August 2025 - Linux-stable-mirror

Re: Bug report - Sticky keys acting not sticky sometimes

by Alerymin

Note: The issue looks like it's from tty directly but I don't see who is the maintainer, so I email the closest I can get Description: In command line, sticky keys reset only when typing ASCII and ISO-8859-1 characters. Tested with the QWERTY Lafayette layout: https://codeberg.org/Alerymin/kbd-qwerty-lafayette Observed Behaviour: When the layout is loaded in ISO-8859-15, most characters typed don't reset the sticky key, unless it's basic ASCII characters or Unicode When the layout is loaded in ISO-8859-1, the sticky key works fine. Expected behaviour: Sticky key working in ISO-8859-1 and ISO-8859-15 System used: Arch Linux, kernel 6.16.3-arch1-1

1 week, 2 days

2
3
0 0

[PATCH 3/3] drm/xe: Block exec and rebind worker while evicting for suspend / hibernate

by Thomas Hellström

When the xe pm_notifier evicts for suspend / hibernate, there might be racing tasks trying to re-validate again. This can lead to suspend taking excessive time or get stuck in a live-lock. This behaviour becomes much worse with the fix that actually makes re-validation bring back bos to VRAM rather than letting them remain in TT. Prevent that by having exec and the rebind worker waiting for a completion that is set to block by the pm_notifier before suspend and is signaled by the pm_notifier after resume / wakeup. It's probably still possible to craft malicious applications that block suspending. More work is pending to fix that. Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4288 Fixes: c6a4d46ec1d7 ("drm/xe: evict user memory in PM notifier") Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.16+ Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> --- drivers/gpu/drm/xe/xe_device_types.h | 2 ++ drivers/gpu/drm/xe/xe_exec.c | 9 +++++++++ drivers/gpu/drm/xe/xe_pm.c | 4 ++++ drivers/gpu/drm/xe/xe_vm.c | 14 ++++++++++++++ 4 files changed, 29 insertions(+) diff --git a/drivers/gpu/drm/xe/xe_device_types.h b/drivers/gpu/drm/xe/xe_device_types.h index 092004d14db2..6602bd678cbc 100644 --- a/drivers/gpu/drm/xe/xe_device_types.h +++ b/drivers/gpu/drm/xe/xe_device_types.h @@ -507,6 +507,8 @@ struct xe_device { /** @pm_notifier: Our PM notifier to perform actions in response to various PM events. */ struct notifier_block pm_notifier; + /** @pm_block: Completion to block validating tasks on suspend / hibernate prepare */ + struct completion pm_block; /** @pmt: Support the PMT driver callback interface */ struct { diff --git a/drivers/gpu/drm/xe/xe_exec.c b/drivers/gpu/drm/xe/xe_exec.c index 44364c042ad7..374c831e691b 100644 --- a/drivers/gpu/drm/xe/xe_exec.c +++ b/drivers/gpu/drm/xe/xe_exec.c @@ -237,6 +237,15 @@ int xe_exec_ioctl(struct drm_device *dev, void *data, struct drm_file *file) goto err_unlock_list; } + /* + * It's OK to block interruptible here with the vm lock held, since + * on task freezing during suspend / hibernate, the call will + * return -ERESTARTSYS and the IOCTL will be rerun. + */ + err = wait_for_completion_interruptible(&xe->pm_block); + if (err) + goto err_unlock_list; + vm_exec.vm = &vm->gpuvm; vm_exec.flags = DRM_EXEC_INTERRUPTIBLE_WAIT; if (xe_vm_in_lr_mode(vm)) { diff --git a/drivers/gpu/drm/xe/xe_pm.c b/drivers/gpu/drm/xe/xe_pm.c index b57b46ad9f7c..2d7b05d8a78b 100644 --- a/drivers/gpu/drm/xe/xe_pm.c +++ b/drivers/gpu/drm/xe/xe_pm.c @@ -306,6 +306,7 @@ static int xe_pm_notifier_callback(struct notifier_block *nb, switch (action) { case PM_HIBERNATION_PREPARE: case PM_SUSPEND_PREPARE: + reinit_completion(&xe->pm_block); xe_pm_runtime_get(xe); err = xe_bo_evict_all_user(xe); if (err) @@ -318,6 +319,7 @@ static int xe_pm_notifier_callback(struct notifier_block *nb, break; case PM_POST_HIBERNATION: case PM_POST_SUSPEND: + complete_all(&xe->pm_block); xe_pm_runtime_get(xe); xe_bo_notifier_unprepare_all_pinned(xe); xe_pm_runtime_put(xe); @@ -345,6 +347,8 @@ int xe_pm_init(struct xe_device *xe) if (err) return err; + init_completion(&xe->pm_block); + complete_all(&xe->pm_block); /* For now suspend/resume is only allowed with GuC */ if (!xe_device_uc_enabled(xe)) return 0; diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c index 3ff3c67aa79d..edcdb0528f2a 100644 --- a/drivers/gpu/drm/xe/xe_vm.c +++ b/drivers/gpu/drm/xe/xe_vm.c @@ -394,6 +394,9 @@ static int xe_gpuvm_validate(struct drm_gpuvm_bo *vm_bo, struct drm_exec *exec) list_move_tail(&gpuva_to_vma(gpuva)->combined_links.rebind, &vm->rebind_list); + if (!try_wait_for_completion(&vm->xe->pm_block)) + return -EAGAIN; + ret = xe_bo_validate(gem_to_xe_bo(vm_bo->obj), vm, false); if (ret) return ret; @@ -494,6 +497,12 @@ static void preempt_rebind_work_func(struct work_struct *w) xe_assert(vm->xe, xe_vm_in_preempt_fence_mode(vm)); trace_xe_vm_rebind_worker_enter(vm); + /* + * This blocks the wq during suspend / hibernate. + * Don't hold any locks. + */ +retry_pm: + wait_for_completion(&vm->xe->pm_block); down_write(&vm->lock); if (xe_vm_is_closed_or_banned(vm)) { @@ -503,6 +512,11 @@ static void preempt_rebind_work_func(struct work_struct *w) } retry: + if (!try_wait_for_completion(&vm->xe->pm_block)) { + up_write(&vm->lock); + goto retry_pm; + } + if (xe_vm_userptr_check_repin(vm)) { err = xe_vm_userptr_pin(vm); if (err) -- 2.50.1

1 week, 2 days

1
0
0 0

[PATCH 1/3] drm/xe: Attempt to bring bos back to VRAM after eviction

by Thomas Hellström

VRAM+TT bos that are evicted from VRAM to TT may remain in TT also after a revalidation following eviction or suspend. This manifests itself as applications becoming sluggish after buffer objects get evicted or after a resume from suspend or hibernation. If the bo supports placement in both VRAM and TT, and we are on DGFX, mark the TT placement as fallback. This means that it is tried only after VRAM + eviction. This flaw has probably been present since the xe module was upstreamed but use a Fixes: commit below where backporting is likely to be simple. For earlier versions we need to open- code the fallback algorithm in the driver. v2: - Remove check for dgfx. (Matthew Auld) - Update the xe_dma_buf kunit test for the new strategy (CI) - Allow dma-buf to pin in current placement (CI) - Make xe_bo_validate() for pinned bos a NOP. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/5995 Fixes: a78a8da51b36 ("drm/ttm: replace busy placement with flags v6") Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.9+ Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> Reviewed-by: Matthew Auld <matthew.auld(a)intel.com> --- drivers/gpu/drm/xe/tests/xe_bo.c | 2 +- drivers/gpu/drm/xe/tests/xe_dma_buf.c | 10 +--------- drivers/gpu/drm/xe/xe_bo.c | 16 ++++++++++++---- drivers/gpu/drm/xe/xe_bo.h | 2 +- drivers/gpu/drm/xe/xe_dma_buf.c | 2 +- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/drivers/gpu/drm/xe/tests/xe_bo.c b/drivers/gpu/drm/xe/tests/xe_bo.c index bb469096d072..7b40cc8be1c9 100644 --- a/drivers/gpu/drm/xe/tests/xe_bo.c +++ b/drivers/gpu/drm/xe/tests/xe_bo.c @@ -236,7 +236,7 @@ static int evict_test_run_tile(struct xe_device *xe, struct xe_tile *tile, struc } xe_bo_lock(external, false); - err = xe_bo_pin_external(external); + err = xe_bo_pin_external(external, false); xe_bo_unlock(external); if (err) { KUNIT_FAIL(test, "external bo pin err=%pe\n", diff --git a/drivers/gpu/drm/xe/tests/xe_dma_buf.c b/drivers/gpu/drm/xe/tests/xe_dma_buf.c index cde9530bef8c..3f30d2cef917 100644 --- a/drivers/gpu/drm/xe/tests/xe_dma_buf.c +++ b/drivers/gpu/drm/xe/tests/xe_dma_buf.c @@ -85,15 +85,7 @@ static void check_residency(struct kunit *test, struct xe_bo *exported, return; } - /* - * If on different devices, the exporter is kept in system if - * possible, saving a migration step as the transfer is just - * likely as fast from system memory. - */ - if (params->mem_mask & XE_BO_FLAG_SYSTEM) - KUNIT_EXPECT_TRUE(test, xe_bo_is_mem_type(exported, XE_PL_TT)); - else - KUNIT_EXPECT_TRUE(test, xe_bo_is_mem_type(exported, mem_type)); + KUNIT_EXPECT_TRUE(test, xe_bo_is_mem_type(exported, mem_type)); if (params->force_different_devices) KUNIT_EXPECT_TRUE(test, xe_bo_is_mem_type(imported, XE_PL_TT)); diff --git a/drivers/gpu/drm/xe/xe_bo.c b/drivers/gpu/drm/xe/xe_bo.c index 4faf15d5fa6d..870f43347281 100644 --- a/drivers/gpu/drm/xe/xe_bo.c +++ b/drivers/gpu/drm/xe/xe_bo.c @@ -188,6 +188,8 @@ static void try_add_system(struct xe_device *xe, struct xe_bo *bo, bo->placements[*c] = (struct ttm_place) { .mem_type = XE_PL_TT, + .flags = (bo_flags & XE_BO_FLAG_VRAM_MASK) ? + TTM_PL_FLAG_FALLBACK : 0, }; *c += 1; } @@ -2322,6 +2324,7 @@ uint64_t vram_region_gpu_offset(struct ttm_resource *res) /** * xe_bo_pin_external - pin an external BO * @bo: buffer object to be pinned + * @in_place: Pin in current placement, don't attempt to migrate. * * Pin an external (not tied to a VM, can be exported via dma-buf / prime FD) * BO. Unique call compared to xe_bo_pin as this function has it own set of @@ -2329,7 +2332,7 @@ uint64_t vram_region_gpu_offset(struct ttm_resource *res) * * Returns 0 for success, negative error code otherwise. */ -int xe_bo_pin_external(struct xe_bo *bo) +int xe_bo_pin_external(struct xe_bo *bo, bool in_place) { struct xe_device *xe = xe_bo_device(bo); int err; @@ -2338,9 +2341,11 @@ int xe_bo_pin_external(struct xe_bo *bo) xe_assert(xe, xe_bo_is_user(bo)); if (!xe_bo_is_pinned(bo)) { - err = xe_bo_validate(bo, NULL, false); - if (err) - return err; + if (!in_place) { + err = xe_bo_validate(bo, NULL, false); + if (err) + return err; + } spin_lock(&xe->pinned.lock); list_add_tail(&bo->pinned_link, &xe->pinned.late.external); @@ -2493,6 +2498,9 @@ int xe_bo_validate(struct xe_bo *bo, struct xe_vm *vm, bool allow_res_evict) }; int ret; + if (xe_bo_is_pinned(bo)) + return 0; + if (vm) { lockdep_assert_held(&vm->lock); xe_vm_assert_held(vm); diff --git a/drivers/gpu/drm/xe/xe_bo.h b/drivers/gpu/drm/xe/xe_bo.h index 8cce413b5235..cfb1ec266a6d 100644 --- a/drivers/gpu/drm/xe/xe_bo.h +++ b/drivers/gpu/drm/xe/xe_bo.h @@ -200,7 +200,7 @@ static inline void xe_bo_unlock_vm_held(struct xe_bo *bo) } } -int xe_bo_pin_external(struct xe_bo *bo); +int xe_bo_pin_external(struct xe_bo *bo, bool in_place); int xe_bo_pin(struct xe_bo *bo); void xe_bo_unpin_external(struct xe_bo *bo); void xe_bo_unpin(struct xe_bo *bo); diff --git a/drivers/gpu/drm/xe/xe_dma_buf.c b/drivers/gpu/drm/xe/xe_dma_buf.c index 346f857f3837..af64baf872ef 100644 --- a/drivers/gpu/drm/xe/xe_dma_buf.c +++ b/drivers/gpu/drm/xe/xe_dma_buf.c @@ -72,7 +72,7 @@ static int xe_dma_buf_pin(struct dma_buf_attachment *attach) return ret; } - ret = xe_bo_pin_external(bo); + ret = xe_bo_pin_external(bo, true); xe_assert(xe, !ret); return 0; -- 2.50.1

1 week, 2 days

1
0
0 0

[PATCH] drm/xe: Attempt to bring bos back to VRAM after eviction

by Thomas Hellström

VRAM+TT bos that are evicted from VRAM to TT may remain in TT also after a revalidation following eviction or suspend. This manifests itself as applications becoming sluggish after buffer objects get evicted or after a resume from suspend or hibernation. If the bo supports placement in both VRAM and TT, and we are on DGFX, mark the TT placement as fallback. This means that it is tried only after VRAM + eviction. This flaw has probably been present since the xe module was upstreamed but use a Fixes: commit below where backporting is likely to be simple. For earlier versions we need to open- code the fallback algorithm in the driver. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/5995 Fixes: a78a8da51b36 ("drm/ttm: replace busy placement with flags v6") Cc: Matthew Brost <matthew.brost(a)intel.com> Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: <stable(a)vger.kernel.org> # v6.9+ Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com> --- drivers/gpu/drm/xe/xe_bo.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/xe/xe_bo.c b/drivers/gpu/drm/xe/xe_bo.c index 4faf15d5fa6d..64dea4e478bd 100644 --- a/drivers/gpu/drm/xe/xe_bo.c +++ b/drivers/gpu/drm/xe/xe_bo.c @@ -188,6 +188,8 @@ static void try_add_system(struct xe_device *xe, struct xe_bo *bo, bo->placements[*c] = (struct ttm_place) { .mem_type = XE_PL_TT, + .flags = (IS_DGFX(xe) && (bo_flags & XE_BO_FLAG_VRAM_MASK)) ? + TTM_PL_FLAG_FALLBACK : 0, }; *c += 1; } -- 2.50.1

