[Deepin-Kernel-SIG] [linux 6.18.y] [Upstream] Update kernel base to 6.18.8#1495
Merged
opsiff merged 228 commits intodeepin-community:linux-6.18.yfrom Feb 10, 2026
Merged
Conversation
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Sorry @opsiff, your pull request is larger than the review limit of 150000 diff characters
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Pull request overview
Updates the stable kernel base from 6.18.7 to 6.18.8, pulling in upstream fixes across networking, drivers, memory management, tracing, and selftests.
Changes:
- Bump kernel version to 6.18.8 and sync in upstream stable fixes across subsystems.
- Update/extend multiple drivers and core subsystems (e.g., net/rxrpc, USB audio, IRQ, mm, DRM, storage) with correctness and race/leak fixes.
- Adjust and harden several selftests and tooling scripts.
Reviewed changes
Copilot reviewed 249 out of 249 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| Makefile | Kernel sublevel bump to 6.18.8. |
| net/netrom/nr_route.c | Routing path change to avoid double-free, but introduces a potential skb leak on send failure (see PR comment). |
| drivers/gpu/drm/xe/xe_pm.c | Comment/doc wording updates; contains minor grammatical typos (see PR comment). |
| tools/testing/selftests/net/amt.sh | Selftest robustness tweaks (wait for listener before sending multicast). |
| tools/testing/selftests/ublk/kublk.c | Selftest daemon/start handling and debug output fixes. |
| sound/usb/mixer.c | USB mixer cleanup ordering and warning threshold adjustments. |
| net/rxrpc/* | Peer TX timestamping and recvmsg requeue/peek behavior adjustments. |
| drivers/gpio/gpiolib-cdev.c | Error-path cleanup fixes to avoid leaks and improve error codes. |
| drivers/spi/spi-sprd-adi.c | Convert to devm-managed allocations and simplify probe error paths. |
| fs/fs-writeback.c | Skip waiting on writeback for mappings marked as having no data-integrity semantics. |
| fs/fuse/file.c | Mark mappings as no-data-integrity under writeback cache mode. |
| Documentation/netlink/specs/fou.yaml | Add minimum check for ipproto. |
| net/ipv4/fou_nl.c | Enforce non-zero IP protocol via netlink policy. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
822
to
845
| @@ -837,6 +839,9 @@ int nr_route_frame(struct sk_buff *skb, ax25_cb *ax25) | |||
| nr_node_unlock(nr_node); | |||
| nr_node_put(nr_node); | |||
|
|
|||
| if (ret) | |||
| kfree_skb(oskb); | |||
|
|
|||
| return ret; | |||
There was a problem hiding this comment.
When ax25_send_frame() fails (returns NULL), the newly allocated skb copy (nskb) is not freed. Callers free the original skb when nr_route_frame() returns 0, so this leaks the copied skb on failure. Free the copied skb before returning when ret is false (and only free the original skb on success as you do now).
Comment on lines
+664
to
+668
| * When possible, scope-based runtime PM (through guard(xe_pm_runtime)) is | ||
| * be preferred over direct usage of this function. Manual get/put handling | ||
| * should only be used when the function contains goto-based logic which | ||
| * can break scope-based handling, or when the lifetime of the runtime PM | ||
| * reference does not match a specific scope (e.g., runtime PM obtained in one |
There was a problem hiding this comment.
The kerneldoc comment has grammatical typos (e.g., "is be preferred"), which makes the guidance harder to read. Please adjust phrasing (e.g., "should be preferred" / "is preferred").
[ Upstream commit 868b979c5328b867c95a6d5a93ba13ad0d3cd2f1 ] To make sure that power rail is voted for, wire it up to its consumers. Fixes: 152d1fa ("arm64: dts: qcom: add SC8280XP platform") Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org> Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-3-46cdf47a829e@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 27357b61522f7c06e81ab71cc20329f695f8f346) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 9dbc9bed01837717b8ab755cf5067a6f8d35b00f ] With W=1, the following error comes up: Warning (avoid_unnecessary_addr_size): /soc@0/usb@a600000: unnecessary #address-cells/#size-cells without "ranges", "dma-ranges" or child "reg" or "ranges" property This is because the child node being removed during flattening and moving to latest bindings. Fixes: 3345087 ("arm64: dts: qcom: sm8550: Flatten the USB nodes") Signed-off-by: Krishna Kurapati <krishna.kurapati@oss.qualcomm.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://lore.kernel.org/r/20251203144856.2711440-2-krishna.kurapati@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 0e5ad343afa303d09655b1a97ba4395e0773fcc8) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 1f6ca557088eb96c8c554f853eb7c60862f8a0a8 ] With W=1, the following error comes up: Warning (avoid_unnecessary_addr_size): /soc@0/usb@a600000: unnecessary #address-cells/#size-cells without "ranges", "dma-ranges" or child "reg" or "ranges" property This is because the child node being removed during flattening and moving to latest bindings. Fixes: 77e1f16 ("arm64: dts: qcom: sm8650: Flatten the USB nodes") Signed-off-by: Krishna Kurapati <krishna.kurapati@oss.qualcomm.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://lore.kernel.org/r/20251203144856.2711440-3-krishna.kurapati@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 2d73b3ed28be1096402ead62e8bce73a83212753) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 955b263c421c6fe5075369c52199f278289ec8c4 ] According to RK3576 TRM part1 Table 1-1 Address Mapping, the size of the GPU registers is 128 KB. The current mapping incorrectly includes the addresses of multiple following IP like the eInk interface at 0x27900000. This has not been detected by the DT tooling as none of the extra mapped IP is described in the upstream RK3576 DT so far. Fixes: 57b1ce9 ("arm64: dts: rockchip: Add rk3576 SoC base DT") Signed-off-by: Chaoyi Chen <chaoyi.chen@rock-chips.com> Reviewed-by: Nicolas Frattaroli <nicolas.frattaroli@collabora.com> Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com> Link: https://patch.msgid.link/20260106071513.209-1-kernel@airkyi.com Signed-off-by: Heiko Stuebner <heiko@sntech.de> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 83eeeb8c1acb763b6f633678eb3dbf553208bcf6) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 1eb217ab2e737609f8a861b517649e82e7236d05 ] If evsel__new_idx() returns NULL, the function currently jumps to label 'out_err'. Here, references to `cpus` and `pmu_cpus` are dropped. Also, resources held by evsel->name and evsel->metric_id are freed. But if evsel__new_idx() returns NULL, it can lead to NULL pointer dereference. Fixes: cd63c22 ("perf parse-events: Minor __add_event refactoring") Signed-off-by: Faisal Bukhari <faisalbukhari523@gmail.com> Reviewed-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Namhyung Kim <namhyung@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 4f6884288e4b78efcd64c679973598c201d1db93) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 49f49d47af67f8a7b221db1d758fc634242dc91a ] hv_kmsg_dump() currently skips the panic notification entirely if it doesn't get any message bytes to pass to Hyper-V due to an error from kmsg_dump_get_buffer(). Skipping the notification is undesirable because it leaves the Hyper-V host uncertain about the state of a panic'ed guest. Fix this by always doing the panic notification, even if bytes_written is zero. Also ensure that bytes_written is initialized, which fixes a kernel test robot warning. The warning is actually bogus because kmsg_dump_get_buffer() happens to set bytes_written even if it fails, and in the kernel test robot's CONFIG_PRINTK not set case, hv_kmsg_dump() is never called. But do the initialization for robustness and to quiet the static checker. Fixes: 9c318a1 ("Drivers: hv: move panic report code from vmbus to hv early init code") Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/all/202512172103.OcUspn1Z-lkp@intel.com/ Signed-off-by: Michael Kelley <mhklinux@outlook.com> Reviewed-by: Roman Kisel <vdso@mailbox.org> Signed-off-by: Wei Liu <wei.liu@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 6abad2eb9a1bdbb8965ef1d2b5aae3573d3b7d27) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 1d8f69f453c2e8a2d99b158e58e02ed65031fa6d ] When the BLOCK_GROUP_TREE compat_ro flag is set, the extent root and csum root fields are getting missed. This is because EXTENT_TREE_V2 treated these differently, and when they were split off this special-casing was mistakenly assigned to BGT rather than the rump EXTENT_TREE_V2. There's no reason why the existence of the block group tree should mean that we don't record the details of the last commit's extent root and csum root. Fix the code in backup_super_roots() so that the correct check gets made. Fixes: 1c56ab9 ("btrfs: separate BLOCK_GROUP_TREE compat RO flag from EXTENT_TREE_V2") Reviewed-by: Qu Wenruo <wqu@suse.com> Signed-off-by: Mark Harmstone <mark@harmstone.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 4818f28cd902334980800b34e719521d3572ccff) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 45e1be5ddec98db71e7481fa7a3005673200d85c ] Not sure how useful it's gonna be in practice, but the definition is missing (unlike the previously-unused SC8280XP_MXC-non-_AO), so add it to allow the driver to create the corresponding pmdomain. Fixes: dbfb5f9 ("dt-bindings: power: rpmpd: Add sc8280xp RPMh power-domains") Acked-by: Rob Herring (Arm) <robh@kernel.org> Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org> Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-1-46cdf47a829e@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 0f56c3f23ed5638d9f0a6918aa929738d8f1e74a) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 5bc3e720e725cd5fa34875fa1e5434d565858067 ] This was apparently accounted for in dt-bindings, but never made its way into the driver. Fix it for SC8280XP and its VDD_GFX-less cousin, SA8540P. Fixes: f68f1cb ("soc: qcom: rpmhpd: add sc8280xp & sa8540p rpmh power-domains") Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org> Link: https://lore.kernel.org/r/20251202-topic-8280_mxc-v2-2-46cdf47a829e@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit d395afac28adb3a8cb45f2456cfbbc980d38d754) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 1fed08c5519d2f929457f354d3c06c6a8c33829c ] freq_to_idx() is used to map a channel to a survey index. Commit acc152f ("wifi: ath12k: combine channel list for split-phy devices in single-wiphy") adds radio specific frequency range check in this helper to make sure an invalid index is returned if the channel falls outside that range. However, this check introduces a race, resulting in below warnings as reported in [1]. ath12k_pci 0000:08:00.0: chan info: invalid frequency 6455 (idx 101 out of bounds) ath12k_pci 0000:08:00.0: chan info: invalid frequency 6535 (idx 101 out of bounds) ath12k_pci 0000:08:00.0: chan info: invalid frequency 6615 (idx 101 out of bounds) ath12k_pci 0000:08:00.0: chan info: invalid frequency 6695 (idx 101 out of bounds) ath12k_pci 0000:08:00.0: chan info: invalid frequency 6775 (idx 101 out of bounds) ath12k_pci 0000:08:00.0: chan info: invalid frequency 6855 (idx 101 out of bounds) ath12k_pci 0000:08:00.0: chan info: invalid frequency 6935 (idx 101 out of bounds) ath12k_pci 0000:08:00.0: chan info: invalid frequency 7015 (idx 101 out of bounds) ath12k_pci 0000:08:00.0: chan info: invalid frequency 7095 (idx 101 out of bounds) ath12k_pci 0000:08:00.0: chan info: invalid frequency 6435 (idx 101 out of bounds) Race scenario: 1) A regdomain covering below frequency range is uploaded to host via WMI_REG_CHAN_LIST_CC_EXT_EVENTID event: Country 00, CFG Regdomain UNSET FW Regdomain 0, num_reg_rules 6 1. (2402 - 2472 @ 40) (0, 20) (0 ms) (FLAGS 360448) (0, 0) 2. (2457 - 2477 @ 20) (0, 20) (0 ms) (FLAGS 360576) (0, 0) 3. (5170 - 5330 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0) 4. (5490 - 5730 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0) 5. (5735 - 5895 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0) 6. (5925 - 7125 @ 320) (0, 24) (0 ms) (FLAGS 2056) (0, 255) As a result, radio frequency range is updated as [2402, 7125] ath12k_pci 0000:08:00.0: mac pdev 0 freq limit updated. New range 2402->7125 MHz If no scan in progress or after scan finished, command WMI_SCAN_CHAN_LIST_CMDID is sent to firmware notifying that firmware is allowed to do scan on all channels within that range. The running path is: /* redomain uploaded */ 1. WMI_REG_CHAN_LIST_CC_EXT_EVENTID 2. ath12k_reg_chan_list_event() 3. ath12k_reg_handle_chan_list() 4. queue_work(..., &ar->regd_update_work) 5. ath12k_regd_update_work() 6. ath12k_regd_update() /* update radio frequency range */ 7. ath12k_mac_update_freq_range() 8. regulatory_set_wiphy_regd() 9. ath12k_reg_notifier() 10. ath12k_reg_update_chan_list() 11. queue_work(..., &ar->regd_channel_update_work) 12. ath12k_regd_update_chan_list_work() /* wait scan finishes */ 13. wait_for_completion_timeout(&ar->scan.completed, ...) /* command notifying list of valid channels */ 14. ath12k_wmi_send_scan_chan_list_cmd() 2) Hardware scan is triggered on all allowed channels. 