August 2025 - Linux-stable-mirror

by Greg Kroah-Hartman

I'm announcing the release of the 6.1.148 kernel. All users of the 6.1 kernel series must upgrade. The updated 6.1.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-6.1.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/filesystems/f2fs.rst | 6 Makefile | 2 arch/arm/boot/dts/am335x-boneblack.dts | 2 arch/arm/boot/dts/imx6ul-kontron-bl-common.dtsi | 1 arch/arm/boot/dts/vfxxx.dtsi | 2 arch/arm/crypto/aes-neonbs-glue.c | 2 arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 2 arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 2 arch/arm64/boot/dts/qcom/sc7180.dtsi | 10 arch/arm64/boot/dts/qcom/sdm845.dtsi | 10 arch/m68k/Kconfig.debug | 2 arch/m68k/kernel/early_printk.c | 42 - arch/m68k/kernel/head.S | 8 arch/mips/mm/tlb-r4k.c | 56 + arch/powerpc/configs/ppc6xx_defconfig | 1 arch/powerpc/kernel/eeh.c | 1 arch/powerpc/kernel/eeh_driver.c | 48 + arch/powerpc/kernel/eeh_pe.c | 11 arch/powerpc/kernel/pci-hotplug.c | 3 arch/sh/Makefile | 10 arch/sh/boot/compressed/Makefile | 4 arch/sh/boot/romimage/Makefile | 4 arch/um/drivers/rtc_user.c | 2 arch/x86/boot/compressed/sev.c | 7 arch/x86/boot/cpuflags.c | 13 arch/x86/hyperv/irqdomain.c | 4 arch/x86/include/asm/cpufeatures.h | 1 arch/x86/kernel/cpu/amd.c | 2 arch/x86/kernel/cpu/scattered.c | 1 arch/x86/kernel/sev-shared.c | 18 arch/x86/kernel/sev.c | 11 arch/x86/mm/extable.c | 5 drivers/base/regmap/regmap.c | 2 drivers/block/ublk_drv.c | 4 drivers/bus/fsl-mc/fsl-mc-bus.c | 19 drivers/char/hw_random/mtk-rng.c | 4 drivers/clk/clk-axi-clkgen.c | 2 drivers/clk/davinci/psc.c | 5 drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 drivers/clk/xilinx/xlnx_vcu.c | 4 drivers/comedi/drivers/comedi_test.c | 2 drivers/cpufreq/cpufreq.c | 21 drivers/cpufreq/intel_pstate.c | 4 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 4 drivers/crypto/ccp/ccp-debugfs.c | 3 drivers/crypto/img-hash.c | 2 drivers/crypto/inside-secure/safexcel_hash.c | 8 drivers/crypto/keembay/keembay-ocs-hcu-core.c | 8 drivers/crypto/marvell/cesa/cipher.c | 4 drivers/crypto/marvell/cesa/hash.c | 5 drivers/crypto/qat/qat_common/adf_transport_debug.c | 4 drivers/devfreq/devfreq.c | 10 drivers/dma/mv_xor.c | 21 drivers/dma/nbpfaxi.c | 13 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 47 - drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c | 2 drivers/gpu/drm/bridge/ti-sn65dsi86.c | 2 drivers/gpu/drm/i915/display/intel_dp.c | 6 drivers/gpu/drm/rockchip/rockchip_drm_fb.c | 9 drivers/i2c/busses/i2c-qup.c | 4 drivers/i2c/busses/i2c-tegra.c | 24 drivers/i2c/busses/i2c-virtio.c | 15 drivers/iio/adc/ad7949.c | 7 drivers/infiniband/core/cache.c | 4 drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 15 drivers/infiniband/hw/mlx5/dm.c | 2 drivers/input/keyboard/gpio_keys.c | 4 drivers/interconnect/qcom/sc7280.c | 1 drivers/interconnect/qcom/sc8180x.c | 6 drivers/interconnect/qcom/sc8280xp.c | 1 drivers/irqchip/Kconfig | 1 drivers/media/v4l2-core/v4l2-ctrls-core.c | 8 drivers/mtd/ftl.c | 2 drivers/mtd/nand/raw/atmel/nand-controller.c | 2 drivers/mtd/nand/raw/atmel/pmecc.c | 6 drivers/mtd/nand/raw/rockchip-nand-controller.c | 15 drivers/net/can/dev/dev.c | 31 - drivers/net/can/dev/netlink.c | 12 drivers/net/can/kvaser_pciefd.c | 1 drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 17 drivers/net/ethernet/emulex/benet/be_cmds.c | 2 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 15 drivers/net/ethernet/freescale/dpaa2/dpaa2-switch.c | 15 drivers/net/ethernet/google/gve/gve_main.c | 67 +- drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 36 - drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_ptp.c | 9 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 6 drivers/net/ethernet/intel/e1000e/defines.h | 3 drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 drivers/net/ethernet/intel/e1000e/nvm.c | 6 drivers/net/ethernet/intel/fm10k/fm10k.h | 3 drivers/net/ethernet/intel/i40e/i40e.h | 2 drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 drivers/net/ethernet/intel/i40e/i40e_main.c | 18 drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 8 drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 2 drivers/net/ethernet/intel/ixgbe/ixgbe.h | 3 drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 1 drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 drivers/net/phy/mscc/mscc_ptp.c | 1 drivers/net/phy/mscc/mscc_ptp.h | 1 drivers/net/ppp/pptp.c | 18 drivers/net/usb/usbnet.c | 11 drivers/net/vrf.c | 2 drivers/net/wireless/ath/ath11k/hal.c | 4 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 8 drivers/net/wireless/intel/iwlwifi/dvm/main.c | 11 drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 drivers/net/wireless/marvell/mwl8k.c | 4 drivers/net/wireless/purelifi/plfxlc/mac.c | 11 drivers/net/wireless/purelifi/plfxlc/mac.h | 2 drivers/net/wireless/purelifi/plfxlc/usb.c | 29 drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 drivers/pci/controller/pcie-rockchip-host.c | 2 drivers/pci/endpoint/functions/pci-epf-vntb.c | 4 drivers/pci/hotplug/pnv_php.c | 233 +++++++ drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 drivers/platform/x86/ideapad-laptop.c | 2 drivers/power/supply/cpcap-charger.c | 5 drivers/power/supply/max14577_charger.c | 4 drivers/powercap/dtpm_cpu.c | 2 drivers/pps/pps.c | 11 drivers/regulator/core.c | 1 drivers/rtc/rtc-ds1307.c | 2 drivers/rtc/rtc-hym8563.c | 2 drivers/rtc/rtc-nct3018y.c | 2 drivers/rtc/rtc-pcf85063.c | 2 drivers/rtc/rtc-pcf8563.c | 2 drivers/rtc/rtc-rv3028.c | 2 drivers/scsi/elx/efct/efct_lio.c | 2 drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 drivers/scsi/isci/request.c | 2 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 drivers/scsi/mvsas/mv_sas.c | 4 drivers/scsi/scsi_transport_iscsi.c | 2 drivers/scsi/sd.c | 4 drivers/soc/qcom/qmi_encdec.c | 46 + drivers/soc/tegra/cbb/tegra234-cbb.c | 2 drivers/soundwire/stream.c | 2 drivers/staging/fbtft/fbtft-core.c | 1 drivers/staging/nvec/nvec_power.c | 2 drivers/staging/vc04_services/bcm2835-audio/bcm2835-vchiq.c | 4 drivers/staging/vc04_services/include/linux/raspberrypi/vchiq.h | 2 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 79 +- drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c | 172 ++--- drivers/staging/vc04_services/interface/vchiq_arm/vchiq_dev.c | 36 - drivers/staging/vc04_services/vchiq-mmal/mmal-vchiq.c | 4 drivers/ufs/core/ufshcd.c | 10 drivers/usb/chipidea/ci.h | 18 drivers/usb/chipidea/udc.c | 10 drivers/usb/early/xhci-dbc.c | 4 drivers/usb/gadget/composite.c | 5 drivers/usb/host/xhci-plat.c | 2 drivers/usb/misc/apple-mfi-fastcharge.c | 24 drivers/usb/phy/phy-mxs-usb.c | 4 drivers/usb/serial/option.c | 2 drivers/usb/typec/tcpm/tcpm.c | 64 +- drivers/vfio/pci/vfio_pci_core.c | 2 drivers/vhost/scsi.c | 4 drivers/video/fbdev/core/fbcon.c | 4 drivers/video/fbdev/imxfb.c | 9 drivers/watchdog/ziirave_wdt.c | 3 drivers/xen/gntdev-common.h | 4 drivers/xen/gntdev.c | 71 +- fs/erofs/decompressor.c | 23 fs/erofs/dir.c | 17 fs/erofs/inode.c | 3 fs/erofs/internal.h | 2 fs/erofs/namei.c | 9 fs/erofs/zdata.c | 56 - fs/erofs/zmap.c | 3 fs/f2fs/data.c | 2 fs/f2fs/extent_cache.c | 2 fs/f2fs/f2fs.h | 2 fs/f2fs/inode.c | 21 fs/f2fs/segment.h | 5 fs/hfsplus/extents.c | 3 fs/jfs/jfs_dmap.c | 4 fs/jfs/jfs_imap.c | 13 fs/nfs/dir.c | 4 fs/nfs/export.c | 11 fs/nfs/flexfilelayout/flexfilelayout.c | 26 fs/nfs/flexfilelayout/flexfilelayoutdev.c | 6 fs/nfs/internal.h | 9 fs/nfs/nfs4proc.c | 10 fs/nilfs2/inode.c | 9 fs/ntfs3/file.c | 5 fs/orangefs/orangefs-debugfs.c | 6 fs/proc/generic.c | 2 fs/proc/inode.c | 2 fs/proc/internal.h | 5 fs/smb/client/smbdirect.c | 14 fs/smb/server/connection.h | 1 fs/smb/server/smb2pdu.c | 22 fs/smb/server/smb_common.c | 2 fs/smb/server/transport_rdma.c | 97 +-- fs/smb/server/transport_tcp.c | 17 fs/smb/server/vfs.c | 3 include/linux/fs_context.h | 2 include/linux/moduleparam.h | 5 include/linux/pps_kernel.h | 1 include/linux/proc_fs.h | 1 include/linux/skbuff.h | 23 include/linux/usb/usbnet.h | 1 include/linux/wait_bit.h | 60 ++ include/net/tc_act/tc_ctinfo.h | 6 include/net/udp.h | 24 kernel/bpf/preload/Kconfig | 1 kernel/events/core.c | 20 kernel/kcsan/kcsan_test.c | 2 kernel/trace/preemptirq_delay_test.c | 13 kernel/ucount.c | 2 mm/hmm.c | 2 mm/kasan/report.c | 4 mm/khugepaged.c | 4 mm/zsmalloc.c | 3 net/appletalk/aarp.c | 24 net/caif/cfctrl.c | 294 ++++------ net/core/filter.c | 3 net/core/netpoll.c | 7 net/core/skmsg.c | 7 net/ipv4/tcp_input.c | 3 net/ipv6/ip6_fib.c | 24 net/ipv6/ip6_offload.c | 4 net/ipv6/ip6mr.c | 3 net/ipv6/route.c | 56 + net/mac80211/tdls.c | 2 net/mac80211/tx.c | 14 net/netfilter/nf_tables_api.c | 4 net/netfilter/xt_nfacct.c | 4 net/packet/af_packet.c | 12 net/sched/act_ctinfo.c | 19 net/sched/sch_netem.c | 40 + net/sched/sch_qfq.c | 7 net/tls/tls_sw.c | 13 net/vmw_vsock/af_vsock.c | 3 net/xfrm/xfrm_interface_core.c | 7 samples/mei/mei-amt-version.c | 2 scripts/kconfig/qconf.cc | 2 security/apparmor/include/match.h | 3 security/apparmor/match.c | 1 sound/pci/hda/hda_tegra.c | 51 + sound/pci/hda/patch_ca0132.c | 5 sound/pci/hda/patch_hdmi.c | 20 sound/pci/hda/patch_realtek.c | 1 sound/soc/amd/yc/acp6x-mach.c | 7 sound/soc/intel/boards/Kconfig | 2 sound/soc/soc-dai.c | 16 sound/soc/soc-ops.c | 26 sound/usb/mixer_scarlett2.c | 7 sound/x86/intel_hdmi_audio.c | 2 tools/bpf/bpftool/net.c | 15 tools/perf/builtin-sched.c | 39 + tools/perf/tests/bp_account.c | 1 tools/perf/util/evsel.c | 11 tools/perf/util/evsel.h | 2 tools/testing/selftests/arm64/fp/sve-ptrace.c | 2 tools/testing/selftests/ftrace/test.d/event/subsystem-enable.tc | 28 tools/testing/selftests/net/mptcp/Makefile | 3 tools/testing/selftests/net/mptcp/mptcp_connect_checksum.sh | 5 tools/testing/selftests/net/mptcp/mptcp_connect_mmap.sh | 5 tools/testing/selftests/net/mptcp/mptcp_connect_sendfile.sh | 5 tools/testing/selftests/net/rtnetlink.sh | 6 tools/testing/selftests/perf_events/.gitignore | 1 tools/testing/selftests/perf_events/Makefile | 2 tools/testing/selftests/perf_events/mmap.c | 236 ++++++++ tools/testing/selftests/syscall_user_dispatch/sud_test.c | 50 - 271 files changed, 2444 insertions(+), 1165 deletions(-) Abdun Nihaal (2): regmap: fix potential memory leak of regmap_bus staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() Abinash Singh (1): f2fs: fix KMSAN uninit-value in extent_info usage Adam Ford (2): arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed Adam Queler (1): ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx Akhil R (1): i2c: tegra: Fix reset error handling with ACPI Albin Törnqvist (1): arm: dts: ti: omap: Fixup pinheader typo Alessandro Carminati (1): regulator: core: fix NULL dereference on unbind due to stale coupling data Alex Williamson (1): vfio/pci: Separate SR-IOV VF dev_set Alexander Wetzel (2): wifi: mac80211: Do not schedule stopped TXQs wifi: mac80211: Don't call fq_flow_idx() for management frames Alexander Wilhelm (1): soc: qcom: QMI encoding/decoding for big endian Alok Tiwari (1): staging: nvec: Fix incorrect null termination of battery manufacturer Ammar Faizi (1): net: usbnet: Fix the wrong netif_carrier_on() call Andy Shevchenko (1): mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery Andy Yan (1): drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed Annette Kobou (1): ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface Arnd Bergmann (7): ethernet: intel: fix building with large NR_CPUS ASoC: Intel: fix SND_SOC_SOF dependencies ASoC: ops: dynamically allocate struct snd_ctl_elem_value caif: reduce stack size, again crypto: arm/aes-neonbs - work around gcc-15 warning kernel: trace: preemptirq_delay_test: use offstack cpu mask irqchip: Build IMX_MU_MSI only on ARM Balamanikandan Gunasundar (1): mtd: rawnand: atmel: set pmecc data setup time Bard Liao (1): soundwire: stream: restore params when prepare ports fail Ben Hutchings (1): sh: Do not use hyphen in exported variable name Benjamin Coddington (1): NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY Brahmajit Das (1): samples: mei: Fix building on musl libc Brian Masney (6): rtc: ds1307: fix incorrect maximum clock rate handling rtc: hym8563: fix incorrect maximum clock rate handling rtc: nct3018y: fix incorrect maximum clock rate handling rtc: pcf85063: fix incorrect maximum clock rate handling rtc: pcf8563: fix incorrect maximum clock rate handling rtc: rv3028: fix incorrect maximum clock rate handling Budimir Markovic (1): vsock: Do not allow binding to VMADDR_PORT_ANY Caleb Sander Mateos (1): ublk: use vmalloc for ublk_device's __queues Chao Yu (6): f2fs: doc: fix wrong quota mount option description f2fs: fix to avoid UAF in f2fs_sync_inode_meta() f2fs: fix to avoid panic in f2fs_evict_inode f2fs: fix to avoid out-of-boundary access in devs.path f2fs: fix to update upper_p in __get_secs_required() correctly f2fs: fix to calculate dirty data during has_not_enough_free_secs() Charalampos Mitrodimas (1): usb: misc: apple-mfi-fastcharge: Make power supply names unique Charles Han (2): power: supply: cpcap-charger: Fix null check for power_supply_get_by_name power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set Chenyuan Yang (1): fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref Chiara Meiohas (1): net/mlx5: Fix memory leak in cmd_exec() Christoph Paasch (1): net/mlx5: Correctly set gso_segs when LRO is used Dan Carpenter (2): watchdog: ziirave_wdt: check record length in ziirave_firm_verify() fs/orangefs: Allow 2 more characters in do_c_string() Daniel Dadap (1): ALSA: hda: Add missing NVIDIA HDA codec IDs Daniil Dulov (1): wifi: rtl818x: Kill URBs before clearing tx status queue Dave Hansen (1): x86/fpu: Delay instruction pointer fixup until after warning David Lechner (1): iio: adc: ad7949: use spi_is_bpw_supported() Dawid Rezler (1): ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx Denis OSTERLAND-HEIM (1): pps: fix poll support Dennis Chen (1): i40e: report VF tx_dropped with tx_errors instead of tx_discards Dmitry Antipov (1): jfs: reject on-disk inodes of an unsupported type Dmitry Baryshkov (2): interconnect: qcom: sc8280xp: specify num_links for qnm_a1noc_cfg interconnect: qcom: sc8180x: specify num_nodes Dmitry Vyukov (1): selftests: Fix errno checking in syscall_user_dispatch test Douglas Anderson (1): drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe() Eric Dumazet (7): net_sched: act_ctinfo: use atomic64_t for three counters ipv6: prevent infinite loop in rt6_nlmsg_size() ipv6: fix possible infinite loop in fib6_info_uses_dev() ipv6: annotate data-races around rt->fib6_nsiblings pptp: ensure minimal skb length in pptp_xmit() ipv6: reject malicious packets in ipv6_gso_segment() pptp: fix pptp_xmit() error path Eyal Birger (1): xfrm: interface: fix use-after-free after changing collect_md xfrm interface Fabrice Gasnier (1): Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT Fedor Pchelkin (2): drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value netfilter: nf_tables: adjust lockdep assertions handling Finn Thain (1): m68k: Don't unregister boot console needlessly Florian Westphal (1): netfilter: xt_nfacct: don't assume acct name is null-terminated Gao Xiang (5): erofs: get rid of debug_one_dentry() erofs: sunset erofs_dbg() erofs: drop z_erofs_page_mark_eio() erofs: simplify z_erofs_transform_plain() erofs: address D-cache aliasing Geoffrey D. Bennett (1): ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() Giovanni Cabiddu (1): crypto: qat - fix seq_file position update in adf_ring_next() Gokul Sivakumar (1): wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE Greg Kroah-Hartman (2): Revert "vmci: Prevent the dispatching of uninitialized payloads" Linux 6.1.148 Hans Zhang (1): PCI: rockchip-host: Fix "Unexpected Completion" log message Haoxiang Li (1): ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Harry Yoo (1): mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n Henry Martin (1): clk: davinci: Add NULL check in davinci_lpsc_clk_register() Herbert Xu (1): crypto: marvell/cesa - Fix engine load inaccuracy Horatiu Vultur (1): phy: mscc: Fix parsing of unicast frames Ian Abbott (1): comedi: comedi_test: Fix possible deletion of uninitialized timers Ivan Stepchenko (1): mtd: fix possible integer overflow in erase_xfer() Jacek Kowalski (2): e1000e: disregard NVM checksum on tgp when valid checksum bit is not set e1000e: ignore uninitialized checksum word on tgp Jakub Kicinski (1): netpoll: prevent hanging NAPI when netcons gets enabled James Cowgill (1): media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check Jamie Bainbridge (1): i40e: When removing VF MAC filters, only check PF-set MAC Jan Prusakowski (1): f2fs: vm_unmap_ram() may be called from an invalid context Jerome Brunet (1): PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails Jian Shen (2): net: hns3: fix concurrent setting vlan filter issue net: hns3: fixed vf get max channels bug Jiasheng Jiang (1): iwlwifi: Add missing check for alloc_ordered_workqueue Jiaxun Yang (1): MIPS: mm: tlb-r4k: Uniquify TLB entries on init Jiayuan Chen (2): bpf, sockmap: Fix psock incorrectly pointing to sk bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls Jimmy Assarsson (2): can: kvaser_pciefd: Store device channel index can: kvaser_usb: Assign netdev.dev_port based on device channel index Johan Korsnes (1): arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX John Ernberg (1): net: usbnet: Avoid potential RCU stall on LINK_CHANGE event Juergen Gross (1): xen/gntdev: remove struct gntdev_copy_batch from stack Junxian Huang (1): RDMA/hns: Fix -Wframe-larger-than issue Kito Xu (veritas501) (1): net: appletalk: Fix use-after-free in AARP proxy probe Konrad Dybcio (2): arm64: dts: qcom: sdm845: Expand IMEM region arm64: dts: qcom: sc7180: Expand IMEM region Konstantin Komarov (1): Revert "fs/ntfs3: Replace inode_trylock with inode_lock" Krzysztof Kozlowski (1): ARM: dts: vfxxx: Correctly use two tuples for timer address Kuninori Morimoto (1): ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() Leo Yan (1): perf tests bp_account: Fix leaked file descriptor Li Lingfeng (1): scsi: Revert "scsi: iscsi: Fix HW conn removal use after free" Lifeng Zheng (3): PM / devfreq: Check governor before using governor->name cpufreq: Initialize cpufreq-based frequency-invariance later cpufreq: Init policy->rwsem before it may be possibly used Liu Shixin (1): mm: khugepaged: fix call hpage_collapse_scan_file() for anonymous vma Lizhi Xu (1): vmci: Prevent the dispatching of uninitialized payloads Lorenzo Stoakes (1): selftests/perf_events: Add a mmap() correctness test Lucas De Marchi (1): usb: early: xhci-dbc: Fix early_ioremap leak Ma Ke (3): bus: fsl-mc: Fix potential double device reference in fsl_mc_get_endpoint() dpaa2-eth: Fix device reference count leak in MAC endpoint handling dpaa2-switch: Fix device reference count leak in MAC endpoint handling Maciej W. Rozycki (1): powerpc/eeh: Rely on dev->link_active_reporting Manivannan Sadhasivam (1): PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute Maor Gottlieb (1): RDMA/core: Rate limit GID cache warning messages Marc Kleine-Budde (3): can: dev: can_restart(): reverse logic to remove need for goto can: dev: can_restart(): move debug message and stats after successful restart can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Marco Elver (2): kasan: use vmalloc_dump_obj() for vmalloc error reports kcsan: test: Initialize dummy variable Mark Brown (1): kselftest/arm64: Fix check for setting new VLs in sve-ptrace Martin Kaistra (1): wifi: rtl8xxxu: Fix RX skb size for aggregation disabled Masahiro Yamada (1): kconfig: qconf: fix ConfigList::updateListAllforAll() Matthieu Baerts (NGI0) (2): selftests: mptcp: connect: also cover alt modes selftests: mptcp: connect: also cover checksum Mengbiao Xiong (1): crypto: ccp - Fix crash when rebind ccp device for ccp.ko Michael Grzeschik (2): usb: typec: tcpm: allow to use sink in accessory mode usb: typec: tcpm: allow switching to mode accessory to mux properly Michael Zhivich (1): x86/bugs: Fix use of possibly uninit value in amd_check_tsa_microcode() Michal Schmidt (1): benet: fix BUG when creating VFs Mike Christie (1): vhost-scsi: Fix log flooding with target does not exist errors Mohan Kumar D (1): ALSA: hda/tegra: Add Tegra264 support Moon Hee Lee (1): wifi: mac80211: reject TDLS operations when station is not associated Murad Masimov (1): wifi: plfxlc: Fix error handling in usb driver probe Namhyung Kim (2): perf sched: Fix memory leaks for evsel->priv in timehist perf sched: Fix memory leaks in 'perf sched latency' Namjae Jeon (4): ksmbd: fix null pointer dereference error in generate_encryptionkey ksmbd: fix Preauh_HashValue race condition ksmbd: fix corrupted mtime and ctime in smb2_open ksmbd: limit repeated connections from clients with the same IP NeilBrown (1): sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() Nuno Das Neves (1): x86/hyperv: Fix usage of cpu_online_mask to get valid cpu Nuno Sá (1): clk: clk-axi-clkgen: fix fpfd_max frequency for zynq Olga Kornievskaia (1): NFSv4.2: another fix for listxattr Ovidiu Panait (2): crypto: sun8i-ce - fix nents passed to dma_unmap_sg() hwrng: mtk - handle devm_pm_runtime_enable errors Paul Chaignon (1): bpf: Check flow_dissector ctx accesses are aligned Paul Kocialkowski (1): clk: sunxi-ng: v3s: Fix de clock definition Petr Machata (1): net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain Petr Pavlu (1): module: Restore the moduleparam prefix length check Philip Yang (1): drm/amdkfd: Don't call mmput from MMU notifier callback Praveen Kaligineedi (1): gve: Fix stuck TX queue for DQ queue format Quang Le (1): net/packet: fix a race in packet_set_ring() and packet_notifier() RD Babiera (1): usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach Rafael J. Wysocki (1): cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode Remi Pommarel (2): wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() Reapply "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Rohit Visavalia (1): clk: xilinx: vcu: unregister pll_post only if registered correctly Rong Zhang (1): platform/x86: ideapad-laptop: Fix kbd backlight not remembered among boots RubenKelevra (1): fs_context: fix parameter name in infofc() macro Ryan Lee (1): apparmor: ensure WB_HISTORY_SIZE value is a power of 2 Ryusuke Konishi (1): nilfs2: reject invalid file types when reading inodes Salomon Dushimirimana (1): scsi: sd: Make sd shutdown issue START STOP UNIT appropriately Sergey Senozhatsky (1): wifi: ath11k: clear initialized flag for deinit-ed srng lists Seunghui Lee (1): scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume Seungjin Bae (1): usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() Shixiong Ou (1): fbcon: Fix outdated registered_fb reference in comment Sivan Zohar-Kotzer (1): powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() Slark Xiao (1): USB: serial: option: add Foxconn T99W709 Stanislav Fomichev (1): vrf: Drop existing dst reference in vrf_ip6_input_dst Stav Aviram (1): net/mlx5: Check device memory pointer before usage Stefan Metzmacher (5): smb: server: remove separate empty_recvmsg_queue smb: server: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already smb: server: let recv_done() consistently call put_recvmsg/smb_direct_disconnect_rdma_connection smb: server: let recv_done() avoid touching data_transfer after cleanup/move smb: client: let recv_done() cleanup before notifying the callers. Stefan Wahren (1): staging: vchiq_arm: Make vchiq_shutdown never fail Stephane Grosjean (1): can: peak_usb: fix USB FD devices potential malfunction Steven Rostedt (1): selftests/tracing: Fix false failure of subsystem event test Sumit Gupta (1): soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS Takashi Iwai (1): ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() Tao Xue (1): usb: gadget : fix use-after-free in composite_dev_cleanup() Thomas Fourier (12): mwl8k: Add missing check after DMA map crypto: inside-secure - Fix `dma_unmap_sg()` nents value scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value scsi: elx: efct: Fix dma_unmap_sg() nents value scsi: mvsas: Fix dma_unmap_sg() nents value scsi: isci: Fix dma_unmap_sg() nents value crypto: keembay - Fix dma_unmap_sg() nents value crypto: img-hash - Fix dma_unmap_sg() nents value dmaengine: mv_xor: Fix missing check after DMA map and missing unmap dmaengine: nbpfaxi: Add missing check after DMA map mtd: rawnand: atmel: Fix dma_mapping_error() address mtd: rawnand: rockchip: Add missing check after DMA map Thomas Gleixner (3): perf/core: Don't leak AUX buffer refcount on allocation failure perf/core: Exit early on perf_mmap() fail perf/core: Prevent VMA split of buffer mappings Thomas Weißschuh (1): bpf/preload: Don't select USERMODE_DRIVER Thorsten Blum (2): smb: server: Fix extension string in ksmbd_extract_shortname() ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() Tigran Mkrtchyan (1): pNFS/flexfiles: don't attempt pnfs on fatal DS errors Timothy Pearson (5): PCI: pnv_php: Clean up allocated IRQs on unplug PCI: pnv_php: Work around switches with broken presence detection powerpc/eeh: Export eeh_unfreeze_pe() powerpc/eeh: Make EEH driver device hotplug safe PCI: pnv_php: Fix surprise plug detection and recovery Tiwei Bie (1): um: rtc: Avoid shadowing err in uml_rtc_start() Tom Lendacky (1): x86/sev: Evict cache lines during SNP memory validation Tomas Henzl (1): scsi: mpt3sas: Fix a fw_event memory leak Trond Myklebust (2): NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() Umang Jain (3): staging: vc04_services: Drop VCHIQ_SUCCESS usage staging: vc04_services: Drop VCHIQ_ERROR usage staging: vc04_services: Drop VCHIQ_RETRY usage Uros Bizjak (1): ucount: fix atomic_long_inc_below() argument type Ville Syrjälä (1): drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x Viresh Kumar (1): i2c: virtio: Avoid hang by using interruptible completion wait Wang Liang (1): net: drop UFO packets in udp_rcv_segment() William Liu (1): net/sched: Restrict conditions for adding duplicating netems to qdisc tree Xiang Mei (1): net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class Xilin Wu (1): interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node Xiu Jianfeng (1): wifi: iwlwifi: Fix memory leak in iwl_mvm_init() Xiumei Mu (1): selftests: rtnetlink.sh: remove esp4_offload after test Xu Yang (2): usb: chipidea: add USB PHY event usb: phy: mxs: disconnect line when USB charger is attached Yajun Deng (1): i40e: Add rx_missed_errors for buffer exhaustion Yang Xiwen (1): i2c: qup: jump out of the loop in case of timeout Yangtao Li (1): hfsplus: remove mutex_lock check in hfsplus_free_extents Yonglong Liu (1): net: hns3: disable interrupt when ptp init failed Yuan Chen (2): bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure pinctrl: sunxi: Fix memory leak on krealloc failure Zheng Yu (1): jfs: fix metapage reference count leak in dbAllocCtl wangzijie (1): proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al xin.guo (1): tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range