1 week, 2 days

3
7
0 0

[PATCH rtw v3 2/5] wifi: rtw89: fix tx_wait initialization race

by Fedor Pchelkin

Now that nullfunc skbs are recycled in a separate work item in the driver, the following race during initialization and processing of those skbs might lead to noticeable bugs: Waiting thread Completing thread rtw89_core_send_nullfunc() rtw89_core_tx_write_link() ... rtw89_pci_txwd_submit() skb_data->wait = NULL /* add skb to the queue */ skb_queue_tail(&txwd->queue, skb) rtw89_pci_napi_poll() ... rtw89_pci_release_txwd_skb() /* get skb from the queue */ skb_unlink(skb, &txwd->queue) rtw89_pci_tx_status() rtw89_core_tx_wait_complete() /* use incorrect skb_data->wait */ rtw89_core_tx_kick_off_and_wait() /* assign skb_data->wait but too late */ The value of skb_data->wait indicates whether skb is passed on to the core ieee80211 stack or released by the driver itself. So assure that by the time skb is added to txwd queue and becomes visible to the completing side, it has already allocated tx_wait-related data (in case it's needed). Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- drivers/net/wireless/realtek/rtw89/core.c | 30 ++++++++++++++--------- drivers/net/wireless/realtek/rtw89/pci.c | 2 -- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index 5c964283cd67..57f20559dfde 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1094,20 +1094,12 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk int qsel, unsigned int timeout) { struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); - struct rtw89_tx_wait_info *wait; + struct rtw89_tx_wait_info *wait = skb_data->wait; unsigned long time_left; int ret = 0; lockdep_assert_wiphy(rtwdev->hw->wiphy); - wait = kzalloc(sizeof(*wait), GFP_KERNEL); - if (!wait) { - rtw89_core_tx_kick_off(rtwdev, qsel); - return 0; - } - - init_completion(&wait->completion); - rcu_assign_pointer(skb_data->wait, wait); wait->skb = skb; rtw89_core_tx_kick_off(rtwdev, qsel); @@ -1172,10 +1164,12 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rtwvif_link, struct rtw89_sta_link *rtwsta_link, - struct sk_buff *skb, int *qsel, bool sw_mld) + struct sk_buff *skb, int *qsel, bool sw_mld, + struct rtw89_tx_wait_info *wait) { struct ieee80211_sta *sta = rtwsta_link_to_sta_safe(rtwsta_link); struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); + struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct rtw89_vif *rtwvif = rtwvif_link->rtwvif; struct rtw89_core_tx_request tx_req = {}; int ret; @@ -1192,6 +1186,8 @@ static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, rtw89_core_tx_update_desc_info(rtwdev, &tx_req); rtw89_core_tx_wake(rtwdev, &tx_req); + rcu_assign_pointer(skb_data->wait, wait); + ret = rtw89_hci_tx_write(rtwdev, &tx_req); if (ret) { rtw89_err(rtwdev, "failed to transmit skb to HCI\n"); @@ -1228,7 +1224,8 @@ int rtw89_core_tx_write(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, } } - return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false); + return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qsel, false, + NULL); } static __le32 rtw89_build_txwd_body0(struct rtw89_tx_desc_info *desc_info) @@ -3426,6 +3423,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt struct ieee80211_vif *vif = rtwvif_link_to_vif(rtwvif_link); int link_id = ieee80211_vif_is_mld(vif) ? rtwvif_link->link_id : -1; struct rtw89_sta_link *rtwsta_link; + struct rtw89_tx_wait_info *wait; struct ieee80211_sta *sta; struct ieee80211_hdr *hdr; struct rtw89_sta *rtwsta; @@ -3435,6 +3433,12 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt if (vif->type != NL80211_IFTYPE_STATION || !vif->cfg.assoc) return 0; + wait = kzalloc(sizeof(*wait), GFP_KERNEL); + if (!wait) + return -ENOMEM; + + init_completion(&wait->completion); + rcu_read_lock(); sta = ieee80211_find_sta(vif, vif->cfg.ap_addr); if (!sta) { @@ -3459,7 +3463,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt goto out; } - ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true); + ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true, + wait); if (ret) { rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret); dev_kfree_skb_any(skb); @@ -3472,6 +3477,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt timeout); out: rcu_read_unlock(); + kfree(wait); return ret; } diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index 4e3034b44f56..cb9682f306a6 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -1372,7 +1372,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, struct pci_dev *pdev = rtwpci->pdev; struct sk_buff *skb = tx_req->skb; struct rtw89_pci_tx_data *tx_data = RTW89_PCI_TX_SKB_CB(skb); - struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); bool en_wd_info = desc_info->en_wd_info; u32 txwd_len; u32 txwp_len; @@ -1388,7 +1387,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, } tx_data->dma = dma; - rcu_assign_pointer(skb_data->wait, NULL); txwp_len = sizeof(*txwp_info); txwd_len = chip->txwd_body_size; -- 2.51.0

1 week, 2 days

2
1
0 0

[PATCH 1/2] drm/mediatek: fix potential OF node use-after-free

by Johan Hovold

The for_each_child_of_node() helper drops the reference it takes to each node as it iterates over children and an explicit of_node_put() is only needed when exiting the loop early. Drop the recently introduced bogus additional reference count decrement at each iteration that could potentially lead to a use-after-free. Fixes: 1f403699c40f ("drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv") Cc: Ma Ke <make24(a)iscas.ac.cn> Cc: stable(a)vger.kernel.org Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index 34131ae2c207..3b02ed0a16da 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -388,11 +388,11 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev) of_id = of_match_node(mtk_drm_of_ids, node); if (!of_id) - goto next_put_node; + continue; pdev = of_find_device_by_node(node); if (!pdev) - goto next_put_node; + continue; drm_dev = device_find_child(&pdev->dev, NULL, mtk_drm_match); if (!drm_dev) @@ -418,11 +418,10 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev) next_put_device_pdev_dev: put_device(&pdev->dev); -next_put_node: - of_node_put(node); - - if (cnt == MAX_CRTC) + if (cnt == MAX_CRTC) { + of_node_put(node); break; + } } if (drm_priv->data->mmsys_dev_num == cnt) { -- 2.49.1

1 week, 2 days

1
0
0 0

[PATCH] drm/mediatek: fix device leaks at bind

by Johan Hovold

Make sure to drop the references to the sibling platform devices and their child drm devices taken by of_find_device_by_node() and device_find_child() when initialising the driver data during bind(). Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support") Cc: stable(a)vger.kernel.org # 6.4 Cc: Nancy.Lin <nancy.lin(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index 7c0c12dde488..33b83576af7e 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -395,10 +395,12 @@ static bool mtk_drm_get_all_drm_priv(struct device *dev) continue; drm_dev = device_find_child(&pdev->dev, NULL, mtk_drm_match); + put_device(&pdev->dev); if (!drm_dev) continue; temp_drm_priv = dev_get_drvdata(drm_dev); + put_device(drm_dev); if (!temp_drm_priv) continue; -- 2.49.1

1 week, 2 days

3
5
0 0

[PATCH rtw v3 1/5] wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()

by Fedor Pchelkin

There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to access already freed skb_data: BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025 Workqueue: events_unbound cfg80211_wiphy_work [cfg80211] Use-after-free write at 0x0000000020309d9d (in kfence-#251): rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago): __alloc_skb net/core/skbuff.c:659 __netdev_alloc_skb net/core/skbuff.c:734 ieee80211_nullfunc_get net/mac80211/tx.c:5844 rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago): ieee80211_tx_status_skb net/mac80211/status.c:1117 rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564 rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651 rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676 rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238 __napi_poll net/core/dev.c:7495 net_rx_action net/core/dev.c:7557 net/core/dev.c:7684 handle_softirqs kernel/softirq.c:580 do_softirq.part.0 kernel/softirq.c:480 __local_bh_enable_ip kernel/softirq.c:407 rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927 irq_thread_fn kernel/irq/manage.c:1133 irq_thread kernel/irq/manage.c:1257 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 It is a consequence of a race between the waiting and the signaling side of the completion: Waiting thread Completing thread rtw89_core_tx_kick_off_and_wait() rcu_assign_pointer(skb_data->wait, wait) /* start waiting */ wait_for_completion_timeout() rtw89_pci_tx_status() rtw89_core_tx_wait_complete() rcu_read_lock() /* signals completion and * proceeds further */ complete(&wait->completion) rcu_read_unlock() ... /* frees skb_data */ ieee80211_tx_status_ni() /* returns (exit status doesn't matter) */ wait_for_completion_timeout() ... /* accesses the already freed skb_data */ rcu_assign_pointer(skb_data->wait, NULL) The completing side might proceed and free the underlying skb even before the waiting side is fully awoken and run to execution. Actually the race happens regardless of wait_for_completion_timeout() exit status, e.g. the waiting side may hit a timeout and the concurrent completing side is still able to free the skb. Skbs which are sent by rtw89_core_tx_kick_off_and_wait() are owned by the driver. They don't come from core ieee80211 stack so no need to pass them to ieee80211_tx_status_ni() on completing side. Introduce a work function which will act as a garbage collector for rtw89_tx_wait_info objects and the associated skbs. Thus no potentially heavy locks are required on the completing side. Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Suggested-by: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v3: - decrease waiting timeout in rtw89_tx_wait_work() (Zong-Zhe) - clear tx_waits list from rtw89_hci_reset(), too (Zong-Zhe) - keep RCU updating for skb_data->wait (Zong-Zhe) - keep the old order of calls in rtw89_pci_tx_status() (Zong-Zhe) - drop wait->finished as complete_all() would make the completion be done permanently (me) v2: - use a work function to manage release of tx_waits and associated skbs (Zong-Zhe) FWIW, I think RCU locking becomes unnecessary after the next patch [PATCH rtw v3 2/5] wifi: rtw89: fix tx_wait initialization race but let's keep it if you feel that's more safe. drivers/net/wireless/realtek/rtw89/core.c | 28 ++++++++++++++--- drivers/net/wireless/realtek/rtw89/core.h | 38 +++++++++++++++++++++-- drivers/net/wireless/realtek/rtw89/pci.c | 3 +- drivers/net/wireless/realtek/rtw89/ser.c | 2 ++ 4 files changed, 63 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index 57590f5577a3..5c964283cd67 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1073,6 +1073,14 @@ rtw89_core_tx_update_desc_info(struct rtw89_dev *rtwdev, } } +static void rtw89_tx_wait_work(struct wiphy *wiphy, struct wiphy_work *work) +{ + struct rtw89_dev *rtwdev = container_of(work, struct rtw89_dev, + tx_wait_work); + + rtw89_tx_wait_list_clear(rtwdev); +} + void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel) { u8 ch_dma; @@ -1090,6 +1098,8 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk unsigned long time_left; int ret = 0; + lockdep_assert_wiphy(rtwdev->hw->wiphy); + wait = kzalloc(sizeof(*wait), GFP_KERNEL); if (!wait) { rtw89_core_tx_kick_off(rtwdev, qsel); @@ -1098,17 +1108,22 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk init_completion(&wait->completion); rcu_assign_pointer(skb_data->wait, wait); + wait->skb = skb; rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); - if (time_left == 0) + + if (time_left == 0) { ret = -ETIMEDOUT; - else if (!wait->tx_done) - ret = -EAGAIN; + list_add_tail(&wait->list, &rtwdev->tx_waits); + wiphy_work_queue(rtwdev->hw->wiphy, &rtwdev->tx_wait_work); - rcu_assign_pointer(skb_data->wait, NULL); - kfree_rcu(wait, rcu_head); + } else { + if (!wait->tx_done) + ret = -EAGAIN; + rtw89_tx_wait_release(&wait->rcu_head); + } return ret; } @@ -4972,6 +4987,7 @@ void rtw89_core_stop(struct rtw89_dev *rtwdev) clear_bit(RTW89_FLAG_RUNNING, rtwdev->flags); wiphy_work_cancel(wiphy, &rtwdev->c2h_work); + wiphy_work_cancel(wiphy, &rtwdev->tx_wait_work); wiphy_work_cancel(wiphy, &rtwdev->cancel_6ghz_probe_work); wiphy_work_cancel(wiphy, &btc->eapol_notify_work); wiphy_work_cancel(wiphy, &btc->arp_notify_work); @@ -5203,6 +5219,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) INIT_LIST_HEAD(&rtwdev->scan_info.pkt_list[band]); } INIT_LIST_HEAD(&rtwdev->scan_info.chan_list); + INIT_LIST_HEAD(&rtwdev->tx_waits); INIT_WORK(&rtwdev->ba_work, rtw89_core_ba_work); INIT_WORK(&rtwdev->txq_work, rtw89_core_txq_work); INIT_DELAYED_WORK(&rtwdev->txq_reinvoke_work, rtw89_core_txq_reinvoke_work); @@ -5233,6 +5250,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) wiphy_work_init(&rtwdev->c2h_work, rtw89_fw_c2h_work); wiphy_work_init(&rtwdev->ips_work, rtw89_ips_work); wiphy_work_init(&rtwdev->cancel_6ghz_probe_work, rtw89_cancel_6ghz_probe_work); + wiphy_work_init(&rtwdev->tx_wait_work, rtw89_tx_wait_work); INIT_WORK(&rtwdev->load_firmware_work, rtw89_load_firmware_work); skb_queue_head_init(&rtwdev->c2h_queue); diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h index 43e10278e14d..9b22bb116af9 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -3506,9 +3506,12 @@ struct rtw89_phy_rate_pattern { bool enable; }; +#define RTW89_TX_WAIT_DEFAULT_TIMEOUT 10 struct rtw89_tx_wait_info { struct rcu_head rcu_head; + struct list_head list; struct completion completion; + struct sk_buff *skb; bool tx_done; }; @@ -5925,6 +5928,9 @@ struct rtw89_dev { /* used to protect rpwm */ spinlock_t rpwm_lock; + struct list_head tx_waits; + struct wiphy_work tx_wait_work; + struct rtw89_cam_info cam_info; struct sk_buff_head c2h_queue; @@ -6181,6 +6187,30 @@ rtw89_assoc_link_rcu_dereference(struct rtw89_dev *rtwdev, u8 macid) list_first_entry_or_null(&p->dlink_pool, typeof(*p->links_inst), dlink_schd); \ }) +static inline void rtw89_tx_wait_release(struct rcu_head *rcu_head) +{ + struct rtw89_tx_wait_info *wait = + container_of(rcu_head, struct rtw89_tx_wait_info, rcu_head); + + dev_kfree_skb_any(wait->skb); + kfree(wait); +} + +static inline void rtw89_tx_wait_list_clear(struct rtw89_dev *rtwdev) +{ + struct rtw89_tx_wait_info *wait, *tmp; + + lockdep_assert_wiphy(rtwdev->hw->wiphy); + + list_for_each_entry_safe(wait, tmp, &rtwdev->tx_waits, list) { + if (!wait_for_completion_timeout(&wait->completion, + RTW89_TX_WAIT_DEFAULT_TIMEOUT)) + continue; + list_del(&wait->list); + call_rcu(&wait->rcu_head, rtw89_tx_wait_release); + } +} + static inline int rtw89_hci_tx_write(struct rtw89_dev *rtwdev, struct rtw89_core_tx_request *tx_req) { @@ -6190,6 +6220,7 @@ static inline int rtw89_hci_tx_write(struct rtw89_dev *rtwdev, static inline void rtw89_hci_reset(struct rtw89_dev *rtwdev) { rtwdev->hci.ops->reset(rtwdev); + rtw89_tx_wait_list_clear(rtwdev); } static inline int rtw89_hci_start(struct rtw89_dev *rtwdev) @@ -7258,11 +7289,12 @@ static inline struct sk_buff *rtw89_alloc_skb_for_rx(struct rtw89_dev *rtwdev, return dev_alloc_skb(length); } -static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, +static inline bool rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data, bool tx_done) { struct rtw89_tx_wait_info *wait; + bool ret = false; rcu_read_lock(); @@ -7270,11 +7302,13 @@ static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, if (!wait) goto out; + ret = true; wait->tx_done = tx_done; - complete(&wait->completion); + complete_all(&wait->completion); out: rcu_read_unlock(); + return ret; } static inline bool rtw89_is_mlo_1_1(struct rtw89_dev *rtwdev) diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index a669f2f843aa..4e3034b44f56 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -464,7 +464,8 @@ static void rtw89_pci_tx_status(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct ieee80211_tx_info *info; - rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE); + if (rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE)) + return; info = IEEE80211_SKB_CB(skb); ieee80211_tx_info_clear_status(info); diff --git a/drivers/net/wireless/realtek/rtw89/ser.c b/drivers/net/wireless/realtek/rtw89/ser.c index bb39fdbcba0d..fe7beff8c424 100644 --- a/drivers/net/wireless/realtek/rtw89/ser.c +++ b/drivers/net/wireless/realtek/rtw89/ser.c @@ -502,7 +502,9 @@ static void ser_reset_trx_st_hdl(struct rtw89_ser *ser, u8 evt) } drv_stop_rx(ser); + wiphy_lock(wiphy); drv_trx_reset(ser); + wiphy_unlock(wiphy); /* wait m3 */ hal_send_m2_event(ser); -- 2.51.0

