Merge tag 'v6.18.30' into qcom-6.18.y by svankas · Pull Request #586 · qualcomm-linux/kernel

svankas · 2026-05-15T09:00:42Z

No description provided.

commit be5fa87 upstream. The VMCB12 is stored in guest memory and can be mangled while in SMM; it is then reloaded by svm_leave_smm(), but it is not checked again for validity. Move the cached vmcb12 control and save consistency checks out of svm_set_nested_state() and into a helper, and reuse it in svm_leave_smm(). Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c171e67 upstream. On the Renesas RZ/V2H EVK platform, where the stmmac MAC is connected to a Microchip KSZ9131RNXI PHY, creating or deleting VLAN interfaces may fail with timeouts: # ip link add link end1 name end1.5 type vlan id 5 15c40000.ethernet end1: Timeout accessing MAC_VLAN_Tag_Filter RTNETLINK answers: Device or resource busy Disabling EEE at runtime avoids the problem: # ethtool --set-eee end1 eee off # ip link add link end1 name end1.5 type vlan id 5 # ip link del end1.5 The stmmac hardware requires the receive clock to be running when writing certain registers, such as those used for MAC address configuration or VLAN filtering. However, by default the driver enables Energy Efficient Ethernet (EEE) and allows the PHY to stop the receive clock when the link is idle. As a result, the RX clock might be stopped when attempting to access these registers, leading to timeouts and other issues. Commit dd55726 ("net: stmmac: block PHY RXC clock-stop") addressed this issue for most register accesses by wrapping them in phylink_rx_clk_stop_block()/phylink_rx_clk_stop_unblock() calls. However, VLAN add/delete operations may be invoked with bottom halves disabled, where sleeping is not allowed, so using these helpers is not possible. Therefore, to fix this, disable the RX clock stop feature in the phylink configuration if VLAN features are set. This ensures the RX clock remains active and register accesses succeed during VLAN operations. Signed-off-by: Ovidiu Panait <ovidiu.panait.rb@renesas.com> Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Link: https://patch.msgid.link/20251113112721.70500-3-ovidiu.panait.rb@renesas.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

…equeue_peeked commit 458d5615272d3de535748342eb68ca492343048c upstream. When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch qualcomm-linux#3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following: 1a. do a peek() - and when sensing there's an skb the child can offer, then - the child in this case(red) calls its child's (qfq) peek. qfq does the right thing and will return the gso_skb queue packet. Note: if there wasnt a gso_skb entry then qfq will store it there. 1b. invoke a dequeue() on the child (red). And herein lies the problem. - red will call the child's dequeue() which will essentially just try to grab something of qfq's queue. [ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [ 78.670814][ T363] FS: 00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [ 78.671585][ T363] PKRU: 55555554 [ 78.671713][ T363] Call Trace: [ 78.671843][ T363] <TASK> [ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [ 78.672148][ T363] ? __pfx__printk+0x10/0x10 [ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0 [ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red] [ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [ 78.673566][ T363] __qdisc_run+0x169/0x1900 The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead. Fixes: 77be155 ("pkt_sched: Add peek emulation for non-work-conserving qdiscs.") Reported-by: Manas <ghandatmanas@gmail.com> Reported-by: Rakshit Awasthi <rakshitawasthi17@gmail.com> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://patch.msgid.link/20260430152957.194015-2-jhs@mojatatu.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c1fa0bb633e4a6b11e83ffc57fa5abe8ebb87891 upstream. When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedule(), which has a comment saying "WARNING: must be called with preemption disabled!". If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case). This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption. (This does not just affect "recursively oopsing" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler) Fixes: 7f80a2f ("exit: Stop poorly open coding do_task_dead in make_task_dead") Cc: stable@kernel.org Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bb8e38f upstream. Previously, the AMPDU state bit for a given TID was set before attempting to start a BA session, which could result in the AMPDU state being marked active even if ieee80211_start_tx_ba_session() failed. This patch changes the logic to only set the AMPDU state bit after successfully starting a BA session, ensuring proper synchronization between AMPDU state and BA session status. This fixes potential issues with aggregation state tracking and improves compatibility with mac80211 BA session management. Fixes: 44eb173 ("wifi: mt76: mt7925: add link handling in mt7925_txwi_free") Cc: stable@vger.kernel.org Signed-off-by: Quan Zhou <quan.zhou@mediatek.com> Reviewed-by: Sean Wang <sean.wang@mediatek.com> Link: https://patch.msgid.link/d5960fbced0beaf33c30203f7f8fb91d0899c87b.1764228973.git.quan.zhou@mediatek.com Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ccb1863 upstream. Set `tx_power_tlv->len` to `msg_len` instead of `sizeof(*tx_power_tlv)` to ensure the correct message length is sent to firmware. Cc: stable@vger.kernel.org Fixes: c948b5d ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com> Link: https://patch.msgid.link/20250908072526.1833938-1-mingyen.hsieh@mediatek.com Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5373f8b upstream. The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC. This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure. Cc: stable@vger.kernel.org Fixes: fa6ad88 ("wifi: mt76: mt7921: fix country count limitation for CLC") Signed-off-by: Leon Yen <leon.yen@mediatek.com> Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com> Link: https://patch.msgid.link/20251009020158.1923429-1-mingyen.hsieh@mediatek.com Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fdfa39f upstream. The mt7921_set_roc API may be executed concurrently with mt7921_roc_work, specifically between the following code paths: - The check and clear of MT76_STATE_ROC in mt7921_roc_work: if (!test_and_clear_bit(MT76_STATE_ROC, &phy->mt76->state)) return; - The execution of ieee80211_iterate_active_interfaces. This race condition can interrupt the ROC abort flow, resulting in the ROC process failing to abort as expected. To address this defect, the modification of MT76_STATE_ROC is now protected by mt792x_mutex_acquire(phy->dev). This ensures that changes to the ROC state are properly synchronized, preventing race conditions and ensuring the ROC abort flow is not interrupted. Fixes: 034ae28 ("wifi: mt76: mt7921: introduce remain_on_channel support") Cc: stable@vger.kernel.org Signed-off-by: Quan Zhou <quan.zhou@mediatek.com> Reviewed-by: Sean Wang <sean.wang@mediatek.com> Link: https://patch.msgid.link/2568ece8b557e5dda79391414c834ef3233049b6.1769133724.git.quan.zhou@mediatek.com Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a035766f970bde2d4298346a31a80685be5c0205 upstream. Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[]. Make the check enforcing by dropping the frame for invalid indices. Fixes: 75388ac ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices") Cc: stable@vger.kernel.org Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Link: https://patch.msgid.link/20260417111145.2694196-2-tristmd@gmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7a5b81e0c87a075afd572f659d8eb68c9c4cd2ba upstream. ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res. That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued. Make res an automatic variable so each invocation keeps its own result. Fixes: 3468e1e ("wifi: mac80211: add mesh fast-rx support") Cc: stable@vger.kernel.org Signed-off-by: Catherine <enderaoelyther@gmail.com> Link: https://patch.msgid.link/20260424131435.83212-2-enderaoelyther@gmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit db57a1aa54ff68669781976e4edb045e09e2b65b upstream. RSI driver use both self-exit(kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur. However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again. Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed. Cc: <stable@vger.kernel.org> Reported-by: syzbot+5de83f57cd8531f55596@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/69e5d03b.a00a0220.1bd0ca.0064.GAE@google.com/ Fixes: 4c62764 ("rsi: improve kernel thread handling to fix kernel panic") Signed-off-by: Jeongjun Park <aha310510@gmail.com> Link: https://patch.msgid.link/20260422173846.37640-1-aha310510@gmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ac8eb3e18f41e2cc8492cc1d358bcb786c850270 upstream. The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error. Cc: stable@vger.kernel.org Fixes: bca8bc0 ("wifi: mac80211: handle ieee80211_radar_detected() for MLO") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Link: https://patch.msgid.link/20260505151539.236d63a1b736.I35dbb9e96a2d4a480be208770fdd99ba3b817b79@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d748603f12baff112caa3ab7d39f50100f010dbd upstream. Vincent reports: > The ath5k driver seems to do an array-index-out-of-bounds access as > shown by the UBSAN kernel message: > UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 > index 4 is out of range for type 'ieee80211_tx_rate [4]' > ... > Call Trace: > <TASK> > dump_stack_lvl+0x5d/0x80 > ubsan_epilogue+0x5/0x2b > __ubsan_handle_out_of_bounds.cold+0x46/0x4b > ath5k_tasklet_tx+0x4e0/0x560 [ath5k] > tasklet_action_common+0xb5/0x1c0 It is real. 'ts->ts_final_idx' can be 3 on 5212, so: info->status.rates[ts->ts_final_idx + 1].idx = -1; with the array defined as: struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES]; while the size is: #define IEEE80211_TX_MAX_RATES 4 is indeed bogus. Set this 'idx = -1' sentinel only if the array index is less than the array size. As mac80211 will not look at rates beyond the size (IEEE80211_TX_MAX_RATES). Note: The effect of the OOB write is negligible. It just overwrites the next member of info->status, i.e. ack_signal. Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org> Reported-by: Vincent Danjean <vdanjean@debian.org> Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan Closes: https://bugs.debian.org/1119093 Fixes: 6d7b97b ("ath5k: fix tx status reporting issues") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20251209100459.2253198-1-jirislaby@kernel.org Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 283fc9e44ff5b5ac967439b4951b80bd4299f4e4 upstream. If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes. This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs. Cc: stable@vger.kernel.org Fixes: 81151ce ("wifi: mac80211: support MLO authentication/association with one link") Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com> Link: https://patch.msgid.link/20260505151533.c4e52deb06ad.Iafe56cec7de8512626169496b134bce3a6c17010@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 upstream. The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read. Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index. Suggested-by: Jonas Gorski <jonas.gorski@gmail.com> Acked-by: Michael Büsch <m@bues.ch> Fixes: e4d6b79 ("[B43]: add mac80211-based driver for modern BCM43xx devices") Cc: stable@vger.kernel.org Signed-off-by: Tristan Madani <tristan@talencesecurity.com> Link: https://patch.msgid.link/20260417111145.2694196-1-tristmd@gmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

