Merge tag 'v6.18.34' into qcom-6.18.y#646
Open
svankas wants to merge 1519 commits into
Open
Conversation
commit b607463 upstream. VPE1 could possibly hang and fail to power off at the end of commands in collaboration mode. This workaround adds a COLLAB_SYNC after TRAP to force instances synchronized to avoid VPE1 fail to power off. Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org> Signed-off-by: Alan liu <haoping.liu@amd.com> Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/5171 Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit a8b749c5c5afb7e5daa2bfb95d958fb3c6b8f055) Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e02b526 upstream. The it66121_ctx structure has a gpio_reset field, and it66121_hw_reset() calls gpiod_set_value() on it. However, the GPIO descriptor is never acquired via devm_gpiod_get(), leaving gpio_reset as NULL throughout the driver lifetime. gpiod_set_value() silently returns when passed a NULL descriptor, so the hardware reset sequence in it66121_hw_reset() is a no-op. This leaves the chip in an undefined state at probe time, which can prevent it from responding on the I2C bus. The DT binding marks reset-gpios as a required property, so all compliant device trees provide this GPIO. Add the missing devm_gpiod_get() call after enabling power supplies and before the hardware reset, so the chip is properly reset with power applied. Fixes: 988156d ("drm: bridge: add it66121 driver") Cc: stable@vger.kernel.org Signed-off-by: Julien Chauveau <chauveau.julien@gmail.com> Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> Tested-by: Javier Martinez Canillas <javierm@redhat.com> Link: https://patch.msgid.link/20260324193011.16583-1-chauveau.julien@gmail.com Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d45d5c8 upstream. If devm_request_threaded_irq() fails after drm_bridge_add(), remove the bridge before returning. Keep drm_bridge_add() rather than devm_drm_bridge_add(): registration is tied to the STDP4028 device while ge_b850v3_register() may complete from either I2C probe; devm would not unwind the bridge if the other client's probe fails. Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com> Fixes: fcfa0dd ("drm/bridge: Drivers for megachips-stdpxxxx-ge-b850v3-fw (LVDS-DP++)") Cc: stable@vger.kernel.org Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Tested-by: Ian Ray <ian.ray@gehealthcare.com> Link: https://patch.msgid.link/20260430195700.80317-1-osama.abdelkader@gmail.com Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cd86529 upstream. [Why&How] The bounds check in bios_get_image() computes 'offset + size' using unsigned 32-bit arithmetic before comparing against bios_size. If a VBIOS image contains a near-UINT32_MAX offset the addition wraps to a small value, the comparison passes, and the function returns a wild pointer past the VBIOS mapping. Additionally, the comparison uses '<' (strict), which incorrectly rejects the valid exact-fit case where offset + size == bios_size. Fix both issues by restructuring the check to avoid the addition entirely: first reject if offset alone exceeds bios_size, then check size against the remaining space (bios_size - offset). This eliminates the overflow and correctly permits exact-fit accesses. Assisted-by: GitHub Copilot:claude-opus-4.6 Reviewed-by: Alex Hung <alex.hung@amd.com> Signed-off-by: Harry Wentland <harry.wentland@amd.com> Signed-off-by: Ivan Lipski <ivan.lipski@amd.com> Tested-by: Dan Wheeler <daniel.wheeler@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit d40fb392af659c4a02b560319f226842f6ec1a95) Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 86d2b20 upstream. [Why&How] The GPIO pin table parsers in get_gpio_i2c_info() and bios_parser_get_gpio_pin_info() derive an element count from the VBIOS table_header.structuresize field, then iterate over gpio_pin[] entries. However, GET_IMAGE() only validates that the table header itself fits within the BIOS image. If the VBIOS reports a structuresize larger than the actual mapped data, the loop reads past the end of the BIOS image, causing an out-of-bounds read. Fix this by calling bios_get_image() to validate that the full claimed structuresize is accessible within the BIOS image before entering the loop in both functions. Assisted-by: GitHub Copilot:claude-opus-4-6 Reviewed-by: Alex Hung <alex.hung@amd.com> Signed-off-by: Harry Wentland <harry.wentland@amd.com> Signed-off-by: Ivan Lipski <ivan.lipski@amd.com> Tested-by: Dan Wheeler <daniel.wheeler@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit ba5e95b43b773ae1bf1f66ee6b31eb774e65afe3) Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…_dmub_aux_transfer_async commit 6c92f6d upstream. [Why&How] dc_process_dmub_aux_transfer_async() copies payload->length bytes into a 16-byte stack buffer (dpaux.data[16]) guarded only by an ASSERT(), which is a no-op in release builds. If a caller ever passes length > 16 this results in a stack buffer overflow via memcpy. Additionally, link_index is used to dereference dc->links[] without bounds checking against dc->link_count, risking an out-of-bounds access. Replace the ASSERT with a hard runtime check that returns false when payload->length exceeds the destination buffer size, and add a bounds check for link_index before it is used. Assisted-by: GitHub Copilot:Claude claude-4-opus Reviewed-by: Alex Hung <alex.hung@amd.com> Signed-off-by: Harry Wentland <harry.wentland@amd.com> Signed-off-by: Ivan Lipski <ivan.lipski@amd.com> Tested-by: Dan Wheeler <daniel.wheeler@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit ba4caa9fecdf7a38f98c878ad05a8a64148b6881) Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f8ce8b8 upstream. When a batadv_hard_iface is disabled, its mesh_iface pointer is set to NULL. However, batadv_v_ogm_send_meshif() may still dispatch OGMs via batadv_v_ogm_queue_on_if() for interfaces that have since lost their mesh_iface association. This results in a NULL pointer dereference when batadv_v_ogm_queue_on_if() unconditionally calls netdev_priv() on the now NULL hard_iface->mesh_iface to retrieve the batadv_priv. It is necessary to ensure that the batadv_v_ogm_queue_on_if() checks that it is using the same mesh_iface for which batadv_v_ogm_send_meshif() was called. Cc: stable@kernel.org Fixes: 0da0035 ("batman-adv: OGMv2 - add basic infrastructure") Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Reviewed-by: Yuan Tan <yuantan098@gmail.com> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5013685 upstream. batadv_tvlv_container_ogm_append() could fail in two ways: a memory allocation failure when resizing the packet buffer, or the tvlv data exceeding U16_MAX bytes. In both cases the function previously returned the old (now stale) tvlv_value_len rather than signalling an error, causing the OGM/OGM2 send path to transmit a packet whose TVLV length field no longer matched the actual buffer contents. And because it also didn't fill in the new TVLV data, sending either uninitialized or corrupted data on the wire. All errors in batadv_tvlv_container_ogm_append() must be forwarded to the caller. And the caller must abort the send of the OGM2. For B.A.T.M.A.N. IV, it is currently not allowed to abort the send. The non-TVLV part of the OGM must be queued up instead. Cc: stable@kernel.org Fixes: ef26157 ("batman-adv: tvlv - basic infrastructure") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f50487e upstream. batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers. The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory. Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded. Cc: stable@kernel.org Fixes: ef26157 ("batman-adv: tvlv - basic infrastructure") Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Reviewed-by: Yuan Tan <yuantan098@gmail.com> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit aa3153b upstream. When batadv_iv_ogm_schedule_buff() fails to allocate and queue a forward packet for OGM transmission, the work item that drives periodic OGM scheduling is never re-armed. This silently halts transmission of the node's own OGMs on the affected interface — only OGMs from other peers continue to be aggregated and forwarded. Fix this by tracking whether batadv_iv_ogm_queue_add() (and transitively batadv_iv_ogm_aggregate_new()) successfully scheduled a forward packet. When scheduling fails, batadv_iv_ogm_schedule_buff() falls back to queuing a dedicated recovery work item (reschedule_work) that fires after one originator interval and calls batadv_iv_ogm_schedule() again. Cc: stable@kernel.org Fixes: c6c8fea ("net: Add batman-adv meshing protocol") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 20c2d6a upstream. batadv_mcast_purge_orig() removes entries from RCU-protected hlists but does not wait for an RCU grace period before returning. Concurrent RCU readers may still accesses references to those entries at the point of removal. RCU-protected readers trying to operate on entries like orig->mcast_want_all_ipv6_node will then access already freed memory. Fix this by moving batadv_mcast_purge_orig() to batadv_orig_node_release(), just before the call_rcu() invocation. This ensures RCU readers that were active at purge time have drained before the orig_node memory is reclaimed. Cc: stable@kernel.org Fixes: ab49886 ("batman-adv: Add IPv4 link-local/IPv6-ll-all-nodes multicast support") Acked-by: Linus Lüssing <linus.luessing@c0d3.blue> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a340a51 upstream. batadv_gw_node_free() removes the gateway list entries during mesh teardown, but it does not clear the currently selected gateway. This leaves stale gateway state behind across cleanup and can break a later mesh recreation. Clear bat_priv->gw.curr_gw before walking the gateway list so the selected gateway reference is dropped as part of teardown. Fixes: 2265c14 ("batman-adv: gateway election code refactoring") Cc: stable@kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Ruijie Li <ruijieli51@gmail.com> Signed-off-by: Zhanpeng Li <lzhanpeng2025@lzu.edu.cn> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2d8826a upstream. batadv_dat_forward_data() calls pskb_copy_for_clone() to duplicate an skb for each DHT candidate, but does not check the return value before passing it to batadv_send_skb_prepare_unicast_4addr(). That function dereferences the skb unconditionally, so a failed allocation triggers a NULL pointer dereference. Skip forwarding to the current DHT candidate on allocation failure. Cc: stable@kernel.org Fixes: 785ea11 ("batman-adv: Distributed ARP Table - create DHT helper functions") Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Reviewed-by: Yuan Tan <yuantan098@gmail.com> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9cd3f16 upstream. batman-adv keeps a running payload length for queued fragments and uses it to validate a fragment chain before reassembly. That accounting currently allows the accumulated fragment length to be truncated during updates. As a result, malformed fragment chains can bypass the intended validation and drive reassembly with inconsistent length state, leading to a local denial of service. Fix the accounting by storing the accumulated length in a length-typed field and rejecting update overflows before the existing validation logic runs. The fix was verified against the original reproducer and against valid fragment reassembly paths. Fixes: 610bfc6 ("batman-adv: Receive fragmented packets and merge") Cc: stable@kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Ruide Cao <caoruide123@gmail.com> Tested-by: Ren Wei <enjou1224z@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 94f3b13 upstream. batadv_tp_sender_shutdown() unconditionally decrements the "sending" atomic counter. If multiple paths (e.g. timeout, user cancel, and normal finish) call this function, the counter can underflow to -1. Since the sender logic treats any non-zero value as "still sending", a negative value causes the sender kthread to loop indefinitely. This leads to a use-after-free when the interface is removed while the zombie thread is still active. Fix this by using atomic_xchg() to ensure the counter only transitions from 1 to 0 once. Fixes: 33a3bb4 ("batman-adv: throughput meter implementation") Cc: stable@kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Luxiao Xu <rakukuip@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> [sven: added missing change in batadv_tp_send] Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bc62216 upstream. batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a BATADV_UNICAST_FRAG packet is received. Once all fragments are collected and the packet is reassembled, batadv_recv_frag_packet() calls batadv_batman_skb_recv() again to process the defragmented payload. A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting). Each nesting