3 weeks, 5 days

1
1
0 0

[REGRESSION] 5.15.181 -> 5.15.189: kernel oops in drr_qlen_notify

by Thomas Jarosch

Hi, I'm seeing a reproducible kernel oops on my home router updating from 5.15.181 to 5.15.189: kernel BUG at lib/list_debug.c:50! invalid opcode: 0000 [#1] SMP NOPTI .. Call Trace: <TASK> drr_qlen_notify+0x11/0x50 [sch_drr] qdisc_tree_reduce_backlog+0x93/0xf0 drr_graft_class+0x109/0x220 [sch_drr] qdisc_graft+0xdd/0x510 ? qdisc_create+0x335/0x510 tc_modify_qdisc+0x53f/0x9d0 rtnetlink_rcv_msg+0x134/0x370 ? __getblk_gfp+0x22/0x230 ? rtnl_calcit.isra.38+0x130/0x130 netlink_rcv_skb+0x4f/0x100 rtnetlink_rcv+0x10/0x20 netlink_unicast+0x1d2/0x2a0 netlink_sendmsg+0x22a/0x480 ? netlink_broadcast+0x20/0x20 ____sys_sendmsg+0x25f/0x280 ? copy_msghdr_from_user+0x5b/0x90 ___sys_sendmsg+0x77/0xc0 ? __sys_recvmsg+0x5a/0xb0 ? do_filp_open+0xc3/0x120 __sys_sendmsg+0x5d/0xb0 __x64_sys_sendmsg+0x1a/0x20 x64_sys_call+0x17f1/0x1c80 do_syscall_64+0x53/0x80 ? exit_to_user_mode_prepare+0x2c/0x140 ? irqentry_exit_to_user_mode+0xe/0x20 ? irqentry_exit+0x1d/0x30 ? exc_page_fault+0x1e7/0x610 ? do_syscall_64+0x5f/0x80 entry_SYSCALL_64_after_hwframe+0x6c/0xd6 .. RIP: 0010:__list_del_entry_valid.cold.1+0xf/0x69 syzbot reported a similar looking thing here: [v5.15] BUG: unable to handle kernel paging request in drr_qlen_notify https://groups.google.com/g/syzkaller-lts-bugs/c/_QJHiMHwfRw/m/2j1nSU1hBgAJ and here: "[syzbot] [net?] general protection fault in drr_qlen_notify" https://www.spinics.net/lists/netdev/msg1105420.html syzboot bisected it to: **************************************** commit e269f29e9395527bc00c213c6b15da04ebb35070 Refs: v5.15.186-114-ge269f29e9395 Author: Lion Ackermann <nnamrec(a)gmail.com> AuthorDate: Mon Jun 30 15:27:30 2025 +0200 Commit: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> CommitDate: Thu Jul 10 15:57:46 2025 +0200 net/sched: Always pass notifications when child class becomes empty [ Upstream commit 103406b38c600fec1fe375a77b27d87e314aea09 ] **************************************** The last line of the commit message mentions: "This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent." It looks like the "idempotent" patches are missing from the 5.15 stable series. Like this one: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/n… I've tried Ubuntu's backport for 5.15: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/jammy/co… It seems to be identical to: https://lore.kernel.org/stable/bcf9c70e9cf750363782816c21c69792f6c81cd9.175… While the kernel didn't oops anymore with the patch applied, the network traffic behaves erratic: TCP traffic works, ICMP seems "stuck". tcpdump showed no icmp traffic on the ppp device. Tomorrow I will try if I can reproduce the issue on a test VM. Anything else I should try? Thanks in advance, Thomas

3 weeks, 5 days

1
1
0 0

[PATCH V4] init: Handle bootloader identifier in kernel parameters

by Huacai Chen

BootLoader (Grub, LILO, etc) may pass an identifier such as "BOOT_IMAGE= /boot/vmlinuz-x.y.z" to kernel parameters. But these identifiers are not recognized by the kernel itself so will be passed to user space. However user space init program also doesn't recognized it. KEXEC/KDUMP (kexec-tools) may also pass an identifier such as "kexec" on some architectures. We cannot change BootLoader's behavior, because this behavior exists for many years, and there are already user space programs search BOOT_IMAGE= in /proc/cmdline to obtain the kernel image locations: https://github.com/linuxdeepin/deepin-ab-recovery/blob/master/util.go (search getBootOptions) https://github.com/linuxdeepin/deepin-ab-recovery/blob/master/main.go (search getKernelReleaseWithBootOption) So the the best way is handle (ignore) it by the kernel itself, which can avoid such boot warnings (if we use something like init=/bin/bash, bootloader identifier can even cause a crash): Kernel command line: BOOT_IMAGE=(hd0,1)/vmlinuz-6.x root=/dev/sda3 ro console=tty Unknown kernel command line parameters "BOOT_IMAGE=(hd0,1)/vmlinuz-6.x", will be passed to user space. Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- V2: Update comments and commit messages. V3: Document bootloader identifiers. V4: Use strstarts() instead of strncmp(). init/main.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/init/main.c b/init/main.c index 0ee0ee7b7c2c..9b5150166bcf 100644 --- a/init/main.c +++ b/init/main.c @@ -544,6 +544,12 @@ static int __init unknown_bootoption(char *param, char *val, const char *unused, void *arg) { size_t len = strlen(param); + /* + * Well-known bootloader identifiers: + * 1. LILO/Grub pass "BOOT_IMAGE=..."; + * 2. kexec/kdump (kexec-tools) pass "kexec". + */ + const char *bootloader[] = { "BOOT_IMAGE=", "kexec", NULL }; /* Handle params aliased to sysctls */ if (sysctl_is_alias(param)) @@ -551,6 +557,12 @@ static int __init unknown_bootoption(char *param, char *val, repair_env_string(param, val); + /* Handle bootloader identifier */ + for (int i = 0; bootloader[i]; i++) { + if (strstarts(param, bootloader[i])) + return 0; + } + /* Handle obsolete-style parameters */ if (obsolete_checksetup(param)) return 0; -- 2.47.3

3 weeks, 5 days

1
0
0 0

[PATCH V3] init: Handle bootloader identifier in kernel parameters

by Huacai Chen

BootLoader (Grub, LILO, etc) may pass an identifier such as "BOOT_IMAGE= /boot/vmlinuz-x.y.z" to kernel parameters. But these identifiers are not recognized by the kernel itself so will be passed to user space. However user space init program also doesn't recognized it. KEXEC/KDUMP (kexec-tools) may also pass an identifier such as "kexec" on some architectures. We cannot change BootLoader's behavior, because this behavior exists for many years, and there are already user space programs search BOOT_IMAGE= in /proc/cmdline to obtain the kernel image locations: https://github.com/linuxdeepin/deepin-ab-recovery/blob/master/util.go (search getBootOptions) https://github.com/linuxdeepin/deepin-ab-recovery/blob/master/main.go (search getKernelReleaseWithBootOption) So the the best way is handle (ignore) it by the kernel itself, which can avoid such boot warnings (if we use something like init=/bin/bash, bootloader identifier can even cause a crash): Kernel command line: BOOT_IMAGE=(hd0,1)/vmlinuz-6.x root=/dev/sda3 ro console=tty Unknown kernel command line parameters "BOOT_IMAGE=(hd0,1)/vmlinuz-6.x", will be passed to user space. Cc: stable(a)vger.kernel.org Signed-off-by: Huacai Chen <chenhuacai(a)loongson.cn> --- V2: Update comments and commit messages. V3: Document bootloader identifiers. init/main.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/init/main.c b/init/main.c index 225a58279acd..b25e7da5347a 100644 --- a/init/main.c +++ b/init/main.c @@ -545,6 +545,12 @@ static int __init unknown_bootoption(char *param, char *val, const char *unused, void *arg) { size_t len = strlen(param); + /* + * Well-known bootloader identifiers: + * 1. LILO/Grub pass "BOOT_IMAGE=..."; + * 2. kexec/kdump (kexec-tools) pass "kexec". + */ + const char *bootloader[] = { "BOOT_IMAGE=", "kexec", NULL }; /* Handle params aliased to sysctls */ if (sysctl_is_alias(param)) @@ -552,6 +558,12 @@ static int __init unknown_bootoption(char *param, char *val, repair_env_string(param, val); + /* Handle bootloader identifier */ + for (int i = 0; bootloader[i]; i++) { + if (!strncmp(param, bootloader[i], strlen(bootloader[i]))) + return 0; + } + /* Handle obsolete-style parameters */ if (obsolete_checksetup(param)) return 0; -- 2.47.3

