@opsiff opsiff commented Feb 3, 2026

Update kernel base to 6.6.122.

git log --oneline v6.6.121..v6.6.122 |wc
255 2210 18368

Merged: #1471
x86/resctrl: Add missing resctrl initialization for Hygon
x86/resctrl: Fix memory bandwidth counter width for Hygon

Handle:
posix-clock: introduce posix_clock_context concept
scsi: core: Fix error handler encryption support

Abdun Nihaal (1):
scsi: xen: scsiback: Fix potential memory leak in scsiback_remove()

Aboorva Devarajan (1):
mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free

Aditya Garg (1):
net: hv_netvsc: reject RSS hash key programming without RX indirection
table

Akhil P Oommen (1):
dt-bindings: power: qcom,rpmpd: add Turbo L5 corner

Alex Hung (1):
drm/amd/display: Check dce_hwseq before dereferencing it

Alok Tiwari (1):
octeontx2: cn10k: fix RX flowid TCAM mask handling

Andreas Gruenbacher (1):
Revert "gfs2: Fix use of bio_chain"

Andrew Cooper (1):
x86/kfence: avoid writing L1TF-vulnerable PTEs

Andrew Davis (1):
spi: sprd: adi: Use devm_register_restart_handler()

Andrey Vatoropin (1):
be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list

Andy Shevchenko (1):
iio: core: add missing mutex_destroy in iio_dev_release()

Anthony Brandon (1):
dmaengine: xilinx: xdma: Fix regmap max_register

Arkadiusz Kozdra (1):
kconfig: fix static linking of nconf

Arnaud Ferraris (1):
tcpm: allow looking for role_sw device in the main node

Arnd Bergmann (1):
irqchip/gic-v3-its: Avoid truncating memory addresses

Arun Raghavan (1):
ALSA: usb: Increase volume range that triggers a warning

Bagas Sanjaya (2):
textsearch: describe @list member in ts_ops search
mm, kfence: describe @slab parameter in __kfence_obj_info()

Bartlomiej Kubik (1):
fs/ntfs3: Initialize allocated memory before use

Benjamin Tissoires (1):
HID: usbhid: paper over wrong bNumDescriptor field

Berk Cem Goksel (1):
ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()

Biju Das (1):
dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all()

Boris Burkov (1):
btrfs: store fs_info in space_info

Brian Kao (1):
scsi: core: Fix error handler encryption support

Cedric Xing (1):
x86: make page fault handling disable interrupts properly

Cheng-Yu Lee (1):
regmap: Fix race condition in hwspinlock irqsave routine

Chenghai Huang (2):
uacce: fix isolate sysfs check condition
uacce: ensure safe queue release with state management

Chwee-Lin Choong (1):
igc: fix race condition in TX timestamp read for register 0

Damien Le Moal (1):
ata: libata-core: Introduce ata_dev_config_lpm()

Dan Carpenter (2):
phy: stm32-usphyc: Fix off by one in probe()
wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()

Dan Williams (1):
x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers

Daniel Borkmann (1):
bpf: Do not let BPF test infra emit invalid GSO types to stack

Daniel Wagner (1):
nvme-fc: rename free_ctrl callback to match name pattern

Danila Tikhonov (1):
dt-bindings: power: qcom,rpmpd: Add SM7150

Dave Ertman (1):
ice: Avoid detrimental cleanup for bond during interface stop

David Hildenbrand (Red Hat) (1):
mm/rmap: fix two comments related to huge_pmd_unshare()

David Jeffery (1):
scsi: core: Wake up the error handler when final completions race
against each other

David Yang (4):
veth: fix data race in veth_get_ethtool_stats
net: hns3: fix data race in hns3_fetch_stats
be2net: fix data race in be_get_new_eqd
net: openvswitch: fix data race in ovs_vport_get_upcall_stats

Dmitry Baryshkov (1):
dt-bindings: power: qcom-rpmpd: split RPMh domains definitions

Dmitry Skorodumov (1):
ipvlan: Make the addrs_lock be per port

Dragan Simic (1):
phy: phy-rockchip-inno-usb2: Use dev_err_probe() in the probe path

Emil Svendsen (2):
ASoC: tlv320adcx140: fix null pointer
ASoC: tlv320adcx140: fix word length

Eric Dumazet (12):
net: bridge: annotate data-races around fdb->{updated,used}
ip6_tunnel: use skb_vlan_inet_prepare() in _ip6_tnl_rcv()
net: update netdev_lock_{type,name}
macvlan: fix possible UAF in macvlan_forward_source()
ipv4: ip_gre: make ipgre_header() robust
net/sched: sch_qfq: do not free existing class in qfq_change_class()
bonding: limit BOND_MODE_8023AD to Ethernet devices
l2tp: avoid one data-race in l2tp_tunnel_del_work()
mISDN: annotate data-race around dev->work
ipv6: annotate data-race in ndisc_router_discovery()
bonding: provide a net pointer to __skb_flow_dissect()
net/sched: act_ife: avoid possible NULL deref

Ethan Nelson-Moore (2):
USB: serial: ftdi_sio: add support for PICAXE AXE027 cable
net: usb: dm9601: remove broken SR9700 support

Felix Gu (1):
spi: spi-sprd-adi: Fix double free in probe error path

Fernand Sieber (1):
perf/x86/intel: Do not enable BTS for guests

Fiona Klute (1):
iio: chemical: scd4x: fix reported channel endianness

Francesco Lavra (1):
iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event
detection

Gal Pressman (1):
selftests: drv-net: fix RPS mask handling for high CPU numbers

Georgi Djakov (1):
interconnect: debugfs: initialize src_node and dst_node to empty
strings

Geraldo Nascimento (2):
arm64: dts: rockchip: remove dangerous max-link-speed from helios64
arm64: dts: rockchip: remove redundant max-link-speed from nanopi-r4s

Greg Kroah-Hartman (1):
Linux 6.6.122

Hangbin Liu (1):
selftests/net: convert fib-onlink-tests.sh to run it in unique
namespace

Hans de Goede (1):
leds: led-class: Only Add LED to leds_list when it is fully ready

Haotian Zhang (1):
dmaengine: omap-dma: fix dma_pool resource leak in error paths

Haoxiang Li (5):
EDAC/x38: Fix a resource leak in x38_probe1()
EDAC/i3200: Fix a resource leak in i3200_probe1()
drm/amdkfd: fix a memory leak in device_queue_manager_init()
drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()
w1: fix redundant counter decrement in w1_attach_slave_device()

Huacai Chen (1):
USB: OHCI/UHCI: Add soft dependencies on ehci_platform

Ian Abbott (2):
comedi: dmm32at: serialize use of paged registers
comedi: Fix getting range information for subdevices 16 to 255

Ido Schimmel (1):
bridge: mcast: Fix use-after-free during router port configuration

Ihor Solodrai (1):
selftests/bpf: Check for timeout in perf_link test

Ilikara Zheng (1):
nvme-pci: disable secondary temp for Wodposit WPBSNM8

Ivaylo Ivanov (1):
phy: phy-snps-eusb2: refactor constructs names

Jacob Keller (1):
ice: initialize ring_stats->syncp

Jamal Hadi Salim (2):
net/sched: Enforce that teql can only be used as root qdisc
net/sched: qfq: Use cl_is_active to determine whether class is active
in qfq_rm_from_ag

Janne Grunau (1):
dmaengine: apple-admac: Add "apple,t8103-admac" compatible

Jaroslav Kysela (1):
ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer

Jens Axboe (1):
io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop

Jeongjun Park (1):
netrom: fix double-free in nr_route_frame()

Jianbo Liu (1):
xfrm: Fix inner mode lookup in tunnel mode GSO segmentation

Jiasheng Jiang (2):
btrfs: fix memory leaks in create_space_info() error paths
scsi: qla2xxx: Sanitize payload size to prevent member overflow

Jijie Shao (2):
net: hns3: fix wrong GENMASK() for HCLGE_FD_AD_COUNTER_NUM_M
net: hns3: fix the HCLGE_FD_AD_NXT_KEY error setting issue

Johan Hovold (18):
ASoC: codecs: wsa884x: fix codec initialisation
phy: drop probe registration printks
dmaengine: at_hdmac: fix device leak on of_dma_xlate()
dmaengine: bcm-sba-raid: fix device leak on probe
dmaengine: dw: dmamux: fix OF node leak on route allocation failure
dmaengine: idxd: fix device leaks on compat bind and unbind
dmaengine: lpc18xx-dmamux: fix device leak on route allocation
dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation
dmaengine: ti: dma-crossbar: fix device leak on am335x route
allocation
dmaengine: ti: k3-udma: fix device leak on udma lookup
slimbus: core: fix runtime PM imbalance on report present
slimbus: core: fix device reference leak on report present
intel_th: fix device leak on output open()
iio: adc: exynos_adc: fix OF populate on driver rebind
dmaengine: stm32: dmamux: fix device leak on route allocation
dmaengine: stm32: dmamux: fix OF node leak on route allocation failure
ASoC: codecs: wsa881x: fix unnecessary initialisation
ASoC: codecs: wsa883x: fix unnecessary initialisation

Johannes Brüderl (1):
usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS
descriptor

Johannes Nixdorf (1):
net: bridge: Set BR_FDB_ADDED_BY_USER early in fdb_add_entry

Keith Busch (1):
nvme-pci: do not directly handle subsys reset fallout

Konrad Dybcio (3):
arm64: dts: qcom: sc8280xp: Add missing VDD_MXC links
dt-bindings: power: qcom,rpmpd: Add SC8280XP_MXC_AO
pmdomain: qcom: rpmhpd: Add MXC to SC8280XP

Krzysztof Kozlowski (2):
phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again)
ASoC: codecs: wsa881x: Drop unused version readout

Kuniyuki Iwashima (4):
ipv6: Fix use-after-free in inet6_addr_del().
gue: Fix skb memleak with inner IP protocol 0.
tools: ynl: Specify --no-line-number in ynl-regen.sh.
fou: Don't allow 0 for FOU_ATTR_IPPROTO.

Kübrich, Andreas (1):
iio: dac: ad5686: add AD5695R to ad5686_chip_info_tbl

Laurent Vivier (1):
usbnet: limit max_mtu based on device's hard_mtu

Linus Torvalds (1):
Fix memory leak in posix_clock_open()

Lisa Robinson (1):
LoongArch: Fix PMU counter allocation for mixed-type event groups

Loic Poulain (1):
phy: qcom-qusb2: Fix NULL pointer dereference on early suspend

Long Li (1):
scsi: storvsc: Process unsupported MODE_SENSE_10

Louis Chauvet (1):
phy: rockchip: inno-usb2: fix disconnection in gadget mode

Luca Ceresoli (1):
phy: rockchip: inno-usb2: fix communication disruption in gadget mode

Lyude Paul (1):
drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare

Mahesh Bandewar (1):
selftest/ptp: update ptp selftest to exercise the gettimex options

Maninder Singh (1):
NFSD: fix race between nfsd registration and exports_proc

Marc Kleine-Budde (7):
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on
usb_submit_urb() error
can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak
can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak
can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak
can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak
can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak

Marek Vasut (2):
drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18
panel
wifi: rsi: Fix memory corruption due to not set vif driver data size

Mario Limonciello (4):
drm/amd/display: Bump the HDMI clock to 340MHz
platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute
names
platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro
platform/x86: hp-bioscfg: Fix automatic module loading

Mario Limonciello (AMD) (1):
drm/amd: Clean up kfd node on surprise disconnect

Mark Harmstone (1):
btrfs: fix missing fields in superblock backup with BLOCK_GROUP_TREE

Mark Rutland (1):
arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA

Markus Koeniger (1):
iio: accel: iis328dq: fix gain values

Marnix Rijnart (1):
serial: 8250_pci: Fix broken RS485 for F81504/508/512

Matthew Schwartz (1):
mmc: rtsx_pci_sdmmc: implement sdmmc_card_busy function

Matthew Wilcox (Oracle) (1):
migrate: correct lock ordering for hugetlb file folios

Maurizio Lombardi (1):
nvmet-tcp: remove boilerplate code

Melbin K Mathew (2):
vsock/virtio: fix potential underflow in virtio_transport_get_credit()
vsock/virtio: cap TX credit to local buffer size

Miaoqian Lin (1):
dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()

Michael Kelley (1):
Drivers: hv: Always do Hyper-V panic notification in hv_kmsg_dump()

Ming Lei (1):
io_uring: move local task_work in exit cancel loop

Ming Qian (1):
pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu

Morduan Zang (1):
efi/cper: Fix cper_bits_to_str buffer handling and return value

Namjae Jeon (1):
ksmbd: fix use-after-free in ksmbd_session_rpc_open

Naohiko Shimizu (1):
riscv: clocksource: Fix stimecmp update hazard on RV32

Naohiro Aota (3):
btrfs: factor out init_space_info() from create_space_info()
btrfs: factor out check_removing_space_info() from
btrfs_free_block_groups()
btrfs: introduce btrfs_space_info sub-group

Neil Armstrong (2):
i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA
dt-bindings: power: qcom,rpmpd: document the SM8650 RPMh Power Domains

Niklas Cassel (3):
ata: libata: Add cpr_log to ata_dev_print_features() early return
ata: libata: Call ata_dev_config_lpm() for ATAPI devices
ata: libata: Print features also for ATAPI devices

Nilay Shroff (2):
null_blk: fix kmemleak by releasing references to fault configfs items
nvme: fix PCIe subsystem reset controller state transition

Nuno Das Neves (1):
hyperv-tlfs: Change prefix of generic HV_REGISTER_* MSRs to HV_MSR_*

Ondrej Ille (1):
can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1
MBit.

Ondrej Jirman (1):
arm64: dts: rockchip: Fix voltage threshold for volume keys for
Pinephone Pro

Otto Pflüger (1):
dt-bindings: power: rpmpd: Add MSM8917, MSM8937 and QM215

P Praneesh (1):
wifi: ath11k: fix RCU stall while reaping monitor destination ring

Pavel Zhigulin (1):
iio: adc: ad7280a: handle spi_setup() errors in probe()

Pei Xiao (1):
iio: adc: at91-sama5d2_adc: Fix potential use-after-free in
sama5d2_adc driver

Peng Fan (1):
firmware: imx: scu-irq: Set mu_resource_id before get handle

Philip Yang (1):
drm/amdgpu: csa unmap use uninterruptible lock

Qu Wenruo (1):
btrfs: send: check for inline extents in range_is_hole_in_parent()

Rafael Beims (1):
phy: freescale: imx8m-pcie: assert phy reset during power on

Raju Rangoju (1):
amd-xgbe: avoid misleading per-packet error log

Rasmus Villemoes (1):
iio: core: add separate lockdep class for info_exist_lock

Ratheesh Kannoth (1):
octeontx2-af: Fix error handling

Ricardo B. Marlière (1):
selftests: net: fib-onlink-tests: Convert to use namespaces by default

Rob Herring (Arm) (1):
of: platform: Use default match table for /firmware

Robbie Ko (1):
btrfs: fix deadlock in wait_current_trans() due to ignored transaction
type

Russell King (Oracle) (1):
net: phy: fix phy_uses_state_machine()

Ryan Roberts (1):
mm: kmsan: fix poisoning of high-order non-compound pages

Saeed Mahameed (1):
net/mlx5e: Restore destroying state bit after profile cleanup

Samasth Norway Ananda (1):
ALSA: scarlett2: Fix buffer overflow in config retrieval

Sean Christopherson (1):
x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1

SeongJae Park (3):
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir
setup failure
mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup
failure

Shawn Lin (1):
mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400
mode

Sheetal (1):
dmaengine: tegra-adma: Fix use-after-free

Shivam Kumar (1):
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec

Sibi Sankar (1):
dt-bindings: power: rpmpd: Update part number to X1E80100

Stefano Garzarella (2):
vsock/test: add a final full barrier after run all tests
vsock/test: fix seqpacket message bounds test

Stefano Radaelli (1):
phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it

Steven Rostedt (1):
tracing: Fix crash on synthetic stacktrace field usage

Suraj Gupta (1):
dmaengine: xilinx_dma: Fix uninitialized addr_width when
"xlnx,addrwidth" property is missing

Szymon Wilczek (1):
can: etas_es58x: allow partial RX URB allocation to succeed

Taehee Yoo (1):
selftests: net: amt: wait longer for connection before sending packets

Taeyang Lee (1):
crypto: authencesn - reject too-short AAD (assoclen<8) to match
ESP/ESN spec

Takashi Iwai (1):
ALSA: ctxfi: Fix potential OOB access in audio mixer handling

Taniya Das (1):
dt-bindings: power: qcom,rpmpd: document the SM8750 RPMh Power Domains

Tetsuo Handa (1):
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session
upon receiving the second rts

Thadeu Lima de Souza Cascardo (1):
Revert "nfc/nci: Add the inconsistency check between the input data
length and count"

Thinh Nguyen (1):
usb: dwc3: Check for USB4 IP_NAME

Thomas Fourier (3):
wifi: ath10k: fix dma_free_coherent() pointer
wifi: ath12k: fix dma_free_coherent() pointer
octeontx2: Fix otx2_dma_map_page() error return code

Thomas Weißschuh (1):
hrtimer: Fix softirq base check in update_needs_ipi()

Thorsten Blum (1):
w1: therm: Fix off-by-one buffer overflow in alarms_store

Timur Kristóf (2):
drm/amd/pm: Don't clear SI SMC table when setting power limit
drm/amd/pm: Workaround SI powertune issue on Radeon 430 (v2)

Tomas Melin (1):
iio: adc: ad9467: fix ad9434 vref mask

Ulrich Mohr (1):
USB: serial: option: add Telit LE910 MBIM composition

Vladimir Oltean (3):
net: dsa: fix off-by-one in maximum bridge ID determination
net: phy: move phy_link_change() prior to mdio_bus_phy_may_suspend()
net: phy: allow MDIO bus PM ops to start/stop state machine for
phylink-controlled PHY

Vlastimil Babka (1):
mm/page_alloc: prevent pcp corruption with SMP=n

Wayne Chang (1):
phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7

Weigang He (1):
of: fix reference count leak in of_alias_scan()

Wenkai Lin (1):
uacce: fix cdev handling in the cleanup path

Wentao Liang (1):
phy: rockchip: inno-usb2: Fix a double free bug in
rockchip_usb2phy_probe()

Wojtek Wasko (3):
posix-clock: Store file pointer in struct posix_clock_context
ptp: Add PHC file mode checks. Allow RO adjtime() without FMODE_WRITE.
testptp: Add option to open PHC in readonly mode

Xabier Marquiegui (2):
posix-clock: introduce posix_clock_context concept
ptp: add testptp mask test

Xin Long (1):
sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT

Yang Erkun (1):
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref

Yang Shen (1):
uacce: implement mremap in uacce_vm_ops to return -EPERM

Yang Yingliang (1):
spi: sprd-adi: switch to use spi_alloc_host()

Yun Lu (1):
netdevsim: fix a race issue related to the operation on
bpf_bound_progs list

Zhaoyang Huang (1):
arm64: Set __nocfi on swsusp_arch_resume()

Zilin Guan (1):
pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()

Zqiang (1):
usbnet: Fix using smp_processor_id() in preemptible code warnings

feng (1):
Input: i8042 - add quirk for ASUS Zenbook UX425QA_UM425QA

gongqi (1):
Input: i8042 - add quirks for MECHREVO Wujie 15X Pro

.../devicetree/bindings/power/qcom,rpmpd.yaml | 83 +++---
Documentation/netlink/specs/fou.yaml | 2 +
Makefile | 2 +-
arch/arm64/boot/dts/qcom/sc8280xp.dtsi | 16 +-
.../dts/rockchip/rk3399-kobol-helios64.dts | 1 -
.../boot/dts/rockchip/rk3399-nanopi-r4s.dts | 1 -
.../dts/rockchip/rk3399-pinephone-pro.dts | 4 +-
arch/arm64/include/asm/hyperv-tlfs.h | 45 ++-
arch/arm64/include/asm/mshyperv.h | 4 +-
arch/arm64/kernel/hibernate.c | 2 +-
arch/arm64/kernel/signal.c | 4 +
arch/loongarch/kernel/perf_event.c | 21 +-
arch/x86/events/perf_event.h | 13 +-
arch/x86/hyperv/hv_init.c | 8 +-
arch/x86/include/asm/hyperv-tlfs.h | 145 +++++-----
arch/x86/include/asm/kfence.h | 29 +-
arch/x86/include/asm/mshyperv.h | 30 +-
arch/x86/kernel/cpu/mshyperv.c | 56 ++--
arch/x86/kernel/fpu/core.c | 32 ++-
arch/x86/kvm/x86.c | 9 +
arch/x86/mm/fault.c | 15 +-
arch/x86/mm/kaslr.c | 10 +-
crypto/authencesn.c | 6 +
drivers/ata/libata-core.c | 32 ++-
drivers/base/regmap/regmap.c | 4 +-
drivers/block/null_blk/main.c | 12 +-
drivers/clocksource/hyperv_timer.c | 26 +-
drivers/clocksource/timer-riscv.c | 3 +-
drivers/comedi/comedi_fops.c | 2 +-
drivers/comedi/drivers/dmm32at.c | 32 ++-
drivers/comedi/range.c | 2 +-
drivers/dma/apple-admac.c | 1 +
drivers/dma/at_hdmac.c | 9 +-
drivers/dma/bcm-sba-raid.c | 6 +-
drivers/dma/dw/rzn1-dmamux.c | 4 +-
drivers/dma/idxd/compat.c | 23 +-
drivers/dma/lpc18xx-dmamux.c | 19 +-
drivers/dma/qcom/gpi.c | 6 +-
drivers/dma/sh/rz-dmac.c | 5 +
drivers/dma/stm32-dmamux.c | 22 +-
drivers/dma/tegra210-adma.c | 10 +-
drivers/dma/ti/dma-crossbar.c | 18 +-
drivers/dma/ti/k3-udma-private.c | 2 +-
drivers/dma/ti/omap-dma.c | 4 +
drivers/dma/xilinx/xdma-regs.h | 1 +
drivers/dma/xilinx/xdma.c | 2 +-
drivers/dma/xilinx/xilinx_dma.c | 7 +-
drivers/edac/i3200_edac.c | 11 +-
drivers/edac/x38_edac.c | 9 +-
drivers/firmware/efi/cper.c | 2 +-
drivers/firmware/imx/imx-scu-irq.c | 24 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 +
.../drm/amd/amdkfd/kfd_device_queue_manager.c | 19 +-
.../gpu/drm/amd/display/dc/dc_hdmi_types.h | 2 +-
.../display/dc/dce110/dce110_hw_sequencer.c | 2 +-
.../drm/amd/display/dc/link/link_detection.c | 4 +-
drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 23 +-
drivers/gpu/drm/nouveau/dispnv50/curs507a.c | 1 +
drivers/gpu/drm/panel/panel-simple.c | 1 +
drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 4 +-
drivers/hid/usbhid/hid-core.c | 17 +-
drivers/hv/hv.c | 36 ++-
drivers/hv/hv_common.c | 32 ++-
drivers/hwtracing/intel_th/core.c | 19 +-
drivers/i2c/busses/i2c-qcom-geni.c | 11 +-
drivers/iio/accel/st_accel_core.c | 72 ++++-
drivers/iio/adc/ad7280a.c | 4 +-
drivers/iio/adc/ad9467.c | 2 +-
drivers/iio/adc/at91-sama5d2_adc.c | 1 +
drivers/iio/adc/exynos_adc.c | 13 +-
drivers/iio/chemical/scd4x.c | 6 +-
drivers/iio/dac/ad5686.c | 6 +
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 15 +-
drivers/iio/industrialio-core.c | 12 +-
drivers/input/serio/i8042-acpipnpio.h | 18 ++
drivers/interconnect/debugfs-client.c | 5 +
drivers/irqchip/irq-gic-v3-its.c | 8 +-
drivers/isdn/mISDN/timerdev.c | 13 +-
drivers/leds/led-class.c | 10 +-
drivers/misc/uacce/uacce.c | 48 +++-
drivers/mmc/host/rtsx_pci_sdmmc.c | 41 +++
drivers/mmc/host/sdhci-of-dwcmshc.c | 7 +
drivers/net/bonding/bond_main.c | 11 +-
drivers/net/can/ctucanfd/ctucanfd_base.c | 2 +-
drivers/net/can/usb/ems_usb.c | 8 +-
drivers/net/can/usb/esd_usb.c | 9 +-
drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
drivers/net/can/usb/gs_usb.c | 9 +
.../net/can/usb/kvaser_usb/kvaser_usb_core.c | 9 +-
drivers/net/can/usb/mcba_usb.c | 8 +-
drivers/net/can/usb/usb_8dev.c | 8 +-
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 5 +-
drivers/net/ethernet/emulex/benet/be_cmds.c | 3 +-
drivers/net/ethernet/emulex/benet/be_main.c | 8 +-
.../net/ethernet/hisilicon/hns3/hns3_enet.c | 69 ++---
.../hisilicon/hns3/hns3pf/hclge_cmd.h | 2 +-
.../hisilicon/hns3/hns3pf/hclge_main.c | 2 +-
drivers/net/ethernet/intel/ice/ice_lib.c | 29 +-
drivers/net/ethernet/intel/igc/igc_ptp.c | 43 +--
.../net/ethernet/marvell/octeontx2/af/rvu.c | 86 ++++--
.../marvell/octeontx2/nic/cn10k_macsec.c | 2 +-
.../marvell/octeontx2/nic/otx2_common.h | 7 +-
.../net/ethernet/mellanox/mlx5/core/en_main.c | 3 +
drivers/net/hyperv/netvsc_drv.c | 3 +
drivers/net/ipvlan/ipvlan.h | 2 +-
drivers/net/ipvlan/ipvlan_core.c | 16 +-
drivers/net/ipvlan/ipvlan_main.c | 49 ++--
drivers/net/macvlan.c | 20 +-
drivers/net/netdevsim/bpf.c | 6 +
drivers/net/netdevsim/dev.c | 2 +
drivers/net/netdevsim/netdevsim.h | 1 +
drivers/net/phy/phy_device.c | 58 +++-
drivers/net/usb/dm9601.c | 4 -
drivers/net/usb/usbnet.c | 11 +-
drivers/net/veth.c | 8 +-
drivers/net/wireless/ath/ath10k/ce.c | 16 +-
drivers/net/wireless/ath/ath11k/dp_rx.c | 4 +-
drivers/net/wireless/ath/ath12k/ce.c | 12 +-
.../wireless/marvell/mwifiex/11n_rxreorder.c | 6 +-
drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 +
drivers/nfc/virtual_ncidev.c | 4 -
drivers/nvme/host/fabrics.c | 15 +
drivers/nvme/host/fabrics.h | 1 +
drivers/nvme/host/fc.c | 5 +-
drivers/nvme/host/nvme.h | 14 +-
drivers/nvme/host/pci.c | 41 +++
drivers/nvme/host/rdma.c | 1 +
drivers/nvme/host/tcp.c | 1 +
drivers/nvme/target/tcp.c | 28 +-
drivers/of/base.c | 8 +-
drivers/of/platform.c | 2 +-
drivers/pci/Kconfig | 6 -
drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
drivers/phy/broadcom/phy-bcm-ns2-pcie.c | 2 -
drivers/phy/broadcom/phy-bcm-ns2-usbdrd.c | 1 -
drivers/phy/broadcom/phy-bcm-sr-pcie.c | 2 -
drivers/phy/broadcom/phy-brcm-sata.c | 2 +-
drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 3 +-
drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 1 +
drivers/phy/marvell/phy-pxa-usb.c | 1 -
.../phy/qualcomm/phy-qcom-eusb2-repeater.c | 2 -
drivers/phy/qualcomm/phy-qcom-m31.c | 2 -
drivers/phy/qualcomm/phy-qcom-qusb2.c | 18 +-
drivers/phy/qualcomm/phy-qcom-snps-eusb2.c | 256 +++++++++---------
drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 41 ++-
drivers/phy/st/phy-stih407-usb.c | 2 -
drivers/phy/st/phy-stm32-usbphyc.c | 6 +-
drivers/phy/tegra/xusb-tegra186.c | 3 +
drivers/phy/ti/phy-twl4030-usb.c | 1 -
drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 8 +
drivers/platform/x86/hp/hp-bioscfg/bioscfg.h | 12 +-
drivers/pmdomain/imx/imx8m-blk-ctrl.c | 11 +-
drivers/pmdomain/qcom/rpmhpd.c | 4 +
drivers/ptp/ptp_chardev.c | 37 ++-
drivers/ptp/ptp_private.h | 16 +-
drivers/scsi/qla2xxx/qla_isr.c | 7 +
drivers/scsi/scsi_error.c | 35 ++-
drivers/scsi/scsi_lib.c | 8 +
drivers/scsi/storvsc_drv.c | 3 +-
drivers/slimbus/core.c | 19 +-
drivers/spi/spi-sprd-adi.c | 63 ++---
drivers/tty/serial/8250/8250_pci.c | 2 +-
drivers/usb/core/config.c | 5 +
drivers/usb/core/quirks.c | 3 +
drivers/usb/dwc3/core.c | 2 +
drivers/usb/dwc3/core.h | 1 +
drivers/usb/host/ohci-platform.c | 1 +
drivers/usb/host/uhci-platform.c | 1 +
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 2 +
drivers/usb/serial/option.c | 1 +
drivers/usb/typec/tcpm/tcpm.c | 2 +-
drivers/w1/slaves/w1_therm.c | 62 ++---
drivers/w1/w1.c | 2 -
drivers/xen/xen-scsiback.c | 1 +
fs/btrfs/block-group.c | 60 ++--
fs/btrfs/disk-io.c | 2 +-
fs/btrfs/send.c | 2 +
fs/btrfs/space-info.c | 76 +++++-
fs/btrfs/space-info.h | 10 +
fs/btrfs/sysfs.c | 18 +-
fs/btrfs/transaction.c | 11 +-
fs/ext4/xattr.c | 1 +
fs/gfs2/lops.c | 2 +-
fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
fs/nfsd/nfsctl.c | 17 +-
fs/ntfs3/inode.c | 7 +-
fs/smb/server/mgmt/user_session.c | 20 +-
fs/smb/server/mgmt/user_session.h | 1 +
include/asm-generic/hyperv-tlfs.h | 32 ++-
include/asm-generic/mshyperv.h | 2 +-
include/dt-bindings/power/qcom,rpmhpd.h | 235 ++++++++++++++++
include/dt-bindings/power/qcom-rpmpd.h | 246 ++---------------
include/linux/iio/iio-opaque.h | 2 +
include/linux/kfence.h | 1 +
include/linux/nvme.h | 3 +
include/linux/posix-clock.h | 39 ++-
include/linux/textsearch.h | 1 +
include/linux/usb/quirks.h | 3 +
include/scsi/scsi_eh.h | 5 +
include/sound/pcm.h | 2 +-
include/uapi/linux/comedi.h | 2 +-
io_uring/io-wq.c | 2 +-
io_uring/io_uring.c | 8 +-
kernel/time/hrtimer.c | 2 +-
kernel/time/posix-clock.c | 53 ++--
kernel/trace/trace_events_hist.c | 9 +
kernel/trace/trace_events_synth.c | 8 +-
mm/Kconfig | 12 +-
mm/damon/sysfs-schemes.c | 11 +-
mm/damon/sysfs.c | 5 +-
mm/kmsan/shadow.c | 2 +-
mm/migrate.c | 12 +-
mm/page_alloc.c | 47 +++-
mm/rmap.c | 20 +-
net/bpf/test_run.c | 5 +
net/bridge/br_fdb.c | 35 ++-
net/bridge/br_input.c | 4 +-
net/bridge/br_multicast.c | 9 +
net/can/j1939/transport.c | 10 +-
net/core/dev.c | 25 +-
net/core/filter.c | 7 +
net/dsa/dsa.c | 2 +-
net/ipv4/esp4_offload.c | 4 +-
net/ipv4/fou_core.c | 3 +
net/ipv4/fou_nl.c | 2 +-
net/ipv4/ip_gre.c | 11 +-
net/ipv6/addrconf.c | 4 +-
net/ipv6/esp6_offload.c | 4 +-
net/ipv6/ip6_tunnel.c | 2 +-
net/ipv6/ndisc.c | 4 +-
net/l2tp/l2tp_core.c | 4 +-
net/netrom/nr_route.c | 13 +-
net/openvswitch/vport.c | 11 +-
net/sched/act_ife.c | 6 +-
net/sched/sch_qfq.c | 8 +-
net/sched/sch_teql.c | 5 +
net/sctp/sm_statefuns.c | 10 +-
net/vmw_vsock/virtio_transport_common.c | 30 +-
scripts/kconfig/nconf-cfg.sh | 11 +-
sound/core/oss/pcm_oss.c | 4 +-
sound/core/pcm_native.c | 9 +-
sound/pci/ctxfi/ctamixer.c | 2 +
sound/soc/codecs/tlv320adcx140.c | 8 +-
sound/soc/codecs/wsa881x.c | 11 +-
sound/soc/codecs/wsa883x.c | 9 +
sound/soc/codecs/wsa884x.c | 3 +-
sound/usb/mixer.c | 22 +-
sound/usb/mixer_scarlett2.c | 7 +-
tools/net/ynl/ynl-regen.sh | 2 +-
.../selftests/bpf/prog_tests/perf_link.c | 15 +-
tools/testing/selftests/net/amt.sh | 7 +-
.../testing/selftests/net/fib-onlink-tests.sh | 76 +++---
tools/testing/selftests/net/toeplitz.c | 4 +-
tools/testing/selftests/ptp/testptp.c | 114 ++++++--
tools/testing/vsock/util.c | 12 +
tools/testing/vsock/vsock_test.c | 11 +
258 files changed, 2706 insertions(+), 1454 deletions(-)

jhovold and others added 30 commits February 3, 2026 17:42
commit 120f3e6ff76209ee2f62a64e5e7e9d70274df42b upstream.

The soundwire update_status() callback may be called multiple times with
the same ATTACHED status but initialisation should only be done when
transitioning from UNATTACHED to ATTACHED.

Fix the inverted hw_init flag which was set to false instead of true
after initialisation which defeats its purpose and may result in
repeated unnecessary initialisation.

Similarly, the initial state of the flag was also inverted so that the
codec would only be initialised and brought out of regmap cache only
mode if its status first transitions to UNATTACHED.

Fixes: aa21a7d ("ASoC: codecs: wsa884x: Add WSA884x family of speakers")
Cc: stable@vger.kernel.org	# 6.5
Cc: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260102111413.9605-4-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 6eb597cb4e37f1e7ef3557168a0029685dd8900d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ]

Commit 61fafbe ("xfrm: Determine inner GSO type from packet inner
protocol") attempted to fix GSO segmentation by reading the inner
protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
because the field holds the inner L4 protocol (TCP/UDP) instead of the
required tunnel protocol. Also, the memory location (shared by
XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
is prone to corruption. This combination caused the kernel to select
the wrong inner mode and get the wrong address family.

The correct value is in xfrm_offload(skb)->proto, which is set from
the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
inner packet's address family.

Fixes: 61fafbe ("xfrm: Determine inner GSO type from packet inner protocol")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 55787a73fbb61cd385264fe4500c9fca352fa899)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]

In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
the function jumps to the out_scratch label without freeing the already
allocated dsaddrs list, leading to a memory leak.

Fix this by jumping to the out_err_drain_dsaddrs label, which properly
frees the dsaddrs list before cleaning up other resources.

Fixes: d67ae82 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 869862056e100973e76ce9f5f1b01837771b7722)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ]

When es58x_alloc_rx_urbs() fails to allocate the requested number of
URBs but succeeds in allocating some, it returns an error code.
This causes es58x_open() to return early, skipping the cleanup label
'free_urbs', which leads to the anchored URBs being leaked.

As pointed out by maintainer Vincent Mailhol, the driver is designed
to handle partial URB allocation gracefully. Therefore, partial
allocation should not be treated as a fatal error.

Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
allocated, restoring the intended behavior and preventing the leak
in es58x_open().

Fixes: 8537257 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
Reviewed-by: Vincent Mailhol <mailhol@kernel.org>
Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 611e839d2d552416b498ed5593e10670f61fcd4d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 75011bd ]

Simplify the nvmet_tcp_handle_h2c_data_pdu() function by removing
boilerplate code.

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Stable-dep-of: 32b63acd78f5 ("nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 50f80e82e79669dd5222fcd191ab872cad485f2b)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ]

Commit efa5630 ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
added ttag bounds checking and data_offset
validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
whether the command's data structures (cmd->req.sg and cmd->iov) have
been properly initialized before processing H2C_DATA PDUs.

The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
without NULL checks. This can be triggered by sending H2C_DATA PDU
immediately after the ICREQ/ICRESP handshake, before
sending a CONNECT command or NVMe write command.

Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL

The fix validates both cmd->req.sg and cmd->iov before calling
nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated

Fixes: efa5630 ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit fdecd3b6aac10d5a18d0dc500fe57f8648b66cd4)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
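
The check order described in the commit message above, as a user-space C model added here (not the kernel's code). Only `req.sg` and `iov` are names from the message; the struct layout, the verdict enum, the `with_fix` switch and the three-slot sample queue are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only. Apart from req.sg and iov, which the commit
 * message names, every identifier here is an assumption. */
struct model_req { void *sg; };   /* set once a command has mapped its data */
struct model_cmd {
	struct model_req req;
	void *iov;                /* set only when the command expects host data */
	uint32_t rbytes_done;     /* bytes already received for this command */
};
struct model_queue {
	struct model_cmd *cmds;
	uint16_t nr_cmds;
};

enum h2c_verdict {
	H2C_ACCEPT,
	H2C_BAD_TTAG,
	H2C_BAD_OFFSET,
	H2C_CMD_NOT_READY,
};

/* Decide whether an H2C_DATA PDU may proceed to the iovec builder.
 * with_fix = 0 models the state after the earlier commit (ttag and
 * data_offset checks only); with_fix = 1 adds the two pointer checks. */
enum h2c_verdict check_h2c_data(const struct model_queue *q, uint16_t ttag,
				uint32_t data_offset, int with_fix)
{
	const struct model_cmd *cmd;

	if (ttag >= q->nr_cmds)
		return H2C_BAD_TTAG;
	cmd = &q->cmds[ttag];
	if (data_offset != cmd->rbytes_done)
		return H2C_BAD_OFFSET;
	/* Both checks are needed: a READ command has sg but no iov. */
	if (with_fix && (!cmd->req.sg || !cmd->iov))
		return H2C_CMD_NOT_READY;
	return H2C_ACCEPT;
}

/* 1 if the PDU would be accepted and the builder would then touch a
 * NULL pointer; the model reports this instead of crashing. */
int reaches_null_deref(const struct model_queue *q, uint16_t ttag,
		       uint32_t data_offset, int with_fix)
{
	const struct model_cmd *cmd;

	if (check_h2c_data(q, ttag, data_offset, with_fix) != H2C_ACCEPT)
		return 0;
	cmd = &q->cmds[ttag];
	return !cmd->req.sg || !cmd->iov;
}

/* Constructed sample queue: one slot per case listed in the message. */
static char sample_sg[16], sample_iov[16];
static struct model_cmd sample_cmds[3] = {
	{ { NULL },      NULL,       0 },  /* slot 0: never initialised */
	{ { sample_sg }, NULL,       0 },  /* slot 1: READ command      */
	{ { sample_sg }, sample_iov, 0 },  /* slot 2: WRITE command     */
};
struct model_queue sample_q = { sample_cmds, 3 };

int main(void)
{
	static const char *names[] = { "uninitialised", "READ", "WRITE" };

	for (uint16_t ttag = 0; ttag < sample_q.nr_cmds; ttag++)
		printf("%-13s  without fix: %s  with fix: %s\n", names[ttag],
		       reaches_null_deref(&sample_q, ttag, 0, 0) ? "NULL deref" : "ok",
		       check_h2c_data(&sample_q, ttag, 0, 1) == H2C_ACCEPT ? "accepted" : "rejected");
	return 0;
}
```
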
[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]

Before accessing the disk_bytenr field of a file extent item we need
to check if we are dealing with an inline extent.
This is because for inline extents their data starts at the offset of
the disk_bytenr field. So accessing the disk_bytenr
means we are accessing inline data or in case the inline data is less
than 8 bytes we can actually cause an invalid
memory access if this inline extent item is the first item in the leaf
or access metadata from other items.

Fixes: 82bfb2e ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit f2dc6ab3a14c2d2eb0b14783427eb9b03bf631c9)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
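
Why the extent type has to be checked first, as a user-space C parser added here (not the btrfs code). The field offsets follow the packed on-disk file extent item layout; the function names, error codes and sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Packed on-disk file extent item: a 21-byte header ending in the
 * u8 type field, then either inline data or disk_bytenr and friends. */
enum {
	FE_OFF_TYPE        = 20,  /* u8 type */
	FE_OFF_DISK_BYTENR = 21,  /* le64 disk_bytenr, or first inline data byte */
	FE_SIZE_REGULAR    = 53,  /* header + four le64 fields */
};
enum { FE_INLINE = 0, FE_REG = 1, FE_PREALLOC = 2 };
enum { FE_ERR_TRUNCATED = -1, FE_ERR_INLINE = -2, FE_ERR_TYPE = -3 };

static uint64_t get_le64(const uint8_t *p)
{
	uint64_t v = 0;

	for (int i = 7; i >= 0; i--)
		v = (v << 8) | p[i];
	return v;
}

static void put_le64(uint8_t *p, uint64_t v)
{
	for (int i = 0; i < 8; i++, v >>= 8)
		p[i] = (uint8_t)v;
}

/* The pattern being fixed: read disk_bytenr without looking at the type. */
uint64_t disk_bytenr_unchecked(const uint8_t *item)
{
	return get_le64(item + FE_OFF_DISK_BYTENR);
}

/* The corrected order: type first, then size, then the field. */
int disk_bytenr_checked(const uint8_t *item, size_t item_size, uint64_t *out)
{
	if (item_size <= FE_OFF_TYPE)
		return FE_ERR_TRUNCATED;
	switch (item[FE_OFF_TYPE]) {
	case FE_INLINE:
		return FE_ERR_INLINE;   /* no disk_bytenr exists for this item */
	case FE_REG:
	case FE_PREALLOC:
		if (item_size < FE_SIZE_REGULAR)
			return FE_ERR_TRUNCATED;
		*out = get_le64(item + FE_OFF_DISK_BYTENR);
		return 0;
	default:
		return FE_ERR_TYPE;
	}
}

/* Constructed sample: a 24-byte inline item holding "abc", followed in
 * the same buffer by 16 filler bytes standing in for a neighbouring item. */
size_t make_inline_leaf(uint8_t leaf[40])
{
	memset(leaf, 0, FE_OFF_DISK_BYTENR);
	leaf[FE_OFF_TYPE] = FE_INLINE;
	memcpy(leaf + FE_OFF_DISK_BYTENR, "abc", 3);
	memset(leaf + 24, 0xEE, 16);
	return 24;
}

/* Constructed sample: a regular extent item with the given disk_bytenr. */
void make_regular(uint8_t item[FE_SIZE_REGULAR], uint64_t bytenr)
{
	memset(item, 0, FE_SIZE_REGULAR);
	item[FE_OFF_TYPE] = FE_REG;
	put_le64(item + FE_OFF_DISK_BYTENR, bytenr);
}

int main(void)
{
	uint8_t leaf[40], reg[FE_SIZE_REGULAR];
	uint64_t v = 0;
	size_t n = make_inline_leaf(leaf);

	/* Three inline bytes plus five bytes that belong to the neighbour. */
	printf("unchecked read on inline item: 0x%016llx\n",
	       (unsigned long long)disk_bytenr_unchecked(leaf));
	printf("checked read on inline item:   %d\n",
	       disk_bytenr_checked(leaf, n, &v));

	make_regular(reg, 0x1000000ULL);
	if (disk_bytenr_checked(reg, sizeof(reg), &v) == 0)
		printf("checked read on regular item:  0x%llx\n",
		       (unsigned long long)v);
	return 0;
}
```

In the model the out-of-item bytes land in filler; in a real leaf the same read either returns another item's metadata or runs past the buffer, which is the case the commit message calls out.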
[ Upstream commit cbf51ac ]

In preparation of the following fdb limit for dynamically learned entries,
allow fdb_create to detect that the entry was added by the user. This
way it can skip applying the limit in this case.

Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Johannes Nixdorf <jnixdorf-oss@avm.de>
Link: https://lore.kernel.org/r/20231016-fdb_limit-v5-1-32cddff87758@avm.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: b25a0b4a2193 ("net: bridge: annotate data-races around fdb->{updated,used}")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 9f1ac4c98add75e286dfaf6b87a1687868aa90c9)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit b25a0b4a2193407aa72a4cd1df66a7ed07dd4f1e ]

fdb->updated and fdb->used are read and written locklessly.

Add READ_ONCE()/WRITE_ONCE() annotations.

Fixes: 31cbc39 ("net: bridge: add option to allow activity notifications for any fdb entries")
Reported-by: syzbot+bfab43087ad57222ce96@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/695e3d74.050a0220.1c677c.035f.GAE@google.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260108093806.834459-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 98151bb13af1e5f37d3ff1c20fb24e8915260ea3)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ]

Blamed commit did not take care of VLAN encapsulations
as spotted by syzbot [1].

Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().

[1]
 BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
 BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
 BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
  IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
  ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
  __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
  ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
 gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
  ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
  ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
  NF_HOOK include/linux/netfilter.h:318 [inline]
  ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
  ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
  dst_input include/net/dst.h:474 [inline]
  ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
  NF_HOOK include/linux/netfilter.h:318 [inline]
  ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
  __netif_receive_skb_one_core net/core/dev.c:6139 [inline]
  __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
  netif_receive_skb_internal net/core/dev.c:6338 [inline]
  netif_receive_skb+0x57/0x630 net/core/dev.c:6397
  tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
  tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
  new_sync_write fs/read_write.c:593 [inline]
  vfs_write+0xbe2/0x15d0 fs/read_write.c:686
  ksys_write fs/read_write.c:738 [inline]
  __do_sys_write fs/read_write.c:749 [inline]
  __se_sys_write fs/read_write.c:746 [inline]
  __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
  x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:4960 [inline]
  slab_alloc_node mm/slub.c:5263 [inline]
  kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
  kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
  __alloc_skb+0x805/0x1040 net/core/skbuff.c:690
  alloc_skb include/linux/skbuff.h:1383 [inline]
  alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
  sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
  tun_alloc_skb drivers/net/tun.c:1461 [inline]
  tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
  tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
  new_sync_write fs/read_write.c:593 [inline]
  vfs_write+0xbe2/0x15d0 fs/read_write.c:686
  ksys_write fs/read_write.c:738 [inline]
  __do_sys_write fs/read_write.c:749 [inline]
  __se_sys_write fs/read_write.c:746 [inline]
  __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
  x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025

Fixes: 8d975c1 ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 2f03dafea0a8096a2eb60f551218b360e5bab9a3)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ]

Add missing entries in netdev_lock_type[] and netdev_lock_name[] :

CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON,
IEEE802154_MONITOR.

Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting
next time a protocol is added without updating these arrays.

Fixes: 1a33e10 ("net: partially revert dynamic lockdep key changes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 0ba0a79500fcfc25ae80a4d57b7ae9bb81b3e894)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ]

Add RCU protection on (struct macvlan_source_entry)->vlan.

Whenever macvlan_hash_del_source() is called, we must clear
entry->vlan pointer before RCU grace period starts.

This allows macvlan_forward_source() to skip over
entries queued for freeing.

Note that macvlan_dev are already RCU protected, as they
are embedded in a standard netdev (netdev_priv(ndev)).

Fixes: 79cf79a ("macvlan: add source mode")
Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
https://lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 15f6faf36e162532bec5cc05eb3fc622108bf2ed)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]

Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")

Over the years, syzbot found many ways to crash the kernel
in ipgre_header() [1].

This involves team or bonding drivers' ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len.

In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ipgre device.

[1]
skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
 kernel BUG at net/core/skbuff.c:213 !
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: mld mld_ifc_work
 RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
Call Trace:
 <TASK>
  skb_under_panic net/core/skbuff.c:223 [inline]
  skb_push+0xc3/0xe0 net/core/skbuff.c:2641
  ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
  dev_hard_header include/linux/netdevice.h:3436 [inline]
  neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
  NF_HOOK_COND include/linux/netfilter.h:307 [inline]
  ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
  NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
  mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
  mld_send_cr net/ipv6/mcast.c:2154 [inline]
  mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
  process_one_work kernel/workqueue.c:3257 [inline]
  process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
  worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
  kthread+0x711/0x8a0 kernel/kthread.c:463
  ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Fixes: c544193 ("GRE: Refactor GRE tunneling code.")
Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
Closes: https://www.spinics.net/lists/netdev/msg1147302.html
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 06fe0801396a36cab865b34f666de1d65bc5ce8e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]

If the last test fails, the other side still completes correctly,
which could lead to false positives.

Let's add a final barrier that ensures that the last test has finished
correctly on both sides, but also that the two sides agree on the
number of tests to be performed.

Fixes: 2f65b44 ("VSOCK: add full barrier between test cases")
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 147b9a2fc7a3516131039abff6b76b0bc1650a0e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ]

Profile rollback can fail in mlx5e_netdev_change_profile() and we will
end up with invalid mlx5e_priv memset to 0. We must maintain the
'destroying' bit in order to gracefully shut down even if the
profile/priv are not valid.

This patch maintains the previous state of the 'destroying' state of
mlx5e_priv after priv cleanup, to allow the remove flow to cleanup
common resources from mlx5_core to avoid FW fatal errors as seen below:

$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
    Error: mlx5_core: Failed setting eswitch to offloads.
dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ...

$ devlink dev reload pci/0000:00:03.0

mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected
mlx5_core 0000:00:03.0: firmware version: 28.41.1000
mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link)
mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here
mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver
mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start
mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms.

Fixes: c4d7eb5 ("net/mxl5e: Add change profile method")
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 6126877f90fe74a210a8a4edb2b8c9431a630ea8)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 42f620a ]

This is handy when computing space_info dynamic reclaim thresholds where
we do not have access to a block group. We could add it to the various
functions as a parameter, but it seems reasonable for space_info to have
an fs_info pointer.

Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 1fe74715ccb4e48001be551402acb6f83e99cf20)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit ac5578f ]

Factor out initialization of the space_info struct, which is used in a
later patch. There is no functional change.

Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 34d5cd41418af8cda0e0594db454e0abf3d6407f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…roups()

[ Upstream commit 1cfdbe0 ]

Factor out check_removing_space_info() from btrfs_free_block_groups(). It
sanity checks a to-be-removed space_info. There is no functional change.

Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 42c8d48bf3abeba7041658bc2470ee432f94d55c)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit f92ee31 ]

Current code assumes we have only one space_info for each block group type
(DATA, METADATA, and SYSTEM). We sometimes need multiple space infos to
manage special block groups.

One example is handling the data relocation block group for the zoned mode.
That block group is dedicated for writing relocated data and we cannot
allocate any regular extent from that block group, which is implemented in
the zoned extent allocator. This block group still belongs to the normal
data space_info. So, when all the normal data block groups are full and
there is some free space in the dedicated block group, the space_info
looks to have some free space, while it cannot allocate normal extent
anymore. That results in a strange ENOSPC error. We need to have a
space_info for the relocation data block group to represent the situation
properly.

Adds a basic infrastructure for having a "sub-group" of a space_info:
creation and removing. A sub-group space_info belongs to one of the
primary space_infos and has the same flags as its parent.

This commit first introduces the relocation data sub-space_info, and the
next commit will introduce tree-log sub-space_info. In the future, it could
be useful to implement tiered storage for btrfs e.g. by implementing a
sub-group space_info for block groups residing on fast storage.

Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: a11224a016d6 ("btrfs: fix memory leaks in create_space_info() error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 0bd151ce4200ca847990e05cca29a76456982ca5)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a11224a016d6d1d46a4d9b6573244448a80d4d7f ]

In create_space_info(), the 'space_info' object is allocated at the
beginning of the function. However, there are two error paths where the
function returns an error code without freeing the allocated memory:

1. When create_space_info_sub_group() fails in zoned mode.
2. When btrfs_sysfs_add_space_info_type() fails.

In both cases, 'space_info' has not yet been added to the
fs_info->space_info list, resulting in a memory leak. Fix this by
adding an error handling label to kfree(space_info) before returning.

Fixes: 2be12ef ("btrfs: Separate space_info create/update")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 58208907c4044a764dbd8896026283905da6d9be)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…n table

[ Upstream commit d23564955811da493f34412d7de60fa268c8cb50 ]

RSS configuration requires a valid RX indirection table. When the device
reports a single receive queue, rndis_filter_device_add() does not
allocate an indirection table; accepting RSS hash key updates in this
state leads to a hang.

Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return
-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device
capabilities and prevents incorrect behavior.

Fixes: 962f3fe ("netvsc: add ethtool ops to get/set RSS key")
Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com>
Reviewed-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/1768212093-1594-1-git-send-email-gargaditya@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 82c9039c8ebb715753a40434df714f865a3aec9c)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit ddf96c393a33aef4887e2e406c76c2f8cda1419c ]

syzbot reported use-after-free of inet6_ifaddr in
inet6_addr_del(). [0]

The cited commit accidentally moved ipv6_del_addr() for
mngtmpaddr before reading its ifp->flags for temporary
addresses in inet6_addr_del().

Let's move ipv6_del_addr() down to fix the UAF.

[0]:
BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593

CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
 addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181
 inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582
 sock_do_ioctl+0x118/0x280 net/socket.c:1254
 sock_ioctl+0x227/0x6b0 net/socket.c:1375
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Allocated by task 9593:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
 kasan_save_track+0x14/0x30 mm/kasan/common.c:77
 poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414
 kmalloc_noprof include/linux/slab.h:957 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120
 inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050
 addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160
 inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580
 sock_do_ioctl+0x118/0x280 net/socket.c:1254
 sock_ioctl+0x227/0x6b0 net/socket.c:1375
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6099:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
 kasan_save_track+0x14/0x30 mm/kasan/common.c:77
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free_freelist_hook mm/slub.c:2569 [inline]
 slab_free_bulk mm/slub.c:6696 [inline]
 kmem_cache_free_bulk mm/slub.c:7383 [inline]
 kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362
 kfree_bulk include/linux/slab.h:830 [inline]
 kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523
 kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]
 kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801
 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Fixes: 00b5b7a ("net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged")
Reported-by: syzbot+72e610f4f1a930ca9d8a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/696598e9.050a0220.3be5c5.0009.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260113010538.2019411-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 9356b69d03d0f50cce91cebdabd33dda023fbd64)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]

The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
0xfff0, only allowing CPUs 0-3.

Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
0-15.

Fixes: 5ebfb4c ("selftests/net: toeplitz test")
Reviewed-by: Nimrod Oren <noren@nvidia.com>
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit a3f895d4494a8c3ee92bbb0baa36cc20501e8df5)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]

Fixes qfq_change_class() error case.

cl->qdisc and cl should only be freed if a new class and qdisc
were allocated, or we risk various UAF.

Fixes: 462dbc9 ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 0a234660dc70ce45d771cbc76b20d925b73ec160)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit be7664c81d3129fc313ef62ff275fd3d33cfecd4 ]

The "snd_soc_component" in "adcx140_priv" was only used once but never
set. It was only used for reaching "dev" which is already present in
"adcx140_priv".

Fixes: 4e82971 ("ASoC: tlv320adcx140: Add a new kcontrol")
Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-2-8f7ecec525c8@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 659939d08e5f7bc17b941c53e8c9c0a6c6113b21)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ]

The word length is the physical width of the channel slots. So the
hw_params would misconfigure when format width and physical width
don't match. Like S24_LE which has data width of 24 bits but physical
width of 32 bits. So if using asymmetric formats you will get a lot of
noise.

Fixes: 689c765 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family")
Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 805f1c634817ac2b50a257509dc28ff091f61a59)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]

Sphinx reports kernel-doc warning:

WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'

Describe @list member to fix it.

Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
Fixes: 2de4ff7 ("[LIB]: Textsearch infrastructure.")
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Cc: Thomas Graf <tgraf@suug.ch>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit f332d75388ea518d7efd0ed028c19801de2b6949)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]

Sphinx reports kernel-doc warning:

WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'

Fix it by describing @slab parameter.

Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
Fixes: 2dfe63e ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Acked-by: Marco Elver <elver@google.com>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Acked-by: Harry Yoo <harry.yoo@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 7602a67114cd55916af42f5094ca0aac7e14bade)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 ]

The max_register field is assigned the size of the register memory
region instead of the offset of the last register.
The result is that reading from the regmap via debugfs can cause
a segmentation fault:

tail /sys/kernel/debug/regmap/xdma.1.auto/registers
Unable to handle kernel paging request at virtual address ffff800082f70000
Mem abort info:
  ESR = 0x0000000096000007
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x07: level 3 translation fault
[...]
Call trace:
 regmap_mmio_read32le+0x10/0x30
 _regmap_bus_reg_read+0x74/0xc0
 _regmap_read+0x68/0x198
 regmap_read+0x54/0x88
 regmap_read_debugfs+0x140/0x380
 regmap_map_read_file+0x30/0x48
 full_proxy_read+0x68/0xc8
 vfs_read+0xcc/0x310
 ksys_read+0x7c/0x120
 __arm64_sys_read+0x24/0x40
 invoke_syscall.constprop.0+0x64/0x108
 do_el0_svc+0xb0/0xd8
 el0_svc+0x38/0x130
 el0t_64_sync_handler+0x120/0x138
 el0t_64_sync+0x194/0x198
Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000)
---[ end trace 0000000000000000 ]---
note: tail[1217] exited with irqs disabled
note: tail[1217] exited with preempt_count 1
Segmentation fault

Fixes: 17ce252 ("dmaengine: xilinx: xdma: Add xilinx xdma driver")
Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Reviewed-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Anthony Brandon <anthony@amarulasolutions.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit df8a131a41ff6202d47f59452735787f2b71dd2d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
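The off-by-one-register described in the commit message above, as an added user-space model (not code from the xdma driver or from this PR). The window length, the stride and every `toy_` name are constructed for illustration; the dump loop assumes a register dump that walks offsets from 0 to max_register inclusive.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values, not taken from the xdma driver: a 4 KiB register
 * window made of 32-bit registers. */
#define WINDOW_LEN 0x1000u
#define REG_STRIDE 4u

/* Stand-in for the mapped MMIO region. */
static uint32_t window[WINDOW_LEN / REG_STRIDE];

struct toy_regmap_config {
	unsigned int reg_stride;
	unsigned int max_register; /* offset of the LAST valid register */
};

/* Stand-in for the bus read. A return of -1 marks an access that would
 * leave the mapping, which is where the real kernel takes the fault. */
static int toy_mmio_read(unsigned int reg, uint32_t *val)
{
	if (reg > WINDOW_LEN - REG_STRIDE)
		return -1;
	*val = window[reg / REG_STRIDE];
	return 0;
}

/* Walk every register from 0 to max_register inclusive and count the
 * reads that escaped the window. */
unsigned int toy_dump_oob_reads(const struct toy_regmap_config *cfg)
{
	unsigned int reg, oob = 0;
	uint32_t val;

	for (reg = 0; reg <= cfg->max_register; reg += cfg->reg_stride)
		if (toy_mmio_read(reg, &val) < 0)
			oob++;
	return oob;
}

/* Probe-time sanity check: the last register must start at least one
 * stride before the end of the mapped region and be stride-aligned. */
int toy_config_fits_window(const struct toy_regmap_config *cfg,
			   unsigned int len)
{
	if (cfg->reg_stride == 0 || len < cfg->reg_stride)
		return 0;
	if (cfg->max_register % cfg->reg_stride)
		return 0;
	return cfg->max_register <= len - cfg->reg_stride;
}

/* Buggy setting: max_register holds the SIZE of the region. */
unsigned int oob_with_size_as_max(void)
{
	struct toy_regmap_config cfg = { REG_STRIDE, WINDOW_LEN };

	return toy_dump_oob_reads(&cfg);
}

/* Corrected setting: max_register holds the offset of the last register. */
unsigned int oob_with_last_offset_as_max(void)
{
	struct toy_regmap_config cfg = { REG_STRIDE, WINDOW_LEN - REG_STRIDE };

	return toy_dump_oob_reads(&cfg);
}

int main(void)
{
	printf("size as max_register:        %u read(s) past the window\n",
	       oob_with_size_as_max());
	printf("last offset as max_register: %u read(s) past the window\n",
	       oob_with_last_offset_as_max());
	return 0;
}
```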
[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ]

A use-after-free bug exists in the Tegra ADMA driver when audio streams
are terminated, particularly during XRUN conditions. The issue occurs
when the DMA buffer is freed by tegra_adma_terminate_all() before the
vchan completion tasklet finishes accessing it.

The race condition follows this sequence:

  1. DMA transfer completes, triggering an interrupt that schedules the
     completion tasklet (tasklet has not executed yet)
  2. Audio playback stops, calling tegra_adma_terminate_all() which
     frees the DMA buffer memory via kfree()
  3. The scheduled tasklet finally executes, calling vchan_complete()
     which attempts to access the already-freed memory

Since tasklets can execute at any time after being scheduled, there is
no guarantee that the buffer will remain valid when vchan_complete()
runs.

Fix this by properly synchronizing the virtual channel completion:
 - Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
   descriptors as terminated instead of freeing the descriptor.
 - Add the callback tegra_adma_synchronize() that calls
   vchan_synchronize() which kills any pending tasklets and frees any
   terminated descriptors.

Crash logs:
[  337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[  337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0

[  337.427562] Call trace:
[  337.427564]  dump_backtrace+0x0/0x320
[  337.427571]  show_stack+0x20/0x30
[  337.427575]  dump_stack_lvl+0x68/0x84
[  337.427584]  print_address_description.constprop.0+0x74/0x2b8
[  337.427590]  kasan_report+0x1f4/0x210
[  337.427598]  __asan_load8+0xa0/0xd0
[  337.427603]  vchan_complete+0x124/0x3b0
[  337.427609]  tasklet_action_common.constprop.0+0x190/0x1d0
[  337.427617]  tasklet_action+0x30/0x40
[  337.427623]  __do_softirq+0x1a0/0x5c4
[  337.427628]  irq_exit+0x110/0x140
[  337.427633]  handle_domain_irq+0xa4/0xe0
[  337.427640]  gic_handle_irq+0x64/0x160
[  337.427644]  call_on_irq_stack+0x20/0x4c
[  337.427649]  do_interrupt_handler+0x7c/0x90
[  337.427654]  el1_interrupt+0x30/0x80
[  337.427659]  el1h_64_irq_handler+0x18/0x30
[  337.427663]  el1h_64_irq+0x7c/0x80
[  337.427667]  cpuidle_enter_state+0xe4/0x540
[  337.427674]  cpuidle_enter+0x54/0x80
[  337.427679]  do_idle+0x2e0/0x380
[  337.427685]  cpu_startup_entry+0x2c/0x70
[  337.427690]  rest_init+0x114/0x130
[  337.427695]  arch_call_rest_init+0x18/0x24
[  337.427702]  start_kernel+0x380/0x3b4
[  337.427706]  __primary_switched+0xc0/0xc8

Fixes: f46b195 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
Signed-off-by: Sheetal <sheetal@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 59cb421b0902fbef2b9512ae8ba198a20f26b41f)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
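The three-step race and the park-then-synchronize ordering from the commit message above, replayed deterministically in user space as an added model (not the Tegra ADMA or virt-dma code, and not part of this PR). All `toy_` names are constructed; a single static slot with an `allocated` flag stands in for kfree()d memory so the stale access can be counted, and the synchronize step is assumed to let the pending tasklet finish before the free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct toy_desc {
	bool allocated;
	unsigned int periods_done;
};

struct toy_chan {
	struct toy_desc *active;     /* descriptor the hardware works on */
	struct toy_desc *completed;  /* descriptor handed to the tasklet */
	struct toy_desc *terminated; /* parked by terminate, freed later */
	bool tasklet_pending;
	unsigned int stale_accesses; /* tasklet touched a freed descriptor */
};

/* One static slot: a stale access is observable instead of being UB. */
static struct toy_desc slot;

static struct toy_desc *toy_alloc(void)
{
	slot.allocated = true;
	slot.periods_done = 0;
	return &slot;
}

static void toy_free(struct toy_desc *d)
{
	d->allocated = false;
}

/* Step 1: the transfer-done interrupt only schedules the tasklet. */
static void toy_irq(struct toy_chan *c)
{
	c->completed = c->active;
	c->tasklet_pending = true;
}

/* Step 3: the tasklet body dereferences the descriptor it was given. */
static void toy_tasklet(struct toy_chan *c)
{
	if (!c->tasklet_pending)
		return;
	c->tasklet_pending = false;
	if (!c->completed)
		return;
	if (!c->completed->allocated)
		c->stale_accesses++;          /* the use-after-free */
	else
		c->completed->periods_done++; /* normal completion work */
	c->completed = NULL;
}

/* Step 2, buggy ordering: terminate frees while the tasklet is pending. */
static void toy_terminate_free_now(struct toy_chan *c)
{
	toy_free(c->active);
	c->active = NULL;
}

/* Step 2, fixed ordering: terminate only parks the descriptor. */
static void toy_terminate_park(struct toy_chan *c)
{
	c->terminated = c->active;
	c->active = NULL;
}

/* Synchronize: deal with the pending tasklet first, then free what
 * terminate parked. */
static void toy_synchronize(struct toy_chan *c)
{
	toy_tasklet(c); /* runs while the descriptor is still valid */
	if (c->terminated) {
		toy_free(c->terminated);
		c->terminated = NULL;
	}
}

unsigned int stale_accesses_free_in_terminate(void)
{
	struct toy_chan c = {0};

	c.active = toy_alloc();
	toy_irq(&c);
	toy_terminate_free_now(&c);
	toy_tasklet(&c);
	return c.stale_accesses;
}

unsigned int stale_accesses_park_then_synchronize(void)
{
	struct toy_chan c = {0};

	c.active = toy_alloc();
	toy_irq(&c);
	toy_terminate_park(&c);
	toy_synchronize(&c);
	toy_tasklet(&c); /* nothing is pending any more */
	return c.stale_accesses;
}

/* The parked descriptor must still be released, or the fix would leak. */
bool descriptor_released_after_synchronize(void)
{
	stale_accesses_park_then_synchronize();
	return !slot.allocated;
}

int main(void)
{
	printf("free in terminate:     %u stale access(es)\n",
	       stale_accesses_free_in_terminate());
	printf("park then synchronize: %u stale access(es)\n",
	       stale_accesses_park_then_synchronize());
	return 0;
}
```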
tehcaster and others added 21 commits February 3, 2026 17:47
[ Upstream commit 038a102535eb49e10e93eafac54352fcc5d78847 ]

The kernel test robot has reported:

 BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28
  lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0
 CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT  8cc09ef94dcec767faa911515ce9e609c45db470
 Call Trace:
  <IRQ>
  __dump_stack (lib/dump_stack.c:95)
  dump_stack_lvl (lib/dump_stack.c:123)
  dump_stack (lib/dump_stack.c:130)
  spin_dump (kernel/locking/spinlock_debug.c:71)
  do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)
  _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)
  __free_frozen_pages (mm/page_alloc.c:2973)
  ___free_pages (mm/page_alloc.c:5295)
  __free_pages (mm/page_alloc.c:5334)
  tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)
  ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)
  ? rcu_core (kernel/rcu/tree.c:?)
  rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)
  rcu_core_si (kernel/rcu/tree.c:2879)
  handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)
  __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)
  irq_exit_rcu (kernel/softirq.c:741)
  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)
  </IRQ>
  <TASK>
 RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
  free_pcppages_bulk (mm/page_alloc.c:1494)
  drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)
  __drain_all_pages (mm/page_alloc.c:2731)
  drain_all_pages (mm/page_alloc.c:2747)
  kcompactd (mm/compaction.c:3115)
  kthread (kernel/kthread.c:465)
  ? __cfi_kcompactd (mm/compaction.c:3166)
  ? __cfi_kthread (kernel/kthread.c:412)
  ret_from_fork (arch/x86/kernel/process.c:164)
  ? __cfi_kthread (kernel/kthread.c:412)
  ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
  </TASK>

Matthew has analyzed the report and identified that in drain_page_zone()
we are in a section protected by spin_lock(&pcp->lock) and then get an
interrupt that attempts spin_trylock() on the same lock.  The code is
designed to work this way without disabling IRQs and occasionally fail the
trylock with a fallback.  However, the SMP=n spinlock implementation
assumes spin_trylock() will always succeed, and thus it's normally a
no-op.  Here the enabled lock debugging catches the problem, but otherwise
it could cause a corruption of the pcp structure.

The problem has been introduced by commit 5749077 ("mm/page_alloc:
leave IRQs enabled for per-cpu page allocations").  The pcp locking scheme
recognizes the need for disabling IRQs to prevent nesting spin_trylock()
sections on SMP=n, but the need to prevent the nesting in spin_lock() has
not been recognized.  Fix it by introducing local wrappers that change the
spin_lock() to spin_lock_irqsave() with SMP=n and use them in all places
that do spin_lock(&pcp->lock).

[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]
Link: https://lkml.kernel.org/r/20260105-fix-pcp-up-v1-1-5579662d2071@suse.cz
Fixes: 5749077 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations")
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202512101320.e2f2dd6f-lkp@intel.com
Analyzed-by: Matthew Wilcox <willy@infradead.org>
Link: https://lore.kernel.org/all/aUW05pyc9nZkvY-1@casper.infradead.org/
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ drop changes to decay_pcp_high() and zone_pcp_update_cacheinfo() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4a04ff9cd816e7346fcc8126f00ed80481f6569d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 4795d205d78690a46b60164f44b8bb7b3e800865 ]

kmsan_free_page() is called by the page allocator's free_pages_prepare()
during page freeing.  Its job is to poison all the memory covered by the
page.  It can be called with an order-0 page, a compound high-order page
or a non-compound high-order page.  But page_size() only works for order-0
and compound pages.  For a non-compound high-order page it will
incorrectly return PAGE_SIZE.

The implication is that the tail pages of a high-order non-compound page
do not get poisoned at free, so any invalid access while they are free
could go unnoticed.  It looks like the pages will be poisoned again at
allocation time, so that would bookend the window.

Fix this by using the order parameter to calculate the size.

Link: https://lkml.kernel.org/r/20260104134348.3544298-1-ryan.roberts@arm.com
Fixes: b073d7f ("mm: kmsan: maintain KMSAN metadata for page operations")
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Reviewed-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Marco Elver <elver@google.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d6705bcc5fe7c2e2035b58e04b1ca11b41ffcb7b)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 4045252 ]

Improve error handling in the probe path by using function dev_err_probe()
instead of function dev_err(), where appropriate.

Signed-off-by: Dragan Simic <dsimic@manjaro.org>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Link: https://lore.kernel.org/r/d4ccd9fc278fb46ea868406bf77811ee507f0e4e.1725524803.git.dsimic@manjaro.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Stable-dep-of: e07dea3de508 ("phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 479fab9aeade18da4a29cea023a0b0c3caa61565)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…robe()

[ Upstream commit e07dea3de508cd6950c937cec42de7603190e1ca ]

The for_each_available_child_of_node() calls of_node_put() to
release child_np in each success loop. After breaking from the
loop when child_np has already been released, the code will jump to
the put_child label and will call of_node_put() again if
devm_request_threaded_irq() fails. This causes a double free bug.

Fix by returning directly to avoid the duplicate of_node_put().

Fixes: ed2b5a8 ("phy: phy-rockchip-inno-usb2: support muxed interrupts")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260109154626.2452034-1-vulab@iscas.ac.cn
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ebae26dd15140b840cf65be5e1c0daee949ba70b)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 3d2a69e ]

Driver does not use the device version after reading it from the
registers, so simplify by dropping unneeded code.

Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://patch.msgid.link/20240710-asoc-wsa88xx-version-v1-1-f1c54966ccde@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 29d71b8a5a40 ("ASoC: codecs: wsa881x: fix unnecessary initialisation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ea2474ea2eef4052d32f2234cb476621072d7b8e)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 29d71b8a5a40708b3eed9ba4953bfc2312c9c776 ]

The soundwire update_status() callback may be called multiple times with
the same ATTACHED status but initialisation should only be done when
transitioning from UNATTACHED to ATTACHED.

Fixes: a0aab9e ("ASoC: codecs: add wsa881x amplifier support")
Cc: stable@vger.kernel.org	# 5.6
Cc: Srinivas Kandagatla <srini@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260102111413.9605-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 0ded4420b54e9e8d207abc523a7d50e900c1e37d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 49aadf830eb048134d33ad7329d92ecff45d8dbb ]

The soundwire update_status() callback may be called multiple times with
the same ATTACHED status but initialisation should only be done when
transitioning from UNATTACHED to ATTACHED.

This avoids repeated initialisation of the codecs during boot of
machines like the Lenovo ThinkPad X13s:

[   11.614523] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
[   11.618022] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
[   11.621377] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
[   11.624065] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
[   11.631382] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2
[   11.634424] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2

Fixes: 43b8c7d ("ASoC: codecs: add wsa883x amplifier support")
Cc: stable@vger.kernel.org	# 6.0
Cc: Srinivas Kandagatla <srini@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260102111413.9605-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f83824b023c751ac8047f24c751d8da2f0d12c55)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 205fb5f ]

Rename nvme_fc_nvme_ctrl_freed to nvme_fc_free_ctrl to match the name
pattern for the callback.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Daniel Wagner <dwagner@suse.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Stable-dep-of: 0edb475ac0a7 ("nvme: fix PCIe subsystem reset controller state transition")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ca88419cf0623dcdbb2beacb8fad30206ed7faf3)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 210b1f6 ]

Scheduling reset_work after a nvme subsystem reset is expected to fail
on pcie, but this also prevents potential handling that the platform's
pcie services may provide, which might successfully recover the link
without re-enumeration. Such examples include AER, DPC, and power's EEH.

Provide a pci specific operation that safely initiates a subsystem
reset, and instead of scheduling reset work, read back the status
register to trigger a pcie read error.

Since this only affects pci, the other fabrics drivers subscribe to a
generic nvmf subsystem reset that is exactly the same as before. The
loop fabric doesn't use it because nvmet doesn't support setting that
property anyway.

And since we're using the magic NSSR value in two places now, provide a
symbolic define for it.

Reported-by: Nilay Shroff <nilay@linux.ibm.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Stable-dep-of: 0edb475ac0a7 ("nvme: fix PCIe subsystem reset controller state transition")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7dfb39b0186ddd929400686fbacfb9b0915888d7)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 0edb475ac0a7d153318a24d4dca175a270a5cc4f ]

The commit d2fe192 (“nvme: only allow entering LIVE from CONNECTING
state”) disallows controller state transitions directly from RESETTING
to LIVE. However, the NVMe PCIe subsystem reset path relies on this
transition to recover the controller on PowerPC (PPC) systems.

On PPC systems, issuing a subsystem reset causes a temporary loss of
communication with the NVMe adapter. A subsequent PCIe MMIO read then
triggers EEH recovery, which restores the PCIe link and brings the
controller back online. For EEH recovery to proceed correctly, the
controller must transition back to the LIVE state.

Due to the changes introduced by commit d2fe192 (“nvme: only allow
entering LIVE from CONNECTING state”), the controller can no longer
transition directly from RESETTING to LIVE. As a result, EEH recovery
exits prematurely, leaving the controller stuck in the RESETTING state.

Fix this by explicitly transitioning the controller state from RESETTING
to CONNECTING and then to LIVE. This satisfies the updated state
transition rules and allows the controller to be successfully recovered
on PPC systems following a PCIe subsystem reset.

Cc: stable@vger.kernel.org
Fixes: d2fe192 ("nvme: only allow entering LIVE from CONNECTING state")
Reviewed-by: Daniel Wagner <dwagner@suse.de>
Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit d89f3037d54d3a0d5902aa1b962ad9a594f22993)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit f7fb730 ]

As of now nfsd calls create_proc_exports_entry() at the start of init_nfsd
and cleans up with remove_proc_entry() at the end of exit_nfsd.

This causes a kernel Oops if there is a race between the 2 operations below:
(i) exportfs -r
(ii) mount -t nfsd none /proc/fs/nfsd

for 5.4 kernel ARM64:

CPU 1:
el1_irq+0xbc/0x180
arch_counter_get_cntvct+0x14/0x18
running_clock+0xc/0x18
preempt_count_add+0x88/0x110
prep_new_page+0xb0/0x220
get_page_from_freelist+0x2d8/0x1778
__alloc_pages_nodemask+0x15c/0xef0
__vmalloc_node_range+0x28c/0x478
__vmalloc_node_flags_caller+0x8c/0xb0
kvmalloc_node+0x88/0xe0
nfsd_init_net+0x6c/0x108 [nfsd]
ops_init+0x44/0x170
register_pernet_operations+0x114/0x270
register_pernet_subsys+0x34/0x50
init_nfsd+0xa8/0x718 [nfsd]
do_one_initcall+0x54/0x2e0

CPU 2 :
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010

PC is at : exports_net_open+0x50/0x68 [nfsd]

Call trace:
exports_net_open+0x50/0x68 [nfsd]
exports_proc_open+0x2c/0x38 [nfsd]
proc_reg_open+0xb8/0x198
do_dentry_open+0x1c4/0x418
vfs_open+0x38/0x48
path_openat+0x28c/0xf18
do_filp_open+0x70/0xe8
do_sys_open+0x154/0x248

Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu().

and same is happening on latest 6.14 kernel as well:

[    0.000000] Linux version 6.14.0-rc5-next-20250304-dirty
...
[  285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48
...
[  285.464902] pc : cache_seq_next_rcu+0x78/0xa4
...
[  285.469695] Call trace:
[  285.470083]  cache_seq_next_rcu+0x78/0xa4 (P)
[  285.470488]  seq_read+0xe0/0x11c
[  285.470675]  proc_reg_read+0x9c/0xf0
[  285.470874]  vfs_read+0xc4/0x2fc
[  285.471057]  ksys_read+0x6c/0xf4
[  285.471231]  __arm64_sys_read+0x1c/0x28
[  285.471428]  invoke_syscall+0x44/0x100
[  285.471633]  el0_svc_common.constprop.0+0x40/0xe0
[  285.471870]  do_el0_svc_compat+0x1c/0x34
[  285.472073]  el0_svc_compat+0x2c/0x80
[  285.472265]  el0t_32_sync_handler+0x90/0x140
[  285.472473]  el0t_32_sync+0x19c/0x1a0
[  285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3)
[  285.473422] ---[ end trace 0000000000000000 ]---

It is reproduced simply with the script below:
while [ 1 ]
do
/exportfs -r
done &

while [ 1 ]
do
insmod /nfsd.ko
mount -t nfsd none /proc/fs/nfsd
umount /proc/fs/nfsd
rmmod nfsd
done &

So exporting interfaces to user space shall be done last, and
cleanup shall be done first.

With this change there is no kernel Oops.

Co-developed-by: Shubham Rana <s9.rana@samsung.com>
Signed-off-by: Shubham Rana <s9.rana@samsung.com>
Signed-off-by: Maninder Singh <maninder1.s@samsung.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ The context change is due to the commit bd9d6a3
("NFSD: add rpc_status netlink support")
and the proper adoption is done. ]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 8120e420013d947c890f358f30a2d98ba8ac20bc)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 327cd4b ]

Syzbot reported the following warning:

BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
 check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
 usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
 usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
 usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
 __dev_set_mtu net/core/dev.c:9443 [inline]
 netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
 netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
 dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
 dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
 dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
 sock_do_ioctl+0x19d/0x280 net/socket.c:1204
 sock_ioctl+0x42f/0x6a0 net/socket.c:1311
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl fs/ioctl.c:892 [inline]
 __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

For historical and portability reasons, the netif_rx() is usually
run in the softirq or interrupt context, this commit therefore adds
local_bh_disable/enable() protection in the usbnet_resume_rx().

Fixes: 43daa96 ("usbnet: Stop RX Q on MTU change")
Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Zqiang <qiang.zhang@linux.dev>
Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ The context change is due to the commit 2c04d27
("net: usb: Convert tasklet API to new bottom half workqueue mechanism")
in v6.17 which is irrelevant to the logic of this patch.]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 17fbad93879e87a334062882b45fa727ba1b3dd7)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a1f46c9 ]

A UAF issue can occur due to a race condition between
ksmbd_session_rpc_open() and __session_rpc_close().
Add rpc_lock to the session to protect it.

Cc: stable@vger.kernel.org
Reported-by: Norbert Szetei <norbert@doyensec.com>
Tested-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
[ KSMBD_DEFAULT_GFP is introduced by commit 0066f62 ("ksmbd: use __GFP_RETRY_MAYFAIL")
 after linux-6.13. Here we still use GFP_KERNEL. ]
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1067361a1cc6ad9cdf7acfc47f90012b72ad1502)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a8a3ca23bbd9d849308a7921a049330dc6c91398 ]

KMSAN reports: Multiple uninitialized values detected:

- KMSAN: uninit-value in ntfs_read_hdr (3)
- KMSAN: uninit-value in bcmp (3)

Memory is allocated by __getname(), which is a wrapper for
kmem_cache_alloc(). This memory is used before being properly
cleared. Change kmem_cache_alloc() to kmem_cache_zalloc() to
properly allocate and clear memory before use.

Fixes: 82cae26 ("fs/ntfs3: Add initialization of super block")
Fixes: 78ab59f ("fs/ntfs3: Rework file operations")
Tested-by: syzbot+332bd4e9d148f11a87dc@syzkaller.appspotmail.com
Reported-by: syzbot+332bd4e9d148f11a87dc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=332bd4e9d148f11a87dc

Fixes: 82cae26 ("fs/ntfs3: Add initialization of super block")
Fixes: 78ab59f ("fs/ntfs3: Rework file operations")
Tested-by: syzbot+0399100e525dd9696764@syzkaller.appspotmail.com
Reported-by: syzbot+0399100e525dd9696764@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0399100e525dd9696764

Reviewed-by: Khalid Aziz <khalid@kernel.org>
Signed-off-by: Bartlomiej Kubik <kubik.bartlomiej@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 7d52c592cf53f5bb7163967edc01d2d7d80de44a)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit a0fa787 ]

After process exit to unmap csa and free GPU vm, if a signal is accepted
and then waiting to take the vm lock is interrupted and returns, it causes
a memory leak and the warning backtrace below.

Change to use an uninterruptible wait lock to fix the issue.

WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525
 amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu]
 Call Trace:
  <TASK>
  drm_file_free.part.0+0x1da/0x230 [drm]
  drm_close_helper.isra.0+0x65/0x70 [drm]
  drm_release+0x6a/0x120 [drm]
  amdgpu_drm_release+0x51/0x60 [amdgpu]
  __fput+0x9f/0x280
  ____fput+0xe/0x20
  task_work_run+0x67/0xa0
  do_exit+0x217/0x3c0
  do_group_exit+0x3b/0xb0
  get_signal+0x14a/0x8d0
  arch_do_signal_or_restart+0xde/0x100
  exit_to_user_mode_loop+0xc1/0x1a0
  exit_to_user_mode_prepare+0xf4/0x100
  syscall_exit_to_user_mode+0x17/0x40
  do_syscall_64+0x69/0xc0

Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 7dbbfb3)
Cc: stable@vger.kernel.org
[The third parameter of drm_exec_init() was introduced by commit
 05d2493 ("drm/exec: Pass in initial # of objects") after Linux 6.8.
 This code targets linux 6.6, so the current implementation is used
 and the third parameter is not needed.]
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 8d2979b9bb1be0f4a52dff600e56d780403e04ac)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit 16c6c35 ]

While processing the monitor destination ring, MSDUs are reaped from the
link descriptor based on the corresponding buf_id.

However, sometimes the driver cannot obtain a valid buffer corresponding
to the buf_id received from the hardware. This causes an infinite loop
in the destination processing, resulting in a kernel crash.

kernel log:
ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309
ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed
ath11k_pci 0000:58:00.0: data msdu_pop: invalid buf_id 309
ath11k_pci 0000:58:00.0: data dp_rx_monitor_link_desc_return failed

Fix this by skipping the problematic buf_id and reaping the next entry,
replacing the break with the next MSDU processing.

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

Fixes: d5c6515 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
Signed-off-by: Kang Yang <quic_kangyang@quicinc.com>
Acked-by: Kalle Valo <kvalo@kernel.org>
Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Link: https://patch.msgid.link/20241219110531.2096-2-quic_kangyang@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Li hongliang <1468888505@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 8db5de0cf02fccf4c759aa58edbe65659daf607c)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit b45f721775947a84996deb5c661602254ce25ce6 ]

When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in
response to a guest WRMSR, clear XFD-disabled features in the saved (or to
be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for
features that are disabled via the guest's XFD.  Because the kernel
executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1
will cause XRSTOR to #NM and panic the kernel.

E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV:

  ------------[ cut here ]------------
  WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:exc_device_not_available+0x101/0x110
  Call Trace:
   <TASK>
   asm_exc_device_not_available+0x1a/0x20
  RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90
   switch_fpu_return+0x4a/0xb0
   kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm]
   kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]
   __x64_sys_ioctl+0x8f/0xd0
   do_syscall_64+0x62/0x940
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
   </TASK>
  ---[ end trace 0000000000000000 ]---

This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1,
and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's
call to fpu_update_guest_xfd().

and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE:

  ------------[ cut here ]------------
  WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867
  Modules linked in: kvm_intel kvm irqbypass
  CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:exc_device_not_available+0x101/0x110
  Call Trace:
   <TASK>
   asm_exc_device_not_available+0x1a/0x20
  RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90
   fpu_swap_kvm_fpstate+0x6b/0x120
   kvm_load_guest_fpu+0x30/0x80 [kvm]
   kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm]
   kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]
   __x64_sys_ioctl+0x8f/0xd0
   do_syscall_64+0x62/0x940
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
   </TASK>
  ---[ end trace 0000000000000000 ]---

The new behavior is consistent with the AMX architecture.  Per Intel's SDM,
XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD
(and non-compacted XSAVE saves the initial configuration of the state
component):

  If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i,
  the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1;
  instead, it operates as if XINUSE[i] = 0 (and the state component was
  in its initial state): it saves bit i of XSTATE_BV field of the XSAVE
  header as 0; in addition, XSAVE saves the initial configuration of the
  state component (the other instructions do not save state component i).

Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using
a constant XFD based on the set of enabled features when XSAVEing for
a struct fpu_guest.  However, having XSTATE_BV[i]=1 for XFD-disabled
features can only happen in the above interrupt case, or in similar
scenarios involving preemption on preemptible kernels, because
fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the
outgoing FPU state with the current XFD; and that is (on all but the
first WRMSR to XFD) the guest XFD.

Therefore, XFD can only go out of sync with XSTATE_BV in the above
interrupt case, or in similar scenarios involving preemption on
preemptible kernels, and we can consider it (de facto) part of KVM
ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features.

Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 820a6ee ("kvm: x86: Add emulation for IA32_XFD", 2022-01-14)
Signed-off-by: Sean Christopherson <seanjc@google.com>
[Move clearing of XSTATE_BV from fpu_copy_uabi_to_guest_fpstate
 to kvm_vcpu_ioctl_x86_set_xsave. - Paolo]
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 1e2848bda819af569dfe7ab186223855e092a2cb)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
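
A user-space model of the invariant the commit above enforces, added here as an illustration and not taken from the kernel or from this pull request. The struct, the `model_*` helpers and the `fixed` switch are assumptions made for the example; bit 18 is the XFD[18] feature named in the commit message.

```c
#include <stdbool.h>
#include <stdint.h>

#define XTILE_DATA (1ULL << 18)  /* the XFD[18] feature from the commit message */
#define FP_SSE     0x3ULL        /* x87 + SSE, not XFD-controlled in this model */
/* Not kernel structs: xfd bit = feature disabled, xstate_bv bit = has state. */
struct guest_fpu_model {
	uint64_t xcr0, xfd, xstate_bv;
};

/* Condition from the commit: XSTATE_BV[i]=1 with XFD[i]=1 makes XRSTOR #NM. */
static bool xrstor_would_nm(const struct guest_fpu_model *f)
{
	return (f->xstate_bv & f->xfd & f->xcr0) != 0;
}

/* Guest WRMSR(IA32_XFD) path; 'fixed' selects the post-patch behaviour. */
static void model_update_guest_xfd(struct guest_fpu_model *f, uint64_t xfd, bool fixed)
{
	f->xfd = xfd;
	f->xstate_bv &= fixed ? ~xfd : ~0ULL;  /* drop state of disabled features */
}

/* KVM_SET_XSAVE path: userspace supplies XSTATE_BV. */
static void model_set_xsave(struct guest_fpu_model *f, uint64_t user_bv, bool fixed)
{
	f->xstate_bv = fixed ? (user_bv & ~f->xfd) : user_bv;
}

/* Scenario 1: a host IRQ saved tile state before the XFD write was handled. */
static bool irq_race_faults(bool fixed)
{
	struct guest_fpu_model f = { FP_SSE | XTILE_DATA, 0, FP_SSE | XTILE_DATA };
	model_update_guest_xfd(&f, XTILE_DATA, fixed);
	return xrstor_would_nm(&f);
}

/* Scenario 2: userspace sets XSTATE_BV[18]=1 while guest XFD[18]=1. */
static bool set_xsave_faults(bool fixed)
{
	struct guest_fpu_model f = { FP_SSE | XTILE_DATA, XTILE_DATA, 0 };
	model_set_xsave(&f, FP_SSE | XTILE_DATA, fixed);
	return xrstor_would_nm(&f);
}

int main(void)
{
	return irq_race_faults(true) || set_xsave_faults(true); /* 0 = fixed paths safe */
}
```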
[ Upstream commit f40a673 ]

In an upcoming change, mdio_bus_phy_may_suspend() will need to
distinguish a phylib-based PHY client from a phylink PHY client.
For that, it will need to compare the phydev->phy_link_change() function
pointer with the eponymous phy_link_change() provided by phylib.

To avoid forward function declarations, the default PHY link state
change method should be moved upwards. There is no functional change
associated with this patch, it is only to reduce the noise from a real
bug fix.

Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/20250407093900.2155112-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Minor context change fixed ]
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit b5a933535cc34084f28c106cbfaab9b950959b81)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
…nk-controlled PHY

[ Upstream commit fc75ea2 ]

DSA has 2 kinds of drivers:

1. Those who call dsa_switch_suspend() and dsa_switch_resume() from
   their device PM ops: qca8k-8xxx, bcm_sf2, microchip ksz
2. Those who don't: all others. The above methods should be optional.

For type 1, dsa_switch_suspend() calls dsa_user_suspend() -> phylink_stop(),
and dsa_switch_resume() calls dsa_user_resume() -> phylink_start().
These seem good candidates for setting mac_managed_pm = true because
that is essentially its definition [1], but that does not seem to be the
biggest problem for now, and is not what this change focuses on.

Talking strictly about the 2nd category of DSA drivers here (which
do not have MAC managed PM, meaning that for their attached PHYs,
mdio_bus_phy_suspend() and mdio_bus_phy_resume() should run in full),
I have noticed that the following warning from mdio_bus_phy_resume() is
triggered:

	WARN_ON(phydev->state != PHY_HALTED && phydev->state != PHY_READY &&
		phydev->state != PHY_UP);

because the PHY state machine is running.

It's running as a result of a previous dsa_user_open() -> ... ->
phylink_start() -> phy_start() having been initiated by the user.

The previous mdio_bus_phy_suspend() was supposed to have called
phy_stop_machine(), but it didn't. So this is why the PHY is in state
PHY_NOLINK by the time mdio_bus_phy_resume() runs.

mdio_bus_phy_suspend() did not call phy_stop_machine() because for
phylink, the phydev->adjust_link function pointer is NULL. This seems a
technicality introduced by commit fddd910 ("phylib: fix PAL state
machine restart on resume"). That commit was written before phylink
existed, and was intended to avoid crashing with consumer drivers which
don't use the PHY state machine - phylink always does, when using a PHY.
But phylink itself has historically not been developed with
suspend/resume in mind, and apparently not tested too much in that
scenario, allowing this bug to exist unnoticed for so long. Plus, prior
to the WARN_ON(), it would have likely been invisible.

This issue is not in fact restricted to type 2 DSA drivers (according to
the above ad-hoc classification), but can be extrapolated to any MAC
driver with phylink and MDIO-bus-managed PHY PM ops. DSA is just where
the issue was reported. Assuming mac_managed_pm is set correctly, a
quick search indicates the following other drivers might be affected:

$ grep -Zlr PHYLINK_NETDEV drivers/ | xargs -0 grep -L mac_managed_pm
drivers/net/ethernet/atheros/ag71xx.c
drivers/net/ethernet/microchip/sparx5/sparx5_main.c
drivers/net/ethernet/microchip/lan966x/lan966x_main.c
drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
drivers/net/ethernet/freescale/fs_enet/fs_enet-main.c
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
drivers/net/ethernet/freescale/ucc_geth.c
drivers/net/ethernet/freescale/enetc/enetc_pf_common.c
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
drivers/net/ethernet/marvell/mvneta.c
drivers/net/ethernet/marvell/prestera/prestera_main.c
drivers/net/ethernet/mediatek/mtk_eth_soc.c
drivers/net/ethernet/altera/altera_tse_main.c
drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c
drivers/net/ethernet/meta/fbnic/fbnic_phylink.c
drivers/net/ethernet/tehuti/tn40_phy.c
drivers/net/ethernet/mscc/ocelot_net.c

Make the existing conditions dependent on the PHY device having a
phydev->phy_link_change() implementation equal to the default
phy_link_change() provided by phylib. Otherwise, we implicitly know that
the phydev has the phylink-provided phylink_phy_change() callback, and
when phylink is used, the PHY state machine always needs to be stopped/
started on the suspend/resume path. The code is structured such that
if phydev->phy_link_change() is absent, it is a matter of time until the
kernel will crash - no need to further complicate the test.

Thus, for the situation where the PM is not managed by the MAC, we will
make the MDIO bus PM ops treat identically the phylink-controlled PHYs
with the phylib-controlled PHYs where an adjust_link() callback is
supplied. In both cases, the MDIO bus PM ops should stop and restart the
PHY state machine.

[1] https://lore.kernel.org/netdev/Z-1tiW9zjcoFkhwc@shell.armlinux.org.uk/

Fixes: 744d23c ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
Reported-by: Wei Fang <wei.fang@nxp.com>
Tested-by: Wei Fang <wei.fang@nxp.com>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20250407094042.2155633-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 043aa41c43f8cb9cce75367ea07895ce68b5abb0)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
[ Upstream commit e0d1c55 ]

The blamed commit changed the conditions which phylib uses to stop
and start the state machine in the suspend and resume paths, and
while improving it, has caused two issues.

The original code used this test:

	phydev->attached_dev && phydev->adjust_link

and if true, the paths would handle the PHY state machine. This test
evaluates true for normal drivers that are using phylib directly
while the PHY is attached to the network device, but false in all
other cases, which include the following cases:

- when the PHY has never been attached to a network device.
- when the PHY has been detached from a network device (as phy_detach()
   sets phydev->attached_dev to NULL, phy_disconnect() calls
   phy_detach() and additionally sets phydev->adjust_link NULL.)
- when phylink is using the driver (as phydev->adjust_link is NULL.)

Only the third case was incorrect, and the blamed commit attempted to
fix this by changing this test to (simplified for brevity, see
phy_uses_state_machine()):

	phydev->phy_link_change == phy_link_change ?
		phydev->attached_dev && phydev->adjust_link : true

However, this also incorrectly evaluates true in the first two cases.

Fix the first case by ensuring that phy_uses_state_machine() returns
false when phydev->phy_link_change is NULL.

Fix the second case by ensuring that phydev->phy_link_change is set to
NULL when phy_detach() is called.

Reported-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://lore.kernel.org/r/20250806082931.3289134-1-xu.yang_2@nxp.com
Fixes: fc75ea2 ("net: phy: allow MDIO bus PM ops to start/stop state machine for phylink-controlled PHY")
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/E1uvMEz-00000003Aoe-3qWe@rmk-PC.armlinux.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 96aa13ff68ef5501b2d879d9be73ebed72128510)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
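
The three state-machine tests discussed in the two commits above, modelled side by side in user space. This is an added illustration, not the kernel's code: `struct phy_model`, the `uses_sm_*` names and the constructed cases are assumptions, and `detached_stale` assumes a PHY detached from phylink before `phy_detach()` cleared the callback.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space stand-ins for the phy_device fields named in the commits. */
struct phy_model {
	void *attached_dev;               /* NULL when never attached or detached */
	void (*adjust_link)(void);        /* set by phylib consumers, NULL for phylink */
	void (*phy_link_change)(void);    /* phylib default or phylink's callback */
};

static void phy_link_change(void) {}      /* phylib default */
static void phylink_phy_change(void) {}   /* phylink-provided */
static void consumer_adjust_link(void) {} /* hypothetical MAC driver callback */
static int netdev;                        /* placeholder attached device */

/* Original test: false for phylink, whose adjust_link is NULL. */
static bool uses_sm_original(const struct phy_model *p)
{
	return p->attached_dev && p->adjust_link;
}

/* After fc75ea2 (simplified as in the commit message): non-default means phylink. */
static bool uses_sm_blamed(const struct phy_model *p)
{
	if (p->phy_link_change == phy_link_change)
		return p->attached_dev && p->adjust_link;
	return true;
}

/* After e0d1c55: a NULL phy_link_change means nobody drives the state machine. */
static bool uses_sm_fixed(const struct phy_model *p)
{
	if (p->phy_link_change == phy_link_change)
		return p->attached_dev && p->adjust_link;
	return p->phy_link_change != NULL;
}

/* Constructed cases: { attached_dev, adjust_link, phy_link_change }. */
static const struct phy_model phylib_attached  = { &netdev, consumer_adjust_link, phy_link_change };
static const struct phy_model never_attached   = { NULL, NULL, NULL };
static const struct phy_model phylink_attached = { &netdev, NULL, phylink_phy_change };
static const struct phy_model detached_stale   = { NULL, NULL, phylink_phy_change };
static const struct phy_model detached_cleared = { NULL, NULL, NULL };

int main(void)
{
	return uses_sm_fixed(&never_attached) || uses_sm_fixed(&detached_cleared);
}
```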
Link: https://lore.kernel.org/r/20260128145344.698118637@linuxfoundation.org
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Slade Watkins <sr@sladewatkins.com>
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Ron Economos <re@w6rz.net>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 2cf6f68313dcc3c404f49fdee41bbf3c694ad75d)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
@sourcery-ai sourcery-ai bot left a comment

Sorry @opsiff, your pull request is larger than the review limit of 150000 diff characters

@deepin-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from opsiff. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