…hdog task commit c623b63580880cc742255eaed3d79804c1b91143 upstream. Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put(). Cc: stable@vger.kernel.org Fixes: 373c83a ("brcmfmac: stop watchdog before detach and free everything") Fixes: a9ffda8 ("brcm80211: fmac: abstract bus_stop interface function pointer") Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> Link: https://patch.msgid.link/20260416093339.2066829-1-m.szyprowski@samsung.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 upstream. usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know. usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap. That stale data is then exposed: - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated at the first NUL in the stale heap), and - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full claimed length regardless of NULs, up to 1021 bytes of uninitialized heap, with the leak size chosen by the device. Fix this up by just zapping the buffer with zeros before each request sent to the device. Cc: Pete Zaitcev <zaitcev@redhat.com> Assisted-by: gkh_clanker_t1000 Cc: stable <stable@kernel.org> Link: https://patch.msgid.link/2026042002-unicorn-greedily-3c63@gregkh Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b38e53cbfb9d84732e5984fbd73e128d592415c5 upstream. Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. Ideally that short command should be detected and error out, but many printers are known to send "incorrect" responses back so we can't just do that. statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl. usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller. Fix this all by just zapping out the memory buffer when allocated at probe time. If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no "leak" of information happening. Cc: Pete Zaitcev <zaitcev@redhat.com> Assisted-by: gkh_clanker_t1000 Cc: stable <stable@kernel.org> Link: https://patch.msgid.link/2026042011-shredder-savage-48c6@gregkh Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f3c57c9c2a49a21d784b7c04a2c883bffc070659 upstream. USB MIDI 2.0 suspend saves the endpoint running state, clears it and kills all endpoint URBs. Resume restores the running state, but only restarts input endpoints. For a running output endpoint, this leaves the endpoint marked running with an empty URB queue. Output transfer progress depends on either the rawmidi trigger path starting the queue or an output completion refilling it. After suspend there is no completion left, and output data that remains queued in the raw UMP or legacy rawmidi buffer can stay stalled until userspace happens to trigger the stream again. Restore the saved state with atomic accessors, keep input endpoints restarted as before, and restart output endpoints that were running before suspend. Clear the saved suspend state after restoring it. Fixes: ff49d1d ("ALSA: usb-audio: USB MIDI 2.0 UMP support") Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Link: https://patch.msgid.link/20260504-usb-midi2-output-resume-v1-1-c089cc8ad3c6@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6e7247d upstream. The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor. Add a proper size check to abort the loop for plugging the hole. Fixes: ecfd411 ("ALSA: usb-audio: Validate UAC3 cluster segment descriptors") Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20260427152224.15276-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 26265dd upstream. The UAC3 cluster descriptor length check in snd_usb_get_audioformat_uac3()was added to make sure that the buffer is large enough for a struct uac3_cluster_header_descriptor before the returned data is cast and used. However, the check uses sizeof(cluster), where cluster is a pointer, not the size of the descriptor header. This makes the validation depend on the architecture pointer size and does not match the intended object size. Check against sizeof(*cluster) instead. Fixes: fb4e2a6 ("ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3()") Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Link: https://patch.msgid.link/20260424-alsa-usb-uac3-cluster-size-v1-1-99a5808898a3@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3f91484f6c13c434bd573ca6b6779c26adb0ddab upstream. Commit 6511108 ("USB: more omap_udc updates (dma and omap1710)") added setting for DMA burst 4 mode. But I think this should be undone for two reasons: - It breaks DMA on 15xx boards - transfers just silently stall. - On newer OMAP1 boards, like Nokia 770 (omap1710), there is no measurable performance impact when testing TCP throughput with g_ether with large 15000 byte MTU size. It's also worth noting that when the original change was made, the OMAP_DMA_DATA_BURST_4 handling in arch/arm/plat-omap/dma.c was broken, and actually resulted in the same as the OMAP_DMA_DATA_BURST_DIS i.e. burst disabled. This was fixed not until a couple kernel releases later in an unrelated commit 1a8bfa1 ("[ARM] 3142/1: OMAP 2/5: Update files common to omap1 and omap2"). So based on this it seems there was never really a very good reason to enable this burst mode in omap_udc, so remove it now to allow 15xx DMA to work again (it provides 2x throughput compared to PIO mode). Fixes: 6511108 ("[PATCH] USB: more omap_udc updates (dma and omap1710)") Cc: stable <stable@kernel.org> Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> Link: https://patch.msgid.link/ad06qHLclWHeSGnV@darkstar.musicnaut.iki.fi Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 100201d349edd226ca3470c894c92dccc67ee7a8 upstream. Add the following Telit Cinterion LE910Cx compositions: 0x1251: RNDIS + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP) T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=108 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=1251 Rev=03.18 S: Manufacturer=Android S: Product=LE910C1-EU S: SerialNumber=0123456789ABCDEF C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=02 Prot=ff Driver=rndis_host E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms 0x1253: ECM + tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP) T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=121 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=1253 Rev=03.18 S: Manufacturer=Android S: Product=LE910C1-EU S: SerialNumber=0123456789ABCDEF C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms 0x1254: tty (AT) + tty (AT) T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=122 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=1254 Rev=03.18 S: Manufacturer=Android S: Product=LE910C1-EU S: SerialNumber=0123456789ABCDEF C: #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms 0x1255: tty (AT/NMEA) + tty (AT) + tty (AT) + tty (SAP) T: Bus=01 Lev=01 Prnt=21 Port=06 Cnt=01 Dev#=123 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=1bc7 ProdID=1255 Rev=03.18 S: Manufacturer=Android S: Product=LE910C1-EU S: SerialNumber=0123456789ABCDEF C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms Cc: stable@vger.kernel.org Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com> Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0b9fcab1b8608d429e5f239afb197de928d4de7d upstream. Commit 01af542 ("usb: ulpi: fix double free in ulpi_register_interface() error path") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails. But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked. Add kfree(ulpi) on both error paths to properly clean up the allocation. Fixes: 01af542 ("usb: ulpi: fix double free in ulpi_register_interface() error path") Cc: stable <stable@kernel.org> Signed-off-by: Felix Gu <ustc.gu@gmail.com> Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Link: https://patch.msgid.link/20260407-ulpi-v1-1-f3fafe53f7b2@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f6ec9bb4acc7182b25a793ad094a764e1cb819a7 upstream. The port in debug accessory mode can be either a source or sink. The previous tcpm_port_is_debug() function only checked for source port. Commit 8db73e6 ("usb: typec: tcpm: allow sink (ufp) to toggle into accessory mode debug") changed the detection logic to support both roles, but left some logic in _tcpm_cc_change() unchanged, This causes the state machine to transition to an incorrect state when operating as a sink in debug accessory mode. Log as below: [ 978.637541] CC1: 0 -> 5, CC2: 0 -> 5 [state TOGGLING, polarity 0, connected] [ 978.637567] state change TOGGLING -> SRC_ATTACH_WAIT [rev1 NONE_AMS] [ 978.637596] pending state change SRC_ATTACH_WAIT -> DEBUG_ACC_ATTACHED @ 180 ms [rev1 NONE_AMS] [ 978.647098] CC1: 5 -> 0, CC2: 5 -> 5 [state SRC_ATTACH_WAIT, polarity 0, connected] [ 978.647115] state change SRC_ATTACH_WAIT -> SRC_ATTACH_WAIT [rev1 NONE_AMS] It should go to SNK_ATTACH_WAIT instead of SRC_ATTACH_WAIT state. To fix this, add tcpm_port_is_debug_source() and tcpm_port_is_debug_sink() helper to explicitly identify the power mode in debug accessory mode. Update the state transition logic in _tcpm_cc_change() to ensure the state machine transitions comply with Type-C specification. Also update the logic in run_state_machine() to keep consistency. Fixes: 8db73e6 ("usb: typec: tcpm: allow sink (ufp) to toggle into accessory mode debug") Cc: stable <stable@kernel.org> Signed-off-by: Xu Yang <xu.yang_2@nxp.com> Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com> Reviewed-by: Amit Sunil Dhamne <amitsd@google.com> Link: https://patch.msgid.link/20260424074009.2979266-1-xu.yang_2@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0faacc0 upstream. cs35l56_hda_mixer_get() ignores regmap_read() and cs35l56_hda_mixer_put() ignores regmap_update_bits_check(). This makes the ASP TX source controls report success when a regmap access fails. The write path returns no change instead of an error, and the read path continues after a failed read instead of aborting the control callback. Propagate the regmap errors, matching the posture and volume controls in this driver. Fixes: 73cfbfa ("ALSA: hda/cs35l56: Add driver for Cirrus Logic CS35L56 amplifier") Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/20260423-alsa-cs35l56-asp-tx-source-errors-v1-1-17ea7c62ec31@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 901ac0f upstream. Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to the data race. And, in this case, it may lead to more severe problem because it's a bit field; as writing the data, it may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing. Fix it by covering runtime.oss.trigger bit fled also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll(). Reported-and-tested-by: Jaeyoung Chung <jjy600901@snu.ac.kr> Closes: https://lore.kernel.org/20260423145330.210035-1-jjy600901@snu.ac.kr Cc: <stable@vger.kernel.org> Link: https://patch.msgid.link/20260424112205.123703-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