3 weeks, 5 days

3
3
0 0

[PATCH 6.12 000/369] 6.12.42-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.42 release. There are 369 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 14 Aug 2025 17:27:11 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.42-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.42-rc1 Tao Xue <xuetao09(a)huawei.com> usb: gadget : fix use-after-free in composite_dev_cleanup() Yuhao Jiang <danisjiang(a)gmail.com> USB: gadget: f_hid: Fix memory leak in hidg_bind error path Qasim Ijaz <qasdev00(a)gmail.com> HID: apple: validate feature-report field count to prevent NULL pointer dereference Julien Massot <julien.massot(a)collabora.com> media: ti: j721e-csi2rx: fix list_del corruption Robin Murphy <robin.murphy(a)arm.com> perf/arm-ni: Set initial IRQ affinity Kemeng Shi <shikemeng(a)huaweicloud.com> mm: swap: fix potential buffer overflow in setup_clusters() Kemeng Shi <shikemeng(a)huaweicloud.com> mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: mm: tlb-r4k: Uniquify TLB entries on init Gerald Schaefer <gerald.schaefer(a)linux.ibm.com> s390/mm: Remove possible false-positive warning in pte_free_defer() Dave Hansen <dave.hansen(a)linux.intel.com> x86/fpu: Delay instruction pointer fixup until after warning Michael J. Ruhl <michael.j.ruhl(a)intel.com> platform/x86/intel/pmt: fix a crashlog NULL pointer access Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Fix mute LED for HP Victus 16-d1xxx (MB 8A26) Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Fix mute LED for HP Victus 16-s0xxx Edip Hazuri <edip(a)medip.dev> ALSA: hda/realtek - Fix mute LED for HP Victus 16-r1xxx Geoffrey D. Bennett <g(a)b4.vu> ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx() Thorsten Blum <thorsten.blum(a)linux.dev> ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe() Tom Lendacky <thomas.lendacky(a)amd.com> x86/sev: Evict cache lines during SNP memory validation Ammar Faizi <ammarfaizi2(a)gnuweeb.org> net: usbnet: Fix the wrong netif_carrier_on() call John Ernberg <john.ernberg(a)actia.se> net: usbnet: Avoid potential RCU stall on LINK_CHANGE event Zenm Chen <zenmchen(a)gmail.com> Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano Ilpo Järvinen <ilpo.jarvinen(a)linux.intel.com> PCI/ASPM: Fix L1SS saving Jian-Hong Pan <jhp(a)endlessos.org> PCI/ASPM: Save parent L1SS config in pci_save_aspm_l1ss_state() Slark Xiao <slark_xiao(a)163.com> USB: serial: option: add Foxconn T99W709 Thorsten Blum <thorsten.blum(a)linux.dev> smb: server: Fix extension string in ksmbd_extract_shortname() Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: limit repeated connections from clients with the same IP Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix corrupted mtime and ctime in smb2_open Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix Preauh_HashValue race condition Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: fix null pointer dereference error in generate_encryptionkey Jani Nikula <jani.nikula(a)intel.com> drm/i915/ddi: only call shutdown hooks for valid encoders Jani Nikula <jani.nikula(a)intel.com> drm/i915/display: add intel_encoder_is_hdmi() Jani Nikula <jani.nikula(a)intel.com> drm/i915/ddi: gracefully handle errors from intel_ddi_init_hdmi_connector() Jani Nikula <jani.nikula(a)intel.com> drm/i915/hdmi: add error handling in g4x_hdmi_init() Jani Nikula <jani.nikula(a)intel.com> drm/i915/hdmi: propagate errors from intel_hdmi_init_connector() Jani Nikula <jani.nikula(a)intel.com> drm/i915/ddi: change intel_ddi_init_{dp, hdmi}_connector() return type Alexei Starovoitov <ast(a)kernel.org> selftests/bpf: Fix build error with llvm 19 Alexei Starovoitov <ast(a)kernel.org> selftests/bpf: Add a test for arena range tree algorithm Anton Nadezhdin <anton.nadezhdin(a)intel.com> ice/ptp: fix crosstimestamp reporting Kuan-Wei Chiu <visitorckw(a)gmail.com> Revert "bcache: remove heap-related macros and switch to generic min_heap" Andrzej Kacprowski <Andrzej.Kacprowski(a)intel.com> accel/ivpu: Fix reset_engine debugfs file logic Budimir Markovic <markovicbudimir(a)gmail.com> vsock: Do not allow binding to VMADDR_PORT_ANY Quang Le <quanglex97(a)gmail.com> net/packet: fix a race in packet_set_ring() and packet_notifier() Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> selftests/perf_events: Add a mmap() correctness test Thomas Gleixner <tglx(a)linutronix.de> perf/core: Prevent VMA split of buffer mappings Thomas Gleixner <tglx(a)linutronix.de> perf/core: Exit early on perf_mmap() fail Thomas Gleixner <tglx(a)linutronix.de> perf/core: Don't leak AUX buffer refcount on allocation failure Olga Kornievskaia <okorniev(a)redhat.com> sunrpc: fix handling of server side tls alerts Stefan Metzmacher <metze(a)samba.org> smb: client: return an error if rdma_connect does not return within 5 seconds Eric Dumazet <edumazet(a)google.com> pptp: fix pptp_xmit() error path Mohamed Khalfella <mkhalfella(a)purestorage.com> nvmet: exit debugfs after discovery subsystem exits Stefan Metzmacher <metze(a)samba.org> smb: client: let recv_done() avoid touching data_transfer after cleanup/move Stefan Metzmacher <metze(a)samba.org> smb: client: let recv_done() cleanup before notifying the callers. Stefan Metzmacher <metze(a)samba.org> smb: client: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already Stefan Metzmacher <metze(a)samba.org> smb: client: remove separate empty_packet_queue Stefan Metzmacher <metze(a)samba.org> smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection() Stefan Metzmacher <metze(a)samba.org> smb: server: let recv_done() avoid touching data_transfer after cleanup/move Stefan Metzmacher <metze(a)samba.org> smb: server: let recv_done() consistently call put_recvmsg/smb_direct_disconnect_rdma_connection Stefan Metzmacher <metze(a)samba.org> smb: server: make sure we call ib_dma_unmap_single() only if we called ib_dma_map_single already Stefan Metzmacher <metze(a)samba.org> smb: server: remove separate empty_recvmsg_queue Takashi Iwai <tiwai(a)suse.de> ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out() Arnd Bergmann <arnd(a)arndb.de> irqchip: Build IMX_MU_MSI only on ARM Jakub Kicinski <kuba(a)kernel.org> eth: fbnic: remove the debugging trick of super high page bias Sumanth Korikkar <sumanthk(a)linux.ibm.com> s390/mm: Allocate page table with PAGE_SIZE granularity Maher Azzouzi <maherazz04(a)gmail.com> net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing Michal Schmidt <mschmidt(a)redhat.com> benet: fix BUG when creating VFs Thomas Gleixner <tglx(a)linutronix.de> x86/irq: Plug vector setup race Olga Kornievskaia <okorniev(a)redhat.com> sunrpc: fix client side handling of tls alerts Takamitsu Iwai <takamitz(a)amazon.co.jp> net/sched: taprio: enforce minimum value for picos_per_byte Wang Liang <wangliang74(a)huawei.com> net: drop UFO packets in udp_rcv_segment() Florian Fainelli <florian.fainelli(a)broadcom.com> net: mdio: mdio-bcm-unimac: Correct rate fallback logic Eric Dumazet <edumazet(a)google.com> ipv6: reject malicious packets in ipv6_gso_segment() Christoph Paasch <cpaasch(a)openai.com> net/mlx5: Correctly set gso_segs when LRO is used Simon Trimmer <simont(a)opensource.cirrus.com> spi: cs42l43: Property entry should be a null-terminated array Baojun Xu <baojun.xu(a)ti.com> ASoC: tas2781: Fix the wrong step for TLV on tas2781 Christoph Hellwig <hch(a)lst.de> block: ensure discard_granularity is zero when discard is not supported Guenter Roeck <linux(a)roeck-us.net> block: Fix default IO priority if there is no IO context Jakub Kicinski <kuba(a)kernel.org> netlink: specs: ethtool: fix module EEPROM input/output arguments Harald Freudenberger <freude(a)linux.ibm.com> s390/ap: Unmask SLCF bit in card and queue ap functions sysfs Mohamed Khalfella <mkhalfella(a)purestorage.com> nvmet: initialize discovery subsys after debugfs is initialized Eric Dumazet <edumazet(a)google.com> pptp: ensure minimal skb length in pptp_xmit() Luca Weiss <luca.weiss(a)fairphone.com> net: ipa: add IPA v5.1 and v5.5 to ipa_version_string() Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Fix parsing of unicast frames Jakub Kicinski <kuba(a)kernel.org> netpoll: prevent hanging NAPI when netcons gets enabled Heming Zhao <heming.zhao(a)suse.com> md/md-cluster: handle REMOVE message earlier Benjamin Coddington <bcodding(a)redhat.com> NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY Olga Kornievskaia <okorniev(a)redhat.com> NFSv4.2: another fix for listxattr Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix filehandle bounds checking in nfs_fh_to_dentry() Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate() NeilBrown <neilb(a)suse.de> sched: Add test_and_clear_wake_up_bit() and atomic_dec_and_wake_up() Tigran Mkrtchyan <tigran.mkrtchyan(a)desy.de> pNFS/flexfiles: don't attempt pnfs on fatal DS errors Timothy Pearson <tpearson(a)raptorengineering.com> PCI: pnv_php: Fix surprise plug detection and recovery Timothy Pearson <tpearson(a)raptorengineering.com> powerpc/eeh: Make EEH driver device hotplug safe Timothy Pearson <tpearson(a)raptorengineering.com> powerpc/eeh: Export eeh_unfreeze_pe() Timothy Pearson <tpearson(a)raptorengineering.com> PCI: pnv_php: Work around switches with broken presence detection Timothy Pearson <tpearson(a)raptorengineering.com> PCI: pnv_php: Clean up allocated IRQs on unplug Peter Zijlstra <peterz(a)infradead.org> sched/psi: Fix psi_seq initialization Masahiro Yamada <masahiroy(a)kernel.org> kconfig: qconf: fix ConfigList::updateListAllforAll() Salomon Dushimirimana <salomondush(a)google.com> scsi: sd: Make sd shutdown issue START STOP UNIT appropriately Seunghui Lee <sh043.lee(a)samsung.com> scsi: ufs: core: Use link recovery when h8 exit fails during runtime resume Li Lingfeng <lilingfeng3(a)huawei.com> scsi: Revert "scsi: iscsi: Fix HW conn removal use after free" Tomas Henzl <thenzl(a)redhat.com> scsi: mpt3sas: Fix a fw_event memory leak Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Separate SR-IOV VF dev_set Brett Creeley <brett.creeley(a)amd.com> vfio/pds: Fix missing detach_ioas op Jacob Pan <jacob.pan(a)linux.microsoft.com> vfio: Prevent open_count decrement to negative Jacob Pan <jacob.pan(a)linux.microsoft.com> vfio: Fix unbalanced vfio_df_close call in no-iommu mode Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> i2c: muxes: mule: Fix an error handling path in mule_i2c_mux_probe() Zhengxu Zhang <zhengxu.zhang(a)unisoc.com> exfat: fdatasync flag should be same like generic_write_sync() Chao Yu <chao(a)kernel.org> f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode Chao Yu <chao(a)kernel.org> f2fs: fix to calculate dirty data during has_not_enough_free_secs() Chao Yu <chao(a)kernel.org> f2fs: fix to update upper_p in __get_secs_required() correctly Jan Prusakowski <jprusakowski(a)google.com> f2fs: vm_unmap_ram() may be called from an invalid context Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-boundary access in devs.path Chao Yu <chao(a)kernel.org> f2fs: fix to avoid panic in f2fs_evict_inode Chao Yu <chao(a)kernel.org> f2fs: fix to avoid UAF in f2fs_sync_inode_meta() Chao Yu <chao(a)kernel.org> f2fs: doc: fix wrong quota mount option description Chao Yu <chao(a)kernel.org> f2fs: fix to check upper boundary for gc_no_zoned_gc_percent Chao Yu <chao(a)kernel.org> f2fs: fix to check upper boundary for gc_valid_thresh_ratio yohan.joung <yohan.joung(a)sk.com> f2fs: fix to check upper boundary for value of gc_boost_zoned_gc_percent Abinash Singh <abinashlalotra(a)gmail.com> f2fs: fix KMSAN uninit-value in extent_info usage Sheng Yong <shengyong1(a)xiaomi.com> f2fs: fix bio memleak when committing super block Daeho Jeong <daehojeong(a)google.com> f2fs: turn off one_time when forcibly set to foreground GC Brian Masney <bmasney(a)redhat.com> rtc: rv3028: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: pcf8563: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: pcf85063: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: nct3018y: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: hym8563: fix incorrect maximum clock rate handling Brian Masney <bmasney(a)redhat.com> rtc: ds1307: fix incorrect maximum clock rate handling Uros Bizjak <ubizjak(a)gmail.com> ucount: fix atomic_long_inc_below() argument type Petr Pavlu <petr.pavlu(a)suse.com> module: Restore the moduleparam prefix length check Helge Deller <deller(a)gmx.de> apparmor: Fix unaligned memory accesses in KUnit test Ryan Lee <ryan.lee(a)canonical.com> apparmor: fix loop detection used in conflicting