1 week, 2 days

2
1
0 0

[PATCH 6.1 000/482] 6.1.149-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.1.149 release. There are 482 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 28 Aug 2025 11:08:22 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.1.149-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.1.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.1.149-rc1 Florian Westphal <fw(a)strlen.de> netfilter: nf_reject: don't leak dst refcount for loopback packets Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/hypfs: Enable limited access during lockdown Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/hypfs: Avoid unnecessary ioctl registration in debugfs Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation Hangbin Liu <liuhangbin(a)gmail.com> bonding: send LACPDUs periodically in passive mode after receiving partner's LACPDU Aahil Awatramani <aahila(a)google.com> bonding: Add independent control state machine Hangbin Liu <liuhangbin(a)gmail.com> bonding: update LACP activity flag after setting lacp_active William Liu <will(a)willsroot.io> net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate William Liu <will(a)willsroot.io> net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit ValdikSS <iam(a)valdikss.org.ru> igc: fix disabling L1.2 PCI-E link substate on I226 on init Jason Xing <kernelxing(a)tencent.com> ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc Jordan Rhee <jordanrhee(a)google.com> gve: prevent ethtool ops after shutdown Yuichiro Tsuji <yuichtsu(a)amazon.com> net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Fix timestamping for vsc8584 Qingfang Deng <dqfext(a)gmail.com> ppp: fix race conditions in ppp_fill_forward_path Qingfang Deng <dqfext(a)gmail.com> net: ethernet: mtk_ppe: add RCU lock around dev_fill_forward_path Minhong He <heminhong(a)kylinos.cn> ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add Jakub Ramaseuski <jramaseu(a)redhat.com> net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM Chenyuan Yang <chenyuan0y(a)gmail.com> drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() Dan Carpenter <dan.carpenter(a)linaro.org> ALSA: usb-audio: Fix size validation in convert_chmap_v3() Baihan Li <libaihan(a)huawei.com> drm/hisilicon/hibmc: fix the hibmc loaded failed bug Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum: Forward packets with an IPv4 link-local source IP Sergey Shtylyov <s.shtylyov(a)omp.ru> Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() Kees Cook <kees(a)kernel.org> iommu/amd: Avoid stack buffer overflow from kernel cmdline Dan Carpenter <dan.carpenter(a)linaro.org> scsi: qla4xxx: Prevent a potential error pointer dereference Wang Liang <wangliang74(a)huawei.com> net: bridge: fix soft lockup in br_multicast_query_expired() Anantha Prabhu <anantha.prabhu(a)broadcom.com> RDMA/bnxt_re: Fix to initialize the PBL array Boshi Yu <boshiyu(a)linux.alibaba.com> RDMA/erdma: Fix ignored return value of init_kernel_qp Nitin Gote <nitin.r.gote(a)intel.com> iosys-map: Fix undefined behavior in iosys_map_clear() Waiman Long <longman(a)redhat.com> cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key Tianxiang Peng <txpeng(a)tencent.com> x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Jan Beulich <jbeulich(a)suse.com> compiler: remove __ADDRESSABLE_ASM{_STR,}() again David Lechner <dlechner(a)baylibre.com> iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read() Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: light: as73211: Ensure buffer holes are zeroed Pu Lehui <pulehui(a)huawei.com> tracing: Limit access to parser->buffer when trace_get_user failed Steven Rostedt <rostedt(a)goodmis.org> tracing: Remove unneeded goto out logic Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: change invalid data error to -EBUSY Jakub Kicinski <kuba(a)kernel.org> tls: fix handling of zero-length records on the rx_list Mikhail Lobanov <m.lobanov(a)rosa.ru> wifi: mac80211: check basic rates validity in sta_link_apply_parameters Benjamin Berg <benjamin.berg(a)intel.com> wifi: mac80211: avoid lockdep checking when removing deflink Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: pm: check flush doesn't reset limits Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't overclock DCE 6 by 15% Jinjiang Tu <tujinjiang(a)huawei.com> mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: Add a new function to simplify the code Bjorn Helgaas <bhelgaas(a)google.com> mmc: sdhci-pci-gli: Use PCI AER definitions, not hard-coded values Imre Deak <imre.deak(a)intel.com> drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Geliang Tang <tanggeliang(a)kylinos.cn> mptcp: disable add_addr retransmission when timeout is 0 Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-boundary access in dnode page Chao Yu <chao(a)kernel.org> f2fs: fix to call clear_page_private_reference in .{release,invalid}_folio Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> soc: qcom: mdt_loader: Ensure we don't read past the ELF header Gokul krishna Krishnakumar <quic_gokukris(a)quicinc.com> soc: qcom: mdt_loader: Enhance split binary detection Geraldo Nascimento <geraldogabriel(a)gmail.com> PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining Geraldo Nascimento <geraldogabriel(a)gmail.com> PCI: rockchip: Use standard PCIe definitions Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers Baokun Li <libaokun1(a)huawei.com> ext4: preserve SB_I_VERSION on remount André Draszik <andre.draszik(a)linaro.org> scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am62-main: Remove eMMC High Speed DDR support Selvarasu Ganesan <selvarasu.g(a)samsung.com> usb: dwc3: Remove WARN_ON for device endpoint command timeouts Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Ignore late xferNotReady event to prevent halt timeout Zenm Chen <zenmchen(a)gmail.com> USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles Thorsten Blum <thorsten.blum(a)linux.dev> usb: storage: realtek_cr: Use correct byte order for bcs->Residue Mael GUERIN <mael.guerin(a)murena.io> USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera Marek Vasut <marek.vasut+renesas(a)mailbox.org> usb: renesas-xhci: Fix External ROM access timeouts Xu Yang <xu.yang_2(a)nxp.com> usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() Edward Adam Davis <eadavis(a)qq.com> comedi: pcl726: Prevent invalid irq number Ian Abbott <abbotti(a)mev.co.uk> comedi: Make insn_rw_emulate_bits() do insn->n samples Miao Li <limiao(a)kylinos.cn> usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive Miaoqian Lin <linmq006(a)gmail.com> most: core: Drop device reference after usage in get_channel() David Lechner <dlechner(a)baylibre.com> iio: proximity: isl29501: fix buffered read on big-endian systems Salah Triki <salah.triki(a)gmail.com> iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() Steven Rostedt <rostedt(a)goodmis.org> ftrace: Also allocate and copy hash for reading of filter files Xu Yilun <yilun.xu(a)linux.intel.com> fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable() Al Viro <viro(a)zeniv.linux.org.uk> use uniform permission checks for all mount propagation changes Ye Bin <yebin10(a)huawei.com> fs/buffer: fix use-after-free when call bh_read() helper Stefan Metzmacher <metze(a)samba.org> smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Fix DP audio DTO1 clock source on DCE 6. Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Avoid a NULL pointer dereference Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/sclp: Fix SCCB present check Evgeniy Harchenko <evgeniyharchenko.dev(a)gmail.com> ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 Herton R. Krzesinski <herton(a)redhat.com> mm/debug_vm_pgtable: clear page table entries at destroy_args() Phillip Lougher <phillip(a)squashfs.org.uk> squashfs: fix memory leak in squashfs_fill_super Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency Jiayi Li <lijiayi(a)kylinos.cn> memstick: Fix deadlock by moving removing flag earlier Will Deacon <will(a)kernel.org> KVM: arm64: Fix kernel BUG() due to bad backport of FPSIMD/SVE/SME fix Chao Gao <chao.gao(a)intel.com> KVM: VMX: Flush shadow VMCS on emergency reboot Sean Christopherson <seanjc(a)google.com> x86/reboot: KVM: Handle VMXOFF in KVM's reboot callback Sean Christopherson <seanjc(a)google.com> x86/reboot: Harden virtualization hooks for emergency reboot Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> kbuild: userprogs: use correct linker when mixing clang and GNU ld Sumanth Gavini <sumanth.gavini(a)yahoo.com> Bluetooth: hci_sync: Fix UAF on hci_abort_conn_sync Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> selftests/memfd: add test for mapping write-sealed memfd read-only Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> mm: reinstate ability to map write-sealed memfd mappings read-only Lorenzo Stoakes <lstoakes(a)gmail.com> mm: update memfd seal write check to include F_SEAL_WRITE Lorenzo Stoakes <lstoakes(a)gmail.com> mm: drop the assumption that VM_SHARED always implies writable Paolo Abeni <pabeni(a)redhat.com> mptcp: reset fallback status gracefully at disconnect() time Paolo Abeni <pabeni(a)redhat.com> mptcp: plug races between subflow fail and subflow creation Paolo Abeni <pabeni(a)redhat.com> mptcp: make fallback action and fallback decision atomic Sean Christopherson <seanjc(a)google.com> KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Nianyao Tang <tangnianyao(a)huawei.com> arm64/cpufeatures/kvm: Add ARMv8.9 FEAT_ECBHB bits in ID_AA64MMFR1 register Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - fix ring to service map for QAT GEN4 Sabrina Dubroca <sd(a)queasysnail.net> tls: separate no-async decryption request handling from async Qu Wenruo <wqu(a)suse.com> btrfs: populate otime when logging an inode item Damien Le Moal <dlemoal(a)kernel.org> ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig Johan Hovold <johan(a)kernel.org> usb: dwc3: imx8mp: fix device leak at unbind Tzung-Bi Shih <tzungbi(a)kernel.org> platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() Tzung-Bi Shih <tzungbi(a)kernel.org> platform/chrome: cros_ec: remove unneeded label and if-condition Chen-Yu Tsai <wenst(a)chromium.org> platform/chrome: cros_ec: Use per-device lockdep key Johan Hovold <johan(a)kernel.org> usb: musb: omap2430: fix device leak at unbind Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> usb: musb: omap2430: Convert to platform remove callback returning void Vedang Nagar <quic_vnagar(a)quicinc.com> media: venus: Fix OOB read due to missing payload bound check Konrad Dybcio <konrad.dybcio(a)linaro.org> media: venus: Introduce accessors for remapped hfi_buffer_reqs members Anshuman Khandual <anshuman.khandual(a)arm.com> mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd() Davide Caratti <dcaratti(a)redhat.com> net/sched: ets: use old 'nbands' while purging unused classes Eric Dumazet <edumazet(a)google.com> net_sched: sch_ets: implement lockless ets_dump() Filipe Manana <fdmanana(a)suse.com> btrfs: send: use fallocate for hole punching with send stream v2 Christoph Hellwig <hch(a)lst.de> xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags Filipe Manana <fdmanana(a)suse.com> btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() Filipe Manana <fdmanana(a)suse.com> btrfs: qgroup: fix race between quota disable and quota rescan ioctl Sebastian Reichel <sebastian.reichel(a)collabora.com> usb: typec: fusb302: cache PD RX state Shyam Prasad N <sprasad(a)microsoft.com> cifs: reset iface weights when we cannot find a candidate Lukas Wunner <lukas(a)wunner.de> PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports Damien Le Moal <dlemoal(a)kernel.org> block: Make REQ_OP_ZONE_FINISH a write operation Christoph Hellwig <hch(a)lst.de> block: reject invalid operation in submit_bio_noacct Eric Biggers <ebiggers(a)kernel.org> fscrypt: Don't use problematic non-inline crypto engines Johan Hovold <johan(a)kernel.org> net: enetc: fix device and OF node leak at probe Lin.Cao <lincao12(a)amd.com> drm/sched: Remove optimization that causes hang when killing dependent jobs Ada Couprie Diaz <ada.coupriediaz(a)arm.com> arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() Nathan Chancellor <nathan(a)kernel.org> ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS Filipe Manana <fdmanana(a)suse.com> btrfs: fix qgroup reservation leak on failure to allocate ordered extent Eric Dumazet <edumazet(a)google.com> net: add netdev_lockdep_set_classes() to virtual drivers Yazen Ghannam <yazen.ghannam(a)amd.com> x86/mce/amd: Add default names for MCA banks and blocks Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel: Fix crash in icl_update_topdown_event() Zhang Lixu <lixu.zhang(a)intel.com> iio: hid-sensor-prox: Fix incorrect OFFSET calculation Zhang Lixu <lixu.zhang(a)intel.com> iio: hid-sensor-prox: Restore lost scale assignments Chao Yu <chao(a)kernel.org> f2fs: fix to do sanity check on ino and xnid Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: kernel: flush: do not reset ADD_ADDR limit Christoph Paasch <cpaasch(a)openai.com> mptcp: drop skb if MPTCP skb extension allocation fails Chen Yu <yu.c.chen(a)intel.com> ACPI: pfr_update: Fix the driver update version check Eric Biggers <ebiggers(a)kernel.org> ipv6: sr: Fix MAC comparison to be constant-time Jakub Acs <acsjakub(a)amazon.de> net, hsr: reject HSR frame if skb can't hold tag Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't overwrite dce60_clk_mgr Amber Lin <Amber.Lin(a)amd.com> drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: update mmhub 3.0.1 client id mappings Gang Ba <Gang.Ba(a)amd.com> drm/amdgpu: Avoid extra evict-restore process. Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Restore cached power limit during resume Ricardo Ribalda <ribalda(a)chromium.org> media: venus: venc: Clamp param smaller than 1fps and bigger than 240 Ricardo Ribalda <ribalda(a)chromium.org> media: venus: vdec: Clamp param smaller than 1fps and bigger than 240. Jorge Ramirez-Ortiz <jorge.ramirez(a)oss.qualcomm.com> media: venus: protect against spurious interrupts during probe Jorge Ramirez-Ortiz <jorge.ramirez(a)oss.qualcomm.com> media: venus: hfi: explicitly release IRQ during teardown Vedang Nagar <quic_vnagar(a)quicinc.com> media: venus: Add a check for packet size after reading from shared memory Vladimir Zapolskiy <vladimir.zapolskiy(a)linaro.org> media: qcom: camss: cleanup media device allocated resource on error path Zhang Shurong <zhang_shurong(a)foxmail.com> media: ov2659: Fix memory leaks in ov2659_probe() Gui-Dong Han <hanguidong02(a)gmail.com> media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() Ludwig Disterhof <ludwig(a)disterhof.eu> media: usbtv: Lock resolution while streaming Sakari Ailus <sakari.ailus(a)linux.intel.com> media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free() Hans Verkuil <hverkuil(a)xs4all.nl> media: vivid: fix wrong pixel_array control size Haoxiang Li <haoxiang_li2024(a)163.com> media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() Bingbu Cao <bingbu.cao(a)intel.com> media: hi556: correct the test pattern configuration Dan Carpenter <dan.carpenter(a)linaro.org> media: gspca: Add bounds checking to firmware parser John David Anglin <dave.anglin(a)bell.net> parisc: Update comments in make_insert_tlb John David Anglin <dave.anglin(a)bell.net> parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault() John David Anglin <dave.anglin(a)bell.net> parisc: Revise gateway LWS calls to probe user read access John David Anglin <dave.anglin(a)bell.net> parisc: Revise __get_user() to probe user read access Randy Dunlap <rdunlap(a)infradead.org> parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers John David Anglin <dave.anglin(a)bell.net> parisc: Check region is readable by user in raw_copy_from_user() Jon Hunter <jonathanh(a)nvidia.com> soc/tegra: pmc: Ensure power-domains are in a known state Baokun Li <libaokun1(a)huawei.com> jbd2: prevent softlockup in jbd2_log_do_checkpoint() Will Deacon <will(a)kernel.org> vhost/vsock: Avoid allocating arbitrarily-sized SKBs Will Deacon <will(a)kernel.org> vsock/virtio: Validate length in packet header before skb_put() Damien Le Moal <dlemoal(a)kernel.org> PCI: endpoint: Fix configfs group removal on driver teardown Damien Le Moal <dlemoal(a)kernel.org> PCI: endpoint: Fix configfs group list head handling Thomas Fourier <fourier.thomas(a)gmail.com> mtd: rawnand: renesas: Add missing check after DMA map Thomas Fourier <fourier.thomas(a)gmail.com> mtd: rawnand: fsmc: Add missing check after DMA map Gabor Juhos <j4g8y7(a)gmail.com> mtd: spinand: propagate spinand_wait() errors from spinand_write_page() Michael Walle <mwalle(a)kernel.org> mtd: spi-nor: Fix spi_nor_try_unlock_all() Tim Harvey <tharvey(a)gateworks.com> hwmon: (gsc-hwmon) fix fan pwm setpoint show functions Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Fix duty and period setting Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Handle hardware enable and clock enable separately Laurentiu Mihalcea <laurentiu.mihalcea(a)nxp.com> pwm: imx-tpm: Reset counter if CMOD is 0 Johan Hovold <johan+linaro(a)kernel.org> wifi: ath11k: fix dest ring-buffer corruption when ring is full Johan Hovold <johan+linaro(a)kernel.org> wifi: ath11k: fix source ring-buffer corruption Johan Hovold <johan+linaro(a)kernel.org> wifi: ath11k: fix dest ring-buffer corruption Nathan Chancellor <nathan(a)kernel.org> wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() David Lechner <dlechner(a)baylibre.com> iio: adc: ad_sigma_delta: change to buffer predisable David Lechner <dlechner(a)baylibre.com> iio: imu: bno055: fix OOB access of hw_xlate array Marek Szyprowski <m.szyprowski(a)samsung.com> zynq_fpga: use sgtable-based scatterlist wrappers Adrian Hunter <adrian.hunter(a)intel.com> scsi: ufs: ufs-pci: Fix default runtime and system PM levels Archana Patni <archana.patni(a)intel.com> scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers Damien Le Moal <dlemoal(a)kernel.org> ata: libata-scsi: Fix ata_to_sense_error() status handling Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Fix race between config read submit and interrupt completion Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: display: sprd,sharkl3-dsi-host: Fix missing clocks constraints Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: display: sprd,sharkl3-dpu: Fix missing clocks constraints Zhang Yi <yi.zhang(a)huawei.com> ext4: fix hole length calculation overflow in non-extent inodes Liao Yuanhong <liaoyuanhong(a)vivo.com> ext4: use kmalloc_array() for array space allocation Theodore Ts'o <tytso(a)mit.edu> ext4: don't try to clear the orphan_present feature block device is r/o Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: fix reserved gdt blocks handling in fsmap Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: fix fsmap end of range reporting with bigalloc Andreas Dilger <adilger(a)dilger.ca> ext4: check fast symlink for ea_inode correctly Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: extend the connection limiting mechanism to support IPv6 Helge Deller <deller(a)gmx.de> Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" Eric Biggers <ebiggers(a)kernel.org> lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> vt: defkeymap: Map keycodes above 127 to K_HOLE Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> vt: keyboard: Don't process Unicode characters in K_OFF mode Youssef Samir <quic_yabdulra(a)quicinc.com> bus: mhi: host: Detect events pointing to unexpected TREs Alexander Wilhelm <alexander.wilhelm(a)westermo.com> bus: mhi: host: Fix endianness of BHI vector table Johan Hovold <johan(a)kernel.org> usb: dwc3: meson-g12a: fix device leaks at unbind Johan Hovold <johan(a)kernel.org> usb: gadget: udc: renesas_usb3: fix device leak at unbind Nathan Chancellor <nathan(a)kernel.org> usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() Finn Thain <fthain(a)linux-m68k.org> m68k: Fix lost column on framebuffer debug console Dan Carpenter <dan.carpenter(a)linaro.org> cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table() Yunhui Cui <cuiyunhui(a)bytedance.com> serial: 8250: fix panic due to PSLVERR Aditya Garg <gargaditya08(a)live.com> HID: apple: avoid setting up battery timer for devices without battery Aditya Garg <gargaditya08(a)live.com> HID: magicmouse: avoid setting up battery timer when not needed Willy Tarreau <w(a)1wt.eu> tools/nolibc: fix spelling of FD_SETBITMASK in FD_* macros Ricardo Ribalda <ribalda(a)chromium.org> media: uvcvideo: Do not mark valid metadata as invalid Youngjun Lee <yjjuny.lee(a)samsung.com> media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() Breno Leitao <leitao(a)debian.org> mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock Waiman Long <longman(a)redhat.com> mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() Randy Dunlap <rdunlap(a)infradead.org> parisc: Makefile: fix a typo in palo.conf Haiyang Zhang <haiyangz(a)microsoft.com> hv_netvsc: Fix panic during namespace deletion with VF Sravan Kumar Gundu <sravankumarlpu(a)gmail.com> fbdev: Fix vmalloc out-of-bounds write in fast_imageblit Qu Wenruo <wqu(a)suse.com> btrfs: do not allow relocation of partially dropped subvolumes Filipe Manana <fdmanana(a)suse.com> btrfs: fix log tree replay failure due to file with 0 links and extents Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: do not remove unwritten non-data block group Filipe Manana <fdmanana(a)suse.com> btrfs: abort transaction during log replay if walk_log_tree() failed Johannes Thumshirn <johannes.thumshirn(a)wdc.com> btrfs: zoned: use filesystem size not disk size for reclaim decision Oliver Neukum <oneukum(a)suse.com> cdc-acm: fix race between initial clearing halt and open Eric Biggers <ebiggers(a)kernel.org> thunderbolt: Fix copy+paste error in match_service_id() Ian Abbott <abbotti(a)mev.co.uk> comedi: fix race between polling and detaching Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> usb: typec: ucsi: Update power_supply on power role change Ricky Wu <ricky_wu(a)realtek.com> misc: rtsx: usb: Ensure mmc child device is active when card is present Xinyu Liu <katieeliu(a)tencent.com> usb: core: config: Prevent OOB read in SS endpoint companion parsing Baokun Li <libaokun1(a)huawei.com> ext4: fix largest free orders lists corruption on mb_optimize_scan switch Baokun Li <libaokun1(a)huawei.com> ext4: fix zombie groups in average fragment size lists Jack Xiao <Jack.Xiao(a)amd.com> drm/amdgpu: fix incorrect vm flags to map bo Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_sai: replace regmap_write with regmap_update_bits Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: fsl: merge DAI call back functions into ops Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: soc-dai.h: merge DAI call back functions into ops Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: soc-dai.c: add missing flag check at snd_soc_pcm_dai_probe() Jiasheng Jiang <jiashengjiangcool(a)gmail.com> scsi: lpfc: Remove redundant assignment to avoid memory leak Meagan Lloyd <meaganlloyd(a)linux.microsoft.com> rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe Sergey Bashirov <sergeybashirov(a)gmail.com> pNFS: Fix uninited ptr deref in block/scsi layout Sergey Bashirov <sergeybashirov(a)gmail.com> pNFS: Handle RPC size limit for layoutcommits Sergey Bashirov <sergeybashirov(a)gmail.com> pNFS: Fix disk addr range check in block/scsi layout Sergey Bashirov <sergeybashirov(a)gmail.com> pNFS: Fix stripe mapping in block/scsi layout John Garry <john.g.garry(a)oracle.com> block: avoid possible overflow for chunk_sectors check in blk_stack_limits() Cezary Rojewski <cezary.rojewski(a)intel.com> ASoC: Intel: avs: Fix uninitialized pointer error in probe() Buday Csaba <buday.csaba(a)prolan.hu> net: phy: smsc: add proper reset flags for LAN8710A Corey Minyard <corey(a)minyard.net> ipmi: Fix strcpy source and destination the same Yann E. MORIN <yann.morin.1998(a)free.fr> kconfig: lxdialog: fix 'space' to (de)select options Masahiro Yamada <masahiroy(a)kernel.org> kconfig: gconf: fix potential memory leak in renderer_edited() Masahiro Yamada <masahiroy(a)kernel.org> kconfig: gconf: avoid hardcoding model2 in on_treeview2_cursor_changed() Breno Leitao <leitao(a)debian.org> ipmi: Use dev_warn_ratelimited() for incorrect message warnings Artem Sadovnikov <a.sadovnikov(a)ispras.ru> vfio/mlx5: fix possible overflow in tracking max message size John Garry <john.g.garry(a)oracle.com> scsi: aacraid: Stop using PCI_IRQ_AFFINITY Maurizio Lombardi <mlombard(a)redhat.com> scsi: target: core: Generate correct identifiers for PR OUT transport IDs Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans Shankari Anand <shankari.ak0208(a)gmail.com> kconfig: nconf: Ensure null termination where strncpy is used Keith Busch <kbusch(a)kernel.org> vfio/type1: conditional rescheduling while pinning Suchit Karunakaran <suchitkarunakaran(a)gmail.com> kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c fangzhong.zhou <myth5(a)myth5.com> i2c: Force DLL0945 touchpad i2c freq to 100khz Mateusz Guzik <mjguzik(a)gmail.com> apparmor: use the condition in AA_BUG_FMT even with debug disabled Benjamin Marzinski <bmarzins(a)redhat.com> dm-table: fix checking for rq stackable devices Mikulas Patocka <mpatocka(a)redhat.com> dm-mpath: don't print the "loaded" message if registering fails Jorge Marques <jorge.marques(a)analog.com> i3c: master: Initialize ret in i3c_i2c_notifier_call() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i3c: don't fail if GETHDRCAP is unsupported Meagan Lloyd <meaganlloyd(a)linux.microsoft.com> rtc: ds1307: handle oscillator stop flag (OSF) for ds1341 Wolfram Sang <wsa+renesas(a)sang-engineering.com> i3c: add missing include to internal header Petr Pavlu <petr.pavlu(a)suse.com> module: Prevent silent truncation of module name in delete_module(2) Purva Yeshi <purvayeshi550(a)gmail.com> md: dm-zoned-target: Initialize return variable r to avoid uninitialized use