…aptop Pro 15 commit 92a8b5e2eff6920bf815cd6a80b088ec3fdf01a3 upstream. The Xiaomi Mi Laptop Pro 15 (TM1905, subsystem 1d72:1905) ships with the Realtek ALC256 codec on Intel Comet Lake PCH-LP. After S3 resume the codec sets coefficient register 0x10 to 0x0220 instead of 0x0020 — bit 9 is erroneously set, which silences the internal speaker. Bluetooth and HDMI audio are unaffected because they use different paths. This is the same mechanism fixed for Clevo NJ51CU by commit edca7cc ("ALSA: hda/realtek: Fix quirk for Clevo NJ51CU"), but the existing ALC256_FIXUP_MIC_NO_PRESENCE_AND_RESUME also reconfigures pin 0x19 as a front mic, which is wrong for this Xiaomi where pin 0x19 default is 0x411111f0 (disabled). Add a minimal fixup that only clears the stuck coef bit, and add the Xiaomi SSID to the quirk table. Verified by reading coef 0x10 with hda-verb after resume (returns 0x0220), writing 0x0020, and confirming the internal speaker resumes output. With this fixup applied the bit is cleared on every codec init, including post-resume. Signed-off-by: Yuriy Padlyak <yuriypadlyak@gmail.com> Cc: <stable@vger.kernel.org> Tested-by: Yuriy Padlyak <yuriypadlyak@gmail.com> Link: https://patch.msgid.link/20260429220903.14918-1-yuriypadlyak@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0749daa8eb5ab90334aaad3b0671efd7150d43b1 upstream. tscm_hwdep_read_queue() copies as many queued control events as fit in the userspace buffer. When the buffer is smaller than the current contiguous queue segment, length is rounded down to the number of bytes that can be copied. However, after copying that shortened length, the code advances pull_pos to the original tail_pos, marking the whole contiguous segment as consumed. Any events between the copied portion and tail_pos are lost. Limit tail_pos to the position after the entries actually copied before updating pull_pos. When the whole segment fits, this is equivalent to the old tail_pos update; when the buffer is smaller, the remaining events stay queued for the next read. Fixes: a8c0d13 ("ALSA: firewire-tascam: notify events of change of state for userspace applications") Cc: stable@vger.kernel.org Suggested-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Co-developed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://patch.msgid.link/20260503-alsa-firewire-tascam-read-queue-v2-1-126c6efd7642@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5337213381df578058e2e41da93cbd0e4639935f upstream. snd_fasync_helper() updates fasync->on under snd_fasync_lock, and snd_fasync_work_fn() now also evaluates fasync->on under the same lock. snd_kill_fasync() still tests the flag before taking the lock, leaving an unsynchronized read against FASYNC enable/disable updates. Move the enabled-state check into the locked section. Also clear fasync->on under snd_fasync_lock in snd_fasync_free() before unlinking the pending entry. Together with the locked sender-side check, this publishes teardown before flushing the deferred work and prevents a racing sender from requeueing the entry after free has started. Fixes: ef34a0a ("ALSA: core: Add async signal helpers") Fixes: 8146cd3 ("ALSA: core: Fix potential data race at fasync handling") Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Link: https://patch.msgid.link/20260506-alsa-core-fasync-on-lock-v1-1-ea48c77d6ca4@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 95093e5 upstream. Commit d8f867f ("mm/damon: add damon_ctx->min_sz_region") introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46a ("mm/damon/core: disallow non-power of two min_region_sz") fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs interface can emit non-power of two min_region_sz via damon_start(). Fix the path by adding the is_power_of_2() check on damon_start(). The issue was discovered by sashiko [1]. Link: https://lore.kernel.org/20260411213638.77768-1-sj@kernel.org Link: https://lore.kernel.org/20260403155530.64647-1-sj@kernel.org [1] Fixes: d8f867f ("mm/damon: add damon_ctx->min_sz_region") Signed-off-by: SeongJae Park <sj@kernel.org> Cc: <stable@vger.kernel.org> # 6.18.x Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

…info [ Upstream commit 9ded47a ] Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an instance as part of initializing deferred I/O and remove it only after the final mapping has been closed. If the fb_info and the contained deferred I/O meanwhile goes away, clear struct fb_deferred_io_state.info to invalidate the mapping. Any access will then result in a SIGBUS signal. Fixes a long-standing problem, where a device hot-unplug happens while user space still has an active mapping of the graphics memory. The hot- unplug frees the instance of struct fb_info. Accessing the memory will operate on undefined state. Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Fixes: 60b59be ("fbdev: mm: Deferred IO support") Cc: Helge Deller <deller@gmx.de> Cc: linux-fbdev@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: stable@vger.kernel.org # v2.6.22+ Signed-off-by: Helge Deller <deller@gmx.de> [ replaced kzalloc_obj(*fbdefio_state) with kzalloc(sizeof(*fbdefio_state), GFP_KERNEL) ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit ca085fa ] When a structure contains a buffer that DMA writes to alongside fields that the CPU writes to, cache line sharing between the DMA buffer and CPU-written fields can cause data corruption on non-cache-coherent platforms. Add __dma_from_device_group_begin()/end() annotations to ensure proper alignment to prevent this: struct my_device { spinlock_t lock1; __dma_from_device_group_begin(); char dma_buffer1[16]; char dma_buffer2[16]; __dma_from_device_group_end(); spinlock_t lock2; }; Message-ID: <19163086d5e4704c316f18f6da06bc1c72968904.1767601130.git.mst@redhat.com> Acked-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: Petr Tesarik <ptesarik@suse.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Stable-dep-of: 3023c05 ("hwmon: (powerz) Avoid cacheline sharing for DMA buffer") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 3023c05 ] Depending on the architecture the transfer buffer may share a cacheline with the following mutex. As the buffer may be used for DMA, that is problematic. Use the high-level DMA helpers to make sure that cacheline sharing can not happen. Also drop the comment, as the helpers are documentation enough. https://sashiko.dev/#/message/20260408175814.934BFC19421%40smtp.kernel.org Fixes: 4381a36 ("hwmon: add POWER-Z driver") Cc: stable@vger.kernel.org # ca085fa: dma-mapping: add __dma_from_device_group_begin()/end() Signed-off-by: Thomas Weißschuh <linux@weissschuh.net> Link: https://lore.kernel.org/r/20260408-powerz-cacheline-alias-v1-1-1254891be0dd@weissschuh.net Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit dd66b42 ] napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference. Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure. Fixes: 1cd3b40 ("octeon_ep_vf: add Tx/Rx processing and interrupt support") Cc: stable@vger.kernel.org Signed-off-by: David Carlier <devnexen@gmail.com> Link: https://patch.msgid.link/20260409184009.930359-3-devnexen@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> [ inlined missing octep_vf_oq_next_idx() helper as read_idx++ with wraparound ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 3e487a6 ] JEDEC JESD84-B51B which was released in September 2025, increases the manufacturing year limit for eMMC devices. The eMMC manufacturing year is stored in a 4-bit field in the CID register. Originally, it covered 1997–2012. Later, with EXT_CSD_REV=8, it was extended up to 2025. Now, with EXT_CSD_REV=9, the range is rolled over by another 16 years, up to 2038. The mapping is as follows: cid[8..11] | rev ≤ 4 | 8 ≥ rev > 4 | rev > 8 --------------------------------------------- 0 | 1997 | 2013 | 2029 1 | 1998 | 2014 | 2030 2 | 1999 | 2015 | 2031 3 | 2000 | 2016 | 2032 4 | 2001 | 2017 | 2033 5 | 2002 | 2018 | 2034 6 | 2003 | 2019 | 2035 7 | 2004 | 2020 | 2036 8 | 2005 | 2021 | 2037 9 | 2006 | 2022 | 2038 10 | 2007 | 2023 | 11 | 2008 | 2024 | 12 | 2009 | 2025 | 13 | 2010 | | 2026 14 | 2011 | | 2027 15 | 2012 | | 2028 Signed-off-by: Avri Altman <avri.altman@sandisk.com> Reviewed-by: Shawn Lin <shawn.lin@rock-chips.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Stable-dep-of: d6bf2e6 ("mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 263ff31 ] Some eMMC vendors need to report manufacturing dates beyond 2025 but are reluctant to update the EXT_CSD revision from 8 to 9. Changing the Updating the EXT_CSD revision may involve additional testing or qualification steps with customers. To ease this transition and avoid a full re-qualification process, a workaround is needed. This patch introduces a temporary quirk that re-purposes the year codes corresponding to 2010, 2011, and 2012 to represent the years 2026, 2027, and 2028, respectively. This solution is only valid for this three-year period. After 2028, vendors must update their firmware to set EXT_CSD_REV=9 to continue reporting the correct manufacturing date in compliance with the JEDEC standard. The `MMC_QUIRK_BROKEN_MDT` is introduced and enabled for all Sandisk devices to handle this behavior. Signed-off-by: Avri Altman <avri.altman@sandisk.com> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Stable-dep-of: d6bf2e6 ("mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit d6bf2e6 ] Kingston eMMC IY2964 and IB2932 takes a fixed ~2 seconds for each secure erase/trim operation regardless of size - that is, a single secure erase/trim operation of 1MB takes the same time as 1GB. With default calculated 3.5MB max discard size, secure erase 1GB requires ~300 separate operations taking ~10 minutes total. Add a card quirk, MMC_QUIRK_FIXED_SECURE_ERASE_TRIM_TIME, to set maximum secure erase size for those devices. This allows 1GB secure erase to complete in a single operation, reducing time from 10 minutes to just 2 seconds. Signed-off-by: Luke Wang <ziniu.wang_1@nxp.com> Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 4963b39 ] The macros in qat_hal.c were using a mixture of tabs and spaces. Update all macro indentation to use tabs consistently, matching the predominant style. This does not introduce any functional change. Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Stable-dep-of: e7dcb72 ("crypto: qat - fix firmware loading failure for GEN6 devices") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit e7dcb72 ] QAT GEN6 hardware requires a minimum 3 us delay during the acceleration engine reset sequence to ensure the hardware fully settles. Without this delay, the firmware load may fail intermittently. Add a delay after placing the AE into reset and before clearing the reset, matching the hardware requirements and ensuring stable firmware loading. Earlier generations remain unaffected. Fixes: 17fd751 ("crypto: qat - add qat_6xxx driver") Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com> Cc: stable@vger.kernel.org Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 396f57b ] Since commit 0ff67f9 ("mm, swap: remove swap slot cache"), hibernation has been using the swap slot slow allocation path for simplification, which turns out might cause regression for some devices because the allocator now rotates clusters too often, leading to slower allocation and more random distribution of data. Fast allocation is not complex, so implement hibernation support as well. Test result with Samsung SSD 830 Series (SATA II, 3.0 Gbps) shows the performance is several times better [1]: 6.19: 324 seconds After this series: 35 seconds Link: https://lkml.kernel.org/r/20260216-hibernate-perf-v4-1-1ba9f0bf1ec9@tencent.com Link: https://lore.kernel.org/linux-mm/8b4bdcfa-ce3f-4e23-839f-31367df7c18f@gmx.de/ [1] Signed-off-by: Kairui Song <kasong@tencent.com> Fixes: 0ff67f9 ("mm, swap: remove swap slot cache") Reported-by: Carsten Grohmann <mail@carstengrohmann.de> Closes: https://lore.kernel.org/linux-mm/20260206121151.dea3633d1f0ded7bbf49c22e@linux-foundation.org/ Cc: Baoquan He <bhe@redhat.com> Cc: Barry Song <baohua@kernel.org> Cc: Chris Li <chrisl@kernel.org> Cc: Kemeng Shi <shikemeng@huaweicloud.com> Cc: Nhat Pham <nphamcs@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> [ adjusted helper signatures ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit a2be37e ] All the functions operating on the 'handle' pointer are claiming it is a pointer to const thus they should not modify the handle. In fact that's a false statement, because first thing these functions do is drop the cast to const with container_of: struct acpm_info *acpm = handle_to_acpm_info(handle); And with such cast the handle is easily writable with simple: acpm->handle.ops.pmic_ops.read_reg = NULL; The code is not correct logically, either, because functions like acpm_get_by_node() and acpm_handle_put() are meant to modify the handle reference counting, thus they must modify the handle. Modification here happens anyway, even if the reference counting is stored in the container which the handle is part of. The code does not have actual visible bug, but incorrect 'const' annotations could lead to incorrect compiler decisions. Fixes: a88927b ("firmware: add Exynos ACPM protocol driver") Cc: stable@vger.kernel.org Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com> Link: https://patch.msgid.link/20260224104203.42950-2-krzysztof.kozlowski@oss.qualcomm.com Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org> [ dropped hunks for DVFS/clk-acpm files and `acpm_dvfs_ops` struct that don't exist in 6.18 ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit b6b5922 ] Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed: HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ! hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized. This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold(). Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: - Fixed size for folder and file records - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure. Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed. Reported-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d80abb5b890d39261e72 Fixes: 1da177e ("Linux-2.6.12-rc2") Tested-by: syzbot+d80abb5b890d39261e72@syzkaller.appspotmail.com Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com> Tested-by: Viacheslav Dubeyko <slava@dubeyko.com> Suggested-by: Charalampos Mitrodimas <charmitro@posteo.net> Link: https://lore.kernel.org/all/20260120051114.1281285-1-kartikey406@gmail.com/ [v1] Link: https://lore.kernel.org/all/20260121063109.1830263-1-kartikey406@gmail.com/ [v2] Link: https://lore.kernel.org/all/20260212014233.2422046-1-kartikey406@gmail.com/ [v3] Link: https://lore.kernel.org/all/20260214002100.436125-1-kartikey406@gmail.com/T/ [v4] Link: https://lore.kernel.org/all/20260221061626.15853-1-kartikey406@gmail.com/T/ [v5] Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com> Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com> Link: https://lore.kernel.org/r/20260307010302.41547-1-kartikey406@gmail.com Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com> Stable-dep-of: 90c500e ("hfsplus: fix held lock freed on hfsplus_fill_super()") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 90c500e ] hfsplus_fill_super() calls hfs_find_init() to initialize a search structure, which acquires tree->tree_lock. If the subsequent call to hfsplus_cat_build_key() fails, the function jumps to the out_put_root error label without releasing the lock. The later cleanup path then frees the tree data structure with the lock still held, triggering a held lock freed warning. Fix this by adding the missing hfs_find_exit(&fd) call before jumping to the out_put_root error label. This ensures that tree->tree_lock is properly released on the error path. The bug was originally detected on v6.13-rc1 using an experimental static analysis tool we are developing, and we have verified that the issue persists in the latest mainline kernel. The tool is specifically designed to detect memory management issues. It is currently under active development and not yet publicly available. We confirmed the bug by runtime testing under QEMU with x86_64 defconfig, lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we used GDB to dynamically shrink the max_unistr_len parameter to 1 before hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and exercises the faulty error path. The following warning was observed during mount: ========================= WARNING: held lock freed! 7.0.0-rc3-00016-gb4f0dd314b39 qualcomm-linux#4 Not tainted ------------------------- mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there! ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0 2 locks held by mount/174: #0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40 qualcomm-linux#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0 stack backtrace: CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 qualcomm-linux#4 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 debug_check_no_locks_freed+0x13a/0x180 kfree+0x16b/0x510 ? hfsplus_fill_super+0xcb4/0x18a0 hfsplus_fill_super+0xcb4/0x18a0 ? __pfx_hfsplus_fill_super+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? bdev_open+0x65f/0xc30 ? srso_return_thunk+0x5/0x5f ? pointer+0x4ce/0xbf0 ? trace_contention_end+0x11c/0x150 ? __pfx_pointer+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? bdev_open+0x79b/0xc30 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? vsnprintf+0x6da/0x1270 ? srso_return_thunk+0x5/0x5f ? __mutex_unlock_slowpath+0x157/0x740 ? __pfx_vsnprintf+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? mark_held_locks+0x49/0x80 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? irqentry_exit+0x17b/0x5e0 ? trace_irq_disable.constprop.0+0x116/0x150 ? __pfx_hfsplus_fill_super+0x10/0x10 ? __pfx_hfsplus_fill_super+0x10/0x10 get_tree_bdev_flags+0x302/0x580 ? __pfx_get_tree_bdev_flags+0x10/0x10 ? vfs_parse_fs_qstr+0x129/0x1a0 ? __pfx_vfs_parse_fs_qstr+0x3/0x10 vfs_get_tree+0x89/0x320 fc_mount+0x10/0x1d0 path_mount+0x5c5/0x21c0 ? __pfx_path_mount+0x10/0x10 ? trace_irq_enable.constprop.0+0x116/0x150 ? trace_irq_enable.constprop.0+0x116/0x150 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? kmem_cache_free+0x307/0x540 ? user_path_at+0x51/0x60 ? __x64_sys_mount+0x212/0x280 ? srso_return_thunk+0x5/0x5f __x64_sys_mount+0x212/0x280 ? __pfx___x64_sys_mount+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? trace_irq_enable.constprop.0+0x116/0x150 ? srso_return_thunk+0x5/0x5f do_syscall_64+0x111/0x680 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ffacad55eae Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8 RSP: 002b:00007fff1ab55718 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffacad55eae RDX: 000055740c64e5b0 RSI: 000055740c64e630 RDI: 000055740c651ab0 RBP: 000055740c64e380 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000055740c64e5b0 R14: 000055740c651ab0 R15: 000055740c64e380 </TASK> After applying this patch, the warning no longer appears. Fixes: 89ac9b4 ("hfsplus: fix longname handling") CC: stable@vger.kernel.org Signed-off-by: Zilin Guan <zilin@seu.edu.cn> Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com> Tested-by: Viacheslav Dubeyko <slava@dubeyko.com> Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 9ae7719 ] - Add some useful comments to explain inplace I/Os and decompression; - Rearrange the code to get rid of one unnecessary goto. Reviewed-by: Chao Yu <chao@kernel.org> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Stable-dep-of: 21e161d ("erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 21e161d ] Some crafted images can have illegal (!partial_decoding && m_llen < m_plen) extents, and the LZ4 inplace decompression path can be wrongly hit, but it cannot handle (outpages < inpages) properly: "outpages - inpages" wraps to a large value and the subsequent rq->out[] access reads past the decompressed_pages array. However, such crafted cases can correctly result in a corruption report in the normal LZ4 non-inplace path. Let's add an additional check to fix this for backporting. Reproducible image (base64-encoded gzipped blob): H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz 2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w ywAAAAAAAADwu14ATsEYtgBQAAA= $ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt $ dd if=/mnt/data of=/dev/null bs=4096 count=1 Fixes: 598162d ("erofs: support decompress big pcluster for lz4 backend") Reported-by: Yuhao Jiang <danisjiang@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Junrui Luo <moonafterrain@outlook.com> Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com> Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit d134fee ] Add print_hex_dump_devel() as the hex dump equivalent of pr_devel(), which emits output only when DEBUG is enabled, but keeps call sites compiled otherwise. Suggested-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Reviewed-by: John Ogness <john.ogness@linutronix.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Stable-dep-of: 177730a ("crypto: caam - guard HMAC key hex dumps in hash_digest_key") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 177730a ] Use print_hex_dump_devel() for dumping sensitive HMAC key bytes in hash_digest_key() to avoid leaking secrets at runtime when CONFIG_DYNAMIC_DEBUG is enabled. Fixes: 045e367 ("crypto: caam - ahash hmac support") Fixes: 3f16f6c ("crypto: caam/qi2 - add support for ahash algorithms") Cc: stable@vger.kernel.org Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 6b4286e ] STMMAC_GET_ENTRY() doesn't describe what this macro is doing - it is incrementing the provided index for the circular array of descriptors. Replace "GET" with "NEXT" as this better describes the action here. Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk> Link: https://patch.msgid.link/E1w2vba-0000000DbWo-1oL5@rmk-PC.armlinux.org.uk Signed-off-by: Jakub Kicinski <kuba@kernel.org> Stable-dep-of: 0bb05e6 ("net: stmmac: Prevent NULL deref when RX memory exhausted") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit 0bb05e6 ] The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag ("OWN") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both "submissions" and "completions." In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called. This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL) But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`. Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there. In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change. Fixes: b6cb454 ("net: stmmac: avoid rx queue overrun") Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221010 Cc: stable@vger.kernel.org Suggested-by: Russell King <linux@armlinux.org.uk> Signed-off-by: Sam Edwards <CFSworks@gmail.com> Link: https://patch.msgid.link/20260422044503.5349-1-CFSworks@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 68bf102226cf2199dc609b67c1e847cad4de4b57 upstream When a field has been initialized, `init!`/`pin_init!` create a reference or pinned reference to the field so it can be accessed later during the initialization of other fields. However, the reference it created is incorrectly `&'static` rather than just the scope of the initializer. This means that you can do init!(Foo { a: 1, _: { let b: &'static u32 = a; } }) which is unsound. This is caused by `&mut (*$slot).$ident`, which actually allows arbitrary lifetime, so this is effectively `'static`. Fix it by adding `let_binding` method on `DropGuard` to shorten lifetime. This results in exactly what we want for these accessors. The safety and invariant comments of `DropGuard` have been reworked; instead of reasoning about what caller can do with the guard, express it in a way that the ownership is transferred to the guard and `forget` takes it back, so the unsafe operations within the `DropGuard` can be more easily justified. Assisted-by: Claude:claude-3-opus Signed-off-by: Gary Guo <gary@garyguo.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

… op cache commit c21b90f77687075115d989e53a8ec5e2bb427ab1 upstream. Make sure resources are not improperly shared in the op cache and cause instruction corruption this way. Signed-off-by: Prathyushi Nangia <prathyushi.nangia@amd.com> Co-developed-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 996454bc0da84d5a1dedb1a7861823087e01a7ae upstream. smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr. It verifies that each ACE contains the fixed SID header before using it, but does not verify that the variable-length SID described by sid.num_subauth is fully contained in the ACE. A malformed inheritable ACE can advertise more subauthorities than are present in the ACE. compare_sids() may then read past the ACE. smb_set_ace() also clamps the copied destination SID, but used the unchecked source SID count to compute the inherited ACE size. That could advance the temporary inherited ACE buffer pointer and nt_size accounting past the allocated buffer. Fix this by validating the parent ACE SID count and SID length before using the SID during inheritance. Compute the inherited ACE size from the copied SID so the size matches the bounded destination SID. Reject the inherited DACL if size accumulation would overflow smb_acl.size or the security descriptor allocation size. Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3") Signed-off-by: Shota Zaizen <s@zaizen.me> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Link: https://lore.kernel.org/r/20260512173938.452574370@linuxfoundation.org Tested-by: Pavel Machek (CIP) <pavel@nabladev.com> Tested-by: Peter Schneider <pschneider1968@googlemail.com> Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Mark Brown <broonie@kernel.org> Tested-by: Shuah Khan <skhan@linuxfoundation.org> Link: https://lore.kernel.org/r/20260513153744.746440810@linuxfoundation.org Tested-by: Brett A C Sheffield <bacs@librecast.net> Tested-by: Florian Fainelli <florian.fainelli@broadcom.com> Tested-by: Ron Economos <re@w6rz.net> Tested-by: Mark Brown <broonie@kernel.org> Tested-by: Barry K. Nathan <barryn@pobox.com> Tested-by: Miguel Ojeda <ojeda@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

* refs/heads/52dc660 Linux 6.18.30 ksmbd: validate inherited ACE SID length x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache rust: pin-init: fix incorrect accessor reference lifetime net: stmmac: Prevent NULL deref when RX memory exhausted net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() crypto: caam - guard HMAC key hex dumps in hash_digest_key printk: add print_hex_dump_devel() erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() erofs: tidy up z_erofs_lz4_handle_overlap() hfsplus: fix held lock freed on hfsplus_fill_super() hfsplus: fix uninit-value by validating catalog record size firmware: exynos-acpm: Drop fake 'const' on handle pointer mm, swap: speed up hibernation allocation and writeout crypto: qat - fix firmware loading failure for GEN6 devices crypto: qat - fix indentation of macros in qat_hal.c mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs mmc: core: Add quirk for incorrect manufacturing date mmc: core: Adjust MDT beyond 2025 octeon_ep_vf: add NULL check for napi_build_skb() hwmon: (powerz) Avoid cacheline sharing for DMA buffer dma-mapping: add __dma_from_device_group_begin()/end() fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info mm/damon/core: disallow non-power of two min_region_sz on damon_start() bpf: Fix use-after-free in arena_vm_close on fork io_uring/tw: serialize ctx->retry_llist with ->uring_lock io_uring/kbuf: support min length left for incremental buffers LoongArch: Use per-root-bridge PCIH flag to skip mem resource fixup LoongArch: KVM: Use kvm_set_pte() in kvm_flush_pte() LoongArch: KVM: Move unconditional delay into timer clear scenery LoongArch: KVM: Fix HW timer interrupt lost when inject interrupt by software LoongArch: KVM: Fix "unreliable stack" for kvm_exc_entry LoongArch: KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer KVM: arm64: Fix initialisation order in __pkvm_init_finalise() KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value KVM: arm64: Wake-up from WFI when iqrchip is in userspace f2fs: fix fsck inconsistency caused by FGGC of node block f2fs: fix inline data not being written to disk in writeback path f2fs: refactor f2fs_move_node_folio function f2fs: fix uninitialized kobject put in f2fs_init_sysfs() f2fs: fix node_cnt race between extent node destroy and writeback f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() f2fs: fix incorrect file address mapping when inline inode is unwritten f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage f2fs: fix fiemap boundary handling when read extent cache is incomplete f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() mptcp: pm: ADD_ADDR rtx: return early if no retrans mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker mptcp: pm: ADD_ADDR rtx: free sk if last mptcp: pm: ADD_ADDR rtx: always decrease sk refcount mptcp: pm: ADD_ADDR rtx: fix potential data-race mptcp: pm: ADD_ADDR rtx: allow ID 0 mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 mptcp: pm: prio: skip closed subflows mptcp: fix scheduling with atomic in timestamp sockopt mptcp: fix rx timestamp corruption on fastopen mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf mptcp: sockopt: set timestamp flags on subflow socket, not msk mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure mptcp: fastclose msk when linger time is 0 selftests: mptcp: pm: restrict 'unknown' check to pm_nl_ctl selftests: mptcp: check output: catch cmd errors sched_ext: idle: Recheck prev_cpu after narrowing allowed mask RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path RDMA/rxe: Reject unknown opcodes before ICRC processing RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() RDMA/mana: Validate rx_hash_key_len RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() RDMA/ionic: Fix typo in format string RDMA/ionic: bound node_desc sysfs read with %.64s perf/x86/intel: Always reprogram ACR events to prevent stale masks powerpc/xive: fix kmemleak caused by incorrect chip_data lookup power: supply: max17042: avoid overflow when determining health PCI/ASPM: Fix pci_clear_and_set_config_dword() usage PCI/AER: Stop ruling out unbound devices as error source PCI/AER: Clear only error bits in PCIe Device Status PCI: Update saved_config_space upon resource assignment mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock mm/damon/stat: detect and use fresh enabled value KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty KVM: x86: check for nEPT/nNPT in slow flush hypercalls smb: client: validate dacloffset before building DACL pointers smb: client: use kzalloc to zero-initialize security descriptor buffer smb/client: fix out-of-bounds read in symlink_data() smb/client: fix out-of-bounds read in smb2_compound_op() scsi: mpt3sas: Limit NVMe request size to 2 MiB s390/debug: Reject zero-length input before trimming a newline s390/debug: Reject zero-length input in debug_input_flush_fn() riscv: kvm: fix vector context allocation leak RDMA/hns: Fix unlocked call to hns_roce_qp_remove() psp: strip variable-length PSP header in psp_dev_rcv() pmdomain: core: Fix detach procedure for virtual devices in genpd openvswitch: vport: fix self-deadlock on release of tunnel ports nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free nvmet-tcp: fix race between ICReq handling and queue teardown nvme-apple: drop invalid put of admin queue reference count md/raid10: fix divide-by-zero in setup_geo() with zero far_copies libceph: Fix slab-out-of-bounds access in auth message processing lib/scatterlist: fix temp buffer in extract_user_to_sg() lib/scatterlist: fix length calculations in extract_kvec_to_sg lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update iommu/vt-d: Block PASID attachment to nested domain with dirty tracking iommufd: Fix return value of iommufd_fault_fops_write() isofs: validate block number from NFS file handle in isofs_export_iget isofs: validate Rock Ridge CE continuation extent against volume size dm-verity-fec: correctly reject too-small hash devices dm-verity-fec: correctly reject too-small FEC devices eventfs: Hold eventfs_mutex and SRCU when remount walks events dm: fix a buffer overflow in ioctl processing dm: don't report warning when doing deferred remove dm-thin: fix metadata refcount underflow btrfs: fix missing last_unlink_trans update when removing a directory btrfs: fix double free in create_space_info() error path ASoC: qcom: q6apm: remove child devices when apm is removed ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop ASoC: Intel: bytcr_wm5102: Fix MCLK leak on platform_clock_control error ASoC: fsl_easrc: fix comment typo ASoC: ES8389: convert to devm_clk_get_optional() to get clock ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table cpuidle: powerpc: avoid double clear when breaking snooze clk: microchip: mpfs-ccc: fix out of bounds access during output registration clk: imx: imx8-acm: fix flags for acm clocks tracing/probes: Limit size of event probe to 3K spi: topcliff-pch: fix use-after-free on unbind spi: topcliff-pch: fix controller deregistration thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata thermal: core: Free thermal zone ID later during removal udf: reject descriptors with oversized CRC length tracefs: Fix default permissions not being applied on initial mount spi: microchip-core-qspi: control built-in cs manually spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations spi: microchip-core-qspi: fix controller deregistration ice: fix double free in ice_sf_eth_activate() error path ibmveth: Disable GSO for packets with small MSS hv_sock: Return -EIO for malformed/short packets hv_sock: Report EOF instead of -EIO for FIN hv_sock: fix ARM64 support hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS gpio: of: clear OF_POPULATED on hog nodes in remove path extcon: ptn5150: handle pending IRQ events during system resume cifs: change_conf needs to be called for session setup cifs: abort open_cached_dir if we don't request leases block: only read from sqe on initial invocation of blkdev_uring_cmd() block: add pgmap check to biovec_phys_mergeable pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy() arm64/fpsimd: ptrace: zero target's fpsimd_state, not the tracer's af_unix: Reject SIOCATMARK on non-stream sockets hwmon: (corsair-psu) Close HID device on probe errors clk: rk808: fix OF node reference imbalance hwmon: (ltc2992) Fix u32 overflow in power read path hwmon: (ltc2992) Clamp threshold writes to hardware range x86/efi: Fix graceful fault handling after FPU softirq changes parisc: Fix IRQ leak in LASI driver platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler net/rds: handle zerocopy send cleanup before the message is queued netpoll: pass buffer size to egress_dev() to avoid MAC truncation net: libwx: use request_irq for VF misc interrupt ip6_gre: Use cached t->net in ip6erspan_changelink(). net: libwx: fix VF illegal register access pseries/papr-hvpipe: Fix the usage of copy_to_user() pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init() pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace sound: ua101: fix division by zero at probe perf/x86/intel: Improve validation and configuration of ACR masks mptcp: pm: ADD_ADDR rtx: skip inactive subflows net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo LoongArch: Fix SYM_SIGFUNC_START definition for 32BIT mm/hugetlb_cma: round up per_node before logging it arm64: signal: Preserve POR_EL0 if poe_context is missing mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() KVM: arm64: Fix kvm_vcpu_initialized() macro parameter fanotify: fix false positive on permission events staging: vme_user: fix root device leak on init failure spi: s3c64xx: fix NULL-deref on driver unbind spi: zynqmp-gqspi: fix controller deregistration spi: sun6i: fix controller deregistration spi: ti-qspi: fix controller deregistration spi: sun4i: fix controller deregistration spi: syncuacer: fix controller deregistration rust: allow `clippy::collapsible_if` globally rust: allow `clippy::collapsible_match` globally rust: drm: gem: clean up GEM state in init failure case Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt Bluetooth: btmtk: validate WMT event SKB length before struct access Bluetooth: virtio_bt: validate rx pkt_type header length Bluetooth: virtio_bt: clamp rx length before skb_put LoongArch: KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read() selinux: prune /sys/fs/selinux/user selinux: prune /sys/fs/selinux/disable selinux: prune /sys/fs/selinux/checkreqprot selinux: shrink critical section in sel_write_load() selinux: don't reserve xattr slot when we won't fill it selinux: use sk blob accessor in socket permission helpers selinux: fix avdcache auditing xfrm: ah: account for ESN high bits in async callbacks ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete xfrm: provide message size for XFRM_MSG_MAPPING x86/efi: Restore IRQ state in EFI page fault handler powerpc/kdump: fix KASAN sanitization flag for core_$(BITS).o ALSA: seq: Fix UMP group 16 filtering ALSA: core: Serialize deferred fasync state checks ALSA: firewire-tascam: Do not drop unread control events ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro 15 ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger ALSA: hda: cs35l56: Propagate ASP TX source control errors usb: typec: tcpm: fix debug accessory mode detection for sink ports usb: ulpi: fix memory leak on ulpi_register() error paths USB: serial: option: add Telit Cinterion LE910Cx compositions USB: omap_udc: DMA: Don't enable burst 4 mode ALSA: usb-audio: Fix UAC3 cluster descriptor size check ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() ALSA: usb-audio: midi2: Restart output URBs on resume usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl usb: usblp: fix heap leak in IEEE 1284 device ID via short response wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task wifi: b43: enforce bounds check on firmware key index in b43_rx() wifi: mac80211: remove station if connection prep fails wifi: ath5k: do not access array OOB wifi: mac80211: use safe list iteration in radar detect work wifi: rsi: fix kthread lifetime race between self-exit and external-stop wifi: mac80211: drop stray 'static' from fast-RX rx_result wifi: b43legacy: enforce bounds check on firmware key index in RX path wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work wifi: mt76: mt7921: fix a potential clc buffer length underflow wifi: mt76: mt7925: fix incorrect length field in txpower command wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr exit: prevent preemption of oopsing TASK_DEAD task net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked net: stmmac: Disable EEE RX clock stop when VLAN is enabled KVM: SVM: check validity of VMCB controls when returning from SMM net: af_key: zero aligned sockaddr tail in PF_KEY exports smb: client/smbdirect: fix MR registration for coalesced SG lists mptcp: sync the msk->sndbuf at accept() time flow_dissector: do not dissect PPPoE PFC frames ceph: fix num_ops off-by-one when crypto allocation fails KVM: x86: Fix shadow paging use-after-free due to unexpected GFN ksmbd: rewrite stop_sessions() with restartable iteration spi: rockchip: fix controller deregistration wifi: mt76: mt7925: fix incorrect TLV length in CLC command ASoC: SOF: Don't allow pointer operations on unconfigured streams iommufd: Fix a race with concurrent allocation and unmap tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() ACPI: video: force native backlight on HP OMEN 16 (8A44) ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO ACPI: scan: Use acpi_dev_put() in object add error paths fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free ipmi:si: Return state to normal if message allocation fails ipmi: Check event message buffer response for bad data ipmi: Add limits to event and receive message requests scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() Linux 6.18.29 rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present Linux 6.18.28 xfrm: esp: avoid in-place decrypt on shared skb frags Linux 6.18.27 ipmi:ssif: NULL thread on error ipmi:ssif: Remove unnecessary indention netfilter: reject zero shift in nft_bitwise net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels mm/slab: return NULL early from kmalloc_nolock() in NMI on UP mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP vmalloc: fix buffer overflow in vrealloc_node_align() ALSA: aloop: Fix peer runtime UAF during format-change stop ALSA: caiaq: fix usb_dev refcount leak on probe failure drm/amdgpu: fix zero-size GDS range init on RDNA4 ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ALSA: caiaq: Don't abort when no input device is available ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path driver core: Add kernel-doc for DEV_FLAG_COUNT enum value crypto: authencesn - reject short ahash digests during instance creation net: qrtr: ns: Limit the total number of nodes net: qrtr: ns: Limit the maximum number of lookups net: qrtr: ns: Limit the maximum server registration per node iio: frequency: admv1013: fix NULL pointer dereference on str iio: frequency: admv1013: add dev variable media: rc: igorplugusb: heed coherency rules media: rc: ttusbir: respect DMA coherency rules wifi: mt76: mt792x: fix mt7925u USB WFSYS reset handling wifi: mt76: mt792x: describe USB WFSYS reset with a descriptor phy: qcom: m31-eusb2: clear PLL_EN during init phy: qcom: m31-eusb2: Update init sequence to set PHY_ENABLE mei: me: add nova lake point H DID mei: me: use PCI_DEVICE_DATA macro lib: test_hmm: evict device pages on file close to avoid use-after-free arm64: mm: Fix rodata=full block mapping support for realm guests arm64: mm: Simplify check in arch_kfence_init_pool() mm: prevent droppable mappings from being locked seg6: fix seg6 lwtunnel output redirect for L2 reduced encap mode scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails sched_ext: Documentation: Clarify ops.dispatch() role in task lifecycle rxgk: Fix potential integer overflow in length check rtmutex: Use waiter::task instead of current in remove_waiter() ntfs3: fix integer overflow in run_unpack() volume boundary check ntfs3: add buffer boundary checks to run_unpack() NFSv4.1: Apply session size limits on clone path ktest: Fix the month in the name of the failure directory IB/core: Fix zero dmac race in neighbor resolution gtp: disable BH before calling udp_tunnel_xmit_skb() ceph: only d_add() negative dentries when they are unhashed dm mirror: fix integer overflow in create_dirty_log() crypto: nx - Fix packed layout in struct nx842_crypto_header crypto: nx - fix context leak in nx842_crypto_free_ctx crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx crypto: atmel-sha204a - Fix uninitialized data access on OTP read error crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path crypto: atmel-sha204a - Fix error codes in OTP reads crypto: atmel-tdes - fix DMA sync direction crypto: ccree - fix a memory leak in cc_mac_digest() crypto: hisilicon - Fix dma_unmap_single() direction crypto: atmel-ecc - Release client on allocation failure crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup crypto: arm64/aes - Fix 32-bit aes_mac_update() arg treated as 64-bit crypto: acomp - fix wrong pointer stored by acomp_save_req() can: ucan: fix devres lifetime bus: mhi: host: pci_generic: Switch to async power up to avoid boot delays Bluetooth: hci_event: fix potential UAF in SSP passkey handlers apparmor: use target task's context in apparmor_getprocattr() mfd: core: Preserve OF node when ACPI handle is present taskstats: set version in TGID exit notifications tcp: call sk_data_ready() after listener migration wifi: rtl8xxxu: fix potential use of uninitialized value x86/shstk: Prevent deadlock during shstk sigreturn x86/cpu: Disable FRED when PTI is forced on inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails HID: apple: ensure the keyboard backlight is off if suspending check-uapi: link into shared objects md/raid5: validate payload size before accessing journal metadata md/raid5: fix soft lockup in retry_aligned_read() md/md-llbitmap: raise barrier before state machine transition md/md-llbitmap: skip reading rdevs that are not in_sync amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2 mtd: spinand: winbond: Declare the QE bit on W25NxxJW mtd: spi-nor: sst: Fix write enable before AAI sequence ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access ring-buffer: Do not double count the reader_page ARM: 9472/1: fix race condition on PG_dcache_clean in __sync_icache_dcache() perf annotate: Use jump__delete when freeing LoongArch jumps KVM: nSVM: Always intercept VMMCALL when L2 is active KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1 KVM: nSVM: Add missing consistency check for nCR3 validity KVM: nSVM: Drop the non-architectural consistency check for NP_ENABLE KVM: nSVM: Add missing consistency check for EFER, CR0, CR4, and CS KVM: nSVM: Clear tracking of L1->L2 NMI and soft IRQ on nested #VMEXIT KVM: nSVM: Clear EVENTINJ fields in vmcb12 on nested #VMEXIT KVM: nSVM: Clear GIF on nested #VMEXIT(INVALID) KVM: nSVM: Triple fault if mapping VMCB12 fails on nested #VMEXIT KVM: nSVM: Refactor writing vmcb12 on nested #VMEXIT as a helper KVM: nSVM: Refactor checking LBRV enablement in vmcb12 into a helper KVM: nSVM: Always inject a #GP if mapping VMCB12 fails on nested VMRUN KVM: SVM: Add missing save/restore handling of LBR MSRs KVM: SVM: Switch svm_copy_lbrs() to a macro KVM: nSVM: Delay setting soft IRQ RIP tracking fields until vCPU run KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12 KVM: nSVM: Use vcpu->arch.cr2 when updating vmcb12 on nested #VMEXIT KVM: nSVM: Delay stuffing L2's current RIP into NextRIP until vCPU run KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN KVM: nSVM: Ensure AVIC is inhibited when restoring a vCPU to guest mode KVM: SVM: Explicitly mark vmcb01 dirty after modifying VMCB intercepts KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2 KVM: nSVM: Sync NextRIP to cached vmcb12 after VMRUN of L2 KVM: nSVM: Mark all of vmcb02 dirty when restoring nested state KVM: x86: Defer non-architectural deliver of exception payload to userspace read LoongArch: KVM: Use CSR_CRMD_PLV in kvm_arch_vcpu_in_kernel() userfaultfd: allow registration of ranges below mmap_min_addr mm/damon/core: use time_in_range_open() for damos quota window start mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp mm/damon/stat: fix memory leak on damon_start() failure in damon_stat_start() mm/mempolicy: fix memory leaks in weighted_interleave_auto_store() mm/vmalloc: take vmap_purge_lock in shrinker rtc: ntxec: fix OF node