_main.c | 4 +- drivers/net/ethernet/intel/i40e/i40e.h | 3 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 26 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 110 +++-- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 3 +- drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 3 +- .../net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 2 +- drivers/net/phy/sfp.c | 24 +- drivers/net/tun.c | 3 + drivers/net/wireless/virtual/virt_wifi.c | 4 +- drivers/platform/x86/lg-laptop.c | 34 +- drivers/ufs/core/ufs-mcq.c | 4 +- drivers/usb/core/quirks.c | 2 +- drivers/usb/host/xhci-dbgcap.c | 2 +- drivers/usb/host/xhci-mem.c | 50 +- drivers/usb/host/xhci.c | 2 +- drivers/usb/host/xhci.h | 6 +- drivers/video/fbdev/core/fbcon.c | 13 +- fs/afs/server.c | 3 +- fs/btrfs/volumes.c | 5 + fs/hugetlbfs/inode.c | 10 +- fs/proc/task_mmu.c | 3 + fs/smb/client/smb2inode.c | 2 +- fs/smb/server/transport_rdma.c | 22 +- include/crypto/if_alg.h | 2 +- include/linux/firmware/imx/sm.h | 12 + include/linux/swap.h | 10 + include/net/bluetooth/hci_core.h | 21 + kernel/bpf/core.c | 5 +- kernel/bpf/verifier.c | 6 +- kernel/futex/requeue.c | 6 +- kernel/trace/trace_dynevent.c | 4 + kernel/vhost_task.c | 3 +- mm/gup.c | 15 +- mm/kmsan/core.c | 10 +- mm/kmsan/kmsan_test.c | 16 + mm/mlock.c | 6 +- mm/swap.c | 51 +- net/bluetooth/hci_event.c | 26 +- net/bluetooth/hci_sync.c | 7 + net/core/skbuff.c | 2 +- net/ipv4/nexthop.c | 7 + net/smc/smc_loopback.c | 14 +- net/xfrm/xfrm_state.c | 3 + sound/pci/hda/patch_realtek.c | 11 + sound/usb/mixer_quirks.c | 545 +++++++++++++++------ sound/usb/quirks.c | 24 +- sound/usb/usbaudio.h | 4 + tools/testing/selftests/net/fib_nexthops.sh | 12 +- 80 files changed, 1037 insertions(+), 387 deletions(-)

2 hours, 40 minutes

13
101
0 0

Re: Patch "LoongArch: Handle jump tables options for RUST" has been added to the 6.16-stable tree

by Miguel Ojeda

On Sun, Sep 21, 2025 at 3:05 PM <gregkh(a)linuxfoundation.org> wrote: > > This is a note to let you know that I've just added the patch titled > > LoongArch: Handle jump tables options for RUST > > to the 6.16-stable tree which can be found at: > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… ... > commit 74f8295c6fb8436bec9995baf6ba463151b6fb68 upstream. Huacai et al.: I wonder if we could get this one into 6.12.y? Maybe no one actually cares in practice, so please feel free to ignore it, but it is the only `objtool` warning (a lot of instances, but just that kind from a quick look) I have in my LoongArch Rust builds I have in 6.12.y, and it would be nice to have it clean. Thanks! Cheers, Miguel