Bharat Bhushan <bbhushan2(a)marvell.com> crypto: octeontx2 - add timeout for load_fvc completion poll chenchangcheng <chenchangcheng(a)kylinos.cn> media: uvcvideo: Fix bandwidth issue for Alcor camera Alex Guo <alexguo1023(a)gmail.com> media: dvb-frontends: w7090p: fix null-ptr-deref in w7090p_tuner_write_serpar and w7090p_tuner_read_serpar Alex Guo <alexguo1023(a)gmail.com> media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() Wolfram Sang <wsa+renesas(a)sang-engineering.com> media: usb: hdpvr: disable zero-length read messages Dave Stevenson <dave.stevenson(a)raspberrypi.com> media: tc358743: Increase FIFO trigger level to 374 Dave Stevenson <dave.stevenson(a)raspberrypi.com> media: tc358743: Return an appropriate colorspace from tc358743_set_fmt Dave Stevenson <dave.stevenson(a)raspberrypi.com> media: tc358743: Check I2C succeeded during probe Cheick Traore <cheick.traore(a)foss.st.com> pinctrl: stm32: Manage irq affinity settings Damien Le Moal <dlemoal(a)kernel.org> scsi: mpi3mr: Correctly handle ATA device errors Damien Le Moal <dlemoal(a)kernel.org> scsi: mpt3sas: Correctly handle ATA device errors Justin Tee <justin.tee(a)broadcom.com> scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure Arnd Bergmann <arnd(a)arndb.de> RDMA/core: reduce stack using in nldev_stat_get_doit() Yury Norov [NVIDIA] <yury.norov(a)gmail.com> RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask() Amelie Delaunay <amelie.delaunay(a)foss.st.com> dmaengine: stm32-dma: configure next sg only if there are more than 2 sgs Johan Adolfsson <johan.adolfsson(a)axis.com> leds: leds-lp50xx: Handle reg to get correct multi_index Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ control Shiji Yang <yangshiji66(a)outlook.com> MIPS: lantiq: falcon: sysctrl: fix request memory check logic Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> MIPS: Don't crash in stack_top() for tasks without ABI or vDSO Arnaud Lecomte <contact(a)arnaud-lcm.com> jfs: upper bound check of tree index in dbAllocAG Edward Adam Davis <eadavis(a)qq.com> jfs: Regular file corruption check Lizhi Xu <lizhi.xu(a)windriver.com> jfs: truncate good inode pages when hard link is 0 jackysliu <1972843537(a)qq.com> scsi: bfa: Double-free fix Ziyan Fu <fuzy5(a)lenovo.com> watchdog: iTCO_wdt: Report error if timeout configuration fails Shiji Yang <yangshiji66(a)outlook.com> MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free} Florin Leotescu <florin.leotescu(a)nxp.com> hwmon: (emc2305) Set initial PWM minimum value during probe based on thermal state Sebastian Reichel <sebastian.reichel(a)collabora.com> watchdog: dw_wdt: Fix default timeout Amir Mohammad Jahangirzad <a.jahangirzad(a)gmail.com> fs/orangefs: use snprintf() instead of sprintf() Showrya M N <showrya(a)chelsio.com> scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated Theodore Ts'o <tytso(a)mit.edu> ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr Zhiqi Song <songzhiqi1(a)huawei.com> crypto: hisilicon/hpre - fix dma unmap sequence Yongzhen Zhang <zhangyongzhen(a)kylinos.cn> fbdev: fix potential buffer overflow in do_register_framebuffer() Pali Rohár <pali(a)kernel.org> cifs: Fix calling CIFSFindFirst() for root path without msearch Aaron Plattner <aplattner(a)nvidia.com> watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race condition Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Only finalize atomic_obj if it was initialized Jason Wang <jasowang(a)redhat.com> vhost: fail early when __vhost_add_used() fails Will Deacon <will(a)kernel.org> vsock/virtio: Resize receive buffers so that each SKB fits in a 4K page Álvaro Fernández Rojas <noltari(a)gmail.com> net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325 Tvrtko Ursulin <tvrtko.ursulin(a)igalia.com> drm/ttm: Respect the shrinker core free target Yonghong Song <yonghong.song(a)linux.dev> selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size Jakub Kicinski <kuba(a)kernel.org> uapi: in6: restore visibility of most IPv6 socket options Emily Deng <Emily.Deng(a)amd.com> drm/ttm: Should to return the evict error Hari Kalavakunta <kalavakunta.hari.prasad(a)gmail.com> net: ncsi: Fix buffer overflow in fetching version id Shannon Nelson <shannon.nelson(a)amd.com> ionic: clean dbpage in de-init Thomas Fourier <fourier.thomas(a)gmail.com> wifi: rtlwifi: fix possible skb memory leak in _rtl_pci_init_one_rxdesc() Breno Leitao <leitao(a)debian.org> ptp: Use ratelimite for freerun error message Álvaro Fernández Rojas <noltari(a)gmail.com> net: dsa: b53: prevent SWITCH_CTRL access on BCM5325 Álvaro Fernández Rojas <noltari(a)gmail.com> net: dsa: b53: prevent DIS_LEARNING access on BCM5325 Álvaro Fernández Rojas <noltari(a)gmail.com> net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325 Álvaro Fernández Rojas <noltari(a)gmail.com> net: dsa: b53: fix b53_imp_vlan_setup for BCM5325 Alok Tiwari <alok.a.tiwari(a)oracle.com> gve: Return error for unknown admin queue command Gal Pressman <gal(a)nvidia.com> net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to manual Heiner Kallweit <hkallweit1(a)gmail.com> dpaa_eth: don't use fixed_phy_change_carrier Nicolas Escande <nico.escande(a)gmail.com> neighbour: add support for NUD_PERMANENT proxy entries Stanislaw Gruszka <stf_xl(a)wp.pl> wifi: iwlegacy: Check rate_idx range after addition Mina Almasry <almasrymina(a)google.com> netmem: fix skb_frag_address_safe with unreadable skbs Thomas Fourier <fourier.thomas(a)gmail.com> powerpc: floppy: Add missing checks after DMA map Thomas Fourier <fourier.thomas(a)gmail.com> wifi: rtlwifi: fix possible skb memory leak in `_rtl_pci_rx_interrupt()`. Ramya Gnanasekar <ramya.gnanasekar(a)oss.qualcomm.com> wifi: mac80211: update radar_required in channel context after channel switch Wen Chen <Wen.Chen3(a)amd.com> drm/amd/display: Fix 'failed to blank crtc!' Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu(a)intel.com> wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect Rand Deeb <rand.sec96(a)gmail.com> wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd() Ilya Bakoulin <Ilya.Bakoulin(a)amd.com> drm/amd/display: Separate set_gsl from set_gsl_source_select Jonas Rebmann <jre(a)pengutronix.de> net: fec: allow disable coalescing Eric Work <work.eric(a)gmail.com> net: atlantic: add set_power to fw_ops for atl2 to fix wol zhangjianrong <zhangjianrong5(a)huawei.com> net: thunderbolt: Fix the parameter passing of tb_xdomain_enable_paths()/tb_xdomain_disable_paths() zhangjianrong <zhangjianrong5(a)huawei.com> net: thunderbolt: Enable end-to-end flow control also in transmit Mark Brown <broonie(a)kernel.org> kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw89: Disable deep power saving for USB/SDIO Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw89: Fix rtw89_mac_power_switch() for USB Rob Clark <robdclark(a)chromium.org> drm/msm: use trylock for debugfs Kuniyuki Iwashima <kuniyu(a)google.com> ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in __ipv6_dev_mc_inc(). Thomas Fourier <fourier.thomas(a)gmail.com> (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized pointer Johannes Berg <johannes.berg(a)intel.com> wifi: mac80211: don't complete management TX on SAE commit Chris Mason <clm(a)fb.com> sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails Sven Schnelle <svens(a)linux.ibm.com> s390/stp: Remove udelay from stp_sync_clock() Avraham Stern <avraham.stern(a)intel.com> wifi: iwlwifi: mvm: fix scan request validation Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> um: Re-evaluate thread flags repeatedly Alok Tiwari <alok.a.tiwari(a)oracle.com> net: thunderx: Fix format-truncation warning in bgx_acpi_match_id() Oscar Maes <oscmaes92(a)gmail.com> net: ipv4: fix incorrect MTU in broadcast routes Ilan Peer <ilan.peer(a)intel.com> wifi: cfg80211: Fix interface type validation Matt Johnston <matt(a)codeconstruct.com.au> net: mctp: Prevent duplicate binds Paul E. McKenney <paulmck(a)kernel.org> rcu: Protect ->defer_qs_iw_pending from data race Breno Leitao <leitao(a)debian.org> arm64: Mark kernel as tainted on SAE and SError panic Leon Romanovsky <leon(a)kernel.org> net/mlx5e: Properly access RCU protected qdisc_sleeping variable Thomas Fourier <fourier.thomas(a)gmail.com> net: ag71xx: Add missing check after DMA map Thomas Fourier <fourier.thomas(a)gmail.com> et131x: Add missing check after DMA map Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB Alok Tiwari <alok.a.tiwari(a)oracle.com> be2net: Use correct byte order and format string for TCP seq and ack_seq Sven Schnelle <svens(a)linux.ibm.com> s390/time: Use monotonic clock in get_cycles() Johannes Berg <johannes.berg(a)intel.com> wifi: cfg80211: reject HTC bit for management frames Steven Rostedt <rostedt(a)goodmis.org> ktest.pl: Prevent recursion of default variable options Oliver Neukum <oneukum(a)suse.com> net: usb: cdc-ncm: check for filtering capability Anthoine Bourgeois <anthoine.bourgeois(a)vates.tech> xen/netfront: Fix TX response spurious interrupts Xinxin Wan <xinxin.wan(a)intel.com> ASoC: codecs: rt5640: Retry DEVICE_ID verification Jonathan Santos <Jonathan.Santos(a)analog.com> iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement Cristian Ciocaltea <cristian.ciocaltea(a)collabora.com> ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros Christophe Leroy <christophe.leroy(a)csgroup.eu> ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop Lucy Thrun <lucy.thrun(a)digital-rabbithole.de> ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control Tomasz Michalec <tmichalec(a)google.com> platform/chrome: cros_ec_typec: Defer probe on missing EC parent Kees Cook <kees(a)kernel.org> platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches Gautham R. Shenoy <gautham.shenoy(a)amd.com> pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in mperf_stop() Oliver Neukum <oneukum(a)suse.com> usb: core: usb_submit_urb: downgrade type check Tomasz Michalec <tmichalec(a)google.com> usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present Peter Ujfalusi <peter.ujfalusi(a)linux.intel.com> ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime() Alok Tiwari <alok.a.tiwari(a)oracle.com> ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4 Mark Brown <broonie(a)kernel.org> ASoC: hdac_hdmi: Rate limit logging on connection and disconnection Pawan Gupta <pawan.kumar.gupta(a)linux.intel.com> x86/bugs: Avoid warning when overriding return thunk Takashi Iwai <tiwai(a)suse.de> ALSA: hda: Disable jack polling at shutdown Takashi Iwai <tiwai(a)suse.de> ALSA: hda: Handle the jack polling always via a work Ulf Hansson <ulf.hansson(a)linaro.org> mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode() Hans de Goede <hansg(a)kernel.org> mei: bus: Check for still connected devices in mei_cl_bus_dev_release() Peter Robinson <pbrobinson(a)gmail.com> reset: brcmstb: Enable reset drivers for ARCH_BCM2835 Eliav Farber <farbere(a)amazon.com> pps: clients: gpio: fix interrupt handling order in remove path Breno Leitao <leitao(a)debian.org> ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path Sarthak Garg <quic_sartgarg(a)quicinc.com> mmc: sdhci-msm: Ensure SD card power isn't ON when card removed Sebastian Ott <sebott(a)redhat.com> ACPI: processor: fix acpi_object initialization tuhaowen <tuhaowen(a)uniontech.com> PM: sleep: console: Fix the black screen issue Hsin-Te Yuan <yuanhsinte(a)chromium.org> thermal: sysfs: Return ENODATA instead of EAGAIN for reads Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit() Zhu Qiyu <qiyuzhu2(a)amd.com> ACPI: PRM: Reduce unnecessary printing to avoid user confusion Masami Hiramatsu (Google) <mhiramat(a)kernel.org> selftests: tracing: Use mutex_unlock for testing glob filter Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> tools/build: Fix s390(x) cross-compilation with clang Aaron Kling <webgeek1234(a)gmail.com> ARM: tegra: Use I/O memcpy to write to IRAM Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: tps65912: check the return value of regmap_update_bits() David Lechner <dlechner(a)baylibre.com> iio: adc: ad_sigma_delta: don't overallocate scan buffer Thomas Weißschuh <linux(a)weissschuh.net> tools/nolibc: define time_t in terms of __kernel_old_time_t David Collins <david.collins(a)oss.qualcomm.com> thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when required Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was successed Shubhrajyoti Datta <shubhrajyoti.datta(a)amd.com> EDAC/synopsys: Clear the ECC counters on init Lifeng Zheng <zhenglifeng1(a)huawei.com> PM / devfreq: governor: Replace sscanf() with kstrtoul() in set_freq_store() Alexander Kochetkov <al.kochet(a)gmail.com> ARM: rockchip: fix kernel hang during smp initialization Lifeng Zheng <zhenglifeng1(a)huawei.com> cpufreq: Exit governor when failed to start old governor Bartosz Golaszewski <bartosz.golaszewski(a)linaro.org> gpio: wcd934x: check the return value of regmap_update_bits() Hiago De Franco <hiago.franco(a)toradex.com> remoteproc: imx_rproc: skip clock enable when M-core is managed by the SCU Mario Limonciello <mario.limonciello(a)amd.com> usb: xhci: Avoid showing errors during surprise removal Jay Chen <shawn2000100(a)gmail.com> usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command Mario Limonciello <mario.limonciello(a)amd.com> usb: xhci: Avoid showing warnings for dying controller Benson Leung <bleung(a)chromium.org> usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and Default Cynthia Huang <cynthia(a)andestech.com> selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit time_t Prashant Malani <pmalani(a)google.com> cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag Su Hui <suhui(a)nfschina.com> usb: xhci: print xhci->xhc_state when queue_command failed Al Viro <viro(a)zeniv.linux.org.uk> securityfs: don't pin dentries twice, once is enough... Al Viro <viro(a)zeniv.linux.org.uk> fix locking in efi_secret_unlink() Wei Gao <wegao(a)suse.com> ext2: Handle fiemap on empty files to prevent EINVAL Rong Zhang <ulin0208(a)gmail.com> fs/ntfs3: correctly create symlink for relative path Lizhi Xu <lizhi.xu(a)windriver.com> fs/ntfs3: Add sanity check for file name Damien Le Moal <dlemoal(a)kernel.org> ata: libata-sata: Disallow changing LPM state if not supported Al Viro <viro(a)zeniv.linux.org.uk> better lockdep annotations for simple_recursive_removal() Viacheslav Dubeyko <slava(a)dubeyko.com> hfs: fix not erasing deleted b-tree node issue Sarah Newman <srn(a)prgmr.com> drbd: add missing kref_get in handle_write_conflicts Jan Kara <jack(a)suse.cz> udf: Verify partition map count NeilBrown <neil(a)brown.name> smb/server: avoid deadlock when linking with ReplaceIfExists Kees Cook <kees(a)kernel.org> arm64: Handle KCOV __init vs inline mismatches Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() Viacheslav Dubeyko <slava(a)dubeyko.com> hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() Viacheslav Dubeyko <slava(a)dubeyko.com> hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() Viacheslav Dubeyko <slava(a)dubeyko.com> hfs: fix slab-out-of-bounds in hfs_bnode_read() Florian Westphal <fw(a)strlen.de> netfilter: ctnetlink: fix refcount leak on table dump Sabrina Dubroca <sd(a)queasysnail.net> udp: also consider secpath when evaluating ipsec use for checksumming Maxim Levitsky <mlevitsk(a)redhat.com> KVM: VMX: Preserve host's DEBUGCTLMSR_FREEZE_IN_SMM while running the guest Maxim Levitsky <mlevitsk(a)redhat.com> KVM: VMX: Wrap all accesses to IA32_DEBUGCTL with getter/setter APIs Maxim Levitsky <mlevitsk(a)redhat.com> KVM: nVMX: Check vmcs12->guest_ia32_debugctl on nested VM-Enter Sean Christopherson <seanjc(a)google.com> KVM: VMX: Extract checking of guest's DEBUGCTL into helper Sean Christopherson <seanjc(a)google.com> KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported Sean Christopherson <seanjc(a)google.com> KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag Sean Christopherson <seanjc(a)google.com> KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap Sean Christopherson <seanjc(a)google.com> KVM: x86: Fully defer to vendor code to decide how to force immediate exit Sean Christopherson <seanjc(a)google.com> KVM: VMX: Handle KVM-induced preemption timer exits in fastpath for L2 Sean Christopherson <seanjc(a)google.com> KVM: x86: Move handling of is_guest_mode() into fastpath exit handlers Sean Christopherson <seanjc(a)google.com> KVM: VMX: Handle forced exit due to preemption timer in fastpath Sean Christopherson <seanjc(a)google.com> KVM: VMX: Re-enter guest in fastpath for "spurious" preemption timer exits Sean Christopherson <seanjc(a)google.com> KVM: x86: Plumb "force_immediate_exit" into kvm_entry() tracepoint Sean Christopherson <seanjc(a)google.com> KVM: x86/pmu: Gate all "unimplemented MSR" prints on report_ignored_msrs Sean Christopherson <seanjc(a)google.com> KVM: x86: Snapshot the host's DEBUGCTL after disabling IRQs Sean Christopherson <seanjc(a)google.com> KVM: x86: Snapshot the host's DEBUGCTL in common x86 Chao Gao <chao.gao(a)intel.com> KVM: nVMX: Defer SVI update to vmcs01 on EOI when L2 is active w/o VID Sean Christopherson <seanjc(a)google.com> KVM: x86: Plumb in the vCPU to kvm_x86_ops.hwapic_isr_update() Sean Christopherson <seanjc(a)google.com> KVM: x86: Re-split x2APIC ICR into ICR+ICR2 for AMD (x2AVIC) Sean Christopherson <seanjc(a)google.com> KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> ACPI: processor: perflib: Move problematic pr->performance check Jiayi Li <lijiayi(a)kylinos.cn> ACPI: processor: perflib: Fix initial _PPC limit application Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Documentation: ACPI: Fix parent device references Jann Horn <jannh(a)google.com> eventpoll: Fix semi-unbounded recursion Sasha Levin <sashal(a)kernel.org> fs: Prevent file descriptor table allocations exceeding INT_MAX Ma Ke <make24(a)iscas.ac.cn> sunvdc: Balance device refcount in vdc_port_mpgroup_check Haoran Jiang <jianghaoran(a)kylinos.cn> LoongArch: BPF: Fix jump offset calculation in tailcall Huacai Chen <chenhuacai(a)kernel.org> PCI: Extend isolated function probing to LoongArch Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix the setting of capabilities when automounting a new filesystem Dai Ngo <dai.ngo(a)oracle.com> NFSD: detect mismatch of file handle and delegation stateid in OPEN op Jeff Layton <jlayton(a)kernel.org> nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm() Xu Yang <xu.yang_2(a)nxp.com> net: usb: asix_devices: add phy_mask for ax88772 mdio bus Johan Hovold <johan(a)kernel.org> net: dpaa: fix device leak when querying time stamp info Johan Hovold <johan(a)kernel.org> net: mtk_eth_soc: fix device leak at probe Johan Hovold <johan(a)kernel.org> net: gianfar: fix device leak when querying time stamp info Florian Larysch <fl(a)n621.de> net: phy: micrel: fix KSZ8081/KSZ8091 cable test Fedor Pchelkin <pchelkin(a)ispras.ru> netlink: avoid infinite retry looping in netlink_unicast() David Thompson <davthompson(a)nvidia.com> gpio: mlxbf2: use platform_get_irq_optional() Harald Mommer <harald.mommer(a)oss.qualcomm.com> gpio: virtio: Fix config space reading. Wang Zhaolong <wangzhaolong(a)huaweicloud.com> smb: client: remove redundant lstrp update in negotiate protocol Steve French <stfrench(a)microsoft.com> smb3: fix for slab out of bounds on mount to ksmbd Christopher Eby <kreed(a)kreed.org> ALSA: hda/realtek: Add Framework Laptop 13 (AMD Ryzen AI 300) to quirks Vasiliy Kovalev <kovalev(a)altlinux.org> ALSA: hda/realtek: Fix headset mic on HONOR BRB-X Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Validate UAC3 cluster segment descriptors Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Validate UAC3 power domain descriptors, too Pavel Begunkov <asml.silence(a)gmail.com> io_uring: don't use int for ABI ------------- Diffstat: .../bindings/display/sprd/sprd,sharkl3-dpu.yaml | 2 +- .../display/sprd/sprd,sharkl3-dsi-host.yaml | 2 +- Documentation/firmware-guide/acpi/i2c-muxes.rst | 8 +- Documentation/networking/bonding.rst | 12 ++ Documentation/networking/mptcp-sysctl.rst | 2 + Makefile | 6 +- arch/arm/Makefile | 2 +- arch/arm/mach-rockchip/platsmp.c | 15 +- arch/arm/mach-tegra/reset.c | 2 +- arch/arm64/boot/dts/ti/k3-am62-main.dtsi | 1 - arch/arm64/include/asm/acpi.h | 2 +- arch/arm64/kernel/cpufeature.c | 1 + arch/arm64/kernel/entry.S | 6 + arch/arm64/kernel/fpsimd.c | 4 +- arch/arm64/kernel/traps.c | 1 + arch/arm64/mm/fault.c | 1 + arch/arm64/mm/ptdump_debugfs.c | 3 - arch/loongarch/net/bpf_jit.c | 21 +- arch/m68k/kernel/head.S | 31 ++- arch/mips/crypto/chacha-core.S | 20 +- arch/mips/include/asm/vpe.h | 8 + arch/mips/kernel/process.c | 16 +- arch/mips/lantiq/falcon/sysctrl.c | 23 +-- arch/parisc/Makefile | 6 +- arch/parisc/include/asm/special_insns.h | 28 +++ arch/parisc/include/asm/uaccess.h | 21 +- arch/parisc/kernel/entry.S | 17 +- arch/parisc/kernel/syscall.S | 30 ++- arch/parisc/lib/memcpy.c | 19 +- arch/parisc/mm/fault.c | 4 + arch/powerpc/include/asm/floppy.h | 5 +- arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 +- arch/s390/hypfs/hypfs_dbfs.c | 19 +- arch/s390/include/asm/timex.h | 13 +- arch/s390/kernel/time.c | 2 +- arch/s390/mm/dump_pagetables.c | 2 - arch/um/include/asm/thread_info.h | 4 + arch/um/kernel/process.c | 18 +- arch/x86/events/intel/core.c | 2 +- arch/x86/include/asm/kvm-x86-ops.h | 2 - arch/x86/include/asm/kvm_host.h | 24 ++- arch/x86/include/asm/msr-index.h | 1 + arch/x86/include/asm/reboot.h | 5 +- arch/x86/include/asm/virtext.h | 10 - arch/x86/include/asm/xen/hypercall.h | 5 +- arch/x86/kernel/cpu/bugs.c | 5 +- arch/x86/kernel/cpu/hygon.c | 3 + arch/x86/kernel/cpu/mce/amd.c | 13 +- arch/x86/kernel/reboot.c | 43 ++-- arch/x86/kvm/hyperv.c | 10 +- arch/x86/kvm/lapic.c | 61 ++++-- arch/x86/kvm/lapic.h | 1 + arch/x86/kvm/svm/svm.c | 49 +++-- arch/x86/kvm/svm/vmenter.S | 9 +- arch/x86/kvm/trace.h | 9 +- arch/x86/kvm/vmx/nested.c | 26 ++- arch/x86/kvm/vmx/pmu_intel.c | 8 +- arch/x86/kvm/vmx/vmx.c | 183 +++++++++++------ arch/x86/kvm/vmx/vmx.h | 31 ++- arch/x86/kvm/x86.c | 65 +++--- arch/x86/kvm/x86.h | 12 ++ block/blk-core.c | 26 ++- block/blk-settings.c | 2 +- drivers/acpi/acpi_processor.c | 2 +- drivers/acpi/apei/ghes.c | 2 + drivers/acpi/pfr_update.c | 2 +- drivers/acpi/prmt.c | 26 ++- drivers/acpi/processor_perflib.c | 11 + drivers/ata/Kconfig | 35 +++- drivers/ata/libata-sata.c | 5 + drivers/ata/libata-scsi.c | 20 +- drivers/base/power/runtime.c | 5 + drivers/block/drbd/drbd_receiver.c | 6 +- drivers/block/sunvdc.c | 4 +- drivers/bus/mhi/host/boot.c | 8 +- drivers/bus/mhi/host/internal.h | 4 +- drivers/bus/mhi/host/main.c | 12 +- drivers/char/ipmi/ipmi_msghandler.c | 8 +- drivers/char/ipmi/ipmi_watchdog.c | 59 ++++-- drivers/comedi/comedi_fops.c | 38 +++- drivers/comedi/comedi_internal.h | 1 + drivers/comedi/drivers.c | 40 ++-- drivers/comedi/drivers/pcl726.c | 3 +- drivers/cpufreq/armada-8k-cpufreq.c | 2 +- drivers/cpufreq/cppc_cpufreq.c | 2 +- drivers/cpufreq/cpufreq.c | 8 +- drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 +- .../crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 +- drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c | 13 ++ drivers/crypto/qat/qat_common/adf_accel_devices.h | 1 + drivers/crypto/qat/qat_common/adf_gen4_hw_data.h | 6 + drivers/crypto/qat/qat_common/adf_init.c | 3 + drivers/devfreq/governor_userspace.c | 6 +- drivers/dma/stm32-dma.c | 2 +- drivers/edac/synopsys_edac.c | 93 ++++----- drivers/fpga/zynq-fpga.c | 10 +- drivers/gpio/gpio-mlxbf2.c | 2 +- drivers/gpio/gpio-tps65912.c | 7 +- drivers/gpio/gpio-virtio.c | 9 +- drivers/gpio/gpio-wcd934x.c | 7 +- drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +- drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c | 57 +++--- drivers/gpu/drm/amd/amdkfd/kfd_module.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 +- .../gpu/drm/amd/display/dc/bios/command_table.c | 2 +- drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 1 - .../amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c | 2 - .../amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 40 ++-- .../amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 31 +-- drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 11 +- .../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 + drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 + drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 ++-- drivers/gpu/drm/display/drm_dp_helper.c | 2 +- drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c | 4 +- drivers/gpu/drm/msm/msm_gem.c | 3 +- drivers/gpu/drm/msm/msm_gem.h | 6 + drivers/gpu/drm/scheduler/sched_entity.c | 21 +- drivers/gpu/drm/ttm/ttm_pool.c | 8 +- drivers/gpu/drm/ttm/ttm_resource.c | 3 + drivers/hid/hid-apple.c | 13 +- drivers/hid/hid-magicmouse.c | 56 ++++-- drivers/hwmon/emc2305.c | 10 +- drivers/hwmon/gsc-hwmon.c | 4 +- drivers/i2c/i2c-core-acpi.c | 1 + drivers/i3c/internals.h | 1 + drivers/i3c/master.c | 4 +- drivers/iio/adc/ad7768-1.c | 23 ++- drivers/iio/adc/ad_sigma_delta.c | 6 +- drivers/iio/imu/bno055/bno055.c | 11 +- drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 6 +- drivers/iio/light/as73211.c | 2 +- drivers/iio/light/hid-sensor-prox.c | 8 +- drivers/iio/pressure/bmp280-core.c | 9 +- drivers/iio/proximity/isl29501.c | 14 +- drivers/iio/temperature/maxim_thermocouple.c | 26 ++- drivers/infiniband/core/nldev.c | 22 +- drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 + drivers/infiniband/hw/erdma/erdma_verbs.c | 4 +- drivers/infiniband/hw/hfi1/affinity.c | 44 ++-- drivers/iommu/amd/init.c | 4 +- drivers/leds/leds-lp50xx.c | 11 +- drivers/md/dm-ps-historical-service-time.c | 4 +- drivers/md/dm-ps-queue-length.c | 4 +- drivers/md/dm-ps-round-robin.c | 4 +- drivers/md/dm-ps-service-time.c | 4 +- drivers/md/dm-table.c | 10 +- drivers/md/dm-zoned-target.c | 2 +- drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 +- drivers/media/dvb-frontends/dib7000p.c | 8 + drivers/media/i2c/hi556.c | 26 +-- drivers/media/i2c/ov2659.c | 3 +- drivers/media/i2c/tc358743.c | 86 +++++--- drivers/media/platform/qcom/camss/camss.c | 4 +- drivers/media/platform/qcom/venus/core.c | 8 +- drivers/media/platform/qcom/venus/core.h | 2 + drivers/media/platform/qcom/venus/helpers.c | 2 +- drivers/media/platform/qcom/venus/hfi_helper.h | 61 +++++- drivers/media/platform/qcom/venus/hfi_msgs.c | 85 +++++--- drivers/media/platform/qcom/venus/hfi_venus.c | 5 + drivers/media/platform/qcom/venus/vdec.c | 13 +- drivers/media/platform/qcom/venus/vdec_ctrls.c | 2 +- drivers/media/platform/qcom/venus/venc.c | 9 +- drivers/media/platform/qcom/venus/venc_ctrls.c | 2 +- drivers/media/test-drivers/vivid/vivid-ctrls.c | 3 +- drivers/media/test-drivers/vivid/vivid-vid-cap.c | 4 +- drivers/media/usb/gspca/vicam.c | 10 +- drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 + drivers/media/usb/usbtv/usbtv-video.c | 4 + drivers/media/usb/uvc/uvc_driver.c | 3 + drivers/media/usb/uvc/uvc_video.c | 21 +- drivers/media/v4l2-core/v4l2-common.c | 8 +- drivers/media/v4l2-core/v4l2-ctrls-core.c | 1 - drivers/memstick/core/memstick.c | 1 - drivers/memstick/host/rtsx_usb_ms.c | 1 + drivers/misc/cardreader/rtsx_usb.c | 16 +- drivers/misc/mei/bus.c | 6 + drivers/mmc/host/rtsx_usb_sdmmc.c | 4 +- drivers/mmc/host/sdhci-msm.c | 14 ++ drivers/mmc/host/sdhci-pci-gli.c | 33 +-- drivers/most/core.c | 2 +- drivers/mtd/nand/raw/fsmc_nand.c | 2 + drivers/mtd/nand/raw/renesas-nand-controller.c | 6 + drivers/mtd/nand/spi/core.c | 5 +- drivers/mtd/spi-nor/swp.c | 19 +- drivers/net/bonding/bond_3ad.c | 224 ++++++++++++++++++--- drivers/net/bonding/bond_main.c | 1 + drivers/net/bonding/bond_netlink.c | 16 ++ drivers/net/bonding/bond_options.c | 29 ++- drivers/net/dsa/b53/b53_common.c | 63 ++++-- drivers/net/dsa/b53/b53_regs.h | 2 + drivers/net/dummy.c | 1 + drivers/net/ethernet/agere/et131x.c | 36 ++++ drivers/net/ethernet/aquantia/atlantic/aq_hw.h | 2 + .../aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 ++++ drivers/net/ethernet/atheros/ag71xx.c | 9 + drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 +- drivers/net/ethernet/emulex/benet/be_main.c | 8 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 - drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 4 +- drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 +- drivers/net/ethernet/freescale/fec_main.c | 34 ++-- drivers/net/ethernet/freescale/gianfar_ethtool.c | 4 +- drivers/net/ethernet/google/gve/gve_adminq.c | 1 + drivers/net/ethernet/google/gve/gve_main.c | 2 + drivers/net/ethernet/intel/igc/igc_main.c | 14 +- drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 4 +- drivers/net/ethernet/mediatek/mtk_ppe_offload.c | 2 + drivers/net/ethernet/mediatek/mtk_wed.c | 1 - drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 +- drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 2 + drivers/net/ethernet/mellanox/mlxsw/trap.h | 1 + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 7 +- drivers/net/geneve.c | 1 + drivers/net/hyperv/hyperv_net.h | 3 + drivers/net/hyperv/netvsc_drv.c | 29 ++- drivers/net/loopback.c | 1 + drivers/net/phy/micrel.c | 2 + drivers/net/phy/mscc/mscc.h | 12 ++ drivers/net/phy/mscc/mscc_main.c | 12 ++ drivers/net/phy/mscc/mscc_ptp.c | 49 +++-- drivers/net/phy/smsc.c | 1 + drivers/net/ppp/ppp_generic.c | 17 +- drivers/net/thunderbolt.c | 21 +- drivers/net/usb/asix_devices.c | 1 + drivers/net/usb/cdc_ncm.c | 20 +- drivers/net/veth.c | 1 + drivers/net/vxlan/vxlan_core.c | 1 + drivers/net/wireless/ath/ath11k/ce.c | 3 - drivers/net/wireless/ath/ath11k/dp_rx.c | 3 - drivers/net/wireless/ath/ath11k/hal.c | 33 ++- .../broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 2 +- drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 +- drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +- drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 +- drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +- drivers/net/wireless/realtek/rtlwifi/pci.c | 23 ++- drivers/net/wireless/realtek/rtw89/core.c | 3 + drivers/net/wireless/realtek/rtw89/fw.c | 9 +- drivers/net/wireless/realtek/rtw89/fw.h | 2 + drivers/net/wireless/realtek/rtw89/mac.c | 19 ++ drivers/net/wireless/realtek/rtw89/reg.h | 1 + drivers/net/xen-netfront.c | 5 - drivers/pci/controller/pcie-rockchip-host.c | 49 +++-- drivers/pci/controller/pcie-rockchip.h | 11 +- drivers/pci/endpoint/pci-ep-cfs.c | 1 + drivers/pci/endpoint/pci-epf-core.c | 2 +- drivers/pci/pci-acpi.c | 4 +- drivers/pci/pci.c | 8 +- drivers/pci/probe.c | 2 +- drivers/pinctrl/stm32/pinctrl-stm32.c | 1 + drivers/platform/chrome/cros_ec.c | 19 +- drivers/platform/chrome/cros_ec_typec.c | 4 +- drivers/platform/x86/thinkpad_acpi.c | 4 +- drivers/pps/clients/pps-gpio.c | 5 +- drivers/ptp/ptp_clock.c | 2 +- drivers/pwm/pwm-imx-tpm.c | 9 + drivers/pwm/pwm-mediatek.c | 71 +++---- drivers/remoteproc/imx_rproc.c | 4 +- drivers/reset/Kconfig | 10 +- drivers/rtc/rtc-ds1307.c | 15 +- drivers/s390/char/sclp.c | 11 +- drivers/scsi/aacraid/comminit.c | 3 +- drivers/scsi/bfa/bfad_im.c | 1 + drivers/scsi/libiscsi.c | 3 +- drivers/scsi/lpfc/lpfc_debugfs.c | 1 - drivers/scsi/lpfc/lpfc_scsi.c | 4 + drivers/scsi/mpi3mr/mpi3mr.h | 6 +- drivers/scsi/mpi3mr/mpi3mr_fw.c | 17 +- drivers/scsi/mpi3mr/mpi3mr_os.c | 22 +- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 ++ drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/scsi_scan.c | 2 +- drivers/scsi/scsi_transport_sas.c | 62 ++++-- drivers/soc/qcom/mdt_loader.c | 68 ++++++- drivers/soc/tegra/pmc.c | 51 +++-- drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +- drivers/target/target_core_fabric_lib.c | 65 ++++-- drivers/target/target_core_internal.h | 4 +- drivers/target/target_core_pr.c | 18 +- drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 +++- drivers/thermal/thermal_sysfs.c | 9 +- drivers/thunderbolt/domain.c | 2 +- drivers/tty/serial/8250/8250_port.c | 3 +- drivers/tty/vt/defkeymap.c_shipped | 112 +++++++++++ drivers/tty/vt/keyboard.c | 2 +- drivers/ufs/host/ufs-exynos.c | 4 +- drivers/ufs/host/ufshcd-pci.c | 42 +++- drivers/usb/atm/cxacru.c | 172 ++++++++-------- drivers/usb/class/cdc-acm.c | 11 +- drivers/usb/core/config.c | 10 +- drivers/usb/core/hcd.c | 8 +- drivers/usb/core/quirks.c | 1 + drivers/usb/core/urb.c | 2 +- drivers/usb/dwc3/dwc3-imx8mp.c | 6 +- drivers/usb/dwc3/dwc3-meson-g12a.c | 3 + drivers/usb/dwc3/ep0.c | 20 +- drivers/usb/dwc3/gadget.c | 19 +- drivers/usb/gadget/udc/renesas_usb3.c | 1 + drivers/usb/host/xhci-mem.c | 2 + drivers/usb/host/xhci-pci-renesas.c | 7 +- drivers/usb/host/xhci-ring.c | 10 +- drivers/usb/host/xhci.c | 6 +- drivers/usb/musb/omap2430.c | 20 +- drivers/usb/storage/realtek_cr.c | 2 +- drivers/usb/storage/unusual_devs.h | 29 +++ drivers/usb/typec/mux/intel_pmc_mux.c | 2 +- drivers/usb/typec/tcpm/fusb302.c | 8 + drivers/usb/typec/ucsi/psy.c | 2 +- drivers/usb/typec/ucsi/ucsi.c | 1 + drivers/usb/typec/ucsi/ucsi.h | 7 +- drivers/vfio/pci/mlx5/cmd.c | 4 +- drivers/vfio/vfio_iommu_type1.c | 7 + drivers/vhost/vhost.c | 3 + drivers/vhost/vsock.c | 6 +- drivers/video/console/vgacon.c | 2 +- drivers/video/fbdev/core/fbcon.c | 9 +- drivers/video/fbdev/core/fbmem.c | 3 + drivers/virt/coco/efi_secret/efi_secret.c | 10 +- drivers/watchdog/dw_wdt.c | 2 + drivers/watchdog/iTCO_wdt.c | 6 +- drivers/watchdog/sbsa_gwdt.c | 50 ++++- fs/btrfs/block-group.c | 27 ++- fs/btrfs/ctree.c | 9 +- fs/btrfs/ordered-data.c | 12 +- fs/btrfs/qgroup.c | 31 ++- fs/btrfs/relocation.c | 19 ++ fs/btrfs/send.c | 39 ++++ fs/btrfs/tree-log.c | 60 ++++-- fs/btrfs/zoned.c | 3 +- fs/buffer.c | 2 +- fs/crypto/fscrypt_private.h | 17 ++ fs/crypto/hkdf.c | 2 +- fs/crypto/keysetup.c | 3 +- fs/crypto/keysetup_v1.c | 3 +- fs/eventpoll.c | 60 ++++-- fs/ext2/inode.c | 12 +- fs/ext4/fsmap.c | 23 ++- fs/ext4/indirect.c | 4 +- fs/ext4/inline.c | 19 +- fs/ext4/inode.c | 2 +- fs/ext4/mballoc.c | 69 +++---- fs/ext4/orphan.c | 5 +- fs/ext4/super.c | 8 +- fs/f2fs/data.c | 2 + fs/f2fs/f2fs.h | 1 - fs/f2fs/inode.c | 7 + fs/f2fs/node.c | 10 + fs/file.c | 15 ++ fs/hfs/bnode.c | 93 +++++++++ fs/hfsplus/bnode.c | 92 +++++++++ fs/hfsplus/unicode.c | 7 + fs/hfsplus/xattr.c | 6 +- fs/hugetlbfs/inode.c | 2 +- fs/jbd2/checkpoint.c | 1 + fs/jfs/file.c | 3 + fs/jfs/inode.c | 2 +- fs/jfs/jfs_dmap.c | 6 + fs/libfs.c | 4 +- fs/namespace.c | 34 ++-- fs/nfs/blocklayout/blocklayout.c | 4 +- fs/nfs/blocklayout/dev.c | 5 +- fs/nfs/blocklayout/extent_tree.c | 20 +- fs/nfs/client.c | 44 +++- fs/nfs/internal.h | 2 +- fs/nfs/nfs4client.c | 20 +- fs/nfs/nfs4proc.c | 2 +- fs/nfs/pnfs.c | 11 +- fs/nfsd/nfs4state.c | 34 +++- fs/ntfs3/dir.c | 3 + fs/ntfs3/inode.c | 31 +-- fs/orangefs/orangefs-debugfs.c | 2 +- fs/smb/client/cifssmb.c | 10 + fs/smb/client/connect.c | 1 - fs/smb/client/sess.c | 9 + fs/smb/client/smb2ops.c | 11 +- fs/smb/server/connection.c | 3 +- fs/smb/server/connection.h | 7 +- fs/smb/server/smb2pdu.c | 16 +- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/transport_rdma.h | 4 +- fs/smb/server/transport_tcp.c | 26 ++- fs/squashfs/super.c | 14 +- fs/udf/super.c | 13 +- fs/xfs/xfs_itable.c | 6 +- include/linux/blk_types.h | 6 +- include/linux/compiler.h | 8 - include/linux/fs.h | 4 +- include/linux/hypervisor.h | 3 + include/linux/if_vlan.h | 6 +- include/linux/iosys-map.h | 7 +- include/linux/memfd.h | 14 ++ include/linux/mm.h | 76 +++++-- include/linux/pci.h | 10 +- include/linux/platform_data/cros_ec_proto.h | 4 + include/linux/skbuff.h | 8 +- include/linux/usb/cdc_ncm.h | 1 + include/linux/virtio_vsock.h | 7 +- include/net/bond_3ad.h | 3 + include/net/bond_options.h | 1 + include/net/bonding.h | 23 +++ include/net/cfg80211.h | 2 +- include/net/mac80211.h | 2 + include/net/neighbour.h | 1 + include/sound/soc-dai.h | 13 ++ include/uapi/linux/if_link.h | 1 + include/uapi/linux/in6.h | 4 +- include/uapi/linux/io_uring.h | 2 +- include/uapi/linux/pfrut.h | 1 + kernel/cgroup/cpuset.c | 2 +- kernel/fork.c | 2 +- kernel/module/main.c | 10 +- kernel/power/console.c | 7 +- kernel/rcu/tree_plugin.h | 3 + kernel/sched/fair.c | 19 +- kernel/trace/ftrace.c | 19 +- kernel/trace/trace.c | 33 ++- kernel/trace/trace.h | 8 +- mm/debug_vm_pgtable.c | 9 +- mm/filemap.c | 2 +- mm/kmemleak.c | 10 +- mm/madvise.c | 2 +- mm/memfd.c | 2 +- mm/memory-failure.c | 8 + mm/mmap.c | 12 +- mm/ptdump.c | 2 + mm/shmem.c | 2 +- net/bluetooth/hci_conn.c | 3 +- net/bluetooth/hci_sync.c | 43 ++-- net/bridge/br_multicast.c | 16 ++ net/bridge/br_private.h | 2 + net/core/dev.c | 12 ++ net/core/neighbour.c | 12 +- net/hsr/hsr_slave.c | 8 +- net/ipv4/ip_tunnel.c | 1 + net/ipv4/netfilter/nf_reject_ipv4.c | 6 +- net/ipv4/route.c | 1 - net/ipv4/udp_offload.c | 2 +- net/ipv6/addrconf.c | 7 +- net/ipv6/ip6_gre.c | 2 + net/ipv6/ip6_tunnel.c | 1 + net/ipv6/ip6_vti.c | 1 + net/ipv6/mcast.c | 11 +- net/ipv6/netfilter/nf_reject_ipv6.c | 5 +- net/ipv6/seg6_hmac.c | 6 +- net/ipv6/sit.c | 1 + net/mac80211/cfg.c | 12 +- net/mac80211/chan.c | 1 + net/mac80211/mlme.c | 9 +- net/mac80211/sta_info.c | 5 +- net/mctp/af_mctp.c | 28 ++- net/mptcp/options.c | 9 +- net/mptcp/pm.c | 8 +- net/mptcp/pm_netlink.c | 19 +- net/mptcp/protocol.c | 55 ++++- net/mptcp/protocol.h | 27 ++- net/mptcp/subflow.c | 30 ++- net/ncsi/internal.h | 2 +- net/ncsi/ncsi-rsp.c | 1 + net/netfilter/nf_conntrack_netlink.c | 24 ++- net/netlink/af_netlink.c | 2 +- net/sched/sch_cake.c | 14 +- net/sched/sch_ets.c | 36 ++-- net/sched/sch_htb.c | 2 +- net/tls/tls_sw.c | 16 +- net/vmw_vsock/virtio_transport.c | 14 +- net/wireless/mlme.c | 3 +- scripts/kconfig/gconf.c | 8 +- scripts/kconfig/lxdialog/inputbox.c | 6 +- scripts/kconfig/lxdialog/menubox.c | 2 +- scripts/kconfig/nconf.c | 2 + scripts/kconfig/nconf.gui.c | 1 + security/apparmor/include/lib.h | 6 +- security/inode.c | 2 - sound/core/pcm_native.c | 19 +- sound/pci/hda/hda_codec.c | 44 ++-- sound/pci/hda/patch_ca0132.c | 2 +- sound/pci/hda/patch_realtek.c | 4 + sound/pci/intel8x0.c | 2 +- sound/soc/codecs/hdac_hdmi.c | 10 +- sound/soc/codecs/rt5640.c | 5 + sound/soc/fsl/fsl_asrc.c | 16 +- sound/soc/fsl/fsl_aud2htx.c | 10 +- sound/soc/fsl/fsl_easrc.c | 16 +- sound/soc/fsl/fsl_esai.c | 20 +- sound/soc/fsl/fsl_micfil.c | 14 +- sound/soc/fsl/fsl_sai.c | 44 ++-- sound/soc/fsl/fsl_spdif.c | 17 +- sound/soc/fsl/fsl_ssi.c | 3 +- sound/soc/fsl/fsl_xcvr.c | 16 +- sound/soc/generic/audio-graph-card.c | 2 +- sound/soc/intel/avs/core.c | 3 +- sound/soc/soc-core.c | 28 +++ sound/soc/soc-dai.c | 43 ++-- sound/soc/soc-dapm.c | 4 + sound/usb/mixer_quirks.c | 14 +- sound/usb/stream.c | 25 ++- sound/usb/validate.c | 14 +- tools/include/nolibc/std.h | 4 +- tools/include/nolibc/types.h | 4 +- tools/include/uapi/linux/if_link.h | 1 + .../cpupower/utils/idle_monitor/mperf_monitor.c | 4 +- tools/scripts/Makefile.include | 4 +- tools/testing/ktest/ktest.pl | 5 +- tools/testing/selftests/arm64/fp/sve-ptrace.c | 3 +- .../selftests/bpf/prog_tests/user_ringbuf.c | 10 +- .../ftrace/test.d/ftrace/func-filter-glob.tc | 2 +- tools/testing/selftests/futex/include/futextest.h | 11 + tools/testing/selftests/memfd/memfd_test.c | 43 ++++ tools/testing/selftests/net/mptcp/pm_netlink.sh | 1 + 511 files changed, 4945 insertions(+), 1976 deletions(-)

1 week, 2 days

10
491
0 0

[PATCH rtw v2 1/4] wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()

by Fedor Pchelkin

There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to access already freed skb_data: BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025 Workqueue: events_unbound cfg80211_wiphy_work [cfg80211] Use-after-free write at 0x0000000020309d9d (in kfence-#251): rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago): __alloc_skb net/core/skbuff.c:659 __netdev_alloc_skb net/core/skbuff.c:734 ieee80211_nullfunc_get net/mac80211/tx.c:5844 rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago): ieee80211_tx_status_skb net/mac80211/status.c:1117 rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564 rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651 rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676 rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238 __napi_poll net/core/dev.c:7495 net_rx_action net/core/dev.c:7557 net/core/dev.c:7684 handle_softirqs kernel/softirq.c:580 do_softirq.part.0 kernel/softirq.c:480 __local_bh_enable_ip kernel/softirq.c:407 rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927 irq_thread_fn kernel/irq/manage.c:1133 irq_thread kernel/irq/manage.c:1257 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 It is a consequence of a race between the waiting and the signaling side of the completion: Waiting thread Completing thread rtw89_core_tx_kick_off_and_wait() rcu_assign_pointer(skb_data->wait, wait) /* start waiting */ wait_for_completion_timeout() rtw89_pci_tx_status() rtw89_core_tx_wait_complete() rcu_read_lock() /* signals completion and * proceeds further */ complete(&wait->completion) rcu_read_unlock() ... /* frees skb_data */ ieee80211_tx_status_ni() /* returns (exit status doesn't matter) */ wait_for_completion_timeout() ... /* accesses the already freed skb_data */ rcu_assign_pointer(skb_data->wait, NULL) The completing side might proceed and free the underlying skb even before the waiting side is fully awoken and run to execution. Actually the race happens regardless of wait_for_completion_timeout() exit status, e.g. the waiting side may hit a timeout and the concurrent completing side is still able to free the skb. Skbs which are sent by rtw89_core_tx_kick_off_and_wait() are owned by the driver. They don't come from core ieee80211 stack so no need to pass them to ieee80211_tx_status_ni() on completing side. Introduce a work function which will act as a garbage collector for rtw89_tx_wait_info objects and the associated skbs. Thus no potentially heavy locks are required on the completing side. Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable(a)vger.kernel.org Suggested-by: Zong-Zhe Yang <kevin_yang(a)realtek.com> Signed-off-by: Fedor Pchelkin <pchelkin(a)ispras.ru> --- v2: use a work function to manage release of tx_waits and associated skbs (Zong-Zhe) The interesting part is how rtw89_tx_wait_work() should wait for completion - based on timeout or without it, or just check status with a call to completion_done(). Simply waiting with wait_for_completion() may become a bottleneck if for any reason the completion is delayed significantly, and we are holding a wiphy lock here. I _suspect_ rtw89_pci_tx_status() should be called either by napi polling handler or in other cases e.g. by rtw89_hci_reset() but it's hard to deduce for any possible scenario that it will be called in some time. Anyway, the current and the next patch try to make sure that when rtw89_core_tx_wait_complete() is called, skbdata->wait is properly initialized so that there should be no buggy situations when tx_wait skb is not recognized and invalidly passed to ieee80211 stack, also without signaling a completion. If rtw89_core_tx_wait_complete() is not called at all, this should indicate a bug elsewhere. drivers/net/wireless/realtek/rtw89/core.c | 42 +++++++++++++++++++---- drivers/net/wireless/realtek/rtw89/core.h | 22 +++++++----- drivers/net/wireless/realtek/rtw89/pci.c | 9 ++--- 3 files changed, 54 insertions(+), 19 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index 57590f5577a3..48aa02d6abd4 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1073,6 +1073,26 @@ rtw89_core_tx_update_desc_info(struct rtw89_dev *rtwdev, } } +static void rtw89_tx_wait_work(struct wiphy *wiphy, struct wiphy_work *work) +{ + struct rtw89_dev *rtwdev = container_of(work, struct rtw89_dev, + tx_wait_work); + struct rtw89_tx_wait_info *wait, *tmp; + + lockdep_assert_wiphy(wiphy); + + list_for_each_entry_safe(wait, tmp, &rtwdev->tx_waits, list) { + if (!wait->finished) { + unsigned long tmo = msecs_to_jiffies(wait->timeout); + if (!wait_for_completion_timeout(&wait->completion, tmo)) + continue; + } + list_del(&wait->list); + dev_kfree_skb_any(wait->skb); + kfree(wait); + } +} + void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel) { u8 ch_dma; @@ -1090,6 +1110,8 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk unsigned long time_left; int ret = 0; + lockdep_assert_wiphy(rtwdev->hw->wiphy); + wait = kzalloc(sizeof(*wait), GFP_KERNEL); if (!wait) { rtw89_core_tx_kick_off(rtwdev, qsel); @@ -1097,18 +1119,23 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev *rtwdev, struct sk_buff *sk } init_completion(&wait->completion); - rcu_assign_pointer(skb_data->wait, wait); + skb_data->wait = wait; rtw89_core_tx_kick_off(rtwdev, qsel); time_left = wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); - if (time_left == 0) + if (time_left == 0) { ret = -ETIMEDOUT; - else if (!wait->tx_done) - ret = -EAGAIN; + } else { + wait->finished = true; + if (!wait->tx_done) + ret = -EAGAIN; + } - rcu_assign_pointer(skb_data->wait, NULL); - kfree_rcu(wait, rcu_head); + wait->skb = skb; + wait->timeout = timeout; + list_add_tail(&wait->list, &rtwdev->tx_waits); + wiphy_work_queue(rtwdev->hw->wiphy, &rtwdev->tx_wait_work); return ret; } @@ -4972,6 +4999,7 @@ void rtw89_core_stop(struct rtw89_dev *rtwdev) clear_bit(RTW89_FLAG_RUNNING, rtwdev->flags); wiphy_work_cancel(wiphy, &rtwdev->c2h_work); + wiphy_work_cancel(wiphy, &rtwdev->tx_wait_work); wiphy_work_cancel(wiphy, &rtwdev->cancel_6ghz_probe_work); wiphy_work_cancel(wiphy, &btc->eapol_notify_work); wiphy_work_cancel(wiphy, &btc->arp_notify_work); @@ -5203,6 +5231,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) INIT_LIST_HEAD(&rtwdev->scan_info.pkt_list[band]); } INIT_LIST_HEAD(&rtwdev->scan_info.chan_list); + INIT_LIST_HEAD(&rtwdev->tx_waits); INIT_WORK(&rtwdev->ba_work, rtw89_core_ba_work); INIT_WORK(&rtwdev->txq_work, rtw89_core_txq_work); INIT_DELAYED_WORK(&rtwdev->txq_reinvoke_work, rtw89_core_txq_reinvoke_work); @@ -5233,6 +5262,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) wiphy_work_init(&rtwdev->c2h_work, rtw89_fw_c2h_work); wiphy_work_init(&rtwdev->ips_work, rtw89_ips_work); wiphy_work_init(&rtwdev->cancel_6ghz_probe_work, rtw89_cancel_6ghz_probe_work); + wiphy_work_init(&rtwdev->tx_wait_work, rtw89_tx_wait_work); INIT_WORK(&rtwdev->load_firmware_work, rtw89_load_firmware_work); skb_queue_head_init(&rtwdev->c2h_queue); diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h index 43e10278e14d..06f7d82a8d18 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -3508,12 +3508,16 @@ struct rtw89_phy_rate_pattern { struct rtw89_tx_wait_info { struct rcu_head rcu_head; + struct list_head list; struct completion completion; + struct sk_buff *skb; + unsigned int timeout; bool tx_done; + bool finished; }; struct rtw89_tx_skb_data { - struct rtw89_tx_wait_info __rcu *wait; + struct rtw89_tx_wait_info *wait; u8 hci_priv[]; }; @@ -5925,6 +5929,9 @@ struct rtw89_dev { /* used to protect rpwm */ spinlock_t rpwm_lock; + struct list_head tx_waits; + struct wiphy_work tx_wait_work; + struct rtw89_cam_info cam_info; struct sk_buff_head c2h_queue; @@ -7258,23 +7265,20 @@ static inline struct sk_buff *rtw89_alloc_skb_for_rx(struct rtw89_dev *rtwdev, return dev_alloc_skb(length); } -static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, +static inline bool rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data, bool tx_done) { struct rtw89_tx_wait_info *wait; - rcu_read_lock(); - - wait = rcu_dereference(skb_data->wait); + wait = skb_data->wait; if (!wait) - goto out; + return false; wait->tx_done = tx_done; - complete(&wait->completion); + complete_all(&wait->completion); -out: - rcu_read_unlock(); + return true; } static inline bool rtw89_is_mlo_1_1(struct rtw89_dev *rtwdev) diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c index a669f2f843aa..6356c2c224c5 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -464,10 +464,7 @@ static void rtw89_pci_tx_status(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb); struct ieee80211_tx_info *info; - rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE); - info = IEEE80211_SKB_CB(skb); - ieee80211_tx_info_clear_status(info); if (info->flags & IEEE80211_TX_CTL_NO_ACK) info->flags |= IEEE80211_TX_STAT_NOACK_TRANSMITTED; @@ -494,6 +491,10 @@ static void rtw89_pci_tx_status(struct rtw89_dev *rtwdev, } } + if (rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE)) + return; + + ieee80211_tx_info_clear_status(info); ieee80211_tx_status_ni(rtwdev->hw, skb); } @@ -1387,7 +1388,7 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rtwdev, } tx_data->dma = dma; - rcu_assign_pointer(skb_data->wait, NULL); + skb_data->wait = NULL; txwp_len = sizeof(*txwp_info); txwd_len = chip->txwd_body_size; -- 2.50.1

1 week, 2 days

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror August 2025