level recurses through batadv_batman_skb_recv() without bound, growing the kernel stack until it is exhausted. Since refragmentation or fragments in fragments are not actually allowed, discard all packets which are still BATADV_UNICAST_FRAG packets after the defragmentation process. Cc: stable@kernel.org Fixes: 610bfc6 ("batman-adv: Receive fragmented packets and merge") Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Reviewed-by: Yuan Tan <yuantan098@gmail.com> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0459430 upstream. batadv_bla_purge_backbone_gw() removes stale backbone gateway entries, but fails to properly handle their associated report_work: - If report_work is running, the purge must wait for it to finish before freeing the backbone_gw, otherwise the worker may access freed memory (e.g. bat_priv). - If report_work is pending, the purge must cancel it and release the reference held for that pending work item. The previous implementation called hlist_for_each_entry_safe() inside a spin_lock_bh() section, but cancel_work_sync() may sleep and therefore cannot be called from within a spinlock-protected region. Restructure the loop to handle one entry per spinlock critical section: acquire the lock, find the next entry to purge, remove it from the hash list, then release the lock before calling cancel_work_sync() and dropping the hash_entry reference. Repeat until no more entries require purging. Cc: stable@kernel.org Fixes: 2372138 ("batman-adv: add basic bridge loop avoidance code") Reviewed-by: Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 83ab69b upstream. The bla.num_requests is increased when no request_sent was in progress. And it is decremented in various places (announcement was received, backbone is purged, periodic work). But the check if the request_sent is actually set to a specific state and the atomic_dec/_inc are not safe because they are not atomic (TOCTOU) and multiple such code portions can run concurrently. At the same time, it is necessary to modify request_sent (state) and bla.num_requests atomically. Otherwise batadv_bla_send_request() might set request_sent to 1 and is interrupted. batadv_handle_announce() can then set request_sent back to 0 and decrement num_requests before batadv_bla_send_request() incremented it. The two operations must therefore be locked. And since state (request_sent) and wait_periods are only accessed inside this lock, they can be converted to simpler datatypes. And to avoid that the bla.num_requests is touched by a parallel running context with a valid backbone_gw reference after batadv_bla_purge_backbone_gw() ran, a third state "stopped" is required to correctly signal that a backbone_gw is in the state of being cleaned up. Cc: stable@kernel.org Fixes: 2372138 ("batman-adv: add basic bridge loop avoidance code") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f80d3d9 upstream. Without rtnl_lock held, a hardif might be retrieved as primary interface of a meshif, but then (while operating on this interface) getting decoupled from the mesh interface. In this case, the meshif still exists but the pointer from the primary hardif to the meshif is set to NULL. The mesh_iface must be checked first to be non-NULL before continuing to send an ARP request using meshif. Cc: stable@kernel.org Fixes: 2372138 ("batman-adv: add basic bridge loop avoidance code") Reported-by: Ido Schimmel <idosch@nvidia.com> Reported-by: syzbot+9fdcc9f05a98a540b816@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9fdcc9f05a98a540b816 Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6c65cf2 upstream. batadv_tp_recv_ack() and batadv_tp_stop() are only valid for tp_vars in the BATADV_TP_SENDER role. When called with a BATADV_TP_RECEIVER role, it proceeds to read sender-only members that were never initialized, leading to undefined behavior. This can be triggered when a node that is currently acting as a receiver in an ongoing tp_meter session receives a malicious ACK packet. Guard against this by checking tp_vars->role immediately after the lookup and bailing out if it is not BATADV_TP_SENDER, before any of those members are accessed. Cc: stable@kernel.org Fixes: 33a3bb4 ("batman-adv: throughput meter implementation") Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Reviewed-by: Yuan Tan <yuantan098@gmail.com> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d548724 upstream. batadv_tp_sender_cleanup() was calling timer_delete_sync() followed by timer_delete() to guard against the timer handler re-arming itself between the two calls. This double-deletion hack relied on the sending status being set to 0 to suppress re-arming. Replace both calls with a single timer_shutdown_sync(). This function both waits for any running timer callback to complete (like timer_delete_sync()) and permanently disarms the timer so it cannot be re-armed afterwards, making re-arming prevention unconditional and self-documenting. The re-arming property is also required because otherwise: 1. context 0 (batadv_tp_recv_ack()) checks in batadv_tp_reset_sender_timer() if sending is still 1 -> it is 2. context 1 changes in batadv_tp_sender_shutdown() sending to 0 and in this process forces the kthread to stop timer in batadv_tp_sender_cleanup() 3. context 0 continues in batadv_tp_reset_sender_timer() and rearms the timer -> but the reference for it is already gone Cc: stable@kernel.org Fixes: 33a3bb4 ("batman-adv: throughput meter implementation") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 77098e4 upstream. The receiver shutdown timer handler, batadv_tp_receiver_shutdown(), is responsible for releasing the tp_vars reference it holds. However, the existing logic for coordinating this release with batadv_tp_stop_all() was flawed. timer_shutdown_sync() guarantees the timer will not fire again after it returns, but it returns non-zero only when the timer was pending at the time of the call. If the timer had already expired (and batadv_tp_stop_all() would unsucessfully try to rearm itself), batadv_tp_stop_all() skips its batadv_tp_vars_put(), and batadv_tp_receiver_shutdown() fails to put its own reference as well. Fix this by introducing a new atomic variable receiving that is set to 1 when the receiver is initialized and cleared atomically with atomic_xchg() by whichever side claims it first. Only the side that observes the transition from 1 to 0 is responsible for releasing the tp_vars timer reference, eliminating the uncertainty. Cc: stable@kernel.org Fixes: 3d3cf6a ("batman-adv: stop tp_meter sessions during mesh teardown") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 71dce47 upstream. batadv_tp_sender_shutdown() previously used two separate variables to track session state: sending (an atomic flag indicating whether the session was active) and reason (a plain enum storing the stop reason). This introduced a race window between the two writes: after sending was cleared to 0, batadv_tp_send() could observe the stopped state and call batadv_tp_sender_end() before reason was written, causing the wrong stop reason to be reported to the caller. Fix this by consolidating both variables into a single atomic send_result, which holds 0 while the session is running and the stop reason once it ends. Cc: stable@kernel.org Fixes: 33a3bb4 ("batman-adv: throughput meter implementation") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ff24f2e upstream. Session lookups in tp_list matched only on destination address (and optionally session ID), leaving role validation to the caller. If two sessions with the same other_end coexisted (one as sender, one as receiver) a lookup could silently return the wrong one, causing the caller's role to bail out early, potentially skipping necessary cleanup. Move the role check into the lookup functions themselves so the correct entry is always returned, or none at all. Since batadv_tp_start() legitimately needs to detect any active session to a destination regardless of role, introduce a dedicated helper for that case rather than bending the existing lookup semantics. Cc: stable@kernel.org Fixes: 33a3bb4 ("batman-adv: throughput meter implementation") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 94d2700 upstream. The local TT based TVLV is generated by first checking the number of VLANs which have at least one TT entry. A new buffer with the correct size for the VLANs is then allocated. Only then, the list of VLANs s used to fill the VLAN entries in the buffer. During this time, the meshif_vlan_list_lock is held. But the actual number of TT entries of each VLAN can still increase during this time - just not the number of VLANs in the list. But the prefilter used in the buffer size calculation might still cause an increase of the number of VLANs which need to be stored. Simply because a VLAN might now suddenly have at least one entry when it had none in the pre-alloc check - and then needs to occupy space which was not allocated. It is better to overestimate the buffer size at the beginning and then fill the buffer only with the VLANs which are not empty. Cc: stable@kernel.org Fixes: 16116da ("batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1e9fab7 upstream. The commit 3a359bf ("batman-adv: reject oversized global TT response buffers") added a check to ensure that a global return buffer size can be stored in an u16. The same buffer handling also exists for the local data buffer but was not touched. A similar check should be also be in place for the local TVLV buffer. It doesn't have the similar attack surface because it is only generated from locally discovered MAC addresses but the dynamic nature could still cause temporarily to large buffers. Cc: stable@kernel.org Fixes: 7ea7b4a ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fa1bd70 upstream. The commit 16116da ("batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs") added checks to the local (direct) TT response code. But the response can also be done indirectly by another node using the global TT state. To avoid such inconsistency states reported in the original fix, also avoid sending empty VLANs for replies from the global TT state. Cc: stable@kernel.org Fixes: 7ea7b4a ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fc92cdf upstream. batadv_piv_tt::last_changeset_len len was declared as s16, but the field is never intended to hold a negative value. When a value greater than 32767 is assigned, it wraps to a negative signed integer. In batadv_send_my_tt_response(), last_changeset_len is temporarily widened to s32. The incorrectly negative s16 value propagates into the s32, causing batadv_tt_prepare_tvlv_local_data() to allocate a full sized buffer but populates only a small portion of it with the collected changeset. All remaining bits are kept uninitialized. Using an u16 avoids this type confusion and ensures that no (negative) sign extension is performed in batadv_send_my_tt_response(). Cc: stable@kernel.org Fixes: a73105b ("batman-adv: improved client announcement mechanism") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b64963a upstream. batadv_orig_node::tt_buff_len was declared as s16, but the field is never intended to hold a negative value. When a value greater than 32767 is assigned, it wraps to a negative signed integer. In batadv_send_other_tt_response(), tt_buff_len is temporarily widened to s32. The incorrectly negative s16 value propagates into the s32, causing batadv_tt_prepare_tvlv_global_data() to allocate a full sized buffer but populates only a small portion of it with the collected changeset. All remaining bits are kept uninitialized. Using an u16 avoids this type confusion and ensures that no (negative) sign extension is performed in batadv_send_other_tt_response(). Cc: stable@kernel.org Fixes: a73105b ("batman-adv: improved client announcement mechanism") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 99d9958 upstream. The helpers to prepare the buffers for the local and global TT based replies are trying to sum up all TT entries which can be found for each VLAN. In theory, this sum can be too big for an u16 and therefore overflow. A too small buffer would then be allocated for the TVLV. The too small buffer will be handled gracefully by batadv_tt_tvlv_generate() and is not causing a buffer overflow - just a truncated reply. But this overflow shouldn't have happened in the first and the too small buffer should never have been allocated when an overflow was detected. Cc: stable@kernel.org Fixes: 7ea7b4a ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 4d25342 ] In xe_oa_stream_open_ioctl(), when param.exec_q->width > 1 the function returns -EOPNOTSUPP directly, skipping the existing err_exec_q cleanup path. The exec_queue reference obtained by xe_exec_queue_lookup() is leaked. The exec queue holds a reference on the xe_file, which is only dropped during queue teardown. The leaked lookup ref is not on the file's exec_queue xarray, so file close cannot release it. This keeps both the exec queue and the file private state pinned indefinitely. Jump to err_exec_q instead of returning directly so the reference is released. Fixes: f0ed398 ("xe/oa: Fix query mode of operation for OAR/OAC") Assisted-by: Claude:claude-opus-4.6 Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Link: https://patch.msgid.link/20260514203210.593488-1-shuicheng.lin@intel.com Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com> (cherry picked from commit 339fa0be9e4a5d69fa47e91f4a36574224fb478f) Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit dfc0770 ] Data adjustment cases failed with "Data exchange failed" when using IPv4 because the program did not update the IP and UDP checksums in the IPv4 branch. The issue was masked when both IPv4 and IPv6 were configured, since the test harness prefers IPv6. While here, generalize csum_fold_helper() to fold twice so it works for any 32-bit input. Fixes: 0b65cfc ("selftests: drv-net: Test tail-adjustment support") Reviewed-by: Carolina Jubran <cjubran@nvidia.com> Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com> Signed-off-by: Nimrod Oren <noren@nvidia.com> Link: https://patch.msgid.link/20260520153928.3371765-1-noren@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 9eddc81 ] When installing the allmulticast NPC rule, rvu_npc_install_allmulti_entry() should skip LBK and SDP VFs (only CGX PF/VF may add the entry). The code combined is_lbk_vf() and is_sdp_vf() with logical AND, which is never true for a single pcifunc, so the intended early return never ran. Use logical OR instead. Cc: Geetha sowjanya <gakula@marvell.com> Fixes: ae70353 ("octeontx2-af: Cleanup loopback device checks") Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com> Link: https://patch.msgid.link/20260520043036.1523798-1-rkannoth@marvell.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b809d04 ] In mana_hwc_rx_event_handler(), rx_req_idx is derived from sge->address in DMA-coherent memory. In Confidential VMs (SEV-SNP/TDX), this memory is shared unencrypted and HW can modify WQE contents at any time. No bounds check exists on rx_req_idx, which can lead to an out-of-bounds access into reqs[]. Add bounds check on rx_req_idx in mana_hwc_rx_event_handler() before using it to index the reqs[] array. Fixes: ca9c54d ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com> Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com> Link: https://patch.msgid.link/20260520051553.857120-1-gargaditya@linux.microsoft.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bddc092 ] In the SIOCGIFHWADDR path, tap_ioctl() copies 16 bytes of an uninitialised on-stack struct sockaddr_storage to userspace via ifr_hwaddr, but netif_get_mac_address() only writes sa_family and dev->addr_len (6 for Ethernet) bytes, leaving sa_data[6..13] uninitialised. Those 8 trailing bytes leak kernel stack contents; SIOCGIFHWADDR on a macvtap chardev returns kernel .text and direct-map pointers, defeating KASLR. Initialise ss at declaration. Fixes: 3b23a32 ("net: fix dev_ifsioc_locked() race condition") Reported-by: Xiang Mei <xmei5@asu.edu> Signed-off-by: Weiming Shi <bestswngs@gmail.com> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/20260520075736.3415676-3-bestswngs@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 985d4a5 ] Hw design requires to disable GDM2 forwarding before configuring GDM2 loopback in airoha_set_gdm2_loopback routine. Fixes: 9cd451d ("net: airoha: Add loopback support for GDM2") Tested-by: Madhur Agrawal <madhur.agrawal@airoha.com> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Link: https://patch.msgid.link/20260520-airoha-disable-gdm2-fwd-v1-1-1eeea5dffc2f@kernel.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 3d4432d ] The driver passes fw_version directly to devlink_info_version_stored_put() without ensuring null-termination. While current firmware null-terminates these strings, the driver should not rely on this behavior. Add explicit null-termination to prevent potential issues if firmware behavior changes. Fixes: 45d76f4 ("pds_core: set up device and adminq") Signed-off-by: Nikhil P. Rao <nikhil.rao@amd.com> Link: https://patch.msgid.link/20260520205842.1486718-1-nikhil.rao@amd.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 4db79a3 ] skb_gro_receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL_MANAGED_FRAG_REFS flag. When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF. When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs. Fixes: 753f1ca ("net: introduce managed frags infrastructure") Reported-by: Huzaifa Sidhpurwala <huzaifas@redhat.com> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Willem de Bruijn <willemb@google.com> Link: https://patch.msgid.link/c3b7f906bbfcbdfd7b4fa9d6c18a438870df85be.1779307748.git.sd@queasysnail.net Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit e97ff8b ] This fixes an inconsistency where io_nop() called req_set_fail() based on ret, but passed just nop->result to userspace. Originally, ret is a even copy of nop->result, but is set to an error when such happens subsequently. Now that's also passed to userspace. Fixes: a85f310 ("io_uring/nop: add support for testing registered files and buffers") Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Link: https://patch.msgid.link/20260520180045.538533-1-grandmaster@al2klimov.de Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 3515503 ] After a durable reconnect succeeds, ksmbd_reopen_durable_fd() republishes the same ksmbd_file into the session volatile-id table. If smb2_open() then takes a later error path, cleanup first calls ksmbd_fd_put(work, fp) and then unconditionally calls ksmbd_put_durable_fd(dh_info.fp). In this case fp and dh_info.fp are the same object. The first put drops the reconnect lookup reference, but the final durable put can run __ksmbd_close_fd(NULL, fp). Because the final close is not session-aware, it can free the file object without removing the volatile-id entry that was just published into the session table. Use the session-aware put for the final reconnect drop when the reconnect had already succeeded and the error path is cleaning up the republished file. Earlier reconnect failures, before fp is assigned to dh_info.fp, keep using the durable-only put path. Fixes: 1baff47 ("ksmbd: fix use-after-free in smb2_open during durable reconnect") Signed-off-by: Junyi Liu <moss80199@gmail.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 1c856e1 ] KPROBE_HIT_SS and KPROBE_REENTER are two types of fatal recursions that can not be safely recovered in kprobes. KPROBE_HIT_SS means that a kprobe is hit during single-stepping. At this point, the architecture-specific single-step context is already active. Nested single-stepping would corrupt the state, as the kprobe control block (kcb) and hardware registers cannot safely store multiple levels of stepping state. KPROBE_REENTER means that a third-level recursion occurs when a probe is hit while the system is already handling a nested probe (second- level). The kcb only provides a single slot (prev_kprobe) to backup the state. When a third probe is hit, there is no more space to save the state without corrupting the first-level backup. Kprobes work by replacing instructions with breakpoints. In order to execute the original instruction and continue, it must be moved to a temporary "single-step" slot. Since there is no backup space left to set up this slot safely, the CPU would be forced to return to the same original breakpoint address, triggering an endless loop. Currently, the code only prints a warning and returns. This leads to an infinite re-entry loop as the CPU repeatedly hits the same trap and a "stuck" CPU core because preemption was disabled at the start of the handler and never re-enabled in this early return path. Fix the logic by: 1. Merging KPROBE_HIT_SS and KPROBE_REENTER cases, as both represent fatal recursions that cannot be safely recovered. 2. Replacing WARN_ON_ONCE() with BUG() to terminate the system. This aligns LoongArch with other architectures (x86, arm64, riscv) and prevents stack overflow while providing diagnostic information. Fixes: 6d4cc40 ("LoongArch: Add kprobes support") Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 53676e4 ] After commit 3392291 ("drm/msm: Fix shrinker deadlock"), all supported versions of clang warn (or error with CONFIG_WERROR=y): drivers/gpu/drm/msm/msm_gem_shrinker.c:105:58: error: omitting the parameter name in a function definition is a C23 extension [-Werror,-Wc23-extensions] 105 | purge(struct drm_gem_object *obj, struct ww_acquire_ctx *) | ^ drivers/gpu/drm/msm/msm_gem_shrinker.c:117:58: error: omitting the parameter name in a function definition is a C23 extension [-Werror,-Wc23-extensions] 117 | evict(struct drm_gem_object *obj, struct ww_acquire_ctx *) | ^ 2 errors generated. With older but supported versions of GCC, this is an unconditional hard error: drivers/gpu/drm/msm/msm_gem_shrinker.c: In function 'purge': drivers/gpu/drm/msm/msm_gem_shrinker.c:105:35: error: parameter name omitted purge(struct drm_gem_object *obj, struct ww_acquire_ctx *) ^~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/msm/msm_gem_shrinker.c: In function 'evict': drivers/gpu/drm/msm/msm_gem_shrinker.c:117:35: error: parameter name omitted evict(struct drm_gem_object *obj, struct ww_acquire_ctx *) ^~~~~~~~~~~~~~~~~~~~~~~ Restore the parameter name to clear up the warnings, renaming it "unused" to make it clear it is only needed to satisfy the prototype of drm_gem_lru_scan(). Cc: stable@vger.kernel.org Fixes: 3392291 ("drm/msm: Fix shrinker deadlock") Signed-off-by: Nathan Chancellor <nathan@kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 43a1e37 upstream. Nicholas Carlini reports that the keyring code calls assoc_array_find() in find_key_to_update() without holding the RCU read lock, while the assoc_array_gc() code really is designed around removing the node from the tree and then freeing it after an RCU grace-period. The regular key handling doesn't see this because holding the keyring semaphore hides any lifetime issues, but the persistent key handling uses a different model. Instead of extending the keyring locking, just do the simple RCU locking that the assoc_array was designed for. Reported-by: Nicholas Carlini <npc@anthropic.com> Cc: David Howells <dhowells@redhat.com> Cc: Jarkko Sakkinen <jarkko@kernel.org> Cc: Paul Moore <paul@paul-moore.com> Cc: James Morris James Morris <jmorris@namei.org> Cc: Serge E. Hallyn <serge@hallyn.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20260528194638.371537336@linuxfoundation.org Tested-by: Ron Economos <re@w6rz.net> Tested-by: Miguel Ojeda <ojeda@kernel.org> Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Pavel Machek (CIP) <pavel@nabladev.com> Tested-by: Peter Schneider <pschneider1968@googlemail.com> Tested-by: Wentao Guan <guanwentao@uniontech.com> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
Merge Check Failed: No CR Numbers Found Error: No Change Request numbers were found. Please add Change Request numbers to your pull request description in the format CRs-Fixed: 12345 or link GitHub issues that are associated with Change Requests. |
1 similar comment
|
Merge Check Failed: No CR Numbers Found Error: No Change Request numbers were found. Please add Change Request numbers to your pull request description in the format CRs-Fixed: 12345 or link GitHub issues that are associated with Change Requests. |
PR #646 — validate-patchPR: #646
Final Summary
Recommendation: ✅ APPROVE — This is a standard stable kernel release update containing vetted bug fixes and security patches from the upstream stable maintainers.
|
PR #646 — checker-log-analyzerPR: #646
Detailed report: Full report
|
svankas
commented
Jun 4, 2026
| return ret; | ||
| buffer->attr |= BUF_ATTR_PENDING_RELEASE; | ||
| } |
Author
There was a problem hiding this comment.
This fix is from
commit dd24998
Author: Dikshita Agarwal dikshita.agarwal@oss.qualcomm.com
Date: Mon Feb 16 12:37:42 2026 +0530
media: iris: Fix use-after-free in iris_release_internal_buffers()
commit f27cfdcfc916bb59297825805f4c3499f89f9e76 upstream.
svankas
commented
Jun 4, 2026
| dev_err(dev, "sfr alloc and map failed\n"); | ||
| dma_free_attrs(dev, sizeof(*q_tbl_hdr), core->iface_q_table_vaddr, | ||
| dev_err(core->dev, "sfr alloc and map failed\n"); | ||
| dma_free_attrs(core->dev, queue_size, core->iface_q_table_vaddr, |
Author
There was a problem hiding this comment.
This fix is from below commit.
commit 696ac7c
Author: Thomas Fourier fourier.thomas@gmail.com
Date: Fri Feb 13 10:13:27 2026 +0100
media: iris: Fix dma_free_attrs() size in iris_hfi_queues_init()
commit 4a49ae56b0e4268d48fd96babe0cc68596bc301a upstream.
The core->iface_q_table_vaddr buffer is alloc'd with size queue_size
but freed with sizeof(*q_tbl_hdr) which is different.
Change the dma_free_attrs() size.
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Dikshita Agarwal <dikshita.agarwal@oss.qualcomm.com>
Fixes: d7378f84e94e ("media: iris: introduce iris core state management with shared queues")
Cc: stable@vger.kernel.org
Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/media/platform/qcom/iris/iris_hfi_queue.c b/drivers/media/platform/qcom/iris/iris_hfi_queue.c
index b3ed06297953..bf6db23b53e2 100644
--- a/drivers/media/platform/qcom/iris/iris_hfi_queue.c
+++ b/drivers/media/platform/qcom/iris/iris_hfi_queue.c
@@ -263,7 +263,7 @@ int iris_hfi_queues_init(struct iris_core *core)
GFP_KERNEL, DMA_ATTR_WRITE_COMBINE);
if (!core->sfr_vaddr) {
dev_err(core->dev, "sfr alloc and map failed\n");
-
dma_free_attrs(core->dev, sizeof(*q_tbl_hdr), core->iface_q_table_vaddr,
-
dma_free_attrs(core->dev, queue_size, core->iface_q_table_vaddr, core->iface_q_table_daddr, DMA_ATTR_WRITE_COMBINE); return -ENOMEM; }
vgarodia
reviewed
Jun 4, 2026
| @@ -263,8 +263,8 @@ int iris_hfi_queues_init(struct iris_core *core) | |||
| &core->sfr_daddr, | |||
| GFP_KERNEL, DMA_ATTR_WRITE_COMBINE); | |||
| if (!core->sfr_vaddr) { | |||
| dev_err(dev, "sfr alloc and map failed\n"); | |||
| dma_free_attrs(dev, sizeof(*q_tbl_hdr), core->iface_q_table_vaddr, | |||
| dev_err(core->dev, "sfr alloc and map failed\n"); | |||
vgarodia
reviewed
Jun 4, 2026
| dev_err(dev, "sfr alloc and map failed\n"); | ||
| dma_free_attrs(dev, sizeof(*q_tbl_hdr), core->iface_q_table_vaddr, | ||
| dev_err(core->dev, "sfr alloc and map failed\n"); | ||
| dma_free_attrs(core->dev, queue_size, core->iface_q_table_vaddr, |
vgarodia
suggested changes
Jun 4, 2026
* refs/heads/18ad16c
Linux 6.18.34
security/keys: fix missed RCU read section on lookup
drm/msm: Restore second parameter name in purge() and evict()
LoongArch: kprobes: Fix handling of fatal unrecoverable recursions
ksmbd: fix durable reconnect error path file lifetime
io_uring/nop: pass all errors to userspace
net: gro: don't merge zcopy skbs
pds_core: ensure null-termination for firmware version strings
net: airoha: Disable GDM2 forwarding before configuring GDM2 loopback
tap: fix stack info leak in tap_ioctl() SIOCGIFHWADDR
net: mana: validate rx_req_idx to prevent out-of-bounds array access
octeontx2-af: npc: Fix allmulticast skip logic for LBK and SDP VFs
selftests: net: Fix checksums in xdp_native
drm/xe/oa: Fix exec_queue leak on width check in stream open
ASoC: cs35l56: Fix flushing of IRQ work in cs35l56_sdw_remove()
gpio: aggregator: lock device when calling device_is_bound()
gpio: aggregator: remove the software node when deactivating the aggregator
gpio: aggregator: stop using dev-sync-probe
gpio: aggregator: fix a potential use-after-free
gpio: cdev: check if uAPI v2 config attributes are correctly zeroed
tcp: fix stale per-CPU tcp_tw_isn leak enabling ISN prediction
bpf, skmsg: fix verdict sk_data_ready racing with ktls rx
net: ag71xx: check error for platform_get_irq
crypto/krb5, rxrpc: Fix lack of pre-decrypt/pre-verify length checks
net: shaper: rework the VALID marking (again)
net: shaper: annotate the data races
net/mlx5e: Fix eswitch mode block underflow on IPsec acquire SA
Bluetooth: btmtk: fix urb->setup_packet leak in error paths
Bluetooth: btintel_pcie: Fix incorrect MAC access programming
tracing: Avoid NULL return from hist_field_name() on truncation
cgroup: rstat: relax NMI guard after switch to try_cmpxchg
ALSA: seq: Serialize UMP output teardown with event_input
wifi: wilc1000: fix dma_buffer leak on bus acquire failure
wifi: mac80211: fix MLE defragmentation
wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs
erofs: fix managed cache race for unaligned extents
pds_core: fix debugfs_lookup dentry leak and error handling
pds_core: fix error handling in pdsc_devcmd_wait
net: airoha: Fix NPU RX DMA descriptor bits
net: phy: honor eee_disabled_modes in phy_advertise_eee_all()
net: phy: honor eee_disabled_modes in phy_support_eee()
bridge: mcast: Fix a possible use-after-free when removing a bridge port
net: bridge: Flush multicast groups when snooping is disabled
RDMA/rtrs: Fix use-after-free in path file creation cleanup
RDMA/mana_ib: Report max_msg_sz in mana_ib_query_port
ASoC: soc-utils: Add missing va_end in snd_soc_ret()
platform/x86: intel-vbtn: Check ACPI_HANDLE() against NULL
platform/x86: intel-hid: Check ACPI_HANDLE() against NULL
platform/x86: hp_accel: Check ACPI_COMPANION() against NULL
platform/x86: adv_swbutton: Check ACPI_HANDLE() against NULL
platform/surface: aggregator_registry: omit battery & AC nodes on Surface Laptop 7
net: mana: Fix TOCTOU double-fetch of hwc_msg_id from DMA buffer
net: dsa: mt7530: preserve VLAN tags on trapped link-local frames
net: dsa: mt7530: fix FDB entries not aging out with short timeout
kbuild: pacman-pkg: make "rc" releases adhere to pacman versioning scheme
drm/i915/dp: Fix readback for target_rr in Adaptive Sync SDP
igc: set tx buffer type for SMD frames
ice: ptp: use primary NAC semaphore on E825
ice: ptp: serialize E825 PHY timer start with PTP lock
cgroup/rstat: validate cpu before css_rstat_cpu() access
drm/mediatek: mtk_hdmi_ddc: Fix non-static global variable
drm/mediatek: mtk_cec: Fix non-static global variable
wifi: ath11k: fix peer resolution on rx path when peer_id=0
drm/xe/pf: Fix CFI failure in debugfs access
drm/xe/vf: Fix signature of print functions
drm/xe/gsc: Fix double-free of managed BO in error path
dma-mapping: move dma_map_resource() sanity check into debug code
wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it
wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is disabled
hwmon: (lm90) Add lock protection to lm90_alert
hwmon: (lm90) Stop work before releasing hwmon device
drm/msm/snapshot: fix dumping of the unaligned regions
ALSA: hda/realtek: Use ALC287_FIXUP_TXNW2781_I2C for ASUS Strix Gxx5
netfilter: nft_inner: release local_lock before re-enabling softirqs
spi: mtk-snfi: Fix resource leak in mtk_snand_read_page_cache()
ASoC: amd: acp-sdw-legacy: check CPU DAI name before logging
btrfs: fix squota accounting during enable generation
btrfs: check for subvolume before deleting squota qgroup
btrfs: relax squota parent qgroup deletion rule
btrfs: check squota parent usage on membership change
btrfs: remaining BTRFS_PATH_AUTO_FREE conversions
btrfs: don't search back for dir inode item in INO_LOOKUP_USER
btrfs: use the key format macros when printing keys
btrfs: add macros to facilitate printing of keys
vsock/virtio: fix zerocopy completion for multi-skb sends
io_uring/net: punt IORING_OP_BIND async if it needs file create
ALSA: scarlett2: Add missing error check when initialise Autogain Status
ASoC: codecs: fs210x: fix possible buffer overflow
scsi: sd: Fix return code handling in sd_spinup_disk()
net/mlx5: Do not restore destination-less TC rules
tls: Preserve sk_err across recvmsg() when data has been copied
ovpn: disable BHs when updating device stats
x86/xen: Fix xen_e820_swap_entry_with_ram()
gcc-plugins: Always define CONST_CAST_GIMPLE and CONST_CAST_TREE
ovpn: fix race between deleting interface and adding new peer
ovpn: respect peer refcount in CMD_NEW_PEER error path
ovpn: tcp - use cached peer pointer in ovpn_tcp_close()
net: phy: DP83TC811: add reading of abilities
net: tls: prevent chain-after-chain in plain text SG
net: tls: fix off-by-one in sg_chain entry count for wrapped sk_msg ring
net/smc: reject CHID-0 ACCEPT that matches an empty ism_dev slot
powerpc/time: Remove redundant preempt_disable|enable() calls from arch_irq_work_raise()
drm/msm: Fix iommu_map_sgtable() return value check and avoid WARN
drm/msm/adreno: fix userspace-triggered crash on a2xx-a4xx
Documentation: intel_pstate: Fix description of asymmetric packing with SMT
x86/mce: Restore MCA polling interval halving
selftests: ublk: cap nthreads to kernel's actual nr_hw_queues
drm/msm/dpu: don't mix devm and drmm functions
drm/msm/dsi: don't dump registers past the mapped region
ethtool: fix ethnl_bitmap32_not_zero() bit interval semantics
net/smc: avoid NULL deref of conn->lnk in smc_msg_event tracepoint
accel/qaic: Add overflow check to remap_pfn_range during mmap
block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()
HID: quirks: really enable the intended work around for appledisplay
block: recompute nr_integrity_segments in blk_insert_cloned_request
block: don't overwrite bip_vcnt in bio_integrity_copy_user()
net: shaper: reject QUEUE scope handle with missing id
net: shaper: enforce singleton NETDEV scope with id 0
net: shaper: fix undersized reply skb allocation in GROUP command
net: shaper: set ret to -ENOMEM when genlmsg_new() fails in group_doit
net: shaper: reject duplicate leaves in GROUP request
net: shaper: fix trivial ordering issue in net_shaper_commit()
net: shaper: flip the polarity of the valid flag
wifi: ath10k: skip WMI and beacon transmission when device is wedged
wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()
wifi: ath11k: fix error path leaks in some WMI WOW calls
net: ethernet: cs89x0: remove stale CONFIG_MACH_MX31ADS reference
net: ethernet: cortina: Carry over frag counter
net: ethernet: cortina: Drop half-assembled SKB
net: ethernet: cortina: Make RX SKB per-port
netfs, afs: Fix write skipping in dir/link writepages
netfs: Fix netfs_read_folio() to wait on writeback
netfs: Fix folio->private handling in netfs_perform_write()
netfs: Fix partial invalidation of streaming-write folio
netfs: Fix potential UAF in netfs_unlock_abandoned_read_pages()
netfs: Fix leak of request in netfs_write_begin() error handling
netfs: Fix early put of sink folio in netfs_read_gaps()
netfs: Fix write streaming disablement if fd open O_RDWR
netfs: Fix read-gaps to remove netfs_folio from filled folio
netfs: Fix potential deadlock in write-through mode
netfs: Fix streaming write being overwritten
netfs: Defer the emission of trace_netfs_folio()
netfs: Fix netfs_invalidate_folio() to clear dirty bit if all changes gone
netfs: Fix overrun check in netfs_extract_user_iter()
netfs: fix VM_BUG_ON_FOLIO() issue in netfs_write_begin() call
netfs: Fix netfs_read_to_pagecache() to pause on subreq failure
netfs: Fix cancellation of a DIO and single read subrequests
powerpc: fix dead default for GUEST_STATE_BUFFER_TEST
powerpc: 82xx: fix uninitialized pointers with free attribute
ASoC: SOF: amd: Fix error code handling in psp_send_cmd()
tcp: Fix out-of-bounds access for twsk in tcp_ao_established_key().
zonefs: handle integer overflow in zonefs_fname_to_fno
nvme-pci: fix use-after-free in nvme_free_host_mem()
nvme: fix bio leak on mapping failure
irq_work: Fix use-after-free in irq_work_single() on PREEMPT_RT
nsfs: fix wrong error code returned for pidns ioctls
ublk: reject max_sectors smaller than PAGE_SECTORS in parameter validation
irqchip/ath79-cpu: Remove unused function
fs: Fix return in jfs_mkdir and orangefs_mkdir
fs/statmount: fix slab out-of-bounds write in statmount_mnt_idmap
fprobe: Fix unregister_fprobe() to wait for RCU grace period
ASoC: sdw_utils: Add quirk to ignore RT721 CODEC_MIC
ASoC: sdw_utils: Add quirk to ignore RT712 CODEC_MIC
NFSD: Fix infinite loop in layout state revocation
phy: marvell: mvebu-a3700-utmi: fix incorrect USB2_PHY_CTRL register access
net: ti: icssm-prueth: fix eth_ports_node leak in probe
net: lan966x: avoid unregistering netdev on register failure
ice: fix locking in ice_dcb_rebuild()
ice: fix setting RSS VSI hash for E830
idpf: fix read_dev_clk_lock spinlock init in idpf_ptp_init()
net: shaper: Reject reparenting of existing nodes
net: napi: Avoid gro timer misfiring at end of busypoll
tcp: Fix imbalanced icsk_accept_queue count.
test_kprobes: clear kprobes between test runs
kprobes: skip non-symbol addresses in kprobe_add_ksym_blacklist()
netfilter: bridge: eb_tables: close module init race
netfilter: x_tables: close dangling table module init race
netfilter: ebtables: close dangling table module init race
netfilter: ebtables: move to two-stage removal scheme
netfilter: x_tables: add and use xtables_unregister_table_exit
netfilter: x_tables: add and use xt_unregister_table_pre_exit
netfilter: x_tables: unregister the templates first
btrfs: tracepoints: fix sleep while in atomic context in btrfs_sync_file()
ALSA: hda: cs35l41: Put ACPI device on missing physical node
ALSA: hda: cs35l56: Put ACPI device after setting companion
ARM: integrator: Fix early initialization
firmware: arm_ffa: Fix sched-recv callback partition lookup
firmware: arm_ffa: Snapshot notifier callbacks under lock
firmware: arm_ffa: Align RxTx buffer size before mapping
firmware: arm_ffa: Validate framework notification message layout
firmware: arm_ffa: Keep framework RX release under lock
firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies
pinctrl: qcom: Fix wakeirq map by removing disconnected irqs for sm8150
kunit: config: KUNIT_DEBUGFS should depend on DEBUG_FS
kunit: config: Enable KUNIT_DEBUGFS by default
riscv: mm: Fixup no5lvl failure when vaddr is invalid
riscv: errata: Fix bitwise vs logical AND in MIPS errata patching
firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0
firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue
firmware: arm_ffa: Skip free_pages on RX buffer alloc failure
firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
HID: uclogic: Fix regression of input name assignment
HID: intel-thc-hid: Intel-quickspi: Fix some error codes
pinctrl: qcom: Fix GPIO to PDC wake irq map for qcs615
pinctrl: meson: amlogic-a4: fix deadlock issue
pinctrl: renesas: rzg2l: Fix SMT register cache handling
pinctrl: renesas: rzg2l: Fix incorrect PUPD register offset for high pins during suspend/resume
ARM: dts: renesas: rskrza1: Drop superfluous cells
ARM: dts: renesas: genmai: Drop superfluous cells
pinctrl: qcom: ipq4019: mark gpio as a GPIO pin function
hwmon: (pmbus/adm1266) reject short block-read responses in the GPIO accessors
hwmon: (pmbus/adm1266) register the nvmem device after pmbus_do_probe()
hwmon: (pmbus/adm1266) register the gpio_chip after pmbus_do_probe()
hwmon: (pmbus/adm1266) don't clobber GPIO bits before PDIO read in get_multiple
hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR
hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer
hwmon: (pmbus/adm1266) include PEC byte in pmbus_block_xfer read buffer
hwmon: (pmbus/adm1266) reject implausible blackbox record_count
hwmon: (pmbus/adm1266) seed timestamp from the real-time clock
batman-adv: tt: prevent TVLV entry number overflow
batman-adv: tt: fix negative tt_buff_len
batman-adv: tt: fix negative last_changeset_len
batman-adv: tt: avoid empty VLAN responses
batman-adv: tt: reject oversized local TVLV buffers
batman-adv: tt: fix TOCTOU race for reported vlans
batman-adv: tp_meter: avoid role confusion in tp_list
batman-adv: tp_meter: fix race condition in send error reporting
batman-adv: tp_meter: fix tp_vars reference leak in receiver shutdown
batman-adv: tp_meter: directly shut down timer on cleanup
batman-adv: tp_meter: avoid use of uninit sender vars
batman-adv: bla: avoid NULL-ptr deref for claim via dropped interface
batman-adv: bla: avoid double decrement of bla.num_requests
batman-adv: bla: fix report_work leak on backbone_gw purge
batman-adv: frag: disallow unicast fragment in fragment
batman-adv: fix tp_meter counter underflow during shutdown
batman-adv: fix fragment reassembly length accounting
batman-adv: dat: handle forward allocation error
batman-adv: clear current gateway during teardown
batman-adv: mcast: fix use-after-free in orig_node RCU release
batman-adv: iv: recover OGM scheduling after forward packet error
batman-adv: tvlv: reject oversized TVLV packets
batman-adv: tvlv: abort OGM send on tvlv append failure
batman-adv: v: stop OGMv2 on disabled interface
drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async
drm/amd/display: Validate GPIO pin LUT table size before iterating
drm/amd/display: Fix integer overflow in bios_get_image()
drm/bridge: megachips: remove bridge when irq request fails
drm/bridge: it66121: acquire reset GPIO in probe
drm/amdgpu/vpe: Force collaborate sync after TRAP
drm/virtio: use uninterruptible resv lock for plane updates
drm/v3d: Release indirect CSD GEM reference on CPU job free
drm/v3d: Fix use-after-free of CPU job query arrays on error path
drm/msm: Fix shrinker deadlock
device property: set fwnode->secondary to NULL in fwnode_init()
LoongArch: Remove unused code to avoid build warning
LoongArch: kprobes: Use larch_insn_text_copy() to patch instructions
fwctl: pds: Validate RPC input size before parsing
RDMA/siw: Reject MPA FPDU length underflow before signed receive math
spi: ti-qspi: fix use-after-free after DMA setup failure
spi: sprd: fix error pointer deref after DMA setup failure
spi: ep93xx: fix error pointer deref after DMA setup failure
scsi: isci: Fix use-after-free in device removal path
phy: qcom-qmp-ufs: Fix kaanapali PHY PLL lock failure after SM8650 G4 fix
phy: tegra: xusb: Fix per-pad high-speed termination calibration
phy: exynos5-usbdrd: fix USB 2.0 HS PHY tuning values for Exynos7870
spi: qup: fix error pointer deref after DMA setup failure
drm/bridge: chipone-icn6211: use devm_drm_bridge_add in i2c probe
virt: sev-guest: Explicitly leak pages in unknown state
riscv: kvm: return SBI_ERR_FAILURE for pmu_event_info() when OOM
riscv: kvm: return SBI_ERR_FAILURE for pmu_snapshot_set_shmem() when OOM
KVM: SVM: Disable AVIC IPI virtualization on Hygon Family 18h (erratum #1235)
KVM: arm64: vgic: Free private_irqs when init fails after allocation
KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits
arm64: probes: Handle probes on hinted conditional branch instructions
tracing: Do not call map->ops->elt_free() if elt_alloc() fails
cifs: Fix busy dentry used after unmounting
wifi: mac80211: consume only present negotiated TTLM maps
af_unix: Fix UAF read of tail->len in unix_stream_data_wait()
wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
ice: restore PTP Rx timestamp config after ethtool set-channels
ice: fix setting promisc mode while adding VID filter
ice: fix locking around wait_event_interruptible_locked_irq
igc: fix potential skb leak in igc_fpe_xmit_smd_frame()
octeontx2-pf: fix double free in rvu_rep_rsrc_init()
octeontx2-af: CGX: add bounds check to cgx_speed_mbps index
lsm: hold cred_guard_mutex for lsm_set_self_attr()
rbd: eliminate a race in lock_dwork draining on unmap
ixgbevf: fix use-after-free in VEPA multicast source pruning
ipv4: raw: reject IP_HDRINCL packets with ihl < 5
wifi: iwlwifi: mld: stop TX during firmware restart
wifi: iwlwifi: mvm: fix driver-set TX rates on old devices
wifi: ath11k: clear shared SRNG pointer state on restart
ice: fix VF queue configuration with low MTU values
vsock/virtio: reset connection on receiving queue overflow
vsock/vmci: fix UAF when peer resets connection during handshake
mptcp: pm: fix ADD_ADDR timer infinite retry on option space insufficient
ipv6: ioam: add NULL check for idev in ipv6_hop_ioam()
ring-buffer: Flush and stop persistent ring buffer on panic
ring-buffer: Fix reporting of missed events in iterator
qed: fix double free in qed_cxt_tables_alloc()
l2tp: use list_del_rcu in l2tp_session_unhash
fs/ntfs3: handle attr_set_size() errors when truncating files
net: ethtool: phy: avoid NULL deref when PHY driver is unbound
net: ethtool: fix NULL pointer dereference in phy_reply_size
cgroup/cpuset: Reset DL migration state on can_attach() failure
tracing/fprobe: Check the same type fprobe on table as the unregistered one
tracing/fprobe: Avoid kcalloc() in rcu_read_lock section
tracing: fprobe: use ftrace if CONFIG_DYNAMIC_FTRACE_WITH_ARGS
tracing: fprobe: Remove unused local variable
sched_ext: Avoid UAF in scx_root_enable_workfn() init failure path
sched_ext: Fix missing warning in scx_set_task_state() default case
netfilter: nft_inner: Fix IPv6 inner_thoff desync
netfilter: ipset: stop hash:* range iteration at end
netfilter: nf_queue: hold bridge skb->dev while queued
netfilter: ip6t_hbh: reject oversized option lists
net: pse-pd: fix sign on -ENOENT check in of_load_pse_pis()
net: ifb: report ethtool stats over num_tx_queues
net/mlx5e: Fix use-after-free in mlx5e_tx_reporter_timeout_recover
net: phy: skip EEE advertisement write when autoneg is disabled
net: bcmgenet: keep RBUF EEE/PM disabled
phonet/pep: disable BH around forwarded sk_receive_skb()
Bluetooth: serialize accept_q access
Bluetooth: MGMT: validate Add Extended Advertising Data length
Bluetooth: L2CAP: ecred_reconfigure: send packed pdu, not stack pointer
Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths
Bluetooth: bnep: Fix UAF read of dev->name
Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
Bluetooth: fix UAF in l2cap_sock_cleanup_listen() vs l2cap_conn_del()
net: wwan: iosm: fix potential memory leaks in ipc_imem_init()
selftests/mm: run_vmtests.sh: fix destructive tests invocation
mm/page_alloc: fix initialization of tags of the huge zero folio with init_on_free
mm/memory_hotplug: fix memory block reference leak on remove
mm: fix __vm_normal_page() to handle missing support for pmd_special()/pud_special()
mm/memory: fix spurious warning when unmapping device-private/exclusive pages
ipv6: ioam: refresh hdr pointer before ioam6_event()
drivers/base/memory: fix memory block reference leak in poison accounting
io_uring/waitid: clear waitid info before copying it to userspace
spi: amd: Set correct bus number in ACPI probe path
efi: Allocate runtime workqueue before ACPI init
ALSA: scarlett2: Allow flash writes ending at segment boundary
ALSA: asihpi: Fix potential OOB array access at reading cache
ALSA: pcm: Don't setup bogus iov_iter for silencing
ALSA: ua101: Reject too-short USB descriptors
hwmon: (pmbus/adm1266) widen blackbox-info buffer to I2C_SMBUS_BLOCK_MAX
smb/server: promote S_DEL_ON_CLS to S_DEL_PENDING when close
smb: client: use data_len for SMB2 READ encrypted folioq copy
smb: client: protect tc_count increment in smb2_find_smb_sess_tcon_unlocked()
smb: client: require net admin for CIFS SWN netlink
regulator: tps65219: fix irq_data.rdev not being assigned
ksmbd: validate SID in parent security descriptor during ACL inheritance
ksmbd: fix SID memory leak in set_posix_acl_entries_dacl() on overflow
ksmbd: fix null pointer dereference in compare_guid_key()
mm/damon/sysfs-schemes: call missing mem_cgroup_iter_break()
sysfs: don't remove existing directory on update failure
drm/vblank: Fix kernel docs for vblank timer
drm/atomic: Increase timeout in drm_atomic_helper_wait_for_vblanks()
drm/vkms: Convert to DRM's vblank timer
drm/vblank: Add CRTC helpers for simple use cases
drm/vblank: Add vblank timer
Revert "ice: Remove jumbo_remove step from TX path"
Revert "ice: fix double-free of tx_buf skb"
ata: libata-scsi: do not needlessly defer commands when using PMP with FBS
ata: libata-scsi: do not use the deferred QC feature on PMPs with CBS
ata: libata-scsi: do not use the deferred QC feature for ATA_DEFER_PORT
ata: libata-scsi: improve readability of ata_scsi_qc_issue()
mfd: bcm2835-pm: Add support for BCM2712
arm64: dts: broadcom: bcm2712: Add watchdog DT node
dt-bindings: soc: bcm: Add bcm2712 compatible
smb: client: reject userspace cifs.spnego descriptions
ksmbd: close durable scavenger races against m_fp_list lookups
spi: spi-dw-dma: fix print error log when wait finish transaction
bridge: mrp: reject zero test interval to avoid OOM panic
sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting
sched: Employ sched_change guards
cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()
fuse: fix uninit-value in fuse_dentry_revalidate()
iommu/amd: Remove latent out-of-bounds access in IOMMU debugfs
iommu/amd: Fix illegal cap/mmio access in IOMMU debugfs
drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()
Linux 6.18.33
netfs: Fix potential uninitialised var in netfs_extract_user_iter()
selftests/bpf: Remove test_access_variable_array
net: skbuff: propagate shared-frag marker through frag-transfer helpers
net: skbuff: preserve shared-frag marker during coalescing
net/rds: reset op_nents when zerocopy page pin fails
spi: sifive: fix controller deregistration
spi: sifive: Simplify clock handling with devm_clk_get_enabled()
f2fs: fix false alarm of lockdep on cp_global_sem lock
sched_ext: Pass held rq to SCX_CALL_OP() for core_sched_before
sched_ext: Guard scx_dsq_move() against NULL kit->dsq after failed iter_new
perf/x86/intel: Disable PMI for self-reloaded ACR events
btrfs: do not mark inode incompressible after inline attempt fails
smb: client: Use FullSessionKey for AES-256 encryption key derivation
eventfs: Use list_add_tail_rcu() for SRCU-protected children list
drm/v3d: Reject empty multisync extension to prevent infinite loop
drm/gma500/oaktrail_lvds: fix i2c adapter leaks on init
drm/gma500/oaktrail_lvds: fix hang on init failure
drm/gma500/oaktrail_hdmi: fix i2c adapter leak on setup
drm/ttm: Convert -EAGAIN from dmem_cgroup_try_charge to -ENOSPC
drm/xe/dma-buf: fix UAF with retry loop
drm/xe/dma-buf: handle empty bo and UAF races
drm/panfrost: Fix wait_bo ioctl leaking positive return from dma_resv_wait_timeout()
drm/i915: skip __i915_request_skip() for already signaled requests
iommu/vt-d: Avoid NULL pointer dereference or refcount corruption
iommu/vt-d: Fix oops due to out of scope access
iommu/vt-d: Disable DMAR for Intel Q35 IGFX
libceph: handle rbtree insertion error in decode_choose_args()
libceph: Fix potential out-of-bounds access in crush_decode()
libceph: Fix potential null-ptr-deref in decode_choose_args()
libceph: Fix potential out-of-bounds access in osdmap_decode()
irqchip/gic-v5: Allocate ITS parent LPIs as a range
irqchip/gic-v5: Support range allocation for LPIs
irqchip/gic-v5: Move LPI allocation into the LPI domain
irqchip/meson-gpio: Use the correct register in meson_s4_gpio_irq_set_type()
irqchip/riscv-imsic: Clear interrupt move state during CPU offlining
nfsd: fix file change detection in CB_GETATTR
netfs: fix error handling in netfs_extract_user_iter()
powerpc/warp: Fix error handling in pika_dtm_thread
virt: sev-guest: Do not use host-controlled page order in cleanup path
xfs: fix memory leak on error in xfs_alloc_zone_info()
x86/kexec: Push kjump return address even for non-kjump kexec
iommu/amd: Bounds-check devid in __rlookup_amd_iommu()
io-wq: check that the predecessor is hashed in io_wq_remove_pending()
ceph: fix BUG_ON in __ceph_build_xattrs_blob() due to stale blob size
ceph: fix a buffer leak in __ceph_setxattr()
btrfs: only release the dirty pages io tree after successful writes
ALSA: usb-audio: qcom: Check offload mapping failures
ALSA: usb-audio: Bound MIDI endpoint descriptor scans
ALSA: usb-audio: Bound MIDI 2.0 endpoint descriptor scans
ALSA: hda/realtek: Add quirk for Samsung Galaxy Book5 360 headphone
ALSA: hda/realtek: Add mute LED quirk for HP Pavilion Laptop 16-ag0xxx
accel/rocket: Fix prep_bo ioctl leaking positive return from dma_resv_wait_timeout()
platform/x86: lenovo-wmi-other: Fix tunable_attr_01 struct members
platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers
platform/x86: intel: Move debugfs register before creating devices
drm/i915/dp: Fix VSC dynamic range signaling for RGB formats
drm: Replace old pointer to new idr
drm/loongson: Use managed KMS polling
smb/client: fix possible infinite loop and oob read in symlink_data()
nvme-apple: Reset q->sq_tail during queue init
Bluetooth: btmtk: accept too short WMT FUNC_CTRL events
media: staging: imx: configure src_mux in csi_start
ata: libata-scsi: fix requeue of deferred ATA PASS-THROUGH commands
fuse: avoid 0x10 fault in fuse_readahead when max_pages == 0
HID: core: Fix size_t specifier in hid_report_raw_event()
HID: core: introduce hid_safe_input_report()
HID: pass the buffer size to hid_report_raw_event
KVM: x86: Fix Xen hypercall tracepoint argument assignment
KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
audit: enforce AUDIT_LOCKED for AUDIT_TRIM and AUDIT_MAKE_EQUIV
net: atlantic: preserve PCI wake-from-D3 on shutdown when WOL enabled
netfilter: nft_ct: fix missing expect put in obj eval
Revert "ACPI: CPPC: Adjust debug messages in amd_set_max_freq_ratio() to warn"
idpf: fix double free and use-after-free in aux device error paths
cgroup/dmem: Return -ENOMEM on failed pool preallocation
net: ena: PHC: Check return code before setting timestamp output
audit: fix incorrect inheritable capability in CAPSET records
netfilter: nf_conntrack_sip: get helper before allocating expectation
net: ena: PHC: Fix potential use-after-free in get_timestamp
workqueue: Fix wq->cpu_pwq leak in alloc_and_link_pwqs() WQ_UNBOUND path
i40e: Cleanup PTP pins on probe failure
crypto: af_alg - Cap AEAD AD length to 0x80000000
sched/fair: Revert force wakeup preemption
sched/fair: Fix wakeup_preempt_fair() for not waking up task
net: mana: Init gf_stats_work before potential error paths in probe
net: mana: Fix use-after-free in reset service rescan path
net: airoha: Fix VIP configuration for AN7583 SoC
net: airoha: Use gdm port enum value whenever possible
net: airoha: Remove code duplication in airoha_regs.h
net/sched: sch_pie: annotate more data-races in pie_dump_stats()
net: airoha: Move ndesc initialization at end of airoha_qdma_init_tx()
net: airoha: Move entries to queue head in case of DMA mapping failure in airoha_dev_xmit()
rtla: Fix parse_cpu_set() bug introduced by strtoi()
net: airoha: Fix a copy and paste bug in probe()
bpf: Fix sync_linked_regs regarding BPF_ADD_CONST32 zext propagation
PCI: Initialize temporary device in new_id_store()
Revert "papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()"
Revert "pseries/papr-hvpipe: Fix race with interrupt handler"
futex: Drop CLONE_THREAD requirement for private default hash alloc
arm64: Reserve an extra page for early kernel mapping
kselftest/arm64: Include <asm/ptrace.h> for user_gcs definition
net/sched: cls_flower: revert unintended changes
sfc: fix error code in efx_devlink_info_running_versions()
net: tls: fix strparser anchor skb leak on offload RX setup failure
ice: add dpll peer notification for paired SMA and U.FL pins
dpll: export __dpll_pin_change_ntf() for use under dpll_lock
dpll: Add notifier chain for dpll events
dpll: Allow associating dpll pin with a firmware node
ice: fix missing dpll notifications for SW pins
ice: fix SMA and U.FL pin state changes affecting paired pin
ice: fix missing SMA pin initialization in DPLL subsystem
ice: fix infinite recursion in ice_cfg_tx_topo via ice_init_dev_hw
ice: fix NULL pointer dereference in ice_reset_all_vfs()
iavf: add VIRTCHNL_OP_ADD_VLAN to success completion handler
iavf: wait for PF confirmation before removing VLAN filters
iavf: stop removing VLAN filters from PF on interface down
iavf: rename IAVF_VLAN_IS_NEW to IAVF_VLAN_ADDING
page_pool: fix memory-provider leak in page_pool_create_percpu() error path
bonding: 3ad: implement proper RCU rules for port->aggregator
bonding: print churn state via netlink
net: airoha: Do not return err in ndo_stop() callback
net: airoha: fix BQL imbalance in TX path
drm/xe/gsc: Fix BO leak on error in query_compatibility_version()
drm/xe/eustall: Fix drm_dev_put called before stream disable in close
drm/xe: Fix error cleanup in xe_exec_queue_create_ioctl()
drm/xe/debugfs: Correct printing of register whitelist ranges
drm/amd/display: Read EDID from VBIOS embedded panel info
drm/amd/display: Allow constructing DCE8 link encoder without DDC
drm/amd/display: Allow constructing DCE6 link encoder without DDC
drm/amd/display: Allow DCE link encoder without AUX registers
futex: Prevent lockup in requeue-PI during signal/ timeout wakeup
ALSA: hda/tas2781: Fix incorrect bit update for non-book-zero or book 0 pages >1
ALSA: hda: cs35l56: Fix uninitialized value in cs35l56_hda_read_acpi()
ALSA: hda/conexant: Fix missing error check for jack detection
netconsole: propagate device name truncation in dev_name_store()
net/sched: sch_cake: annotate data-races in cake_dump_stats() (V)
net/sched: sch_cake: annotate data-races in cake_dump_stats() (III)
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst()
sctp: discard stale INIT after handshake completion
netfilter: skip recording stale or retransmitted INIT
ASoC: codecs: ab8500: Fix casting of private data
net: psp: require admin permission for dev-set and key-rotate
net: psp: check for device unregister when creating assoc
io_uring/napi: cap busy_poll_to 10 msec
drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.1 ring
drm/amdgpu/jpeg: set no_user_fence for JPEG v5.0.0 ring
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.5 ring
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0.3 ring
drm/amdgpu/jpeg: set no_user_fence for JPEG v4.0 ring
drm/amdgpu/jpeg: set no_user_fence for JPEG v3.0 ring
drm/amdgpu/jpeg: set no_user_fence for JPEG v2.5 ring
drm/amdgpu/jpeg: set no_user_fence for JPEG v2.0 ring
drm/amdgpu/vcn: set no_user_fence for VCN v5.0.1 enc ring
drm/amdgpu/vcn: set no_user_fence for VCN v5.0.0 enc ring
drm/amdgpu/vcn: set no_user_fence for VCN v4.0.5 enc ring
drm/amdgpu/vcn: set no_user_fence for VCN v4.0.3 enc ring
drm/amdgpu/vcn: set no_user_fence for VCN v4.0 enc ring
drm/amdgpu/vcn: set no_user_fence for VCN v3.0 enc/dec rings
drm/amdgpu/vcn: set no_user_fence for VCN v2.5 enc/dec rings
drm/amdgpu/vcn: set no_user_fence for VCN v2.0 enc/dec rings
net: phy: dp83869: fix setting CLK_O_SEL field.
s390/mm: Fix phys_to_folio() usage in do_secure_storage_access()
md/md-bitmap: add a none backend for bitmap grow
md/md-bitmap: split bitmap sysfs groups
md: factor bitmap creation away from sysfs handling
md: add fallback to correct bitmap_ops on version mismatch
md/raid1,raid10: don't fail devices for invalid IO errors
net: mctp i2c: check length before marking flow active
sched/fair: Clear rel_deadline when initializing forked entities
sched/fair: Fix wakeup_preempt_fair() vs delayed dequeue
sched/fair: Reimplement NEXT_BUDDY to align with EEVDF goals
ALSA: usb-audio: Fix potential leak of pd at parsing UAC3 streams
netpoll: fix IPv6 local-address corruption
tcp: make probe0 timer handle expired user timeout
neigh: let neigh_xmit take skb ownership
net/sched: taprio: fix NULL pointer dereference in class dump
NFC: trf7970a: Ignore antenna noise when checking for RF field
spi: amlogic-spisg: initialize completion before requesting IRQ
net: usb: rtl8150: free skb on usb_submit_urb() failure in xmit
net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
vrf: Fix a potential NPD when removing a port from a VRF
net/sched: sch_fq_pie: annotate data-races in fq_pie_dump_stats()
net/sched: sch_choke: annotate data-races in choke_dump_stats()
net: airoha: Do not read uninitialized fragment address in airoha_dev_xmit()
net: airoha: Do not wake all netdev TX queues in airoha_qdma_wake_netdev_txqs()
net: airoha: fix typo in function name
net: airoha: stop net_device TX queue before updating CPU index
net/sched: netem: check for negative latency and jitter
net/sched: netem: fix slot delay calculation overflow
net/sched: netem: validate slot configuration
net/sched: netem: only reseed PRNG when seed is explicitly provided
net/sched: netem: fix queue limit check to include reordered packets
net/sched: netem: fix probability gaps in 4-state loss model
netdevsim: zero initialize struct iphdr in dummy sk_buff
cdrom, scsi: sr: propagate read-only status to block layer via set_disk_ro()
ACPI: APEI: EINJ: Fix EINJV2 memory error injection
ACPICA: Provide #defines for EINJV2 error types
arm64/scs: Fix potential sign extension issue of advance_loc4
drm/color-mgmt: Typo s/R332/RGB332/
drm/sysfb: ofdrm: fix PCI device reference leaks
ASoC: tas2770: Fix order of operations for temperature calculation
ASoC: tas2764: Mark die temp register as volatile
spi: rockchip: Read ISR, not IMR, to detect cs-inactive IRQ
ASoC: amd: acp: Add DMI quirk for Valve Steam Deck OLED
netfilter: nf_conntrack_sip: don't use simple_strtoul
netfilter: xt_policy: fix strict mode inbound policy matching
drm/amdgpu/gfx6: Support harvested SI chips with disabled TCCs (v2)
drm/amdgpu/uvd3.1: Don't validate the firmware when already validated
drm/amdgpu: fix AMDGPU_INFO_READ_MMR_REG
drm/amdgpu/gmc: Fix AMDGPU_GART_PLACEMENT_LOW to not overlap with VRAM
nvme-pci: fix missed admin queue sq doorbell write
netfilter: nf_tables: use list_del_rcu for netlink hooks
netfilter: arp_tables: fix IEEE1394 ARP payload parsing
nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
tracing: branch: Fix inverted check on stat tracer registration
cgroup: Increment nr_dying_subsys_* from rmdir context
btrfs: fix double-decrement of bytes_may_use in submit_one_async_extent()
fsnotify: fix inode reference leak in fsnotify_recalc_mask()
mailbox: mailbox-test: make data_ready a per-instance variable
mailbox: mailbox-test: initialize struct earlier
mailbox: mailbox-test: don't free the reused channel
mailbox: add sanity check for channel array
cgroup/rdma: fix integer overflow in rdmacg_try_charge()
sched/psi: fix race between file release and pressure write
mailbox: mailbox-test: free channels on probe error
mailbox: mtk-cmdq: Fix CURR and END addr for task insert case
kbuild: Never respect CONFIG_WERROR / W=e to fixdep
tools/power turbostat: Fix unrecognized option '-P'
tools/power turbostat: Fix and document --header_iterations
tools/power turbostat: Use strtoul() for iteration parsing
tools/power turbostat.8: Document the "--force" option
fbdev: offb: fix PCI device reference leak on probe failure
kbuild: builddeb - avoid recompiles for non-cross-compiles
rtc: abx80x: Disable alarm feature if no interrupt attached
fs/adfs: validate nzones in adfs_validate_bblk()
eventpoll: fix ep_remove struct eventpoll / struct file UAF
eventpoll: move epi_fget() up
eventpoll: drop vestigial __ prefix from ep_remove_{file,epi}()
eventpoll: kill __ep_remove()
eventpoll: split __ep_remove()
eventpoll: use hlist_is_singular_node() in __ep_remove()
nstree: fix func. parameter kernel-doc warnings
vhost_net: fix sleeping with preempt-disabled in vhost_net_busy_poll()
tipc: fix double-free in tipc_buf_append()
tcp: send a challenge ACK on SEG.ACK > SND.NXT
nfp: fix swapped arguments in nfp_encode_basic_qdr() calls
virtio_net: sync rss_trailer.max_tx_vq on queue_pairs change via VQ_PAIRS_SET
vsock/virtio: fix MSG_ZEROCOPY pinned-pages accounting
net: mana: Fix EQ leak in mana_remove on NULL port
net: mana: Implement ndo_tx_timeout and serialize queue resets per port.
net: mana: Handle hardware recovery events when probing the device
net: mana: Handle SKB if TX SGEs exceed hardware limit
net: mana: Don't overwrite port probe error with add_adev result
net: mana: Add standard counter rx_missed_errors
net: mana: Move hardware counter stats from per-port to per-VF context
net: mana: Guard mana_remove against double invocation
net: mana: Init link_change_work before potential error paths in probe
net: airoha: Add size check for TX NAPIs in airoha_qdma_cleanup()
net: airoha: Rework the code flow in airoha_remove() and in airoha_probe() error path
net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()
net: dsa: realtek: rtl8365mb: fix mode mask calculation
net: airoha: Add missing bits in airoha_qdma_cleanup_tx_queue()
net: airoha: Add the capability to consume out-of-order DMA tx descriptors
net: airoha: Add AN7583 SoC support
net: airoha: Refactor src port configuration in airhoha_set_gdm2_loopback
net: airoha: ppe: Move PPE memory info in airoha_eth_soc_data struct
net: airoha: ppe: Dynamically allocate foe_check_time array in airoha_ppe struct
net/sched: sch_sfb: annotate data-races in sfb_dump_stats()
net/sched: sch_red: annotate data-races in red_dump_stats()
net/sched: sch_fq_codel: remove data-races from fq_codel_dump_stats()
net/sched: sch_pie: annotate data-races in pie_dump_stats()
net_sched: sch_hhf: annotate data-races in hhf_dump_stats()
ice: fix ice_ptp_read_tx_hwtstamp_status_eth56g
ice: fix ready bitmap check for non-E822 devices
ice: perform PHY soft reset for E825C ports at initialization
ice: fix timestamp interrupt configuration for E825C
net/rds: zero per-item info buffer before handing it to visitors
bnge: remove unsupported backing store type
bnge: fix initial HWRM sequence
net: validate skb->napi_id in RX tracepoints
ksmbd: scope conn->binding slowpath to bound sessions only
ksmbd: fix durable fd leak on ClientGUID mismatch in durable v2 open
ksmbd: destroy async_ida in ksmbd_conn_free()
ksmbd: destroy tree_conn_ida in ksmbd_session_destroy()
pwm: atmel-tcb: Cache clock rates and mark chip as atomic
arm64: dts: meson-gxl-p230: fix ethernet PHY interrupt number
arm64: dts: amlogic: meson-axg: Add missing cache information to cpu0
net/sched: sch_dualpi2: drain both C-queue and L-queue in dualpi2_change()
slip: bound decode() reads against the compressed packet length
slip: reject VJ receive packets on instances with no rstate array
netfilter: nfnetlink_osf: fix potential NULL dereference in ttl check
netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
ipvs: fix MTU check for GSO packets in tunnel mode
netfilter: nat: use kfree_rcu to release ops
netfilter: xtables: restrict several matches to inet family
netfilter: conntrack: remove sprintf usage
netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO
netfilter: nft_osf: restrict it to ipv4
net: airoha: Fix possible TX queue stall in airoha_qdma_tx_napi_poll()
openvswitch: cap upcall PID array size and pre-size vport replies
net/mlx5: Fix HCA caps leak on notifier init failure
pppoe: drop PFC frames
sctp: fix OOB write to userspace in sctp_getsockopt_peer_auth_chunks
ipv6: fix possible UAF in icmpv6_rcv()
e1000e: Unroll PTP in probe error handling
iavf: fix wrong VLAN mask for legacy Rx descriptors L2TAG2
i40e: don't advertise IFF_SUPP_NOFCS
ice: fix ICE_AQ_LINK_SPEED_M for 200G
ice: fix double-free of tx_buf skb
ice: Remove jumbo_remove step from TX path
ice: update PCS latency settings for E825 10G/25Gb modes
ice: fix 'adjust' timer programming for E830 devices
tcp: annotate data-races around tp->plb_rehash
tcp: annotate data-races around (tp->write_seq - tp->snd_nxt)
tcp: annotate data-races around tp->timeout_rehash
tcp: annotate data-races around tp->srtt_us
tcp: better handle TCP_TX_DELAY on established flows
tcp: annotate data-races around tp->reord_seen
tcp: annotate data-races around tp->dsack_dups
tcp: annotate data-races around tp->bytes_retrans
tcp: annotate data-races around tp->bytes_sent
tcp: add data-race annotations for TCP_NLA_SNDQ_SIZE
tcp: annotate data-races around tp->delivered and tp->delivered_ce
tcp: annotate data-races around tp->snd_ssthresh
tcp: add data-races annotations around tp->reordering, tp->snd_cwnd
tcp: add data-race annotations around tp->data_segs_out and tp->total_retrans
tcp: annotate data-races in tcp_get_info_chrono_stats()
tcp: inline tcp_chrono_start()
tcp: move tp->chrono_type next tp->chrono_stat[]
ksmbd: fix use-after-free in smb2_open during durable reconnect
smb: move smb_version_values to common/smbglob.h
net: enetc: fix NTMP DMA use-after-free issue
net: enetc: correct the command BD ring consumer index
net: dsa: remove redundant netdev_lock_ops() from conduit ethtool ops
net: dsa: append ethtool counters of all hidden ports to conduit
net: dsa: use kernel data types for ethtool ops on conduit
net: dsa: cpu_dp->orig_ethtool_ops might be NULL
net/sched: taprio: fix use-after-free in advance_sched() on schedule switch
net: airoha: Wait for NPU PPE configuration to complete in airoha_ppe_offload_setup()
nexthop: fix IPv6 route referencing IPv4 nexthop
net/sched: sch_cake: fix NAT destination port not being updated in cake_update_flowkeys
macvlan: fix macvlan_get_size() not reserving space for IFLA_MACVLAN_BC_CUTOFF
net/sched: act_mirred: fix wrong device for mac_header_xmit check in tcf_blockcast_redir
pwm: stm32: Fix rounding issue for requests with inverted polarity
arm64: dts: marvell: armada-37xx: use 'usb2-phy' in USB3 controller's phy-names
arm64: dts: imx8mm-tqma8mqml: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mn-tqma8mqnl: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mm-emtop-som: Correct PAD settings for PMIC_nINT
reset: amlogic: t7: Fix null reset ops
PCMCIA: Fix garbled log messages for KERN_CONT
arm64: dts: imx8mp-data-modul-edm-sbc: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-dhcom-som: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-ultra-mach-sbc: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-sr-som: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-nitrogen-som: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-aristainetos3a-som-v1: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-edm-g: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-icore-mx8mp: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-navqp: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-debix-som-a: Correct PAD settings for PMIC_nINT
arm64: dts: imx8mp-debix-model-a: Correct PAD settings for PMIC_nINT
erofs: unify lcn as u64 for 32-bit platforms
crypto: ccp - copy IV using skcipher ivsize
crypto: sa2ul - Fix AEAD fallback algorithm names
crypto: eip93 - fix hmac setkey algo selection
virt: arm-cca-guest: fix error check for RSI_INCOMPLETE
drm/i915/wm: Verify the correct plane DDB entry
f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()
f2fs: allow empty mount string for Opt_usr|grp|projjquota
clk: visconti: pll: initialize clk_init_data to zero
clk: qcom: gcc-x1e80100: Keep GCC USB QTB clock always ON
f2fs: fix to preserve previous reserve_{blocks,node} value when remount
f2fs: expand scalability of f2fs mount option
lib/hexdump: print_hex_dump_bytes() calls print_hex_dump_debug()
clk: qcom: gdsc: Fix error path on registration of multiple pm subdomains
f2fs: avoid reading already updated pages during GC
f2fs: use f2fs_filemap_get_folio() instead of f2fs_pagecache_get_page()
clk: spacemit: ccu_mix: fix inverted condition in ccu_mix_trigger_fc()
clk: qcom: dispcc-sc7180: Add missing MDSS resets
dt-bindings: clock: qcom,dispcc-sc7180: Define MDSS resets
clk: xgene: Fix mapping leak in xgene_pllclk_init()
clk: qoriq: avoid format string warning
x86/um: fix vDSO installation
x86/um/vdso: Drop VDSO64-y from Makefile
clk: imx8mq: Correct the CSI PHY sels
clk: imx: imx6q: Fix device node reference leak in of_assigned_ldb_sels()
clk: imx: imx6q: Fix device node reference leak in pll6_bypassed()
clk: qcom: dispcc-sm8250: Enable parents for pixel clocks
clk: qcom: dispcc-sm8250: Use shared ops on the mdss vsync clk
clk: qcom: gcc-sc8180x: Use retention for PCIe power domains
clk: qcom: gcc-sc8180x: Use retention for USB power domains
clk: qcom: gcc-sc8180x: Add missing GDSCs
dt-bindings: clock: qcom,gcc-sc8180x: Add missing GDSCs
scsi: ufs: rockchip,rk3576-ufshc: dt-bindings: Add new mphy reset item
scsi: target: core: Fix integer overflow in UNMAP bounds check
clk: renesas: r9a09g057: Remove entries for WDT{0,2,3}
clk: renesas: r9a09g057: Fix ordering of module clocks array
clk: renesas: r9a09g057: Add entries for RSCIs
clk: renesas: r9a09g057: Add clock and reset entries for RTC
clk: qcom: dispcc[01]-sa8775p: Fix DSI byte clock rate setting
clk: qcom: dispcc-sm4450: Fix DSI byte clock rate setting
clk: qcom: dispcc-milos: Fix DSI byte clock rate setting
clk: qcom: dispcc-glymur: Fix DSI byte clock rate setting
clk: qcom: dispcc-sc8280xp: remove CLK_SET_RATE_PARENT from byte_div_clk_src dividers
scsi: sg: Resolve soft lockup issue when opening /dev/sgX
scsi: sg: Fix sysctl sg-big-buff register during sg_init()
clk: sunxi-ng: sun55i-a523-r: Add missing r-spi module clock
clk: qcom: dispcc-sm8450: use RCG2 ops for DPTX1 AUX clock source
clk: qcom: dispcc-glymur: use RCG2 ops for DPTX1 AUX clock source
clk: qcom: gcc-glymur: Add video axi clock resets for glymur
dt-bindings: clock: qcom: Add GCC video axi reset clock for Glymur
RDMA/core: Prefer NLA_NUL_STRING
platform/x86: dell-wmi-sysman: bound enumeration string aggregation
platform/x86: dell_rbu: avoid uninit value usage in packet_size_write()
fs/ntfs3: terminate the cached volume label after UTF-8 conversion
tty: serial: ip22zilog: Fix section mispatch warning
platform/x86: asus-wmi: fix screenpad brightness range
platform/x86: asus-wmi: adjust screenpad power/brightness handling
NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg
nfs/blocklayout: Fix compilation error (`make W=1`) in bl_write_pagelist()
mfd: mc13xxx-core: Fix memory leak in mc13xxx_add_subdevice_pdata()
platform/x86: barco-p50-gpio: normalize return value of gpio_get
platform/x86: panasonic-laptop: Fix OPTD notifier registration and cleanup
usb: typec: ps883x: Fix Oops at unbind
tty: hvc_iucv: fix off-by-one in number of supported devices
usb: typec: Fix error pointer dereference
leds: lgm-sso: Remove duplicate assignments for priv->mmap
platform/surface: surfacepro3_button: Drop wakeup source on remove
backlight: sky81452-backlight: Check return value of devm_gpiod_get_optional() in sky81452_bl_parse_dt()
i3c: mipi-i3c-hci: fix IBI payload length calculation for final status
i3c: master: adi: Fix error propagation for CCCs
i3c: dw: Fix memory leak in dw_i3c_master_i3c_xfers()
i3c: master: renesas: Fix memory leak in renesas_i3c_i3c_xfers()
i3c: master: dw-i3c: Fix missing reset assertion in remove() callback
perf util: Kill die() prototype, dead for a long time
perf maps: Fix copy_from that can break sorted by name order
perf maps: Fix fixup_overlap_and_insert that can break sorted by name order
pinctrl: sophgo: pinctrl-sg2044: Fix wrong module description
pinctrl: sophgo: pinctrl-sg2042: Fix wrong module description
perf cgroup: Update metric leader in evlist__expand_cgroup
ipmi: ssif_bmc: change log level to dbg in irq callback
ipmi: ssif_bmc: fix message desynchronization after truncated response
ipmi: ssif_bmc: fix missing check for copy_to_user() partial failure
perf expr: Return -EINVAL for syntax error in expr__find_ids()
perf tools: Fix module symbol resolution for non-zero .text sh_addr
memblock: reserve_mem: fix end caclulation in reserve_mem_release_by_name()
perf stat: Fix opt->value type for parse_cache_level
perf lock: Fix option value type in parse_max_stack
pinctrl: renesas: rzg2l: Fix save/restore of {IOLH,IEN,PUPD,SMT} registers
pinctrl: abx500: Fix type of 'argument' variable
pinctrl: realtek: Fix function signature for config argument
pinctrl: pinconf-generic: Fully validate 'pinmux' property
perf: tools: cs-etm: Fix print issue for Coresight debug in ETE/TRBE trace
perf branch: Avoid incrementing NULL
pinctrl: cy8c95x0: Avoid returning positive values to user space
pinctrl: cy8c95x0: Unify messages with help of dev_err_probe()
pinctrl: cy8c95x0: remove duplicate error message
perf trace: Avoid an ERR_PTR in syscall_stats
pinctrl: pinctrl-pic32: Fix resource leak
perf trace: Fix IS_ERR() vs NULL check bug
bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
bpf: Validate node_id in arena_alloc_pages()
libbpf: Prevent double close and leak of btf objects
bpf: allow UTF-8 literals in bpf_bprintf_prepare()
bpf: Fix NULL deref in map_kptr_match_type for scalar regs
bpf: Fix precedence bug in convert_bpf_ld_abs alignment check
bpf, sockmap: Take state lock for af_unix iter
bpf, sockmap: Fix af_unix null-ptr-deref in proto update
bpf, sockmap: Fix af_unix iter deadlock
bpf, riscv: Remove redundant bpf_flush_icache() after pack allocator finalize
bpf, arm64: Remove redundant bpf_flush_icache() after pack allocator finalize
bpf, arm64: Fix off-by-one in check_imm signed range check
ext4: fix possible null-ptr-deref in mbt_kunit_exit()
HID: usbhid: fix deadlock in hid_post_reset()
mtd: spinand: winbond: Clarify when to enable the HS bit
mtd: spinand: Give the bus interface to the configuration helper
mtd: spinand: Add support for setting a bus interface
mtd: spinand: Gather all the bus interface steps in one single function
mtd: spinand: winbond: Configure the IO mode after the dummy cycles
mtd: spinand: winbond: Rename IO_MODE register macro
mtd: spinand: Create an array of operation templates
mtd: spinand: Decouple write enable and write disable operations
mtd: spinand: Add missing check
mtd: rawnand: sunxi: fix sunxi_nfc_hw_ecc_read_extra_oob
cxl/pci: Check memdev driver binding status in cxl_reset_done()
mtd: parsers: ofpart: call of_node_get() for dedicated subpartitions
mtd: parsers: ofpart: call of_node_put() only in ofpart_fail path
mtd: spi-nor: swp: check SR_TB flag when getting tb_mask
mtd: spi-nor: update spi_nor_fixups::post_sfdp() documentation
mtd: spi-nor: sfdp: introduce smpt_map_id fixup hook
mtd: spi-nor: sfdp: introduce smpt_read_dummy fixup hook
mtd: spi-nor: core: correct the op.dummy.nbytes when check read operations
dt-bindings: interrupt-controller: arm,gic-v3: Fix EPPI range
ima_fs: Correctly create securityfs files for unsupported hash algos
mtd: physmap_of_gemini: Fix disabled pinctrl state check
HID: asus: do not abort probe when not necessary
HID: asus: make asus_resume adhere to linux kernel coding standards
ima: check return value of crypto_shash_final() in boot aggregate
remoteproc: imx_rproc: Check return value of regmap_attach_dev() in imx_rproc_mmio_detect_mode()
stop_machine: Fix the documentation for a NULL cpus argument
remoteproc: xlnx: Fix sram property parsing
hte: tegra194: remove Kconfig dependency on Tegra194 SoC
tracing: Rebuild full_name on each hist_field_name() call
tracing: move __printf() attribute on __ftrace_vbprintk()
tracing: move tracing declarations from kernel.h to a dedicated header
tracing: remove size parameter in __trace_puts()
soundwire: cadence: Clear message complete before signaling waiting thread
dmaengine: mxs-dma: Fix missing return value from of_dma_controller_register()
soundwire: Intel: test bus.bpt_stream before assigning it
soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
dmaengine: dw-axi-dmac: Remove unnecessary return statement from void function
ocfs2: validate group add input before caching
ocfs2: validate bg_bits during freefrag scan
ocfs2: fix listxattr handling when the buffer is full
fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal
firmware: arm_ffa: Use the correct buffer size during RXTX_MAP
ARM: dts: imx27-eukrea: replace interrupts with interrupts-extended
lib: kunit_iov_iter: fix memory leaks
slab: Introduce kmalloc_obj() and family
arm64/xor: fix conflicting attributes for xor_block_template
ARM: OMAP1: Fix DEBUG_LL and earlyprintk on OMAP16XX
arm64: dts: qcom: sm8250: Add missing CPU7 3.09GHz OPP
soc: qcom: aoss: compare against normalized cooling state
soc: qcom: llcc: fix v1 SB syndrome register offset
ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
ocfs2/dlm: validate qr_numregions in dlm_match_regions()
unshare: fix nsproxy leak in ksys_unshare() on set_cred_ucounts() failure
soc/tegra: cbb: Fix cross-fabric target timeout lookup
soc/tegra: cbb: Fix incorrect ARRAY_SIZE in fabric lookup tables
soc/tegra: cbb: Set ERD on resume for err interrupt
arm64: dts: imx8qxp-mek: switch Type-C connector power-role to dual
arm64: dts: imx8qm-mek: switch Type-C connector power-role to dual
arm64: dts: lx2160a: complete pinmux for rcwsr12 configuration word
arm64: dts: lx2160a: change zeros to hexadecimal in pinmux nodes
arm64: dts: lx2160a: add sda gpio references for i2c bus recovery
arm64: dts: lx2160a: rename pinmux nodes for readability
arm64: dts: lx2160a: remove duplicate pinmux nodes
arm64: dts: lx2160a: change i2c0 (iic1) pinmux mask to one bit
arm64: dts: imx8dxl-evk: Use audio-graph-card2 for wm8960-2 and wm8960-3
arm64: dts: imx8mp-kontron: Fix boot order for PMIC and RTC
arm64: dts: freescale: imx8mp-tqma8mpql-mba8mp-ras314: fix UART1 RTS/CTS muxing
arm64: dts: ti: k3-am62-verdin: Fix SPI_1 GPIO CS pinctrl label
arm64: dts: ti: k3-am62-lp-sk: Enable internal pulls for MMC0 data pins
arm64: dts: ti: k3-am62p5-sk: Disable MMC1 internal pulls on data pins
arm64: dts: qcom: msm8917-xiaomi-riva: Fix board-id for all bootloader
arm64: dts: qcom: sdm845-xiaomi-beryllium: Mark l1a regulator as powered during boot
arm64: dts: qcom: sm7225-fairphone-fp4: Fix conflicting bias pinctrl
arm64: dts: qcom: sm8650: Enable UHS-I SDR50 and SDR104 SD card modes
arm64: dts: qcom: sm8550: Enable UHS-I SDR50 and SDR104 SD card modes
arm64: dts: qcom: sm8450: Enable UHS-I SDR50 and SDR104 SD card modes
arm64: dts: qcom: hamoa: Fix xo clock supply of platform SD host controller
arm64: dts: qcom: sm8650: Fix xo clock supply of SD host controller
arm64: dts: qcom: sm8550: Fix xo clock supply of platform SD host controller
arm64: dts: qcom: sm8750: Fix GIC_ITS range length
arm64: dts: qcom: sm8650: Fix GIC_ITS range length
arm64: dts: qcom: sm8550: Fix GIC_ITS range length
arm64: dts: qcom: sm8450: Fix GIC_ITS range length
arm64: dts: qcom: sm8650: correct Iris corners for the MXC rail
arm64: dts: qcom: sm8550: correct Iris corners for the MXC rail
arm64: dts: qcom: monaco: correct Iris corners for the MXC rail
arm64: dts: qcom: lemans: correct Iris corners for the MXC rail
arm64: dts: qcom: hamoa: correct Iris corners for the MXC rail
bus: rifsc: fix RIF configuration check for peripherals
arm64: dts: rockchip: Add mphy reset to ufshc node
arm64: dts: rockchip: Fix RK3562 EVB2 model name
soc: qcom: ocmem: return -EPROBE_DEFER is ocmem is not available
soc: qcom: ocmem: register reasons for probe deferrals
soc: qcom: ocmem: make the core clock optional
arm64: dts: rockchip: Correct Joystick Axes on Gameforce Ace
arm64: dts: rockchip: Correct Fan Supply for Gameforce Ace
Revert "arm64: dts: rockchip: add SPDIF audio to Beelink A1"
arm64: dts: rockchip: Fix Bluetooth stability on LCKFB TaiShan Pi
arm64: dts: qcom: msm8953-xiaomi-daisy: fix backlight
arm64: dts: qcom: msm8953-xiaomi-vince: correct wled ovp value
arm64: dts: imx8mp-hummingboard-pulse: fix mini-hdmi dsi port reference
arm64: dts: imx8mp-kontron: Drop vmmc-supply to fix SD card on SMARC eval carrier
arm64: dts: imx8mp-kontron: Fix touch reset configuration on DL devices
iommufd/selftest: Fix page leaks in mock_viommu_{init,destroy}
arm64: dts: mediatek: mt7986a: Fix gpio-ranges pin count
arm64: dts: mediatek: mt7981b: Fix gpio-ranges pin count
arm64: dts: mediatek: mt6795: Fix gpio-ranges pin count
arm64: dts: qcom: talos: Add missing clock-names to GCC
arm64: dts: qcom: sm6125-xiaomi-ginkgo: Fix reserved gpio ranges
arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove extcon
arm64: dts: qcom: sm6125-xiaomi-ginkgo: Correct reserved memory ranges
arm64: dts: qcom: sm6125-xiaomi-ginkgo: Remove board-id
arm64: dts: qcom: sm6125-ginkgo: Fix missing msm-id subtype
iommufd: vfio compatibility extension check for noiommu mode
arm64: dts: imx8mp-evk: Enable pull select bit for PCIe regulator GPIO (M.2 W_DISABLE1)
arm64: dts: rockchip: Make Jaguar PCIe-refclk pin use pull-up config
arm64: dts: imx91-11x11-evk: change usdhc tuning step for eMMC and SD
arm64: dts: imx8-apalis: Fix LEDs name collision
memory: tegra30-emc: Fix dll_change check
memory: tegra124-emc: Fix dll_change check
ARM: dts: mediatek: mt7623: fix efuse fallback compatible
arm64: dts: mediatek: mt8365: Describe infracfg-nao as a pure syscon
ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
efi/capsule-loader: fix incorrect sizeof in phys array reallocation
gfs2: prevent NULL pointer dereference during unmount
gfs2: add some missing log locking
vfio: unhide vdev->debug_root
quota: Fix race of dquot_scan_active() with quota deactivation
gfs2: less aggressive low-memory log flushing
rtla/utils: Fix resource leak in set_comm_sched_attr()
rtla: Replace atoi() with a robust strtoi()
rtla: Fix -C/--cgroup interface
ktest: Run POST_KTEST hooks on failure and cancellation
ktest: Honor empty per-test option overrides
ktest: Avoid undef warning when WARNINGS_FILE is unset
fanotify: call fanotify_events_supported() before path_permission() and security_path_notify()
fanotify: avoid/silence premature LSM capability checks
gfs2: Call unlock_new_inode before d_instantiate
ALSA: hda/realtek - fixed speaker no sound update
ALSA: usb-audio: Exclude Scarlett 18i20 1st Gen from SKIP_IFACE_SETUP
crypto: jitterentropy - replace long-held spinlock with mutex
sched_ext: Fix ops.cgroup_move() invocation kf_mask and rq tracking
sched_ext: Track @p's rq lock across set_cpus_allowed_scx -> ops.set_cpumask
dm cache: fix missing return in invalidate_committed's error path
ALSA: sc6000: Keep the programmed board state in card-private data
spi: mtk-snfi: unregister ECC engine on probe failure and remove() callback
PCI: tegra194: Fix CBB timeout caused by DBI access before core power-on
PCI: tegra194: Disable L1.2 capability of Tegra234 EP
PCI: tegra194: Remove unnecessary L1SS disable code
PCI: dwc: Apply ECRC workaround to DesignWare 5.00a as well
PCI: tegra194: Use DWC IP core version
PCI: tegra194: Free up Endpoint resources during remove()
PCI: tegra194: Allow system suspend when the Endpoint link is not up
PCI: tegra194: Set LTR message request before PCIe link up in Endpoint mode
PCI: tegra194: Disable direct speed change for Endpoint mode
PCI: tegra194: Use devm_gpiod_get_optional() to parse "nvidia,refclk-select"
PCI: tegra194: Disable PERST# IRQ only in Endpoint mode
PCI: tegra194: Don't force the device into the D0 state before L2
PCI: tegra194: Disable LTSSM after transition to Detect on surprise link down
PCI: tegra194: Increase LTSSM poll time on surprise link down
PCI: tegra194: Fix polling delay for L2 state
ALSA: usb-audio: qcom: Fix incorrect type in enable_audio_stream
PCI/NPEM: Set LED_HW_PLUGGABLE for hotplug-capable ports
ASoC: SOF: compress: return the configured codec from get_params
ALSA: scarlett2: Add missing sentinel initializer field
selftest: memcg: skip memcg_sock test if address family not supported
Documentation: fix a hugetlbfs reservation statement
kho: make debugfs interface optional
selftests/mm: skip migration tests if NUMA is unavailable
gpu: nova-core: bitfield: fix broken Default implementation
gpu: nova-core: bitfield: Move bitfield-specific code from register! into new macro
gpu: nova-core: register: use field type for Into implementation
PCI: mediatek-gen3: Prevent leaking IRQ domains when IRQ not found
PCI: Enable AtomicOps only if Root Port supports them
ASoC: rsnd: Fix potential out-of-bounds access of component_dais[]
crypto: qat - use swab32 macro
crypto: iaa - fix per-node CPU counter reset in rebalance_wq_table()
crypto: qat - fix type mismatch in RAS sysfs show functions
crypto: qat - fix compression instance leak
crypto: qat - disable 420xx AE cluster when lead engine is fused off
crypto: qat - disable 4xxx AE cluster when lead engine is fused off
PCI: dwc: Fix type mismatch for kstrtou32_from_user() return value
ASoC: qcom: qdsp6: topology: check widget type before accessing data
iommu/riscv: Remove overflows on the invalidation path
iommu/amd: Fix clone_alias() to use the original device's devid
ASoC: fsl_easrc: Change the type for iec958 channel status controls
ASoC: fsl_easrc: Fix value type in fsl_easrc_iec958_get_bits()
ASoC: fsl_easrc: Check the variable range in fsl_easrc_iec958_put_bits()
ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_mode_put()
ASoC: fsl_xcvr: Fix event generation in fsl_xcvr_arc_mode_put()
ASoC: fsl_micfil: Fix event generation in micfil_quality_set()
ASoC: fsl_micfil: Fix event generation in micfil_put_dc_remover_state()
ASoC: fsl_micfil: Fix event generation in hwvad_put_init_mode()
ASoC: fsl_micfil: Fix event generation in hwvad_put_enable()
ASoC: fsl_micfil: Add access property for "VAD Detected"
drm/msm/dpu: drop INTF_0 on MSM8953
PM: domains: De-constify fields in struct dev_pm_domain_attach_data
pmdomain: imx: scu-pd: Fix device_node reference leak during ->probe()
pmdomain: ti: omap_prm: Fix a reference leak on device node
ALSA: hda/cmedia: Remove duplicate pin configuration parsing
drm/msm/a6xx: Use barriers while updating HFI Q headers
drm/msm/a6xx: Fix dumping A650+ debugbus blocks
drm/msm/shrinker: Fix can_block() logic
drm/msm/a6xx: Fix HLSQ register dumping
drm/msm: Fix VM_BIND UNMAP locking
drm/msm: Reject fb creation from _NO_SHARE objs
drm/msm/vma: Avoid lock in VM_BIND fence signaling path
ASoC: SOF: Intel: hda: Place check before dereference
ALSA: hda/realtek: fix code style (ERROR: else should follow close brace '}')
hwmon: (aspeed-g6-pwm-tach): remove redundant driver remove callback
PCI/DPC: Log AER error info for DPC/EDR uncorrectable errors
drm/amdgpu/uvd4.2: Don't initialize UVD 4.2 when DPM is disabled
drm/amd/pm/smu7: Add SCLK cap for quirky Hawaii board
drm/amd/pm/ci: F…
|
Merge Check Failed: No CR Numbers Found Error: No Change Request numbers were found. Please add Change Request numbers to your pull request description in the format CRs-Fixed: 12345 or link GitHub issues that are associated with Change Requests. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CR: 4558005