3) Before scan completed, 11D mechanism detects a new country code ath12k_pci 0000:08:00.0: wmi 11d new cc GB With this code sent to firmware, firmware uploads a new regdomain Country GB, CFG Regdomain ETSI FW Regdomain 2, num_reg_rules 9 1. (2402 - 2482 @ 40) (0, 20) (0 ms) (FLAGS 360448) (0, 0) 2. (5170 - 5250 @ 80) (0, 23) (0 ms) (FLAGS 264192) (0, 0) 3. (5250 - 5330 @ 80) (0, 23) (0 ms) (FLAGS 264216) (0, 0) 4. (5490 - 5590 @ 80) (0, 30) (0 ms) (FLAGS 264208) 5. (5590 - 5650 @ 40) (0, 30) (600000 ms) (FLAGS 264208) 6. (5650 - 5730 @ 80) (0, 30) (0 ms) (FLAGS 264208) 7. (5735 - 5875 @ 80) (0, 14) (0 ms) (FLAGS 264192) (0, 0) 8. (5855 - 5875 @ 20) (0, 14) (0 ms) (FLAGS 264192) (0, 0) 9. (5945 - 6425 @ 320) (0, 24) (0 ms) (FLAGS 2056) (0, 11) Then radio frequency range is updated as [2402, 6425] ath12k_pci 0000:08:00.0: mac pdev 0 freq limit updated. New range 2402->6425 MHz Please note this is a smaller range than the previous one. Later host runs the same path for the purpose of notifying the new channel list. However since scan not completed, host just waits there. Meanwhile, firmware is possibly scanning channels outside the new range. As a result, WMI_CHAN_INFO_EVENTID events for those channels fail freq_to_idx() check and triggers warnings above. Fix this issue by removing radio frequency check in freq_to_idx(). This is valid because channels being scanned do not synchronize with frequency range update. Besides, this won't cause any problem, since freq_to_idx() is only used for survey data. Even out-of-range channels filled in the survey, they won't get delivered to userspace due to the range check already there in ath12k_mac_op_get_survey(). Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3 Fixes: acc152f ("wifi: ath12k: combine channel list for split-phy devices in single-wiphy") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220871 # 1 Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com> Link: https://patch.msgid.link/20260108-ath12k-fix-freq-to-idx-v1-1-b2458cf7aa0d@oss.qualcomm.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit a57459614aa695c570db6fd55932bb2b35d9b934) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit ea4d4ea6d10a561043922d285f1765c7e4bfd32a ] An AHCI HBA specifies the number of ports it supports using CAP.NP. The HBA is free to only make a subset of the number of ports available using the PI (Ports Implemented) register. libata currently creates dummy ports for HBA ports that are provided by the HBA, but which are marked as "unavailable" using the PI register. Each port will have a per port area of registers in the HBA, regardless if the port is marked as "unavailable" or not. ahci_mark_external_port() currently reads this per port area of registers using readl() to see if the port is marked as external/hotplug-capable. However, AHCI 1.3.1, section "3.1.4 Offset 0Ch: PI – Ports Implemented" states: "Software must not read or write to registers within unavailable ports." Thus, make sure that we only call ahci_mark_external_port() and ahci_update_initial_lpm_policy() for ports that are implemented. From a libata perspective, this should not change anything related to LPM, as dummy ports do not provide any ap->ops (they do not have a .set_lpm() callback), so even if EH were to call .set_lpm() on a dummy port, it was already a no-op. Fixes: f713193 ("ata: ahci: move marking of external port earlier") Signed-off-by: Niklas Cassel <cassel@kernel.org> Tested-by: Wolf <wolf@yoxt.cc> Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 62ced8e065787d065445d10f6af9f468160dc735) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 8f3fb33f8f3f825c708ece800c921977c157f9b6 ] Commit d360121 ("ata: libata-core: Introduce ata_dev_config_lpm()") introduced ata_dev_config_lpm(). However, it only called this function for ATA_DEV_ATA and ATA_DEV_ZAC devices, not for ATA_DEV_ATAPI devices. Additionally, commit d99a914 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()") moved the LPM quirk application from ata_dev_configure() to ata_dev_config_lpm(), causing LPM quirks for ATAPI devices to no longer be applied. Call ata_dev_config_lpm() also for ATAPI devices, such that LPM quirks are applied for ATAPI devices with an entry in __ata_dev_quirks once again. Fixes: d360121 ("ata: libata-core: Introduce ata_dev_config_lpm()") Fixes: d99a914 ("ata: libata-core: Move device LPM quirk settings to ata_dev_config_lpm()") Signed-off-by: Niklas Cassel <cassel@kernel.org> Tested-by: Wolf <wolf@yoxt.cc> Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 05db73211387f6957c8c4f44b3ab62e807318997) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…bute [ Upstream commit ce83767ea323baf8509a75eb0c783cd203e14789 ] The link_power_management_supported sysfs attribute is currently set as true even for ata ports that lack a .set_lpm() callback, e.g. dummy ports. This is a bit silly, because while writing to the link_power_management_policy sysfs attribute will make ata_scsi_lpm_store() update ap->target_lpm_policy (thus sysfs will reflect the new value) and call ata_port_schedule_eh() for the port, it is essentially a no-op. This is because for a port without a .set_lpm() callback, once EH gets to run, the ata_eh_link_set_lpm() will simply return, since the port does not provide a .set_lpm() callback. Thus, make sure that the link_power_management_supported sysfs attribute is set to false for ports that lack a .set_lpm() callback. This way the link_power_management_policy sysfs attribute will no longer be writable, so we will no longer be misleading users to think that their sysfs write actually does something. Fixes: 0060bee ("ata: libata-sata: Add link_power_management_supported sysfs attribute") Signed-off-by: Niklas Cassel <cassel@kernel.org> Tested-by: Wolf <wolf@yoxt.cc> Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 7fe7e7858b32d250c011ef82993af9ed361cb4b3) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a6bee5e5243ad02cae575becc4c83df66fc29573 ] ata_dev_print_features() is supposed to return early and not print anything if there are no features supported. However, commit fe22e1c ("libata: support concurrent positioning ranges log") added another feature to ata_dev_print_features() without updating the early return conditional. Add the missing feature to the early return conditional. Fixes: fe22e1c ("libata: support concurrent positioning ranges log") Signed-off-by: Niklas Cassel <cassel@kernel.org> Tested-by: Wolf <wolf@yoxt.cc> Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 93f484d63f87352ea85169d95bf648aa181eee4e) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 89531b68fc293e91187bf0992147e8d22c65cff3 ] ata_dev_print_features() is supposed to return early and not print anything if there are no features supported. However, commit b1f5af5 ("ata: libata-core: Advertize device support for DIPM and HIPM features") added additional features to ata_dev_print_features() without updating the early return conditional. Add the missing features to the early return conditional. Fixes: b1f5af5 ("ata: libata-core: Advertize device support for DIPM and HIPM features") Signed-off-by: Niklas Cassel <cassel@kernel.org> Tested-by: Wolf <wolf@yoxt.cc> Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit d5529d36e76469d70b29fefa7945bf06e2590c7d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit c8c6fb886f57d5bf71fb6de6334a143608d35707 ] Commit d633b8a ("libata: print feature list on device scan") added a print of the features supported by the device for ATA_DEV_ATA and ATA_DEV_ZAC devices, but not for ATA_DEV_ATAPI devices. Fix this by printing the features also for ATAPI devices. Before changes: ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133 After changes: ata1.00: ATAPI: Slimtype DVD A DU8AESH, 6C2M, max UDMA/133 ata1.00: Features: Dev-Attention HIPM DIPM Fixes: d633b8a ("libata: print feature list on device scan") Signed-off-by: Niklas Cassel <cassel@kernel.org> Tested-by: Wolf <wolf@yoxt.cc> Signed-off-by: Damien Le Moal <dlemoal@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 887032ba3ff23f1c7999b15a8e04e54d3dc6db2d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 39c90b1a1dbe6d7c49d19da6e5aec00980c55d8b ] Cancel the scheduled scan request only on the vdev that has an active scan running. Currently, ahvif->links_map is used to obtain the links, but this includes links for which no scan is scheduled. In failure cases where the scan fails due to an invalid channel definition, other links which are not yet brought up (vdev not created) may also be accessed, leading to the following trace: Unable to handle kernel paging request at virtual address 0000000000004c8c pc : _raw_spin_lock_bh+0x1c/0x54 lr : ath12k_scan_abort+0x20/0xc8 [ath12k] Call trace: _raw_spin_lock_bh+0x1c/0x54 (P) ath12k_mac_op_cancel_hw_scan+0xac/0xc4 [ath12k] ieee80211_scan_cancel+0xcc/0x12c [mac80211] ieee80211_do_stop+0x6c4/0x7a8 [mac80211] ieee80211_stop+0x60/0xd8 [mac80211] Skip links that are not created or are not the current scan vdev. This ensures only the scan for the matching links is aborted and avoids aborting unrelated links during cancellation, thus aligning with how start/cleanup manage ar->scan.arvif. Also, remove the redundant arvif->is_started check from ath12k_mac_op_cancel_hw_scan() that was introduced in commit 3863f01 ("wifi: ath12k: symmetrize scan vdev creation and deletion during HW scan") to avoid deleting the scan interface if the scan is triggered on the existing AP vdev as this use case is already handled in ath12k_scan_vdev_clean_work(). Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 Fixes: feed05f ("wifi: ath12k: Split scan request for split band device") Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com> Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com> Link: https://patch.msgid.link/20260107-scan_vdev-v1-1-b600aedc645a@qti.qualcomm.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 1aa669892459567b43365474e5ef76cbc211f20e) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…_channel [ Upstream commit 8b8d6ee53dfdee61b0beff66afe3f712456e707a ] Scan finish workqueue was introduced in __ath12k_mac_scan_finish() by [1]. During ath12k_mac_op_cancel_remain_on_channel(), scan state is set to ABORTING and should be reset to IDLE in the queued work. However, wiphy_work_cancel() is called before exiting ath12k_mac_op_cancel_remain_on_channel(), which prevents the work from running and leaves the state in ABORTING. This blocks all subsequent scan requests. Replace wiphy_work_cancel() with wiphy_work_flush() to ensure the queued work runs and scan state is reset to IDLE. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3 Fixes: 3863f01 ("wifi: ath12k: symmetrize scan vdev creation and deletion during HW scan") # [1] Signed-off-by: Yingying Tang <yingying.tang@oss.qualcomm.com> Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com> Link: https://patch.msgid.link/20260112115516.2144219-1-yingying.tang@oss.qualcomm.