- Linux-stable-mirror - lists.linaro.org

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.12.44 release. There are 322 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu, 28 Aug 2025 11:08:26 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.44-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.12.44-rc1 Al Viro <viro(a)zeniv.linux.org.uk> alloc_fdtable(): change calling conventions. Florian Westphal <fw(a)strlen.de> netfilter: nf_reject: don't leak dst refcount for loopback packets Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/hypfs: Enable limited access during lockdown Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/hypfs: Avoid unnecessary ioctl registration in debugfs Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Use correct sub-type for UAC3 feature unit validation Armen Ratner <armeng(a)nvidia.com> net/mlx5e: Preserve shared buffer capacity during headroom updates Alexei Lazar <alazar(a)nvidia.com> net/mlx5e: Query FW for buffer ownership Oren Sidi <osidi(a)nvidia.com> net/mlx5: Add IFC bits and enums for buf_ownership Shahar Shitrit <shshitrit(a)nvidia.com> net/mlx5: Relocate function declarations from port.h to mlx5_core.h Daniel Jurgens <danielj(a)nvidia.com> net/mlx5: Base ECVF devlink port attrs from 0 Hariprasad Kelam <hkelam(a)marvell.com> Octeontx2-af: Skip overlap check for SPI field Hangbin Liu <liuhangbin(a)gmail.com> bonding: send LACPDUs periodically in passive mode after receiving partner's LACPDU Hangbin Liu <liuhangbin(a)gmail.com> bonding: update LACP activity flag after setting lacp_active Dewei Meng <mengdewei(a)cqsoftware.com.cn> ALSA: timer: fix ida_free call while not allocated William Liu <will(a)willsroot.io> net/sched: Remove unnecessary WARNING condition for empty child qdisc in htb_activate William Liu <will(a)willsroot.io> net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit Tristram Ha <tristram.ha(a)microchip.com> net: dsa: microchip: Fix KSZ9477 HSR port setup issue ValdikSS <iam(a)valdikss.org.ru> igc: fix disabling L1.2 PCI-E link substate on I226 on init Jason Xing <kernelxing(a)tencent.com> ixgbe: xsk: resolve the negative overflow of budget in ixgbe_xmit_zc Heiko Carstens <hca(a)linux.ibm.com> s390/mm: Do not map lowcore with identity mapping Kanglong Wang <wangkanglong(a)loongson.cn> LoongArch: Optimize module load time by optimizing PLT/GOT counting Parthiban Veerasooran <parthiban.veerasooran(a)microchip.com> microchip: lan865x: fix missing Timer Increment config for Rev.B0/B1 Parthiban Veerasooran <parthiban.veerasooran(a)microchip.com> microchip: lan865x: fix missing netif_start_queue() call on device open D. Wythe <alibuda(a)linux.alibaba.com> net/smc: fix UAF on smcsk after smc_listen_out() Jordan Rhee <jordanrhee(a)google.com> gve: prevent ethtool ops after shutdown Yuichiro Tsuji <yuichtsu(a)amazon.com> net: usb: asix_devices: Fix PHY address mask in MDIO bus initialization Horatiu Vultur <horatiu.vultur(a)microchip.com> phy: mscc: Fix timestamping for vsc8584 David Howells <dhowells(a)redhat.com> cifs: Fix oops due to uninitialised variable MD Danish Anwar <danishanwar(a)ti.com> net: ti: icssg-prueth: Fix HSR and switch offload Enablement during firwmare reload. Qingfang Deng <dqfext(a)gmail.com> ppp: fix race conditions in ppp_fill_forward_path Qingfang Deng <dqfext(a)gmail.com> net: ethernet: mtk_ppe: add RCU lock around dev_fill_forward_path Minhong He <heminhong(a)kylinos.cn> ipv6: sr: validate HMAC algorithm ID in seg6_hmac_info_add Jakub Ramaseuski <jramaseu(a)redhat.com> net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't print errors for nonexistent connectors Chenyuan Yang <chenyuan0y(a)gmail.com> drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() Dan Carpenter <dan.carpenter(a)linaro.org> ALSA: usb-audio: Fix size validation in convert_chmap_v3() Baihan Li <libaihan(a)huawei.com> drm/hisilicon/hibmc: fix the hibmc loaded failed bug Baihan Li <libaihan(a)huawei.com> drm/hisilicon/hibmc: fix the i2c device resource leak when vdac init failed Baihan Li <libaihan(a)huawei.com> drm/hisilicon/hibmc: refactored struct hibmc_drm_private Miguel Ojeda <ojeda(a)kernel.org> rust: alloc: fix `rusttest` by providing `Cmalloc::aligned_layout` too Ido Schimmel <idosch(a)nvidia.com> mlxsw: spectrum: Forward packets with an IPv4 link-local source IP Sergey Shtylyov <s.shtylyov(a)omp.ru> Bluetooth: hci_conn: do return error from hci_enhanced_setup_sync() Pauli Virtanen <pav(a)iki.fi> Bluetooth: hci_event: fix MTU for BN == 0 in CIS Established Yang Li <yang.li(a)amlogic.com> Bluetooth: hci_sync: Prevent unintended PA sync when SID is 0xFF Jiande Lu <jiande.lu(a)mediatek.com> Bluetooth: btmtk: Fix wait_on_bit_timeout interruption during shutdown Luiz Augusto von Dentz <luiz.von.dentz(a)intel.com> Bluetooth: hci_sync: Fix scan state after PA Sync has been established Kees Cook <kees(a)kernel.org> iommu/amd: Avoid stack buffer overflow from kernel cmdline Dan Carpenter <dan.carpenter(a)linaro.org> scsi: qla4xxx: Prevent a potential error pointer dereference Justin Lai <justinlai0215(a)realtek.com> rtase: Fix Rx descriptor CRC error bit definition Wang Liang <wangliang74(a)huawei.com> net: bridge: fix soft lockup in br_multicast_query_expired() Suraj Gupta <suraj.gupta2(a)amd.com> net: xilinx: axienet: Fix RX skb ring management in DMAengine mode Junxian Huang <huangjunxian6(a)hisilicon.com> RDMA/hns: Fix dip entries leak on devices newer than hip09 Anantha Prabhu <anantha.prabhu(a)broadcom.com> RDMA/bnxt_re: Fix to initialize the PBL array Kalesh AP <kalesh-anakkur.purayil(a)broadcom.com> RDMA/bnxt_re: Fix a possible memory leak in the driver Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Fix to remove workload check in SRQ limit path Kashyap Desai <kashyap.desai(a)broadcom.com> RDMA/bnxt_re: Fix to do SRQ armena by default wenglianfa <wenglianfa(a)huawei.com> RDMA/hns: Fix querying wrong SCC context for DIP algorithm Boshi Yu <boshiyu(a)linux.alibaba.com> RDMA/erdma: Fix ignored return value of init_kernel_qp Danilo Krummrich <dakr(a)kernel.org> rust: alloc: replace aligned_size() with Kmalloc::aligned_layout() Nitin Gote <nitin.r.gote(a)intel.com> iosys-map: Fix undefined behavior in iosys_map_clear() José Expósito <jose.exposito89(a)gmail.com> drm/tests: Fix drm_test_fb_xrgb8888_to_xrgb2101010() on big-endian Thomas Zimmermann <tzimmermann(a)suse.de> drm/tests: Do not use drm_fb_blit() in format-helper tests Thomas Zimmermann <tzimmermann(a)suse.de> drm/format-helper: Add generic conversion to 32-bit formats Thomas Zimmermann <tzimmermann(a)suse.de> drm/format-helper: Move helpers for pixel conversion to header file Kerem Karabay <kekrby(a)gmail.com> drm/format-helper: Add conversion from XRGB8888 to BGR888 Jocelyn Falempe <jfalempe(a)redhat.com> drm/panic: Move drawing functions to drm_draw José Expósito <jose.exposito89(a)gmail.com> drm/tests: Fix endian warning Waiman Long <longman(a)redhat.com> cgroup/cpuset: Fix a partition error with CPU hotplug Waiman Long <longman(a)redhat.com> cgroup/cpuset: Use static_branch_enable_cpuslocked() on cpusets_insane_config_key Fanhua Li <lifanhua5(a)huawei.com> drm/nouveau/nvif: Fix potential memory leak in nvif_vmm_ctor(). Stefan Wahren <wahrenst(a)gmx.net> spi: spi-fsl-lpspi: Clamp too high speed_hz Tianxiang Peng <txpeng(a)tencent.com> x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper Jean-Baptiste Maneyrol <jean-baptiste.maneyrol(a)tdk.com> iio: imu: inv_icm42600: change invalid data error to -EBUSY Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> iio: imu: inv_icm42600: Convert to uXX and sXX integer types David Lechner <dlechner(a)baylibre.com> iio: imu: inv_icm42600: use = { } instead of memset() Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: imu: inv_icm42600: switch timestamp type from int64_t __aligned(8) to aligned_s64 Jakub Kicinski <kuba(a)kernel.org> tls: fix handling of zero-length records on the rx_list Michal Suchanek <msuchanek(a)suse.de> powerpc/boot: Fix build with gcc 15 NeilBrown <neil(a)brown.name> ovl: use I_MUTEX_PARENT when locking parent in ovl_create_temp() Imre Deak <imre.deak(a)intel.com> drm/i915/icl+/tc: Cache the max lane count value Jan Beulich <jbeulich(a)suse.com> compiler: remove __ADDRESSABLE_ASM{_STR,}() again Imre Deak <imre.deak(a)intel.com> drm/i915/icl+/tc: Convert AUX powered WARN to a debug message Pu Lehui <pulehui(a)huawei.com> tracing: Limit access to parser->buffer when trace_get_user failed Steven Rostedt <rostedt(a)goodmis.org> tracing: Remove unneeded goto out logic David Lechner <dlechner(a)baylibre.com> iio: temperature: maxim_thermocouple: use DMA-safe buffer for spi_read() Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: light: as73211: Ensure buffer holes are zeroed Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: light: Use aligned_s64 instead of open coding alignment. Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: dwc3: pci: add support for the Intel Wildcat Lake Selvarasu Ganesan <selvarasu.g(a)samsung.com> usb: dwc3: Remove WARN_ON for device endpoint command timeouts Kuen-Han Tsai <khtsai(a)google.com> usb: dwc3: Ignore late xferNotReady event to prevent halt timeout Weitao Wang <WeitaoWang-oc(a)zhaoxin.com> usb: xhci: Fix slot_id resource race conflict Amit Sunil Dhamne <amitsd(a)google.com> usb: typec: maxim_contaminant: re-enable cc toggle if cc is open and port is clean Amit Sunil Dhamne <amitsd(a)google.com> usb: typec: maxim_contaminant: disable low power mode when reading comparator values Zenm Chen <zenmchen(a)gmail.com> USB: storage: Ignore driver CD mode for Realtek multi-mode Wi-Fi dongles Thorsten Blum <thorsten.blum(a)linux.dev> usb: storage: realtek_cr: Use correct byte order for bcs->Residue Mael GUERIN <mael.guerin(a)murena.io> USB: storage: Add unusual-devs entry for Novatek NTK96550-based camera Marek Vasut <marek.vasut+renesas(a)mailbox.org> usb: renesas-xhci: Fix External ROM access timeouts Xu Yang <xu.yang_2(a)nxp.com> usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test Ian Abbott <abbotti(a)mev.co.uk> comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() Edward Adam Davis <eadavis(a)qq.com> comedi: pcl726: Prevent invalid irq number Ian Abbott <abbotti(a)mev.co.uk> comedi: Make insn_rw_emulate_bits() do insn->n samples Miao Li <limiao(a)kylinos.cn> usb: quirks: Add DELAY_INIT quick for another SanDisk 3.2Gen1 Flash Drive Thorsten Blum <thorsten.blum(a)linux.dev> cdx: Fix off-by-one error in cdx_rpmsg_probe() Sebastian Andrzej Siewior <bigeasy(a)linutronix.de> kcov, usb: Don't disable interrupts in kcov_remote_start_usb_softirq() Miaoqian Lin <linmq006(a)gmail.com> most: core: Drop device reference after usage in get_channel() David Lechner <dlechner(a)baylibre.com> iio: proximity: isl29501: fix buffered read on big-endian systems Salah Triki <salah.triki(a)gmail.com> iio: pressure: bmp280: Use IS_ERR() in bmp280_common_probe() Steven Rostedt <rostedt(a)goodmis.org> ftrace: Also allocate and copy hash for reading of filter files Xu Yilun <yilun.xu(a)linux.intel.com> fpga: zynq_fpga: Fix the wrong usage of dma_map_sgtable() Judith Mendez <jm(a)ti.com> mmc: sdhci_am654: Disable HS400 for AM62P SR1.0 and SR1.1 Imre Deak <imre.deak(a)intel.com> drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpuidle: governors: menu: Avoid selecting states with too much latency Christian Loehle <christian.loehle(a)arm.com> cpuidle: menu: Remove iowait influence Al Viro <viro(a)zeniv.linux.org.uk> use uniform permission checks for all mount propagation changes Ye Bin <yebin10(a)huawei.com> fs/buffer: fix use-after-free when call bh_read() helper Stefan Metzmacher <metze(a)samba.org> smb: server: split ksmbd_rdma_stop_listening() out of ksmbd_rdma_destroy() Charalampos Mitrodimas <charmitro(a)posteo.net> debugfs: fix mount options not being applied Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am62*: Move eMMC pinmux to top level board file Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am6*: Remove disable-wp for eMMC Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am62*: Add non-removable flag for eMMC Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am6*: Add boot phase flag to support MMC boot Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: subpage: keep TOWRITE tag until folio is cleaned Baokun Li <libaokun1(a)huawei.com> ext4: preserve SB_I_VERSION on remount Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers David Lechner <dlechner(a)baylibre.com> iio: adc: ad7173: fix setting ODR in probe Geraldo Nascimento <geraldogabriel(a)gmail.com> PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining Geraldo Nascimento <geraldogabriel(a)gmail.com> PCI: rockchip: Use standard PCIe definitions Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Add IMX8MQ_EP third 64-bit BAR in epc_features Frank Li <Frank.Li(a)nxp.com> PCI: imx6: Add i.MX8Q PCIe Endpoint (EP) support Simon Richter <Simon.Richter(a)hogyros.de> Mark xe driver as BROKEN if kernel page size is not 4kB Geliang Tang <geliang(a)kernel.org> mptcp: disable add_addr retransmission when timeout is 0 Geliang Tang <geliang(a)kernel.org> mptcp: remove duplicate sk_reset_timer call Dan Carpenter <dan.carpenter(a)linaro.org> soc: qcom: mdt_loader: Fix error return values in mdt_header_valid() Mike Christie <michael.christie(a)oracle.com> scsi: core: Fix command pass through retry regression Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Fill display clock and vblank time in dce110_fill_display_configs Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Find first CRTC and its line time in dce110_fill_display_configs Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Fix DP audio DTO1 clock source on DCE 6. Tom Chung <chiahsuan.chung(a)amd.com> drm/amd/display: Fix Xorg desktop unresponsive on Replay panel Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Fix fractional fb divider in set_pixel_clock_v3 Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't overclock DCE 6 by 15% Mario Limonciello <mario.limonciello(a)amd.com> drm/amd/display: Avoid a NULL pointer dereference Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/swm14: Update power limit logic Thorsten Blum <thorsten.blum(a)linux.dev> accel/habanalabs/gaudi2: Use kvfree() for memory allocated with kvcalloc() Keith Busch <kbusch(a)kernel.org> kvm: retry nx_huge_page_recovery_thread creation Srinivas Pandruvada <srinivas.pandruvada(a)linux.intel.com> platform/x86/intel-uncore-freq: Check write blocked for ELC Peter Oberparleiter <oberpar(a)linux.ibm.com> s390/sclp: Fix SCCB present check Zhu Yanjun <yanjun.zhu(a)linux.dev> RDMA/rxe: Flush delayed SKBs while releasing RXE resources Evgeniy Harchenko <evgeniyharchenko.dev(a)gmail.com> ALSA: hda/realtek: Add support for HP EliteBook x360 830 G6 and EliteBook 830 G6 Jinjiang Tu <tujinjiang(a)huawei.com> mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn Herton R. Krzesinski <herton(a)redhat.com> mm/debug_vm_pgtable: clear page table entries at destroy_args() Phillip Lougher <phillip(a)squashfs.org.uk> squashfs: fix memory leak in squashfs_fill_super Trond Myklebust <trond.myklebust(a)hammerspace.com> NFS: Fix a race when updating an existing write Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9763e: Rename the gli_set_gl9763e() for consistency Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER Jiayi Li <lijiayi(a)kylinos.cn> memstick: Fix deadlock by moving removing flag earlier Victor Shih <victor.shih(a)genesyslogic.com.tw> mmc: sdhci-pci-gli: Add a new function to simplify the code Nicolin Chen <nicolinc(a)nvidia.com> iommu/arm-smmu-v3: Fix smmu_domain->nr_ats_masters decrement Dominique Martinet <asmadeus(a)codewreck.org> iov_iter: iterate_folioq: fix handling of offset >= folio size Jens Axboe <axboe(a)kernel.dk> io_uring/futex: ensure io_futex_wait() cleans up properly on failure Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "can: ti_hecc: fix -Woverflow compiler warning" Andrea Righi <arighi(a)nvidia.com> sched_ext: initialize built-in idle state before ops.init() Damien Le Moal <dlemoal(a)kernel.org> ata: libata-scsi: Return aborted command when missing sense and result TF Jens Axboe <axboe(a)kernel.dk> io_uring/net: commit partial buffers on retry David Howells <dhowells(a)redhat.com> netfs: Fix unbuffered write error handling Filipe Manana <fdmanana(a)suse.com> btrfs: send: make fs_path_len() inline and constify its argument Filipe Manana <fdmanana(a)suse.com> btrfs: send: use fallocate for hole punching with send stream v2 Filipe Manana <fdmanana(a)suse.com> btrfs: send: avoid path allocation for the current inode when issuing commands Filipe Manana <fdmanana(a)suse.com> btrfs: send: keep the current inode's path cached Filipe Manana <fdmanana(a)suse.com> btrfs: send: add and use helper to rename current inode when processing refs Filipe Manana <fdmanana(a)suse.com> btrfs: send: only use boolean variables at process_recorded_refs() Filipe Manana <fdmanana(a)suse.com> btrfs: send: factor out common logic when sending xattrs Christoph Hellwig <hch(a)lst.de> xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: requeue to unused block group list if zone finish failed Boris Burkov <boris(a)bur.io> btrfs: codify pattern for adding block_group to bg_list Boris Burkov <boris(a)bur.io> btrfs: explicitly ref count block_group on new_bgs list Filipe Manana <fdmanana(a)suse.com> btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() Filipe Manana <fdmanana(a)suse.com> btrfs: always abort transaction on failure to add block group to free space tree David Sterba <dsterba(a)suse.com> btrfs: move transaction aborts to the error site in add_block_group_free_space() Filipe Manana <fdmanana(a)suse.com> btrfs: qgroup: fix race between quota disable and quota rescan ioctl David Sterba <dsterba(a)suse.com> btrfs: qgroup: drop unused parameter fs_info from __del_qgroup_rb() Sebastian Reichel <sebastian.reichel(a)collabora.com> usb: typec: fusb302: cache PD RX state Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> USB: typec: Use str_enable_disable-like helpers Tom Lendacky <thomas.lendacky(a)amd.com> x86/sev: Ensure SVSM reserved fields in a page validation entry are initialized to zero SeongJae Park <sj(a)kernel.org> mm/damon/ops-common: ignore migration request to invalid nodes Matthieu Baerts (NGI0) <matttbe(a)kernel.org> selftests: mptcp: pm: check flush doesn't reset limits Matthieu Baerts (NGI0) <matttbe(a)kernel.org> mptcp: pm: kernel: flush: do not reset ADD_ADDR limit Christoph Paasch <cpaasch(a)openai.com> mptcp: drop skb if MPTCP skb extension allocation fails Chen Yu <yu.c.chen(a)intel.com> ACPI: pfr_update: Fix the driver update version check Eric Biggers <ebiggers(a)kernel.org> ipv6: sr: Fix MAC comparison to be constant-time Andrea Righi <arighi(a)nvidia.com> sched/ext: Fix invalid task state transitions on class switch Jakub Acs <acsjakub(a)amazon.de> net, hsr: reject HSR frame if skb can't hold tag Bibo Mao <maobibo(a)loongson.cn> LoongArch: KVM: Make function kvm_own_lbt() robust Timur Kristóf <timur.kristof(a)gmail.com> drm/amd/display: Don't overwrite dce60_clk_mgr Siyang Liu <Security(a)tencent.com> drm/amd/display: fix a Null pointer dereference vulnerability Michel Dänzer <mdaenzer(a)redhat.com> drm/amd/display: Add primary plane to commits for correct VRR handling Amber Lin <Amber.Lin(a)amd.com> drm/amdkfd: Destroy KFD debugfs after destroy KFD wq Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: update mmhub 4.1.0 client id mappings Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu: update mmhub 3.0.1 client id mappings Lijo Lazar <lijo.lazar(a)amd.com> drm/amdgpu: Update external revid for GC v9.5.0 Nathan Chancellor <nathan(a)kernel.org> drm/amdgpu: Initialize data to NULL in imu_v12_0_program_rlc_ram() Peter Shkenev <mustela(a)erminea.space> drm/amdgpu: check if hubbub is NULL in debugfs/amdgpu_dm_capabilities Gang Ba <Gang.Ba(a)amd.com> drm/amdgpu: Avoid extra evict-restore process. Mario Limonciello <mario.limonciello(a)amd.com> drm/amd: Restore cached power limit during resume Alex Deucher <alexander.deucher(a)amd.com> drm/amdgpu/discovery: fix fw based ip discovery Ricardo Ribalda <ribalda(a)chromium.org> media: venus: venc: Clamp param smaller than 1fps and bigger than 240 Ricardo Ribalda <ribalda(a)chromium.org> media: venus: vdec: Clamp param smaller than 1fps and bigger than 240. Jorge Ramirez-Ortiz <jorge.ramirez(a)oss.qualcomm.com> media: venus: protect against spurious interrupts during probe Jorge Ramirez-Ortiz <jorge.ramirez(a)oss.qualcomm.com> media: venus: hfi: explicitly release IRQ during teardown Konrad Dybcio <konrad.dybcio(a)oss.qualcomm.com> media: venus: Fix MSM8998 frequency table Vedang Nagar <quic_vnagar(a)quicinc.com> media: venus: Add a check for packet size after reading from shared memory Vladimir Zapolskiy <vladimir.zapolskiy(a)linaro.org> media: qcom: camss: cleanup media device allocated resource on error path Hans de Goede <hansg(a)kernel.org> media: ivsc: Fix crash at shutdown due to missing mei_cldev_disable() calls Mathis Foerst <mathis.foerst(a)mt.com> media: mt9m114: Fix deadlock in get_frame_interval/set_frame_interval Zhang Shurong <zhang_shurong(a)foxmail.com> media: ov2659: Fix memory leaks in ov2659_probe() Jacopo Mondi <jacopo.mondi(a)ideasonboard.com> media: pisp_be: Fix pm_runtime underrun in probe Gui-Dong Han <hanguidong02(a)gmail.com> media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt() Ludwig Disterhof <ludwig(a)disterhof.eu> media: usbtv: Lock resolution while streaming Sakari Ailus <sakari.ailus(a)linux.intel.com> media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free() Nicolas Dufresne <nicolas.dufresne(a)collabora.com> media: verisilicon: Fix AV1 decoder clock frequency Hans Verkuil <hverkuil(a)xs4all.nl> media: vivid: fix wrong pixel_array control size Sakari Ailus <sakari.ailus(a)linux.intel.com> media: ipu6: isys: Use correct pads for xlate_streams() Haoxiang Li <haoxiang_li2024(a)163.com> media: imx: fix a potential memory leak in imx_media_csc_scaler_device_init() Bingbu Cao <bingbu.cao(a)intel.com> media: hi556: correct the test pattern configuration Dan Carpenter <dan.carpenter(a)linaro.org> media: gspca: Add bounds checking to firmware parser John David Anglin <dave.anglin(a)bell.net> parisc: Update comments in make_insert_tlb John David Anglin <dave.anglin(a)bell.net> parisc: Try to fixup kernel exception in bad_area_nosemaphore path of do_page_fault() John David Anglin <dave.anglin(a)bell.net> parisc: Revise gateway LWS calls to probe user read access John David Anglin <dave.anglin(a)bell.net> parisc: Revise __get_user() to probe user read access John David Anglin <dave.anglin(a)bell.net> parisc: Rename pte_needs_flush() to pte_needs_cache_flush() in cache.c Randy Dunlap <rdunlap(a)infradead.org> parisc: Makefile: explain that 64BIT requires both 32-bit and 64-bit compilers John David Anglin <dave.anglin(a)bell.net> parisc: Drop WARN_ON_ONCE() from flush_cache_vmap John David Anglin <dave.anglin(a)bell.net> parisc: Define and use set_pte_at() John David Anglin <dave.anglin(a)bell.net> parisc: Check region is readable by user in raw_copy_from_user() Jon Hunter <jonathanh(a)nvidia.com> soc/tegra: pmc: Ensure power-domains are in a known state Thomas Weißschuh <thomas.weissschuh(a)linutronix.de> kbuild: userprogs: use correct linker when mixing clang and GNU ld Baokun Li <libaokun1(a)huawei.com> jbd2: prevent softlockup in jbd2_log_do_checkpoint() Chao Yu <chao(a)kernel.org> f2fs: fix to avoid out-of-boundary access in dnode page Muhammad Usama Anjum <usama.anjum(a)collabora.com> ASoC: SOF: amd: acp-loader: Use GFP_KERNEL for DMA allocations in resume context Xaver Hugl <xaver.hugl(a)kde.org> amdgpu/amdgpu_discovery: increase timeout limit for IFWI init Kathiravan Thirumoorthy <kathiravan.thirumoorthy(a)oss.qualcomm.com> phy: qcom: phy-qcom-m31: Update IPQ5332 M31 USB phy initialization sequence Will Deacon <will(a)kernel.org> vhost/vsock: Avoid allocating arbitrarily-sized SKBs Will Deacon <will(a)kernel.org> vsock/virtio: Validate length in packet header before skb_put() Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Delay link start until configfs 'start' written Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Remove apps_reset toggling from imx_pcie_{assert/deassert}_core_reset Richard Zhu <hongxing.zhu(a)nxp.com> PCI: imx6: Add IMX8MM_EP and IMX8MP_EP fixed 256-byte BAR 4 in epc_features Damien Le Moal <dlemoal(a)kernel.org> PCI: endpoint: Fix configfs group removal on driver teardown Damien Le Moal <dlemoal(a)kernel.org> PCI: endpoint: Fix configfs group list head handling Lukas Wunner <lukas(a)wunner.de> PCI/portdrv: Use is_pciehp instead of is_hotplug_bridge Chi Zhiling <chizhiling(a)kylinos.cn> readahead: fix return value of page_cache_next_miss() when no hole is found Thomas Fourier <fourier.thomas(a)gmail.com> mtd: rawnand: renesas: Add missing check after DMA map Thomas Fourier <fourier.thomas(a)gmail.com> mtd: rawnand: fsmc: Add missing check after DMA map Gabor Juhos <j4g8y7(a)gmail.com> mtd: spinand: propagate spinand_wait() errors from spinand_write_page() Michael Walle <mwalle(a)kernel.org> mtd: spi-nor: Fix spi_nor_try_unlock_all() Tim Harvey <tharvey(a)gateworks.com> hwmon: (gsc-hwmon) fix fan pwm setpoint show functions Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Fix duty and period setting Uwe Kleine-König <u.kleine-koenig(a)baylibre.com> pwm: mediatek: Handle hardware enable and clock enable separately Laurentiu Mihalcea <laurentiu.mihalcea(a)nxp.com> pwm: imx-tpm: Reset counter if CMOD is 0 Johan Hovold <johan+linaro(a)kernel.org> wifi: ath11k: fix dest ring-buffer corruption when ring is full Johan Hovold <johan+linaro(a)kernel.org> wifi: ath11k: fix source ring-buffer corruption Johan Hovold <johan+linaro(a)kernel.org> wifi: ath11k: fix dest ring-buffer corruption Johan Hovold <johan+linaro(a)kernel.org> wifi: ath12k: fix dest ring-buffer corruption when ring is full Johan Hovold <johan+linaro(a)kernel.org> wifi: ath12k: fix source ring-buffer corruption Johan Hovold <johan+linaro(a)kernel.org> wifi: ath12k: fix dest ring-buffer corruption Nathan Chancellor <nathan(a)kernel.org> wifi: brcmsmac: Remove const from tbl_ptr parameter in wlc_lcnphy_common_read_table() David Lechner <dlechner(a)baylibre.com> iio: adc: ad_sigma_delta: change to buffer predisable David Lechner <dlechner(a)baylibre.com> iio: imu: bno055: fix OOB access of hw_xlate array Marek Szyprowski <m.szyprowski(a)samsung.com> zynq_fpga: use sgtable-based scatterlist wrappers Bjorn Andersson <bjorn.andersson(a)oss.qualcomm.com> soc: qcom: mdt_loader: Ensure we don't read past the ELF header Igor Pylypiv <ipylypiv(a)google.com> ata: libata-scsi: Fix CDL control Adrian Hunter <adrian.hunter(a)intel.com> scsi: ufs: ufs-pci: Fix default runtime and system PM levels Archana Patni <archana.patni(a)intel.com> scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers Damien Le Moal <dlemoal(a)kernel.org> ata: libata-scsi: Fix ata_to_sense_error() status handling Ranjan Kumar <ranjan.kumar(a)broadcom.com> scsi: mpi3mr: Fix race between config read submit and interrupt completion André Draszik <andre.draszik(a)linaro.org> scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE Macpaul Lin <macpaul.lin(a)mediatek.com> scsi: dt-bindings: mediatek,ufs: Add ufs-disable-mcq flag for UFS host Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: display: sprd,sharkl3-dsi-host: Fix missing clocks constraints Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> dt-bindings: display: sprd,sharkl3-dpu: Fix missing clocks constraints Helge Deller <deller(a)gmx.de> apparmor: Fix 8-byte