reference imbalance tpm: tpm_tis: stop transmit if retries are exhausted tpm: tpm_tis: add error logging for data transfer tpm: Use kfree_sensitive() to free auth session in tpm_dev_release() tpm: Fix auth session leak in tpm2_get_random() error path tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public() pwm: imx-tpm: Count the number of enabled channels in probe crypto: talitos - rename first/last to first_desc/last_desc crypto: talitos - fix SEC1 32k ahash request limitation firmware: google: framebuffer: Do not unregister platform device xfs: fix a resource leak in xfs_alloc_buftarg() xfs: start gc on zonegc_low_space attribute updates crypto: qat - fix IRQ cleanup on 6xxx probe failure arm64: dts: ti: am62-verdin: Enable pullup for eMMC data pins mmc: sdhci-of-dwcmshc: Disable clock before DLL configuration mmc: block: use single block write in retry randomize_kstack: Maintain kstack_offset per task hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data() ASoC: Intel: avs: replace strcmp with sysfs_streq drm/amd: Fix set but not used warnings fs: prepare for adding LSM blob to backing_file hwmon: (isl28022) Fix integer overflow in power calculation on 32-bit power: supply: axp288_charger: Do not cancel work before initializing it LoongArch: Show CPU vulnerabilites correctly tpm: avoid -Wunused-but-set-variable extract-cert: Wrap key_pass with '#ifdef USE_PKCS11_ENGINE' spi: fix resource leaks on device setup failure libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() ipv4: icmp: validate reply type before using icmp_pointers RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv tracing/fprobe: Reject registration of a registered fprobe before init slub: fix data loss and overflow in krealloc() drm/arcpgu: fix device node leak net: ks8851: Avoid excess softirq scheduling net: mctp: fix don't require received header reserved bits to be zero netconsole: avoid out-of-bounds access on empty string in trim_newline() net: bridge: use a stable FDB dst snapshot in RCU readers net: ks8851: Reinstate disabling of BHs around IRQ handler net/smc: avoid early lgr access in smc_clc_wait_msg net: txgbe: fix firmware version check net: rds: fix MR cleanup on copy error net: qrtr: ns: Free the node during ctrl_cmd_bye() arm64: dts: marvell: uDPU: add ethernet aliases net: txgbe: fix RTNL assertion warning when remove module tools/accounting: handle truncated taskstats netlink messages EDAC/versalnet: Fix memory leak in remove and probe error paths rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets rxrpc: Fix re-decryption of RESPONSE packets rxrpc: Fix error handling in rxgk_extract_token() rxrpc: Fix rxkad crypto unalignment handling rxrpc: Fix conn-level packet handling to unshare RESPONSE packets rxrpc: Fix memory leaks in rxkad_verify_response() rxrpc: Fix potential UAF after skb_unshare() failure iio: adc: ad7768-1: remove switch to one-shot mode iio: adc: ad7768-1: fix one-shot mode data acquisition ALSA: pcmtest: Fix resource leaks in module init error paths ALSA: pcmtest: fix reference leak on failed device registration ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa2xxx ALSA: 6fire: Fix input volume change detection ALSA: caiaq: Handle probe errors properly ALSA: caiaq: Fix control_put() result and cache rollback ALSA: core: Fix potential data race at fasync handling io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE io_uring/poll: fix signed comparison in io_poll_get_ownership() iio: adc: ti-ads7950: use iio_push_to_buffers_with_ts_unaligned() block: relax pgmap check in bio_add_page for compatible zone device pages io_uring/timeout: check unused sqe fields block: fix zone write plugs refcount handling in disk_zone_wplug_schedule_bio_work() rbd: fix null-ptr-deref when device_add_disk() fails selftests/landlock: Skip stale records in audit_match_record() selftests/landlock: Fix snprintf truncation checks in audit helpers selftests/landlock: Fix format warning for __u64 in net_test selftests/landlock: Drain stale audit records on init landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork() selftests/mqueue: Fix incorrectly named file sched: Use u64 for bandwidth ratio calculations reset: rzv2h-usb2phy: Keep PHY clock enabled for entire device lifetime remoteproc: xlnx: Only access buffer information if IPI is buffered RDMA/mana_ib: Disable RX steering on RSS QP destroy PCI: cadence: Use cdns_pcie_read_sz() for byte or word read access parisc: Drop ip_fast_csum() inline assembly implementation parisc: _llseek syscall is only available for 32-bit userspace nvme: respect NVME_QUIRK_DISABLE_WRITE_ZEROES when wzsl is set nvme-pci: add NVME_QUIRK_DISABLE_WRITE_ZEROES for Kingston OM3SGP4 mtd: docg3: fix use-after-free in docg3_release() mm/hugetlb: fix early boot crash on parameters without '=' separator mm/damon/core: fix damon_call() vs kdamond_fn() exit race mm/alloc_tag: clear codetag for pages allocated before page_ext initialization mfd: stpmic1: Attempt system shutdown twice in case PMIC is confused io_uring/register: fix ring resizing with mixed/large SQEs/CQEs md/raid10: fix deadlock with check operation and nowait requests KVM: selftests: Fix reserved value WRMSR testcase for multi-feature MSRs jbd2: fix deadlock in jbd2_journal_cancel_revoke() ipmi:ssif: Clean up kthread on errors erofs: fix the out-of-bounds nameoff handling for trailing dirents ALSA: seq_oss: return full count for successful SEQ_FULLSIZE writes ALSA: ctxfi: Add fallback to default RSR for S/PDIF ALSA: aoa: Skip devices with no codecs in i2sbus_resume() ALSA: aoa: i2sbus: fix OF node lifetime handling ALSA: aoa: i2sbus: clear stale prepared state mm/zsmalloc: copy KMSAN metadata in zs_page_migrate() ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() net: qrtr: ns: Fix use-after-free in driver remove() media: i2c: imx219: Check return value of devm_gpiod_get_optional() in imx219_probe() lib/ts_kmp: fix integer overflow in pattern length calculation PCI: epf-mhi: Return 0, not remaining timeout, when eDMA ops complete Revert "ALSA: usb: Increase volume range that triggers a warning" PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown crypto: atmel-sha204a - Fix OTP sysfs read and error handling media: mtk-jpeg: fix use-after-free in release path due to uncancelled work net: strparser: fix skb_head leak in strp_abort_strp() net: caif: clear client service pointer on teardown ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() media: amphion: Fix race between m2m job_abort and device_run PCI: imx6: Skip waiting for L2/L3 Ready on i.MX6SX EDAC/versalnet: Fix device_node leak in mc_probe() hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt of: unittest: fix use-after-free in testdrv_probe() of: unittest: fix use-after-free in of_unittest_changeset() dt-bindings: display: ti, am65x-dss: Fix AM62L DSS reg and clock constraints crypto: pcrypt - Fix handling of MAY_BACKLOG requests crypto: algif_aead - snapshot IV for async AEAD requests mm: call ->free_folio() directly in folio_unmap_invalidate() spi: ch341: fix memory leaks on probe failures spi: imx: fix use-after-free on unbind thermal: core: Fix thermal zone governor cleanup issues um: drivers: call kernel_strrchr() explicitly in cow_user.c vfio/cdx: Fix NULL pointer dereference in interrupt trigger path vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex vfio/virtio: Convert list_lock from spinlock to mutex vfio: selftests: Fix VLA initialisation in vfio_pci_irq_set() wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() wifi: rtw88: check for PCI upstream bridge existence zram: do not forget to endio for partial discard requests Input: edt-ft5x06 - fix use-after-free in debugfs teardown ocfs2: split transactions in dio completion to avoid credit exhaustion mm: migrate: requeue destination folio on deferred split queue arm64/mm: Enable batched TLB flush in unmap_hotplug_range() firmware: google: framebuffer: Do not mark framebuffer as busy fs: afs: revert mmap_prepare() change kbuild: rust: allow `clippy::uninlined_format_args` rust: dma: remove DMA_ATTR_NO_KERNEL_MAPPING from public attrs drm/nouveau: fix nvkm_device leak on aperture removal failure device property: Make modifications of fwnode "flags" thread safe driver core: Don't let a device probe until it's ready ibmasm: fix heap over-read in ibmasm_send_i2o_message() ibmasm: fix OOB reads in command_file_write due to missing size checks misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames() greybus: gb-beagleplay: bound bootloader receive buffering leds: qcom-lpg: Check for array overflow when selecting the high resolution drm/nouveau: fix u32 overflow in pushbuf reloc bounds check LoongArch: Add spectre boundry for syscall dispatch table ALSA: usb-audio: Evaluate packsize caps at the right place usb: chipidea: core: allow ci_irq_handler() handle both ID and VBUS change usb: chipidea: otg: not wait vbus drop if use role_switch usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() ALSA: usb-audio: Fix Audio Advantage Micro II SPDIF switch ALSA: usb-audio: Avoid false E-MU sample-rate notifications ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES Linux 6.18.26 Buffer overflow in drivers/xen/sys-hypervisor.c xen/privcmd: fix double free via VMA splitting Signed-off-by: Sivasri Kumar, Vanka <svanka@qti.qualcomm.com>

qswat-orbit-external · 2026-05-15T09:00:51Z

Merge Check Failed: No CR Numbers Found

Error: No Change Request numbers were found.

Please add Change Request numbers to your pull request description in the format CRs-Fixed: 12345 or link GitHub issues that are associated with Change Requests.

bonzini and others added 30 commits May 14, 2026 15:30

sjp38 and others added 25 commits May 14, 2026 15:30

svankas requested review from a team, knaveen-qc, quicAspratap and rrnayak May 15, 2026 09:00

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge tag 'v6.18.30' into qcom-6.18.y#586

Merge tag 'v6.18.30' into qcom-6.18.y#586
svankas wants to merge 555 commits into
qualcomm-linux:qcom-6.18.yfrom
svankas:6.18.30-lts

svankas commented May 15, 2026

Uh oh!

qswat-orbit-external Bot commented May 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants

Conversation

svankas commented May 15, 2026

Uh oh!

qswat-orbit-external Bot commented May 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants