Merge tag 'v6.18.7' into qcom-6.18.y #200
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ Upstream commit ebecca5 ] During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT. Steps to reproduce: ** Bring the interface down (if up) ifconfig eth1 down ** update the queue count (eg., 27->20) ethtool -L eth1 combined 20 ** display the RSS LUT ethtool -x eth1 [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000 [82375.558373] #PF: supervisor read access in kernel mode [82375.558391] #PF: error_code(0x0000) - not-present page [82375.558408] PGD 0 P4D 0 [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf] [82375.558786] Call Trace: [82375.558793] <TASK> [82375.558804] rss_prepare.isra.0+0x187/0x2a0 [82375.558827] rss_prepare_data+0x3a/0x50 [82375.558845] ethnl_default_doit+0x13d/0x3e0 [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180 [82375.558886] genl_rcv_msg+0x1ad/0x2b0 [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10 [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10 [82375.558937] netlink_rcv_skb+0x58/0x100 [82375.558957] genl_rcv+0x2c/0x50 [82375.558971] netlink_unicast+0x289/0x3e0 [82375.558988] netlink_sendmsg+0x215/0x440 [82375.559005] __sys_sendto+0x234/0x240 [82375.559555] __x64_sys_sendto+0x28/0x30 [82375.560068] x64_sys_call+0x1909/0x1da0 [82375.560576] do_syscall_64+0x7a/0xfa0 [82375.561076] ? clear_bhb_loop+0x60/0xb0 [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e <snip> Fixes: 02cbfba ("idpf: add ethtool callbacks") Signed-off-by: Sreedevi Joshi <sreedevi.joshi@intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com> Reviewed-by: Emil Tantilov <emil.s.tantilov@intel.com> Reviewed-by: Simon Horman <horms@kernel.org> Tested-by: Samuel Salin <Samuel.salin@intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 87b8ee6 ] Fix error handling to properly cleanup interrupts when idpf_vport_queue_ids_init() or idpf_rx_bufs_init_all() fail. Jump to 'intr_deinit' instead of 'queues_rel' to ensure interrupts are cleaned up before releasing other resources. Fixes: d4d5587 ("idpf: initialize interrupts and enable vport") Signed-off-by: Sreedevi Joshi <sreedevi.joshi@intel.com> Reviewed-by: Madhu Chittim <madhu.chittim@intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Reviewed-by: Simon Horman <horms@kernel.org> Tested-by: Samuel Salin <Samuel.salin@intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 086efe0 ] The HW only supports a maximum Rx buffer size of 16K-128. On systems using large pages, the libeth logic can configure the buffer size to be larger than this. The upper bound is PAGE_SIZE while the lower bound is MTU rounded up to the nearest power of 2. For example, ARM systems with a 64K page size and an mtu of 9000 will set the Rx buffer size to 16K, which will cause the config Rx queues message to fail. Initialize the bufq/fill queue buf_len field to the maximum supported size. This will trigger the libeth logic to cap the maximum Rx buffer size by reducing the upper bound. Fixes: 74d1412 ("idpf: use libeth Rx buffer management for payload buffer") Signed-off-by: Joshua Hay <joshua.a.hay@intel.com> Acked-by: Alexander Lobakin <aleksander.lobakin@intel.com> Reviewed-by: Madhu Chittim <madhu.chittim@intel.com> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Reviewed-by: David Decotigny <ddecotig@google.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 4648fb2 ] If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not allocate vdev_info for this vport. This leads to kernel NULL pointer dereference in idpf_idc_vport_dev_down(), which references vdev_info for every vport regardless. Check, if vdev_info was ever allocated before unplugging aux device. Fixes: be91128 ("idpf: implement RDMA vport auxiliary dev create, init, and destroy") Reviewed-by: Madhu Chittim <madhu.chittim@intel.com> Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com> Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de> Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Tested-by: Krishneil Singh <krishneil.k.singh@intel.com> Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
…able" [ Upstream commit 7801edc ] This reverts commit 926eae6, which never could have produced the intended effect: https://lore.kernel.org/netdev/AM0PR06MB10396BBF8B568D77556FC46F8F7DEA@AM0PR06MB10396.eurprd06.prod.outlook.com/ The reason why it is broken beyond repair in this form is that the mv88e6xxx driver outsources its "tx-p2p-microvolt" property to the OF node of an external Ethernet PHY. This: (a) does not work if there is no external PHY (chip-to-chip connection, or SFP module) (b) pollutes the OF property namespace / bindings of said external PHY ("tx-p2p-microvolt" could have meaning for the Ethernet PHY's SerDes interface as well) We can revisit the idea of making SerDes amplitude configurable once we have proper bindings for the mv88e6xxx SerDes. Until then, remove the code that leaves us with unnecessary baggage. Fixes: 926eae6 ("dsa: mv88e6xxx: make serdes SGMII/Fiber tx amplitude configurable") Cc: Holger Brunck <holger.brunck@hitachienergy.com> Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260104093952.486606-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit e5c8eda ] Standard UDP receive path does not use skb->destructor. But skmsg layer does use it, since it calls skb_set_owner_sk_safe() from udp_read_skb(). This then triggers this warning in skb_attempt_defer_free(): DEBUG_NET_WARN_ON_ONCE(skb->destructor); We must call skb_orphan() to fix this issue. Fixes: 6471658 ("udp: use skb_attempt_defer_free()") Reported-by: syzbot+3e68572cf2286ce5ebe9@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/695b83bd.050a0220.1c9965.002b.GAE@google.com/T/#u Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260105093630.1976085-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
…cess [ Upstream commit 13ff3e7 ] We expect the SFP write accessors to return the number of written bytes. We fail to do so for single-byte smbus accesses, which may cause errors when setting a module's high-power state and for some cotsworks modules. Let's return the amount of written bytes, as expected. Fixes: 7662abf ("net: phy: sfp: Add support for SMBus module access") Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Link: https://patch.msgid.link/20260105151840.144552-1-maxime.chevallier@bootlin.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit adb25a4 ] syzbot reported a crash in tc_act_in_hw() during netns teardown where tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action pointer, leading to an invalid dereference. Guard against ERR_PTR entries when iterating the action IDR so teardown does not call tc_act_in_hw() on an error pointer. Fixes: 84a7d67 ("net/sched: acp_api: no longer acquire RTNL in tc_action_net_exit()") Link: https://syzkaller.appspot.com/bug?extid=8f1c492ffa4644ff3826 Reported-by: syzbot+8f1c492ffa4644ff3826@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8f1c492ffa4644ff3826 Signed-off-by: Shivani Gupta <shivani07g@gmail.com> Link: https://patch.msgid.link/20260105005905.243423-1-shivani07g@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 353cfc0 ] The pp_alloc_fail.py test (which doesn't run in NIPA CI?) uses tool, add back the import. Resolves: ImportError: cannot import name 'tool' from 'lib.py' Fixes: 68a0522 ("selftests: drv-net: update remaining Python init files") Reviewed-by: Nimrod Oren <noren@nvidia.com> Signed-off-by: Gal Pressman <gal@nvidia.com> Link: https://patch.msgid.link/20260105163319.47619-1-gal@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit d83dddf ] This patch fixes the edge case behavior on ifup/ifdown and linking/unlinking two netdevsim interfaces: 1. unlink two interfaces netdevsim1 and netdevsim2 2. ifdown netdevsim1 3. ifup netdevsim1 4. link two interfaces netdevsim1 and netdevsim2 5. (Now two interfaces are linked in terms of netdevsim peer, but carrier state of the two interfaces remains DOWN.) This inconsistent behavior is caused by the current implementation, which only cares about the "link, then ifup" order, not "ifup, then link" order. This patch fixes the inconsistency by calling netif_carrier_on() when two netdevsim interfaces are linked. This patch fixes buggy behavior on NetworkManager-based systems which causes the netdevsim test to fail with the following error: # timeout set to 600 # selftests: drivers/net/netdevsim: peer.sh # 2025/12/25 00:54:03 socat[9115] W address is opened in read-write mode but only supports read-only # 2025/12/25 00:56:17 socat[9115] W connect(7, AF=2 192.168.1.1:1234, 16): Connection timed out # 2025/12/25 00:56:17 socat[9115] E TCP:192.168.1.1:1234: Connection timed out # expected 3 bytes, got 0 # 2025/12/25 00:56:17 socat[9109] W exiting on signal 15 not ok 13 selftests: drivers/net/netdevsim: peer.sh # exit=1 This patch also solves timeout on TCP Fast Open (TFO) test in NetworkManager-based systems because it also depends on netdevsim's carrier consistency. Fixes: 1a8fed5 ("netdevsim: set the carrier when the device goes up") Signed-off-by: Yohei Kojima <yk@y-koj.net> Reviewed-by: Breno Leitao <leitao@debian.org> Link: https://patch.msgid.link/602c9e1ba5bb2ee1997bb38b1d866c9c3b807ae9.1767624906.git.yk@y-koj.net Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 6acd4ac ] nvme_set_app_tag() uses the app_tag value from the bio_integrity_payload of the struct request's first bio. This assumes all the request's bios have the same app_tag. However, it is possible for bios with different app_tag values to be merged into a single request. Add a check in blk_integrity_merge_{bio,rq}() to prevent the merging of bios/requests with different app_tag values if BIP_CHECK_APPTAG is set. Signed-off-by: Caleb Sander Mateos <csander@purestorage.com> Fixes: 3d8b5a2 ("block: add support to pass user meta buffer") Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 1e2ed4b ] The ftrace_dump_on_oops string is not used outside of trace.c so make it static to avoid the export warning from sparse: kernel/trace/trace.c:141:6: warning: symbol 'ftrace_dump_on_oops' was not declared. Should it be static? Fixes: dd293df ("tracing: Move trace sysctls into trace.c") Link: https://patch.msgid.link/20260106231054.84270-1-ben.dooks@codethink.co.uk Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bdb3235 ] SPARC T5-2 dts describes some PCI BARs as 64-bit resources without the pref(etchable) bit (0x83... vs 0xc3... in assigned-addresses) for address ranges above the 4G threshold. Such resources cannot be placed into a non-prefetchable PCI bridge window that is capable only of 32-bit addressing. As such, it looks like the platform is improperly described by the dts. The kernel detects this problem (see the IORESOURCE_PREFETCH check in pci_find_parent_resource()) and fails to assign these BAR resources to the resource tree due to lack of a compatible bridge window. Prior to 754baba ("sparc/PCI: Remove pcibios_enable_device() as they do nothing extra") SPARC arch code did not test whether device resources were successfully in the resource tree when enabling a device, effectively hiding the problem. After removing the arch-specific enable code, pci_enable_resources() refuses to enable the device when it finds not all mem resources are assigned, and therefore mpt3sas can't be enabled: pci 0001:04:00.0: reg 0x14: [mem 0x801110000000-0x80111000ffff 64bit] pci 0001:04:00.0: reg 0x1c: [mem 0x801110040000-0x80111007ffff 64bit] pci 0001:04:00.0: BAR 1 [mem 0x801110000000-0x80111000ffff 64bit]: can't claim; no compatible bridge window pci 0001:04:00.0: BAR 3 [mem 0x801110040000-0x80111007ffff 64bit]: can't claim; no compatible bridge window mpt3sas 0001:04:00.0: BAR 1 [mem size 0x00010000 64bit]: not assigned; can't enable device For clarity, this filtered log only shows failures for one mpt3sas device but other devices fail similarly. In the reported case, the end result with all the failures is an unbootable system. Things appeared to "work" before 754baba ("sparc/PCI: Remove pcibios_enable_device() as they do nothing extra") because the resource tree is agnostic to whether PCI BAR resources are properly in the tree or not. So as long as there was a parent resource (e.g. a root bus resource) that contains the address range, the resource tree code just places resource request underneath it without any consideration to the intermediate BAR resource. While it worked, it's incorrect setup still. Add an OF fixup to set the IORESOURCE_PREFETCH flag for a 64-bit PCI resource that has the end address above 4G requiring placement into the prefetchable window. Also log the issue. Fixes: 754baba ("sparc/PCI: Remove pcibios_enable_device() as they do nothing extra") Reported-by: Nathaniel Roach <nroach44@gmail.com> Closes: sparclinux/issues#22 Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Tested-by: Nathaniel Roach <nroach44@gmail.com> Link: https://patch.msgid.link/20251124170411.3709-1-ilpo.jarvinen@linux.intel.com Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit c7fabe4 ] For years I wondered why the Apple Cinema Display driver would not just work for me. Turns out the hidraw driver instantly takes it over. Fix by adding appledisplay VID/PIDs to hid_have_special_driver. Fixes: 069e8a6 ("Driver for Apple Cinema Display") Signed-off-by: René Rebe <rene@exactco.de> Signed-off-by: Jiri Kosina <jkosina@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 6abcf75 ] airoha_ppe_deinit() runs airoha_npu_ppe_deinit() in atomic context. airoha_npu_ppe_deinit routine allocates ppe_data buffer with GFP_KERNEL flag. Rely on rcu_replace_pointer in airoha_ppe_deinit routine in order to fix schedule while atomic issue in airoha_npu_ppe_deinit() since we do not need atomic context there. Fixes: 00a7678 ("net: airoha: Introduce flowtable offload support") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Link: https://patch.msgid.link/20260105-airoha-fw-ethtool-v2-1-3b32b158cc31@kernel.org Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 3334188 ] The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel. This could result in a NULL pointer dereference in cfg80211_next_nan_dw_notif. Fixes: a37a6f5 ("wifi: mac80211_hwsim: Add simulation support for NAN device") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Ilan Peer <ilan.peer@intel.com> Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20260107143652.7dab2035836f.Iacbaf7bb94ed5c14a0928a625827e4137d8bfede@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
…te in qfq_reset [ Upstream commit c1d73b1 ] `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_new_tfilter. When packets are enqueued through the root QFQ qdisc, the shared leaf_qdisc->q.qlen increases. At the same time, the second QFQ qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters qfq_reset() with its own q->q.qlen == 0, but its class's leaf qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: [ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 0.903571] #PF: supervisor write access in kernel mode [ 0.903860] #PF: error_code(0x0002) - not-present page [ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 [ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI [ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE [ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) [ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 Code starting with the faulting instruction =========================================== 0: 0f 84 4d 01 00 00 je 0x153 6: 48 89 70 18 mov %rsi,0x18(%rax) a: 8b 4b 10 mov 0x10(%rbx),%ecx d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx 14: 48 8b 78 08 mov 0x8(%rax),%rdi 18: 48 d3 e2 shl %cl,%rdx 1b: 48 21 f2 and %rsi,%rdx 1e: 48 2b 13 sub (%rbx),%rdx 21: 48 8b 30 mov (%rax),%rsi 24: 48 d3 ea shr %cl,%rdx 27: 8b 4b 18 mov 0x18(%rbx),%ecx ... [ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 [ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 [ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 [ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 [ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 [ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 [ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 [ 0.910247] PKRU: 55555554 [ 0.910391] Call Trace: [ 0.910527] <TASK> [ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) [ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) [ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) [ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) [ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) [ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 0.912296] ? __alloc_skb (net/core/skbuff.c:706) [ 0.912484] netlink_sendmsg (net/netlink/af_netlink.c:1894) [ 0.912682] sock_write_iter (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1)) [ 0.912880] vfs_write (fs/read_write.c:593 fs/read_write.c:686) [ 0.913077] ksys_write (fs/read_write.c:738) [ 0.913252] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) [ 0.913438] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) [ 0.913687] RIP: 0033:0x424c34 [ 0.913844] Code: 89 02 48 c7 c0 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 2d 44 09 00 00 74 13 b8 01 00 00 00 0f 05 9 Code starting with the faulting instruction =========================================== 0: 89 02 mov %eax,(%rdx) 2: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax 9: eb bd jmp 0xffffffffffffffc8 b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 12: 00 00 00 15: 90 nop 16: f3 0f 1e fa endbr64 1a: 80 3d 2d 44 09 00 00 cmpb $0x0,0x9442d(%rip) # 0x9444e 21: 74 13 je 0x36 23: b8 01 00 00 00 mov $0x1,%eax 28: 0f 05 syscall 2a: 09 .byte 0x9 [ 0.914807] RSP: 002b:00007ffea1938b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 [ 0.915197] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000424c34 [ 0.915556] RDX: 000000000000003c RSI: 000000002af378c0 RDI: 0000000000000003 [ 0.915912] RBP: 00007ffea1938bc0 R08: 00000000004b8820 R09: 0000000000000000 [ 0.916297] R10: 0000000000000001 R11: 0000000000000202 R12: 00007ffea1938d28 [ 0.916652] R13: 00007ffea1938d38 R14: 00000000004b3828 R15: 0000000000000001 [ 0.917039] </TASK> [ 0.917158] Modules linked in: [ 0.917316] CR2: 0000000000000000 [ 0.917484] ---[ end trace 0000000000000000 ]--- [ 0.917717] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) [ 0.917978] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 Code starting with the faulting instruction =========================================== 0: 0f 84 4d 01 00 00 je 0x153 6: 48 89 70 18 mov %rsi,0x18(%rax) a: 8b 4b 10 mov 0x10(%rbx),%ecx d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx 14: 48 8b 78 08 mov 0x8(%rax),%rdi 18: 48 d3 e2 shl %cl,%rdx 1b: 48 21 f2 and %rsi,%rdx 1e: 48 2b 13 sub (%rbx),%rdx 21: 48 8b 30 mov (%rax),%rsi 24: 48 d3 ea shr %cl,%rdx 27: 8b 4b 18 mov 0x18(%rbx),%ecx ... [ 0.918902] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 [ 0.919198] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 [ 0.919559] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.919908] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 [ 0.920289] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 [ 0.920648] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 [ 0.921014] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 [ 0.921424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.921710] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 [ 0.922097] PKRU: 55555554 [ 0.922240] Kernel panic - not syncing: Fatal exception [ 0.922590] Kernel Offset: disabled Fixes: 0545a30 ("pkt_sched: QFQ - quick fair queue scheduler") Signed-off-by: Xiang Mei <xmei5@asu.edu> Link: https://patch.msgid.link/20260106034100.1780779-1-xmei5@asu.edu Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit afa2762 ] When asynchronously writing to the device registers and if usb_submit_urb() fail, the code fail to release allocated to this point resources. Fixes: 323b349 ("drivers: net: usb: pegasus: fix control urb submission") Signed-off-by: Petko Manolov <petkan@nucleusys.com> Link: https://patch.msgid.link/20260106084821.3746677-1-petko.manolov@konsulko.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 4b5bdab ] The max buffer size of ENETC RX BD is 0xFFFF bytes, so if the PAGE_SIZE is greater than 128K, ENETC_RXB_DMA_SIZE and ENETC_RXB_DMA_SIZE_XDP will be greater than 0xFFFF, thus causing a build warning. This will not cause any practical issues because ENETC is currently only used on the ARM64 platform, and the max PAGE_SIZE is 64K. So this patch is only for fixing the build warning that occurs when compiling ENETC drivers for other platforms. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202601050637.kHEKKOG7-lkp@intel.com/ Fixes: e59bc32 ("net: enetc: correct the value of ENETC_RXB_TRUESIZE") Signed-off-by: Wei Fang <wei.fang@nxp.com> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20260107091204.1980222-1-wei.fang@nxp.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit c92510f ] arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call. Fixes: db5b4e3 ("ip6_gre: make ip6gre_header() robust") Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f0d385f ] A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk: 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk() 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does: - del_gendisk(ub->ub_disk) - ublk_detach_disk() sets ub->ub_disk = NULL - put_disk() which may free the disk 3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early. Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached. Fixes: 7fc4da6 ("ublk: scan partition in async way") Reported-by: Ruikai Peng <ruikai@pwno.io> Signed-off-by: Ming Lei <ming.lei@redhat.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 1690eeb ] Kbuild bot (through sparse) reported that the ITTE read to carry out a valid check in gicv5_its_map_event() lacks proper endianness handling. Add the missing endianess conversion. Fixes: 57d7219 ("irqchip/gic-v5: Add GICv5 ITS support") Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Acked-by: Marc Zyngier <maz@kernel.org> Link: https://patch.msgid.link/20251222102250.435460-1-lpieralisi@kernel.org Closes: https://lore.kernel.org/oe-kbuild-all/202512131849.30ZRTBeR-lkp@intel.com/ Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 072a7c7 ] Previously, commit d53cd89 ("erofs: limit the level of fs stacking for file-backed mounts") bumped `s_stack_depth` by one to avoid kernel stack overflow when stacking an unlimited number of EROFS on top of each other. This fix breaks composefs mounts, which need EROFS+ovl^2 sometimes (and such setups are already used in production for quite a long time). One way to fix this regression is to bump FILESYSTEM_MAX_STACK_DEPTH from 2 to 3, but proving that this is safe in general is a high bar. After a long discussion on GitHub issues [1] about possible solutions, one conclusion is that there is no need to support nesting file-backed EROFS mounts on stacked filesystems, because there is always the option to use loopback devices as a fallback. As a quick fix for the composefs regression for this cycle, instead of bumping `s_stack_depth` for file backed EROFS mounts, we disallow nesting file-backed EROFS over EROFS and over filesystems with `s_stack_depth` > 0. This works for all known file-backed mount use cases (composefs, containerd, and Android APEX for some Android vendors), and the fix is self-contained. Essentially, we are allowing one extra unaccounted fs stacking level of EROFS below stacking filesystems, but EROFS can only be used in the read path (i.e. overlayfs lower layers), which typically has much lower stack usage than the write path. We can consider increasing FILESYSTEM_MAX_STACK_DEPTH later, after more stack usage analysis or using alternative approaches, such as splitting the `s_stack_depth` limitation according to different combinations of stacking. Fixes: d53cd89 ("erofs: limit the level of fs stacking for file-backed mounts") Reported-and-tested-by: Dusty Mabe <dusty@dustymabe.com> Reported-by: Timothée Ravier <tim@siosm.fr> Closes: coreos/fedora-coreos-tracker#2087 [1] Reported-by: "Alekséi Naidénov" <an@digitaltide.io> Closes: https://lore.kernel.org/r/CAFHtUiYv4+=+JP_-JjARWjo6OwcvBj1wtYN=z0QXwCpec9sXtg@mail.gmail.com Acked-by: Amir Goldstein <amir73il@gmail.com> Acked-by: Alexander Larsson <alexl@redhat.com> Reviewed-and-tested-by: Sheng Yong <shengyong1@xiaomi.com> Reviewed-by: Zhiguo Niu <zhiguo.niu@unisoc.com> Reviewed-by: Chao Yu <chao@kernel.org> Cc: Christian Brauner <brauner@kernel.org> Cc: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 7893cc1 ] Sheng Yong reported [1] that Android APEX images didn't work with commit 072a7c7 ("erofs: don't bother with s_stack_depth increasing for now") because "EROFS-formatted APEX file images can be stored within an EROFS-formatted Android system partition." In response, I sent a quick fat-fingered [PATCH v3] to address the report. Unfortunately, the updated condition was incorrect: if (erofs_is_fileio_mode(sbi)) { - sb->s_stack_depth = - file_inode(sbi->dif0.file)->i_sb->s_stack_depth + 1; - if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) { - erofs_err(sb, "maximum fs stacking depth exceeded"); + inode = file_inode(sbi->dif0.file); + if ((inode->i_sb->s_op == &erofs_sops && !sb->s_bdev) || + inode->i_sb->s_stack_depth) { The condition `!sb->s_bdev` is always true for all file-backed EROFS mounts, making the check effectively a no-op. The real fix tested and confirmed by Sheng Yong [2] at that time was [PATCH v3 RESEND], which correctly ensures the following EROFS^2 setup works: EROFS (on a block device) + EROFS (file-backed mount) But sadly I screwed it up again by upstreaming the outdated [PATCH v3]. This patch applies the same logic as the delta between the upstream [PATCH v3] and the real fix [PATCH v3 RESEND]. Reported-by: Sheng Yong <shengyong1@xiaomi.com> Closes: https://lore.kernel.org/r/3acec686-4020-4609-aee4-5dae7b9b0093@gmail.com [1] Fixes: 072a7c7 ("erofs: don't bother with s_stack_depth increasing for now") Link: https://lore.kernel.org/r/243f57b8-246f-47e7-9fb1-27a771e8e9e8@gmail.com [2] Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 18de34d ] While running test case btrfs/192 from fstests with support for large folios (needs CONFIG_BTRFS_EXPERIMENTAL=y) I ended up getting very sporadic btrfs check failures reporting that csum items were missing. Looking into the issue it turned out that btrfs check searches for csum items of a file extent item with a range that spans beyond the i_size of a file and we don't have any, because the kernel's writeback code skips submitting bios for ranges beyond eof. It's not expected however to find a file extent item that crosses the rounded up (by the sector size) i_size value, but there is a short time window where we can end up with a transaction commit leaving this small inconsistency between the i_size and the last file extent item. Example btrfs check output when this happens: $ btrfs check /dev/sdc Opening filesystem to check... Checking filesystem on /dev/sdc UUID: 69642c61-5efb-4367-aa31-cdfd4067f713 [1/8] checking log skipped (none written) [2/8] checking root items [3/8] checking extents [4/8] checking free space tree [5/8] checking fs roots root 5 inode 332 errors 1000, some csum missing ERROR: errors found in fs roots (...) Looking at a tree dump of the fs tree (root 5) for inode 332 we have: $ btrfs inspect-internal dump-tree -t 5 /dev/sdc (...) item 28 key (332 INODE_ITEM 0) itemoff 2006 itemsize 160 generation 17 transid 19 size 610969 nbytes 86016 block group 0 mode 100666 links 1 uid 0 gid 0 rdev 0 sequence 11 flags 0x0(none) atime 1759851068.391327881 (2025-10-07 16:31:08) ctime 1759851068.410098267 (2025-10-07 16:31:08) mtime 1759851068.410098267 (2025-10-07 16:31:08) otime 1759851068.391327881 (2025-10-07 16:31:08) item 29 key (332 INODE_REF 340) itemoff 1993 itemsize 13 index 2 namelen 3 name: f1f item 30 key (332 EXTENT_DATA 589824) itemoff 1940 itemsize 53 generation 19 type 1 (regular) extent data disk byte 21745664 nr 65536 extent data offset 0 nr 65536 ram 65536 extent compression 0 (none) (...) We can see that the file extent item for file offset 589824 has a length of 64K and its number of bytes is 64K. Looking at the inode item we see that its i_size is 610969 bytes which falls within the range of that file extent item [589824, 655360[. Looking into the csum tree: $ btrfs inspect-internal dump-tree /dev/sdc (...) item 15 key (EXTENT_CSUM EXTENT_CSUM 21565440) itemoff 991 itemsize 200 range start 21565440 end 21770240 length 204800 item 16 key (EXTENT_CSUM EXTENT_CSUM 1104576512) itemoff 983 itemsize 8 range start 1104576512 end 1104584704 length 8192 (..) We see that the csum item number 15 covers the first 24K of the file extent item - it ends at offset 21770240 and the extent's disk_bytenr is 21745664, so we have: 21770240 - 21745664 = 24K We see that the next csum item (number 16) is completely outside the range, so the remaining 40K of the extent doesn't have csum items in the tree. If we round up the i_size to the sector size, we get: round_up(610969, 4096) = 614400 If we subtract from that the file offset for the extent item we get: 614400 - 589824 = 24K So the missing 40K corresponds to the end of the file extent item's range minus the rounded up i_size: 655360 - 614400 = 40K Normally we don't expect a file extent item to span over the rounded up i_size of an inode, since when truncating, doing hole punching and other operations that trim a file extent item, the number of bytes is adjusted. There is however a short time window where the kernel can end up, temporarily,persisting an inode with an i_size that falls in the middle of the last file extent item and the file extent item was not yet trimmed (its number of bytes reduced so that it doesn't cross i_size rounded up by the sector size). The steps (in the kernel) that lead to such scenario are the following: 1) We have inode I as an empty file, no allocated extents, i_size is 0; 2) A buffered write is done for file range [589824, 655360[ (length of 64K) and the i_size is updated to 655360. Note that we got a single large folio for the range (64K); 3) A truncate operation starts that reduces the inode's i_size down to 610969 bytes. The truncate sets the inode's new i_size at btrfs_setsize() by calling truncate_setsize() and before calling btrfs_truncate(); 4) At btrfs_truncate() we trigger writeback for the range starting at 610304 (which is the new i_size rounded down to the sector size) and ending at (u64)-1; 5) During the writeback, at extent_write_cache_pages(), we get from the call to filemap_get_folios_tag(), the 64K folio that starts at file offset 589824 since it contains the start offset of the writeback range (610304); 6) At writepage_delalloc() we find the whole range of the folio is dirty and therefore we run delalloc for that 64K range ([589824, 655360[), reserving a 64K extent, creating an ordered extent, etc; 7) At extent_writepage_io() we submit IO only for subrange [589824, 614400[ because the inode's i_size is 610969 bytes (rounded up by sector size is 614400). There, in the while loop we intentionally skip IO beyond i_size to avoid any unnecessay work and just call btrfs_mark_ordered_io_finished() for the range [614400, 655360[ (which has a 40K length); 8) Once the IO finishes we finish the ordered extent by ending up at btrfs_finish_one_ordered(), join transaction N, insert a file extent item in the inode's subvolume tree for file offset 589824 with a number of bytes of 64K, and update the inode's delayed inode item or directly the inode item with a call to btrfs_update_inode_fallback(), which results in storing the new i_size of 610969 bytes; 9) Transaction N is committed either by the transaction kthread or some other task committed it (in response to a sync or fsync for example). At this point we have inode I persisted with an i_size of 610969 bytes and file extent item that starts at file offset 589824 and has a number of bytes of 64K, ending at an offset of 655360 which is beyond the i_size rounded up to the sector size (614400). --> So after a crash or power failure here, the btrfs check program reports that error about missing checksum items for this inode, as it tries to lookup for checksums covering the whole range of the extent; 10) Only after transaction N is committed that at btrfs_truncate() the call to btrfs_start_transaction() starts a new transaction, N + 1, instead of joining transaction N. And it's with transaction N + 1 that it calls btrfs_truncate_inode_items() which updates the file extent item at file offset 589824 to reduce its number of bytes from 64K down to 24K, so that the file extent item's range ends at the i_size rounded up to the sector size (614400 bytes). Fix this by truncating the ordered extent at extent_writepage_io() when we skip writeback because the current offset in the folio is beyond i_size. This ensures we don't ever persist a file extent item with a number of bytes beyond the rounded up (by sector size) value of the i_size. Reviewed-by: Qu Wenruo <wqu@suse.com> Reviewed-by: Anand Jain <asj@kernel.org> Signed-off-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Stable-dep-of: e9e3b22 ("btrfs: fix beyond-EOF write handling") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 46a2390 ] Instead of repeating the expression "start + len" multiple times, store it in a variable and use it where needed. Reviewed-by: Qu Wenruo <wqu@suse.com> Reviewed-by: Anand Jain <asj@kernel.org> Signed-off-by: Filipe Manana <fdmanana@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Stable-dep-of: e9e3b22 ("btrfs: fix beyond-EOF write handling") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit e9e3b22 ] [BUG] For the following write sequence with 64K page size and 4K fs block size, it will lead to file extent items to be inserted without any data checksum: mkfs.btrfs -s 4k -f $dev > /dev/null mount $dev $mnt xfs_io -f -c "pwrite 0 16k" -c "pwrite 32k 4k" -c pwrite "60k 64K" \ -c "truncate 16k" $mnt/foobar umount $mnt This will result the following 2 file extent items to be inserted (extra trace point added to insert_ordered_extent_file_extent()): btrfs_finish_one_ordered: root=5 ino=257 file_off=61440 num_bytes=4096 csum_bytes=0 btrfs_finish_one_ordered: root=5 ino=257 file_off=0 num_bytes=16384 csum_bytes=16384 Note for file offset 60K, we're inserting a file extent without any data checksum. Also note that range [32K, 36K) didn't reach insert_ordered_extent_file_extent(), which is the correct behavior as that OE is fully truncated, should not result any file extent. Although file extent at 60K will be later dropped by btrfs_truncate(), if the transaction got committed after file extent inserted but before the file extent dropping, we will have a small window where we have a file extent beyond EOF and without any data checksum. That will cause "btrfs check" to report error. [CAUSE] The sequence happens like this: - Buffered write dirtied the page cache and updated isize Now the inode size is 64K, with the following page cache layout: 0 16K 32K 48K 64K |/////////////| |//| |//| - Truncate the inode to 16K Which will trigger writeback through: btrfs_setsize() |- truncate_setsize() | Now the inode size is set to 16K | |- btrfs_truncate() |- btrfs_wait_ordered_range() for [16K, u64(-1)] |- btrfs_fdatawrite_range() for [16K, u64(-1)} |- extent_writepage() for folio 0 |- writepage_delalloc() | Generated OE for [0, 16K), [32K, 36K] and [60K, 64K) | |- extent_writepage_io() Then inside extent_writepage_io(), the dirty fs blocks are handled differently: - Submit write for range [0, 16K) As they are still inside the inode size (16K). - Mark OE [32K, 36K) as truncated Since we only call btrfs_lookup_first_ordered_range() once, which returned the first OE after file offset 16K. - Mark all OEs inside range [16K, 64K) as finished Which will mark OE ranges [32K, 36K) and [60K, 64K) as finished. For OE [32K, 36K) since it's already marked as truncated, and its truncated length is 0, no file extent will be inserted. For OE [60K, 64K) it has never been submitted thus has no data checksum, and we insert the file extent as usual. This is the root cause of file extent at 60K to be inserted without any data checksum. - Clear dirty flags for range [16K, 64K) It is the function btrfs_folio_clear_dirty() which searches and clears any dirty blocks inside that range. [FIX] The bug itself was introduced a long time ago, way before subpage and large folio support. At that time, fs block size must match page size, thus the range [cur, end) is just one fs block. But later with subpage and large folios, the same range [cur, end) can have multiple blocks and ordered extents. Later commit 18de34d ("btrfs: truncate ordered extent when skipping writeback past i_size") was fixing a bug related to subpage/large folios, but it's still utilizing the old range [cur, end), meaning only the first OE will be marked as truncated. The proper fix here is to make EOF handling block-by-block, not trying to handle the whole range to @EnD. By this we always locate and truncate the OE for every dirty block. CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: Qu Wenruo <wqu@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 179ef11 ] When an IRQ worker is running, unplugging the device would cause a crash. The sealevel hardware this driver was written for was not hotpluggable, so I never realized it. This change uses a spinlock to protect a list of workers, which it tears down on disconnect. Signed-off-by: Mary Strodl <mstrodl@csh.rit.edu> Reviewed-by: Linus Walleij <linus.walleij@linaro.org> Link: https://lore.kernel.org/r/20251014133530.3592716-3-mstrodl@csh.rit.edu Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Stable-dep-of: 1e876e5 ("gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit f13b0f7 ] Builds out a facility for specifying compatible lines directions and labels for MPSSE-based devices. * dir_in/out are bitmask of lines that can go in/out. 1 means compatible, 0 means incompatible. * names is an array of line names which will be exposed to userspace. Also changes the chip label format to include some more useful information about the device to help identify it from userspace. Signed-off-by: Mary Strodl <mstrodl@csh.rit.edu> Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Linus Walleij <linus.walleij@linaro.org> Link: https://lore.kernel.org/r/20251014133530.3592716-4-mstrodl@csh.rit.edu Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Stable-dep-of: 1e876e5 ("gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1e876e5 ] The reference obtained by calling usb_get_dev() is not released in the gpio_mpsse_probe() error paths. Fix that by using device managed helper functions. Also remove the usb_put_dev() call in the disconnect function since now it will be released automatically. Cc: stable@vger.kernel.org Fixes: c46a74f ("gpio: add support for FTDI's MPSSE as GPIO") Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in> Link: https://lore.kernel.org/r/20251226060414.20785-1-nihaal@cse.iitm.ac.in Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b18cd8b upstream. When fsl_edma_alloc_chan_resources() fails after clk_prepare_enable(), the error paths only free IRQs and destroy the TCD pool, but forget to call clk_disable_unprepare(). This causes the channel clock to remain enabled, leaking power and resources. Fix it by disabling the channel clock in the error unwind path. Fixes: d8d4355 ("dmaengine: fsl-edma: add i.MX8ULP edma support") Cc: stable@vger.kernel.org Suggested-by: Frank Li <Frank.Li@nxp.com> Signed-off-by: Zhen Ni <zhen.ni@easystack.cn> Reviewed-by: Frank Li <Frank.Li@nxp.com> Link: https://patch.msgid.link/20251014090522.827726-1-zhen.ni@easystack.cn Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 799900f upstream. Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. Fixes: 6e7f3ee ("dmaengine: idxd: move dsa_drv support to compatible mode") Cc: stable@vger.kernel.org # 5.15 Cc: Dave Jiang <dave.jiang@intel.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20251117161258.10679-7-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d4d6305 upstream. Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: e5f4ae8 ("dmaengine: add driver for lpc18xx dmamux") Cc: stable@vger.kernel.org # 4.3 Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Vladimir Zapolskiy <vz@mleia.com> Link: https://patch.msgid.link/20251117161258.10679-8-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d9847e6 upstream. Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: 5d318b5 ("dmaengine: Add dma router for pl08x in LPC32XX SoC") Cc: stable@vger.kernel.org # 6.12 Cc: Piotr Wojtaszczyk <piotr.wojtaszczyk@timesys.com> Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Vladimir Zapolskiy <vz@mleia.com> Link: https://patch.msgid.link/20251117161258.10679-9-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3f74700 upstream. Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2. krealloc() fails and returns NULL 3. The function directly assigns NULL to gchan->config, losing the reference to the original memory 4. The original memory becomes unreachable and cannot be freed Fix this by using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds. Found via static analysis and code review. Fixes: 5d0c353 ("dmaengine: qcom: Add GPI dma driver") Cc: stable@vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006@gmail.com> Reviewed-by: Bjorn Andersson <andersson@kernel.org> Link: https://patch.msgid.link/20251029123421.91973-1-linmq006@gmail.com Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9fb4903 upstream. Make sure to drop the reference taken when looking up the ICU device during probe also on probe failures (e.g. probe deferral). Fixes: 7de8732 ("dmaengine: sh: rz-dmac: Add RZ/V2H(P) support") Cc: stable@vger.kernel.org # 6.16 Cc: Fabrizio Castro <fabrizio.castro.jz@renesas.com> Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com> Link: https://patch.msgid.link/20251117161258.10679-10-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 747213b upstream. After audio full duplex testing, playing the recorded file contains a few playback frames from the previous time. The rz_dmac_terminate_all() does not reset all the hardware descriptors queued previously, leading to the wrong descriptor being picked up during the next DMA transfer. Fix the above issue by resetting all the descriptor headers for a channel in rz_dmac_terminate_all() as rz_dmac_lmdesc_recycle() points to the proper descriptor header filled by the rz_dmac_prepare_descs_for_slave_sg(). Cc: stable@kernel.org Fixes: 5000d37 ("dmaengine: sh: Add DMAC driver for RZ/G2L SoC") Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com> Link: https://patch.msgid.link/20251113195052.564338-1-biju.das.jz@bp.renesas.com Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dd6e494 upstream. Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. Fixes: df7e762 ("dmaengine: Add STM32 DMAMUX driver") Cc: stable@vger.kernel.org # 4.15 Cc: Pierre-Yves MORDRET <pierre-yves.mordret@foss.st.com> Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com> Link: https://patch.msgid.link/20251117161258.10679-11-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b1b590a upstream. Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures. Fixes: df7e762 ("dmaengine: Add STM32 DMAMUX driver") Cc: stable@vger.kernel.org # 4.15 Cc: Pierre-Yves MORDRET <pierre-yves.mordret@foss.st.com> Signed-off-by: Johan Hovold <johan@kernel.org> Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com> Link: https://patch.msgid.link/20251117161258.10679-12-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dc7e44d upstream. Make sure to drop the reference taken when looking up the crossbar platform device during dra7x route allocation. Note that commit 615a4bf ("dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate") fixed the leak in the error paths but the reference is still leaking on successful allocation. Fixes: a074ae3 ("dmaengine: Add driver for TI DMA crossbar on DRA7x") Fixes: 615a4bf ("dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate") Cc: stable@vger.kernel.org # 4.2: 615a4bf Cc: Peter Ujfalusi <peter.ujfalusi@ti.com> Cc: Miaoqian Lin <linmq006@gmail.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20251117161258.10679-14-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4fc17b1 upstream. Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation. Fixes: 42dbdcc ("dmaengine: ti-dma-crossbar: Add support for crossbar on AM33xx/AM43xx") Cc: stable@vger.kernel.org # 4.4 Cc: Peter Ujfalusi <peter.ujfalusi@ti.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20251117161258.10679-15-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 430f780 upstream. Make sure to drop the reference taken when looking up the UDMA platform device. Note that holding a reference to a platform device does not prevent its driver data from going away so there is no point in keeping the reference after the lookup helper returns. Fixes: d702419 ("dmaengine: ti: k3-udma: Add glue layer for non DMAengine users") Fixes: 1438cde ("dmaengine: ti: k3-udma: add missing put_device() call in of_xudma_dev_get()") Cc: stable@vger.kernel.org # 5.6: 1438cde Cc: Grygorii Strashko <grygorii.strashko@ti.com> Cc: Yu Kuai <yukuai3@huawei.com> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://patch.msgid.link/20251117161258.10679-17-johan@kernel.org Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 27bfafa upstream. The page tables used to map the kernel and userspace often have very different handling rules. There are frequently *_kernel() variants of functions just for kernel page tables. That's not great and has lead to code duplication. Instead of having completely separate call paths, allow a 'ptdesc' to be marked as being for kernel mappings. Introduce helpers to set and clear this status. Note: this uses the PG_referenced bit. Page flags are a great fit for this since it is truly a single bit of information. Use PG_referenced itself because it's a fairly benign flag (as opposed to things like PG_lock). It's also (according to Willy) unlikely to go away any time soon. PG_referenced is not in PAGE_FLAGS_CHECK_AT_FREE. It does not need to be cleared before freeing the page, and pages coming out of the allocator should have it cleared. Regardless, introduce an API to clear it anyway. Having symmetry in the API makes it easier to change the underlying implementation later, like if there was a need to move to a PAGE_FLAGS_CHECK_AT_FREE bit. Link: https://lkml.kernel.org/r/20251022082635.2462433-3-baolu.lu@linux.intel.com Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9778705 upstream. Now that the API is in place, mark kernel page table pages just after they are allocated. Unmark them just before they are freed. Note: Unconditionally clearing the 'kernel' marking (via ptdesc_clear_kernel()) would be functionally identical to what is here. But having the if() makes it logically clear that this function can be used for kernel and non-kernel page tables. Link: https://lkml.kernel.org/r/20251022082635.2462433-4-baolu.lu@linux.intel.com Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 412d000 upstream. There are a billion ways to refer to a physical memory address. One of the x86 PMD freeing code location chooses to use a 'pte_t *' to point to a PMD page and then call a PTE-specific freeing function for it. That's a bit wonky. Just use a 'struct ptdesc *' instead. Its entire purpose is to refer to page table pages. It also means being able to remove an explicit cast. Right now, pte_free_kernel() is a one-liner that calls pagetable_dtor_free(). Effectively, all this patch does is remove one superfluous __pa(__va(paddr)) conversion and then call pagetable_dtor_free() directly instead of through a helper. Link: https://lkml.kernel.org/r/20251022082635.2462433-5-baolu.lu@linux.intel.com Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: David Hildenbrand <david@redhat.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0189429 upstream. The pages used for ptdescs are currently freed back to the allocator in a single location. They will shortly be freed from a second location. Create a simple helper that just frees them back to the allocator. Link: https://lkml.kernel.org/r/20251022082635.2462433-6-baolu.lu@linux.intel.com Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bf9e4e3 upstream. The kernel's memory management subsystem provides a dedicated interface, pagetable_free(), for freeing page table pages. Updates two call sites to use pagetable_free() instead of the lower-level __free_page() or free_pages(). This improves code consistency and clarity, and ensures the correct freeing mechanism is used. Link: https://lkml.kernel.org/r/20251022082635.2462433-7-baolu.lu@linux.intel.com Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@intel.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Kevin Tian <kevin.tian@intel.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5ba2f0a upstream. This introduces a conditional asynchronous mechanism, enabled by CONFIG_ASYNC_KERNEL_PGTABLE_FREE. When enabled, this mechanism defers the freeing of pages that are used as page tables for kernel address mappings. These pages are now queued to a work struct instead of being freed immediately. This deferred freeing allows for batch-freeing of page tables, providing a safe context for performing a single expensive operation (TLB flush) for a batch of kernel page tables instead of performing that expensive operation for each page table. Link: https://lkml.kernel.org/r/20251022082635.2462433-8-baolu.lu@linux.intel.com Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Acked-by: David Hildenbrand <david@redhat.com> Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jann Horn <jannh@google.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e37d5a2 upstream. Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space. This interface is invoked from the x86 architecture code that manages combined user and kernel page tables, specifically before any kernel page table page is freed and reused. This addresses the main issue with vfree() which is a common occurrence and can be triggered by unprivileged users. While this resolves the primary problem, it doesn't address some extremely rare case related to memory unplug of memory that was present as reserved memory at boot, which cannot be triggered by unprivileged users. The discussion can be found at the link below. Enable SVA on x86 architecture since the IOMMU can now receive notification to flush the paging cache before freeing the CPU kernel page table pages. Link: https://lkml.kernel.org/r/20251022082635.2462433-9-baolu.lu@linux.intel.com Link: https://lore.kernel.org/linux-iommu/04983c62-3b1d-40d4-93ae-34ca04b827e5@intel.com/ Co-developed-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Suggested-by: Jann Horn <jannh@google.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Reviewed-by: Vasant Hegde <vasant.hegde@amd.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Cc: Alistair Popple <apopple@nvidia.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Betkov <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: David Hildenbrand <david@redhat.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jean-Philippe Brucker <jean-philippe@linaro.org> Cc: Joerg Roedel <joro@8bytes.org> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Michal Hocko <mhocko@kernel.org> Cc: Mike Rapoport (Microsoft) <rppt@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Robin Murohy <robin.murphy@arm.com> Cc: Thomas Gleinxer <tglx@linutronix.de> Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com> Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Cc: Yi Lai <yi1.lai@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…e blocking commit 0d30dae upstream. During suspend/resume tests with S2IDLE, some ISH functional failures were observed because of delay in executing ISH resume handler. Here schedule_work() is used from resume handler to do actual work. schedule_work() uses system_wq, which is a per CPU work queue. Although the queuing is not bound to a CPU, but it prefers local CPU of the caller, unless prohibited. Users of this work queue are not supposed to queue long running work. But in practice, there are scenarios where long running work items are queued on other unbound workqueues, occupying the CPU. As a result, the ISH resume handler may not get a chance to execute in a timely manner. In one scenario, one of the ish_resume_handler() executions was delayed nearly 1 second because another work item on an unbound workqueue occupied the same CPU. This delay causes ISH functionality failures. A similar issue was previously observed where the ISH HID driver timed out while getting the HID descriptor during S4 resume in the recovery kernel, likely caused by the same workqueue contention problem. Create dedicated unbound workqueues for all ISH operations to allow work items to execute on any available CPU, eliminating CPU-specific bottlenecks and improving resume reliability under varying system loads. Also ISH has three different components, a bus driver which implements ISH protocols, a PCI interface layer and HID interface. Use one dedicated work queue for all of them. Signed-off-by: Zhang Lixu <lixu.zhang@intel.com> Signed-off-by: Jiri Kosina <jkosina@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…oc_workqueue() commit 3644f44 upstream. Clang warns (or errors with CONFIG_WERROR=y / W=e): drivers/hid/intel-ish-hid/ipc/ipc.c:935:36: error: cast from 'void (*)(struct workqueue_struct *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict] 935 | if (devm_add_action_or_reset(dev, (void (*)(void *))destroy_workqueue, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/device/devres.h:168:34: note: expanded from macro 'devm_add_action_or_reset' 168 | __devm_add_action_or_ireset(dev, action, data, #action) | ^~~~~~ This warning is pointing out a kernel control flow integrity (kCFI / CONFIG_CFI=y) violation will occur due to this function cast when the destroy_workqueue() is indirectly called via devm_action_release() because the prototype of destroy_workqueue() does not match the prototype of (*action)(). Use a local function with the correct prototype to wrap destroy_workqueue() to resolve the warning and CFI violation. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202510190103.qTZvfdjj-lkp@intel.com/ Closes: ClangBuiltLinux/linux#2139 Fixes: 0d30dae ("HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking") Signed-off-by: Nathan Chancellor <nathan@kernel.org> Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> Reviewed-by: Zhang Lixu <lixu.zhang@intel.com> Signed-off-by: Jiri Kosina <jkosina@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…n type commit 5037b34 upstream. When wait_current_trans() is called during start_transaction(), it currently waits for a blocked transaction without considering whether the given transaction type actually needs to wait for that particular transaction state. The btrfs_blocked_trans_types[] array already defines which transaction types should wait for which transaction states, but this check was missing in wait_current_trans(). This can lead to a deadlock scenario involving two transactions and pending ordered extents: 1. Transaction A is in TRANS_STATE_COMMIT_DOING state 2. A worker processing an ordered extent calls start_transaction() with TRANS_JOIN 3. join_transaction() returns -EBUSY because Transaction A is in TRANS_STATE_COMMIT_DOING 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes 5. A new Transaction B is created (TRANS_STATE_RUNNING) 6. The ordered extent from step 2 is added to Transaction B's pending ordered extents 7. Transaction B immediately starts commit by another task and enters TRANS_STATE_COMMIT_START 8. The worker finally reaches wait_current_trans(), sees Transaction B in TRANS_STATE_COMMIT_START (a blocked state), and waits unconditionally 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START according to btrfs_blocked_trans_types[] 10. Transaction B is waiting for pending ordered extents to complete 11. Deadlock: Transaction B waits for ordered extent, ordered extent waits for Transaction B This can be illustrated by the following call stacks: CPU0 CPU1 btrfs_finish_ordered_io() start_transaction(TRANS_JOIN) join_transaction() # -EBUSY (Transaction A is # TRANS_STATE_COMMIT_DOING) # Transaction A completes # Transaction B created # ordered extent added to # Transaction B's pending list btrfs_commit_transaction() # Transaction B enters # TRANS_STATE_COMMIT_START # waiting for pending ordered # extents wait_current_trans() # waits for Transaction B # (should not wait!) Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered extents: __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 btrfs_commit_transaction+0xbf7/0xda0 [btrfs] btrfs_sync_file+0x342/0x4d0 [btrfs] __x64_sys_fdatasync+0x4b/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Task kworker in wait_current_trans waiting for transaction commit: Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs] __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 wait_current_trans+0xb0/0x110 [btrfs] start_transaction+0x346/0x5b0 [btrfs] btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs] btrfs_work_helper+0xe8/0x350 [btrfs] process_one_work+0x1d3/0x3c0 worker_thread+0x4d/0x3e0 kthread+0x12d/0x150 ret_from_fork+0x1f/0x30 Fix this by passing the transaction type to wait_current_trans() and checking btrfs_blocked_trans_types[cur_trans->state] against the given type before deciding to wait. This ensures that transaction types which are allowed to join during certain blocked states will not unnecessarily wait and cause deadlocks. Reviewed-by: Filipe Manana <fdmanana@suse.com> Signed-off-by: Robbie Ko <robbieko@synology.com> Signed-off-by: Filipe Manana <fdmanana@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Cc: Motiejus Jakštys <motiejus@jakstys.lt> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0acc67c upstream. Patch series "mm/page_alloc: Batch callers of free_pcppages_bulk", v5. Motivation & Approach ===================== While testing workloads with high sustained memory pressure on large machines in the Meta fleet (1Tb memory, 316 CPUs), we saw an unexpectedly high number of softlockups. Further investigation showed that the zone lock in free_pcppages_bulk was being held for a long time, and was called to free 2k+ pages over 100 times just during boot. This causes starvation in other processes for the zone lock, which can lead to the system stalling as multiple threads cannot make progress without the locks. We can see these issues manifesting as warnings: [ 4512.591979] rcu: INFO: rcu_sched self-detected stall on CPU [ 4512.604370] rcu: 20-....: (9312 ticks this GP) idle=a654/1/0x4000000000000000 softirq=309340/309344 fqs=5426 [ 4512.626401] rcu: hardirqs softirqs csw/system [ 4512.638793] rcu: number: 0 145 0 [ 4512.651177] rcu: cputime: 30 10410 174 ==> 10558(ms) [ 4512.666657] rcu: (t=21077 jiffies g=783665 q=1242213 ncpus=316) While these warnings don't indicate a crash or a kernel panic, they do point to the underlying issue of lock contention. To prevent starvation in both locks, batch the freeing of pages using pcp->batch. Because free_pcppages_bulk is called with the pcp lock and acquires the zone lock, relinquishing and reacquiring the locks are only effective when both of them are broken together (unless the system was built with queued spinlocks). Thus, instead of modifying free_pcppages_bulk to break both locks, batch the freeing from its callers instead. A similar fix has been implemented in the Meta fleet, and we have seen significantly less softlockups. Testing ======= The following are a few synthetic benchmarks, made on three machines. The first is a large machine with 754GiB memory and 316 processors. The second is a relatively smaller machine with 251GiB memory and 176 processors. The third and final is the smallest of the three, which has 62GiB memory and 36 processors. On all machines, I kick off a kernel build with -j$(nproc). Negative delta is better (faster compilation). Large machine (754GiB memory, 316 processors) make -j$(nproc) +------------+---------------+-----------+ | Metric (s) | Variation (%) | Delta(%) | +------------+---------------+-----------+ | real | 0.8070 | - 1.4865 | | user | 0.2823 | + 0.4081 | | sys | 5.0267 | -11.8737 | +------------+---------------+-----------+ Medium machine (251GiB memory, 176 processors) make -j$(nproc) +------------+---------------+----------+ | Metric (s) | Variation (%) | Delta(%) | +------------+---------------+----------+ | real | 0.2806 | +0.0351 | | user | 0.0994 | +0.3170 | | sys | 0.6229 | -0.6277 | +------------+---------------+----------+ Small machine (62GiB memory, 36 processors) make -j$(nproc) +------------+---------------+----------+ | Metric (s) | Variation (%) | Delta(%) | +------------+---------------+----------+ | real | 0.1503 | -2.6585 | | user | 0.0431 | -2.2984 | | sys | 0.1870 | -3.2013 | +------------+---------------+----------+ Here, variation is the coefficient of variation, i.e. standard deviation / mean. Based on these results, it seems like there are varying degrees to how much lock contention this reduces. For the largest and smallest machines that I ran the tests on, it seems like there is quite some significant reduction. There is also some performance increases visible from userspace. Interestingly, the performance gains don't scale with the size of the machine, but rather there seems to be a dip in the gain there is for the medium-sized machine. One possible theory is that because the high watermark depends on both memory and the number of local CPUs, what impacts zone contention the most is not these individual values, but rather the ratio of mem:processors. This patch (of 5): Currently, refresh_cpu_vm_stats returns an int, indicating how many changes were made during its updates. Using this information, callers like vmstat_update can heuristically determine if more work will be done in the future. However, all of refresh_cpu_vm_stats's callers either (a) ignore the result, only caring about performing the updates, or (b) only care about whether changes were made, but not *how many* changes were made. Simplify the code by returning a bool instead to indicate if updates were made. In addition, simplify fold_diff and decay_pcp_high to return a bool for the same reason. Link: https://lkml.kernel.org/r/20251014145011.3427205-1-joshua.hahnjy@gmail.com Link: https://lkml.kernel.org/r/20251014145011.3427205-2-joshua.hahnjy@gmail.com Signed-off-by: Joshua Hahn <joshua.hahnjy@gmail.com> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Reviewed-by: SeongJae Park <sj@kernel.org> Cc: Brendan Jackman <jackmanb@google.com> Cc: Chris Mason <clm@fb.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: "Kirill A. Shutemov" <kirill@shutemov.name> Cc: Michal Hocko <mhocko@suse.com> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Zi Yan <ziy@nvidia.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Stable-dep-of: 038a102 ("mm/page_alloc: prevent pcp corruption with SMP=n") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fc4b909 upstream. It is possible for pcp->count - pcp->high to exceed pcp->batch by a lot. When this happens, we should perform batching to ensure that free_pcppages_bulk isn't called with too many pages to free at once and starve out other threads that need the pcp or zone lock. Since we are still only freeing the difference between the initial pcp->count and pcp->high values, there should be no change to how many pages are freed. Link: https://lkml.kernel.org/r/20251014145011.3427205-3-joshua.hahnjy@gmail.com Signed-off-by: Joshua Hahn <joshua.hahnjy@gmail.com> Suggested-by: Chris Mason <clm@fb.com> Suggested-by: Andrew Morton <akpm@linux-foundation.org> Co-developed-by: Johannes Weiner <hannes@cmpxchg.org> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Cc: Brendan Jackman <jackmanb@google.com> Cc: "Kirill A. Shutemov" <kirill@shutemov.name> Cc: Michal Hocko <mhocko@suse.com> Cc: SeongJae Park <sj@kernel.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Zi Yan <ziy@nvidia.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Stable-dep-of: 038a102 ("mm/page_alloc: prevent pcp corruption with SMP=n") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 038a102 upstream. The kernel test robot has reported: BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28 lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0 CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470 Call Trace: <IRQ> __dump_stack (lib/dump_stack.c:95) dump_stack_lvl (lib/dump_stack.c:123) dump_stack (lib/dump_stack.c:130) spin_dump (kernel/locking/spinlock_debug.c:71) do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?) _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138) __free_frozen_pages (mm/page_alloc.c:2973) ___free_pages (mm/page_alloc.c:5295) __free_pages (mm/page_alloc.c:5334) tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290) ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289) ? rcu_core (kernel/rcu/tree.c:?) rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861) rcu_core_si (kernel/rcu/tree.c:2879) handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623) __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725) irq_exit_rcu (kernel/softirq.c:741) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052) </IRQ> <TASK> RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) free_pcppages_bulk (mm/page_alloc.c:1494) drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632) __drain_all_pages (mm/page_alloc.c:2731) drain_all_pages (mm/page_alloc.c:2747) kcompactd (mm/compaction.c:3115) kthread (kernel/kthread.c:465) ? __cfi_kcompactd (mm/compaction.c:3166) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork (arch/x86/kernel/process.c:164) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork_asm (arch/x86/entry/entry_64.S:255) </TASK> Matthew has analyzed the report and identified that in drain_page_zone() we are in a section protected by spin_lock(&pcp->lock) and then get an interrupt that attempts spin_trylock() on the same lock. The code is designed to work this way without disabling IRQs and occasionally fail the trylock with a fallback. However, the SMP=n spinlock implementation assumes spin_trylock() will always succeed, and thus it's normally a no-op. Here the enabled lock debugging catches the problem, but otherwise it could cause a corruption of the pcp structure. The problem has been introduced by commit 5749077 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme recognizes the need for disabling IRQs to prevent nesting spin_trylock() sections on SMP=n, but the need to prevent the nesting in spin_lock() has not been recognized. Fix it by introducing local wrappers that change the spin_lock() to spin_lock_iqsave() with SMP=n and use them in all places that do spin_lock(&pcp->lock). [vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven] Link: https://lkml.kernel.org/r/20260105-fix-pcp-up-v1-1-5579662d2071@suse.cz Fixes: 5749077 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations") Signed-off-by: Vlastimil Babka <vbabka@suse.cz> Reported-by: kernel test robot <oliver.sang@intel.com> Closes: https://lore.kernel.org/oe-lkp/202512101320.e2f2dd6f-lkp@intel.com Analyzed-by: Matthew Wilcox <willy@infradead.org> Link: https://lore.kernel.org/all/aUW05pyc9nZkvY-1@casper.infradead.org/ Acked-by: Mel Gorman <mgorman@techsingularity.net> Cc: Brendan Jackman <jackmanb@google.com> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Zi Yan <ziy@nvidia.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit b49c766 which is commit e5bf5ee upstream. It has been reported to cause test problems in Android devices. As the other functionfs changes were not also backported at the same time, something is out of sync. So just revert this one for now and it can come back in the future as a patch series if it is tested. Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4b5c493 upstream. A call to mmu_notifier_arch_invalidate_secondary_tlbs() was introduced in commit e37d5a2 ("iommu/sva: invalidate stale IOTLB entries for kernel address space") but without explicitly adding its corresponding header file <linux/mmu_notifier.h>. This was evidenced while trying to enable compile testing support for IOMMU_SVA: config IOMMU_SVA select IOMMU_MM_DATA - bool + bool "Shared Virtual Addressing" if COMPILE_TEST The thing is for certain architectures this header file is indirectly included via <asm/tlbflush.h>. However, for others such as 32-bit arm the header is missing and it results in a build failure: $ make ARCH=arm allmodconfig [...] drivers/iommu/iommu-sva.c:340:3: error: call to undeclared function 'mmu_notifier_arch_invalidate_secondary_tlbs' [...] 340 | mmu_notifier_arch_invalidate_secondary_tlbs(iommu_mm->mm, start, end); | ^ Fix this by including the appropriate header file. Link: https://lkml.kernel.org/r/20260105190747.625082-1-cmllamas@google.com Fixes: e37d5a2 ("iommu/sva: invalidate stale IOTLB entries for kernel address space") Signed-off-by: Carlos Llamas <cmllamas@google.com> Cc: Baolu Lu <baolu.lu@linux.intel.com> Cc: Jason Gunthorpe <jgg@ziepe.ca> Cc: Joerg Roedel <joro@8bytes.org> Cc: Kevin Tian <kevin.tian@intel.com> Cc: Robin Murphy <robin.murphy@arm.com> Cc: Vasant Hegde <vasant.hegde@amd.com> Cc: Will Deacon <will@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20260121181418.537774329@linuxfoundation.org Tested-by: Salvatore Bonaccorso <carnil@debian.org> Tested-by: Ronald Warsow <rwarsow@gmx.de> Tested-by: Shuah Khan <skhan@linuxfoundation.org> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Justin M. Forbes <jforbes@fedoraproject.org> Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com> Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com> Tested-by: Jon Hunter <jonathanh@nvidia.com> Tested-by: Ron Economos <re@w6rz.net> Tested-by: Brett Mastbergen <bmastbergen@ciq.com> Tested-by: Peter Schneider <pschneider1968@googlemail.com> Tested-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is the 6.18.7 stable release
* tag 'v6.18.7':
Linux 6.18.7
iommu/sva: include mmu_notifier.h header
Revert "functionfs: fix the open/removal races"
mm/page_alloc: prevent pcp corruption with SMP=n
mm/page_alloc: batch page freeing in decay_pcp_high
mm/page_alloc/vmstat: simplify refresh_cpu_vm_stats change detection
btrfs: fix deadlock in wait_current_trans() due to ignored transaction type
HID: intel-ish-hid: Fix -Wcast-function-type-strict in devm_ishtp_alloc_workqueue()
HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking
iommu/sva: invalidate stale IOTLB entries for kernel address space
mm: introduce deferred freeing for kernel page tables
x86/mm: use pagetable_free()
mm: introduce pure page table freeing function
x86/mm: use 'ptdesc' when freeing PMD pages
mm: actually mark kernel page table pages
mm: add a ptdesc flag to mark kernel page tables
dmaengine: ti: k3-udma: fix device leak on udma lookup
dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation
dmaengine: stm32: dmamux: fix OF node leak on route allocation failure
dmaengine: stm32: dmamux: fix device leak on route allocation
dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all()
dmaengine: sh: rz-dmac: fix device leak on probe failure
dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
dmaengine: lpc32xx-dmamux: fix device leak on route allocation
dmaengine: lpc18xx-dmamux: fix device leak on route allocation
dmaengine: idxd: fix device leaks on compat bind and unbind
dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure
dmaengine: dw: dmamux: fix OF node leak on route allocation failure
dmaengine: cv1800b-dmamux: fix device leak on route allocation
dmaengine: bcm-sba-raid: fix device leak on probe
dmaengine: at_hdmac: fix device leak on of_dma_xlate()
dmaengine: apple-admac: Add "apple,t8103-admac" compatible
LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()
LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()
LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy()
LoongArch: dts: loongson-2k2000: Add default interrupt controller address cells
LoongArch: dts: loongson-2k1000: Fix i2c-gpio node names
LoongArch: dts: loongson-2k1000: Add default interrupt controller address cells
LoongArch: dts: loongson-2k0500: Add default interrupt controller address cells
drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()
drm/sysfb: Remove duplicate declarations
drm/panel: simple: restore connector_type fallback
drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel
drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare
drm/amdkfd: fix a memory leak in device_queue_manager_init()
drm/amdgpu: make sure userqs are enabled in userq IOCTLs
drm/amdgpu: Fix gfx9 update PTE mtype flag
drm/amd: Clean up kfd node on surprise disconnect
drm/amd/display: Initialise backlight level values from hw
drm/amd/display: Bump the HDMI clock to 340MHz
LoongArch: dts: Describe PCI sideband IRQ through interrupt-extended
LoongArch: Fix PMU counter allocation for mixed-type event groups
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
mm/damon/sysfs: cleanup intervals subdirs on attrs dir setup failure
mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure
mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup failure
mm/damon/core: remove call_control in inactive contexts
mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free
mm/zswap: fix error pointer free in zswap_cpu_comp_prepare()
mm: numa,memblock: include <asm/numa.h> for 'numa_nodes_parsed'
mm: kmsan: fix poisoning of high-order non-compound pages
nvme: fix PCIe subsystem reset controller state transition
x86/resctrl: Fix memory bandwidth counter width for Hygon
x86/resctrl: Add missing resctrl initialization for Hygon
i2c: riic: Move suspend handling to NOIRQ phase
tcpm: allow looking for role_sw device in the main node
EDAC/i3200: Fix a resource leak in i3200_probe1()
EDAC/x38: Fix a resource leak in x38_probe1()
hrtimer: Fix softirq base check in update_needs_ipi()
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
ext4: fix ext4_tune_sb_params padding
ASoC: codecs: wsa881x: fix unnecessary initialisation
nvme-pci: disable secondary temp for Wodposit WPBSNM8
USB: serial: ftdi_sio: add support for PICAXE AXE027 cable
USB: serial: option: add Telit LE910 MBIM composition
USB: OHCI/UHCI: Add soft dependencies on ehci_platform
usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS descriptor
usb: dwc3: Check for USB4 IP_NAME
usb: gadget: uvc: fix req_payload_size calculation
usb: gadget: uvc: fix interval_duration calculation
xhci: sideband: don't dereference freed ring when removing sideband endpoint
usb: host: xhci-tegra: Use platform_get_irq_optional() for wake IRQs
phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7
phy: fsl-imx8mq-usb: fix typec orientation switch when built as module
phy: rockchip: inno-usb2: fix disconnection in gadget mode
phy: freescale: imx8m-pcie: assert phy reset during power on
phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()
phy: ti: gmii-sel: fix regmap leak on probe failure
phy: rockchip: inno-usb2: fix communication disruption in gadget mode
x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers
lib/buildid: use __kernel_read() for sleepable context
virtio-net: don't schedule delayed refill worker
xfs: Fix the return value of xfs_rtcopy_summary()
xfs: set max_agbno to allow sparse alloc of last full inode chunk
ftrace: Do not over-allocate ftrace memory
tools/testing/selftests: fix gup_longterm for unknown fs
tools/testing/selftests: add forked (un)/faulted VMA merge tests
tools/testing/selftests: add tests for !tgt, src mremap() merges
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1 MBit.
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
null_blk: fix kmemleak by releasing references to fault configfs items
ALSA: hda/realtek: Add quirk for HP Pavilion x360 to enable mute LED
ALSA: hda/tas2781: Skip UEFI calibration on ASUS ROG Xbox Ally X
ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer
selftests: kvm: try getting XFD and XSAVE state out of sync
selftests: kvm: replace numbered sync points with actions
scsi: core: Fix error handler encryption support
selftests/bpf: Fix selftest verif_scale_strobemeta failure with llvm22
HID: usbhid: paper over wrong bNumDescriptor field
sched: Deadline has dynamic priority
sched/deadline: Avoid double update_rq_clock()
i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume progress
i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA
soundwire: bus: fix off-by-one when allocating slave IDs
dmaengine: omap-dma: fix dma_pool resource leak in error paths
selftests/landlock: Properly close a file descriptor
phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again)
landlock: Fix wrong type usage
selftests/landlock: Remove invalid unix socket bind()
selftests/landlock: Fix TCP bind(AF_UNSPEC) test case
landlock: Fix TCP handling of short AF_UNSPEC addresses
phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors
phy: stm32-usphyc: Fix off by one in probe()
phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it
dmaengine: xilinx_dma: Fix uninitialized addr_width when "xlnx,addrwidth" property is missing
dmaengine: tegra-adma: Fix use-after-free
dmaengine: xilinx: xdma: Fix regmap max_register
dmaengine: mmp_pdma: fix DMA mask handling
NFS: Fix size read races in truncate, fallocate and copy offload
drivers/dax: add some missing kerneldoc comment fields for struct dev_dax
mips: fix HIGHMEM initialization
mm, kfence: describe @slab parameter in __kfence_obj_info()
textsearch: describe @list member in ts_ops search
mm: describe @flags parameter in memalloc_flags_save()
drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
drm/amdkfd: No need to suspend whole MES to evict process
drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2
drm/amd/display: Show link name in PSR status message
drm/amdgpu: fix drm panic null pointer when driver not support atomic
ASoC: tlv320adcx140: fix word length
ASoC: tlv320adcx140: fix null pointer
ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type
net/sched: sch_qfq: do not free existing class in qfq_change_class()
selftests: drv-net: fix RPS mask handling for high CPU numbers
ipv6: Fix use-after-free in inet6_addr_del().
dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
net: hv_netvsc: reject RSS hash key programming without RX indirection table
ALSA: hda/cirrus_scodec_test: Fix test suite name
ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip
net: airoha: Fix typo in airoha_ppe_setup_tc_block_cb definition
net: phy: motorcomm: fix duplex setting error for phy leds
net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
cxl/hdm: Fix potential infinite loop in __cxl_dpa_reserve()
btrfs: fix memory leaks in create_space_info() error paths
net/mlx5e: Restore destroying state bit after profile cleanup
net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
net/mlx5e: Fix crash on profile change rollback failure
vsock/test: add a final full barrier after run all tests
ipv4: ip_gre: make ipgre_header() robust
block: zero non-PI portion of auto integrity buffer
macvlan: fix possible UAF in macvlan_forward_source()
net: update netdev_lock_{type,name}
ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
net: bridge: annotate data-races around fdb->{updated,used}
Bluetooth: hci_sync: enable PA Sync Lost event
btrfs: send: check for inline extents in range_is_hole_in_parent()
btrfs: release path before iget_failed() in btrfs_read_locked_inode()
cxl/port: Fix target list setup for multiple decoders sharing the same dport
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
can: etas_es58x: allow partial RX URB allocation to succeed
ipv4: ip_tunnel: spread netdev_lockdep_set_classes()
PM: EM: Fix incorrect description of the cost field in struct em_perf_state
drm/rockchip: vop2: Only wait for changed layer cfg done when there is pending cfgdone bits
drm/rockchip: vop2: Add delay between poll registers
NFS/localio: Deal with page bases that are > PAGE_SIZE
drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions
drm/vmwgfx: Fix KMS with 3D on HW version 10
drm/bridge: dw-hdmi-qp: Fix spurious IRQ on resume
pnfs/blocklayout: Fix memory leak in bl_parse_scsi()
pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
NFS: Fix a deadlock involving nfs_release_folio()
pNFS: Fix a deadlock when returning a delegation during open()
xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set
xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
io_uring: move local task_work in exit cancel loop
virtio_net: Fix misalignment bug in struct virtnet_info
drm/gud: fix NULL fb and crtc dereferences on USB disconnect
ASoC: codecs: wsa883x: fix unnecessary initialisation
ASoC: codecs: wsa884x: fix codec initialisation
rust: bitops: fix missing _find_* functions on 32-bit ARM
x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
Revert "gfs2: Fix use of bio_chain"
nvme-apple: add "apple,t8103-nvme-ans2" as compatible
efi/cper: Fix cper_bits_to_str buffer handling and return value
firmware: imx: scu-irq: Set mu_resource_id before get handle
Linux 6.18.6
spi: cadence-quadspi: Prevent lost complete() call during indirect read
scsi: sg: Fix occasional bogus elapsed time that exceeds timeout
ASoC: fsl_sai: Add missing registers to cache default
ALSA: hda/realtek: enable woofer speakers on Medion NM14LNL
ASoC: amd: yc: Add quirk for Honor MagicBook X16 2025
ALSA: usb-audio: Update for native DSD support quirks
block: validate pi_offset integrity limit
can: j1939: make j1939_session_activate() fail if device is no longer registered
drm/amdkfd: Fix improper NULL termination of queue restore SMI event string
spi: mt65xx: Use IRQF_ONESHOT with threaded IRQ
drm/amd/display: Fix DP no audio issue
accel/amdxdna: Block running under a hypervisor
ata: libata-core: Disable LPM on ST2000DM008-2FR102
netfilter: nf_tables: avoid chain re-validation if possible
powercap: fix sscanf() error return value handling
powercap: fix race condition in register_control_type()
net: sfp: extend Potron XGSPON quirk to cover additional EEPROM variant
bpf: Fix reference count leak in bpf_prog_test_run_xdp()
bpf, test_run: Subtract size of xdp_frame from allowed metadata size
gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths
gpio: mpsse: add quirk support
gpio: mpsse: ensure worker is torn down
btrfs: fix beyond-EOF write handling
btrfs: use variable for end offset in extent_writepage_io()
btrfs: truncate ordered extent when skipping writeback past i_size
erofs: fix file-backed mounts no longer working on EROFS partitions
erofs: don't bother with s_stack_depth increasing for now
irqchip/gic-v5: Fix gicv5_its_map_event() ITTE read endianness
ublk: fix use-after-free in ublk_partition_scan_work
arp: do not assume dev_hard_header() does not change skb->head
net: enetc: fix build warning when PAGE_SIZE is greater than 128K
net: usb: pegasus: fix memory leak in update_eth_regs_async()
net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
wifi: mac80211_hwsim: fix typo in frequency notification
net: airoha: Fix schedule while atomic in airoha_ppe_deinit()
HID: quirks: work around VID/PID conflict for appledisplay
sparc/PCI: Correct 64-bit non-pref -> pref BAR resources
trace: ftrace_dump_on_oops[] is not exported, make it static
block: don't merge bios with different app_tags
net: netdevsim: fix inconsistent carrier state after link/unlink
selftests: drv-net: Bring back tool() to driver __init__s
net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy
net: sfp: return the number of written bytes for smbus single byte access
udp: call skb_orphan() before skb_attempt_defer_free()
Revert "dsa: mv88e6xxx: make serdes SGMII/Fiber tx amplitude configurable"
idpf: fix aux device unplugging when rdma is not supported by vport
idpf: cap maximum Rx buffer size
idpf: Fix error handling in idpf_vport_open()
idpf: Fix RSS LUT NULL ptr issue after soft reset
idpf: Fix RSS LUT configuration on down interfaces
idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
idpf: fix issue with ethtool -n command display
idpf: fix memory leak of flow steer list on rmmod
idpf: fix error handling in the init_task on load
idpf: fix memory leak in idpf_vc_core_deinit()
idpf: fix memory leak in idpf_vport_rel()
idpf: detach and close netdevs while handling a reset
idpf: convert vport state to bitmap
idpf: keep the netdev when a reset fails
PCI/VGA: Don't assume the only VGA device on a system is `boot_vga`
net: fix memory leak in skb_segment_list for GRO packets
riscv: pgtable: Cleanup useless VA_USER_XXX definitions
riscv: cpufeature: Fix Zk bundled extension missing Zknh
net: airoha: Fix npu rx DMA definitions
btrfs: fix NULL pointer dereference in do_abort_log_replay()
btrfs: only enforce free space tree if v1 cache is required for bs < ps cases
btrfs: release path before initializing extent tree in btrfs_read_locked_inode()
vsock: Make accept()ed sockets use custom setsockopt()
drm/amd/pm: force send pcie parmater on navi1x
drm/amd/pm: fix wrong pcie parameter on navi1x
perf: Ensure swevent hrtimer is properly destroyed
inet: frags: drop fraglist conntrack references
virtio_net: fix device mismatch in devm_kzalloc/devm_kfree
bnxt_en: Fix potential data corruption with HW GRO/LRO
net: wwan: iosm: Fix memory leak in ipc_mux_deinit()
net/ena: fix missing lock when update devlink params
net/mlx5e: Dealloc forgotten PSP RX modify header
net/mlx5e: Don't print error message due to invalid module
net/mlx5e: Don't gate FEC histograms on ppcnt_statistical_group
net/mlx5: Lag, multipath, give priority for routes with smaller network prefix
netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates
net: sock: fix hardened usercopy panic in sock_recv_errqueue
net: phy: mxl-86110: Add power management and soft reset support
inet: ping: Fix icmp out counting
net: mscc: ocelot: Fix crash when adding interface under a lag
bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress
net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
netfilter: nf_conncount: update last_gc only when GC has been performed
netfilter: nf_tables: fix memory leak in nf_tables_newrule()
gpio: pca953x: handle short interrupt pulses on PCAL devices
gpiolib: fix race condition for gdev->srcu
gpiolib: rename GPIO chip printk macros
gpiolib: remove unnecessary 'out of memory' messages
netfilter: nft_synproxy: avoid possible data-race on update operation
netfilter: nft_set_pipapo: fix range overlap detection
arm64: dts: mba8mx: Fix Ethernet PHY IRQ support
arm64: dts: imx8qm-ss-dma: correct the dma channels of lpuart
arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH electronics i.MX8M Plus DHCOM
arm64: dts: freescale: tx8p-ml81: fix eqos nvmem-cells
arm64: dts: freescale: moduline-display: fix compatible
ARM: dts: imx6q-ba16: fix RTC interrupt level
arm64: dts: add off-on-delay-us for usdhc2 regulator
arm64: dts: imx8qm-mek: correct the light sensor interrupt type to low level
crypto: qat - fix duplicate restarting msg during AER error
pinctrl: mediatek: mt8189: restore previous register base name array order
netfs: Fix early read unlock of page with EOF in middle
HID: Intel-thc-hid: Intel-thc: Fix wrong register reading
HID: Intel-thc-hid: Intel-thc: fix dma_unmap_sg() nents value
gpio: it87: balance superio enter/exit calls in error path
gpu: nova-core: select RUST_FW_LOADER_ABSTRACTIONS
arm64: dts: ti: k3-am62-lp-sk-nand: Rename pinctrls to fix schema warnings
arm64: dts: ti: k3-am642-phyboard-electra-x27-gpio1-spi1-uart3: Fix schema warnings
arm64: dts: ti: k3-am642-phyboard-electra-peb-c-010: Fix icssg-prueth schema warning
of: unittest: Fix memory leak in unittest_data_add()
btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()
btrfs: fix NULL dereference on root when tracing inode eviction
btrfs: qgroup: update all parent qgroups when doing quick inherit
btrfs: fix qgroup_snapshot_quick_inherit() squota bug
scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed"
scsi: ufs: core: Fix EH failure after W-LUN resume error
scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset
scsi: mpi3mr: Prevent duplicate SAS/SATA device entries in channel 1
smb/client: fix NT_STATUS_NO_DATA_DETECTED value
smb/client: fix NT_STATUS_DEVICE_DOOR_OPEN value
smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value
drm/amd/display: shrink struct members
ALSA: hda/realtek: Add support for ASUS UM3406GA
NFS: Fix up the automount fs_context to use the correct cred
ASoC: rockchip: Fix Wvoid-pointer-to-enum-cast warning (again)
NFSv4: ensure the open stateid seqid doesn't go backwards
dm-snapshot: fix 'scheduling while atomic' on real-time kernels
dm-verity: disable recursive forward error correction
alpha: don't reference obsolete termio struct for TC* constants
ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels
csky: fix csky_cmpxchg_fixup not working
ALSA: hda: intel-dsp-config: Prefer legacy driver as fallback
ublk: reorder tag_set initialization before queue allocation
libceph: make calc_target() set t->paused, not just clear it
libceph: reset sparse-read state in osd_fault()
libceph: return the handler error from mon_handle_auth_done()
libceph: make free_choose_arg_map() resilient to partial allocation
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
libceph: prevent potential out-of-bounds reads in handle_auth_done()
wifi: mac80211: restore non-chanctx injection behaviour
wifi: avoid kernel-infoleak from struct iw_point
Revert "drm/mediatek: dsi: Fix DSI host and panel bridge pre-enable order"
PM: hibernate: Fix crash when freeing invalid crypto compressor
pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping
PCI: meson: Report that link is up while in ASPM L0s and L1 states
io_uring/io-wq: fix incorrect io_wq_for_each_worker() termination logic
gpio: rockchip: mark the GPIO controller as sleeping
drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[]
drm/tidss: Fix enable/disable order
drm/pl111: Fix error handling in pl111_amba_probe
drm/atomic-helper: Export and namespace some functions
drm/amdgpu: Fix query for VPE block_type and ip_count
drm/amd/display: Apply e4479aecf658 to dml
arm64: dts: imx95: correct I3C2 pclk to IMX95_CLK_BUSWAKEUP
ALSA: hda/tas2781: properly initialize speaker_id for TAS2563
ALSA: ac97: fix a double free in snd_ac97_controller_register()
Revert "drm/atomic-helper: Re-order bridge chain pre-enable and post-disable"
nouveau: don't attempt fwsec on sb on newer platforms.
riscv: boot: Always make Image from vmlinux, not vmlinux.unstripped
tracing: Add recursion protection in kernel stack trace recording
counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
counter: 104-quad-8: Fix incorrect return value in IRQ handler
lib/crypto: aes: Fix missing MMU protection for AES S-box
rust_binder: remove spin_lock() in rust_shrink_free_page()
mei: me: add nova lake point S DID
btrfs: always detect conflicting inodes when logging inode refs
bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup
arm64: Fix cleared E0POE bit after cpu_suspend()/resume()
net: do not write to msg_get_inq in callee
net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
atm: Fix dma_free_coherent() size
NFSD: Remove NFSERR_EAGAIN
NFSD: net ref data still needs to be freed even if net hasn't startup
nfsd: check that server is running in unlock_filesystem
nfsd: use correct loop termination in nfsd4_revoke_states()
nfsd: provide locking for v4_end_grace
NFSD: Fix permission check for read access to executable-only files
Linux 6.18.5
nfs/localio: fix regression due to out-of-order __put_cred
sched/fair: Proportional newidle balance
sched/fair: Small cleanup to update_newidle_cost()
sched/fair: Small cleanup to sched_balance_newidle()
mptcp: ensure context reset on disconnect()
Linux 6.18.4
Revert "gpio: swnode: don't use the swnode's name as the key for GPIO lookup"
mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of()
vfio/pci: Disable qword access to the PCI ROM bar
LoongArch: BPF: Enhance the bpf_arch_text_poke() function
powercap: intel_rapl: Add support for Nova Lake processors
powercap: intel_rapl: Add support for Wildcat Lake platform
block: fix NULL pointer dereference in blk_zone_reset_all_bio_endio()
erofs: fix unexpected EIO under memory pressure
drm/imagination: Disallow exporting of PM/FW protected objects
drm/nouveau/dispnv50: Don't call drm_atomic_get_crtc_state() in prepare_fb
drm/pagemap, drm/xe: Ensure that the devmem allocation is idle before use
drm/xe/svm: Fix a debug printout
drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer
drm/msm: add PERFCTR_CNTL to ifpc_reglist
drm/msm/dpu: Add missing NULL pointer check for pingpong interface
drm/xe: Drop preempt-fences when destroying imported dma-bufs.
drm/xe: Use usleep_range for accurate long-running workload timeslicing
drm/xe: Adjust long-running workload timeslices to reasonable values
drm/xe/eustall: Disallow 0 EU stall property values
drm/xe/oa: Disallow 0 OA property values
drm/xe/bo: Don't include the CCS metadata in the dma-buf sg-table
drm: Fix object leak in DRM_IOCTL_GEM_CHANGE_HANDLE
drm/mgag200: Fix big-endian support
drm/ttm: Avoid NULL pointer deref for evicted BOs
drm/tilcdc: Fix removal actions in case of failed probe
drm/i915: Fix format string truncation warning
drm/amdkfd: Trap handler support for expert scheduling mode
drm/amdkfd: bump minimum vgpr size for gfx1151
drm/amdkfd: Export the cwsr_size and ctl_stack_size to userspace
drm/nouveau/gsp: Allocate fwsec-sb at boot
drm/bridge: ti-sn65dsi83: ignore PLL_UNLOCK errors
drm/rockchip: vop2: Use OVL_LAYER_SEL configuration instead of use win_mask calculate used layers
drm/amd: Fix unbind/rebind for VCN 4.0.5
drm/mediatek: ovl_adaptor: Fix probe device leaks
drm/mediatek: mtk_hdmi: Fix probe device leaks
drm/mediatek: Fix probe device leaks
drm/mediatek: Fix probe memory leak
drm/mediatek: Fix probe resource leaks
drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse()
drm/rockchip: Set VOP for the DRM DMA device
drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg()
drm/buddy: Separate clear and dirty free block trees
drm/buddy: Optimize free block management with RB tree
drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers
drm/amdgpu/gmc11: add amdgpu_vm_handle_fault() handling
drm/amdgpu/sdma6: Update SDMA 6.0.3 FW version to include UMQ protected-fence fix
drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma
drm/amdgpu: Forward VMID reservation errors
drm/amdgpu/gmc12: add amdgpu_vm_handle_fault() handling
Revert "drm/amd: Skip power ungate during suspend for VPE"
platform/x86: alienware-wmi-wmax: Add support for Alienware 16X Aurora
platform/x86: alienware-wmi-wmax: Add AWCC support for Alienware x16
platform/x86: alienware-wmi-wmax: Add support for new Area-51 laptops
platform/x86: samsung-galaxybook: Fix problematic pointer cast
net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open()
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
net: phy: mediatek: fix nvmem cell reference leak in mt798x_phy_calibration
net: usb: sr9700: fix incorrect command used to write single register
nfsd: Drop the client reference in client_states_open()
nfsd: use ATTR_DELEG in nfsd4_finalize_deleg_timestamps()
nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()
LoongArch: BPF: Adjust the jump offset of tail calls
LoongArch: BPF: Enable trampoline-based tracing for module functions
LoongArch: BPF: Save return address register ra to t0 before trampoline
LoongArch: BPF: Sign extend kfunc call arguments
LoongArch: BPF: Zero-extend bpf_tail_call() index
LoongArch: Refactor register restoration in ftrace_common_return
gve: defer interrupt enabling until NAPI registration
fjes: Add missing iounmap in fjes_hw_init()
erspan: Initialize options_len before referencing options.
e1000: fix OOB in e1000_tbi_should_accept()
wifi: mac80211: Discard Beacon frames to non-broadcast address
wifi: iwlwifi: Fix firmware version handling
RDMA/cm: Fix leaking the multicast GID table reference
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
rust: maple_tree: rcu_read_lock() in destructor to silence lockdep
samples/ftrace: Adjust LoongArch register restore order in direct calls
selftests/mm: fix thread state check in uffd-unit-tests
tools/mm/page_owner_sort: fix timestamp comparison for stable sorting
x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo
mm: consider non-anon swap cache folios in folio_expected_ref_count()
mm/page_owner: fix memory leak in page_owner_stack_fops->release()
mm/page_alloc: change all pageblocks migrate type on coalescing
idr: fix idr_alloc() returning an ID out of range
lockd: fix vfs_test_lock() calls
kernel/kexec: fix IMA when allocation happens in CMA area
kernel/kexec: change the prototype of kimage_map_segment()
kasan: unpoison vms[area] addresses with a common tag
kasan: refactor pcpu kasan vmalloc unpoison
mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN
mptcp: fallback earlier on simult connection
compiler_types.h: add "auto" as a macro for "__auto_type"
af_unix: don't post cmsg for SO_INQ unless explicitly asked for
pmdomain: imx: Fix reference count leak in imx_gpc_probe()
pmdomain: mtk-pm-domains: Fix spinlock recursion fix in probe
mm/damon/tests/core-kunit: handle alloc failure on damos_test_commit_filter()
mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs()
mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration()
mm/damon/tests/core-kunit: handle alloc failures on damos_test_filter_out()
mm/damon/tests/core-kunit: handle alloc failures on damon_test_set_filters_default_reject()
mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result()
mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions()
mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two()
mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of()
mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate()
mm/damon/tests/core-kunit: handle memory failure from damon_test_target()
mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions()
mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at()
mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter()
mm/damon/tests/core-kunit: fix memory leak in damon_test_set_filters_default_reject()
mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ()
mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail()
mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions()
mm/damon/tests/sysfs-kunit: handle alloc failures on damon_sysfs_test_add_targets()
LoongArch: Use unsigned long for _end and _text
LoongArch: Use __pmd()/__pte() for swap entry conversions
LoongArch: Fix build errors for CONFIG_RANDSTRUCT
LoongArch: Fix arch_dup_task_struct() for CONFIG_RANDSTRUCT
LoongArch: Correct the calculation logic of thread_count
LoongArch: Add new PCI ID for pci_fixup_vgadev()
media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()
media: mediatek: vcodec: Use spinlock for context list protection lock
media: i2c: imx219: Fix 1920x1080 mode to use 1:1 pixel aspect ratio
media: i2c: adv7842: Remove redundant cancel_delayed_work in probe
media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe
media: amphion: Cancel message work before releasing the VPU core
media: amphion: Remove vpu_vb_is_codecconfig
media: vpif_display: fix section mismatch
media: vpif_capture: fix section mismatch
media: videobuf2: Fix device reference leak in vb2_dc_alloc error path
media: verisilicon: Protect G2 HEVC decoder against invalid DPB index
media: TDA1997x: Remove redundant cancel_delayed_work in probe
media: samsung: exynos4-is: fix potential ABBA deadlock on init
media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled
media: platform: mtk-mdp3: fix device leaks at probe
media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()
media: iris: Refine internal buffer reconfiguration logic for resolution change
media: cec: Fix debugfs leak on bus_register() failure
fbdev: tcx.c fix mem_map to correct smem_start offset
fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing
fbdev: gbefb: fix to use physical address instead of dma address
dm pcache: fix segment info indexing
dm pcache: fix cache info indexing
dm-bufio: align write boundary on physical block size
dm-ebs: Mark full buffer dirty even on partial write
firmware: stratix10-svc: Add mutex in stratix10 memory management
media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION
powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages
power: supply: max77705: Fix potential IRQ chip conflict when probing two devices
perf/x86/amd/uncore: Fix the return value of amd_uncore_df_event_init() on error
PCI: meson: Fix parsing the DBI register region
PCI: brcmstb: Fix disabling L0s capability
parisc: entry: set W bit for !compat tasks in syscall_restore_rfi()
parisc: entry.S: fix space adjustment on interruption for 64-bit userspace
nvmet: pci-epf: move DMA initialization to EPC init callback
NFSD: Make FILE_SYNC WRITEs comply with spec
mtd: spi-nor: winbond: Add support for W25H02NWxxAM chips
mtd: spi-nor: winbond: Add support for W25H01NWxxAM chips
mtd: spi-nor: winbond: Add support for W25H512NWxxAM chips
mtd: spi-nor: winbond: Add support for W25Q02NWxxIM chips
mtd: spi-nor: winbond: Add support for W25Q01NWxxIM chips
mtd: spi-nor: winbond: Add support for W25Q01NWxxIQ chips
mtd: mtdpart: ignore error -ENOENT from parsers on subpartitions
arm64: dts: qcom: sm6350: Fix wrong order of freq-table-hz for UFS
arm64: dts: st: Add memory-region-names property for stm32mp257f-ev1
arm64: dts: ti: k3-am62d2-evm: Fix PMIC padconfig
arm64: dts: ti: k3-am62d2-evm: Fix regulator properties
media: verisilicon: Fix CPU stalls on G2 bus error
media: rc: st_rc: Fix reset control resource leak
mfd: max77620: Fix potential IRQ chip conflict when probing two devices
mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup
clk: qcom: Fix dependencies of QCS_{DISP,GPU,VIDEO}CC_615
clk: qcom: Fix SM_VIDEOCC_6350 dependencies
clk: qcom: mmcc-sdm660: Add missing MDSS reset
clk: samsung: exynos-clkout: Assign .num before accessing .hws
block: Clear BLK_ZONE_WPLUG_PLUGGED when aborting plugged BIOs
leds: leds-lp50xx: Enable chip before any communication
leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs
leds: leds-lp50xx: Allow LED 0 to be added to module bank
leds: leds-cros_ec: Skip LEDs without color components
mm, swap: do not perform synchronous discard during allocation
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
powerpc, mm: Fix mprotect on book3s 32-bit
arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator
PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths
fgraph: Check ftrace_pids_enabled on registration for early filtering
fgraph: Initialize ftrace_ops->private for function graph ops
hisi_acc_vfio_pci: Add .match_token_uuid callback in hisi_acc_vfio_pci_migrn_ops
HID: logitech-dj: Remove duplicate error logging
hwmon: (dell-smm) Fix off-by-one error in dell_smm_is_visible()
iommu: disable SVA when CONFIG_X86 is set
iommu/tegra: fix device leak on probe_device()
iommu/sun50i: fix device leak on of_xlate()
iommu/qcom: fix device leak on of_xlate()
iommu/omap: fix device leaks on probe_device()
iommu/mediatek: fix device leak on of_xlate()
iommu/mediatek-v1: fix device leaks on probe()
iommu/mediatek-v1: fix device leak on probe_device()
iommu/ipmmu-vmsa: fix device leak on of_xlate()
iommu/exynos: fix device leak on of_xlate()
iommu/apple-dart: fix device leak on of_xlate()
iommu/amd: Propagate the error code returned by __modify_irte_ga() in modify_irte_ga()
iommu/amd: Fix pci_segment memleak in alloc_pci_segment()
ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment.
ASoC: qcom: q6adm: the the copp device only during last instance
ASoC: qcom: q6asm-dai: perform correct state check before closing
ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr
ASoC: codecs: Fix error handling in pm4125 audio codec driver
ASoC: cs35l41: Always return 0 when a subsystem ID is found
ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime
ASoC: codecs: lpass-tx-macro: fix SM6115 support
ASoC: codecs: pm4125: Remove irq_chip on component unbind
ASoC: codecs: pm4125: Fix potential conflict when probing two devices
ASoC: codecs: wcd937x: Fix error handling in wcd937x codec driver
ASoC: renesas: rz-ssi: Fix rz_ssi_priv::hw_params_cache::sample_width
ASoC: renesas: rz-ssi: Fix channel swap issue in full duplex mode
ASoC: stm32: sai: fix OF node leak on probe
ASoC: stm32: sai: fix clk prepare imbalance on probe failure
ASoC: stm32: sai: fix device leak on probe
ASoC: codecs: wcd939x: fix regmap leak on probe failure
ntfs: Do not overwrite uptodate pages
block: handle zone management operations completions
selftests/ftrace: traceonoff_triggers: strip off names
blk-mq: skip CPU offline notify on unmapped hctx
RDMA/bnxt_re: fix dma_free_coherent() pointer
RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
IB/rxe: Fix missing umem_odp->umem_mutex unlock on error path
ksmbd: Fix memory leak in get_file_all_info()
drm/xe/guc: READ/WRITE_ONCE g2h_fence->done
ublk: scan partition in async way
ublk: implement NUMA-aware memory allocation
md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()
md: Fix static checker warning in analyze_sbs
RDMA/bnxt_re: Fix to use correct page size for PDE table
kunit: Enforce task execution in {soft,hard}irq contexts
RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats()
RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
drm/gem-shmem: Fix the MODULE_LICENSE() string
RDMA/core: always drop device refcount in ib_del_sub_device_and_put()
RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
RDMA/efa: Remove possible negative shift
RDMA/irdma: avoid invalid read in irdma_net_event
RDMA/mana_ib: check cqe length for kernel CQs
RDMA/irdma: Fix irdma_alloc_ucontext_resp padding
RDMA/ucma: Fix rdma_ucm_query_ib_service_resp struct padding
ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
net: rose: fix invalid array index in rose_kill_by_device()
net: fib: restore ECMP balance from loopback
ipv4: Fix reference count leak when using error routes with nexthop objects
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
net: stmmac: fix the crash issue for zero copy XDP_TX action
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
platform/x86/intel/pmt/discovery: use valid device pointer in dev_err_probe
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
vfio/pds: Fix memory leak in pds_vfio_dirty_enable()
tools/sched_ext: fix scx_show_state.py for scx_root change
net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct
net: usb: asix: validate PHY address before use
net: mdio: rtl9300: use scoped for loops
mcb: Add missing modpost build support
kbuild: fix compilation of dtb specified on command-line without make rule
net: dsa: b53: skip multicast entries for fdb_dump()
bng_en: update module description
firewire: nosy: Fix dma_free_coherent() size
genalloc.h: fix htmldocs warning
smc91x: fix broken irq-context in PREEMPT_RT
platform/x86/intel/pmt: Fix kobject memory leak on init failure
net: wangxun: move PHYLINK dependency
selftests: net: fix "buffer overflow detected" for tap.c
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
selftests: drv-net: psp: fix test names in ipver_test_builder()
selftests: drv-net: psp: fix templated test names in psp_ip_ver_test_builder()
amd-xgbe: reset retries and mode on RX adapt failures
net: dsa: fix missing put_device() in dsa_tree_find_first_conduit()
net: dsa: properly keep track of conduit reference
net: airoha: Move net_devs registration in a dedicated routine
team: fix check for port enabled in team_queue_override_port_prio_changed()
platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
platform/x86: msi-laptop: add missing sysfs_remove_group()
platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event names
powerpc/tools: drop `-o pipefail` in gcc check scripts
ip6_gre: make ip6gre_header() robust
net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
net: mdio: aspeed: add dummy read to avoid read-after-write issue
Bluetooth: btusb: revert use of devm_kzalloc in btusb
Bluetooth: MGMT: report BIS capability flags in supported settings
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
cpuset: fix warning when disabling remote partition
idpf: reduce mbx_task schedule delay to 300us
idpf: fix LAN memory regions command on some NVMs
iavf: fix off-by-one issues in iavf_config_rss_reg()
i40e: validate ring_len parameter against hardware-specific values
i40e: fix scheduling in set_rx_mode
sched_ext: fix uninitialized ret on alloc_percpu() failure
wifi: mac80211: do not use old MBSSID elements
wifi: cfg80211: sme: store capped length in __cfg80211_connect_result()
wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()
wifi: rtw88: limit indirect IO under powered off for RTL8822CS
drm/amdgpu: don't attach the tlb fence for SI
drm/displayid: add quirk to ignore DisplayID checksum errors
drm/edid: add DRM_EDID_IDENT_INIT() to initialize struct drm_edid_ident
KVM: s390: Fix gmap_helper_zap_one_page() again
mm/huge_memory: merge uniform_split_supported() and non_uniform_split_supported()
sched_ext: Fix incorrect sched_class settings for per-cpu migration tasks
sched/eevdf: Fix min_vruntime vs avg_vruntime
sched/core: Add comment explaining force-idle vruntime snapshots
x86/microcode/AMD: Select which microcode patch to load
drm: nova: depend on CONFIG_64BIT
sched/proxy: Yield the donor task
Linux 6.18.3
fuse: missing copy_finish in fuse-over-io-uring argument copies
fuse: fix readahead reclaim deadlock
fuse: fix io-uring list corruption for terminated non-committed requests
iommu/mediatek: fix use-after-free on probe deferral
block: freeze queue when updating zone resources
ARM: dts: microchip: sama7g5: fix uart fifo size to 32
ARM: dts: microchip: sama7d65: fix uart fifo size to 32
ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32
hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
hwmon: (max6697) fix regmap leak on probe failure
hwmon: (max16065) Use local variable to avoid TOCTOU
io_uring/rsrc: fix lost entries after cloned range
interconnect: qcom: sdx75: Drop QPIC interconnect and BCM nodes
i2c: amd-mp2: fix reference leak in MP2 PCI device
lib/crypto: riscv: Depend on RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS
platform/x86: intel: chtwc_int33fe: don't dereference swnode args
pwm: rzg2l-gpt: Allow checking period_tick cache value only if sibling channel is enabled
rpmsg: glink: fix rpmsg device leak
rtla/timerlat_bpf: Stop tracing on user latency
soc: amlogic: canvas: fix device leak on lookup
soc: apple: mailbox: fix device leak on lookup
soc: qcom: ocmem: fix device leak on lookup
soc: qcom: pbs: fix device leak on lookup
soc: samsung: exynos-pmu: fix device leak on regmap lookup
tracing: Fix fixed array of synthetic event
vfio: Fix ksize arg while copying user struct in vfio_df_ioctl_bind_iommufd()
virtio: vdpa: Fix reference count leak in octep_sriov_enable()
zloop: make the write pointer of full zones invalid
zloop: fail zone append operations that are targeting full zones
amba: tegra-ahb: Fix device leak on SMMU enable
crypto: arm64/ghash - Fix incorrect output from ghash-neon
crypto: caam - Add check for kcalloc() in test_len()
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
dt-bindings: PCI: qcom,pcie-sm8550: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sm8450: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sm8350: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sm8250: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sm8150: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sc8280xp: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets
drm/displayid: pass iter to drm_find_displayid_extension()
drm/amd/display: Fix scratch registers offsets for DCN351
drm/amd/display: Fix scratch registers offsets for DCN35
drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state()
Revert "drm/amd/display: Fix pbn to kbps Conversion"
gpio: loongson: Switch 2K2000/3000 GPIO to BYTE_CTRL_MODE
gpiolib: acpi: Add quirk for Dell Precision 7780
gpio: regmap: Fix memleak in error path in gpio_regmap_register()
s390/ipl: Clear SBP flag when bootprog is set
cgroup: rstat: use LOCK CMPXCHG in css_rstat_updated
btrfs: don't log conflicting inode if it's a dir moved in the current transaction
powerpc/kexec: Enable SMT before waking offline CPUs
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
svcrdma: use rc_pageoff for memcpy byte offset
svcrdma: return 0 on success from svc_rdma_copy_inline_range
nfsd: Mark variable __maybe_unused to avoid W=1 build break
svcrdma: bound check rq_pages index in inline path
ASoC: SOF: ipc4-topology: Convert FLOAT to S32 during blob selection
NFSD: Clear TIME_DELEG in the suppattr_exclcreat bitmap
ALSA: hda/realtek: Add Asus quirk for TAS amplifiers
ASoC: SOF: ipc4-topology: Prefer 32-bit DMIC blobs for 8-bit formats as well
NFSD: NFSv4 file creation neglects setting ACL
NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap
net/handshake: restore destructor on submit failure
fsnotify: do not generate ACCESS/MODIFY events on child for special files
net: phy: marvell-88q2xxx: Fix clamped value in mv88q2xxx_hwmon_write
r8169: fix RTL8117 Wake-on-Lan in DASH mode
lib/crypto: riscv: Add poly1305-core.S to .gitignore
arm64/gcs: Flush the GCS locking state on exec
PM: runtime: Do not clear needs_force_resume with enabled runtime PM
tracing: Do not register unsupported perf events
xfs: validate that zoned RT devices are zone aligned
xfs: fix a UAF problem in xattr repair
xfs: fix the zoned RT growfs check for zone alignment
xfs: fix stupid compiler warning
xfs: fix a memory leak in xfs_buf_item_init()
KVM: selftests: Add missing "break" in rseq_test's param parsing
KVM: x86: Apply runtime updates to current CPUID during KVM_SET_CPUID{,2}
KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits
KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN)
KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit
KVM: TDX: Explicitly set user-return MSRs that *may* be clobbered by the TDX-Module
KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN
KVM: Fix last_boosted_vcpu index assignment bug
KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation
KVM: selftests: Forcefully override ARCH from x86_64 to x86
KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN
KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn()
KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0
powerpc: Add reloc_offset() to font bitmap pointer used for bootx_printf()
libceph: make decode_pool() more resilient against corrupted osdmaps
lib/crypto: riscv/chacha: Avoid s0/fp register
dm-pcache: advance slot index before writing slot
parisc: Do not reprogram affinitiy on ASP chip
scs: fix a wrong parameter in __scs_magic
media: iris: Add sanity check for stop streaming
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
KVM: x86: Don't clear async #PF queue when CR0.PG is disabled (e.g. on #SMI)
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
media: vidtv: initialize local pointers upon transfer of memory ownership
mm/slub: reset KASAN tag in defer_free() before accessing freed memory
KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot
pinctrl: renesas: rzg2l: Fix ISEL restore on resume
tools/testing/nvdimm: Use per-DIMM device handle
f2fs: fix return value of f2fs_recover_fsync_data()
f2fs: fix to not account invalid blocks in get_left_section_blocks()
f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes()
f2fs: fix uninitialized one_time_gc in victim_sel_policy
f2fs: fix age extent cache insertion skip on counter overflow
f2fs: use global inline_xattr_slab instead of per-sb slab cache
f2fs: invalidate dentry cache on failed whiteout creation
f2fs: fix to avoid updating zero-sized extent in extent cache
f2fs: fix to propagate error from f2fs_enable_checkpoint()
f2fs: fix to avoid potential deadlock
f2fs: fix to avoid updating compression context during writeback
f2fs: ensure node page reads complete before f2fs_put_super() finishes
scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error
scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow
scsi: target: Reset t_task_cdb pointer in error case
NFSD: use correct reservation type in nfsd4_scsi_fence_client
scsi: aic94xx: fix use-after-free in device removal path
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
cpufreq: nforce2: fix reference count leak in nforce2
cpuidle: governors: teo: Drop misguided target residency check
serial: sh-sci: Check that the DMA cookie is valid
serial: xilinx_uartps: fix rs485 delay_rts_after_send
serial: core: Fix serial device initialization
serial: core: Restore sysfs fwnode information
mei: gsc: add dependency on Xe driver
mei: Fix error handling in mei_register
intel_th: Fix error handling in intel_th_output_open
dt-bindings: slimbus: fix warning from example
char: applicom: fix NULL pointer dereference in ac_ioctl
xhci: dbgtty: fix device unregister: fixup
usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
usb: dwc3: keep susphy enabled during exit to avoid controller faults
usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
usb: gadget: lpc32xx_udc: fix clock imbalance in error path
usb: phy: isp1301: fix non-OF device reference imbalance
usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
USB: lpc32xx_udc: Fix error handling in probe
usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe()
usb: typec: ucsi: huawei-gaokin: add DRM dependency
usb: ohci-nxp: fix device leak on probe failure
phy: broadcom: bcm63xx-usbh: fix section mismatches
media: pvrusb2: Fix incorrect variable used in trace message
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
mptcp: avoid deadlock on fallback while reinjecting
mptcp: schedule rtx timer only after pushing data
selftests: mptcp: pm: ensure unknown flags are ignored
mptcp: pm: ignore unknown endpoint flags
mm/slab: introduce kvfree_rcu_barrier_on_cache() for cache destruction
dma-mapping: Fix DMA_BIT_MASK() macro being broken
crash: let architecture decide crash memory export to iomem_resource
tpm2-sessions: Fix tpm2_read_public range checks
tpm2-sessions: Fix out of range indexing in name_size
mm/huge_memory: add pmd folio to ds_queue in do_huge_zero_wp_pmd()
media: v4l2-mem2mem: Fix outdated documentation
mm/ksm: fix exec/fork inheritance support for prctl
block: Remove queue freezing from several sysfs store callbacks
jbd2: use a weaker annotation in journal handling
jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key
ext4: align max orphan file size with e2fsprogs limit
ext4: fix incorrect group number assertion in mb_check_buddy
ext4: clear i_state_flags when alloc inode
ext4: xattr: fix null pointer deref in ext4_raw_inode()
ext4: check if mount_opts is NUL-terminated in ext4_ioctl_set_tune_sb()
ext4: fix string copying in parse_apply_sb_mount_options()
printk: Avoid irq_work for printk_deferred() on suspend
printk: Allow printk_trigger_flush() to flush all types
fs: PM: Fix reverse check in filesystems_freeze_callback()
tpm: Cap the number of PCR banks
ktest.pl: Fix uninitialized var in config-bisect.pl
fs/ntfs3: fix mount failure for sparse runs in run_unpack()
kallsyms: Fix wrong "big" kernel symbol type read from procfs
crypto: scatterwalk - Fix memcpy_sglist() to always succeed
floppy: fix for PAGE_SIZE != 4KB
jbd2: fix the inconsistency between checksum and data in memory for journal sb
block: rate-limit capacity change info log
gfs2: fix freeze error handling
btrfs: don't rewrite ret from inode_permission
wifi: mt76: Fix DTS power-limits on little endian systems
s390/dasd: Fix gendisk parent after copy pair swap
lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
perf: arm_cspmu: fix error handling in arm_cspmu_impl_unregister()
efi: Add missing static initializer for efi_mm::cpus_allowed_lock
phy: exynos5-usbdrd: fix clock prepare imbalance
dt-bindings: clock: mmcc-sdm660: Add missing MDSS reset
mmc: sdhci-msm: Avoid early clock doubling during HS400 transition
x86/mce: Do not clear bank's poll bit in mce_poll_banks on AMD SMCA systems
sched_ext: Fix missing post-enqueue handling in move_local_task_to_local_dsq()
sched_ext: Fix bypass depth leak on scx_enable() failure
sched_ext: Fix the memleak for sch->helper objects
sched_ext: Factor out local_dsq_post_enq() from dispatch_enqueue()
printk: Avoid scheduling irq_work on suspend
io_uring: fix filename leak in __io_openat_prep()
io_uring: fix min_wait wakeups for SQPOLL
io_uring/poll: correctly handle io_poll_add() return value on update
clk: keystone: syscon-clk: fix regmap leak on probe failure
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
rust: io: add typedef for phys_addr_t
rust: io: move ResourceSize to top-level io module
rust: io: define ResourceSize as resource_size_t
samples: rust: fix endianness issue in rust_driver_pci
rust: dma: add helpers for architectures without CONFIG_HAS_DMA
rust_binder: avoid mem::take on delivered_deaths
rust/drm/gem: Fix missing header in `Object` rustdoc
cifs: Fix memory and information leak in smb3_reconfigure()
vhost/vsock: improve RCU read sections around vhost_vsock_get()
block: rnbd-clt: Fix signedness bug in init_dev()
ublk: clean up user copy references on ublk server exit
drm/msm/a6xx: move preempt_prepare_postamble after error check
drm/msm: adreno: fix deferencing ifpc_reglist when not declared
scsi: scsi_debug: Fix atomic write enable module param description
MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks
hwmon: (emc2305) fix double put in emc2305_probe_childs_from_dt
nvme-fabrics: add ENOKEY to no retry criteria for authentication failures
hwmon: (emc2305) fix device node refcount leak in error path
nvme-fc: don't hold rport lock when putting ctrl
platform/x86: wmi-gamezone: Add Legion Go 2 Quirks
i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware
clk: qcom: dispcc-sm7150: Fix dispcc_mdss_pclk0_clk_src
libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map
serial: sprd: Return -EPROBE_DEFER when uart clock is not ready
usb: xhci: Don't unchain link TRBs on quirky HCs
usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.
usb: xhci: limit run_graceperiod for only usb 3.0 devices
iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains
usb: typec: ucsi: Handle incorrect num_connectors capability
usbip: Fix locking bug in RT-enabled kernels
exfat: zero out post-EOF page cache on file extension
exfat: fix remount failure in different process environments
reset: fix BIT macro reference
functionfs: fix the open/removal races
via_wdt: fix critical boot hang due to unnamed resource allocation
fuse: Invalidate the page cache after FOPEN_DIRECT_IO write
fuse: Always flush the page cache before FOPEN_DIRECT_IO write
scsi: qla2xxx: Use reinit_completion on mbx_intr_comp
scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive
scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled
powerpc/addnote: Fix overflow on 32-bit builds
clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4
scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI
scsi: smartpqi: Add support for Hurray Data new controller PCI device
ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx
um: init cpu_tasks[] earlier
firmware: imx: scu-irq: Init workqueue before request mbox channel
scsi: ufs: host: mediatek: Fix shutdown/suspend race condition
ipmi: Fix __scan_channels() failing to rescan channels
ipmi: Fix the race between __scan_channels() and deliver_response()
ASoC: ops: fix snd_soc_get_volsw for sx controls
ASoC: SDCA: support Q7.8 volume format
nfsd: fix memory leak in nfsd_create_serv error paths
ASoC: ak4458: remove the reset operation in probe and remove
ALSA: usb-mixer: us16x08: validate meter packet indices
ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path
ALSA: vxpocket: Fix resource leak in vxpocket_probe error path
ASoC: fsl_sai: Constrain sample rates from audio PLLs only in master mode
x86/mm/tlb/trace: Export the TLB_REMOTE_WRONG_CPU enum in <trace/events/tlb.h>
x86/fpu: Fix FPU state core dump truncation on CPUs with no extended xfeatures
x86/msi: Make irq_retrigger() functional for posted MSI
x86/bug: Fix old GCC compile fails
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml
mmc: sdhci-of-arasan: Increase CD stable timeout to 2 seconds
mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
spi: fsl-cpm: Check length parity before switching to 16 bit mode
ACPI: CPPC: Fix missing PCC check for guaranteed_perf
ACPI: PCC: Fix race condition by removing static qualifier
platform/x86: intel_pmc_ipc: fix ACPI buffer memory leak
soc/tegra: fuse: Do not register SoC device on ACPI boot
can: gs_usb: gs_can_open(): fix error handling
xfs: don't leak a locked dquot when xfs_dquot_attach_buf fails
Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
Input: alps - fix use-after-free bugs caused by dev3_register_work
Input: lkkbd - disable pending work before freeing device
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
Input: xpad - add support for CRKD Guitars
Input: apple_z2 - fix reading incorrect reports after exiting sleep
HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
ksmbd: fix buffer validation by including null terminator size in EA length
ksmbd: Fix refcount leak when invalid session is found on session lookup
ksmbd: skip lock-range check on equal size to avoid size==0 underflow
hwmon: (ltc4282): Fix reset_history file permissions
arm64: dts: mediatek: Apply mt8395-radxa DT overlay at build time
amd/iommu: Preserve domain ids inside the kdump kernel
drm/xe/oa: Always set OAG_OAGLBCTXCTRL_COUNTER_RESUME
drm/xe/oa: Limit num_syncs to prevent oversized allocations
drm/xe: Limit num_syncs to prevent oversized allocations
block: rnbd-clt: Fix leaked ID in init_dev()
ublk: fix deadlock when reading partition table
ublk: refactor auto buffer register in ublk_dispatch_req()
ublk: add `union ublk_io_buf` with improved naming
ublk: add parameter `struct io_uring_cmd *` to ublk_prep_auto_buf_reg()
io_uring: fix nr_segs calculation in io_import_kbuf
spi: cadence-quadspi: Fix clock disable on probe failure path
drm/amdgpu: fix a job->pasid access race in gpu recovery
arm64: kdump: Fix elfcorehdr overlap caused by reserved memory processing reorder
x86/xen: Fix sparse warning in enlighten_pv.c
drm/panel: sony-td4353-jdi: Enable prepare_prev_first
MIPS: Fix a reference leak bug in ip22_check_gio()
drm/xe: Restore engine registers before restarting schedulers after GT reset
drm/xe: Increase TDF timeout
drm/me/gsc: mei interrupt top half should be in irq disabled context
drm/xe: fix drm_gpusvm_init() arguments
drm/xe: Apply Wa_14020316580 in xe_gt_idle_enable_pg()
drm/xe: Fix freq kobject leak on sysfs_create_files failure
hwmon: (tmp401) fix overflow caused by default conversion rate value
hwmon: (ibmpex) fix use-after-free in high/low store
hwmon: (dell-smm) Limit fan multiplier to avoid overflow
spi: mpfs: Fix an error handling path in mpfs_spi_probe()
spi: microchip: rename driver file and internal identifiers
block: fix race between wbt_enable_default and IO submission
block: use {alloc|free}_sched data methods
block: introduce alloc_sched_data and free_sched_data elevator methods
block: move elevator tags into struct elevator_resources
block: unify elevator tags and type xarrays into struct elv_change_ctx
selftests: ublk: fix overflow in ublk_queue_auto_zc_fallback()
drm/tests: Handle EDEADLK in set_up_atomic_state()
drm/tests: Handle EDEADLK in drm_test_check_valid_clones()
drm/tests: hdmi: Handle drm_kunit_helper_enable_crtc_connector() returning EDEADLK
net: hns3: add VLAN id validation before using
net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
net: hns3: using the num_tqps in the vf driver to apply for resources
net: enetc: do not transmit redirected XDP frames when the link is down
net/handshake: duplicate handshake cancellations leak socket
net/mlx5e: Don't include PSP in the hard MTU calculations
net/mlx5e: Trigger neighbor resolution for unresolved destinations
net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init
net/mlx5: Serialize firmware reset with devlink
net/mlx5: fw_tracer, Handle escaped percent properly
net/mlx5: fw_tracer, Validate format string parameters
net/mlx5: Drain firmware reset in shutdown callback
net/mlx5: fw reset, clear reset requested on drain_fw_reset
ethtool: Avoid overflowing userspace buffer on stats query
can: j1939: make j1939_sk_bind() fail if device is no longer registered
iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
iommufd/selftest: Make it clearer to gcc that the access is not out of bounds
selftests: netfilter: packetdrill: avoid failure on HZ=100 kernel
netfilter: nf_tables: remove redundant chain validation on register store
netfilter: nf_nat: remove bogus direction check
nfc: pn533: Fix error code in pn533_acr122_poweron_rdr()
net/sched: ets: Remove drr class from the active list if it changes to strict
caif: fix integer underflow in cffrml_receive()
selftests: netfilter: prefer xfail in case race wasn't triggered
ipvs: fix ipv4 null-ptr-deref in route error path
netfilter: nf_conncount: fix leaked ct in error paths
inet: frags: flush pending skbs in fqdir_pre_exit()
inet: frags: add inet_frag_queue_flush()
inet: frags: avoid theoretical race in ip_frag_reinit()
selftests: net: tfo: Fix build warning
selftests: net: Fix build warnings
selftest: af_unix: Support compilers without flex-array-member-not-at-end support
broadcom: b44: prevent uninitialized value usage
net: ti: icssg-prueth: add PTP_1588_CLOCK_OPTIONAL dependency
net: openvswitch: fix middle attribute validation in push_nsh() action
bnxt_en: Fix XDP_TX path
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
mlxsw: spectrum_router: Fix neighbour use-after-free
mlxsw: spectrum_router: Fix possible neighbour reference count leak
net/mlx5: Fix double unregister of HCA_PORTS component
ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2()
net: phy: RTL8211FVD: Restore disabling of PHY-mode EEE
net: phy: realtek: create rtl8211f_config_phy_eee() helper
net: phy: realtek: eliminate priv->phycr1 variable
net: phy: realtek: allow CLKOUT to be disabled on RTL8211F(D)(I)-VD-CG
net: phy: realtek: eliminate has_phycr2 variable
net: phy: realtek: eliminate priv->phycr2 variable
net/mlx5e: Av…
shashim-quic
approved these changes
Jan 27, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge tag 'v6.18.7' into qcom-6.18.y