alignment for initial dfa blob streams Emanuele Ghidoli <emanuele.ghidoli(a)toradex.com> arm64: dts: ti: k3-am62-verdin: Enable pull-ups on I2C buses Hong Guan <hguan(a)ti.com> arm64: dts: ti: k3-am62a7-sk: fix pinmux for main_uart1 Peter Griffin <peter.griffin(a)linaro.org> arm64: dts: exynos: gs101: ufs: add dma-coherent property Alexander Sverdlin <alexander.sverdlin(a)siemens.com> arm64: dts: ti: k3-pinctrl: Enable Schmitt Trigger by default Judith Mendez <jm(a)ti.com> arm64: dts: ti: k3-am62-main: Remove eMMC High Speed DDR support Kyoji Ogasawara <sawara04.o(a)gmail.com> btrfs: fix printing of mount info messages for NODATACOW/NODATASUM Kyoji Ogasawara <sawara04.o(a)gmail.com> btrfs: restore mount option info messages during mount Kyoji Ogasawara <sawara04.o(a)gmail.com> btrfs: fix incorrect log message for nobarrier mount option Naohiro Aota <naohiro.aota(a)wdc.com> btrfs: zoned: fix write time activation failure for metadata block group Zhang Yi <yi.zhang(a)huawei.com> ext4: fix hole length calculation overflow in non-extent inodes Liao Yuanhong <liaoyuanhong(a)vivo.com> ext4: use kmalloc_array() for array space allocation Theodore Ts'o <tytso(a)mit.edu> ext4: don't try to clear the orphan_present feature block device is r/o Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: fix reserved gdt blocks handling in fsmap Ojaswin Mujoo <ojaswin(a)linux.ibm.com> ext4: fix fsmap end of range reporting with bigalloc Andreas Dilger <adilger(a)dilger.ca> ext4: check fast symlink for ea_inode correctly Masami Hiramatsu (Google) <mhiramat(a)kernel.org> tracing: fprobe-event: Sanitize wildcard for fprobe event name Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: extend the connection limiting mechanism to support IPv6 Ziyan Xu <ziyan(a)securitygossip.com> ksmbd: fix refcount leak causing resource not released Helge Deller <deller(a)gmx.de> Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()" Bharat Bhushan <bbhushan2(a)marvell.com> crypto: octeontx2 - Fix address alignment on CN10KB and CN10KA-B0 Bharat Bhushan <bbhushan2(a)marvell.com> crypto: octeontx2 - Fix address alignment on CN10K A0/A1 and OcteonTX2 Bharat Bhushan <bbhushan2(a)marvell.com> crypto: octeontx2 - Fix address alignment issue on ucode loading Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - flush misc workqueue during device shutdown John Ernberg <john.ernberg(a)actia.se> crypto: caam - Prevent crash on suspend with iMX8QM / iMX8ULP Giovanni Cabiddu <giovanni.cabiddu(a)intel.com> crypto: qat - lower priority for skcipher and aead algorithms Eric Biggers <ebiggers(a)kernel.org> lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> vt: defkeymap: Map keycodes above 127 to K_HOLE Myrrh Periwinkle <myrrhperiwinkle(a)qtmlabs.xyz> vt: keyboard: Don't process Unicode characters in K_OFF mode Youssef Samir <quic_yabdulra(a)quicinc.com> bus: mhi: host: Detect events pointing to unexpected TREs Alexander Wilhelm <alexander.wilhelm(a)westermo.com> bus: mhi: host: Fix endianness of BHI vector table Johan Hovold <johan(a)kernel.org> usb: dwc3: imx8mp: fix device leak at unbind Johan Hovold <johan(a)kernel.org> usb: dwc3: meson-g12a: fix device leaks at unbind Johan Hovold <johan(a)kernel.org> usb: musb: omap2430: fix device leak at unbind Johan Hovold <johan(a)kernel.org> usb: gadget: udc: renesas_usb3: fix device leak at unbind Nathan Chancellor <nathan(a)kernel.org> usb: atm: cxacru: Merge cxacru_upload_firmware() into cxacru_heavy_init() Finn Thain <fthain(a)linux-m68k.org> m68k: Fix lost column on framebuffer debug console Damien Le Moal <dlemoal(a)kernel.org> dm: Check for forbidden splitting of zone write operations Damien Le Moal <dlemoal(a)kernel.org> dm: dm-crypt: Do not partially accept write BIOs with zoned targets Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PM: runtime: Take active children into account in pm_runtime_get_if_in_use() Tzung-Bi Shih <tzungbi(a)kernel.org> platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister() Dan Carpenter <dan.carpenter(a)linaro.org> cpufreq: armada-8k: Fix off by one in armada_8k_cpufreq_free_table() Damien Le Moal <dlemoal(a)kernel.org> ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig Yunhui Cui <cuiyunhui(a)bytedance.com> serial: 8250: fix panic due to PSLVERR ------------- Diffstat: .../bindings/display/sprd/sprd,sharkl3-dpu.yaml | 2 +- .../display/sprd/sprd,sharkl3-dsi-host.yaml | 2 +- .../devicetree/bindings/ufs/mediatek,ufs.yaml | 4 + Documentation/networking/mptcp-sysctl.rst | 2 + Makefile | 6 +- arch/arm64/boot/dts/exynos/google/gs101.dtsi | 1 + arch/arm64/boot/dts/ti/k3-am62-lp-sk.dts | 36 ++ arch/arm64/boot/dts/ti/k3-am62-main.dtsi | 1 - arch/arm64/boot/dts/ti/k3-am62-phycore-som.dtsi | 1 - arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi | 12 +- arch/arm64/boot/dts/ti/k3-am625-beagleplay.dts | 2 +- arch/arm64/boot/dts/ti/k3-am625-sk.dts | 24 ++ arch/arm64/boot/dts/ti/k3-am62a-phycore-som.dtsi | 1 - arch/arm64/boot/dts/ti/k3-am62a7-sk.dts | 7 +- arch/arm64/boot/dts/ti/k3-am62p5-sk.dts | 2 +- arch/arm64/boot/dts/ti/k3-am62x-sk-common.dtsi | 24 -- arch/arm64/boot/dts/ti/k3-am642-evm.dts | 1 - arch/arm64/boot/dts/ti/k3-am654-base-board.dts | 1 - .../dts/ti/k3-am6548-iot2050-advanced-common.dtsi | 1 - arch/arm64/boot/dts/ti/k3-am69-sk.dts | 1 - arch/arm64/boot/dts/ti/k3-pinctrl.h | 15 +- arch/loongarch/kernel/module-sections.c | 38 +-- arch/loongarch/kvm/vcpu.c | 8 +- arch/m68k/kernel/head.S | 31 +- arch/mips/crypto/chacha-core.S | 20 +- arch/parisc/Makefile | 4 +- arch/parisc/include/asm/pgtable.h | 7 +- arch/parisc/include/asm/special_insns.h | 28 ++ arch/parisc/include/asm/uaccess.h | 21 +- arch/parisc/kernel/cache.c | 6 +- arch/parisc/kernel/entry.S | 17 +- arch/parisc/kernel/syscall.S | 30 +- arch/parisc/lib/memcpy.c | 19 +- arch/parisc/mm/fault.c | 4 + arch/powerpc/boot/Makefile | 1 + arch/s390/boot/vmem.c | 3 + arch/s390/hypfs/hypfs_dbfs.c | 19 +- arch/x86/coco/sev/shared.c | 3 + arch/x86/include/asm/xen/hypercall.h | 5 +- arch/x86/kernel/cpu/hygon.c | 3 + arch/x86/kvm/mmu/mmu.c | 10 +- drivers/accel/habanalabs/gaudi2/gaudi2.c | 2 +- drivers/acpi/pfr_update.c | 2 +- drivers/ata/Kconfig | 32 +- drivers/ata/libata-scsi.c | 58 ++-- drivers/base/power/runtime.c | 27 +- drivers/bluetooth/btmtk.c | 7 +- drivers/bus/mhi/host/boot.c | 8 +- drivers/bus/mhi/host/internal.h | 4 +- drivers/bus/mhi/host/main.c | 12 +- drivers/cdx/controller/cdx_rpmsg.c | 3 +- drivers/comedi/comedi_fops.c | 5 + drivers/comedi/drivers.c | 27 +- drivers/comedi/drivers/pcl726.c | 3 +- drivers/cpufreq/armada-8k-cpufreq.c | 2 +- drivers/cpuidle/governors/menu.c | 101 ++---- drivers/crypto/caam/ctrl.c | 5 +- drivers/crypto/caam/intern.h | 1 + .../crypto/intel/qat/qat_common/adf_common_drv.h | 1 + drivers/crypto/intel/qat/qat_common/adf_init.c | 1 + drivers/crypto/intel/qat/qat_common/adf_isr.c | 5 + drivers/crypto/intel/qat/qat_common/qat_algs.c | 12 +- drivers/crypto/marvell/octeontx2/otx2_cpt_reqmgr.h | 125 +++++-- .../crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 35 +- drivers/fpga/zynq-fpga.c | 10 +- drivers/gpu/drm/Kconfig | 5 + drivers/gpu/drm/Makefile | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 76 +++-- drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +- drivers/gpu/drm/amd/amdgpu/imu_v12_0.c | 2 +- drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c | 57 ++-- drivers/gpu/drm/amd/amdgpu/mmhub_v4_1_0.c | 34 +- drivers/gpu/drm/amd/amdgpu/soc15.c | 2 + drivers/gpu/drm/amd/amdkfd/kfd_module.c | 2 +- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 + .../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 28 ++ .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 2 +- drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 5 +- .../gpu/drm/amd/display/dc/bios/command_table.c | 2 +- drivers/gpu/drm/amd/display/dc/clk_mgr/clk_mgr.c | 1 - .../amd/display/dc/clk_mgr/dce100/dce_clk_mgr.c | 2 - .../amd/display/dc/clk_mgr/dce110/dce110_clk_mgr.c | 40 ++- .../amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 31 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 34 +- .../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c | 3 + drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 + .../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 30 +- drivers/gpu/drm/display/drm_dp_helper.c | 2 +- drivers/gpu/drm/drm_draw.c | 155 +++++++++ drivers/gpu/drm/drm_draw_internal.h | 56 ++++ drivers/gpu/drm/drm_format_helper.c | 234 +++++++++---- drivers/gpu/drm/drm_format_internal.h | 127 ++++++++ drivers/gpu/drm/drm_panic.c | 269 ++------------- drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.c | 4 +- drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_drv.h | 17 +- drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_i2c.c | 42 +-- drivers/gpu/drm/hisilicon/hibmc/hibmc_drm_vdac.c | 29 +- drivers/gpu/drm/i915/display/intel_tc.c | 58 +++- drivers/gpu/drm/nouveau/nvif/vmm.c | 3 +- drivers/gpu/drm/tests/drm_format_helper_test.c | 176 +++++----- drivers/gpu/drm/xe/Kconfig | 1 + drivers/hwmon/gsc-hwmon.c | 4 +- drivers/iio/adc/ad7173.c | 3 +- drivers/iio/adc/ad_sigma_delta.c | 4 +- drivers/iio/imu/bno055/bno055.c | 11 +- drivers/iio/imu/inv_icm42600/inv_icm42600.h | 8 +- drivers/iio/imu/inv_icm42600/inv_icm42600_accel.c | 33 +- drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.c | 22 +- drivers/iio/imu/inv_icm42600/inv_icm42600_buffer.h | 10 +- drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 6 +- drivers/iio/imu/inv_icm42600/inv_icm42600_gyro.c | 43 ++- drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 12 +- drivers/iio/light/adjd_s311.c | 2 +- drivers/iio/light/as73211.c | 4 +- drivers/iio/light/bh1745.c | 2 +- drivers/iio/light/isl29125.c | 2 +- drivers/iio/light/ltr501.c | 2 +- drivers/iio/light/max44000.c | 2 +- drivers/iio/light/rohm-bu27034.c | 2 +- drivers/iio/light/rpr0521.c | 2 +- drivers/iio/light/st_uvis25.h | 2 +- drivers/iio/light/tcs3414.c | 2 +- drivers/iio/light/tcs3472.c | 2 +- drivers/iio/pressure/bmp280-core.c | 9 +- drivers/iio/proximity/isl29501.c | 14 +- drivers/iio/temperature/maxim_thermocouple.c | 26 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 8 +- drivers/infiniband/hw/bnxt_re/main.c | 23 ++ drivers/infiniband/hw/bnxt_re/qplib_fp.c | 30 +- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 - drivers/infiniband/hw/bnxt_re/qplib_res.c | 2 + drivers/infiniband/hw/erdma/erdma_verbs.c | 4 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 6 +- drivers/infiniband/hw/hns/hns_roce_restrack.c | 9 +- drivers/infiniband/sw/rxe/rxe_net.c | 29 +- drivers/infiniband/sw/rxe/rxe_qp.c | 2 +- drivers/iommu/amd/init.c | 4 +- drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 2 +- drivers/md/dm-crypt.c | 47 ++- drivers/md/dm.c | 17 +- drivers/media/cec/usb/rainshadow/rainshadow-cec.c | 3 +- drivers/media/i2c/hi556.c | 26 +- drivers/media/i2c/mt9m114.c | 8 - drivers/media/i2c/ov2659.c | 3 +- drivers/media/pci/intel/ipu6/ipu6-isys-csi2.c | 12 +- drivers/media/pci/intel/ivsc/mei_ace.c | 2 + drivers/media/pci/intel/ivsc/mei_csi.c | 2 + drivers/media/platform/qcom/camss/camss.c | 4 +- drivers/media/platform/qcom/venus/core.c | 18 +- drivers/media/platform/qcom/venus/core.h | 2 + drivers/media/platform/qcom/venus/hfi_venus.c | 5 + drivers/media/platform/qcom/venus/vdec.c | 5 +- drivers/media/platform/qcom/venus/venc.c | 5 +- drivers/media/platform/raspberrypi/pisp_be/Kconfig | 1 + .../media/platform/raspberrypi/pisp_be/pisp_be.c | 5 +- .../media/platform/verisilicon/rockchip_vpu_hw.c | 9 - drivers/media/test-drivers/vivid/vivid-ctrls.c | 3 +- drivers/media/test-drivers/vivid/vivid-vid-cap.c | 4 +- drivers/media/usb/gspca/vicam.c | 10 +- drivers/media/usb/usbtv/usbtv-video.c | 4 + drivers/media/v4l2-core/v4l2-ctrls-core.c | 1 - drivers/memstick/core/memstick.c | 1 - drivers/memstick/host/rtsx_usb_ms.c | 1 + drivers/mmc/host/sdhci-pci-gli.c | 37 ++- drivers/mmc/host/sdhci_am654.c | 18 + drivers/most/core.c | 2 +- drivers/mtd/nand/raw/fsmc_nand.c | 2 + drivers/mtd/nand/raw/renesas-nand-controller.c | 6 + drivers/mtd/nand/spi/core.c | 5 +- drivers/mtd/spi-nor/swp.c | 19 +- drivers/net/bonding/bond_3ad.c | 67 +++- drivers/net/bonding/bond_options.c | 1 + drivers/net/can/ti_hecc.c | 2 +- drivers/net/dsa/microchip/ksz_common.c | 6 + drivers/net/ethernet/google/gve/gve_main.c | 2 + drivers/net/ethernet/intel/igc/igc_main.c | 14 +- drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 4 +- .../net/ethernet/marvell/octeontx2/af/rvu_npc_fs.c | 4 +- drivers/net/ethernet/mediatek/mtk_ppe_offload.c | 2 + drivers/net/ethernet/mellanox/mlx5/core/en/dcbnl.h | 1 - .../ethernet/mellanox/mlx5/core/en/port_buffer.c | 18 +- drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 12 +- .../ethernet/mellanox/mlx5/core/esw/devlink_port.c | 4 +- .../net/ethernet/mellanox/mlx5/core/mlx5_core.h | 87 +++++ drivers/net/ethernet/mellanox/mlx5/core/port.c | 40 +-- drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 2 + drivers/net/ethernet/mellanox/mlxsw/trap.h | 1 + drivers/net/ethernet/microchip/lan865x/lan865x.c | 21 ++ drivers/net/ethernet/realtek/rtase/rtase.h | 2 +- drivers/net/ethernet/ti/icssg/icssg_prueth.c | 72 ++-- drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 8 +- drivers/net/phy/mscc/mscc.h | 12 + drivers/net/phy/mscc/mscc_main.c | 12 + drivers/net/phy/mscc/mscc_ptp.c | 49 ++- drivers/net/ppp/ppp_generic.c | 17 +- drivers/net/usb/asix_devices.c | 2 +- drivers/net/wireless/ath/ath11k/ce.c | 3 - drivers/net/wireless/ath/ath11k/dp_rx.c | 3 - drivers/net/wireless/ath/ath11k/hal.c | 33 +- drivers/net/wireless/ath/ath12k/ce.c | 3 - drivers/net/wireless/ath/ath12k/hal.c | 38 ++- .../broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 2 +- drivers/pci/controller/dwc/pci-imx6.c | 32 +- drivers/pci/controller/pcie-rockchip-host.c | 49 +-- drivers/pci/controller/pcie-rockchip.h | 11 +- drivers/pci/endpoint/pci-ep-cfs.c | 1 + drivers/pci/endpoint/pci-epf-core.c | 2 +- drivers/pci/pcie/portdrv.c | 2 +- drivers/phy/qualcomm/phy-qcom-m31.c | 14 +- drivers/platform/chrome/cros_ec.c | 3 + .../intel/uncore-frequency/uncore-frequency-tpmi.c | 5 + drivers/pwm/pwm-imx-tpm.c | 9 + drivers/pwm/pwm-mediatek.c | 71 ++-- drivers/s390/char/sclp.c | 11 +- drivers/scsi/mpi3mr/mpi3mr.h | 6 +- drivers/scsi/mpi3mr/mpi3mr_fw.c | 17 +- drivers/scsi/mpi3mr/mpi3mr_os.c | 2 + drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/scsi_lib.c | 3 + drivers/soc/qcom/mdt_loader.c | 43 +++ drivers/soc/tegra/pmc.c | 51 +-- drivers/spi/spi-fsl-lpspi.c | 8 +- drivers/staging/media/imx/imx-media-csc-scaler.c | 2 +- drivers/tty/serial/8250/8250_port.c | 3 +- drivers/tty/vt/defkeymap.c_shipped | 112 +++++++ drivers/tty/vt/keyboard.c | 2 +- drivers/ufs/host/ufs-exynos.c | 4 +- drivers/ufs/host/ufshcd-pci.c | 42 ++- drivers/usb/atm/cxacru.c | 172 +++++----- drivers/usb/core/hcd.c | 20 +- drivers/usb/core/quirks.c | 1 + drivers/usb/dwc3/dwc3-imx8mp.c | 7 +- drivers/usb/dwc3/dwc3-meson-g12a.c | 3 + drivers/usb/dwc3/dwc3-pci.c | 2 + drivers/usb/dwc3/ep0.c | 20 +- drivers/usb/dwc3/gadget.c | 19 +- drivers/usb/gadget/udc/renesas_usb3.c | 1 + drivers/usb/host/xhci-hub.c | 3 +- drivers/usb/host/xhci-mem.c | 22 +- drivers/usb/host/xhci-pci-renesas.c | 7 +- drivers/usb/host/xhci-ring.c | 9 +- drivers/usb/host/xhci.c | 21 +- drivers/usb/host/xhci.h | 3 +- drivers/usb/musb/omap2430.c | 14 +- drivers/usb/storage/realtek_cr.c | 2 +- drivers/usb/storage/unusual_devs.h | 29 ++ drivers/usb/typec/class.c | 7 +- drivers/usb/typec/tcpm/fusb302.c | 32 +- drivers/usb/typec/tcpm/maxim_contaminant.c | 58 ++++ .../usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 3 +- .../typec/tcpm/qcom/qcom_pmic_typec_pdphy_stub.c | 3 +- drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_port.c | 4 +- drivers/usb/typec/tcpm/tcpci_maxim.h | 1 + drivers/usb/typec/tcpm/tcpm.c | 7 +- drivers/vhost/vsock.c | 6 +- drivers/video/console/vgacon.c | 2 +- fs/btrfs/block-group.c | 59 ++-- fs/btrfs/ctree.c | 9 +- fs/btrfs/free-space-tree.c | 17 +- fs/btrfs/qgroup.c | 38 ++- fs/btrfs/send.c | 361 ++++++++++++--------- fs/btrfs/subpage.c | 19 +- fs/btrfs/super.c | 13 +- fs/btrfs/transaction.c | 1 + fs/btrfs/zoned.c | 13 +- fs/buffer.c | 2 +- fs/debugfs/inode.c | 11 +- fs/ext4/fsmap.c | 23 +- fs/ext4/indirect.c | 4 +- fs/ext4/inode.c | 2 +- fs/ext4/orphan.c | 5 +- fs/ext4/super.c | 8 +- fs/f2fs/node.c | 10 + fs/file.c | 75 ++--- fs/jbd2/checkpoint.c | 1 + fs/namespace.c | 34 +- fs/netfs/write_collect.c | 10 +- fs/netfs/write_issue.c | 4 +- fs/nfs/pagelist.c | 9 +- fs/nfs/write.c | 29 +- fs/overlayfs/copy_up.c | 2 +- fs/smb/client/smb2ops.c | 2 +- fs/smb/server/connection.c | 3 +- fs/smb/server/connection.h | 7 +- fs/smb/server/oplock.c | 13 +- fs/smb/server/transport_rdma.c | 5 +- fs/smb/server/transport_rdma.h | 4 +- fs/smb/server/transport_tcp.c | 26 +- fs/splice.c | 3 + fs/squashfs/super.c | 14 +- fs/xfs/xfs_itable.c | 6 +- include/drm/drm_format_helper.h | 12 + include/linux/call_once.h | 43 ++- include/linux/compiler.h | 8 - include/linux/iosys-map.h | 7 +- include/linux/iov_iter.h | 20 +- include/linux/kcov.h | 47 +-- include/linux/mlx5/mlx5_ifc.h | 14 +- include/linux/mlx5/port.h | 83 ----- include/linux/netfs.h | 1 + include/linux/nfs_page.h | 1 + include/net/bond_3ad.h | 1 + include/uapi/linux/pfrut.h | 1 + io_uring/futex.c | 3 + io_uring/net.c | 27 +- kernel/cgroup/cpuset.c | 9 +- kernel/sched/ext.c | 18 +- kernel/trace/ftrace.c | 19 +- kernel/trace/trace.c | 34 +- kernel/trace/trace.h | 10 +- mm/damon/paddr.c | 4 + mm/debug_vm_pgtable.c | 9 +- mm/filemap.c | 3 +- mm/memory-failure.c | 8 + net/bluetooth/hci_conn.c | 3 +- net/bluetooth/hci_event.c | 8 +- net/bluetooth/hci_sync.c | 19 +- net/bridge/br_multicast.c | 16 + net/bridge/br_private.h | 2 + net/core/dev.c | 12 + net/hsr/hsr_slave.c | 8 +- net/ipv4/netfilter/nf_reject_ipv4.c | 6 +- net/ipv6/netfilter/nf_reject_ipv6.c | 5 +- net/ipv6/seg6_hmac.c | 6 +- net/mptcp/options.c | 6 +- net/mptcp/pm_netlink.c | 19 +- net/sched/sch_cake.c | 14 +- net/sched/sch_htb.c | 2 +- net/smc/af_smc.c | 3 +- net/tls/tls_sw.c | 7 +- net/vmw_vsock/virtio_transport.c | 12 +- rust/kernel/alloc/allocator.rs | 30 +- rust/kernel/alloc/allocator_test.rs | 11 + security/apparmor/lsm.c | 4 +- sound/core/timer.c | 4 +- sound/pci/hda/patch_realtek.c | 2 + sound/soc/sof/amd/acp-loader.c | 6 +- sound/usb/stream.c | 2 +- sound/usb/validate.c | 2 +- tools/testing/selftests/net/mptcp/pm_netlink.sh | 1 + 341 files changed, 3816 insertions(+), 2245 deletions(-)

1 week

12
334
0 0

[PATCH RFC] riscv: Do not handle break traps from kernel as nmi

by Alexandre Ghiti

kprobe has been broken on riscv for quite some time. There is an attempt [1] to fix that which actually works. This patch works because it enables ARCH_HAVE_NMI_SAFE_CMPXCHG and that makes the ring buffer allocation succeed when handling a kprobe because we handle *all* kprobes in nmi context. We do so because Peter advised us to treat all kernel traps as nmi [2]. But that does not seem right for kprobe handling, so instead, treat break traps from kernel as non-nmi. Link: https://lore.kernel.org/linux-riscv/20250711090443.1688404-1-pulehui@huawei… [1] Link: https://lore.kernel.org/linux-riscv/20250422094419.GC14170@noisy.programmin… [2] Fixes: f0bddf50586d ("riscv: entry: Convert to generic entry") Cc: stable(a)vger.kernel.org Signed-off-by: Alexandre Ghiti <alexghiti(a)rivosinc.com> --- This is clearly an RFC and this is likely not the right way to go, it is just a way to trigger a discussion about if handling kprobes in an nmi context is the right way or not. --- arch/riscv/kernel/traps.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/riscv/kernel/traps.c b/arch/riscv/kernel/traps.c index 80230de167def3c33db5bc190347ec5f87dbb6e3..90f36bb9b12d4ba0db0f084f87899156e3c7dc6f 100644 --- a/arch/riscv/kernel/traps.c +++ b/arch/riscv/kernel/traps.c @@ -315,11 +315,11 @@ asmlinkage __visible __trap_section void do_trap_break(struct pt_regs *regs) local_irq_disable(); irqentry_exit_to_user_mode(regs); } else { - irqentry_state_t state = irqentry_nmi_enter(regs); + irqentry_state_t state = irqentry_enter(regs); handle_break(regs); - irqentry_nmi_exit(regs, state); + irqentry_exit(regs, state); } } --- base-commit: ae9a687664d965b13eeab276111b2f97dd02e090 change-id: 20250903-dev-alex-break_nmi_v1-57c5321f3e80 Best regards, -- Alexandre Ghiti <alexghiti(a)rivosinc.com>

1 week

3
2
0 0

[PATCH v2] nvmem: layouts: fix automatic module loading

by Michael Walle

To support loading of a layout module automatically the MODALIAS variable in the uevent is needed. Add it. Fixes: fc29fd821d9a ("nvmem: core: Rework layouts to become regular devices") Cc: stable(a)vger.kernel.org Signed-off-by: Michael Walle <mwalle(a)kernel.org> --- I'm still not sure if the sysfs modalias file is required or not. It seems to work without it. I could't find any documentation about it. v2: - add Cc: stable --- drivers/nvmem/layouts.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/nvmem/layouts.c b/drivers/nvmem/layouts.c index 65d39e19f6ec..f381ce1e84bd 100644 --- a/drivers/nvmem/layouts.c +++ b/drivers/nvmem/layouts.c @@ -45,11 +45,24 @@ static void nvmem_layout_bus_remove(struct device *dev) return drv->remove(layout); } +static int nvmem_layout_bus_uevent(const struct device *dev, + struct kobj_uevent_env *env) +{ + int ret; + + ret = of_device_uevent_modalias(dev, env); + if (ret != ENODEV) + return ret; + + return 0; +} + static const struct bus_type nvmem_layout_bus_type = { .name = "nvmem-layout", .match = nvmem_layout_bus_match, .probe = nvmem_layout_bus_probe, .remove = nvmem_layout_bus_remove, + .uevent = nvmem_layout_bus_uevent, }; int __nvmem_layout_driver_register(struct nvmem_layout_driver *drv, -- 2.39.5

1 week

3
2
0 0

[PATCH 6.6 1/2] Revert "spi: cadence-quadspi: fix cleanup of rx_chan on failure paths"

by jinfeng.wang.cn＠windriver.com

From: Jinfeng Wang <jinfeng.wang.cn(a)windriver.com> This reverts commit 1af6d1696ca40b2d22889b4b8bbea616f94aaa84. There is cadence-qspi ff8d2000.spi: Unbalanced pm_runtime_enable! error without this revert. After reverting commit cdfb20e4b34a ("spi: spi-cadence-quadspi: Fix pm runtime unbalance") and commit 1af6d1696ca4 ("spi: cadence-quadspi: fix cleanup of rx_chan on failure paths"), Unbalanced pm_runtime_enable! error does not appear. These two commits are backported from upstream commit b07f349d1864 ("spi: spi-cadence-quadspi: Fix pm runtime unbalance") and commit 04a8ff1bc351 ("spi: cadence-quadspi: fix cleanup of rx_chan on failure paths"). The commit 04a8ff1bc351 ("spi: cadence-quadspi: fix cleanup of rx_chan on failure paths") fix commit b07f349d1864 ("spi: spi-cadence-quadspi: Fix pm runtime unbalance"). The commit b07f349d1864 ("spi: spi-cadence-quadspi: Fix pm runtime unbalance") fix commit 86401132d7bb ("spi: spi-cadence-quadspi: Fix missing unwind goto warnings"). The commit 86401132d7bb ("spi: spi-cadence-quadspi: Fix missing unwind goto warnings") fix commit 0578a6dbfe75 ("spi: spi-cadence-quadspi: add runtime pm support"). 6.6.y only backport commit b07f349d1864 ("spi: spi-cadence-quadspi: Fix pm runtime unbalance") and commit 04a8ff1bc351 ("spi: cadence-quadspi: fix cleanup of rx_chan on failure paths"), but does not backport commit 0578a6dbfe75 ("spi: spi-cadence-quadspi: add runtime pm support") and commit 86401132d7bb ("spi: spi-cadence-quadspi: Fix missing unwind goto warnings"). And the backport of commit b07f349d1864 ("spi: spi-cadence-quadspi: Fix pm runtime unbalance") differs with the original patch. So there is Unbalanced pm_runtime_enable error. If revert the backport for commit b07f349d1864 ("spi: spi-cadence-quadspi: Fix pm runtime unbalance") and commit 04a8ff1bc351 ("spi: cadence-quadspi: fix cleanup of rx_chan on failure paths"), there is no error. If backport commit 0578a6dbfe75 ("spi: spi-cadence-quadspi: add runtime pm support") and commit 86401132d7bb ("spi: spi-cadence-quadspi: Fix missing unwind goto warnings"), there is hang during booting. I didn't find the cause of the hang. Since commit 0578a6dbfe75 ("spi: spi-cadence-quadspi: add runtime pm support") and commit 86401132d7bb ("spi: spi-cadence-quadspi: Fix missing unwind goto warnings") are not backported, commit b07f349d1864 ("spi: spi-cadence-quadspi: Fix pm runtime unbalance") and commit 04a8ff1bc351 ("spi: cadence-quadspi: fix cleanup of rx_chan on failure paths") are not needed. So revert commits commit cdfb20e4b34a ("spi: spi-cadence-quadspi: Fix pm runtime unbalance") and commit 1af6d1696ca4 ("spi: cadence-quadspi: fix cleanup of rx_chan on failure paths"). Signed-off-by: Jinfeng Wang <jinfeng.wang.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Kernel builds successfully with patch. Test enviroment overview: Branch linux-6.6.y Tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Hardware: compiled on X86 machine GCC: gcc version 11.4.0 (Ubuntu~20.04) commands: make clean;make allyesconfig; no building error is seen gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04.2) Hardware: compiled on socfpga stratix10 board verified by check the dmesg log and bind/unbind spi and no Unbalanced pm_runtime_enable! error is seen any more. cmds: dmesg | grep "Unbalanced pm_runtime_enable" echo ff8d2000.spi > /sys/bus/platform/drivers/cadence-qspi/unbind echo ff8d2000.spi > /sys/bus/platform/drivers/cadence-qspi/bind --- drivers/spi/spi-cadence-quadspi.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c index 7c17b8c0425e..9285a683324f 100644 --- a/drivers/spi/spi-cadence-quadspi.c +++ b/drivers/spi/spi-cadence-quadspi.c @@ -1870,6 +1870,11 @@ static int cqspi_probe(struct platform_device *pdev) pm_runtime_enable(dev); + if (cqspi->rx_chan) { + dma_release_channel(cqspi->rx_chan); + goto probe_setup_failed; + } + ret = spi_register_controller(host); if (ret) { dev_err(&pdev->dev, "failed to register SPI ctlr %d\n", ret); -- 2.25.1

1 week

3
3
0 0

[PATCH] drivers/misc/amd-sbi/Kconfig: select REGMAP_I2C

by Max Kellermann

Without CONFIG_REGMAP, rmi-i2c.c fails to build because struct regmap_config is not defined: drivers/misc/amd-sbi/rmi-i2c.c: In function ‘sbrmi_i2c_probe’: drivers/misc/amd-sbi/rmi-i2c.c:57:16: error: variable ‘sbrmi_i2c_regmap_config’ has initializer but incomplete type 57 | struct regmap_config sbrmi_i2c_regmap_config = { | ^~~~~~~~~~~~~ Additionally, CONFIG_REGMAP_I2C is needed for devm_regmap_init_i2c(): ld: drivers/misc/amd-sbi/rmi-i2c.o: in function `sbrmi_i2c_probe': drivers/misc/amd-sbi/rmi-i2c.c:69:(.text+0x1c0): undefined reference to `__devm_regmap_init_i2c' Fixes: 013f7e7131bd ("misc: amd-sbi: Use regmap subsystem") Cc: stable(a)vger.kernel.org Signed-off-by: Max Kellermann <max.kellermann(a)ionos.com> --- drivers/misc/amd-sbi/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/misc/amd-sbi/Kconfig b/drivers/misc/amd-sbi/Kconfig index 4840831c84ca..4aae0733d0fc 100644 --- a/drivers/misc/amd-sbi/Kconfig +++ b/drivers/misc/amd-sbi/Kconfig @@ -2,6 +2,7 @@ config AMD_SBRMI_I2C tristate "AMD side band RMI support" depends on I2C + select REGMAP_I2C help Side band RMI over I2C support for AMD out of band management. -- 2.47.2

1 week

2
1
0 0

[PATCH v2 RESEND] media: as102: fix to not free memory after the device is registered in as102_usb_probe()

by Jeongjun Park

In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as102_dev_t .... usb_register_dev(); open("/path/to/dev"); // open as102 dev .... usb_deregister_dev(); .... kfree(); // free as102_dev_t .... close(fd); as102_release() // UAF!! as102_usb_release() kfree(); // DFB!! ``` When a USB character device registered with usb_register_dev() is later unregistered (via usb_deregister_dev() or disconnect), the device node is removed so new open() calls fail. However, file descriptors that are already open do not go away immediately: they remain valid until the last reference is dropped and the driver's .release() is invoked. In as102, as102_usb_probe() calls usb_register_dev() and then, on an error path, does usb_deregister_dev() and frees as102_dev_t right away. If userspace raced a successful open() before the deregistration, that open FD will later hit as102_release() --> as102_usb_release() and access or free as102_dev_t again, occur a race to use-after-free and double-free vuln. The fix is to never kfree(as102_dev_t) directly once usb_register_dev() has succeeded. After deregistration, defer freeing memory to .release(). In other words, let release() perform the last kfree when the final open FD is closed. Cc: <stable(a)vger.kernel.org> Reported-by: syzbot+47321e8fd5a4c84088db(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=47321e8fd5a4c84088db Fixes: cd19f7d3e39b ("[media] as102: fix leaks at failure paths in as102_usb_probe()") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- v2: Fix incorrect patch description style and CC stable mailing list - Link to v1: https://lore.kernel.org/all/20250822143539.1157329-1-aha310510@gmail.com/ --- drivers/media/usb/as102/as102_usb_drv.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/usb/as102/as102_usb_drv.c b/drivers/media/usb/as102/as102_usb_drv.c index e0ef66a522e2..abde5666b2ee 100644 --- a/drivers/media/usb/as102/as102_usb_drv.c +++ b/drivers/media/usb/as102/as102_usb_drv.c @@ -404,6 +404,7 @@ static int as102_usb_probe(struct usb_interface *intf, as102_free_usb_stream_buffer(as102_dev); failed_stream: usb_deregister_dev(intf, &as102_usb_class_driver); + return ret; failed: usb_put_dev(as102_dev->bus_adap.usb_dev); usb_set_intfdata(intf, NULL); --

1 week

1
0
0 0

[PATCH v2 RESEND] media: hackrf: fix to not free memory after the device is registered in hackrf_probe()

by Jeongjun Park

In hackrf driver, the following race condition occurs: ``` CPU0 CPU1 hackrf_probe() kzalloc(); // alloc hackrf_dev .... v4l2_device_register(); .... open("/path/to/dev"); // open hackrf dev .... v4l2_device_unregister(); .... kfree(); // free hackrf_dev .... ioctl(fd, ...); v4l2_ioctl(); video_is_registered() // UAF!! .... close(fd); v4l2_release() // UAF!! hackrf_video_release() kfree(); // DFB!! ``` When a V4L2 or video device is unregistered, the device node is removed so new open() calls are blocked. However, file descriptors that are already open-and any in-flight I/O-do not terminate immediately; they remain valid until the last reference is dropped and the driver's release() is invoked. Therefore, freeing device memory on the error path after hackrf_probe() has registered dev it will lead to a race to use-after-free vuln, since those already-open handles haven't been released yet. And since release() free memory too, race to use-after-free and double-free vuln occur. To prevent this, if device is registered from probe(), it should be modified to free memory only through release() rather than calling kfree() directly. Cc: <stable(a)vger.kernel.org> Reported-by: syzbot+6ffd76b5405c006a46b7(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6ffd76b5405c006a46b7 Reported-by: syzbot+f1b20958f93d2d250727(a)syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f1b20958f93d2d250727 Fixes: 8bc4a9ed8504 ("[media] hackrf: add support for transmitter") Signed-off-by: Jeongjun Park <aha310510(a)gmail.com> --- v2: Fix incorrect patch description style and CC stable mailing list - Link to v1: https://lore.kernel.org/all/20250822142729.1156816-1-aha310510@gmail.com/ --- drivers/media/usb/hackrf/hackrf.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/media/usb/hackrf/hackrf.c b/drivers/media/usb/hackrf/hackrf.c index 0b50de8775a3..d7a84422193d 100644 --- a/drivers/media/usb/hackrf/hackrf.c +++ b/drivers/media/usb/hackrf/hackrf.c @@ -1515,6 +1515,8 @@ static int hackrf_probe(struct usb_interface *intf, video_unregister_device(&dev->rx_vdev); err_v4l2_device_unregister: v4l2_device_unregister(&dev->v4l2_dev); + dev_dbg(&intf->dev, "failed=%d\n", ret); + return ret; err_v4l2_ctrl_handler_free_tx: v4l2_ctrl_handler_free(&dev->tx_ctrl_handler); err_v4l2_ctrl_handler_free_rx: --

1 week

1
0
0 0

[PATCH] perf/x86/intel: Fix KASAN global-out-of-bounds warning

by Dapeng Mi

When running "perf mem record" command on CWF, the below KASAN global-out-of-bounds warning is seen. 196.273657] ================================================================== [ 196.273662] BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0 [ 196.273669] Read of size 4 at addr ffffffffb721d000 by task dtlb/9850 [ 196.273676] CPU: 126 UID: 0 PID: 9850 Comm: dtlb Kdump: loaded Not tainted 6.17.0-rc3-2025-08-29-intel-next-34160-g316938187eb0 #1 PREEMPT(none) [ 196.273680] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.IPC.3544.P83.2507110208 07/11/2025 [ 196.273682] Call Trace: [ 196.273683] <NMI> [ 196.273684] dump_stack_lvl+0x55/0x70 [ 196.273689] print_address_description.constprop.0+0x2c/0x3d0 [ 196.273694] ? cmt_latency_data+0x176/0x1b0 [ 196.273696] print_report+0xb4/0x270 [ 196.273699] ? kasan_addr_to_slab+0xd/0xa0 [ 196.273702] kasan_report+0xb8/0xf0 [ 196.273705] ? cmt_latency_data+0x176/0x1b0 [ 196.273707] cmt_latency_data+0x176/0x1b0 [ 196.273710] setup_arch_pebs_sample_data+0xf49/0x2560 [ 196.273713] intel_pmu_drain_arch_pebs+0x577/0xb00 [ 196.273716] ? __pfx_intel_pmu_drain_arch_pebs+0x10/0x10 [ 196.273719] ? perf_output_begin+0x3e4/0xa10 [ 196.273724] ? intel_pmu_drain_bts_buffer+0xc2/0x6a0 [ 196.273727] ? __pfx_intel_pmu_drain_bts_buffer+0x10/0x10 [ 196.273730] handle_pmi_common+0x6c4/0xc80 [ 196.273734] ? __pfx_handle_pmi_common+0x10/0x10 [ 196.273738] ? intel_bts_interrupt+0xd3/0x4d0 [ 196.273740] ? __pfx_intel_bts_interrupt+0x10/0x10 [ 196.273742] ? intel_pmu_lbr_enable_all+0x25/0x150 [ 196.273745] intel_pmu_handle_irq+0x388/0x700 [ 196.273748] perf_event_nmi_handler+0xff/0x150 [ 196.273751] nmi_handle.part.0+0xa8/0x2d0 [ 196.273755] ? perf_output_begin+0x3e9/0xa10 [ 196.273757] default_do_nmi+0x79/0x1a0 [ 196.273760] fred_exc_nmi+0x40/0x90 [ 196.273762] asm_fred_entrypoint_kernel+0x45/0x60 [ 196.273765] RIP: 0010:perf_output_begin+0x3e9/0xa10 [ 196.273768] Code: 54 24 1c 85 d2 0f 85 19 03 00 00 48 8b 44 24 18 48 c1 e8 03 42 0f b6 04 28 84 c0 74 08 3c 03 0f 8e 25 05 00 00 41 8b 44 24 18 <c1> e0 0c 48 98 48 83 e8 01 80 7c 24 2a 00 0f 85 f9 02 00 00 4c 29 [ 196.273770] RSP: 0018:ffffc9001cf575e8 EFLAGS: 00000246 [ 196.273774] RAX: 0000000000000080 RBX: ffff88c1a0f95028 RCX: 0000000000000004 [ 196.273775] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88c08c8f9408 [ 196.273777] RBP: 0000000000000028 R08: 0000000000000000 R09: ffffed18341f2a05 [ 196.273778] R10: ffff88c1a0f9502f R11: ffff88c1a0dbe1b8 R12: ffff88c1a0f95000 [ 196.273779] R13: dffffc0000000000 R14: 0000000000000000 R15: ffffc9001cf577e0 [ 196.273782] </NMI> The issue is caused by below code in __grt_latency_data(). The code tries to access x86_hybrid_pmu structure which doesn't exist on non-hybrid platform like CWF. WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big) So add is_hybrid() check before calling this WARN_ON_ONCE to fix the global-out-of-bounds access issue. Reported-by: Xudong Hao <xudong.hao(a)intel.com> Cc: stable(a)vger.kernel.org Fixes: 090262439f66 ("perf/x86/intel: Rename model-specific pebs_latency_data functions") Signed-off-by: Dapeng Mi <dapeng1.mi(a)linux.intel.com> --- arch/x86/events/intel/ds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c index c0b7ac1c7594..d1ac1f1ceee9 100644 --- a/arch/x86/events/intel/ds.c +++ b/arch/x86/events/intel/ds.c @@ -317,7 +317,7 @@ static u64 __grt_latency_data(struct perf_event *event, u64 status, { u64 val; - WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big); + WARN_ON_ONCE(is_hybrid() && hybrid_pmu(event->pmu)->pmu_type == hybrid_big); dse &= PERF_PEBS_DATA_SOURCE_GRT_MASK; val = hybrid_var(event->pmu, pebs_data_source)[dse]; base-commit: 16ed389227651330879e17bd83d43bd234006722 -- 2.34.1