attachment resolution Ryan Lee <ryan.lee(a)canonical.com> apparmor: ensure WB_HISTORY_SIZE value is a power of 2 Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Check netfilter ctx accesses are aligned Paul Chaignon <paul.chaignon(a)gmail.com> bpf: Check flow_dissector ctx accesses are aligned Cindy Lu <lulu(a)redhat.com> vhost: Reintroduce kthread API and add mode selection Anders Roxell <anders.roxell(a)linaro.org> vdpa: Fix IDR memory leak in VDUSE module exit Dragos Tatulea <dtatulea(a)nvidia.com> vdpa/mlx5: Fix release of uninitialized resources on error path Mike Christie <michael.christie(a)oracle.com> vhost-scsi: Fix log flooding with target does not exist errors Dragos Tatulea <dtatulea(a)nvidia.com> vdpa/mlx5: Fix needs_teardown flag calculation Namhyung Kim <namhyung(a)kernel.org> perf record: Cache build-ID of hit DSOs only WangYuli <wangyuli(a)uniontech.com> selftests: ALSA: fix memory leak in utimer test Lukasz Laguna <lukasz.laguna(a)intel.com> drm/xe/vf: Disable CSC support on VF Balamanikandan Gunasundar <balamanikandan.gunasundar(a)microchip.com> mtd: rawnand: atmel: set pmecc data setup time Thomas Fourier <fourier.thomas(a)gmail.com> mtd: rawnand: rockchip: Add missing check after DMA map Thomas Fourier <fourier.thomas(a)gmail.com> mtd: rawnand: atmel: Fix dma_mapping_error() address Zheng Yu <zheng.yu(a)northwestern.edu> jfs: fix metapage reference count leak in dbAllocCtl Chenyuan Yang <chenyuan0y(a)gmail.com> fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - fix seq_file position update in adf_ring_next() Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - fix DMA direction for compression on GEN2 devices Chen Pei <cp0613(a)linux.alibaba.com> perf tools: Remove libtraceevent in .gitignore Ben Hutchings <benh(a)debian.org> sh: Do not use hyphen in exported variable name Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_xcvr: get channel status data when PHY is not exists Thomas Fourier <fourier.thomas(a)gmail.com> dmaengine: nbpfaxi: Add missing check after DMA map Thomas Fourier <fourier.thomas(a)gmail.com> dmaengine: mv_xor: Fix missing check after DMA map and missing unmap Dan Carpenter <dan.carpenter(a)linaro.org> fs/orangefs: Allow 2 more characters in do_c_string() Tanmay Shah <tanmay.shah(a)amd.com> remoteproc: xlnx: Disable unsupported features Laurentiu Palcu <laurentiu.palcu(a)oss.nxp.com> clk: imx95-blk-ctl: Fix synchronous abort Manivannan Sadhasivam <mani(a)kernel.org> PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem attribute Bard Liao <yung-chuan.liao(a)linux.intel.com> soundwire: stream: restore params when prepare ports fail Bairavi Alagappan <bairavix.alagappan(a)intel.com> crypto: qat - disable ZUC-256 capability for QAT GEN5 Thomas Fourier <fourier.thomas(a)gmail.com> crypto: img-hash - Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> crypto: keembay - Fix dma_unmap_sg() nents value Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> hwrng: mtk - handle devm_pm_runtime_enable errors Varshini Rajendran <varshini.rajendran(a)microchip.com> clk: at91: sam9x7: update pll clk ranges Jan Kara <jack(a)suse.cz> ext4: Make sure BH_New bit is cleared in ->write_end handler Dan Carpenter <dan.carpenter(a)linaro.org> watchdog: ziirave_wdt: check record length in ziirave_firm_verify() Thomas Fourier <fourier.thomas(a)gmail.com> scsi: isci: Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> scsi: mvsas: Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> scsi: elx: efct: Fix dma_unmap_sg() nents value Thomas Fourier <fourier.thomas(a)gmail.com> scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value Paul Kocialkowski <paulk(a)sys-base.io> clk: sunxi-ng: v3s: Fix de clock definition Yao Zi <ziyao(a)disroot.org> clk: thead: th1520-ap: Correctly refer the parent of osc_12m Shiraz Saleem <shirazsaleem(a)microsoft.com> RDMA/mana_ib: Fix DSCP value in modify QP Leo Yan <leo.yan(a)arm.com> perf tests bp_account: Fix leaked file descriptor Mukesh Ojha <mukesh.ojha(a)oss.qualcomm.com> pinmux: fix race causing mux_owner NULL with active mux_usecount wangzijie <wangzijie1(a)honor.com> proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Arnd Bergmann <arnd(a)arndb.de> kernel: trace: preemptirq_delay_test: use offstack cpu mask Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix -Wframe-larger-than issue Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Drop GFP_NOWARN Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix accessing uninitialized resources Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Get message length of ack_req from FW Mengbiao Xiong <xisme1998(a)gmail.com> crypto: ccp - Fix crash when rebind ccp device for ccp.ko Thomas Fourier <fourier.thomas(a)gmail.com> crypto: inside-secure - Fix `dma_unmap_sg()` nents value Alexey Kardashevskiy <aik(a)amd.com> crypto: ccp - Fix locking on alloc failure handling wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix HW configurations not cleared in error flow wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix double destruction of rsv_qp Namhyung Kim <namhyung(a)kernel.org> perf sched: Fix memory leaks in 'perf sched latency' Namhyung Kim <namhyung(a)kernel.org> perf sched: Use RC_CHK_EQUAL() to compare pointers Namhyung Kim <namhyung(a)kernel.org> perf sched: Fix memory leaks for evsel->priv in timehist Namhyung Kim <namhyung(a)kernel.org> perf sched: Fix memory leaks in 'perf sched map' Namhyung Kim <namhyung(a)kernel.org> perf sched: Free thread->priv using priv_destructor Namhyung Kim <namhyung(a)kernel.org> perf sched: Make sure it frees the usage string Takahiro Kuwano <Takahiro.Kuwano(a)infineon.com> mtd: spi-nor: spansion: Fixup params->set_4byte_addr_mode for SEMPER Ian Rogers <irogers(a)google.com> perf dso: Add missed dso__put to dso__load_kcore Namhyung Kim <namhyung(a)kernel.org> perf tools: Fix use-after-free in help_unknown_cmd() Thomas Fourier <fourier.thomas(a)gmail.com> Fix dma_unmap_sg() nents value Nuno Sá <nuno.sa(a)analog.com> clk: clk-axi-clkgen: fix fpfd_max frequency for zynq Amir Goldstein <amir73il(a)gmail.com> fanotify: sanitize handle_type values when reporting fid Luca Weiss <luca.weiss(a)fairphone.com> phy: qualcomm: phy-qcom-eusb2-repeater: Don't zero-out registers Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dmaengine: mmp: Fix again Wvoid-pointer-to-enum-cast warning Yuan Chen <chenyuan(a)kylinos.cn> pinctrl: berlin: fix memory leak in berlin_pinctrl_build_state() Yuan Chen <chenyuan(a)kylinos.cn> pinctrl: sunxi: Fix memory leak on krealloc failure Jerome Brunet <jbrunet(a)baylibre.com> PCI: endpoint: pci-epf-vntb: Return -ENOENT if pci_epc_get_next_free_bar() fails Arnd Bergmann <arnd(a)arndb.de> crypto: arm/aes-neonbs - work around gcc-15 warning Charles Han <hanchunchao(a)inspur.com> power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set Charles Han <hanchunchao(a)inspur.com> power: supply: cpcap-charger: Fix null check for power_supply_get_by_name Rohit Visavalia <rohit.visavalia(a)amd.com> clk: xilinx: vcu: unregister pll_post only if registered correctly James Cowgill <james.cowgill(a)blaize.com> media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check Henry Martin <bsdhenrymartin(a)gmail.com> clk: davinci: Add NULL check in davinci_lpsc_clk_register() Ivan Stepchenko <sid(a)itb.spb.ru> mtd: fix possible integer overflow in erase_xfer() Svyatoslav Pankratov <svyatoslav.pankratov(a)intel.com> crypto: qat - fix state restore for banks with exceptions Ahsan Atta <ahsan.atta(a)intel.com> crypto: qat - allow enabling VFs in the absence of IOMMU Herbert Xu <herbert(a)gondor.apana.org.au> crypto: marvell/cesa - Fix engine load inaccuracy Suman Kumar Chakraborty <suman.kumar.chakraborty(a)intel.com> crypto: qat - use unmanaged allocation for dc_data Ovidiu Panait <ovidiu.panait.oss(a)gmail.com> crypto: sun8i-ce - fix nents passed to dma_unmap_sg() Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> clk: renesas: rzv2h: Fix missing CLK_SET_RATE_PARENT flag for ddiv clocks Hans Zhang <18255117159(a)163.com> PCI: rockchip-host: Fix "Unexpected Completion" log message Kees Cook <kees(a)kernel.org> fortify: Fix incorrect reporting of read buffer size Kees Cook <kees(a)kernel.org> staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() Puranjay Mohan <puranjay(a)kernel.org> bpf, arm64: Fix fp initialization for exception boundary Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> bpf/preload: Don't select USERMODE_DRIVER Eric Dumazet <edumazet(a)google.com> ipv6: annotate data-races around rt->fib6_nsiblings Eric Dumazet <edumazet(a)google.com> ipv6: fix possible infinite loop in fib6_info_uses_dev() Eric Dumazet <edumazet(a)google.com> ipv6: prevent infinite loop in rt6_nlmsg_size() Stanislav Fomichev <sdf(a)fomichev.me> vrf: Drop existing dst reference in vrf_ip6_input_dst Xiumei Mu <xmu(a)redhat.com> selftests: rtnetlink.sh: remove esp4_offload after test Jason Xing <kernelxing(a)tencent.com> stmmac: xsk: fix negative overflow of budget in zerocopy mode Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: Fix wrong rx drop MIB counter for KSZ8863 Jianbo Liu <jianbol(a)nvidia.com> net/mlx5e: Remove skb secpath if xfrm state is not found Alexei Lazar <alazar(a)nvidia.com> net/mlx5e: Clear Read-Only port buffer size in PBMC before update Florian Westphal <fw(a)strlen.de> netfilter: xt_nfacct: don't assume acct name is null-terminated Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: Assign netdev.dev_port based on device channel index Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_pciefd: Store device channel index Stephane Grosjean <stephane.grosjean(a)hms-networks.com> can: peak_usb: fix USB FD devices potential malfunction Gal Pressman <gal(a)nvidia.com> selftests: drv-net: Fix remote command checking in require_cmd() Gabriele Monaco <gmonaco(a)redhat.com> tools/rv: Do not skip idle in trace Kuniyuki Iwashima <kuniyu(a)google.com> bpf: Disable migration in nf_hook_run_bpf(). Chris Down <chris(a)chrisdown.name> Bluetooth: hci_event: Mask data status from LE ext adv reports Arseniy Krasnov <avkrasnov(a)salutedevices.com> Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' Matthew Wilcox (Oracle) <willy(a)infradead.org> memcg_slabinfo: Fix use of PG_slab Marco Elver <elver(a)google.com> kcsan: test: Initialize dummy variable Steven Rostedt <rostedt(a)goodmis.org> ring-buffer: Remove ring_buffer_read_prepare_sync() Kees Cook <kees(a)kernel.org> wifi: nl80211: Set num_sub_specs before looping through sub_specs Kees Cook <kees(a)kernel.org> wifi: mac80211: Write cnt before copying in ieee80211_copy_rnr_beacon() Gokul Sivakumar <gokulkumar.sivakumar(a)infineon.com> wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P IE Tamizh Chelvam Raja <tamizh.raja(a)oss.qualcomm.com> wifi: ath12k: fix endianness handling while accessing wmi service bit Remi Pommarel <repk(a)triplefau.lt> Reapply "wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()" Remi Pommarel <repk(a)triplefau.lt> wifi: mac80211: Check 802.11 encaps offloading in ieee80211_tx_h_select_key() Alexander Wetzel <Alexander(a)wetzel-home.de> wifi: mac80211: Don't call fq_flow_idx() for management frames Alexander Wetzel <Alexander(a)wetzel-home.de> wifi: mac80211: Do not schedule stopped TXQs Murad Masimov <m.masimov(a)mt-integration.ru> wifi: plfxlc: Fix error handling in usb driver probe Moon Hee Lee <moonhee.lee.ca(a)gmail.com> wifi: mac80211: reject TDLS operations when station is not associated Tze-nan Wu <Tze-nan.Wu(a)mediatek.com> rcu: Fix delayed execution of hurry callbacks Jason Gunthorpe <jgg(a)ziepe.ca> iommu/amd: Fix geometry.aperture_end for V2 tables Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx10: fix kiq locking in KCQ reset Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9.4.3: fix kiq locking in KCQ reset Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/gfx9: fix kiq locking in KCQ reset Baochen Qiang <quic_bqiang(a)quicinc.com> wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() Thomas Fourier <fourier.thomas(a)gmail.com> mwl8k: Add missing check after DMA map Bitterblue Smith <rtl8821cerfe2(a)gmail.com> wifi: rtw88: Fix macid assigned to TDLS station Martin Kaistra <martin.kaistra(a)linutronix.de> wifi: rtl8xxxu: Fix RX skb size for aggregation disabled Eric Dumazet <edumazet(a)google.com> tcp: call tcp_measure_rcv_mss() for ooo packets Juergen Gross <jgross(a)suse.com> xen/gntdev: remove struct gntdev_copy_batch from stack Al Viro <viro(a)zeniv.linux.org.uk> xen: fix UAF in dmabuf_exp_from_pages() Edward Srouji <edwards(a)nvidia.com> RDMA/mlx5: Fix UMR modifying of mkey page size Eric Dumazet <edumazet(a)google.com> net_sched: act_ctinfo: use atomic64_t for three counters William Liu <will(a)willsroot.io> net/sched: Restrict conditions for adding duplicating netems to qdisc tree Easwar Hariharan <eahariha(a)linux.microsoft.com> iommu/amd: Enable PASID and ATS capabilities in the correct order Tiwei Bie <tiwei.btw(a)antgroup.com> um: rtc: Avoid shadowing err in uml_rtc_start() Johan Korsnes <johan.korsnes(a)gmail.com> arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX Fedor Pchelkin <pchelkin(a)ispras.ru> netfilter: nf_tables: adjust lockdep assertions handling Phil Sutter <phil(a)nwl.cc> netfilter: nf_tables: Drop dead code from fill_*_info routines Shixiong Ou <oushixiong(a)kylinos.cn> fbcon: Fix outdated registered_fb reference in comment Peter Zijlstra <peterz(a)infradead.org> sched/psi: Optimize psi_group_change() cpu_clock() usage Fedor Pchelkin <pchelkin(a)ispras.ru> drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value Artem Sadovnikov <a.sadovnikov(a)ispras.ru> refscale: Check that nreaders and loops multiplication doesn't overflow Finn Thain <fthain(a)linux-m68k.org> m68k: Don't unregister boot console needlessly Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> drm/msm/dpu: Fill in min_prefill_lines for SC8180X Kumar Kartikeya Dwivedi <memxor(a)gmail.com> bpf: Ensure RCU lock is held around bpf_prog_ksym_find Mark Brown <broonie(a)kernel.org> kselftest/arm64: Fix check for setting new VLs in sve-ptrace Eric Dumazet <edumazet(a)google.com> net: dst: annotate data-races around dst->output Eric Dumazet <edumazet(a)google.com> net: dst: annotate data-races around dst->input Stav Aviram <saviram(a)nvidia.com> net/mlx5: Check device memory pointer before usage xin.guo <guoxin0309(a)gmail.com> tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range Sergey Senozhatsky <senozhatsky(a)chromium.org> wifi: ath11k: clear initialized flag for deinit-ed srng lists Jiasheng Jiang <jiasheng(a)iscas.ac.cn> iwlwifi: Add missing check for alloc_ordered_workqueue Xiu Jianfeng <xiujianfeng(a)huawei.com> wifi: iwlwifi: Fix memory leak in iwl_mvm_init() Daniil Dulov <d.dulov(a)aladdin.ru> wifi: rtl818x: Kill URBs before clearing tx status queue Zong-Zhe Yang <kevin_yang(a)realtek.com> wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band Arnd Bergmann <arnd(a)arndb.de> caif: reduce stack size, again Haren Myneni <haren(a)linux.ibm.com> powerpc/pseries/dlpar: Search DRC index from ibm,drc-indexes for IO add Yuan Chen <chenyuan(a)kylinos.cn> bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Remove nbiov7.9 replay count reporting Ian Forbes <ian.forbes(a)broadcom.com> drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel Petr Machata <petrm(a)nvidia.com> net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain Mykyta Yatsenko <yatsenko(a)meta.com> selftests/bpf: Fix unintentional switch case fall through Fushuai Wang <wangfushuai(a)baidu.com> selftests/bpf: fix signedness bug in redir_partial() Jiayuan Chen <jiayuan.chen(a)linux.dev> bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls Jiayuan Chen <jiayuan.chen(a)linux.dev> bpf, sockmap: Fix psock incorrectly pointing to sk Boris Brezillon <boris.brezillon(a)collabora.com> drm/panthor: Add missing explicit padding in drm_panthor_gpu_info Adrián Larumbe <adrian.larumbe(a)collabora.com> drm/panfrost: Fix panfrost device variable name in devfreq Andy Yan <andy.yan(a)rock-chips.com> drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed Steven Rostedt <rostedt(a)goodmis.org> selftests/tracing: Fix false failure of subsystem event test Alok Tiwari <alok.a.tiwari(a)oracle.com> staging: nvec: Fix incorrect null termination of battery manufacturer Slark Xiao <slark_xiao(a)163.com> bus: mhi: host: pci_generic: Fix the modem name of Foxconn T99W640 Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> interconnect: qcom: sc8180x: specify num_nodes Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> interconnect: qcom: sc8280xp: specify num_links for qnm_a1noc_cfg Johan Hovold <johan(a)kernel.org> soc: qcom: pmic_glink: fix OF node leak Brahmajit Das <listout(a)listout.xyz> samples: mei: Fix building on musl libc Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> staging: greybus: gbphy: fix up const issue with the match callback Lifeng Zheng <zhenglifeng1(a)huawei.com> cpufreq: Init policy->rwsem before it may be possibly used Lifeng Zheng <zhenglifeng1(a)huawei.com> cpufreq: Initialize cpufreq-based frequency-invariance later Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode Chanwoo Choi <cw00.choi(a)samsung.com> PM / devfreq: Fix a index typo in trans_stat Lifeng Zheng <zhenglifeng1(a)huawei.com> PM / devfreq: Check governor before using governor->name Adam Ford <aford173(a)gmail.com> arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed Adam Ford <aford173(a)gmail.com> arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed Annette Kobou <annette.kobou(a)kontron.de> ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface Moon Hee Lee <moonhee.lee.ca(a)gmail.com> selftests: breakpoints: use suspend_stats to reliably check suspend success Patrick Delaunay <patrick.delaunay(a)foss.st.com> arm64: dts: st: fix timer used for ticks Sumit Gupta <sumitg(a)nvidia.com> soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS Albin Törnqvist <albin.tornqvist(a)codiax.se> arm: dts: ti: omap: Fixup pinheader typo Lucas De Marchi <lucas.demarchi(a)intel.com> usb: early: xhci-dbc: Fix early_ioremap leak Sivan Zohar-Kotzer <sivany32(a)gmail.com> powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "vmci: Prevent the dispatching of uninitialized payloads" Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> selftests: vDSO: chacha: Correctly skip test if necessary Denis OSTERLAND-HEIM <denis.osterland(a)diehl.com> pps: fix poll support Lizhi Xu <lizhi.xu(a)windriver.com> vmci: Prevent the dispatching of uninitialized payloads Abdun Nihaal <abdun.nihaal(a)gmail.com> staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() Clément Le Goffic <clement.legoffic(a)foss.st.com> spi: stm32: Check for cfg availability in stm32_spi_probe Hans de Goede <hansg(a)kernel.org> mei: vsc: Unset the event callback on remove and probe errors Hans de Goede <hansg(a)kernel.org> mei: vsc: Event notifier fixes Hans de Goede <hansg(a)kernel.org> mei: vsc: Destroy mutex after freeing the IRQ Dmitry Baryshkov <dmitry.baryshkov(a)oss.qualcomm.com> usb: typec: ucsi: yoga-c630: fix error and remove paths Sibi Sankar <quic_sibis(a)quicinc.com> firmware: arm_scmi: Fix up turbo frequencies selection Arnd Bergmann <arnd(a)arndb.de> cpufreq: armada-8k: make both cpu masks static Michael Walle <mwalle(a)kernel.org> arm64: dts: ti: k3-am62p-j722s: fix pinctrl-single size Wadim Egorov <w.egorov(a)phytec.de> arm64: dts: ti: k3-am642-phyboard-electra: Fix PRU-ICSSG Ethernet ports Charalampos Mitrodimas <charmitro(a)posteo.net> usb: misc: apple-mfi-fastcharge: Make power supply names unique Seungjin Bae <eeodqql09(a)gmail.com> usb: host: xhci-plat: fix incorrect type for of_match variable in xhci_plat_probe() Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> ARM: dts: vfxxx: Correctly use two tuples for timer address André Apitzsch <git(a)apitzsch.eu> arm64: dts: qcom: msm8976: Make blsp_dma controlled-remotely Lijuan Gao <lijuan.gao(a)oss.qualcomm.com> arm64: dts: qcom: sa8775p: Correct the interrupt for remoteproc Will Deacon <willdeacon(a)google.com> arm64: dts: exynos: gs101: Add 'local-timer-stop' to cpuidle nodes Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: sc7180: Expand IMEM region Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> arm64: dts: qcom: sdm845: Expand IMEM region Alexander Wilhelm <alexander.wilhelm(a)westermo.com> soc: qcom: QMI encoding/decoding for big endian Dmitry Vyukov <dvyukov(a)google.com> selftests: Fix errno checking in syscall_user_dispatch test Alexander Stein <alexander.stein(a)ew.tq-group.com> arm64: dts: freescale: imx93-tqma9352: Limit BUCK2 to 600mV Chen-Yu Tsai <wenst(a)chromium.org> ASoC: mediatek: use reserved memory or enable buffer pre-allocation Arnd Bergmann <arnd(a)arndb.de> ASoC: ops: dynamically allocate struct snd_ctl_elem_value Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask() Randy Dunlap <rdunlap(a)infradead.org> io_uring: fix breakage in EXPERT menu Andreas Gruenbacher <agruenba(a)redhat.com> gfs2: No more self recovery Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Revert "fs/ntfs3: Replace inode_trylock with inode_lock" Yangtao Li <frank.li(a)vivo.com> hfsplus: remove mutex_lock check in hfsplus_free_extents Yangtao Li <frank.li(a)vivo.com> hfs: make splice write available again Yangtao Li <frank.li(a)vivo.com> hfsplus: make splice write available again Caleb Sander Mateos <csander(a)purestorage.com> ublk: use vmalloc for ublk_device's __queues Edward Adam Davis <eadavis(a)qq.com> fs/ntfs3: cancle set bad inode after removing name fails RubenKelevra <rubenkelevra(a)gmail.com> fs_context: fix parameter name in infofc() macro Al Viro <viro(a)zeniv.linux.org.uk> parse_longname(): strrchr() expects NUL-terminated string Richard Guy Briggs <rgb(a)redhat.com> audit,module: restore audit logging in load failure case Alexandru Andries <alex.andries.aa(a)gmail.com> ASoC: amd: yc: add DMI quirk for ASUS M6501RM Arnd Bergmann <arnd(a)arndb.de> ASoC: Intel: fix SND_SOC_SOF dependencies Richard Fitzgerald <rf(a)opensource.cirrus.com> ALSA: hda/cs35l56: Workaround bad dev-index on Lenovo Yoga Book 9i GenX Adam Queler <queler(a)gmail.com> ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx Arnd Bergmann <arnd(a)arndb.de> ethernet: intel: fix building with large NR_CPUS Lane Odenbach <laodenbach(a)gmail.com> ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx ------------- Diffstat: Documentation/filesystems/f2fs.rst | 6 +- Documentation/netlink/specs/ethtool.yaml | 6 +- Makefile | 4 +- .../boot/dts/nxp/imx/imx6ul-kontron-bl-common.dtsi | 1 - arch/arm/boot/dts/nxp/vf/vfxxx.dtsi | 2 +- arch/arm/boot/dts/ti/omap/am335x-boneblack.dts | 2 +- arch/arm/crypto/aes-neonbs-glue.c | 2 +- arch/arm64/boot/dts/exynos/google/gs101.dtsi | 3 + .../boot/dts/freescale/imx8mm-beacon-som.dtsi | 2 + .../boot/dts/freescale/imx8mn-beacon-som.dtsi | 2 + arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi | 6 +- arch/arm64/boot/dts/qcom/msm8976.dtsi | 2 + arch/arm64/boot/dts/qcom/sa8775p.dtsi | 10 +- arch/arm64/boot/dts/qcom/sc7180.dtsi | 10 +- arch/arm64/boot/dts/qcom/sdm845.dtsi | 10 +- arch/arm64/boot/dts/st/stm32mp251.dtsi | 2 +- .../boot/dts/ti/k3-am62p-j722s-common-main.dtsi | 2 +- .../boot/dts/ti/k3-am642-phyboard-electra-rdk.dts | 2 + arch/arm64/net/bpf_jit_comp.c | 1 + arch/m68k/Kconfig.debug | 2 +- arch/m68k/kernel/early_printk.c | 42 +-- arch/m68k/kernel/head.S | 8 +- arch/mips/mm/tlb-r4k.c | 56 +++- arch/powerpc/configs/ppc6xx_defconfig | 1 - arch/powerpc/kernel/eeh.c | 1 + arch/powerpc/kernel/eeh_driver.c | 48 ++-- arch/powerpc/kernel/eeh_pe.c | 10 +- arch/powerpc/kernel/pci-hotplug.c | 3 + arch/powerpc/platforms/pseries/dlpar.c | 52 +++- arch/s390/include/asm/ap.h | 2 +- arch/s390/mm/pgalloc.c | 5 - arch/s390/mm/vmem.c | 5 +- arch/sh/Makefile | 10 +- arch/sh/boot/compressed/Makefile | 4 +- arch/sh/boot/romimage/Makefile | 4 +- arch/um/drivers/rtc_user.c | 2 +- arch/x86/boot/cpuflags.c | 13 + arch/x86/coco/sev/shared.c | 46 ++++ arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/hw_irq.h | 12 +- arch/x86/kernel/cpu/scattered.c | 1 + arch/x86/kernel/irq.c | 63 +++-- arch/x86/mm/extable.c | 5 +- block/blk-settings.c | 13 +- drivers/accel/ivpu/ivpu_debugfs.c | 42 +-- drivers/block/ublk_drv.c | 4 +- drivers/bluetooth/btusb.c | 4 + drivers/bus/mhi/host/pci_generic.c | 8 +- drivers/char/hw_random/mtk-rng.c | 4 +- drivers/clk/at91/sam9x7.c | 20 +- drivers/clk/clk-axi-clkgen.c | 2 +- drivers/clk/davinci/psc.c | 5 + drivers/clk/imx/clk-imx95-blk-ctl.c | 13 +- drivers/clk/renesas/rzv2h-cpg.c | 1 + drivers/clk/sunxi-ng/ccu-sun8i-v3s.c | 3 +- drivers/clk/thead/clk-th1520-ap.c | 9 +- drivers/clk/xilinx/xlnx_vcu.c | 4 +- drivers/cpufreq/armada-8k-cpufreq.c | 3 +- drivers/cpufreq/cpufreq.c | 21 +- drivers/cpufreq/intel_pstate.c | 4 +- .../crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 4 +- drivers/crypto/ccp/ccp-debugfs.c | 3 + drivers/crypto/ccp/sev-dev.c | 8 +- drivers/crypto/img-hash.c | 2 +- drivers/crypto/inside-secure/safexcel_hash.c | 8 +- .../crypto/intel/keembay/keembay-ocs-hcu-core.c | 8 +- .../crypto/intel/qat/qat_420xx/adf_420xx_hw_data.c | 9 +- .../crypto/intel/qat/qat_common/adf_gen4_hw_data.c | 29 +- drivers/crypto/intel/qat/qat_common/adf_sriov.c | 1 - .../intel/qat/qat_common/adf_transport_debug.c | 4 +- drivers/crypto/intel/qat/qat_common/qat_bl.c | 6 +- .../crypto/intel/qat/qat_common/qat_compression.c | 8 +- drivers/crypto/marvell/cesa/cipher.c | 4 +- drivers/crypto/marvell/cesa/hash.c | 5 +- drivers/devfreq/devfreq.c | 12 +- drivers/dma/mmp_tdma.c | 2 +- drivers/dma/mv_xor.c | 21 +- drivers/dma/nbpfaxi.c | 13 + drivers/firmware/arm_scmi/perf.c | 2 +- drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 6 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c | 3 +- drivers/gpu/drm/amd/amdgpu/nbio_v7_9.c | 20 -- .../gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.c | 2 +- drivers/gpu/drm/i915/display/g4x_hdmi.c | 35 ++- drivers/gpu/drm/i915/display/g4x_hdmi.h | 5 +- drivers/gpu/drm/i915/display/intel_ddi.c | 37 ++- drivers/gpu/drm/i915/display/intel_display_types.h | 13 + drivers/gpu/drm/i915/display/intel_hdmi.c | 10 +- drivers/gpu/drm/i915/display/intel_hdmi.h | 2 +- .../drm/msm/disp/dpu1/catalog/dpu_5_1_sc8180x.h | 1 + drivers/gpu/drm/panfrost/panfrost_devfreq.c | 4 +- drivers/gpu/drm/rockchip/rockchip_drm_fb.c | 9 +- drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 2 +- drivers/gpu/drm/xe/xe_device.c | 1 + drivers/hid/hid-apple.c | 3 +- drivers/i2c/muxes/i2c-mux-mule.c | 3 +- drivers/infiniband/hw/erdma/erdma_verbs.c | 3 +- drivers/infiniband/hw/hns/hns_roce_device.h | 1 + drivers/infiniband/hw/hns/hns_roce_hem.c | 18 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 87 ++++-- drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 8 +- drivers/infiniband/hw/hns/hns_roce_main.c | 22 +- drivers/infiniband/hw/mana/qp.c | 2 +- drivers/infiniband/hw/mlx5/dm.c | 2 +- drivers/infiniband/hw/mlx5/umr.c | 6 +- drivers/interconnect/qcom/sc8180x.c | 6 + drivers/interconnect/qcom/sc8280xp.c | 1 + drivers/iommu/amd/iommu.c | 19 +- drivers/irqchip/Kconfig | 1 + drivers/md/bcache/alloc.c | 64 ++--- drivers/md/bcache/bcache.h | 2 +- drivers/md/bcache/bset.c | 124 ++++----- drivers/md/bcache/bset.h | 40 +-- drivers/md/bcache/btree.c | 69 ++--- drivers/md/bcache/extents.c | 51 ++-- drivers/md/bcache/movinggc.c | 41 +-- drivers/md/bcache/super.c | 3 +- drivers/md/bcache/sysfs.c | 4 +- drivers/md/bcache/util.h | 67 ++++- drivers/md/bcache/writeback.c | 13 +- drivers/md/md.c | 9 +- .../media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 1 + drivers/media/v4l2-core/v4l2-ctrls-core.c | 8 +- drivers/misc/mei/platform-vsc.c | 5 + drivers/misc/mei/vsc-tp.c | 20 +- drivers/mtd/ftl.c | 2 +- drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +- drivers/mtd/nand/raw/atmel/pmecc.c | 6 + drivers/mtd/nand/raw/rockchip-nand-controller.c | 15 ++ drivers/mtd/spi-nor/spansion.c | 31 +++ drivers/net/can/kvaser_pciefd.c | 1 + drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 + drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 17 +- drivers/net/dsa/microchip/ksz8.c | 3 + drivers/net/dsa/microchip/ksz8_reg.h | 4 +- drivers/net/ethernet/emulex/benet/be_cmds.c | 2 +- drivers/net/ethernet/intel/fm10k/fm10k.h | 3 +- drivers/net/ethernet/intel/i40e/i40e.h | 2 +- drivers/net/ethernet/intel/ice/ice_ptp.c | 1 + drivers/net/ethernet/intel/ixgbe/ixgbe.h | 3 +- .../ethernet/mellanox/mlx5/core/en/port_buffer.c | 3 + .../mellanox/mlx5/core/en_accel/ipsec_rxtx.c | 4 + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 - drivers/net/ethernet/meta/fbnic/fbnic_txrx.c | 4 +- drivers/net/ethernet/meta/fbnic/fbnic_txrx.h | 6 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- drivers/net/ipa/ipa_sysfs.c | 6 +- drivers/net/mdio/mdio-bcm-unimac.c | 5 +- drivers/net/phy/mscc/mscc_ptp.c | 1 + drivers/net/phy/mscc/mscc_ptp.h | 1 + drivers/net/ppp/pptp.c | 18 +- drivers/net/usb/usbnet.c | 11 +- drivers/net/vrf.c | 2 + drivers/net/wireless/ath/ath11k/hal.c | 4 + drivers/net/wireless/ath/ath11k/mac.c | 12 +- drivers/net/wireless/ath/ath12k/wmi.c | 12 +- .../broadcom/brcm80211/brcmfmac/cfg80211.c | 8 +- drivers/net/wireless/intel/iwlwifi/dvm/main.c | 11 +- drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 4 +- drivers/net/wireless/marvell/mwl8k.c | 4 + drivers/net/wireless/purelifi/plfxlc/mac.c | 11 +- drivers/net/wireless/purelifi/plfxlc/mac.h | 2 +- drivers/net/wireless/purelifi/plfxlc/usb.c | 29 +- drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 +- drivers/net/wireless/realtek/rtl8xxxu/core.c | 2 +- drivers/net/wireless/realtek/rtw88/main.c | 4 +- drivers/net/wireless/realtek/rtw89/core.c | 5 + drivers/nvme/target/core.c | 18 +- drivers/pci/controller/pcie-rockchip-host.c | 2 +- drivers/pci/endpoint/functions/pci-epf-vntb.c | 4 +- drivers/pci/hotplug/pnv_php.c | 235 ++++++++++++++-- drivers/pci/pcie/aspm.c | 32 ++- drivers/perf/arm-ni.c | 2 + drivers/phy/qualcomm/phy-qcom-eusb2-repeater.c | 83 +++--- drivers/pinctrl/berlin/berlin.c | 8 +- drivers/pinctrl/pinmux.c | 20 +- drivers/pinctrl/sunxi/pinctrl-sunxi.c | 11 +- drivers/platform/x86/intel/pmt/class.c | 3 +- drivers/platform/x86/intel/pmt/class.h | 1 + drivers/power/supply/cpcap-charger.c | 5 +- drivers/power/supply/max14577_charger.c | 4 +- drivers/powercap/dtpm_cpu.c | 2 + drivers/pps/pps.c | 11 +- drivers/remoteproc/xlnx_r5_remoteproc.c | 2 + drivers/rtc/rtc-ds1307.c | 2 +- drivers/rtc/rtc-hym8563.c | 2 +- drivers/rtc/rtc-nct3018y.c | 2 +- drivers/rtc/rtc-pcf85063.c | 2 +- drivers/rtc/rtc-pcf8563.c | 2 +- drivers/rtc/rtc-rv3028.c | 2 +- drivers/s390/crypto/ap_bus.h | 2 +- drivers/scsi/elx/efct/efct_lio.c | 2 +- drivers/scsi/ibmvscsi_tgt/libsrp.c | 6 +- drivers/scsi/isci/request.c | 2 +- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 3 +- drivers/scsi/mvsas/mv_sas.c | 4 +- drivers/scsi/scsi_transport_iscsi.c | 2 + drivers/scsi/sd.c | 4 +- drivers/soc/qcom/pmic_glink.c | 9 +- drivers/soc/qcom/qmi_encdec.c | 46 +++- drivers/soc/tegra/cbb/tegra234-cbb.c | 2 + drivers/soundwire/stream.c | 2 +- drivers/spi/spi-cs42l43.c | 2 +- drivers/spi/spi-stm32.c | 8 +- drivers/staging/fbtft/fbtft-core.c | 1 + drivers/staging/greybus/gbphy.c | 6 +- .../media/atomisp/pci/atomisp_gmin_platform.c | 9 +- drivers/staging/nvec/nvec_power.c | 2 +- drivers/ufs/core/ufshcd.c | 10 +- drivers/usb/early/xhci-dbc.c | 4 + drivers/usb/gadget/composite.c | 5 + drivers/usb/gadget/function/f_hid.c | 7 +- drivers/usb/host/xhci-plat.c | 2 +- drivers/usb/misc/apple-mfi-fastcharge.c | 24 +- drivers/usb/serial/option.c | 2 + drivers/usb/typec/ucsi/ucsi_yoga_c630.c | 19 +- drivers/vdpa/mlx5/core/mr.c | 3 + drivers/vdpa/mlx5/net/mlx5_vnet.c | 12 +- drivers/vdpa/vdpa_user/vduse_dev.c | 1 + drivers/vfio/group.c | 7 +- drivers/vfio/iommufd.c | 4 + drivers/vfio/pci/pds/vfio_dev.c | 1 + drivers/vfio/pci/vfio_pci_core.c | 2 +- drivers/vfio/vfio_main.c | 3 +- drivers/vhost/Kconfig | 18 ++ drivers/vhost/scsi.c | 4 +- drivers/vhost/vhost.c | 244 +++++++++++++++-- drivers/vhost/vhost.h | 22 ++ drivers/video/fbdev/core/fbcon.c | 4 +- drivers/video/fbdev/imxfb.c | 9 +- drivers/watchdog/ziirave_wdt.c | 3 + drivers/xen/gntdev-common.h | 4 + drivers/xen/gntdev-dmabuf.c | 28 +- drivers/xen/gntdev.c | 71 +++-- fs/ceph/crypto.c | 31 +-- fs/exfat/file.c | 5 +- fs/ext4/inline.c | 2 + fs/ext4/inode.c | 3 +- fs/f2fs/data.c | 7 +- fs/f2fs/extent_cache.c | 2 +- fs/f2fs/f2fs.h | 2 +- fs/f2fs/gc.c | 1 + fs/f2fs/inode.c | 21 +- fs/f2fs/segment.h | 5 +- fs/f2fs/super.c | 1 + fs/f2fs/sysfs.c | 21 ++ fs/gfs2/util.c | 37 +-- fs/hfs/inode.c | 1 + fs/hfsplus/extents.c | 3 - fs/hfsplus/inode.c | 1 + fs/jfs/jfs_dmap.c | 4 +- fs/nfs/dir.c | 4 +- fs/nfs/export.c | 11 +- fs/nfs/flexfilelayout/flexfilelayout.c | 26 +- fs/nfs/flexfilelayout/flexfilelayoutdev.c | 6 +- fs/nfs/internal.h | 9 +- fs/nfs/nfs4proc.c | 10 +- fs/notify/fanotify/fanotify.c | 8 +- fs/ntfs3/file.c | 5 +- fs/ntfs3/frecord.c | 7 +- fs/ntfs3/namei.c | 10 +- fs/ntfs3/ntfs_fs.h | 3 +- fs/orangefs/orangefs-debugfs.c | 6 +- fs/proc/generic.c | 2 + fs/proc/inode.c | 2 +- fs/proc/internal.h | 5 + fs/smb/client/cifs_debug.c | 6 +- fs/smb/client/smbdirect.c | 130 +++------ fs/smb/client/smbdirect.h | 4 - fs/smb/server/connection.h | 1 + fs/smb/server/smb2pdu.c | 22 +- fs/smb/server/smb_common.c | 2 +- fs/smb/server/transport_rdma.c | 97 +++---- fs/smb/server/transport_tcp.c | 17 ++ fs/smb/server/vfs.c | 3 +- include/linux/audit.h | 9 +- include/linux/fortify-string.h | 2 +- include/linux/fs_context.h | 2 +- include/linux/ioprio.h | 3 +- include/linux/mlx5/device.h | 1 + include/linux/moduleparam.h | 5 +- include/linux/pps_kernel.h | 1 + include/linux/proc_fs.h | 1 + include/linux/psi_types.h | 6 +- include/linux/ring_buffer.h | 4 +- include/linux/skbuff.h | 23 ++ include/linux/usb/usbnet.h | 1 + include/linux/wait_bit.h | 60 +++++ include/net/bluetooth/hci.h | 1 + include/net/bluetooth/hci_core.h | 6 + include/net/dst.h | 4 +- include/net/lwtunnel.h | 8 +- include/net/tc_act/tc_ctinfo.h | 6 +- include/net/udp.h | 24 +- include/sound/tas2781-tlv.h | 2 +- include/uapi/drm/panthor_drm.h | 3 + include/uapi/linux/vhost.h | 29 ++ init/Kconfig | 2 +- kernel/audit.h | 2 +- kernel/auditsc.c | 2 +- kernel/bpf/core.c | 5 +- kernel/bpf/helpers.c | 11 +- kernel/bpf/preload/Kconfig | 1 - kernel/events/core.c | 20 +- kernel/kcsan/kcsan_test.c | 2 +- kernel/module/main.c | 6 +- kernel/rcu/refscale.c | 10 +- kernel/rcu/tree_nocb.h | 2 +- kernel/sched/psi.c | 123 +++++---- kernel/trace/preemptirq_delay_test.c | 13 +- kernel/trace/ring_buffer.c | 63 +---- kernel/trace/trace.c | 14 +- kernel/trace/trace_kdb.c | 8 +- kernel/ucount.c | 2 +- mm/hmm.c | 2 +- mm/swapfile.c | 63 ++--- net/bluetooth/hci_event.c | 8 +- net/caif/cfctrl.c | 294 ++++++++++----------- net/core/dst.c | 4 +- net/core/filter.c | 3 + net/core/netpoll.c | 7 + net/core/skmsg.c | 7 + net/ipv4/route.c | 4 +- net/ipv4/tcp_input.c | 4 +- net/ipv6/ip6_fib.c | 24 +- net/ipv6/ip6_offload.c | 4 +- net/ipv6/ip6mr.c | 3 +- net/ipv6/route.c | 60 +++-- net/mac80211/cfg.c | 2 +- net/mac80211/tdls.c | 2 +- net/mac80211/tx.c | 14 +- net/netfilter/nf_bpf_link.c | 5 +- net/netfilter/nf_tables_api.c | 29 +- net/netfilter/xt_nfacct.c | 4 +- net/packet/af_packet.c | 12 +- net/sched/act_ctinfo.c | 19 +- net/sched/sch_mqprio.c | 2 +- net/sched/sch_netem.c | 40 +++ net/sched/sch_taprio.c | 21 +- net/sunrpc/svcsock.c | 43 ++- net/sunrpc/xprtsock.c | 40 ++- net/tls/tls_sw.c | 13 + net/vmw_vsock/af_vsock.c | 3 +- net/wireless/nl80211.c | 1 + samples/mei/mei-amt-version.c | 2 +- scripts/kconfig/qconf.cc | 2 +- security/apparmor/include/match.h | 8 +- security/apparmor/match.c | 23 +- security/apparmor/policy_unpack_test.c | 6 +- sound/pci/hda/cs35l56_hda.c | 114 +++++--- sound/pci/hda/patch_ca0132.c | 5 +- sound/pci/hda/patch_realtek.c | 3 + sound/soc/amd/yc/acp6x-mach.c | 21 ++ sound/soc/fsl/fsl_xcvr.c | 20 ++ sound/soc/intel/boards/Kconfig | 2 +- .../soc/mediatek/common/mtk-afe-platform-driver.c | 4 +- sound/soc/mediatek/common/mtk-base-afe.h | 1 + sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 7 + sound/soc/mediatek/mt8183/mt8183-afe-pcm.c | 7 + sound/soc/mediatek/mt8186/mt8186-afe-pcm.c | 7 + sound/soc/mediatek/mt8192/mt8192-afe-pcm.c | 7 + sound/soc/soc-dai.c | 16 +- sound/soc/soc-ops.c | 28 +- sound/usb/mixer_scarlett2.c | 7 + sound/x86/intel_hdmi_audio.c | 2 +- tools/bpf/bpftool/net.c | 15 +- tools/cgroup/memcg_slabinfo.py | 4 +- tools/lib/subcmd/help.c | 12 +- tools/perf/.gitignore | 2 - tools/perf/builtin-sched.c | 99 +++++-- tools/perf/tests/bp_account.c | 1 + tools/perf/util/build-id.c | 2 +- tools/perf/util/evsel.c | 11 + tools/perf/util/evsel.h | 2 + tools/perf/util/symbol.c | 1 + tools/testing/selftests/alsa/utimer-test.c | 1 + tools/testing/selftests/arm64/fp/sve-ptrace.c | 2 +- .../selftests/bpf/prog_tests/sockmap_listen.c | 2 + .../selftests/bpf/progs/verifier_arena_large.c | 110 +++++++- tools/testing/selftests/bpf/veristat.c | 1 + .../breakpoints/step_after_suspend_test.c | 41 ++- tools/testing/selftests/drivers/net/lib/py/env.py | 2 +- .../ftrace/test.d/event/subsystem-enable.tc | 28 +- tools/testing/selftests/net/rtnetlink.sh | 6 + tools/testing/selftests/perf_events/.gitignore | 1 + tools/testing/selftests/perf_events/Makefile | 2 +- tools/testing/selftests/perf_events/mmap.c | 236 +++++++++++++++++ .../selftests/syscall_user_dispatch/sud_test.c | 50 ++-- tools/testing/selftests/vDSO/vdso_test_chacha.c | 3 +- tools/verification/rv/src/in_kernel.c | 4 +- 393 files changed, 3781 insertions(+), 1906 deletions(-)

3 weeks, 5 days

15
384
0 0

[PATCH 0/2] Fixes for maxim tcpc contaminant detection logic

by Amit Sunil Dhamne via B4 Relay

Add fixes to the CC contaminant/connection detection logic to improve reliability and stability of the maxim tcpc driver. --- Amit Sunil Dhamne (2): usb: typec: maxim_contaminant: disable low power mode when reading comparator values usb: typec: maxim_contaminant: re-enable cc toggle if cc is open and port is clean drivers/usb/typec/tcpm/maxim_contaminant.c | 58 ++++++++++++++++++++++++++++++ drivers/usb/typec/tcpm/tcpci_maxim.h | 1 + 2 files changed, 59 insertions(+) --- base-commit: 89be9a83ccf1f88522317ce02f854f30d6115c41 change-id: 20250802-fix-upstream-contaminant-16910e2762ca Best regards, -- Amit Sunil Dhamne <amitsd(a)google.com>

3 weeks, 5 days

3
4
0 0

[PATCH v3] wifi: mwifiex: Initialize the chan_stats array to zero

by Qianfeng Rong

The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out memory. The array is filled in mwifiex_update_chan_statistics() and then the user can query the data in mwifiex_cfg80211_dump_survey(). There are two potential issues here. What if the user calls mwifiex_cfg80211_dump_survey() before the data has been filled in. Also the mwifiex_update_chan_statistics() function doesn't necessarily initialize the whole array. Since the array was not initialized at the start that could result in an information leak. Also this array is pretty small. It's a maximum of 900 bytes so it's more appropriate to use kcalloc() instead vmalloc(). Cc: stable(a)vger.kernel.org Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex") Suggested-by: Dan Carpenter <dan.carpenter(a)linaro.org> Signed-off-by: Qianfeng Rong <rongqianfeng(a)vivo.com> --- v2: Change vmalloc_array/vfree to kcalloc/kfree. v3: Improved commit message. --- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +++-- drivers/net/wireless/marvell/mwifiex/main.c | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c index 3498743d5ec0..4c8c7a5fdf23 100644 --- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c +++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c @@ -4673,8 +4673,9 @@ int mwifiex_init_channel_scan_gap(struct mwifiex_adapter *adapter) * additional active scan request for hidden SSIDs on passive channels. */ adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a); - adapter->chan_stats = vmalloc(array_size(sizeof(*adapter->chan_stats), - adapter->num_in_chan_stats)); + adapter->chan_stats = kcalloc(adapter->num_in_chan_stats, + sizeof(*adapter->chan_stats), + GFP_KERNEL); if (!adapter->chan_stats) return -ENOMEM; diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c index 7b50a88a18e5..1ec069bc8ea1 100644 --- a/drivers/net/wireless/marvell/mwifiex/main.c +++ b/drivers/net/wireless/marvell/mwifiex/main.c @@ -642,7 +642,7 @@ static int _mwifiex_fw_dpc(const struct firmware *firmware, void *context) goto done; err_add_intf: - vfree(adapter->chan_stats); + kfree(adapter->chan_stats); err_init_chan_scan: wiphy_unregister(adapter->wiphy); wiphy_free(adapter->wiphy); @@ -1485,7 +1485,7 @@ static void mwifiex_uninit_sw(struct mwifiex_adapter *adapter) wiphy_free(adapter->wiphy); adapter->wiphy = NULL; - vfree(adapter->chan_stats); + kfree(adapter->chan_stats); mwifiex_free_cmd_buffers(adapter); } -- 2.34.1

3 weeks, 5 days

2
1
0 0

[PATCH] xen/events: Fix Global and Domain VIRQ tracking

by Jason Andryuk

VIRQs come in 3 flavors, per-VPU, per-domain, and global. The existing tracking of VIRQs is handled by per-cpu variables virq_to_irq. The issue is that bind_virq_to_irq() sets the per_cpu virq_to_irq at registration time - typically CPU 0. Later, the interrupt can migrate, and info->cpu is updated. When calling unbind_from_irq(), the per-cpu virq_to_irq is cleared for a different cpu. If bind_virq_to_irq() is called again with CPU 0, the stale irq is returned. Change the virq_to_irq tracking to use CPU 0 for per-domain and global VIRQs. As there can be at most one of each, there is no need for per-vcpu tracking. Also, per-domain and global VIRQs need to be registered on CPU 0 and can later move, so this matches the expectation. Fixes: e46cdb66c8fc ("xen: event channels") Cc: stable(a)vger.kernel.org Signed-off-by: Jason Andryuk <jason.andryuk(a)amd.com> --- Fixes is the introduction of the virq_to_irq per-cpu array. This was found with the out-of-tree argo driver during suspend/resume. On suspend, the per-domain VIRQ_ARGO is unbound. On resume, the driver attempts to bind VIRQ_ARGO. The stale irq is returned, but the WARN_ON(info == NULL || info->type != IRQT_VIRQ) in bind_virq_to_irq() triggers for NULL info. The bind fails and execution continues with the driver trying to clean up by unbinding. This eventually faults over the NULL info. --- drivers/xen/events/events_base.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c index 41309d38f78c..a27e4d7f061e 100644 --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -159,7 +159,19 @@ static DEFINE_MUTEX(irq_mapping_update_lock); static LIST_HEAD(xen_irq_list_head); -/* IRQ <-> VIRQ mapping. */ +static bool is_per_vcpu_virq(int virq) { + switch (virq) { + case VIRQ_TIMER: + case VIRQ_DEBUG: + case VIRQ_XENOPROF: + case VIRQ_XENPMU: + return true; + default: + return false; + } +} + +/* IRQ <-> VIRQ mapping. Global/Domain virqs are tracked in cpu 0. */ static DEFINE_PER_CPU(int [NR_VIRQS], virq_to_irq) = {[0 ... NR_VIRQS-1] = -1}; /* IRQ <-> IPI mapping */ @@ -974,6 +986,9 @@ static void __unbind_from_irq(struct irq_info *info, unsigned int irq) switch (info->type) { case IRQT_VIRQ: + if (!is_per_vcpu_virq(virq_from_irq(info))) + cpu = 0; + per_cpu(virq_to_irq, cpu)[virq_from_irq(info)] = -1; break; case IRQT_IPI: -- 2.50.1

3 weeks, 5 days

3
6
0 0

[PATCH] net: 9p: fix double req put in p9_fd_cancelled

by Nalivayko Sergey

Syzkaller reports a KASAN issue as below: general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f] CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__list_del include/linux/list.h:114 [inline] RIP: 0010:__list_del_entry include/linux/list.h:137 [inline] RIP: 0010:list_del include/linux/list.h:148 [inline] RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734 Call Trace: <TASK> p9_client_flush+0x351/0x440 net/9p/client.c:614 p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734 p9_client_version net/9p/client.c:920 [inline] p9_client_create+0xb51/0x1240 net/9p/client.c:1027 v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408 v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126 legacy_get_tree+0x108/0x220 fs/fs_context.c:632 vfs_get_tree+0x8e/0x300 fs/super.c:1573 do_new_mount fs/namespace.c:3056 [inline] path_mount+0x6a6/0x1e90 fs/namespace.c:3386 do_mount fs/namespace.c:3399 [inline] __do_sys_mount fs/namespace.c:3607 [inline] __se_sys_mount fs/namespace.c:3584 [inline] __x64_sys_mount+0x283/0x300 fs/namespace.c:3584 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 This happens because of a race condition between: - The 9p client sending an invalid flush request and later cleaning it up; - The 9p client in p9_read_work() canceled all pending requests. Thread 1 Thread 2 ... p9_client_create() ... p9_fd_create() ... p9_conn_create() ... // start Thread 2 INIT_WORK(&m->rq, p9_read_work); p9_read_work() ... p9_client_rpc() ... ... p9_conn_cancel() ... spin_lock(&m->req_lock); ... p9_fd_cancelled() ... ... spin_unlock(&m->req_lock); // status rewrite p9_client_cb(m->client, req, REQ_STATUS_ERROR) // first remove list_del(&req->req_list); ... spin_lock(&m->req_lock) ... // second remove list_del(&req->req_list); spin_unlock(&m->req_lock) ... Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem client where the req_list could be deleted simultaneously by both p9_read_work and p9_fd_cancelled functions, but for the case where req->status equals REQ_STATUS_RCVD. Add an explicit check for REQ_STATUS_ERROR in p9_fd_cancelled before processing the request. Skip processing if the request is already in the error state, as it has been removed and its resources cleaned up. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: afd8d6541155 ("9P: Add cancelled() to the transport functions.") Cc: stable(a)vger.kernel.org Signed-off-by: Nalivayko Sergey <Sergey.Nalivayko(a)kaspersky.com> --- net/9p/trans_fd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index a69422366a23..a6054a392a90 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -721,9 +721,9 @@ static int p9_fd_cancelled(struct p9_client *client, struct p9_req_t *req) spin_lock(&m->req_lock); /* Ignore cancelled request if message has been received - * before lock. - */ - if (req->status == REQ_STATUS_RCVD) { + * or cancelled with error before lock. + */ + if (req->status == REQ_STATUS_RCVD || req->status == REQ_STATUS_ERROR) { spin_unlock(&m->req_lock); return 0; } -- 2.30.2

3 weeks, 5 days

2
2
1 0

[PATCH 2/5] HID: apple: validate feature-report field count to prevent NULL pointer dereference

by malepudileep.111＠gmail.com

From: Qasim Ijaz <qasdev00(a)gmail.com> commit 1bb3363da862e0464ec050eea2fb5472a36ad86b upstream. A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL pointer dereference whilst the power feature-report is toggled and sent to the device in apple_magic_backlight_report_set(). The power feature-report is expected to have two data fields, but if the descriptor declares one field then accessing field[1] and dereferencing it in apple_magic_backlight_report_set() becomes invalid since field[1] will be NULL. An example of a minimal descriptor which can cause the crash is something like the following where the report with ID 3 (power report) only references a single 1-byte field. When hid core parses the descriptor it will encounter the final feature tag, allocate a hid_report (all members of field[] will be zeroed out), create field structure and populate it, increasing the maxfield to 1. The subsequent field[1] access and dereference causes the crash. Usage Page (Vendor Defined 0xFF00) Usage (0x0F) Collection (Application) Report ID (1) Usage (0x01) Logical Minimum (0) Logical Maximum (255) Report Size (8) Report Count (1) Feature (Data,Var,Abs) Usage (0x02) Logical Maximum (32767) Report Size (16) Report Count (1) Feature (Data,Var,Abs) Report ID (3) Usage (0x03) Logical Minimum (0) Logical Maximum (1) Report Size (8) Report Count (1) Feature (Data,Var,Abs) End Collection Here we see the KASAN splat when the kernel dereferences the NULL pointer and crashes: [ 15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI [ 15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary) [ 15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210 [ 15.165691] Call Trace: [ 15.165691] <TASK> [ 15.165691] apple_probe+0x571/0xa20 [ 15.165691] hid_device_probe+0x2e2/0x6f0 [ 15.165691] really_probe+0x1ca/0x5c0 [ 15.165691] __driver_probe_device+0x24f/0x310 [ 15.165691] driver_probe_device+0x4a/0xd0 [ 15.165691] __device_attach_driver+0x169/0x220 [ 15.165691] bus_for_each_drv+0x118/0x1b0 [ 15.165691] __device_attach+0x1d5/0x380 [ 15.165691] device_initial_probe+0x12/0x20 [ 15.165691] bus_probe_device+0x13d/0x180 [ 15.165691] device_add+0xd87/0x1510 [...] To fix this issue we should validate the number of fields that the backlight and power reports have and if they do not have the required number of fields then bail. Fixes: 394ba612f941 ("HID: apple: Add support for magic keyboard backlight on T2 Macs") Cc: stable(a)vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00(a)gmail.com> Reviewed-by: Orlando Chamberlain <orlandoch.dev(a)gmail.com> Tested-by: Aditya Garg <gargaditya08(a)live.com> Link: https://patch.msgid.link/20250713233008.15131-1-qasdev00@gmail.com Signed-off-by: Benjamin Tissoires <bentiss(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/hid/hid-apple.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c index d900dd05c335..c00ce5bfec4a 100644 --- a/drivers/hid/hid-apple.c +++ b/drivers/hid/hid-apple.c @@ -890,7 +890,8 @@ static int apple_magic_backlight_init(struct hid_device *hdev) backlight->brightness = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_BRIGHTNESS]; backlight->power = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_POWER]; - if (!backlight->brightness || !backlight->power) + if (!backlight->brightness || backlight->brightness->maxfield < 2 || + !backlight->power || backlight->power->maxfield < 2) return -ENODEV; backlight->cdev.name = ":white:" LED_FUNCTION_KBD_BACKLIGHT; -- 2.43.0

3 weeks, 5 days

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror August 2025