2 hours, 41 minutes

1
0
0 0

[PATCH 6.6 00/91] 6.6.109-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.6.109 release. There are 91 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 02 Oct 2025 14:37:59 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.109-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.6.109-rc1 David Laight <David.Laight(a)ACULAB.COM> minmax.h: remove some #defines that are only expanded once David Laight <David.Laight(a)ACULAB.COM> minmax.h: simplify the variants of clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: move all the clamp() definitions after the min/max() ones David Laight <David.Laight(a)ACULAB.COM> minmax.h: use BUILD_BUG_ON_MSG() for the lo < hi test in clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: reduce the #define expansion of min(), max() and clamp() David Laight <David.Laight(a)ACULAB.COM> minmax.h: update some comments David Laight <David.Laight(a)ACULAB.COM> minmax.h: add whitespace around operators and after commas Linus Torvalds <torvalds(a)linux-foundation.org> minmax: fix up min3() and max3() too Linus Torvalds <torvalds(a)linux-foundation.org> minmax: improve macro expansion and type checking Linus Torvalds <torvalds(a)linux-foundation.org> minmax: don't use max() in situations that want a C constant expression Linus Torvalds <torvalds(a)linux-foundation.org> minmax: simplify min()/max()/clamp() implementation Linus Torvalds <torvalds(a)linux-foundation.org> minmax: make generic MIN() and MAX() macros available everywhere Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add validation for ring_len param Justin Bronder <jsbronder(a)cold-front.org> i40e: increase max descriptors for XL710 Nirmoy Das <nirmoyd(a)nvidia.com> drm/ast: Use msleep instead of mdelay for edid read Hans de Goede <hansg(a)kernel.org> gpiolib: Extend software-node support to support secondary software-nodes Jan Kara <jack(a)suse.cz> loop: Avoid updating block size under exclusive owner David Hildenbrand <david(a)redhat.com> mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() Kefeng Wang <wangkefeng.wang(a)huawei.com> mm: migrate_device: use more folio in migrate_device_finalize() Florian Fainelli <florian.fainelli(a)broadcom.com> ARM: bcm: Select ARM_GIC_V3 for ARCH_BRCMSTB Nathan Chancellor <nathan(a)kernel.org> s390/cpum_cf: Fix uninitialized warning after backport of ce971233242b Thomas Zimmermann <tzimmermann(a)suse.de> fbcon: Fix OOB access in font allocation Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> fbcon: fix integer overflow in fbcon_do_set_font Jinjiang Tu <tujinjiang(a)huawei.com> mm/hugetlb: fix folio is still mapped when deleted Eric Biggers <ebiggers(a)kernel.org> kmsan: fix out-of-bounds access to shadow memory Zhen Ni <zhen.ni(a)easystack.cn> afs: Fix potential null pointer dereference in afs_put_server Nobuhiro Iwamatsu <iwamatsu(a)nigauri.org> ARM: dts: socfpga: sodia: Fix mdio bus probe and PHY address Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: dynevent: Add a missing lockdown check on dynevent Eric Biggers <ebiggers(a)kernel.org> crypto: af_alg - Fix incorrect boolean values in af_alg_ctx Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: improve VF MAC filters accounting Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add mask to apply valid bits for itr_idx Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add max boundary check for VF filters Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix validation of VF state in get resources Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix input validation logic for action_meta Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix idx validation in config queues msg Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix idx validation in i40e_validate_queue_map Amit Chaudhari <amitchaudhari(a)mac.com> HID: asus: add support for missing PX series fn keys Sang-Heon Jeon <ekffu200098(a)gmail.com> smb: client: fix wrong index reference in smb2_compound_op() Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> futex: Prevent use-after-free during requeue-PI Zabelin Nikita <n.zabelin(a)mt-integration.ru> drm/gma500: Fix null dereference in hdmi teardown Dan Carpenter <dan.carpenter(a)linaro.org> octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries added to the CPU port Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to port_setup() Martin Schiller <ms(a)dev.tdt.de> net: dsa: lantiq_gswip: do also enable or disable cpu port Ido Schimmel <idosch(a)nvidia.com> selftests: fib_nexthops: Fix creation of non-FDB nexthops Ido Schimmel <idosch(a)nvidia.com> nexthop: Forbid FDB status change while nexthop is in a group Jason Baron <jbaron(a)akamai.com> net: allow alloc_skb_with_frags() to use MAX_SKB_FRAGS Alok Tiwari <alok.a.tiwari(a)oracle.com> bnxt_en: correct offset handling for IPv6 destination address Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> vhost: Take a reference on the task in struct vhost_task. Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix hci_resume_advertising_sync Petr Malat <oss(a)malat.biz> ethernet: rvu-af: Remove slash from the driver name Stéphane Grosjean <stephane.grosjean(a)hms-networks.com> can: peak_usb: fix shift-out-of-bounds issue Vincent Mailhol <mailhol(a)kernel.org> can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: hi311x: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow Sabrina Dubroca <sd(a)queasysnail.net> xfrm: xfrm_alloc_spi shouldn't use 0 as SPI Leon Hwang <leon.hwang(a)linux.dev> bpf: Reject bpf_timer for PREEMPT_RT Geert Uytterhoeven <geert+renesas(a)glider.be> can: rcar_can: rcar_can_resume(): fix s2ram with PSCI James Guan <guan_yufei(a)163.com> wifi: virt_wifi: Fix page fault on connect Stefan Metzmacher <metze(a)samba.org> smb: server: don't use delayed_work for post_recv_credits_work Christian Loehle <christian.loehle(a)arm.com> cpufreq: Initialize cpufreq-based invariance before subsys Jihed Chaibi <jihed.chaibi.dev(a)gmail.com> ARM: dts: kirkwood: Fix sound DAI cells for OpenRD clients Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp: Correct thermal sensor index Hugh Dickins <hughd(a)google.com> mm: folio_may_be_lru_cached() unless folio_test_large() Hugh Dickins <hughd(a)google.com> mm/gup: local lru_add_drain() to avoid lru_add_drain_all() Hugh Dickins <hughd(a)google.com> mm/gup: check ref_count instead of lru before migration Shivank Garg <shivankg(a)amd.com> mm: add folio_expected_ref_count() for reference count calculation David Hildenbrand <david(a)redhat.com> mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" Or Har-Toov <ohartoov(a)nvidia.com> IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions qaqland <anguoli(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on more devices Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: move mixer_quirks' min_mute into common quirk noble.yang <noble.yang(a)comtrue-inc.com> ALSA: usb-audio: Add DSD support for Comtrue USB Audio device Heikki Krogerus <heikki.krogerus(a)linux.intel.com> i2c: designware: Add quirk for Intel Xe Benoît Monin <benoit.monin(a)bootlin.com> mmc: sdhci-cadence: add Mobileye eyeQ support Jiayi Li <lijiayi(a)kylinos.cn> usb: core: Add 0x prefix to quirks debug output Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix build with CONFIG_INPUT=n Chen Ni <nichen(a)iscas.ac.cn> ALSA: usb-audio: Convert comma to semicolon Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: specify that Apple Touch Bar is direct Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: take cls->maxcontacts into account for Apple Touch Bar even without a HID_DG_CONTACTMAX field Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: support getting the tip state from HID_DG_TOUCH fields in Apple Touch Bar Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: Get the contact ID from HID_DG_TRANSDUCER_INDEX fields in case of Apple Touch Bar Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Simplify NULL comparison in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Avoid multiple assignments in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Fix block comments in mixer_quirks Takashi Sakamoto <o-takashi(a)sakamocchi.jp> firewire: core: fix overlooked update of subsystem ABI version Alok Tiwari <alok.a.tiwari(a)oracle.com> scsi: ufs: mcq: Fix memory allocation checks for SQE and CQE ------------- Diffstat: Makefile | 4 +- .../dts/intel/socfpga/socfpga_cyclone5_sodia.dts | 6 +- .../boot/dts/marvell/kirkwood-openrd-client.dts | 2 +- arch/arm/mach-bcm/Kconfig | 1 + arch/arm64/boot/dts/freescale/imx8mp.dtsi | 4 +- arch/s390/kernel/perf_cpum_cf.c | 4 +- arch/um/drivers/mconsole_user.c | 2 + drivers/block/loop.c | 40 ++- drivers/cpufreq/cpufreq.c | 20 +- drivers/edac/skx_common.h | 1 - drivers/firewire/core-cdev.c | 2 +- drivers/gpio/gpiolib.c | 19 +- drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 + .../gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 2 + drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppevvmath.h | 14 +- .../drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 2 + .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 3 + .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 3 + drivers/gpu/drm/amd/pm/swsmu/smu_cmn.c | 2 +- drivers/gpu/drm/ast/ast_dp.c | 2 +- drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- drivers/gpu/drm/radeon/evergreen_cs.c | 2 + drivers/hid/hid-asus.c | 3 + drivers/hid/hid-multitouch.c | 45 +++- drivers/hwmon/adt7475.c | 24 +- drivers/i2c/busses/i2c-designware-platdrv.c | 7 +- drivers/infiniband/hw/mlx5/devx.c | 1 + drivers/input/touchscreen/cyttsp4_core.c | 2 +- drivers/irqchip/irq-sun6i-r.c | 2 +- drivers/media/dvb-frontends/stv0367_priv.h | 3 + drivers/mmc/host/sdhci-cadence.c | 11 + drivers/net/can/rcar/rcar_can.c | 8 +- drivers/net/can/spi/hi311x.c | 1 + drivers/net/can/sun4i_can.c | 1 + drivers/net/can/usb/etas_es58x/es58x_core.c | 3 +- drivers/net/can/usb/etas_es58x/es58x_devlink.c | 2 +- drivers/net/can/usb/mcba_usb.c | 1 + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +- drivers/net/dsa/lantiq_gswip.c | 41 +-- drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 2 +- drivers/net/ethernet/intel/i40e/i40e.h | 4 +- drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 25 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 26 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 110 ++++---- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 3 +- drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 3 +- .../net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 2 +- drivers/net/fjes/fjes_main.c | 4 +- drivers/net/wireless/virtual/virt_wifi.c | 4 +- drivers/nfc/pn544/i2c.c | 2 - drivers/platform/x86/sony-laptop.c | 1 - drivers/scsi/isci/init.c | 6 +- .../pci/hive_isp_css_include/math_support.h | 5 - drivers/ufs/core/ufs-mcq.c | 4 +- drivers/usb/core/quirks.c | 2 +- drivers/video/fbdev/core/fbcon.c | 13 +- fs/afs/server.c | 3 +- fs/btrfs/tree-checker.c | 2 +- fs/hugetlbfs/inode.c | 10 +- fs/smb/client/smb2inode.c | 2 +- fs/smb/server/transport_rdma.c | 18 +- include/crypto/if_alg.h | 2 +- include/linux/compiler.h | 9 + include/linux/minmax.h | 234 +++++++++------- include/linux/mm.h | 55 ++++ include/linux/swap.h | 10 + include/net/bluetooth/hci_core.h | 21 ++ kernel/bpf/verifier.c | 4 + kernel/futex/requeue.c | 6 +- kernel/trace/preemptirq_delay_test.c | 2 - kernel/trace/trace_dynevent.c | 4 + kernel/vhost_task.c | 3 +- lib/btree.c | 1 - lib/decompress_unlzma.c | 2 + lib/vsprintf.c | 2 +- mm/gup.c | 28 +- mm/kmsan/core.c | 10 +- mm/kmsan/kmsan_test.c | 16 ++ mm/migrate_device.c | 42 ++- mm/mlock.c | 6 +- mm/swap.c | 4 +- mm/zsmalloc.c | 2 - net/bluetooth/hci_event.c | 26 +- net/bluetooth/hci_sync.c | 7 + net/core/skbuff.c | 2 +- net/ipv4/nexthop.c | 7 + net/xfrm/xfrm_state.c | 3 + sound/usb/mixer_quirks.c | 295 +++++++++++++++++++-- sound/usb/quirks.c | 24 +- sound/usb/usbaudio.h | 4 + tools/testing/selftests/mm/mremap_test.c | 2 + tools/testing/selftests/net/fib_nexthops.sh | 12 +- tools/testing/selftests/seccomp/seccomp_bpf.c | 2 + 93 files changed, 1031 insertions(+), 363 deletions(-)

3 hours

11
102
0 0

[PATCH 6.1 00/73] 6.1.155-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.155 release. There are 73 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 02 Oct 2025 14:37:59 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.155-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.155-rc1 Linus Torvalds <torvalds(a)linux-foundation.org> minmax: simplify and clarify min_t()/max_t() implementation Linus Torvalds <torvalds(a)linux-foundation.org> minmax: add a few more MIN_T/MAX_T users Linus Torvalds <torvalds(a)linux-foundation.org> minmax: make generic MIN() and MAX() macros available everywhere Eric Biggers <ebiggers(a)kernel.org> kmsan: fix out-of-bounds access to shadow memory Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add validation for ring_len param Justin Bronder <jsbronder(a)cold-front.org> i40e: increase max descriptors for XL710 Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix idx validation in config queues msg Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix validation of VF state in get resources Nirmoy Das <nirmoyd(a)nvidia.com> drm/ast: Use msleep instead of mdelay for edid read Linus Torvalds <torvalds(a)linux-foundation.org> minmax: avoid overly complicated constant expressions in VM code David Laight <David.Laight(a)ACULAB.COM> minmax: fix indentation of __cmp_once() and __clamp_once() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> minmax: deduplicate __unconst_integer_typeof() Herve Codina <herve.codina(a)bootlin.com> minmax: Introduce {min,max}_array() Matthew Wilcox (Oracle) <willy(a)infradead.org> minmax: add in_range() macro David Hildenbrand <david(a)redhat.com> mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() Kefeng Wang <wangkefeng.wang(a)huawei.com> mm: migrate_device: use more folio in migrate_device_finalize() Nathan Chancellor <nathan(a)kernel.org> s390/cpum_cf: Fix uninitialized warning after backport of ce971233242b Thomas Zimmermann <tzimmermann(a)suse.de> fbcon: Fix OOB access in font allocation Samasth Norway Ananda <samasth.norway.ananda(a)oracle.com> fbcon: fix integer overflow in fbcon_do_set_font Jinjiang Tu <tujinjiang(a)huawei.com> mm/hugetlb: fix folio is still mapped when deleted Zhen Ni <zhen.ni(a)easystack.cn> afs: Fix potential null pointer dereference in afs_put_server Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: dynevent: Add a missing lockdown check on dynevent Eric Biggers <ebiggers(a)kernel.org> crypto: af_alg - Fix incorrect boolean values in af_alg_ctx Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: improve VF MAC filters accounting Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add mask to apply valid bits for itr_idx Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: add max boundary check for VF filters Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix input validation logic for action_meta Lukasz Czapnik <lukasz.czapnik(a)intel.com> i40e: fix idx validation in i40e_validate_queue_map Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> futex: Prevent use-after-free during requeue-PI Zabelin Nikita <n.zabelin(a)mt-integration.ru> drm/gma500: Fix null dereference in hdmi teardown Dan Carpenter <dan.carpenter(a)linaro.org> octeontx2-pf: Fix potential use after free in otx2_tc_add_flow() Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: lantiq_gswip: suppress -EINVAL errors for bridge FDB entries added to the CPU port Vladimir Oltean <vladimir.oltean(a)nxp.com> net: dsa: lantiq_gswip: move gswip_add_single_port_br() call to port_setup() Martin Schiller <ms(a)dev.tdt.de> net: dsa: lantiq_gswip: do also enable or disable cpu port Ido Schimmel <idosch(a)nvidia.com> selftests: fib_nexthops: Fix creation of non-FDB nexthops Ido Schimmel <idosch(a)nvidia.com> nexthop: Forbid FDB status change while nexthop is in a group Alok Tiwari <alok.a.tiwari(a)oracle.com> bnxt_en: correct offset handling for IPv6 destination address Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_event: Fix UAF in hci_acl_create_conn_sync Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix hci_resume_advertising_sync Petr Malat <oss(a)malat.biz> ethernet: rvu-af: Remove slash from the driver name Stéphane Grosjean <stephane.grosjean(a)hms-networks.com> can: peak_usb: fix shift-out-of-bounds issue Vincent Mailhol <mailhol(a)kernel.org> can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: hi311x: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol(a)kernel.org> can: etas_es58x: populate ndo_change_mtu() to prevent buffer overflow Vincent Mailhol <mailhol.vincent(a)wanadoo.fr> can: etas_es58x: sort the includes by alphabetic order Leon Hwang <leon.hwang(a)linux.dev> bpf: Reject bpf_timer for PREEMPT_RT Geert Uytterhoeven <geert+renesas(a)glider.be> can: rcar_can: rcar_can_resume(): fix s2ram with PSCI Stefan Metzmacher <metze(a)samba.org> smb: server: don't use delayed_work for post_recv_credits_work Christian Loehle <christian.loehle(a)arm.com> cpufreq: Initialize cpufreq-based invariance before subsys Peng Fan <peng.fan(a)nxp.com> arm64: dts: imx8mp: Correct thermal sensor index Hugh Dickins <hughd(a)google.com> mm: folio_may_be_lru_cached() unless folio_test_large() Hugh Dickins <hughd(a)google.com> mm/gup: local lru_add_drain() to avoid lru_add_drain_all() Hugh Dickins <hughd(a)google.com> mm/gup: check ref_count instead of lru before migration Shivank Garg <shivankg(a)amd.com> mm: add folio_expected_ref_count() for reference count calculation David Hildenbrand <david(a)redhat.com> mm/gup: revert "mm: gup: fix infinite loop within __get_longterm_locked" Or Har-Toov <ohartoov(a)nvidia.com> IB/mlx5: Fix obj_type mismatch for SRQ event subscriptions qaqland <anguoli(a)uniontech.com> ALSA: usb-audio: Add mute TLV for playback volumes on more devices Cryolitia PukNgae <cryolitia(a)uniontech.com> ALSA: usb-audio: move mixer_quirks' min_mute into common quirk noble.yang <noble.yang(a)comtrue-inc.com> ALSA: usb-audio: Add DSD support for Comtrue USB Audio device Jiayi Li <lijiayi(a)kylinos.cn> usb: core: Add 0x prefix to quirks debug output Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix build with CONFIG_INPUT=n Chen Ni <nichen(a)iscas.ac.cn> ALSA: usb-audio: Convert comma to semicolon Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: specify that Apple Touch Bar is direct Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: take cls->maxcontacts into account for Apple Touch Bar even without a HID_DG_CONTACTMAX field Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: support getting the tip state from HID_DG_TOUCH fields in Apple Touch Bar Kerem Karabay <kekrby(a)gmail.com> HID: multitouch: Get the contact ID from HID_DG_TRANSDUCER_INDEX fields in case of Apple Touch Bar Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5 Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Remove unneeded wmb() in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Simplify NULL comparison in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Avoid multiple assignments in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Drop unnecessary parentheses in mixer_quirks Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Fix block comments in mixer_quirks ------------- Diffstat: Makefile | 4 +- arch/arm/mm/pageattr.c | 6 +- arch/arm64/boot/dts/freescale/imx8mp.dtsi | 4 +- arch/s390/kernel/perf_cpum_cf.c | 4 +- arch/um/drivers/mconsole_user.c | 2 + arch/x86/mm/pgtable.c | 2 +- drivers/cpufreq/cpufreq.c | 20 +- drivers/edac/sb_edac.c | 4 +- drivers/edac/skx_common.h | 1 - drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 + .../gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 2 + drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppevvmath.h | 14 +- .../drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c | 2 + .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c | 3 + .../gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c | 3 + drivers/gpu/drm/arm/display/include/malidp_utils.h | 2 +- .../drm/arm/display/komeda/komeda_pipeline_state.c | 24 +- drivers/gpu/drm/ast/ast_dp.c | 2 +- drivers/gpu/drm/drm_color_mgmt.c | 2 +- drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 6 - drivers/gpu/drm/radeon/evergreen_cs.c | 2 + drivers/hid/hid-multitouch.c | 45 +++- drivers/hwmon/adt7475.c | 24 +- drivers/infiniband/hw/mlx5/devx.c | 1 + drivers/md/dm-integrity.c | 2 +- drivers/media/dvb-frontends/stv0367_priv.h | 3 + drivers/net/can/rcar/rcar_can.c | 8 +- drivers/net/can/spi/hi311x.c | 1 + drivers/net/can/sun4i_can.c | 1 + drivers/net/can/usb/etas_es58x/es581_4.c | 4 +- drivers/net/can/usb/etas_es58x/es58x_core.c | 7 +- drivers/net/can/usb/etas_es58x/es58x_core.h | 8 +- drivers/net/can/usb/etas_es58x/es58x_fd.c | 4 +- drivers/net/can/usb/mcba_usb.c | 1 + drivers/net/can/usb/peak_usb/pcan_usb_core.c | 2 +- drivers/net/dsa/lantiq_gswip.c | 41 +-- drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 2 +- drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 18 +- drivers/net/ethernet/intel/i40e/i40e.h | 4 +- drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 25 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 26 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 110 ++++---- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h | 3 +- drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 3 +- .../net/ethernet/marvell/octeontx2/nic/otx2_tc.c | 2 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/fjes/fjes_main.c | 4 +- drivers/nfc/pn544/i2c.c | 2 - drivers/platform/x86/sony-laptop.c | 1 - drivers/scsi/isci/init.c | 6 +- .../pci/hive_isp_css_include/math_support.h | 5 - drivers/usb/core/quirks.c | 2 +- drivers/video/fbdev/core/fbcon.c | 13 +- drivers/virt/acrn/ioreq.c | 4 +- fs/afs/server.c | 3 +- fs/btrfs/misc.h | 2 - fs/ext2/balloc.c | 2 - fs/ext4/ext4.h | 2 - fs/hugetlbfs/inode.c | 10 +- fs/smb/server/transport_rdma.c | 18 +- fs/ufs/util.h | 6 - include/crypto/if_alg.h | 2 +- include/linux/minmax.h | 122 +++++++-- include/linux/mm.h | 54 ++++ include/linux/pageblock-flags.h | 2 +- include/linux/swap.h | 10 + include/net/bluetooth/hci_core.h | 21 ++ kernel/bpf/verifier.c | 4 + kernel/futex/requeue.c | 6 +- kernel/trace/preemptirq_delay_test.c | 2 - kernel/trace/trace_dynevent.c | 4 + lib/btree.c | 1 - lib/decompress_unlzma.c | 2 + lib/logic_pio.c | 3 - mm/gup.c | 28 +- mm/kmsan/core.c | 10 +- mm/kmsan/kmsan_test.c | 16 ++ mm/migrate_device.c | 42 ++- mm/mlock.c | 2 +- mm/swap.c | 4 +- mm/zsmalloc.c | 1 - net/bluetooth/hci_event.c | 26 +- net/bluetooth/hci_sync.c | 7 + net/ipv4/nexthop.c | 7 + net/ipv4/proc.c | 2 +- net/ipv6/proc.c | 2 +- net/netfilter/nf_nat_core.c | 6 +- net/tipc/core.h | 2 +- net/tipc/link.c | 10 +- sound/usb/mixer_quirks.c | 295 +++++++++++++++++++-- sound/usb/quirks.c | 24 +- sound/usb/usbaudio.h | 4 + .../selftests/bpf/progs/get_branch_snapshot.c | 4 +- tools/testing/selftests/net/fib_nexthops.sh | 12 +- tools/testing/selftests/seccomp/seccomp_bpf.c | 2 + tools/testing/selftests/vm/mremap_test.c | 2 + 97 files changed, 950 insertions(+), 331 deletions(-)

3 hours, 4 minutes

11
83
0 0

[PATCH 6.1 00/61] 6.1.154-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.154 release. There are 61 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 24 Sep 2025 19:23:52 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.154-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.154-rc1 Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg David Howells <dhowells(a)redhat.com> crypto: af_alg: Convert af_alg_sendpage() to use MSG_SPLICE_PAGES Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ASoC: qcom: q6apm-lpass-dais: Fix NULL pointer dereference if source graph failed Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: q6apm-lpass-dai: close graph on prepare errors Srinivas Kandagatla <srinivas.kandagatla(a)linaro.org> ASoC: qcom: q6apm-lpass-dai: close graphs before opening a new one Hans de Goede <hansg(a)kernel.org> net: rfkill: gpio: Fix crash due to dereferencering uninitialized pointer Philipp Zabel <p.zabel(a)pengutronix.de> net: rfkill: gpio: add DT support Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: connect: catch IO errors on listen side Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: propagate shutdown to subflows when possible Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: Fix full DbC transfer ring after several reconnects Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: dbc: decouple endpoint allocation from initialization Johan Hovold <johan(a)kernel.org> phy: ti: omap-usb2: fix device leak at unbind Rob Herring <robh(a)kernel.org> phy: Use device_get_match_data() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> phy: broadcom: ns-usb3: fix Wvoid-pointer-to-enum-cast warning Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: userspace pm: validate deny-join-id0 flag Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: nl: announce deny-join-id0 flag Stefan Metzmacher <metze(a)samba.org> smb: client: fix smbdirect_recv_io leak in smbd_negotiate() error path Herbert Xu <herbert(a)gondor.apana.org.au> crypto: af_alg - Set merge to zero early in af_alg_sendmsg David Howells <dhowells(a)redhat.com> crypto: af_alg: Indent the loop in af_alg_sendmsg() Qi Xi <xiqi2(a)huawei.com> drm: bridge: cdns-mhdp8546: Fix missing mutex unlock on error path Loic Poulain <loic.poulain(a)oss.qualcomm.com> drm: bridge: anx7625: Fix NULL pointer dereference with early IRQ Colin Ian King <colin.i.king(a)gmail.com> ASoC: SOF: Intel: hda-stream: Fix incorrect variable used in error message Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8974: Correct PLL rate rounding Charles Keepax <ckeepax(a)opensource.cirrus.com> ASoC: wm8940: Correct typo in control name Jens Axboe <axboe(a)kernel.dk> io_uring: include dying ring in task_work "should cancel" state Jens Axboe <axboe(a)kernel.dk> io_uring: backport io_should_terminate_tw() Praful Adiga <praful.adiga(a)gmail.com> ALSA: hda/realtek: Fix mute led for HP Laptop 15-dw4xx Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: avoid spurious errors on TCP disconnect Håkon Bugge <haakon.bugge(a)oracle.com> rds: ib: Increment i_fastreg_wrs before bailing out Maciej S. Szmigiero <maciej.szmigiero(a)oracle.com> KVM: SVM: Sync TPR from LAPIC into VMCB::V_TPR even if AVIC is active Thomas Fourier <fourier.thomas(a)gmail.com> mmc: mvsdio: Fix dma_unmap_sg() nents value Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: q6apm-lpass-dais: Fix missing set_fmt DAI op for I2S Mohammad Rafi Shaik <mohammad.rafi.shaik(a)oss.qualcomm.com> ASoC: qcom: audioreach: Fix lpaif_type configuration for the I2S interface Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: fix the incorrect inode ref size check Eugene Koira <eugkoira(a)amazon.com> iommu/vt-d: Fix __domain_mapping()'s usage of switch_to_super_page() Tao Cui <cuitao(a)kylinos.cn> LoongArch: Check the return value when creating kobj Huacai Chen <chenhuacai(a)kernel.org> LoongArch: Align ACPI structures if ARCH_STRICT_ALIGN enabled H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: restrict no-battery detection to bq27000 H. Nikolaus Schaller <hns(a)goldelico.com> power: supply: bq27xxx: fix error return in case of no bq27000 hdq battery Nathan Chancellor <nathan(a)kernel.org> nilfs2: fix CFI failure when accessing /sys/fs/nilfs2/features/* Stefan Metzmacher <metze(a)samba.org> ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer Duoming Zhou <duoming(a)zju.edu.cn> octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() Duoming Zhou <duoming(a)zju.edu.cn> cnic: Fix use-after-free bugs in cnic_delete_task Alexey Nepomnyashih <sdl(a)nppct.ru> net: liquidio: fix overflow in octeon_init_instr_queue() Tariq Toukan <tariqt(a)nvidia.com> Revert "net/mlx5e: Update and set Xon/Xoff upon port speed set" Jakub Kicinski <kuba(a)kernel.org> tls: make sure to abort the stream if headers are bogus Kuniyuki Iwashima <kuniyu(a)google.com> tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect(). Hangbin Liu <liuhangbin(a)gmail.com> bonding: don't set oif to bond dev when getting NS target destination Maciej Fijalkowski <maciej.fijalkowski(a)intel.com> i40e: remove redundant memory barrier when cleaning Tx descs Yeounsu Moon <yyyynoom(a)gmail.com> net: natsemi: fix `rx_dropped` double accounting on `netif_rx()` failure Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: set remote_deny_join_id0 on SYN recv Jamie Bainbridge <jamie.bainbridge(a)gmail.com> qed: Don't collect too many protection override GRC elements Ioana Ciornei <ioana.ciornei(a)nxp.com> dpaa2-switch: fix buffer pool seeding for control traffic Miaoqian Lin <linmq006(a)gmail.com> um: virtio_uml: Fix use-after-free after put_device in probe Filipe Manana <fdmanana(a)suse.com> btrfs: fix invalid extref key setup when replaying dentry Chen Ridong <chenridong(a)huawei.com> cgroup: split cgroup_destroy_wq into 3 workqueues Geert Uytterhoeven <geert+renesas(a)glider.be> pcmcia: omap_cf: Mark driver struct with __refdata to prevent section mismatch Liao Yuanhong <liaoyuanhong(a)vivo.com> wifi: mac80211: fix incorrect type for ret Lachlan Hodges <lachlan.hodges(a)morsemicro.com> wifi: mac80211: increase scan_ies_len for S1G Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: firewire-motu: drop EPOLLOUT from poll return values as write is not supported ------------- Diffstat: Makefile | 4 +- arch/loongarch/include/asm/acenv.h | 7 +- arch/loongarch/kernel/env.c | 2 + arch/um/drivers/virtio_uml.c | 6 +- arch/x86/kvm/svm/svm.c | 3 +- crypto/af_alg.c | 112 ++++++++------------- drivers/gpu/drm/bridge/analogix/anx7625.c | 6 +- .../gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 6 +- drivers/iommu/intel/iommu.c | 7 +- drivers/mmc/host/mvsdio.c | 2 +- drivers/net/bonding/bond_main.c | 1 - drivers/net/ethernet/broadcom/cnic.c | 3 +- .../net/ethernet/cavium/liquidio/request_manager.c | 2 +- .../net/ethernet/freescale/dpaa2/dpaa2-switch.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 - .../net/ethernet/marvell/octeontx2/nic/otx2_ptp.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 - drivers/net/ethernet/natsemi/ns83820.c | 13 ++- drivers/net/ethernet/qlogic/qed/qed_debug.c | 7 +- drivers/pcmcia/omap_cf.c | 8 +- drivers/phy/broadcom/phy-bcm-ns-usb3.c | 9 +- drivers/phy/marvell/phy-berlin-usb.c | 7 +- drivers/phy/ralink/phy-ralink-usb.c | 10 +- drivers/phy/rockchip/phy-rockchip-pcie.c | 11 +- drivers/phy/rockchip/phy-rockchip-usb.c | 10 +- drivers/phy/ti/phy-omap-control.c | 9 +- drivers/phy/ti/phy-omap-usb2.c | 24 +++-- drivers/phy/ti/phy-ti-pipe3.c | 14 +-- drivers/power/supply/bq27xxx_battery.c | 4 +- drivers/usb/host/xhci-dbgcap.c | 94 ++++++++++++----- fs/btrfs/tree-checker.c | 4 +- fs/btrfs/tree-log.c | 2 +- fs/nilfs2/sysfs.c | 4 +- fs/nilfs2/sysfs.h | 8 +- fs/smb/client/smbdirect.c | 4 +- fs/smb/server/transport_rdma.c | 26 +++-- include/crypto/if_alg.h | 10 +- include/uapi/linux/mptcp.h | 6 +- io_uring/io_uring.c | 13 ++- io_uring/io_uring.h | 13 +++ io_uring/poll.c | 3 +- io_uring/timeout.c | 2 +- kernel/cgroup/cgroup.c | 43 ++++++-- net/ipv4/tcp.c | 5 + net/mac80211/driver-ops.h | 2 +- net/mac80211/main.c | 7 +- net/mptcp/pm_netlink.c | 7 ++ net/mptcp/protocol.c | 15 +++ net/mptcp/subflow.c | 4 + net/rds/ib_frmr.c | 20 ++-- net/rfkill/rfkill-gpio.c | 22 +++- net/tls/tls.h | 1 + net/tls/tls_strp.c | 14 ++- net/tls/tls_sw.c | 3 +- sound/firewire/motu/motu-hwdep.c | 2 +- sound/pci/hda/patch_realtek.c | 1 + sound/soc/codecs/wm8940.c | 2 +- sound/soc/codecs/wm8974.c | 8 +- sound/soc/qcom/qdsp6/audioreach.c | 1 + sound/soc/qcom/qdsp6/q6apm-lpass-dais.c | 36 +++++-- sound/soc/sof/intel/hda-stream.c | 2 +- tools/testing/selftests/net/mptcp/mptcp_connect.c | 11 +- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 7 ++ tools/testing/selftests/net/mptcp/userspace_pm.sh | 14 ++- 64 files changed, 440 insertions(+), 272 deletions(-)

3 hours, 11 minutes

13
76
0 0

Inquiry: Availability for New Project Estimate

by Chester

3 hours, 18 minutes

1
0
0 0

[PATCH] stable: crypto: sha256 - fix crash at kexec

by Breno Leitao

Loading a large (~2.1G) files with kexec crashes the host with when running: # kexec --load kernel --initrd initrd_with_2G_or_more UBSAN: signed-integer-overflow in ./include/crypto/sha256_base.h:64:19 34152083 * 64 cannot be represented in type 'int' ... BUG: unable to handle page fault for address: ff9fffff83b624c0 sha256_update (lib/crypto/sha256.c:137) crypto_sha256_update (crypto/sha256_generic.c:40) kexec_calculate_store_digests (kernel/kexec_file.c:769) __se_sys_kexec_file_load (kernel/kexec_file.c:397 kernel/kexec_file.c:332) ... (Line numbers based on commit da274362a7bd9 ("Linux 6.12.49") This is not happening upstream (v6.16+), given that `block` type was upgraded from "int" to "size_t" in commit 74a43a2cf5e8 ("crypto: lib/sha256 - Move partial block handling out") Upgrade the block type similar to the commit above, avoiding hitting the overflow. This patch is only suitable for the stable tree, and before 6.16, which got commit 74a43a2cf5e8 ("crypto: lib/sha256 - Move partial block handling out") Signed-off-by: Breno Leitao <leitao(a)debian.org> Fixes: 11b8d5ef9138 ("crypto: sha256 - implement base layer for SHA-256") # not after v6.16 Reported-by: Michael van der Westhuizen <rmikey(a)meta.com> Reported-by: Tobias Fleig <tfleig(a)meta.com> --- include/crypto/sha256_base.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/crypto/sha256_base.h b/include/crypto/sha256_base.h index e0418818d63c8..fa63af10102b2 100644 --- a/include/crypto/sha256_base.h +++ b/include/crypto/sha256_base.h @@ -44,7 +44,7 @@ static inline int lib_sha256_base_do_update(struct sha256_state *sctx, sctx->count += len; if (unlikely((partial + len) >= SHA256_BLOCK_SIZE)) { - int blocks; + size_t blocks; if (partial) { int p = SHA256_BLOCK_SIZE - partial; --- base-commit: da274362a7bd9ab3a6e46d15945029145ebce672 change-id: 20251001-stable_crash-f2151baf043b Best regards, -- Breno Leitao <leitao(a)debian.org>

3 hours, 26 minutes

3
4
0 0

[PATCH v3 1/2] mm/ksm: fix flag-dropping behavior in ksm_madvise

by Jakub Acs

syzkaller discovered the following crash: (kernel BUG) [ 44.607039] ------------[ cut here ]------------ [ 44.607422] kernel BUG at mm/userfaultfd.c:2067! [ 44.608148] Oops: invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN NOPTI [ 44.608814] CPU: 1 UID: 0 PID: 2475 Comm: reproducer Not tainted 6.16.0-rc6 #1 PREEMPT(none) [ 44.609635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 44.610695] RIP: 0010:userfaultfd_release_all+0x3a8/0x460 <snip other registers, drop unreliable trace> [ 44.617726] Call Trace: [ 44.617926] <TASK> [ 44.619284] userfaultfd_release+0xef/0x1b0 [ 44.620976] __fput+0x3f9/0xb60 [ 44.621240] fput_close_sync+0x110/0x210 [ 44.622222] __x64_sys_close+0x8f/0x120 [ 44.622530] do_syscall_64+0x5b/0x2f0 [ 44.622840] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 44.623244] RIP: 0033:0x7f365bb3f227 Kernel panics because it detects UFFD inconsistency during userfaultfd_release_all(). Specifically, a VMA which has a valid pointer to vma->vm_userfaultfd_ctx, but no UFFD flags in vma->vm_flags. The inconsistency is caused in ksm_madvise(): when user calls madvise() with MADV_UNMEARGEABLE on a VMA that is registered for UFFD in MINOR mode, it accidentally clears all flags stored in the upper 32 bits of vma->vm_flags. Assuming x86_64 kernel build, unsigned long is 64-bit and unsigned int and int are 32-bit wide. This setup causes the following mishap during the &= ~VM_MERGEABLE assignment. VM_MERGEABLE is a 32-bit constant of type unsigned int, 0x8000'0000. After ~ is applied, it becomes 0x7fff'ffff unsigned int, which is then promoted to unsigned long before the & operation. This promotion fills upper 32 bits with leading 0s, as we're doing unsigned conversion (and even for a signed conversion, this wouldn't help as the leading bit is 0). & operation thus ends up AND-ing vm_flags with 0x0000'0000'7fff'ffff instead of intended 0xffff'ffff'7fff'ffff and hence accidentally clears the upper 32-bits of its value. Fix it by changing `VM_MERGEABLE` constant to unsigned long, using the BIT() macro. Note: other VM_* flags are not affected: This only happens to the VM_MERGEABLE flag, as the other VM_* flags are all constants of type int and after ~ operation, they end up with leading 1 and are thus converted to unsigned long with leading 1s. Note 2: After commit 31defc3b01d9 ("userfaultfd: remove (VM_)BUG_ON()s"), this is no longer a kernel BUG, but a WARNING at the same place: [ 45.595973] WARNING: CPU: 1 PID: 2474 at mm/userfaultfd.c:2067 but the root-cause (flag-drop) remains the same. Fixes: 7677f7fd8be76 ("userfaultfd: add minor fault registration mode") Signed-off-by: Jakub Acs <acsjakub(a)amazon.de> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: David Hildenbrand <david(a)redhat.com> Cc: Xu Xin <xu.xin16(a)zte.com.cn> Cc: Chengming Zhou <chengming.zhou(a)linux.dev> Cc: Peter Xu <peterx(a)redhat.com> Cc: Axel Rasmussen <axelrasmussen(a)google.com> Cc: linux-mm(a)kvack.org Cc: linux-kernel(a)vger.kernel.org Cc: stable(a)vger.kernel.org --- include/linux/mm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index 1ae97a0b8ec7..c6794d0e24eb 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -296,7 +296,7 @@ extern unsigned int kobjsize(const void *objp); #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */ #define VM_HUGEPAGE 0x20000000 /* MADV_HUGEPAGE marked this vma */ #define VM_NOHUGEPAGE 0x40000000 /* MADV_NOHUGEPAGE marked this vma */ -#define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */ +#define VM_MERGEABLE BIT(31) /* KSM may merge identical pages */ #ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS #define VM_HIGH_ARCH_BIT_0 32 /* bit only usable on 64-bit architectures */ -- 2.47.3 Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christian Schlaeger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597

3 hours, 37 minutes

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2025