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit c8e5f49667f5f689a88240d00b39c8e93fdab058) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit f88e9fc30a261d63946ddc6cc6a33405e6aa27c3 ] Commit [1] converted the management transmission work item into a wiphy work. Since a wiphy work can only run under wiphy lock protection, a race condition happens in below scenario: 1. a management frame is queued for transmission. 2. ath12k_mac_op_flush() gets called to flush pending frames associated with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush() the process waits for the transmission done. 3. Since wiphy lock has been taken by the flush process, the transmission work item has no chance to run, hence the dead lock. >From user view, this dead lock results in below issue: wlp8s0: authenticate with xxxxxx (local address=xxxxxx) wlp8s0: send auth to xxxxxx (try 1/3) wlp8s0: authenticate with xxxxxx (local address=xxxxxx) wlp8s0: send auth to xxxxxx (try 1/3) wlp8s0: authenticated wlp8s0: associate with xxxxxx (try 1/3) wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING) ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1 The dead lock can be avoided by invoking wiphy_work_flush() to proactively run the queued work item. Note actually it is already present in ath12k_mac_op_flush(), however it does not protect the case where vif being NULL. Hence move it ahead to cover this case as well. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3 Fixes: 56dcbf0 ("wifi: ath12k: convert struct ath12k::wmi_mgmt_tx_work to struct wiphy_work") # [1] Reported-by: Stuart Hayhurst <stuart.a.hayhurst@gmail.com> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220959 Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com> Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com> Link: https://patch.msgid.link/20260113-ath12k-fix-dead-lock-while-flushing-v1-1-9713621f3a0f@oss.qualcomm.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 06ac2aa13f701a0296e92f5f54ae24224d426b28) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 31707572108da55a005e7fed32cc3869c16b7c16 ] Wrong P2P device link id value of 0 was introduced in ath12k_mac_op_tx() by [1]. During the P2P negotiation process, there is only one scan vdev with link ID 15. Currently, the device link ID is incorrectly set to 0 in ath12k_mac_op_tx() during the P2P negotiation process, which leads to TX failures. Set the correct P2P device link ID to 15 to fix the TX failure issue. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3 Fixes: 648a121 ("wifi: ath12k: ath12k_mac_op_tx(): MLO support") # [1] Signed-off-by: Yingying Tang <yingying.tang@oss.qualcomm.com> Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com> Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com> Cc: linux-next@vger.kernel.org Cc: netdev@vger.kernel.org Link: https://patch.msgid.link/20260113054636.2620035-1-yingying.tang@oss.qualcomm.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> (cherry picked from commit c35a0cb145f2cf79b2c24e4656701da68f201e1c) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 8439016c3b8b5ab687c2420317b1691585106611 ] The u64_stats_sync structure is empty on 64-bit systems. However, on 32-bit systems it contains a seqcount_t which needs to be initialized. While the memory is zero-initialized, a lack of u64_stats_init means that lockdep won't get initialized properly. Fix this by adding u64_stats_init() calls to the rings just after allocation. Fixes: 2b245cb ("ice: Implement transmit and NAPI support") Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Signed-off-by: Jacob Keller <jacob.e.keller@intel.com> Reviewed-by: Simon Horman <horms@kernel.org> Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel) Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 0bc8d94bf66949c5e5207cc5d302a3af39b8f323) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 5d5fe8bcd331f1e34e0943ec7c18432edfcf0e8b upstream.
Fix the following:
BUG: KCSAN: data-race in rxrpc_peer_keepalive_worker / rxrpc_send_data_packet
which is reporting an issue with the reads and writes to ->last_tx_at in:
conn->peer->last_tx_at = ktime_get_seconds();
and:
keepalive_at = peer->last_tx_at + RXRPC_KEEPALIVE_TIME;
The lockless accesses to these to values aren't actually a problem as the
read only needs an approximate time of last transmission for the purposes
of deciding whether or not the transmission of a keepalive packet is
warranted yet.
Also, as ->last_tx_at is a 64-bit value, tearing can occur on a 32-bit
arch.
Fix both of these by switching to an unsigned int for ->last_tx_at and only
storing the LSW of the time64_t. It can then be reconstructed at need
provided no more than 68 years has elapsed since the last transmission.
Fixes: ace45be ("rxrpc: Fix firewall route keepalive")
Reported-by: syzbot+6182afad5045e6703b3d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/695e7cfb.050a0220.1c677c.036b.GAE@google.com/
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/1107124.1768903985@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f8cf1368e0a5491b27189a695c36f64e48f3d19d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 91dcfae0ff2b9b9ab03c1ec95babaceefbffb9f4 upstream. By default when users program perf to sample branch instructions (PERF_COUNT_HW_BRANCH_INSTRUCTIONS) with a sample period of 1, perf interprets this as a special case and enables BTS (Branch Trace Store) as an optimization to avoid taking an interrupt on every branch. Since BTS doesn't virtualize, this optimization doesn't make sense when the request originates from a guest. Add an additional check that prevents this optimization for virtualized events (exclude_host). Reported-by: Jan H. Schönherr <jschoenh@amazon.de> Suggested-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Fernand Sieber <sieberf@amazon.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20251211183604.868641-1-sieberf@amazon.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit cdb3f95a94f9f5cad054260de551942942e8a8f7) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 8d76a7d89c12d08382b66e2f21f20d0627d14859 upstream. On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem allocations to be backed by addresses physical memory above the 32-bit address limit, as found while experimenting with larger VMSPLIT configurations. This caused the qemu virt model to crash in the GICv3 driver, which allocates the 'itt' object using GFP_KERNEL. Since all memory below the 4GB physical address limit is in ZONE_DMA in this configuration, kmalloc() defaults to higher addresses for ZONE_NORMAL, and the ITS driver stores the physical address in a 32-bit 'unsigned long' variable. Change the itt_addr variable to the correct phys_addr_t type instead, along with all other variables in this driver that hold a physical address. The gicv5 driver correctly uses u64 variables, while all other irqchip drivers don't call virt_to_phys or similar interfaces. It's expected that other device drivers have similar issues, but fixing this one is sufficient for booting a virtio based guest. Fixes: cc2d321 ("irqchip: GICv3: ITS command queue") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Reviewed-by: Marc Zyngier <maz@kernel.org> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260119201603.2713066-1-arnd@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ca1bb3fedf26a08ed31974131bc0064d4fe33649 upstream. The MAX_FL (maximum frame length) and related calculations used ETH_HLEN, which does not account for the 4-byte VLAN tag in tagged frames. This caused the hardware to reject valid VLAN frames as oversized, resulting in RX errors and dropped packets. Use VLAN_ETH_HLEN instead of ETH_HLEN in the MAX_FL register setup, cut-through mode threshold, buffer allocation, and max_mtu calculation. Cc: stable@kernel.org # v6.18+ Fixes: 62b5bb7 ("net: fec: update MAX_FL based on the current MTU") Fixes: d466c16 ("net: fec: enable the Jumbo frame support for i.MX8QM") Fixes: 59e9bf0 ("net: fec: add change_mtu to support dynamic buffer allocation") Fixes: ec2a168 ("net: fec: use a member variable for maximum buffer size") Signed-off-by: Clemens Gruber <mail@clemensgruber.at> Reviewed-by: Wei Fang <wei.fang@nxp.com> Link: https://patch.msgid.link/20260121083751.66997-1-mail@clemensgruber.at Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 326470b33c28ac1f4a4795f4c73eac3ba74b14ea) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit a92a6c50e35b75a8021265507f3c2a9084df0b94 upstream. This is another one of those XGSPON ONU sticks that's using the X-ONU-SFPP internally, thus it also requires the potron quirk to avoid tx faults. So, add an entry for it in sfp_quirks[]. Cc: stable@vger.kernel.org Signed-off-by: Hamza Mahfooz <someguy@effective-light.com> Link: https://patch.msgid.link/20260113232957.609642-1-someguy@effective-light.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 69b5b028fc130c55d810bd964c2f949433256afa) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 3d778e65b4f44c6af4901d83020bb8a0a010f39e upstream. For these two firmware mailbox commands, in txgbe_test_hostif() and txgbe_set_phy_link_hostif(), there is no need to read data from the buffer. Under the current setting, OEM firmware will cause the driver to fail to probe. Because OEM firmware returns more link information, with a larger OEM structure txgbe_hic_ephy_getlink. However, the current driver does not support the OEM function. So just fix it in the way that does not involve reading the returned data. Fixes: d84a3ff ("net: txgbe: Restrict the use of mismatched FW versions") Cc: stable@vger.kernel.org Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com> Link: https://patch.msgid.link/2914AB0BC6158DDA+20260119065935.6015-1-jiawenwu@trustnetic.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit aac95b3dd1c26c01f0f07e33394e70e2db1d2809) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 0ce73a0eb5a27070957b67fd74059b6da89cc516 upstream.
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In ems_usb_open(), the URBs for USB-in transfers are allocated, added to
the dev->rx_submitted anchor and submitted. In the complete callback
ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
ems_usb_close() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in ems_usb_close().
Fix the memory leak by anchoring the URB in the
ems_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Fixes: 702171a ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-1-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 68c62b3e53901846b5f68c5a8bade72a5d9c0b87)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 5a4391bdc6c8357242f62f22069c865b792406b3 upstream.
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In esd_usb_open(), the URBs for USB-in transfers are allocated, added to
the dev->rx_submitted anchor and submitted. In the complete callback
esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
esd_usb_close() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in esd_usb_close().
Fix the memory leak by anchoring the URB in the
esd_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Fixes: 96d8e90 ("can: Add driver for esd CAN-USB/2 device")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-2-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit a9503ae43256e80db5cba9d449b238607164c51d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 248e8e1a125fa875158df521b30f2cc7e27eeeaa upstream.
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the
URBs for USB-in transfers are allocated, added to the dev->rx_submitted
anchor and submitted. In the complete callback
kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In
kvaser_usb_remove_interfaces() the URBs are freed by calling
usb_kill_anchored_urbs(&dev->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor.
Fixes: 080f40a ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-3-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3b1a593eab941c3f32417896cc7df564191f2482)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 710a7529fb13c5a470258ff5508ed3c498d54729 upstream.
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback mcba_usb_read_bulk_callback(), the URBs are processed and
resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor.
Fixes: 51f3baa ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-4-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d374d715e338dfc3804aaa006fa6e470ffebb264)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit f7a980b3b8f80fe367f679da376cf76e800f9480 upstream.
Fix similar memory leak as in commit 7352e1d5932a ("can: gs_usb:
gs_usb_receive_bulk_callback(): fix URB memory leak").
In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are
allocated, added to the priv->rx_submitted anchor and submitted. In the
complete callback usb_8dev_read_bulk_callback(), the URBs are processed and
resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by
calling usb_kill_anchored_urbs(&priv->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in usb_kill_anchored_urbs().
Fix the memory leak by anchoring the URB in the
usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor.
Fixes: 0024d8a ("can: usb_8dev: Add support for USB2CAN interface from 8 devices")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260116-can_usb-fix-memory-leak-v2-5-4b8cb2915571@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 07e9373739c6388af9d99797cdb2e79dbbcbe92b)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 10343253328e0dbdb465bff709a2619a08fe01ad upstream. Remove emit_frame_cntl function for gfx v12, which is not support. Signed-off-by: Likun Gao <Likun.Gao@amd.com> Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 5aaa5058dec5bfdcb24c42fe17ad91565a3037ca) Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ce2cca8e27d1680f26aee857c351096600e3b94a) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 1a0f69e3c28477b97d3609569b7e8feb4b6162e8 upstream. Fix several issues in dw_dp_bind() error handling: 1. Missing return after drm_bridge_attach() failure - the function continued execution instead of returning an error. 2. Resource leak: drm_dp_aux_register() is not a devm function, so drm_dp_aux_unregister() must be called on all error paths after aux registration succeeds. This affects errors from: - drm_bridge_attach() - phy_init() - devm_add_action_or_reset() - platform_get_irq() - devm_request_threaded_irq() 3. Bug fix: platform_get_irq() returns the IRQ number or a negative error code, but the error path was returning ERR_PTR(ret) instead of ERR_PTR(dp->irq). Use a goto label for cleanup to ensure consistent error handling. Fixes: 86eecc3 ("drm/bridge: synopsys: Add DW DPTX Controller support library") Cc: stable@vger.kernel.org Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com> Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com> Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Link: https://patch.msgid.link/20260102155553.13243-1-osama.abdelkader@gmail.com Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 569ed6a73e927a34cae4ae6de1464c0737a5ec44) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit ca9e5115e870b9a531deb02752055a8a587904e3 upstream. Page accounting can change via the shrinker without calling xe_ttm_tt_unpopulate(), which normally updates page count tracepoints through update_global_total_pages. Add a call to update_global_total_pages when the shrinker successfully shrinks a BO. v2: - Don't adjust global accounting when pinning (Stuart) Cc: stable@vger.kernel.org Fixes: ce3d39f ("drm/xe/bo: add GPU memory trace points") Signed-off-by: Matthew Brost <matthew.brost@intel.com> Reviewed-by: Stuart Summers <stuart.summers@intel.com> Link: https://patch.msgid.link/20260107205732.2267541-1-matthew.brost@intel.com (cherry picked from commit cc54eabdfbf0c5b6638edc50002cfafac1f1e18b) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 85d4652f9cdcf334a096262ac743a197f84450dd) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 6f287b1c8d0e255e94e54116ebbe126515f5c911 upstream. Workqueue xe-ggtt-wq has been allocated using WQ_MEM_RECLAIM, but the flag has been passed as 3rd parameter (max_active) instead of 2nd (flags) creating the workqueue as per-cpu with max_active = 8 (the WQ_MEM_RECLAIM value). So change this by set WQ_MEM_RECLAIM as the 2nd parameter with a default max_active. Fixes: 60df57e ("drm/xe: Mark GGTT work queue with WQ_MEM_RECLAIM") Cc: stable@vger.kernel.org Signed-off-by: Marco Crivellari <marco.crivellari@suse.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Signed-off-by: Matthew Brost <matthew.brost@intel.com> Link: https://patch.msgid.link/20260108180148.423062-1-marco.crivellari@suse.com (cherry picked from commit aa39abc08e77d66ebb0c8c9ec4cc8d38ded34dc9) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit e7200b0a4b2a51c970b687f78f237f11cc7467a0) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit faff6846474e99295a139997f93ef6db222b5cee upstream. -ENOMEM is a more appropriate return code for memory allocation failures. Correct it. Cc: stable@vger.kernel.org Fixes: 20bddcb ("gpiolib: cdev: replace locking wrappers for gpio_device with guards") Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org> Link: https://lore.kernel.org/r/20260116081036.352286-6-tzungbi@kernel.org Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 919f27eb24b0e82ea232379bec40a5a52e3483d9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 70b3c280533167749a8f740acaa8ef720f78f984 upstream. On error handling paths, lineinfo_changed_notify() doesn't free the allocated resources which results leaks. Fix it. Cc: stable@vger.kernel.org Fixes: d4cd090 ("gpio: cdev: make sure the cdev fd is still active before emitting events") Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org> Link: https://lore.kernel.org/r/20260120030857.2144847-1-tzungbi@kernel.org Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 16414341b0dd58b650b5df45c79115bc5977bb76) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 8a8c942cad4cd12f739a8bb60cac77fd173c4e07 upstream. On error handling paths, gpiolib_cdev_register() doesn't free the allocated resources which results leaks. Fix it. Cc: stable@vger.kernel.org Fixes: 7b9b77a ("gpiolib: add a per-gpio_device line state notification workqueue") Fixes: d83cee3 ("gpio: protect the pointer to gpio_chip in gpio_device with SRCU") Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org> Link: https://lore.kernel.org/r/20260120092650.2305319-1-tzungbi@kernel.org Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit ab140fc93108360cfb53ff04592be05547aa5c0f) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
commit 1fb0d830dab89d0dc99bb84a7087b0ceca63d2d8 upstream. During S4 (hibernate), the Bluetooth device loses power. Upon resume, the driver performs the following actions: 1. Unregisters hdev 2. Calls function level reset 3. Registers hdev Test case: - run command sudo rtcwake -m disk -s 60 Signed-off-by: Ravindra <ravindra@intel.com> Signed-off-by: Kiran K <kiran.k@intel.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Cc: Mariappan Ramasamy <mail@nappairam.dev> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 908795c02dbc7f3acc33b05b46c73e219fbbc2f8) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit b6c46600bfb28b4be4e9cff7bad4f2cf357e0fb7 ] Below are some typos in the code comments: intevals ==> intervals addesses ==> addresses unavaliable ==> unavailable facor ==> factor droping ==> dropping exlusive ==> exclusive decription ==> description confict ==> conflict desriptions ==> descriptions otherwize ==> otherwise vlaue ==> value cheching ==> checking exisitng ==> existing modifed ==> modified differenciate ==> differentiate refernece ==> reference permissons ==> permissions indepdenent ==> independent spliting ==> splitting Just fix it. Link: https://lkml.kernel.org/r/20250929002608.1633825-1-jianyungao89@gmail.com Signed-off-by: jianyun.gao <jianyungao89@gmail.com> Reviewed-by: SeongJae Park <sj@kernel.org> Reviewed-by: Wei Yang <richard.weiyang@gmail.com> Reviewed-by: Dev Jain <dev.jain@arm.com> Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com> Acked-by: Chris Li <chrisl@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Stable-dep-of: 3937027caecb ("mm/hugetlb: fix two comments related to huge_pmd_unshare()") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 918ba220debc4705e0b2ee3518c15c268c39b84d) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 3937027caecb4f8251e82dd857ba1d749bb5a428 ] Ever since we stopped using the page count to detect shared PMD page tables, these comments are outdated. The only reason we have to flush the TLB early is because once we drop the i_mmap_rwsem, the previously shared page table could get freed (to then get reallocated and used for other purpose). So we really have to flush the TLB before that could happen. So let's simplify the comments a bit. The "If we unshared PMDs, the TLB flush was not recorded in mmu_gather." part introduced as in commit a4a118f ("hugetlbfs: flush TLBs correctly after huge_pmd_unshare") was confusing: sure it is recorded in the mmu_gather, otherwise tlb_flush_mmu_tlbonly() wouldn't do anything. So let's drop that comment while at it as well. We'll centralize these comments in a single helper as we rework the code next. Link: https://lkml.kernel.org/r/20251223214037.580860-3-david@kernel.org Fixes: 59d9094 ("mm: hugetlb: independent PMD page table shared count") Signed-off-by: David Hildenbrand (Red Hat) <david@kernel.org> Reviewed-by: Rik van Riel <riel@surriel.com> Tested-by: Laurence Oberman <loberman@redhat.com> Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Acked-by: Oscar Salvador <osalvador@suse.de> Reviewed-by: Harry Yoo <harry.yoo@oracle.com> Cc: Liu Shixin <liushixin2@huawei.com> Cc: Lance Yang <lance.yang@linux.dev> Cc: "Uschakow, Stanislav" <suschako@amazon.de> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit c5dbad55ce02a84a778ce33a47f6c6e6372ba8a2) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit c76ba4b2644424b8dbacee80bb40991eac29d39e ]
Replace lockdep_set_class() + mutex_init() by combined call
mutex_init_with_key().
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 9910159f0659 ("iio: core: add separate lockdep class for info_exist_lock")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2dabc85131c8405c55c027ad8bac47e15258b158)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 9910159f06590c17df4fbddedaabb4c0201cc4cb ]
When one iio device is a consumer of another, it is possible that
the ->info_exist_lock of both ends up being taken when reading the
value of the consumer device.
Since they currently belong to the same lockdep class (being
initialized in a single location with mutex_init()), that results in a
lockdep warning
CPU0
----
lock(&iio_dev_opaque->info_exist_lock);
lock(&iio_dev_opaque->info_exist_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
4 locks held by sensors/414:
#0: c31fd6dc (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0x44/0x4e4
#1: c4f5a1c4 (&of->mutex){+.+.}-{3:3}, at: kernfs_seq_start+0x1c/0xac
#2: c2827548 (kn->active#34){.+.+}-{0:0}, at: kernfs_seq_start+0x30/0xac
#3: c1dd2b6 (&iio_dev_opaque->info_exist_lock){+.+.}-{3:3}, at: iio_read_channel_processed_scale+0x24/0xd8
stack backtrace:
CPU: 0 UID: 0 PID: 414 Comm: sensors Not tainted 6.17.11 deepin-community#5 NONE
Hardware name: Generic AM33XX (Flattened Device Tree)
Call trace:
unwind_backtrace from show_stack+0x10/0x14
show_stack from dump_stack_lvl+0x44/0x60
dump_stack_lvl from print_deadlock_bug+0x2b8/0x334
print_deadlock_bug from __lock_acquire+0x13a4/0x2ab0
__lock_acquire from lock_acquire+0xd0/0x2c0
lock_acquire from __mutex_lock+0xa0/0xe8c
__mutex_lock from mutex_lock_nested+0x1c/0x24
mutex_lock_nested from iio_read_channel_raw+0x20/0x6c
iio_read_channel_raw from rescale_read_raw+0x128/0x1c4
rescale_read_raw from iio_channel_read+0xe4/0xf4
iio_channel_read from iio_read_channel_processed_scale+0x6c/0xd8
iio_read_channel_processed_scale from iio_hwmon_read_val+0x68/0xbc
iio_hwmon_read_val from dev_attr_show+0x18/0x48
dev_attr_show from sysfs_kf_seq_show+0x80/0x110
sysfs_kf_seq_show from seq_read_iter+0xdc/0x4e4
seq_read_iter from vfs_read+0x238/0x2e4
vfs_read from ksys_read+0x6c/0xec
ksys_read from ret_fast_syscall+0x0/0x1c
Just as the mlock_key already has its own lockdep class, add a
lock_class_key for the info_exist mutex.
Note that this has in theory been a problem since before IIO first
left staging, but it only occurs when a chain of consumers is in use
and that is not often done.
Fixes: ac917a8 ("staging:iio:core set the iio_dev.info pointer to null on unregister under lock.")
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Reviewed-by: Peter Rosin <peda@axentia.se>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 25be3c170ff8e18472047694f7c006bbd497ff4c)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 8bb3754909cde5df4f8c1012bde220b97d8ee3bc ] The current UFS clocks does not align with their respective names, causing the ref_clk to be set to an incorrect frequency as below, which results in command timeouts. ufshcd-qcom 1d84000.ufshc: invalid ref_clk setting = 300000000 This commit fixes the issue by properly reordering the UFS clocks to match their names. Fixes: ea172f6 ("arm64: dts: qcom: qcs615: Fix up UFS clocks") Cc: stable@vger.kernel.org Signed-off-by: Pradeep P V K <pradeep.pragallapati@oss.qualcomm.com> Link: https://lore.kernel.org/r/20251126131146.16146-1-pradeep.pragallapati@oss.qualcomm.com Signed-off-by: Bjorn Andersson <andersson@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 79966baabcfe9aea00f2f16f8750aa659ea4b62b) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit cd4a3ced4d1cdb14ffe905657b98a91e9d239dfb ] A glitch in the edge detection circuit can cause a spurious interrupt. The hardware manual recommends clearing the status flag after setting the ICU_TSSRk register as a countermeasure. Currently, a spurious interrupt is generated on the resume path of s2idle for the PMIC RTC TINT interrupt due to a glitch related to unnecessary enabling/disabling of the TINT enable bit. Fix this issue by not setting TSSR(TINT Source) and TITSR(TINT Detection Method Selection) registers if the values are the same as those set in these registers. Fixes: 0d7605e ("irqchip: Add RZ/V2H(P) Interrupt Control Unit (ICU) driver") Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260113125315.359967-2-biju.das.jz@bp.renesas.com [tm: Added field_get() to avoid build error] Signed-off-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 9966c8cc987e307ecd439266db8b4fd4feaad482) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ upstream commit 61f67c230a5e7c741c352349ea80147fbe65bfae ] Patch series "mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge", v2. Commit 879bca0 ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios. However, it is handling merges incorrectly when it comes to mremap() of a faulted VMA adjacent to an unfaulted VMA. The issues arise in three cases: 1. Previous VMA unfaulted: copied -----| v |-----------|.............| | unfaulted |(faulted VMA)| |-----------|.............| prev 2. Next VMA unfaulted: copied -----| v |.............|-----------| |(faulted VMA)| unfaulted | |.............|-----------| next 3. Both adjacent VMAs unfaulted: copied -----| v |-----------|.............|-----------| | unfaulted |(faulted VMA)| unfaulted | |-----------|.............|-----------| prev next This series fixes each of these cases, and introduces self tests to assert that the issues are corrected. I also test a further case which was already handled, to assert that my changes continues to correctly handle it: 4. prev unfaulted, next faulted: copied -----| v |-----------|.............|-----------| | unfaulted |(faulted VMA)| faulted | |-----------|.............|-----------| prev next This bug was discovered via a syzbot report, linked to in the first patch in the series, I confirmed that this series fixes the bug. I also discovered that we are failing to check that the faulted VMA was not forked when merging a copied VMA in cases 1-3 above, an issue this series also addresses. I also added self tests to assert that this is resolved (and confirmed that the tests failed prior to this). I also cleaned up vma_expand() as part of this work, renamed vma_had_uncowed_parents() to vma_is_fork_child() as the previous name was unduly confusing, and simplified the comments around this function. This patch (of 4): Commit 879bca0 ("mm/vma: fix incorrectly disallowed anonymous VMA merges") introduced the ability to merge previously unavailable VMA merge scenarios. The key piece of logic introduced was the ability to merge a faulted VMA immediately next to an unfaulted VMA, which relies upon dup_anon_vma() to correctly handle anon_vma state. In the case of the merge of an existing VMA (that is changing properties of a VMA and then merging if those properties are shared by adjacent VMAs), dup_anon_vma() is invoked correctly. However in the case of the merge of a new VMA, a corner case peculiar to mremap() was missed. The issue is that vma_expand() only performs dup_anon_vma() if the target (the VMA that will ultimately become the merged VMA): is not the next VMA, i.e. the one that appears after the range in which the new VMA is to be established. A key insight here is that in all other cases other than mremap(), a new VMA merge either expands an existing VMA, meaning that the target VMA will be that VMA, or would have anon_vma be NULL. Specifically: * __mmap_region() - no anon_vma in place, initial mapping. * do_brk_flags() - expanding an existing VMA. * vma_merge_extend() - expanding an existing VMA. * relocate_vma_down() - no anon_vma in place, initial mapping. In addition, we are in the unique situation of needing to duplicate anon_vma state from a VMA that is neither the previous or next VMA being merged with. dup_anon_vma() deals exclusively with the target=unfaulted, src=faulted case. This leaves four possibilities, in each case where the copied VMA is faulted: 1. Previous VMA unfaulted: copied -----| v |-----------|.............| | unfaulted |(faulted VMA)| |-----------|.............| prev target = prev, expand prev to cover. 2. Next VMA unfaulted: copied -----| v |.............|-----------| |(faulted VMA)| unfaulted | |.............|-----------| next target = next, expand next to cover. 3. Both adjacent VMAs unfaulted: copied -----| v |-----------|.............|-----------| | unfaulted |(faulted VMA)| unfaulted | |-----------|.............|-----------| prev next target = prev, expand prev to cover. 4. prev unfaulted, next faulted: copied -----| v |-----------|.............|-----------| | unfaulted |(faulted VMA)| faulted | |-----------|.............|-----------| prev next target = prev, expand prev to cover. Essentially equivalent to 3, but with additional requirement that next's anon_vma is the same as the copied VMA's. This is covered by the existing logic. To account for this very explicitly, we introduce vma_merge_copied_range(), which sets a newly introduced vmg->copied_from field, then invokes vma_merge_new_range() which handles the rest of the logic. We then update the key vma_expand() function to clean up the logic and make what's going on clearer, making the 'remove next' case less special, before invoking dup_anon_vma() unconditionally should we be copying from a VMA. Note that in case 3, the if (remove_next) ... branch will be a no-op, as next=src in this instance and src is unfaulted. In case 4, it won't be, but since in this instance next=src and it is faulted, this will have required tgt=faulted, src=faulted to be compatible, meaning that next->anon_vma == vmg->copied_from->anon_vma, and thus a single dup_anon_vma() of next suffices to copy anon_vma state for the copied-from VMA also. If we are copying from a VMA in a successful merge we must _always_ propagate anon_vma state. This issue can be observed most directly by invoked mremap() to move around a VMA and cause this kind of merge with the MREMAP_DONTUNMAP flag specified. This will result in unlink_anon_vmas() being called after failing to duplicate anon_vma state to the target VMA, which results in the anon_vma itself being freed with folios still possessing dangling pointers to the anon_vma and thus a use-after-free bug. This bug was discovered via a syzbot report, which this patch resolves. We further make a change to update the mergeable anon_vma check to assert the copied-from anon_vma did not have CoW parents, as otherwise dup_anon_vma() might incorrectly propagate CoW ancestors from the next VMA in case 4 despite the anon_vma's being identical for both VMAs. Link: https://lkml.kernel.org/r/cover.1767638272.git.lorenzo.stoakes@oracle.com Link: https://lkml.kernel.org/r/b7930ad2b1503a657e29fe928eb33061d7eadf5b.1767638272.git.lorenzo.stoakes@oracle.com Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Fixes: 879bca0 ("mm/vma: fix incorrectly disallowed anonymous VMA merges") Reported-by: syzbot+b165fc2e11771c66d8ba@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/694a2745.050a0220.19928e.0017.GAE@google.com/ Reported-by: syzbot+5272541ccbbb14e2ec30@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/694e3dc6.050a0220.35954c.0066.GAE@google.com/ Reviewed-by: Harry Yoo <harry.yoo@oracle.com> Reviewed-by: Jeongjun Park <aha310510@gmail.com> Acked-by: Vlastimil Babka <vbabka@suse.cz> Cc: David Hildenbrand (Red Hat) <david@kernel.org> Cc: Jann Horn <jannh@google.com> Cc: Yeoreum Yun <yeoreum.yun@arm.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Liam R. Howlett <Liam.Howlett@oracle.com> Cc: Pedro Falcato <pfalcato@suse.de> Cc: Rik van Riel <riel@surriel.com> Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton <akpm@linux-foundation.org> [ updated to account for lack of sticky VMA flags + built, tested confirmed working ] Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit a4d9dbfc1bab16e25fefd34b5e537a46bed8fc96) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 3b617fd3d317bf9dd7e2c233e56eafef05734c9d ] The is_mergeable_anon_vma() function uses vmg->middle as the source VMA. However when merging a new VMA, this field is NULL. In all cases except mremap(), the new VMA will either be newly established and thus lack an anon_vma, or will be an expansion of an existing VMA thus we do not care about whether VMA is CoW'd or not. In the case of an mremap(), we can end up in a situation where we can accidentally allow an unfaulted/faulted merge with a VMA that has been forked, violating the general rule that we do not permit this for reasons of anon_vma lock scalability. Now we have the ability to be aware of the fact we are copying a VMA and also know which VMA that is, we can explicitly check for this, so do so. This is pertinent since commit 879bca0 ("mm/vma: fix incorrectly disallowed anonymous VMA merges"), as this patch permits unfaulted/faulted merges that were previously disallowed running afoul of this issue. While we are here, vma_had_uncowed_parents() is a confusing name, so make it simple and rename it to vma_is_fork_child(). Link: https://lkml.kernel.org/r/6e2b9b3024ae1220961c8b81d74296d4720eaf2b.1767638272.git.lorenzo.stoakes@oracle.com Fixes: 879bca0 ("mm/vma: fix incorrectly disallowed anonymous VMA merges") Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Reviewed-by: Harry Yoo <harry.yoo@oracle.com> Reviewed-by: Jeongjun Park <aha310510@gmail.com> Acked-by: Vlastimil Babka <vbabka@suse.cz> Cc: David Hildenbrand (Red Hat) <david@kernel.org> Cc: Jann Horn <jannh@google.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Pedro Falcato <pfalcato@suse.de> Cc: Rik van Riel <riel@surriel.com> Cc: Yeoreum Yun <yeoreum.yun@arm.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> [ with upstream commit 61f67c230a5e backported, this simply applied correctly. Built + tested ] Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 5b0caf3913e725c76a6e99f749f1957a64934f77) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Link: https://lore.kernel.org/r/20260128145344.331957407@linuxfoundation.org Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Salvatore Bonaccorso <carnil@debian.org> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com> Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com> Tested-by: Peter Schneider <pschneider1968@googlemail.com> Tested-by: Slade Watkins <sr@sladewatkins.com> Tested-by: Jon Hunter <jonathanh@nvidia.com> Tested-by: Ron Economos <re@w6rz.net> Tested-by: Mark Brown <broonie@kernel.org> Tested-by: Brett Mastbergen <bmastbergen@ciq.com> Tested-by: Hardik Garg <hargar@linux.microsoft.com> Tested-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit d905362ff5b86f6b619953ada8e0af84158db2e9) Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
opsiff
force-pushed
the
linux-6.18-update-6.18.8
branch
from
b422485 to
cd4bcec
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Update kernel base to 6.18.8.
git log --oneline v6.18.7..v6.18.8 |wc
228 1993 16219
Abdun Nihaal (1):
scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()
Alex Deucher (1):
drm/amdgpu: fix type for wptr in ring backup
Alex Ramírez (2):
drm/nouveau: add missing DCB connector types
drm/nouveau: implement missing DCB connector types; gracefully handle
unknown connectors
Alexander Egorenkov (1):
s390/boot/vmlinux.lds.S: Ensure bzImage ends with SecureBoot trailer
Alexander Usyskin (1):
mei: trace: treat reg parameter as string
Alexandre Courbot (2):
rust: io: always inline functions using build_assert with arguments
rust: irq: always inline functions using build_assert with arguments
Alexey Charkov (2):
arm64: dts: rockchip: Fix headphones widget name on NanoPi M5
arm64: dts: rockchip: Configure MCLK for analog sound on NanoPi M5
Alok Tiwari (1):
octeontx2: cn10k: fix RX flowid TCAM mask handling
Andrew Cooper (1):
x86/kfence: avoid writing L1TF-vulnerable PTEs
Andrey Vatoropin (1):
be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list
Andy Shevchenko (1):
iio: core: Replace lockdep_set_class() + mutex_init() by combined call
Arkadiusz Kozdra (1):
kconfig: fix static linking of nconf
Arnd Bergmann (1):
irqchip/gic-v3-its: Avoid truncating memory addresses
Arun Raghavan (1):
ALSA: usb: Increase volume range that triggers a warning
Baochen Qiang (2):
wifi: ath12k: don't force radio frequency check in freq_to_idx()
wifi: ath12k: fix dead lock while flushing management frames
Berk Cem Goksel (1):
ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()
Biju Das (1):
irqchip/renesas-rzv2h: Prevent TINT spurious interrupt during resume
Brajesh Gupta (1):
drm/imagination: Wait for FW trace update command completion
Cedric Xing (1):
x86: make page fault handling disable interrupts properly
Chaitanya Kulkarni (1):
iommu/io-pgtable-arm: fix size_t signedness bug in unmap path
Chaoyi Chen (1):
arm64: dts: rockchip: Fix wrong register range of rk3576 gpu
Chen-Yu Tsai (1):
drm/mediatek: dpi: Find next bridge during probe
Cheng-Yu Lee (1):
regmap: Fix race condition in hwspinlock irqsave routine
Chenghai Huang (2):
uacce: fix isolate sysfs check condition
uacce: ensure safe queue release with state management
Chwee-Lin Choong (2):
igc: fix race condition in TX timestamp read for register 0
igc: Reduce TSN TX packet buffer from 7KB to 5KB per queue
Clemens Gruber (1):
net: fec: account for VLAN header in frame length calculations
Cody Haas (1):
ice: Fix persistent failure in ice_get_rxfh
Dan Carpenter (1):
wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()
Daniel Golle (2):
net: phy: intel-xway: fix OF node refcount leakage
net: pcs: pcs-mtk-lynxi: report in-band capability for 2500Base-X
Dave Ertman (1):
ice: Avoid detrimental cleanup for bond during interface stop
Dave Jiang (1):
ntb: transport: Fix uninitialized mutex
David Hildenbrand (Red Hat) (3):
mm/hugetlb: fix hugetlb_pmd_shared()
mm/rmap: fix two comments related to huge_pmd_unshare()
mm/hugetlb: fix two comments related to huge_pmd_unshare()
David Howells (2):
rxrpc: Fix recvmsg() unconditional requeue
rxrpc: Fix data-race warning and potential load/store tearing
David Jeffery (1):
scsi: core: Wake up the error handler when final completions race
against each other
David Yang (5):
veth: fix data race in veth_get_ethtool_stats
net: hns3: fix data race in hns3_fetch_stats
idpf: Fix data race in idpf_net_dim
be2net: fix data race in be_get_new_eqd
net: openvswitch: fix data race in ovs_vport_get_upcall_stats
Ding Hui (1):
ice: Fix incorrect timeout ice_release_res()
Dmitry Skorodumov (1):
ipvlan: Make the addrs_lock be per port
Eric Dumazet (6):
bonding: limit BOND_MODE_8023AD to Ethernet devices
l2tp: avoid one data-race in l2tp_tunnel_del_work()
mISDN: annotate data-race around dev->work
ipv6: annotate data-race in ndisc_router_discovery()
bonding: provide a net pointer to __skb_flow_dissect()
net/sched: act_ife: avoid possible NULL deref
Ethan Nelson-Moore (1):
net: usb: dm9601: remove broken SR9700 support
Faisal Bukhari (1):
perf parse-events: Fix evsel allocation failure
Fan Gong (1):
hinic3: Fix netif_queue_set_napi queue_index input parameter error
Felix Gu (1):
spi: spi-sprd-adi: Fix double free in probe error path
Fernand Sieber (1):
perf/x86/intel: Do not enable BTS for guests
Fiona Klute (1):
iio: chemical: scd4x: fix reported channel endianness
Francesco Lavra (2):
iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event
detection
iio: accel: adxl380: fix handling of unavailable "INT1" interrupt
Frank Zhang (1):
pmdomain:rockchip: Fix init genpd as GENPD_STATE_ON before regulator
ready
Gal Pressman (1):
panic: only warn about deprecated panic_print on write access
Georgi Djakov (1):
interconnect: debugfs: initialize src_node and dst_node to empty
strings
Geraldo Nascimento (2):
arm64: dts: rockchip: remove redundant max-link-speed from nanopi-r4s
arm64: dts: rockchip: remove dangerous max-link-speed from helios64
Greg Kroah-Hartman (1):
Linux 6.18.8
Hamza Mahfooz (1):
net: sfp: add potron quirk to the H-COM SPP425H-GAB4 SFP+ Stick
Hans de Goede (1):
leds: led-class: Only Add LED to leds_list when it is fully ready
Haotian Zhang (1):
iio: adc: ad7606: Fix incorrect type for error return variable
Haoxiang Li (1):
w1: fix redundant counter decrement in w1_attach_slave_device()
Harald Freudenberger (1):
s390/ap: Fix wrong APQN fill calculation
Hari Prasath Gujulan Elango (1):
ARM: dts: microchip: sama7d65: fix the ranges property for flx9
Hariprasad Kelam (2):
Octeontx2-pf: Update xdp features
Octeontx2-af: Add proper checks for fwdata
Ian Abbott (2):
comedi: dmm32at: serialize use of paged registers
comedi: Fix getting range information for subdevices 16 to 255
Ivan Vecera (1):
dpll: Prevent duplicate registrations
Jacob Keller (1):
ice: initialize ring_stats->syncp
Jamal Hadi Salim (2):
net/sched: Enforce that teql can only be used as root qdisc
net/sched: qfq: Use cl_is_active to determine whether class is active
in qfq_rm_from_ag
Jani Nikula (2):
drm/xe/xe_late_bind_fw: fix enum xe_late_bind_fw_id kernel-doc
drm/xe/vm: fix xe_vm_validation_exec() kernel-doc
Jens Axboe (1):
io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop
Jeongjun Park (1):
netrom: fix double-free in nr_route_frame()
Jiasheng Jiang (1):
scsi: qla2xxx: Sanitize payload size to prevent member overflow
Jiawen Wu (1):
net: txgbe: remove the redundant data return in SW-FW mailbox
Jijie Shao (2):
net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M
net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue
Joanne Koong (1):
fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes()
Johan Hovold (4):
iio: adc: exynos_adc: fix OF populate on driver rebind
slimbus: core: fix runtime PM imbalance on report present
slimbus: core: fix device reference leak on report present
intel_th: fix device leak on output open()
Justin Chen (1):
net: bcmasp: Fix network filter wake for asp-3.0
Konrad Dybcio (3):
arm64: dts: qcom: sc8280xp: Add missing VDD_MXC links
dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO
pmdomain: qcom: rpmhpd: Add MXC to SC8280XP
Krishna Kurapati (2):
arm64: dts: qcom: sm8550: Fix compile warnings in USB controller node
arm64: dts: qcom: sm8650: Fix compile warnings in USB controller node
Krzysztof Kozlowski (1):
serial: Fix not set tty->port race condition
Kuniyuki Iwashima (4):
l2tp: Fix memleak in l2tp_udp_encap_recv().
gue: Fix skb memleak with inner IP protocol 0.
tools: ynl: Specify --no-line-number in ynl-regen.sh.
fou: Don't allow 0 for FOU_ATTR_IPPROTO.
Kurt Kanzenbach (1):
igc: Restore default Qbv schedule when changing channels
Kübrich, Andreas (1):
iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl
Lachlan Hodges (1):
wifi: mac80211: don't perform DA check on S1G beacon
Laurent Vivier (1):
usbnet: limit max_mtu based on device's hard_mtu
Likun Gao (1):
drm/amdgpu: remove frame cntl for gfx v12
Long Li (1):
scsi: storvsc: Process unsupported MODE_SENSE_10
Lorenzo Stoakes (2):
mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge
mm/vma: enforce VMA fork limit on unfaulted,faulted mremap merge too
Lukasz Laguna (1):
drm/xe: Update wedged.mode only after successful reset policy change
Lyude Paul (1):
drm/nouveau/disp: Set drm_mode_config_funcs.atomic_(check|commit)
Manish Dharanenthiran (1):
wifi: ath12k: cancel scan only on active scan vdev
Marc Kleine-Budde (6):
can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on
usb_submit_urb() error
can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak
can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
Marco Crivellari (1):
drm/xe: fix WQ_MEM_RECLAIM passed as max_active to alloc_workqueue()
Marek Vasut (1):
wifi: rsi: Fix memory corruption due to not set vif driver data size
Mario Limonciello (3):
platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute
names
platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro
platform/x86: hp-bioscfg: Fix automatic module loading
Mark Harmstone (1):
btrfs: fix missing fields in superblock backup with BLOCK_GROUP_TREE
Mark Rutland (3):
arm64/fpsimd: ptrace: Fix SVE writes on !SME systems
arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA
arm64/fpsimd: signal: Fix restoration of SVE context
Markus Koeniger (1):
iio: accel: iis328dq: fix gain values
Marnix Rijnart (1):
serial: 8250_pci: Fix broken RS485 for F81504/508/512
Matt Roper (1):
drm/xe/pm: Add scope-based cleanup helper for runtime PM
Matthew Auld (2):
drm/xe/uapi: disallow bind queue sharing
drm/xe/migrate: fix job lock assert
Matthew Brost (2):
drm/xe: Disable timestamp WA on VFs
drm/xe: Adjust page count tracepoints in shrinker
Matthew Schwartz (1):
mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function
Matthew Wilcox (Oracle) (1):
migrate: correct lock ordering for hugetlb file folios
Maxime Chevallier (1):
net: freescale: ucc_geth: Return early when TBI PHY can't be found
Melbin K Mathew (2):
vsock/virtio: fix potential underflow in virtio_transport_get_credit()
vsock/virtio: cap TX credit to local buffer size
Miaoqian Lin (1):
iio: dac: ad3552r-hs: fix out-of-bound write in
ad3552r_hs_write_data_source
Michael Kelley (1):
Drivers: hv: Always do Hyper-V panic notification in hv_kmsg_dump()
Michal Luczaj (2):
vsock/virtio: Coalesce only linear skb
vsock/test: Do not filter kallsyms by symbol type
Mina Almasry (1):
idpf: read lower clock bits inside the time sandwich
Ming Lei (3):
selftests/ublk: fix IO thread idle check
selftests/ublk: fix error handling for starting device
selftests/ublk: fix garbage output in foreground mode
Ming Qian (1):
pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu
Naohiko Shimizu (2):
riscv: clocksource: Fix stimecmp update hazard on RV32
riscv: suspend: Fix stimecmp update hazard on RV32
Nicolas Ferre (1):
ARM: dts: microchip: sama7d65: fix size-cells property for i2c3
Niklas Cassel (6):
ata: ahci: Do not read the per port area for unimplemented ports
ata: libata: Call ata_dev_config_lpm() for ATAPI devices
ata: libata-sata: Improve link_power_management_supported sysfs
attribute
ata: libata: Add cpr_log to ata_dev_print_features() early return
ata: libata: Add DIPM and HIPM to ata_dev_print_features() early
return
ata: libata: Print features also for ATAPI devices
Oleksandr Shamray (1):
platform/mellanox: Fix SN5640/SN5610 LED platform data
Ondrej Jirman (1):
arm64: dts: rockchip: Fix voltage threshold for volume keys for
Pinephone Pro
Osama Abdelkader (1):
drm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind
Paul Greenwalt (2):
ice: add missing ice_deinit_hw() in devlink reinit path
ice: fix devlink reload call trace
Pavel Zhigulin (1):
iio: adc: ad7280a: handle spi_setup() errors in probe()
Pei Xiao (1):
iio: adc: at91-sama5d2_adc: Fix potential use-after-free in
sama5d2_adc driver
Pradeep P V K (1):
arm64: dts: qcom: talos: Correct UFS clocks ordering
Quentin Schulz (1):
arm64: dts: rockchip: fix unit-address for RK3588 NPU's core1 and
core2's IOMMU
Raju Rangoju (1):
amd-xgbe: avoid misleading per-packet error log
Rasmus Villemoes (1):
iio: core: add separate lockdep class for info_exist_lock
Ratheesh Kannoth (1):
octeontx2-af: Fix error handling
Ravindra (1):
Bluetooth: btintel_pcie: Support for S4 (Hibernate)
Ricardo B. Marlière (1):
selftests: net: fib-onlink-tests: Convert to use namespaces by default
Richard Genoud (1):
pwm: max7360: Populate missing .sizeof_wfhw in max7360_pwm_ops
Rob Herring (Arm) (1):
of: platform: Use default match table for /firmware
Samasth Norway Ananda (1):
ALSA: scarlett2: Fix buffer overflow in config retrieval
Seamus Connor (1):
ublk: fix ublksrv pid handling for pid namespaces
Shawn Lin (1):
mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400
mode
Srish Srinivasan (1):
keys/trusted_keys: fix handle passed to tpm_buf_append_name during
unseal
Stefano Garzarella (1):
vsock/test: fix seqpacket message bounds test
Steven Rostedt (1):
tracing: Fix crash on synthetic stacktrace field usage
Swaraj Gaikwad (1):
slab: fix kmalloc_nolock() context check for PREEMPT_RT
Taehee Yoo (1):
selftests: net: amt: wait longer for connection before sending packets
Taeyang Lee (1):
crypto: authencesn - reject too-short AAD (assoclen<8) to match
ESP/ESN spec
Takashi Iwai (1):
ALSA: ctxfi: Fix potential OOB access in audio mixer handling
Thadeu Lima de Souza Cascardo (1):
Revert "nfc/nci: Add the inconsistency check between the input data
length and count"
Thomas Fourier (4):
wifi: ath10k: fix dma_free_coherent() pointer
wifi: ath12k: fix dma_free_coherent() pointer
ksmbd: smbd: fix dma_unmap_sg() nents
octeontx2: Fix otx2_dma_map_page() error return code
Thomas Gleixner (1):
clocksource: Reduce watchdog readout delay limit to prevent false
positives
Thomas Hellström (1):
drm, drm/xe: Fix xe userptr in the absence of CONFIG_DEVICE_PRIVATE
Thomas Weißschuh (1):
timekeeping: Adjust the leap state for the correct auxiliary
timekeeper
Thorsten Blum (2):
w1: therm: Fix off-by-one buffer overflow in alarms_store
iio: adc: pac1934: Fix clamped value in pac1934_reg_snapshot
Timur Kristóf (3):
drm/amd/pm: Fix si_dpm mmCG_THERMAL_INT setting
drm/amd/pm: Don't clear SI SMC table when setting power limit
drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2)
Tomas Melin (1):
iio: adc: ad9467: fix ad9434 vref mask
Tzung-Bi Shih (3):
gpio: cdev: Correct return code on memory allocation failure
gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify()
gpio: cdev: Fix resource leaks on errors in gpiolib_cdev_register()
Uwe Kleine-König (1):
pwm: Ensure ioctl() returns a negative errno on error
Vasant Hegde (1):
iommu/amd: Fix error path in amd_iommu_probe_device()
Vincent Guittot (1):
sched/fair: Fix pelt clock sync when entering idle
Vladimir Oltean (1):
net: dsa: fix off-by-one in maximum bridge ID determination
Weigang He (1):
of: fix reference count leak in of_alias_scan()
Wenkai Lin (1):
uacce: fix cdev handling in the cleanup path
Will Rosenberg (1):
perf: Fix refcount warning on event->mmap_count increment
Xin Long (1):
sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT
Yang Shen (1):
uacce: implement mremap in uacce_vm_ops to return -EPERM
Yingying Tang (2):
wifi: ath12k: Fix scan state stuck in ABORTING after
cancel_remain_on_channel
wifi: ath12k: Fix wrong P2P device link id issue
Yixun Lan (1):
i2c: spacemit: drop IRQF_ONESHOT flag from IRQ request
Yosry Ahmed (1):
mm: restore per-memcg proactive reclaim with !CONFIG_NUMA
Yun Lu (1):
netdevsim: fix a race issue related to the operation on
bpf_bound_progs list
Zhang Heng (1):
ALSA: hda/realtek: Add quirk for Samsung 730QED to fix headphone
Zhaoyang Huang (1):
arm64: Set __nocfi on swsusp_arch_resume()
Zilin Guan (1):
platform/x86/amd: Fix memory leak in wbrf_record()
feng (1):
Input: i8042 - add quirk for ASUS Zenbook UX425QA_UM425QA
gongqi (1):
Input: i8042 - add quirks for MECHREVO Wujie 15X Pro
jianyun.gao (1):
mm: fix some typos in mm module
Documentation/netlink/specs/fou.yaml | 2 +
Makefile | 2 +-
arch/arm/boot/dts/microchip/sama7d65.dtsi | 4 +-
arch/arm64/boot/dts/qcom/sc8280xp.dtsi | 16 ++-
arch/arm64/boot/dts/qcom/sm6150.dtsi | 4 +-
arch/arm64/boot/dts/qcom/sm8550.dtsi | 2 -
arch/arm64/boot/dts/qcom/sm8650.dtsi | 3 -
.../dts/rockchip/rk3399-kobol-helios64.dts | 1 -
.../boot/dts/rockchip/rk3399-nanopi-r4s.dtsi | 1 -
.../dts/rockchip/rk3399-pinephone-pro.dts | 4 +-
.../boot/dts/rockchip/rk3576-nanopi-m5.dts | 12 ++-
arch/arm64/boot/dts/rockchip/rk3576.dtsi | 2 +-
arch/arm64/boot/dts/rockchip/rk3588-base.dtsi | 4 +-
arch/arm64/kernel/hibernate.c | 2 +-
arch/arm64/kernel/ptrace.c | 26 +++--
arch/arm64/kernel/signal.c | 26 +++--
arch/riscv/kernel/suspend.c | 3 +-
arch/s390/boot/vmlinux.lds.S | 17 +--
arch/x86/events/perf_event.h | 13 ++-
arch/x86/include/asm/kfence.h | 29 ++++-
arch/x86/mm/fault.c | 15 +--
crypto/authencesn.c | 6 ++
drivers/ata/ahci.c | 10 +-
drivers/ata/libata-core.c | 8 +-
drivers/ata/libata-sata.c | 2 +-
drivers/base/regmap/regmap.c | 4 +-
drivers/block/ublk_drv.c | 39 ++++++-
drivers/bluetooth/btintel_pcie.c | 41 +++++++
drivers/bluetooth/btintel_pcie.h | 2 +
drivers/clocksource/timer-riscv.c | 3 +-
drivers/comedi/comedi_fops.c | 2 +-
drivers/comedi/drivers/dmm32at.c | 32 +++++-
drivers/comedi/range.c | 2 +-
drivers/dpll/dpll_core.c | 12 +--
drivers/gpio/gpiolib-cdev.c | 12 ++-
drivers/gpu/drm/Kconfig | 2 +-
drivers/gpu/drm/Makefile | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_fence.c | 2 +-
drivers/gpu/drm/amd/amdgpu/gfx_v12_0.c | 12 ---
drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 31 +++---
drivers/gpu/drm/bridge/synopsys/dw-dp.c | 20 ++--
drivers/gpu/drm/imagination/pvr_fw_trace.c | 8 +-
drivers/gpu/drm/mediatek/mtk_dpi.c | 23 ++--
.../nouveau/include/nvkm/subdev/bios/conn.h | 95 ++++++++++++----
drivers/gpu/drm/nouveau/nouveau_display.c | 2 +
.../gpu/drm/nouveau/nvkm/engine/disp/uconn.c | 73 +++++++++----
drivers/gpu/drm/xe/Kconfig | 2 +-
drivers/gpu/drm/xe/xe_bo.c | 9 +-
drivers/gpu/drm/xe/xe_debugfs.c | 72 ++++++++++---
drivers/gpu/drm/xe/xe_device_types.h | 18 ++++
drivers/gpu/drm/xe/xe_exec_queue.c | 32 +++++-
drivers/gpu/drm/xe/xe_exec_queue.h | 1 +
drivers/gpu/drm/xe/xe_exec_queue_types.h | 6 ++
drivers/gpu/drm/xe/xe_ggtt.c | 2 +-
drivers/gpu/drm/xe/xe_guc_ads.c | 14 +--
drivers/gpu/drm/xe/xe_guc_ads.h | 5 +-
drivers/gpu/drm/xe/xe_late_bind_fw_types.h | 4 +-
drivers/gpu/drm/xe/xe_lrc.c | 3 +
drivers/gpu/drm/xe/xe_migrate.c | 4 +-
drivers/gpu/drm/xe/xe_pm.c | 21 ++++
drivers/gpu/drm/xe/xe_pm.h | 17 +++
drivers/gpu/drm/xe/xe_sriov_vf_ccs.c | 2 +-
drivers/gpu/drm/xe/xe_vm.c | 7 +-
drivers/gpu/drm/xe/xe_vm.h | 2 +-
drivers/hv/hv_common.c | 12 ++-
drivers/hwtracing/intel_th/core.c | 19 +++-
drivers/i2c/busses/i2c-k1.c | 2 +-
drivers/iio/accel/adxl380.c | 6 +-
drivers/iio/accel/st_accel_core.c | 72 ++++++++++++-
drivers/iio/adc/ad7280a.c | 4 +-
drivers/iio/adc/ad7606_par.c | 3 +-
drivers/iio/adc/ad9467.c | 2 +-
drivers/iio/adc/at91-sama5d2_adc.c | 1 +
drivers/iio/adc/exynos_adc.c | 15 +--
drivers/iio/adc/pac1934.c | 6 +-
drivers/iio/chemical/scd4x.c | 6 +-
drivers/iio/dac/ad3552r-hs.c | 5 +-
drivers/iio/dac/ad5686.c | 6 ++
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 15 ++-
drivers/iio/industrialio-core.c | 7 +-
drivers/input/serio/i8042-acpipnpio.h | 18 ++++
drivers/interconnect/debugfs-client.c | 5 +
drivers/iommu/amd/iommu.c | 3 +-
drivers/iommu/io-pgtable-arm.c | 2 +-
drivers/irqchip/irq-gic-v3-its.c | 8 +-
drivers/irqchip/irq-renesas-rzv2h.c | 11 +-
drivers/isdn/mISDN/timerdev.c | 13 ++-
drivers/leds/led-class.c | 10 +-
drivers/misc/mei/mei-trace.h | 18 ++--
drivers/misc/uacce/uacce.c | 48 +++++++--
drivers/mmc/host/rtsx_pci_sdmmc.c | 41 +++++++
drivers/mmc/host/sdhci-of-dwcmshc.c | 7 ++
drivers/net/bonding/bond_main.c | 11 +-
drivers/net/can/usb/ems_usb.c | 8 +-
drivers/net/can/usb/esd_usb.c | 9 +-
drivers/net/can/usb/gs_usb.c | 7 ++
.../net/can/usb/kvaser_usb/kvaser_usb_core.c | 9 +-
drivers/net/can/usb/mcba_usb.c | 8 +-
drivers/net/can/usb/usb_8dev.c | 8 +-
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +-
drivers/net/ethernet/broadcom/asp2/bcmasp.c | 5 +-
drivers/net/ethernet/broadcom/asp2/bcmasp.h | 1 +
drivers/net/ethernet/emulex/benet/be_cmds.c | 3 +-
drivers/net/ethernet/emulex/benet/be_main.c | 8 +-
drivers/net/ethernet/freescale/fec_main.c | 13 +--
drivers/net/ethernet/freescale/ucc_geth.c | 4 +-
.../net/ethernet/hisilicon/hns3/hns3_enet.c | 69 ++++++------
.../hisilicon/hns3/hns3pf/hclge_cmd.h | 2 +-
.../hisilicon/hns3/hns3pf/hclge_main.c | 2 +-
.../net/ethernet/huawei/hinic3/hinic3_irq.c | 22 ++--
.../net/ethernet/intel/ice/devlink/devlink.c | 1 +
drivers/net/ethernet/intel/ice/ice.h | 1 +
drivers/net/ethernet/intel/ice/ice_common.c | 2 +-
drivers/net/ethernet/intel/ice/ice_ethtool.c | 6 +-
drivers/net/ethernet/intel/ice/ice_lib.c | 29 +++--
drivers/net/ethernet/intel/ice/ice_main.c | 31 +++++-
drivers/net/ethernet/intel/idpf/idpf_ptp.c | 2 +-
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 16 ++-
drivers/net/ethernet/intel/igc/igc_defines.h | 5 +-
drivers/net/ethernet/intel/igc/igc_ethtool.c | 4 +-
drivers/net/ethernet/intel/igc/igc_main.c | 5 +
drivers/net/ethernet/intel/igc/igc_ptp.c | 43 ++++----
.../net/ethernet/marvell/octeontx2/af/rvu.c | 86 +++++++++++----
.../ethernet/marvell/octeontx2/af/rvu_cgx.c | 3 +
.../ethernet/marvell/octeontx2/af/rvu_sdp.c | 2 +-
.../marvell/octeontx2/nic/cn10k_macsec.c | 2 +-
.../marvell/octeontx2/nic/otx2_common.h | 7 +-
.../ethernet/marvell/octeontx2/nic/otx2_pf.c | 4 +-
.../net/ethernet/wangxun/txgbe/txgbe_aml.c | 4 +-
drivers/net/ipvlan/ipvlan.h | 2 +-
drivers/net/ipvlan/ipvlan_core.c | 16 ++-
drivers/net/ipvlan/ipvlan_main.c | 49 +++++----
drivers/net/netdevsim/bpf.c | 6 ++
drivers/net/netdevsim/dev.c | 2 +
drivers/net/netdevsim/netdevsim.h | 1 +
drivers/net/pcs/pcs-mtk-lynxi.c | 4 +-
drivers/net/phy/intel-xway.c | 7 +-
drivers/net/phy/sfp.c | 2 +
drivers/net/usb/dm9601.c | 4 -
drivers/net/usb/usbnet.c | 9 +-
drivers/net/veth.c | 8 +-
drivers/net/wireless/ath/ath10k/ce.c | 16 +--
drivers/net/wireless/ath/ath12k/ce.c | 12 +--
drivers/net/wireless/ath/ath12k/mac.c | 16 +--
drivers/net/wireless/ath/ath12k/wmi.c | 9 +-
.../wireless/marvell/mwifiex/11n_rxreorder.c | 6 +-
drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 +
drivers/nfc/virtual_ncidev.c | 4 -
drivers/ntb/ntb_transport.c | 1 +
drivers/of/base.c | 8 +-
drivers/of/platform.c | 2 +-
drivers/platform/mellanox/mlx-platform.c | 2 +-
drivers/platform/x86/amd/wbrf.c | 4 +-
drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 8 ++
drivers/platform/x86/hp/hp-bioscfg/bioscfg.h | 12 ++-
drivers/pmdomain/imx/imx8m-blk-ctrl.c | 11 +-
drivers/pmdomain/qcom/rpmhpd.c | 4 +
drivers/pmdomain/rockchip/pm-domains.c | 10 ++
drivers/pwm/core.c | 10 +-
drivers/pwm/pwm-max7360.c | 1 +
drivers/s390/crypto/ap_card.c | 2 +-
drivers/s390/crypto/ap_queue.c | 2 +-
drivers/scsi/qla2xxx/qla_isr.c | 7 ++
drivers/scsi/scsi_error.c | 11 +-
drivers/scsi/scsi_lib.c | 8 ++
drivers/scsi/storvsc_drv.c | 3 +-
drivers/slimbus/core.c | 19 ++--
drivers/spi/spi-sprd-adi.c | 33 ++----
drivers/tty/serial/8250/8250_pci.c | 2 +-
drivers/tty/serial/serial_core.c | 6 ++
drivers/w1/slaves/w1_therm.c | 62 ++++-------
drivers/w1/w1.c | 2 -
drivers/xen/xen-scsiback.c | 1 +
fs/btrfs/disk-io.c | 2 +-
fs/fs-writeback.c | 7 +-
fs/fuse/file.c | 4 +-
fs/smb/server/transport_rdma.c | 15 ++-
include/drm/drm_pagemap.h | 19 +++-
include/dt-bindings/power/qcom,rpmhpd.h | 1 +
include/linux/hugetlb.h | 2 +-
include/linux/iio/iio-opaque.h | 2 +
include/linux/pagemap.h | 11 ++
include/trace/events/rxrpc.h | 4 +
include/uapi/linux/comedi.h | 2 +-
io_uring/io-wq.c | 2 +-
kernel/events/core.c | 9 ++
kernel/panic.c | 4 +-
kernel/sched/fair.c | 6 --
kernel/sched/idle.c | 6 ++
kernel/time/clocksource.c | 2 +-
kernel/time/timekeeping.c | 2 +-
kernel/trace/trace_events_hist.c | 9 ++
kernel/trace/trace_events_synth.c | 8 +-
mm/damon/sysfs.c | 2 +-
mm/gup.c | 2 +-
mm/hugetlb.c | 28 ++---
mm/hugetlb_vmemmap.c | 6 +-
mm/internal.h | 8 --
mm/kmsan/core.c | 2 +-
mm/ksm.c | 2 +-
mm/memory-tiers.c | 2 +-
mm/memory.c | 4 +-
mm/migrate.c | 12 +--
mm/rmap.c | 20 +---
mm/secretmem.c | 2 +-
mm/slab_common.c | 2 +-
mm/slub.c | 10 +-
mm/swapfile.c | 2 +-
mm/userfaultfd.c | 2 +-
mm/vma.c | 102 ++++++++++++------
mm/vma.h | 3 +
mm/vmscan.c | 13 ++-
net/dsa/dsa.c | 2 +-
net/ipv4/fou_core.c | 3 +
net/ipv4/fou_nl.c | 2 +-
net/ipv6/ndisc.c | 4 +-
net/l2tp/l2tp_core.c | 8 +-
net/mac80211/scan.c | 9 +-
net/netrom/nr_route.c | 13 ++-
net/openvswitch/vport.c | 11 +-
net/rxrpc/ar-internal.h | 9 +-
net/rxrpc/conn_event.c | 2 +-
net/rxrpc/output.c | 14 +--
net/rxrpc/peer_event.c | 17 ++-
net/rxrpc/proc.c | 4 +-
net/rxrpc/recvmsg.c | 19 +++-
net/rxrpc/rxgk.c | 2 +-
net/rxrpc/rxkad.c | 2 +-
net/sched/act_ife.c | 6 +-
net/sched/sch_qfq.c | 2 +-
net/sched/sch_teql.c | 5 +
net/sctp/sm_statefuns.c | 10 +-
net/vmw_vsock/virtio_transport_common.c | 36 +++++--
rust/kernel/io.rs | 9 +-
rust/kernel/io/resource.rs | 2 +
rust/kernel/irq/flags.rs | 2 +
scripts/kconfig/nconf-cfg.sh | 11 +-
security/keys/trusted-keys/trusted_tpm2.c | 4 +-
sound/hda/codecs/realtek/alc269.c | 1 +
sound/pci/ctxfi/ctamixer.c | 2 +
sound/usb/mixer.c | 22 +++-
sound/usb/mixer_scarlett2.c | 6 +-
tools/net/ynl/ynl-regen.sh | 2 +-
tools/perf/util/parse-events.c | 7 +-
tools/testing/selftests/net/amt.sh | 7 +-
.../testing/selftests/net/fib-onlink-tests.sh | 71 ++++++------
tools/testing/selftests/ublk/kublk.c | 11 +-
tools/testing/vsock/util.h | 2 +-
tools/testing/vsock/vsock_test.c | 11 ++
249 files changed, 1889 insertions(+), 875 deletions(-)