1 week

1
0
0 0

[merged mm-hotfixes-stable] mm-memory-failure-fix-redundant-updates-for-already-poisoned-pages.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: mm/memory-failure: fix redundant updates for already poisoned pages has been removed from the -mm tree. Its filename was mm-memory-failure-fix-redundant-updates-for-already-poisoned-pages.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Kyle Meyer <kyle.meyer(a)hpe.com> Subject: mm/memory-failure: fix redundant updates for already poisoned pages Date: Thu, 28 Aug 2025 13:38:20 -0500 Duplicate memory errors can be reported by multiple sources. Passing an already poisoned page to action_result() causes issues: * The amount of hardware corrupted memory is incorrectly updated. * Per NUMA node MF stats are incorrectly updated. * Redundant "already poisoned" messages are printed. Avoid those issues by: * Skipping hardware corrupted memory updates for already poisoned pages. * Skipping per NUMA node MF stats updates for already poisoned pages. * Dropping redundant "already poisoned" messages. Make MF_MSG_ALREADY_POISONED consistent with other action_page_types and make calls to action_result() consistent for already poisoned normal pages and huge pages. Link: https://lkml.kernel.org/r/aLCiHMy12Ck3ouwC@hpe.com Fixes: b8b9488d50b7 ("mm/memory-failure: improve memory failure action_result messages") Signed-off-by: Kyle Meyer <kyle.meyer(a)hpe.com> Reviewed-by: Jiaqi Yan <jiaqiyan(a)google.com> Acked-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Jane Chu <jane.chu(a)oracle.com> Acked-by: Miaohe Lin <linmiaohe(a)huawei.com> Cc: Borislav Betkov <bp(a)alien8.de> Cc: Kyle Meyer <kyle.meyer(a)hpe.com> Cc: Liam Howlett <liam.howlett(a)oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes(a)oracle.com> Cc: "Luck, Tony" <tony.luck(a)intel.com> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)kernel.org> Cc: Naoya Horiguchi <nao.horiguchi(a)gmail.com> Cc: Oscar Salvador <osalvador(a)suse.de> Cc: Russ Anderson <russ.anderson(a)hpe.com> Cc: Suren Baghdasaryan <surenb(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory-failure.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) --- a/mm/memory-failure.c~mm-memory-failure-fix-redundant-updates-for-already-poisoned-pages +++ a/mm/memory-failure.c @@ -956,7 +956,7 @@ static const char * const action_page_ty [MF_MSG_BUDDY] = "free buddy page", [MF_MSG_DAX] = "dax page", [MF_MSG_UNSPLIT_THP] = "unsplit thp", - [MF_MSG_ALREADY_POISONED] = "already poisoned", + [MF_MSG_ALREADY_POISONED] = "already poisoned page", [MF_MSG_UNKNOWN] = "unknown page", }; @@ -1349,9 +1349,10 @@ static int action_result(unsigned long p { trace_memory_failure_event(pfn, type, result); - num_poisoned_pages_inc(pfn); - - update_per_node_mf_stats(pfn, result); + if (type != MF_MSG_ALREADY_POISONED) { + num_poisoned_pages_inc(pfn); + update_per_node_mf_stats(pfn, result); + } pr_err("%#lx: recovery action for %s: %s\n", pfn, action_page_types[type], action_name[result]); @@ -2094,12 +2095,11 @@ retry: *hugetlb = 0; return 0; } else if (res == -EHWPOISON) { - pr_err("%#lx: already hardware poisoned\n", pfn); if (flags & MF_ACTION_REQUIRED) { folio = page_folio(p); res = kill_accessing_process(current, folio_pfn(folio), flags); - action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED); } + action_result(pfn, MF_MSG_ALREADY_POISONED, MF_FAILED); return res; } else if (res == -EBUSY) { if (!(flags & MF_NO_RETRY)) { @@ -2285,7 +2285,6 @@ try_again: goto unlock_mutex; if (TestSetPageHWPoison(p)) { - pr_err("%#lx: already hardware poisoned\n", pfn); res = -EHWPOISON; if (flags & MF_ACTION_REQUIRED) res = kill_accessing_process(current, pfn, flags); _ Patches currently in -mm which might be from kyle.meyer(a)hpe.com are

1 week

1
0
0 0

[merged mm-hotfixes-stable] s390-kexec-initialize-kexec_buf-struct.patch removed from -mm tree

by Andrew Morton

The quilt patch titled Subject: s390: kexec: initialize kexec_buf struct has been removed from the -mm tree. Its filename was s390-kexec-initialize-kexec_buf-struct.patch This patch was dropped because it was merged into the mm-hotfixes-stable branch of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm ------------------------------------------------------ From: Breno Leitao <leitao(a)debian.org> Subject: s390: kexec: initialize kexec_buf struct Date: Wed, 27 Aug 2025 03:42:23 -0700 The kexec_buf structure was previously declared without initialization. commit bf454ec31add ("kexec_file: allow to place kexec_buf randomly") added a field that is always read but not consistently populated by all architectures. This un-initialized field will contain garbage. This is also triggering a UBSAN warning when the uninitialized data was accessed: ------------[ cut here ]------------ UBSAN: invalid-load in ./include/linux/kexec.h:210:10 load of value 252 is not a valid value for type '_Bool' Zero-initializing kexec_buf at declaration ensures all fields are cleanly set, preventing future instances of uninitialized memory being used. Link: https://lkml.kernel.org/r/20250827-kbuf_all-v1-3-1df9882bb01a@debian.org Fixes: bf454ec31add ("kexec_file: allow to place kexec_buf randomly") Signed-off-by: Breno Leitao <leitao(a)debian.org> Cc: Albert Ou <aou(a)eecs.berkeley.edu> Cc: Alexander Gordeev <agordeev(a)linux.ibm.com> Cc: Alexandre Ghiti <alex(a)ghiti.fr> Cc: Baoquan He <bhe(a)redhat.com> Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Christian Borntraeger <borntraeger(a)linux.ibm.com> Cc: Coiby Xu <coxu(a)redhat.com> Cc: Heiko Carstens <hca(a)linux.ibm.com> Cc: Palmer Dabbelt <palmer(a)dabbelt.com> Cc: Paul Walmsley <paul.walmsley(a)sifive.com> Cc: Sven Schnelle <svens(a)linux.ibm.com> Cc: Vasily Gorbik <gor(a)linux.ibm.com> Cc: Will Deacon <will(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/s390/kernel/kexec_elf.c | 2 +- arch/s390/kernel/kexec_image.c | 2 +- arch/s390/kernel/machine_kexec_file.c | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) --- a/arch/s390/kernel/kexec_elf.c~s390-kexec-initialize-kexec_buf-struct +++ a/arch/s390/kernel/kexec_elf.c @@ -16,7 +16,7 @@ static int kexec_file_add_kernel_elf(struct kimage *image, struct s390_load_data *data) { - struct kexec_buf buf; + struct kexec_buf buf = {}; const Elf_Ehdr *ehdr; const Elf_Phdr *phdr; Elf_Addr entry; --- a/arch/s390/kernel/kexec_image.c~s390-kexec-initialize-kexec_buf-struct +++ a/arch/s390/kernel/kexec_image.c @@ -16,7 +16,7 @@ static int kexec_file_add_kernel_image(struct kimage *image, struct s390_load_data *data) { - struct kexec_buf buf; + struct kexec_buf buf = {}; buf.image = image; --- a/arch/s390/kernel/machine_kexec_file.c~s390-kexec-initialize-kexec_buf-struct +++ a/arch/s390/kernel/machine_kexec_file.c @@ -129,7 +129,7 @@ static int kexec_file_update_purgatory(s static int kexec_file_add_purgatory(struct kimage *image, struct s390_load_data *data) { - struct kexec_buf buf; + struct kexec_buf buf = {}; int ret; buf.image = image; @@ -152,7 +152,7 @@ static int kexec_file_add_purgatory(stru static int kexec_file_add_initrd(struct kimage *image, struct s390_load_data *data) { - struct kexec_buf buf; + struct kexec_buf buf = {}; int ret; buf.image = image; @@ -184,7 +184,7 @@ static int kexec_file_add_ipl_report(str { __u32 *lc_ipl_parmblock_ptr; unsigned int len, ncerts; - struct kexec_buf buf; + struct kexec_buf buf = {}; unsigned long addr; void *ptr, *end; int ret; _ Patches currently in -mm which might be from leitao(a)debian.org are

1 week

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror