GKI (arm64) relevant 87 out of 414 changes, affecting 112 files +738/-352
bdb71ee651 configfs: Do not override creating attribute file failure in populate_attrs() [1 file, +1/-1]
ba789be63d io_uring: account drain memory to cgroup [1 file, +1/-1]
c58b577cf7 io_uring/kbuf: account ring io_buffer_list memory [1 file, +1/-1]
f78b38af35 jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() [1 file, +3/-2]
2429bb9fad media: v4l2-dev: fix error handling in __video_register_device() [1 file, +7/-7]
5d8b057ed7 media: videobuf2: use sgtable-based scatterlist wrappers [1 file, +2/-2]
b52dc88361 media: uvcvideo: Return the number of processed controls [1 file, +10/-1]
6d2b12e7c5 media: uvcvideo: Send control events for partial succeeds [1 file, +9/-3]
aac91ae06c media: uvcvideo: Fix deferred probing error [1 file, +19/-8]
86d9837e46 arm64/mm: Close theoretical race where stale TLB entry remains valid [1 file, +5/-4]
5538af3843 block: use plug request list tail for one-shot backmerge attempt [1 file, +13/-13]
943801c380 block: Clear BIO_EMULATES_ZONE_APPEND flag on BIO completion [1 file, +1/-0]
1c71f3cf5f cgroup,freezer: fix incomplete freezing when attaching tasks [1 file, +1/-2]
a0890b7805 bus: firewall: Fix missing static inline annotations for stubs [1 file, +9/-6]
5766da2237 ext4: inline: fix len overflow in ext4_prepare_inline_data [1 file, +1/-1]
796632e6f8 ext4: fix calculation of credits for extent tree modification [1 file, +6/-5]
4b36399711 ext4: ensure i_size is smaller than maxbytes [1 file, +2/-1]
be5f3061a6 ext4: only dirty folios when data journaling regular files [1 file, +6/-1]
a0b1c91ada Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer() [1 file, +2/-0]
fed611bd8c f2fs: fix to do sanity check on ino and xnid [1 file, +6/-0]
aaa644e7ff f2fs: prevent kernel warning due to negative i_nlink from corrupted image [1 file, +9/-0]
ee1b421c46 f2fs: fix to do sanity check on sit_bitmap_size [1 file, +8/-0]
f16a797dce watchdog: fix watchdog may detect false positive of softlockup [1 file, +27/-14]
02137179ff mm: fix ratelimit_pages update error in dirty_ratio_handler() [1 file, +1/-1]
462eee6d42 firmware: arm_scmi: Ensure that the message-id supports fastchannel [2 files, +45/-33]
e3cf1ef571 dm-verity: fix a memory leak if some arguments are specified multiple times [3 files, +24/-5]
f2986bccf2 dm: lock limits when reading them [1 file, +7/-1]
ec5f0b4412 ovl: Fix nested backing file paths [1 file, +2/-2]
92776ca0cc remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() [1 file, +2/-3]
f4ef928ca5 remoteproc: core: Release rproc->clean_table after rproc_attach() fails [1 file, +1/-0]
68e58f5791 PCI: dwc: ep: Correct PBA offset in .set_msix() callback [1 file, +3/-2]
b20701d594 PCI: Add ACS quirk for Loongson PCIe [1 file, +23/-0]
be0cf75cbd PCI: Fix lock symmetry in pci_slot_unlock() [1 file, +2/-1]
7b45d2401d clocksource: Fix the CPUs' choice in the watchdog per CPU verification [1 file, +1/-1]
c05aba32a9 ACPICA: Avoid sequence overread in call to strncmp() [1 file, +1/-1]
66613b13cd ACPI: Add missing prototype for non CONFIG_SUSPEND/CONFIG_X86 case [1 file, +8/-1]
33cd650d38 pmdomain: core: Reset genpd->states to avoid freeing invalid data [1 file, +3/-1]
f34e0c1556 platform-msi: Add msi_remove_device_irq_domain() in platform_device_msi_free_irqs_all() [1 file, +1/-0]
c519f81e9c gpiolib: of: Add polarity quirk for s5m8767 [1 file, +9/-0]
1f152ae557 PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn() [1 file, +1/-1]
6c1151d53c tipc: use kfree_sensitive() for aead cleanup [1 file, +1/-1]
b0e647442c f2fs: use vmalloc instead of kvmalloc in .init_{,de}compress_ctx [2 files, +15/-13]
2d834477bb bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() [1 file, +2/-1]
77ff6aec7c cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs [1 file, +35/-1]
0a8446058c tcp: always seek for minimal rtt in tcp_rcv_rtt_update() [1 file, +8/-14]
f97085d365 tcp: remove zero TCP TS samples for autotuning [1 file, +5/-5]
89b20c406e tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows [1 file, +3/-3]
84c156a351 tcp: add receive queue awareness in tcp_rcv_space_adjust() [2 files, +5/-3]
3a9e74d158 ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT [1 file, +4/-0]
5eb9c50e0c net: page_pool: Don't recycle into cache on PREEMPT_RT [1 file, +4/-0]
8b0741b167 xfrm: validate assignment of maximal possible SEQ number [1 file, +42/-10]
8fdf2f79eb bpf: Pass the same orig_call value to trampoline functions [1 file, +1/-1]
f0023d7a2a f2fs: fix to bail out in get_new_segment() [2 files, +6/-1]
448dc45eea bpf: Use proper type to calculate bpf_raw_tp_null_args.mask index [1 file, +2/-2]
78f768e36c net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions [1 file, +69/-8]
4b3383110b software node: Correct a OOB check in software_node_get_reference_args() [1 file, +1/-1]
b7129ef57d sock: Correct error checking condition for (assign|release)_proto_idx() [1 file, +2/-2]
a58f0a0e99 f2fs: fix to set atomic write status more clear [3 files, +12/-2]
b8b4b8bb34 bpf, sockmap: Fix data lost during EAGAIN retries [1 file, +2/-1]
7c41f73b64 fs/xattr.c: fix simple_xattr_list() [1 file, +1/-0]
2e10dc9c2a io_uring/kbuf: don't truncate end buffer for multiple buffer peeks [1 file, +4/-1]
1a4254ab06 io_uring: fix task leak issue in io_wq_create() [1 file, +3/-1]
4220cc0b98 nvme: always punt polled uring_cmd end_io work to task_work [1 file, +7/-14]
f9b97d466e net_sched: sch_sfq: reject invalid perturb period [1 file, +8/-2]
2a3ad42a57 net: clear the dst when changing skb protocol [1 file, +13/-6]
510a29d776 mm: close theoretical race where stale TLB entries could linger [1 file, +2/-0]
57ec081869 sched_ext, sched/core: Don't call scx_group_set_weight() prematurely from sched_create_group() [3 files, +9/-2]
3d828519bd atm: Revert atm_account_tx() if copy_from_iter_full() fails. [3 files, +8/-1]
47f34289d1 arm64: Restrict pagetable teardown to avoid false warning [1 file, +2/-1]
9cf5b2a3b7 mm/hugetlb: unshare page tables during VMA split, not before [5 files, +57/-16]
dc5f0aef9e net: Fix checksum update for ILA adj-transport [4 files, +7/-7]
2516299184 bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE [3 files, +7/-2]
50189d9c5e erofs: remove unused trace event erofs_destroy_inode [1 file, +0/-18]
348e541fef ipv6: remove leftover ip6 cookie initializer [1 file, +0/-2]
3c44ebad5a ipv6: replace ipcm6_init calls with ipcm6_init_sk [4 files, +3/-29]
6b358b3adf io_uring/sqpoll: don't put task_struct on tctx setup failure [1 file, +1/-4]
8873080b88 workqueue: Initialize wq_isolated_cpumask in workqueue_init_early() [1 file, +2/-1]
ac462a75fd net: netmem: fix skb_ensure_writable with unreadable skbs [1 file, +0/-3]
61b39e189d ptp: allow reading of currently dialed frequency to succeed on free-running clocks [1 file, +2/-1]
397c1faf8f tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior [1 file, +25/-12]
0d3d91c350 tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer [1 file, +2/-2]
31d50dfe9c tcp: fix passive TFO socket having invalid NAPI ID [1 file, +3/-0]
0f8df5d6f2 ublk: santizize the arguments from userspace when adding a device [1 file, +3/-0]
456019adaa perf: Fix sample vs do_exit() [2 files, +16/-8]
7335c33d62 perf: Fix cgroup state vs ERROR [1 file, +30/-21]
fd199366bf perf/core: Fix WARN in perf_cgroup_switch() [1 file, +20/-2]
22f935bc86 arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() [1 file, +1/-1]
Changes in 6.12.35
configfs: Do not override creating attribute file failure in populate_attrs()
crypto: marvell/cesa - Do not chain submitted requests
gfs2: move msleep to sleepable context
crypto: qat - add shutdown handler to qat_c3xxx
crypto: qat - add shutdown handler to qat_420xx
crypto: qat - add shutdown handler to qat_4xxx
crypto: qat - add shutdown handler to qat_c62x
crypto: qat - add shutdown handler to qat_dh895xcc
ASoC: qcom: sdm845: Add error handling in sdm845_slim_snd_hw_params()
ASoC: meson: meson-card-utils: use of_property_present() for DT parsing
ASoC: amd: sof_amd_sdw: Fix unlikely uninitialized variable use in create_sdw_dailinks()
io_uring: account drain memory to cgroup
io_uring/kbuf: account ring io_buffer_list memory
powerpc/pseries/msi: Avoid reading PCI device registers in reduced power states
s390/pci: Remove redundant bus removal and disable from zpci_release_device()
s390/pci: Prevent self deletion in disable_slot()
s390/pci: Allow re-add of a reserved but not yet removed device
s390/pci: Serialize device addition and removal
regulator: max20086: Fix MAX200086 chip id
regulator: max20086: Change enable gpio to optional
net/mlx5_core: Add error handling inmlx5_query_nic_vport_qkey_viol_cntr()
net/mlx5: Add error handling in mlx5_query_nic_vport_node_guid()
wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback()
wifi: mt76: mt7925: fix host interrupt register initialization
wifi: ath11k: fix rx completion meta data corruption
wifi: rtw88: usb: Upload the firmware in bigger chunks
wifi: ath11k: fix ring-buffer corruption
NFSD: unregister filesystem in case genl_register_family() fails
NFSD: fix race between nfsd registration and exports_proc
NFSD: Implement FATTR4_CLONE_BLKSIZE attribute
nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request
nfsd: Initialize ssc before laundromat_work to prevent NULL dereference
SUNRPC: Prevent hang on NFS mount with xprtsec=[m]tls
NFSv4: Don't check for OPEN feature support in v4.1
fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio()
wifi: ath12k: fix ring-buffer corruption
jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata()
svcrdma: Unregister the device if svc_rdma_accept() fails
wifi: rtw88: usb: Reduce control message timeout to 500 ms
wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723
media: ov8856: suppress probe deferral errors
media: ov5675: suppress probe deferral errors
media: imx335: Use correct register width for HNUM
media: nxp: imx8-isi: better handle the m2m usage_count
media: i2c: ds90ub913: Fix returned fmt from .set_fmt()
media: ccs-pll: Start VT pre-PLL multiplier search from correct value
media: ov2740: Move pm-runtime cleanup on probe-errors to proper place
media: ccs-pll: Start OP pre-PLL multiplier search from correct value
media: ccs-pll: Correct the upper limit of maximum op_pre_pll_clk_div
media: ccs-pll: Check for too high VT PLL multiplier in dual PLL case
media: cxusb: no longer judge rbuf when the write fails
media: davinci: vpif: Fix memory leak in probe error path
media: gspca: Add error handling for stv06xx_read_sensor()
media: i2c: imx335: Fix frame size enumeration
media: imagination: fix a potential memory leak in e5010_probe()
media: intel/ipu6: Fix dma mask for non-secure mode
media: ipu6: Remove workaround for Meteor Lake ES2
media: mediatek: vcodec: Correct vsi_core framebuffer size
media: omap3isp: use sgtable-based scatterlist wrappers
media: v4l2-dev: fix error handling in __video_register_device()
media: venus: Fix probe error handling
media: videobuf2: use sgtable-based scatterlist wrappers
media: vidtv: Terminating the subsequent process of initialization failure
media: vivid: Change the siize of the composing
media: imx-jpeg: Drop the first error frames
media: imx-jpeg: Move mxc_jpeg_free_slot_data() ahead
media: imx-jpeg: Reset slot data pointers when freed
media: imx-jpeg: Cleanup after an allocation error
media: uvcvideo: Return the number of processed controls
media: uvcvideo: Send control events for partial succeeds
media: uvcvideo: Fix deferred probing error
arm64/mm: Close theoretical race where stale TLB entry remains valid
ARM: 9447/1: arm/memremap: fix arch_memremap_can_ram_remap()
ARM: omap: pmic-cpcap: do not mess around without CPCAP or OMAP4
ASoC: codecs: wcd9375: Fix double free of regulator supplies
ASoC: codecs: wcd937x: Drop unused buck_supply
block: use plug request list tail for one-shot backmerge attempt
block: Clear BIO_EMULATES_ZONE_APPEND flag on BIO completion
bus: mhi: ep: Update read pointer only after buffer is written
bus: mhi: host: Fix conflict between power_up and SYSERR
can: kvaser_pciefd: refine error prone echo_skb_max handling logic
can: tcan4x5x: fix power regulator retrieval during probe
ceph: avoid kernel BUG for encrypted inode with unaligned file size
ceph: set superblock s_magic for IMA fsmagic matching
cgroup,freezer: fix incomplete freezing when attaching tasks
bus: firewall: Fix missing static inline annotations for stubs
ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330
ata: ahci: Disallow LPM for ASUSPRO-D840SA motherboard
ata: ahci: Disallow LPM for Asus B550-F motherboard
bus: fsl-mc: do not add a device-link for the UAPI used DPMCP device
bus: fsl-mc: fix GET/SET_TAILDROP command ids
ext4: inline: fix len overflow in ext4_prepare_inline_data
ext4: fix calculation of credits for extent tree modification
ext4: factor out ext4_get_maxbytes()
ext4: ensure i_size is smaller than maxbytes
ext4: only dirty folios when data journaling regular files
Input: ims-pcu - check record size in ims_pcu_flash_firmware()
Input: gpio-keys - fix possible concurrent access in gpio_keys_irq_timer()
f2fs: fix to do sanity check on ino and xnid
f2fs: prevent kernel warning due to negative i_nlink from corrupted image
f2fs: fix to do sanity check on sit_bitmap_size
hwmon: (ftsteutates) Fix TOCTOU race in fts_read()
NFC: nci: uart: Set tty->disc_data only in success path
net/sched: fix use-after-free in taprio_dev_notifier
net: ftgmac100: select FIXED_PHY
iommu/vt-d: Restore context entry setup order for aliased devices
fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var
EDAC/altera: Use correct write width with the INTTEST register
fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var
parisc/unaligned: Fix hex output to show 8 hex chars
vgacon: Add check for vc_origin address range in vgacon_scroll()
parisc: fix building with gcc-15
clk: meson-g12a: add missing fclk_div2 to spicc
ipc: fix to protect IPCS lookups using RCU
watchdog: fix watchdog may detect false positive of softlockup
RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction
mm: fix ratelimit_pages update error in dirty_ratio_handler()
soc: qcom: pmic_glink_altmode: fix spurious DP hotplug events
configfs-tsm-report: Fix NULL dereference of tsm_ops
firmware: arm_scmi: Ensure that the message-id supports fastchannel
mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk
mtd: nand: sunxi: Add randomizer configuration before randomizer enable
KVM: SVM: Clear current_vmcb during vCPU free for all *possible* CPUs
KVM: VMX: Flush shadow VMCS on emergency reboot
dm-mirror: fix a tiny race condition
dm-verity: fix a memory leak if some arguments are specified multiple times
mtd: rawnand: qcom: Fix read len for onfi param page
ftrace: Fix UAF when lookup kallsym after ftrace disabled
dm: lock limits when reading them
phy: fsl-imx8mq-usb: fix phy_tx_vboost_level_from_property()
net: ch9200: fix uninitialised access during mii_nway_restart
KVM: s390: rename PROT_NONE to PROT_TYPE_DUMMY
sysfb: Fix screen_info type check for VGA
video: screen_info: Relocate framebuffers behind PCI bridges
pwm: axi-pwmgen: fix missing separate external clock
staging: iio: ad5933: Correct settling cycles encoding per datasheet
mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS
ovl: Fix nested backing file paths
regulator: max14577: Add error check for max14577_read_reg()
remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach()
remoteproc: core: Release rproc->clean_table after rproc_attach() fails
remoteproc: k3-m4: Don't assert reset in detach routine
cifs: reset connections for all channels when reconnect requested
cifs: update dstaddr whenever channel iface is updated
cifs: dns resolution is needed only for primary channel
smb: client: add NULL check in automount_fullpath
Drivers: hv: Allocate interrupt and monitor pages aligned to system page boundary
uio_hv_generic: Use correct size for interrupt and monitor pages
uio_hv_generic: Align ring size to system page
PCI: cadence-ep: Correct PBA offset in .set_msix() callback
PCI: dwc: ep: Correct PBA offset in .set_msix() callback
PCI: Add ACS quirk for Loongson PCIe
PCI: Fix lock symmetry in pci_slot_unlock()
PCI: dw-rockchip: Remove PCIE_L0S_ENTRY check from rockchip_pcie_link_up()
PCI: dw-rockchip: Fix PHY function call sequence in rockchip_pcie_phy_deinit()
iio: accel: fxls8962af: Fix temperature scan element sign
accel/ivpu: Improve buffer object logging
accel/ivpu: Use firmware names from upstream repo
accel/ivpu: Use dma_resv_lock() instead of a custom mutex
accel/ivpu: Fix warning in ivpu_gem_bo_free()
dummycon: Trigger redraw when switching consoles with deferred takeover
mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
iio: imu: inv_icm42600: Fix temperature calculation
iio: adc: ad7944: mask high bits on direct read
iio: adc: ti-ads1298: Kconfig: add kfifo dependency to fix module build
iio: adc: ad7606_spi: fix reg write value mask
ACPICA: fix acpi operand cache leak in dswstate.c
ASoC: amd: yc: Add quirk for Lenovo Yoga Pro 7 14ASP9
clocksource: Fix the CPUs' choice in the watchdog per CPU verification
power: supply: collie: Fix wakeup source leaks on device unbind
mmc: Add quirk to disable DDR50 tuning
ACPICA: Avoid sequence overread in call to strncmp()
ASoC: tas2770: Power cycle amp on ISENSE/VSENSE change
ASoC: intel/sdw_utils: Assign initial value in asoc_sdw_rt_amp_spk_rtd_init()
ACPI: bus: Bail out if acpi_kobj registration fails
ACPI: Add missing prototype for non CONFIG_SUSPEND/CONFIG_X86 case
ACPICA: fix acpi parse and parseext cache leaks
ACPICA: Apply pack(1) to union aml_resource
ALSA: hda: cs35l41: Fix swapped l/r audio channels for Acer Helios laptops
power: supply: bq27xxx: Retrieve again when busy
pmdomain: core: Reset genpd->states to avoid freeing invalid data
ACPICA: utilities: Fix overflow check in vsnprintf()
platform-msi: Add msi_remove_device_irq_domain() in platform_device_msi_free_irqs_all()
ASoC: tegra210_ahub: Add check to of_device_get_match_data()
Make 'cc-option' work correctly for the -Wno-xyzzy pattern
gpiolib: of: Add polarity quirk for s5m8767
PM: runtime: fix denying of auto suspend in pm_suspend_timer_fn()
power: supply: max17040: adjust thermal channel scaling
ACPI: battery: negate current when discharging
net: macb: Check return value of dma_set_mask_and_coherent()
net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices
tipc: use kfree_sensitive() for aead cleanup
f2fs: use vmalloc instead of kvmalloc in .init_{,de}compress_ctx
bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem()
Bluetooth: btusb: Add new VID/PID 13d3/3584 for MT7922
i2c: designware: Invoke runtime suspend on quick slave re-registration
wifi: mt76: mt7996: drop fragments with multicast or broadcast RA
emulex/benet: correct command version selection in be_cmd_get_stats()
Bluetooth: btusb: Add new VID/PID 13d3/3630 for MT7925
wifi: mt76: mt76x2: Add support for LiteOn WN4516R,WN4519R
wifi: mt76: mt7921: add 160 MHz AP for mt7922 device
wifi: mt76: mt7925: introduce thermal protection
wifi: mac80211: validate SCAN_FLAG_AP in scan request during MLO
sctp: Do not wake readers in __sctp_write_space()
libbpf/btf: Fix string handling to support multi-split BTF
cpufreq: scmi: Skip SCMI devices that aren't used by the CPUs
i2c: tegra: check msg length in SMBUS block read
i2c: npcm: Add clock toggle recovery
clk: qcom: gcc-x1e80100: Set FORCE MEM CORE for UFS clocks
net: dlink: add synchronization for stats update
wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET
wifi: ath12k: fix a possible dead lock caused by ab->base_lock
wifi: ath11k: Fix QMI memory reuse logic
iommu/amd: Allow matching ACPI HID devices without matching UIDs
wifi: rtw89: leave idle mode when setting WEP encryption for AP mode
tcp: always seek for minimal rtt in tcp_rcv_rtt_update()
tcp: remove zero TCP TS samples for autotuning
tcp: fix initial tp->rcvq_space.space value for passive TS enabled flows
tcp: add receive queue awareness in tcp_rcv_space_adjust()
x86/sgx: Prevent attempts to reclaim poisoned pages
ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT
net: page_pool: Don't recycle into cache on PREEMPT_RT
xfrm: validate assignment of maximal possible SEQ number
net: atlantic: generate software timestamp just before the doorbell
pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name()
pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction()
bpf: Pass the same orig_call value to trampoline functions
net: stmmac: generate software timestamp just before the doorbell
pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction()
libbpf: Check bpf_map_skeleton link for NULL
pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get()
net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info
net: vertexcom: mse102x: Return code for mse102x_rx_pkt_spi
wireless: purelifi: plfxlc: fix memory leak in plfxlc_usb_wreq_asyn()
wifi: mac80211: do not offer a mesh path if forwarding is disabled
clk: rockchip: rk3036: mark ddrphy as critical
hid-asus: check ROG Ally MCU version and warn
wifi: iwlwifi: mvm: fix beacon CCK flag
f2fs: fix to bail out in get_new_segment()
netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
libbpf: Add identical pointer detection to btf_dedup_is_equiv()
scsi: lpfc: Fix lpfc_check_sli_ndlp() handling for GEN_REQUEST64 commands
scsi: smartpqi: Add new PCI IDs
iommu/amd: Ensure GA log notifier callbacks finish running before module unload
wifi: iwlwifi: pcie: make sure to lock rxq->read
wifi: rtw89: 8922a: fix TX fail with wrong VCO setting
wifi: mac80211_hwsim: Prevent tsf from setting if beacon is disabled
netdevsim: Mark NAPI ID on skb in nsim_rcv
net/mlx5: HWS, Fix IP version decision
bpf: Use proper type to calculate bpf_raw_tp_null_args.mask index
wifi: mac80211: VLAN traffic in multicast path
Revert "mac80211: Dynamically set CoDel parameters per station"
wifi: iwlwifi: Add missing MODULE_FIRMWARE for Qu-c0-jf-b0
net: bridge: mcast: update multicast contex when vlan state is changed
net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions
vxlan: Do not treat dst cache initialization errors as fatal
bnxt_en: Remove unused field "ref_count" in struct bnxt_ulp
wifi: ath12k: using msdu end descriptor to check for rx multicast packets
net: ethernet: ti: am65-cpsw: handle -EPROBE_DEFER
software node: Correct a OOB check in software_node_get_reference_args()
isofs: fix Y2038 and Y2156 issues in Rock Ridge TF entry
pinctrl: mcp23s08: Reset all pins to input at probe
wifi: ath12k: fix failed to set mhi state error during reboot with hardware grouping
scsi: lpfc: Use memcpy() for BIOS version
sock: Correct error checking condition for (assign|release)_proto_idx()
i40e: fix MMIO write access to an invalid page in i40e_clear_hw
ixgbe: Fix unreachable retry logic in combined and byte I2C write functions
RDMA/hns: initialize db in update_srq_db()
ice: fix check for existing switch rule
usbnet: asix AX88772: leave the carrier control to phylink
f2fs: fix to set atomic write status more clear
bpf, sockmap: Fix data lost during EAGAIN retries
net: ethernet: cortina: Use TOE/TSO on all TCP
octeontx2-pf: Add error log forcn10k_map_unmap_rq_policer()
wifi: ath11k: determine PM policy based on machine model
wifi: ath12k: fix link valid field initialization in the monitor Rx
wifi: ath12k: fix incorrect CE addresses
wifi: ath12k: Pass correct values of center freq1 and center freq2 for 160 MHz
net/mlx5: HWS, Harden IP version definer checks
fbcon: Make sure modelist not set on unregistered console
watchdog: da9052_wdt: respect TWDMIN
bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value
ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY
tee: Prevent size calculation wraparound on 32-bit kernels
Revert "bus: ti-sysc: Probe for l4_wkup and l4_cfg interconnect devices first"
fs/xattr.c: fix simple_xattr_list()
platform/x86/amd: pmc: Clear metrics table at start of cycle
platform/x86/amd: pmf: Prevent amd_pmf_tee_deinit() from running twice
platform/x86: dell_rbu: Fix list usage
platform/x86: dell_rbu: Stop overwriting data buffer
powerpc/vdso: Fix build of VDSO32 with pcrel
powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery
io_uring/kbuf: don't truncate end buffer for multiple buffer peeks
io_uring: fix task leak issue in io_wq_create()
drivers/rapidio/rio_cm.c: prevent possible heap overwrite
platform/loongarch: laptop: Get brightness setting from EC on probe
platform/loongarch: laptop: Unregister generic_sub_drivers on exit
platform/loongarch: laptop: Add backlight power control support
LoongArch: vDSO: Correctly use asm parameters in syscall wrappers
LoongArch: Avoid using $r0/$r1 as "mask" for csrxchg
LoongArch: Fix panic caused by NULL-PMD in huge_pte_offset()
jffs2: check that raw node were preallocated before writing summary
jffs2: check jffs2_prealloc_raw_node_refs() result in few other places
cifs: deal with the channel loading lag while picking channels
cifs: serialize other channels when query server interfaces is pending
cifs: do not disable interface polling on failure
smb: improve directory cache reuse for readdir operations
scsi: storvsc: Increase the timeouts to storvsc_timeout
scsi: s390: zfcp: Ensure synchronous unit_add
nvme: always punt polled uring_cmd end_io work to task_work
net_sched: sch_sfq: reject invalid perturb period
net: clear the dst when changing skb protocol
mm: close theoretical race where stale TLB entries could linger
udmabuf: use sgtable-based scatterlist wrappers
x86/virt/tdx: Avoid indirect calls to TDX assembly functions
selftests/x86: Add a test to detect infinite SIGTRAP handler loop
ksmbd: fix null pointer dereference in destroy_previous_session
platform/x86: ideapad-laptop: use usleep_range() for EC polling
selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len
platform/x86/intel-uncore-freq: Fail module load when plat_info is NULL
sched_ext, sched/core: Don't call scx_group_set_weight() prematurely from sched_create_group()
atm: Revert atm_account_tx() if copy_from_iter_full() fails.
wifi: rtw89: phy: add dummy C2H event handler for report of TAS power
cpufreq/amd-pstate: Add missing NULL ptr check in amd_pstate_update
Input: sparcspkr - avoid unannotated fall-through
wifi: ath12k: Clear affinity hint before calling ath12k_pci_free_irq() in error path
wifi: cfg80211: init wiphy_work before allocating rfkill fails
arm64: Restrict pagetable teardown to avoid false warning
ALSA: usb-audio: Rename ALSA kcontrol PCM and PCM1 for the KTMicro sound card
ALSA: hda/intel: Add Thinkpad E15 to PM deny list
ALSA: hda/realtek - Add mute LED support for HP Victus 16-s1xxx and HP Victus 15-fa1xxx
ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged
ALSA: hda/realtek: Fix built-in mic on ASUS VivoBook X513EA
ALSA: hda/realtek: Add quirk for Asus GU605C
iio: accel: fxls8962af: Fix temperature calculation
mm/hugetlb: unshare page tables during VMA split, not before
drm/amdgpu: read back register after written for VCN v4.0.5
kbuild: rust: add rustc-min-version support function
rust: compile libcore with edition 2024 for 1.87+
net: Fix checksum update for ILA adj-transport
bpf: Fix L4 csum update on IPv6 in CHECKSUM_COMPLETE
erofs: remove unused trace event erofs_destroy_inode
nfsd: use threads array as-is in netlink interface
sunrpc: handle SVC_GARBAGE during svc auth processing as auth error
drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()`
Kunit to check the longest symbol length
x86/tools: Drop duplicate unlikely() definition in insn_decoder_test.c
ipv6: remove leftover ip6 cookie initializer
ipv6: replace ipcm6_init calls with ipcm6_init_sk
smb: fix secondary channel creation issue with kerberos by populating hostname when adding channels
drm/msm/disp: Correct porch timing for SDM845
drm/msm/dsi/dsi_phy_10nm: Fix missing initial VCO rate
drm/msm: Fix CP_RESET_CONTEXT_STATE bitfield names
drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE
drm/ssd130x: fix ssd132x_clear_screen() columns
ionic: Prevent driver/fw getting out of sync on devcmd(s)
drm/nouveau/bl: increase buffer size to avoid truncate warning
drm/i915/pmu: Fix build error with GCOV and AutoFDO enabled
hwmon: (occ) Rework attribute registration for stack usage
hwmon: (occ) fix unaligned accesses
hwmon: (ltc4282) avoid repeated register write
pldmfw: Select CRC32 when PLDMFW is selected
aoe: clean device rq_list in aoedev_downdev()
io_uring/sqpoll: don't put task_struct on tctx setup failure
net: ice: Perform accurate aRFS flow match
ice: fix eswitch code memory leak in reset scenario
e1000e: set fixed clock frequency indication for Nahum 11 and Nahum 13
workqueue: Initialize wq_isolated_cpumask in workqueue_init_early()
ksmbd: add free_transport ops in ksmbd connection
net: netmem: fix skb_ensure_writable with unreadable skbs
bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start()
eth: bnxt: fix out-of-range access of vnic_info array
bnxt_en: Add a helper function to configure MRU and RSS
bnxt_en: Update MRU and RSS table of RSS contexts on queue reset
ptp: fix breakage after ptp_vclock_in_use() rework
ptp: allow reading of currently dialed frequency to succeed on free-running clocks
wifi: carl9170: do not ping device which has failed to load firmware
mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu().
atm: atmtcp: Free invalid length skb in atmtcp_c_send().
tcp: fix tcp_packet_delayed() for tcp_is_non_sack_preventing_reopen() behavior
tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer
tcp: fix passive TFO socket having invalid NAPI ID
eth: fbnic: avoid double free when failing to DMA-map FW msg
net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get()
ublk: santizize the arguments from userspace when adding a device
drm/xe: Wire up device shutdown handler
drm/xe/gt: Update handling of xe_force_wake_get return
drm/xe/bmg: Update Wa_16023588340
calipso: Fix null-ptr-deref in calipso_req_{set,del}attr().
mlxbf_gige: return EPROBE_DEFER if PHY IRQ is not available
net: atm: add lec_mutex
net: atm: fix /proc/net/atm/lec handling
EDAC/amd64: Correct number of UMCs for family 19h models 70h-7fh
dt-bindings: i2c: nvidia,tegra20-i2c: Specify the required properties
smb: Log an error when close_all_cached_dirs fails
serial: sh-sci: Clean sci_ports[0] after at earlycon exit
serial: sh-sci: Increment the runtime usage counter for the earlycon device
smb: client: fix first command failure during re-negotiation
smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma()
s390/pci: Fix __pcilg_mio_inuser() inline assembly
perf: Fix sample vs do_exit()
perf: Fix cgroup state vs ERROR
perf/core: Fix WARN in perf_cgroup_switch()
arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth()
scsi: elx: efct: Fix memory leak in efct_hw_parse_filter()
RISC-V: KVM: Fix the size parameter check in SBI SFENCE calls
RISC-V: KVM: Don't treat SBI HFENCE calls as NOPs
gpio: pca953x: fix wrong error probe return value
perf evsel: Missed close() when probing hybrid core PMUs
perf test: Directory file descriptor leak
gpio: mlxbf3: only get IRQ for device instance 0
cifs: Remove duplicate fattr->cf_dtype assignment from wsl_to_fattr() function
bpftool: Fix cgroup command to only show cgroup bpf programs
Linux 6.12.35
Change-Id: Ida57d269272a624bedb979bfad0b3c5e7df7e846
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
GKI (arm64) relevant 105 out of 506 changes, affecting 145 files +1290/-523
623074162b sched: Fix trace_sched_switch(.prev_state) [1 file, +4/-2]
781bbc8252 perf/core: Fix broken throttling when max_samples_per_tick=1 [1 file, +8/-8]
451a18d71b sched/core: Tweak wait_task_inactive() to force dequeue sched_delayed tasks [1 file, +6/-0]
5b814cde62 brd: fix aligned_sector from brd_do_discard() [1 file, +1/-1]
48e11bcee9 brd: fix discard end sector [1 file, +6/-3]
9cfca45aec erofs: fix file handle encoding for 64-bit NIDs [1 file, +36/-8]
65115472f7 erofs: avoid using multiple devices with different type [1 file, +4/-1]
58beaa1aee rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture [3 files, +10/-6]
5ed92ad1b7 crypto: xts - Only add ecb if it is not already there [1 file, +2/-2]
e9ecaeaf41 kunit: Fix wrong parameter to kunit_deactivate_static_stub() [1 file, +1/-1]
9c094deb6b crypto: api - Redo lookup on EEXIST [1 file, +11/-2]
81d72f9241 PM: EM: Fix potential division-by-zero error in em_compute_costs() [1 file, +4/-0]
0426e92970 PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks() [1 file, +3/-0]
77d45ba1be PM: sleep: Print PM debug messages during hibernation [3 files, +11/-1]
45844a9403 ALSA: core: fix up bus match const issues. [4 files, +8/-8]
fa65c89f3f arm64/fpsimd: Avoid RES0 bits in the SME trap handler [2 files, +9/-7]
6103f9ba51 arm64/fpsimd: Discard stale CPU state when handling SME traps [1 file, +2/-0]
945d247d1c arm64/fpsimd: Don't corrupt FPMR when streaming mode changes [1 file, +3/-3]
55d52af498 arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP [1 file, +1/-1]
2756dac036 arm64/fpsimd: Reset FPMR upon exec() [1 file, +3/-0]
f5ffc750db arm64/fpsimd: Fix merging of FPSIMD state during signal return [1 file, +1/-1]
0860d48b70 firmware: psci: Fix refcount leak in psci_dt_init [1 file, +3/-1]
64a9ee6e11 arm64/fpsimd: Avoid warning when sve_to_fpsimd() is unused [1 file, +2/-2]
b3cfc1f9f5 arm64/fpsimd: Do not discard modified SVE state [3 files, +47/-17]
e55f46a11b overflow: Fix direct struct member initialization in _DEFINE_FLEX() [1 file, +3/-3]
671dd1fb87 bpf: Check link_create.flags parameter for multi_kprobe [1 file, +3/-0]
3a8e680f7d bpf, sockmap: fix duplicated data transmission [1 file, +9/-5]
3d25fa2d7f bpf, sockmap: Fix panic when calling skb_linearize [1 file, +16/-15]
44a51592ac f2fs: zone: fix to avoid inconsistence in between SIT and SSA [1 file, +3/-0]
4f51fb0d25 page_pool: Track DMA-mapped pages and unmap them when destroying the pool [5 files, +147/-18]
88f65bb66d iommu: Protect against overflow in iommu_pgsize() [1 file, +3/-1]
04daca6012 f2fs: clean up w/ fscrypt_is_bounce_page() [1 file, +1/-1]
4248ba53e4 f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed() [1 file, +1/-1]
c1f418cc27 bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps [1 file, +16/-11]
e53a8dcd36 tracing: Move histogram trigger variables from stack to per CPU structure [1 file, +105/-15]
69a995644a efi/libstub: Describe missing 'out' parameter in efi_load_initrd [1 file, +1/-0]
709412b92a tracing: Fix error handling in event_trigger_parse() [1 file, +2/-2]
c98cdf6795 bpf: Fix WARN() in get_bpf_raw_tp_regs [1 file, +1/-1]
e0657136ae scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort() [1 file, +0/-6]
6bfb154f95 kernfs: Relax constraint in draining guard [2 files, +5/-3]
df00f9147e Bluetooth: ISO: Fix not using SID from adv report [5 files, +75/-14]
1d249cc92d bpf: Revert "bpf: remove unnecessary rcu_read_{lock,unlock}() in multi-uprobe attach logic" [1 file, +2/-0]
1750c3f1d9 Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach() [1 file, +1/-1]
15c0250dae bpf, sockmap: Avoid using sk_socket after free when sending [1 file, +8/-0]
30a9e834c7 net: usb: aqc111: fix error handling of usbnet read calls [1 file, +8/-2]
7893a41dea vsock/virtio: fix `rx_bytes` accounting for stream sockets [2 files, +17/-10]
2bc6dffb4b bpf: Avoid __bpf_prog_ret0_warn when jit fails [1 file, +1/-1]
ddc654e89a net: phy: clear phydev->devlink when the link is deleted [1 file, +3/-1]
f15ed37dd3 net: phy: fix up const issues in to_mdio_device() and to_phy_device() [2 files, +2/-8]
532601e783 f2fs: use d_inode(dentry) cleanup dentry->d_inode [2 files, +6/-6]
0befc3005d f2fs: fix to correct check conditions in f2fs_cross_rename [1 file, +1/-1]
2eeb181e76 dm: don't change md if dm_table_set_restrictions() fails [1 file, +12/-10]
48e0b54be4 dm: free table mempools if not used in __bind [1 file, +4/-4]
17e4b0fcd2 PCI: Print the actual delay time in pci_bridge_wait_for_secondary_bus() [1 file, +1/-1]
0a3e2ec508 PCI: endpoint: Retain fixed-size BAR size as well as aligned size [2 files, +18/-7]
9f40ae8310 USB: gadget: udc: fix const issue in gadget_match_driver() [1 file, +1/-1]
4bd30962f3 USB: typec: fix const issue in typec_match() [1 file, +1/-1]
3091d4c0d0 loop: add file_start_write() and file_end_write() [1 file, +6/-2]
90891eadb8 Fix sock_exceed_buf_limit not being triggered in __sk_mem_raise_allocated [1 file, +4/-4]
e869a85acc page_pool: Fix use-after-free in page_pool_recycle_in_ring [1 file, +14/-13]
c762fc79d7 net: tipc: fix refcount warning in tipc_aead_encrypt [1 file, +5/-1]
b788cebf72 Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION [1 file, +2/-1]
4399f59a94 net: fix udp gso skb_segment after pull from frag_list [1 file, +5/-0]
0cffc6e40d PM: sleep: Fix power.is_suspended cleanup for direct-complete devices [1 file, +2/-1]
f34dc858e6 netfilter: nf_nat: also check reverse tuple to obtain clashing entry [1 file, +9/-3]
4f0fcdb835 wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements [4 files, +83/-32]
933466fc50 wireguard: device: enable threaded NAPI [1 file, +1/-0]
1be1f3b848 iov_iter: use iov_offset for length calculation in iov_iter_aligned_bvec [1 file, +1/-1]
1d79230719 path_overmount(): avoid false negatives [1 file, +13/-6]
e1d02fe504 fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2) [1 file, +1/-1]
9c1ddfeb66 do_change_type(): refuse to operate on unmounted/not ours mounts [1 file, +4/-0]
80f7c5be4f pmdomain: core: Introduce dev_pm_genpd_rpm_always_on() [2 files, +42/-0]
3464a707d1 scsi: core: ufs: Fix a hang in the error handler [1 file, +6/-1]
99e3d69853 Bluetooth: hci_core: fix list_for_each_entry_rcu usage [1 file, +3/-8]
9df3e5e7f7 Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete [3 files, +12/-30]
84ab1283eb Bluetooth: MGMT: Remove unused mgmt_pending_find_data [2 files, +0/-21]
4e83f2dbb2 Bluetooth: MGMT: Protect mgmt_pending list with its own lock [5 files, +80/-59]
d1bc80da75 net_sched: sch_sfq: fix a potential crash on gso_skb handling [1 file, +4/-1]
1e0de7582c net: Fix TOCTOU issue in sk_is_readable() [1 file, +5/-2]
78fa7b723e macsec: MACsec SCI assignment for ES = 0 [1 file, +34/-6]
b02d9d2732 net/mdiobus: Fix potential out-of-bounds read/write access [1 file, +6/-0]
31bf7b2b92 net/mdiobus: Fix potential out-of-bounds clause 45 read/write access [1 file, +6/-0]
842f7c3154 Bluetooth: Fix NULL pointer deference on eir_get_service_data [1 file, +6/-4]
907ef6e12f Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance [1 file, +15/-5]
2af40d795d Bluetooth: eir: Fix possible crashes on eir_create_adv_data [3 files, +8/-6]
7a41744e38 Bluetooth: MGMT: Fix sparse errors [1 file, +2/-2]
e3f6745006 net_sched: prio: fix a race in prio_tune() [1 file, +1/-1]
180b12eafa net_sched: tbf: fix a race in tbf_change() [1 file, +1/-1]
0a2500782f fs/filesystems: Fix potential unsigned integer underflow in fs_name() [1 file, +9/-5]
f351bb3085 perf: Ensure bpf_perf_link path is properly serialized [1 file, +30/-4]
a5c7b61eed block: use q->elevator with ->elevator_lock held in elv_iosched_show() [1 file, +1/-2]
af8c13f9ee io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() [2 files, +14/-7]
0fccb6773b block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work [1 file, +5/-2]
48f33ec141 io_uring: consistently use rcu semantics with sqpoll thread [4 files, +38/-15]
a9022c8631 bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP [1 file, +1/-1]
4b1ef15ffd block: Fix bvec_set_folio() for very large folios [1 file, +5/-2]
84e9f0a2c2 ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1 [1 file, +1/-0]
c29d531870 posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() [1 file, +9/-0]
657003ced7 usb: Flush altsetting 0 endpoints before reinitializating them after reset. [1 file, +14/-2]
7bdd712abe usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work [1 file, +71/-20]
b8df8cb8f7 ring-buffer: Do not trigger WARN_ON() due to a commit_overrun [1 file, +18/-8]
e09c0600be ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set() [1 file, +1/-3]
2d6a6cfe96 ring-buffer: Move cpus_read_lock() outside of buffer->mutex [1 file, +6/-5]
5ed1d7a700 net: usb: aqc111: debug info before sanitation [1 file, +4/-4]
ab20b0bdb0 overflow: Introduce __DEFINE_FLEX for having no initializer [1 file, +19/-6]
Changes in 6.12.34
tools/x86/kcpuid: Fix error handling
x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in mwait_idle_with_hints() and prefer_mwait_c1_over_halt()
crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run()
sched: Fix trace_sched_switch(.prev_state)
perf/x86/amd/uncore: Remove unused 'struct amd_uncore_ctx::node' member
perf/x86/amd/uncore: Prevent UMC counters from saturating
gfs2: replace sd_aspace with sd_inode
gfs2: gfs2_create_inode error handling fix
perf/core: Fix broken throttling when max_samples_per_tick=1
crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare()
crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions
powerpc: do not build ppc_save_regs.o always
powerpc/crash: Fix non-smp kexec preparation
sched/core: Tweak wait_task_inactive() to force dequeue sched_delayed tasks
x86/microcode/AMD: Do not return error when microcode update is not necessary
crypto: sun8i-ce - undo runtime PM changes during driver removal
x86/cpu: Sanitize CPUID(0x80000000) output
x86/insn: Fix opcode map (!REX2) superscript tags
brd: fix aligned_sector from brd_do_discard()
brd: fix discard end sector
kselftest: cpufreq: Get rid of double suspend in rtcwake case
crypto: marvell/cesa - Handle zero-length skcipher requests
crypto: marvell/cesa - Avoid empty transfer descriptor
erofs: fix file handle encoding for 64-bit NIDs
erofs: avoid using multiple devices with different type
powerpc/pseries/iommu: Fix kmemleak in TCE table userspace view
btrfs: scrub: update device stats when an error is detected
btrfs: scrub: fix a wrong error type when metadata bytenr mismatches
btrfs: fix invalid data space release when truncating block in NOCOW mode
rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture
crypto: lrw - Only add ecb if it is not already there
crypto: xts - Only add ecb if it is not already there
crypto: sun8i-ce - move fallback ahash_request to the end of the struct
kunit: Fix wrong parameter to kunit_deactivate_static_stub()
crypto: api - Redo lookup on EEXIST
ACPICA: exserial: don't forget to handle FFixedHW opregions for reading
ASoC: tas2764: Enable main IRQs
ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY()
EDAC/skx_common: Fix general protection fault
EDAC/{skx_common,i10nm}: Fix the loss of saved RRL for HBM pseudo channel 0
spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers
spi: tegra210-quad: remove redundant error handling code
spi: tegra210-quad: modify chip select (CS) deactivation
power: reset: at91-reset: Optimize at91_reset()
PM: EM: Fix potential division-by-zero error in em_compute_costs()
ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type
ASoC: SOF: amd: add missing acp descriptor field
PM: wakeup: Delete space in the end of string shown by pm_show_wakelocks()
ACPI: resource: fix a typo for MECHREVO in irq1_edge_low_force_override[]
x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges()
PM: sleep: Print PM debug messages during hibernation
thermal/drivers/mediatek/lvts: Fix debugfs unregister on failure
ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions"
spi: sh-msiof: Fix maximum DMA transfer size
ASoC: apple: mca: Constrain channels according to TDM mask
ALSA: core: fix up bus match const issues.
drm/vmwgfx: Add seqno waiter for sync_files
drm/vmwgfx: Add error path for xa_store in vmw_bo_add_detached_resource
drm/vmwgfx: Fix dumb buffer leak
drm/xe/d3cold: Set power state to D3Cold during s2idle/s3
drm/vc4: tests: Use return instead of assert
drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table
media: rkvdec: Fix frame size enumeration
arm64/fpsimd: Avoid RES0 bits in the SME trap handler
arm64/fpsimd: Discard stale CPU state when handling SME traps
arm64/fpsimd: Don't corrupt FPMR when streaming mode changes
arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP
arm64/fpsimd: Reset FPMR upon exec()
arm64/fpsimd: Fix merging of FPSIMD state during signal return
drm/panthor: Fix GPU_COHERENCY_ACE[_LITE] definitions
drm/panthor: Update panthor_mmu::irq::mask when needed
perf: arm-ni: Unregister PMUs on probe failure
perf: arm-ni: Fix missing platform_set_drvdata()
drm/panel: samsung-sofef00: Drop s6e3fc2x01 support
drm/bridge: lt9611uxc: Fix an error handling path in lt9611uxc_probe()
fs/ntfs3: handle hdr_first_de() return value
fs/ntfs3: Add missing direct_IO in ntfs_aops_cmpr
kunit/usercopy: Disable u64 test on 32-bit SPARC
watchdog: exar: Shorten identity name to fit correctly
m68k: mac: Fix macintosh_config for Mac II
firmware: psci: Fix refcount leak in psci_dt_init
arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX
arm64/fpsimd: Avoid warning when sve_to_fpsimd() is unused
selftests/seccomp: fix syscall_restart test for arm compat
drm/msm/dpu: enable SmartDMA on SM8150
drm/msm/dpu: enable SmartDMA on SC8180X
drm: rcar-du: Fix memory leak in rcar_du_vsps_init()
drm/vkms: Adjust vkms_state->active_planes allocation type
drm/tegra: rgb: Fix the unbound reference count
firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
arm64/fpsimd: Do not discard modified SVE state
overflow: Fix direct struct member initialization in _DEFINE_FLEX()
scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops
perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create()
selftests/seccomp: fix negative_ENOSYS tracer tests on arm32
drm/msm/a6xx: Disable rgb565_predicator on Adreno 7c3
drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr
drm/mediatek: Fix kobject put for component sub-drivers
drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err
media: verisilicon: Free post processor buffers on error
svcrdma: Reduce the number of rdma_rw contexts per-QP
xen/x86: fix initial memory balloon target
wifi: ath11k: fix node corruption in ar->arvifs list
wifi: ath12k: Fix memory leak during vdev_id mismatch
wifi: ath12k: Fix invalid memory access while forming 802.11 header
IB/cm: use rwlock for MAD agent lock
bpf: Check link_create.flags parameter for multi_kprobe
selftests/bpf: Fix bpf_nf selftest failure
bpf: fix ktls panic with sockmap
bpf, sockmap: fix duplicated data transmission
bpf, sockmap: Fix panic when calling skb_linearize
f2fs: zone: fix to avoid inconsistence in between SIT and SSA
wifi: ath12k: fix cleanup path after mhi init
wifi: ath12k: Fix WMI tag for EHT rate in peer assoc
wifi: ath12k: Fix buffer overflow in debugfs
f2fs: clean up unnecessary indentation
f2fs: prevent the current section from being selected as a victim during GC
f2fs: fix to do sanity check on sbi->total_valid_block_count
page_pool: Move pp_magic check into helper functions
page_pool: Track DMA-mapped pages and unmap them when destroying the pool
net: ncsi: Fix GCPS 64-bit member variables
libbpf: Fix buffer overflow in bpf_object__init_prog
net/mlx5: Avoid using xso.real_dev unnecessarily
xfrm: Use xdo.dev instead of xdo.real_dev
wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT
wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally
wifi: rtw88: do not ignore hardware read error during DPK
wifi: ath12k: fix invalid access to memory
wifi: ath12k: Add MSDU length validation for TKIP MIC error
wifi: ath12k: Fix the QoS control field offset to build QoS header
wifi: ath12k: fix node corruption in ar->arvifs list
RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h
scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk
libbpf: Fix event name too long error
libbpf: Remove sample_period init in perf_buffer
Use thread-safe function pointer in libbpf_print
iommu: Protect against overflow in iommu_pgsize()
bonding: assign random address if device address is same as bond
f2fs: clean up w/ fscrypt_is_bounce_page()
f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()
scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels
libbpf: Use proper errno value in linker
bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps
netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it
netfilter: nft_quota: match correctly when the quota just depleted
netfilter: nft_set_pipapo: prevent overflow in lookup table allocation
RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ
tracing: Move histogram trigger variables from stack to per CPU structure
clk: qcom: camcc-sm6350: Add *_wait_val values for GDSCs
clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs
clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs
clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs
bpftool: Fix regression of "bpftool cgroup tree" EINVAL on older kernels
clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
wifi: iwlfiwi: mvm: Fix the rate reporting
efi/libstub: Describe missing 'out' parameter in efi_load_initrd
selftests/bpf: Fix caps for __xlated/jited_unpriv
tracing: Rename event_trigger_alloc() to trigger_data_alloc()
tracing: Fix error handling in event_trigger_parse()
of: unittest: Unlock on error in unittest_data_add()
ktls, sockmap: Fix missing uncharge operation
libbpf: Use proper errno value in nlattr
pinctrl: at91: Fix possible out-of-boundary access
bpf: Fix WARN() in get_bpf_raw_tp_regs
dt-bindings: soc: fsl,qman-fqd: Fix reserved-memory.yaml reference
clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz
s390/bpf: Store backchain even for leaf progs
wifi: rtw89: pci: enlarge retry times of RX tag to 1000
wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds
wifi: rtw89: fix firmware scan delay unit for WiFi 6 chips
iommu: remove duplicate selection of DMAR_TABLE
wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event
hisi_acc_vfio_pci: fix XQE dma address error
hisi_acc_vfio_pci: add eq and aeq interruption restore
hisi_acc_vfio_pci: bugfix live migration function without VF device driver
wifi: ath9k_htc: Abort software beacon handling if disabled
scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort()
kernfs: Relax constraint in draining guard
Bluetooth: ISO: Fix not using SID from adv report
wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init()
wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()
wifi: mt76: mt7925: prevent multiple scan commands
wifi: mt76: mt7925: refine the sniffer commnad
wifi: mt76: mt7925: ensure all MCU commands wait for response
wifi: mt76: mt7996: set EHT max ampdu length capability
wifi: mt76: mt7996: fix RX buffer size of MCU event
bpf: Revert "bpf: remove unnecessary rcu_read_{lock,unlock}() in multi-uprobe attach logic"
netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds
netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result discrepancy
vfio/type1: Fix error unwind in migration dirty bitmap allocation
Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach()
Bluetooth: btintel: Check dsbr size from EFI variable
bpf, sockmap: Avoid using sk_socket after free when sending
netfilter: nf_tables: nft_fib: consistent l3mdev handling
netfilter: nft_tunnel: fix geneve_opt dump
RISC-V: KVM: lock the correct mp_state during reset
net: usb: aqc111: fix error handling of usbnet read calls
vsock/virtio: fix `rx_bytes` accounting for stream sockets
RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work
net: lan966x: Fix 1-step timestamping over ipv4 or ipv6
net: xilinx: axienet: Fix Tx skb circular buffer occupancy check in dmaengine xmit
bpf: Avoid __bpf_prog_ret0_warn when jit fails
net: phy: clear phydev->devlink when the link is deleted
net: phy: fix up const issues in to_mdio_device() and to_phy_device()
net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy
net: lan743x: Fix PHY reset handling during initialization and WOL
net: phy: mscc: Fix memory leak when using one step timestamping
octeontx2-pf: QOS: Perform cache sync on send queue teardown
octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback
calipso: Don't call calipso functions for AF_INET sk.
net: openvswitch: Fix the dead loop of MPLS parse
net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames
f2fs: use d_inode(dentry) cleanup dentry->d_inode
f2fs: fix to correct check conditions in f2fs_cross_rename
arm64: dts: qcom: x1e80100: Mark usb_2 as dma-coherent
arm64: dts: qcom: sm8650: setup gpu thermal with higher temperatures
arm64: dts: qcom: sm8650: add missing cpu-cfg interconnect path in the mdss node
arm64: dts: qcom: x1e80100-romulus: Keep L12B and L15B always on
arm64: dts: qcom: sdm845-starqltechn: remove wifi
arm64: dts: qcom: sdm845-starqltechn: fix usb regulator mistake
arm64: dts: qcom: sdm845-starqltechn: refactor node order
arm64: dts: qcom: sdm845-starqltechn: remove excess reserved gpios
arm64: dts: qcom: sm8350: Reenable crypto & cryptobam
arm64: dts: qcom: sm8250: Fix CPU7 opp table
arm64: dts: qcom: sc8280xp-x13s: Drop duplicate DMIC supplies
arm64: dts: qcom: ipq9574: Fix USB vdd info
arm64: dts: rockchip: Move SHMEM memory to reserved memory on rk3588
ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select
ARM: dts: at91: at91sam9263: fix NAND chip selects
arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power domains
arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect GPIO
arm64: dts: mt8183: Add port node to mt8183.dtsi
arm64: dts: imx8mm-beacon: Fix RTC capacitive load
arm64: dts: imx8mn-beacon: Fix RTC capacitive load
arm64: dts: imx8mp-beacon: Fix RTC capacitive load
arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI audio
arm64: dts: imx8mn-beacon: Set SAI5 MCLK direction to output for HDMI audio
arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles
arm64: dts: mt6359: Add missing 'compatible' property to regulators node
arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply
arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning
arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3566-rock3c
arm64: dts: rockchip: Update eMMC for NanoPi R5 series
arm64: tegra: Drop remaining serial clock-names and reset-names
arm64: tegra: Add uartd serial alias for Jetson TX1 module
arm64: dts: ti: k3-j721e-common-proc-board: Enable OSPI1 on J721E
soc: qcom: smp2p: Fix fallback to qcom,ipc parse
Squashfs: check return result of sb_min_blocksize
ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery
nilfs2: add pointer check for nilfs_direct_propagate()
nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()
bus: fsl-mc: fix double-free on mc_dev
dt-bindings: vendor-prefixes: Add Liontron name
ARM: dts: qcom: apq8064: add missing clocks to the timer node
ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device
ARM: dts: qcom: apq8064: move replicator out of soc node
arm64: defconfig: mediatek: enable PHY drivers
arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou
arm64: dts: qcom: qcm2290: fix (some) of QUP interconnects
arm64: dts: renesas: white-hawk-ard-audio: Fix TPU0 groups
arm64: dts: mt6359: Rename RTC node to match binding expectations
ARM: aspeed: Don't select SRAM
soc: aspeed: lpc: Fix impossible judgment condition
soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
randstruct: gcc-plugin: Remove bogus void member
randstruct: gcc-plugin: Fix attribute addition
perf build: Warn when libdebuginfod devel files are not available
perf ui browser hists: Set actions->thread before calling do_zoom_thread()
dm: don't change md if dm_table_set_restrictions() fails
dm: free table mempools if not used in __bind
backlight: pm8941: Add NULL check in wled_configure()
x86/irq: Ensure initial PIR loads are performed exactly once
mtd: nand: ecc-mxic: Fix use of uninitialized variable ret
hwmon: (asus-ec-sensors) check sensor index in read_string()
perf symbol-minimal: Fix double free in filename__read_build_id
dm: fix dm_blk_report_zones
dm-flakey: error all IOs when num_features is absent
dm-flakey: make corrupting read bios work
perf trace: Fix leaks of 'struct thread' in set_filter_loop_pids()
perf tests: Fix 'perf report' tests installation
perf intel-pt: Fix PEBS-via-PT data_src
perf scripts python: exported-sql-viewer.py: Fix pattern matching with Python 3
remoteproc: qcom_wcnss_iris: Add missing put_device() on error in probe
remoteproc: k3-r5: Drop check performed in k3_r5_rproc_{mbox_callback/kick}
remoteproc: k3-dsp: Drop check performed in k3_dsp_rproc_{mbox_callback/kick}
rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send()
mfd: exynos-lpass: Fix an error handling path in exynos_lpass_probe()
mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove()
mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE
perf tests switch-tracking: Fix timestamp comparison
mailbox: imx: Fix TXDB_V2 sending
mailbox: mtk-cmdq: Refine GCE_GCTL_VALUE setting
perf symbol: Fix use-after-free in filename__read_build_id
perf record: Fix incorrect --user-regs comments
perf trace: Always print return value for syscalls returning a pid
nfs: clear SB_RDONLY before getting superblock
nfs: ignore SB_RDONLY when remounting nfs
perf trace: Set errpid to false for rseq and set_robust_list
perf callchain: Always populate the addr_location map when adding IP
cifs: Fix validation of SMB1 query reparse point response
rust: alloc: add missing invariant in Vec::set_len()
rtc: sh: assign correct interrupts with DT
phy: rockchip: samsung-hdptx: Fix clock ratio setup
phy: rockchip: samsung-hdptx: Do no set rk_hdptx_phy->rate in case of errors
PCI: Print the actual delay time in pci_bridge_wait_for_secondary_bus()
PCI: rcar-gen4: set ep BAR4 fixed size
PCI: cadence: Fix runtime atomic count underflow
PCI: apple: Use gpiod_set_value_cansleep in probe flow
phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug
dmaengine: ti: Add NULL check in udma_probe()
PCI/ACPI: Fix allocated memory release on error in pci_acpi_scan_root()
PCI/DPC: Initialize aer_err_info before using it
PCI/DPC: Log Error Source ID only when valid
rtc: loongson: Add missing alarm notifications for ACPI RTC events
PCI: endpoint: Retain fixed-size BAR size as well as aligned size
usb: renesas_usbhs: Reorder clock handling and power management in probe
serial: Fix potential null-ptr-deref in mlb_usio_probe()
thunderbolt: Fix a logic error in wake on connect
iio: filter: admv8818: fix band 4, state 15
iio: filter: admv8818: fix integer overflow
iio: filter: admv8818: fix range calculation
iio: filter: admv8818: Support frequencies >= 2^32
iio: adc: ad7124: Fix 3dB filter frequency reading
usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink()
MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a
coresight: Fixes device's owner field for registered using coresight_init_driver()
coresight: catu: Introduce refcount and spinlock for enabling/disabling
counter: interrupt-cnt: Protect enable/disable OPs with mutex
fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt()
coresight: prevent deactivate active config while enabling the config
vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()
mei: vsc: Cast tx_buf to (__be32 *) when passed to cpu_to_be32_array()
iio: adc: PAC1934: fix typo in documentation link
iio: adc: mcp3911: fix device dependent mappings for conversion result registers
USB: gadget: udc: fix const issue in gadget_match_driver()
USB: typec: fix const issue in typec_match()
loop: add file_start_write() and file_end_write()
drm/xe: Make xe_gt_freq part of the Documentation
Fix sock_exceed_buf_limit not being triggered in __sk_mem_raise_allocated
page_pool: Fix use-after-free in page_pool_recycle_in_ring
net: stmmac: platform: guarantee uniqueness of bus_id
gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
net: tipc: fix refcount warning in tipc_aead_encrypt
driver: net: ethernet: mtk_star_emac: fix suspend/resume issue
net/mlx4_en: Prevent potential integer overflow calculating Hz
net: lan966x: Make sure to insert the vlan tags also in host mode
spi: bcm63xx-spi: fix shared reset
spi: bcm63xx-hsspi: fix shared reset
Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION
ice: fix Tx scheduler error handling in XDP callback
ice: create new Tx scheduler nodes for new queues only
ice: fix rebuilding the Tx scheduler tree for large queue counts
idpf: fix a race in txq wakeup
idpf: avoid mailbox timeout delays during reset
net: dsa: tag_brcm: legacy: fix pskb_may_pull length
net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping
net: stmmac: make sure that ptp_rate is not 0 before configuring EST
drm/i915/guc: Check if expecting reply before decrementing outstanding_submission_g2h
drm/i915/psr: Fix using wrong mask in REG_FIELD_PREP
drm/i915/guc: Handle race condition where wakeref count drops below 0
net: fix udp gso skb_segment after pull from frag_list
net: wwan: t7xx: Fix napi rx poll issue
vmxnet3: correctly report gso type for UDP tunnels
selftests: net: build net/lib dependency in all target
PM: sleep: Fix power.is_suspended cleanup for direct-complete devices
nvme: fix command limits status code
gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
drm/panel-simple: fix the warnings for the Evervision VGG644804
netfilter: nf_set_pipapo_avx2: fix initial map fill
netfilter: nf_nat: also check reverse tuple to obtain clashing entry
net: ti: icssg-prueth: Fix swapped TX stats for MII interfaces.
net: dsa: b53: do not enable RGMII delay on bcm63xx
net: dsa: b53: allow RGMII for bcm63xx RGMII ports
net: dsa: b53: do not touch DLL_IQQD on bcm53115
wifi: cfg80211/mac80211: correctly parse S1G beacon optional elements
net: wwan: mhi_wwan_mbim: use correct mux_id for multiplexing
wireguard: device: enable threaded NAPI
seg6: Fix validation of nexthop addresses
riscv: misaligned: fix sleeping function called during misaligned access handling
scsi: ufs: qcom: Prevent calling phy_exit() before phy_init()
ASoC: codecs: hda: Fix RPM usage count underflow
ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX
ASoC: Intel: avs: Verify content returned by parse_int_array()
ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init
iov_iter: use iov_offset for length calculation in iov_iter_aligned_bvec
path_overmount(): avoid false negatives
fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)
do_change_type(): refuse to operate on unmounted/not ours mounts
tools/power turbostat: Fix AMD package-energy reporting
ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3315
ALSA: hda/realtek: fix micmute LEDs on HP Laptops with ALC3247
ALSA: hda/realtek: Add support for various HP Laptops using CS35L41 HDA
ALSA: hda/realtek - Support mute led function for HP platform
ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup
ALSA: hda/realtek: Add support for HP Agusta using CS35L41 HDA
Input: synaptics-rmi - fix crash with unsupported versions of F34
pmdomain: core: Introduce dev_pm_genpd_rpm_always_on()
mmc: sdhci-of-dwcmshc: add PD workaround on RK3576
arm64: dts: qcom: x1e80100: Apply consistent critical thermal shutdown
arm64: dts: qcom: x1e80100: Add GPU cooling
pinctrl: samsung: refactor drvdata suspend & resume callbacks
pinctrl: samsung: add dedicated SoC eint suspend/resume callbacks
pinctrl: samsung: add gs101 specific eint suspend/resume callbacks
dt-bindings: pwm: adi,axi-pwmgen: Increase #pwm-cells to 3
dt-bindings: pwm: Correct indentation and style in DTS example
dt-bindings: pwm: adi,axi-pwmgen: Fix clocks
serial: sh-sci: Move runtime PM enable to sci_probe_single()
scsi: core: ufs: Fix a hang in the error handler
Bluetooth: hci_core: fix list_for_each_entry_rcu usage
Bluetooth: btintel_pcie: Fix driver not posting maximum rx buffers
Bluetooth: btintel_pcie: Increase the tx and rx descriptor count
Bluetooth: btintel_pcie: Reduce driver buffer posting to prevent race condition
Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
Bluetooth: MGMT: Remove unused mgmt_pending_find_data
Bluetooth: MGMT: Protect mgmt_pending list with its own lock
net: dsa: b53: fix untagged traffic sent via cpu tagged with VID 0
ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use()
ath10k: snoc: fix unbalanced IRQ enable in crash recovery
wifi: ath11k: convert timeouts to secs_to_jiffies()
wifi: ath11k: avoid burning CPU in ath11k_debugfs_fw_stats_request()
wifi: ath11k: don't use static variables in ath11k_debugfs_fw_stats_process()
wifi: ath11k: don't wait when there is no vdev started
wifi: ath11k: move some firmware stats related functions outside of debugfs
wifi: ath11k: validate ath11k_crypto_mode on top of ath11k_core_qmi_firmware_ready
wifi: ath12k: refactor ath12k_hw_regs structure
wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850
regulator: max20086: Fix refcount leak in max20086_parse_regulators_dt()
spi: omap2-mcspi: Disable multi mode when CS should be kept asserted after message
spi: omap2-mcspi: Disable multi-mode when the previous message kept CS asserted
pinctrl: qcom: pinctrl-qcm2290: Add missing pins
scsi: iscsi: Fix incorrect error path labels for flashnode operations
net_sched: sch_sfq: fix a potential crash on gso_skb handling
powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap
powerpc/vas: Return -EINVAL if the offset is non-zero in mmap()
drm/meson: use unsigned long long / Hz for frequency types
drm/meson: fix debug log statement when setting the HDMI clocks
drm/meson: use vclk_freq instead of pixel_freq in debug print
drm/meson: fix more rounding issues with 59.94Hz modes
i40e: return false from i40e_reset_vf if reset is in progress
i40e: retry VFLR handling if there is ongoing VF reset
ACPI: CPPC: Fix NULL pointer dereference when nosmp is used
net: Fix TOCTOU issue in sk_is_readable()
macsec: MACsec SCI assignment for ES = 0
net/mdiobus: Fix potential out-of-bounds read/write access
net/mdiobus: Fix potential out-of-bounds clause 45 read/write access
Bluetooth: Fix NULL pointer deference on eir_get_service_data
Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance
Bluetooth: eir: Fix possible crashes on eir_create_adv_data
Bluetooth: MGMT: Fix sparse errors
net/mlx5: Ensure fw pages are always allocated on same NUMA
net/mlx5: Fix ECVF vports unload on shutdown flow
net/mlx5: Fix return value when searching for existing flow group
net/mlx5: HWS, fix missing ip_version handling in definer
net/mlx5e: Fix leak of Geneve TLV option object
net_sched: prio: fix a race in prio_tune()
net_sched: red: fix a race in __red_change()
net_sched: tbf: fix a race in tbf_change()
net_sched: ets: fix a race in ets_qdisc_change()
net: drv: netdevsim: don't napi_complete() from netpoll
btrfs: exit after state insertion failure at btrfs_convert_extent_bit()
fs/filesystems: Fix potential unsigned integer underflow in fs_name()
gfs2: pass through holder from the VFS for freeze/thaw
btrfs: exit after state split error at set_extent_bit()
nvmet-fcloop: access fcpreq only when holding reqlock
perf: Ensure bpf_perf_link path is properly serialized
block: use q->elevator with ->elevator_lock held in elv_iosched_show()
io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo()
block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work
io_uring: consistently use rcu semantics with sqpoll thread
bio: Fix bio_first_folio() for SPARSEMEM without VMEMMAP
block: Fix bvec_set_folio() for very large folios
objtool/rust: relax slice condition to cover more `noreturn` Rust functions
tools/resolve_btfids: Fix build when cross compiling kernel with clang.
Revert "wifi: mwifiex: Fix HT40 bandwidth issue."
ALSA: usb-audio: Add implicit feedback quirk for RODE AI-1
HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse()
posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()
nvmem: zynqmp_nvmem: unbreak driver after cleanup
usb: usbtmc: Fix read_stb function and get_stb ioctl
VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify
tty: serial: 8250_omap: fix TX with DMA for am33xx
usb: misc: onboard_usb_dev: Fix usb5744 initialization sequence
usb: cdnsp: Fix issue with detecting command completion event
usb: cdnsp: Fix issue with detecting USB 3.2 speed
usb: Flush altsetting 0 endpoints before reinitializating them after reset.
usb: typec: tcpm/tcpci_maxim: Fix bounds check in process_rx()
usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work
9p: Add a migrate_folio method
ring-buffer: Do not trigger WARN_ON() due to a commit_overrun
ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set()
ring-buffer: Move cpus_read_lock() outside of buffer->mutex
xfs: don't assume perags are initialised when trimming AGs
xen/arm: call uaccess_ttbr0_enable for dm_op hypercall
x86/iopl: Cure TIF_IO_BITMAP inconsistencies
x86/fred/signal: Prevent immediate repeat of single step trap on return from SIGTRAP handler
calipso: unlock rcu before returning -EAFNOSUPPORT
regulator: dt-bindings: mt6357: Drop fixed compatible requirement
usb: misc: onboard_usb_dev: fix build warning for CONFIG_USB_ONBOARD_DEV_USB5744=n
net: usb: aqc111: debug info before sanitation
overflow: Introduce __DEFINE_FLEX for having no initializer
gfs2: Don't clear sb->s_fs_info in gfs2_sys_fs_add
drm/meson: Use 1000ULL when operating with mode->clock
thermal/drivers/mediatek/lvts: Remove unused lvts_debugfs_exit
Linux 6.12.34
Change-Id: I679f0f1ddcf9bf8a0b86089ccb7b78536f5bc441
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
In the case of SME-in-driver, the driver can internally choose to
update the links based on the AP MLD recommendation and do link
reconfiguration negotiation with AP MLD.
(e.g., After the driver processing the BSS Transition Management request
frame received from the AP MLD with Neighbor Report containing
Multi-Link element with recommended links information chooses to do link
reconfiguration negotiation with AP MLD).
To support this, extend cfg80211_mlo_reconf_add_done() and
NL80211_CMD_ASSOC_MLO_RECONF to indicate added links information for
driver-initiated link reconfiguration requests. For removed links,
the driver indicates links information using the
NL80211_CMD_LINKS_REMOVED event for driver-initiated cases, the same as
supplicant initiated cases.
For the driver-initiated case, cfg80211 will receive link
reconfiguration result asynchronously from driver so holding BSSes of
the accepted add links is needed in the event path. Also, no need of
unhold call for the rejected add link BSSes since there was no hold call
happened previously.
Once the supplicant receives the NL80211_CMD_ASSOC_MLO_RECONF event,
it needs to process the information about newly added links and install
per-link group keys (e.g., GTK/IGTK/BIGTK etc.).
In case of the SME-in-driver, using a vendor interface etc. to notify
the supplicant to initiate a link reconfiguration request and then
supplicant sending command to the cfg80211 can lead to race conditions.
The correct design to avoid this is that the driver indicates the
cfg80211 directly with the results of the link reconfiguration
negotiation.
Signed-off-by: Kavita Kavita <quic_kkavita@quicinc.com>
Link: https://patch.msgid.link/20250604105757.2542-3-quic_kkavita@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Bug: 423444463
(cherry picked from commit 7c598c653ad465138ecc2fe64492633c541effef
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git
main)
Change-Id: Ib2c7d38113f76bc46dc72f339ffdba5d3dd81988
Signed-off-by: Kavita Kavita <quic_kkavita@quicinc.com>
[ Upstream commit 1e1f706fc2ce90eaaf3480b3d5f27885960d751c ]
S1G beacons are not traditional beacons but a type of extension frame.
Extension frames contain the frame control and duration fields, followed
by zero or more optional fields before the frame body. These optional
fields are distinct from the variable length elements.
The presence of optional fields is indicated in the frame control field.
To correctly locate the elements offset, the frame control must be parsed
to identify which optional fields are present. Currently, mac80211 parses
S1G beacons based on fixed assumptions about the frame layout, without
inspecting the frame control field. This can result in incorrect offsets
to the "variable" portion of the frame.
Properly parse S1G beacon frames by using the field lengths defined in
IEEE 802.11-2024, section 9.3.4.3, ensuring that the elements offset is
calculated accurately.
Fixes: 9eaffe5078 ("cfg80211: convert S1G beacon to scan results")
Fixes: cd418ba63f ("mac80211: convert S1G beacon to scan results")
Signed-off-by: Lachlan Hodges <lachlan.hodges@morsemicro.com>
Link: https://patch.msgid.link/20250603053538.468562-1-lachlan.hodges@morsemicro.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 023c1f2f0609218103cbcb48e0104b144d4a16dc upstream.
Currently during the multi-link element defragmentation process, the
multi-link element length added to the total IEs length when calculating
the length of remaining IEs after the multi-link element in
cfg80211_defrag_mle(). This could lead to out-of-bounds access if the
multi-link element or its corresponding fragment elements are the last
elements in the IEs buffer.
To address this issue, correctly calculate the remaining IEs length by
deducting the multi-link element end offset from total IEs end offset.
Cc: stable@vger.kernel.org
Fixes: 2481b5da9c ("wifi: cfg80211: handle BSS data contained in ML probe responses")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Link: https://patch.msgid.link/20250424-fix_mle_defragmentation_oob_access-v1-1-84412a1743fa@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Currently during the multi-link element defragmentation process, the
multi-link element length added to the total IEs length when calculating
the length of remaining IEs after the multi-link element in
cfg80211_defrag_mle(). This could lead to out-of-bounds access if the
multi-link element or its corresponding fragment elements are the last
elements in the IEs buffer.
To address this issue, correctly calculate the remaining IEs length by
deducting the multi-link element end offset from total IEs end offset.
Cc: stable@vger.kernel.org
Fixes: 2481b5da9c ("wifi: cfg80211: handle BSS data contained in ML probe responses")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Link: https://patch.msgid.link/20250424-fix_mle_defragmentation_oob_access-v1-1-84412a1743fa@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Bug: 417641649
Change-Id: Ib1a92abf3ba3aee4ced14fee05d17ea2a4ae2fec
(cherry picked from commit 023c1f2f0609218103cbcb48e0104b144d4a16dc)
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Steps on the way to 6.12.20
Resolves merge conflicts in:
mm/userfaultfd.c
Change-Id: I315faea2e1375e21d4c743d33f28f7f2dd56fd14
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
GKI (arm64) relevant 48 out of 271 changes, affecting 92 files +576/-223
5b414ed3bb Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'" [1 file, +2/-2]
48a934fc47 Revert "mm/page_alloc.c: don't show protection in zone's ->lowmem_reserve[] for empty zone" [1 file, +1/-2]
88310caff6 Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() [1 file, +2/-0]
7841180342 Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected() [1 file, +3/-0]
2d448dbd47 userfaultfd: do not block on locking a large folio with raised refcount [1 file, +16/-1]
f57e89c1cb block: fix conversion of GPT partition name to 7-bit [1 file, +1/-1]
9426f38372 mm/page_alloc: fix uninitialized variable [1 file, +1/-0]
79636d2981 mm: abort vma_modify() on merge out of memory failure [1 file, +8/-4]
605f53f13b mm: don't skip arch_sync_kernel_mappings() in error paths [2 files, +6/-4]
9ed33c7bac mm: fix finish_fault() handling for large folios [1 file, +10/-5]
576a2f4c43 hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio [1 file, +4/-1]
2e66d69941 mm: memory-hotplug: check folio ref count first in do_migrate_range [1 file, +7/-13]
3c63fb6ef7 nvme-pci: use sgls for all user requests if possible [2 files, +13/-4]
9dedafd86e nvme-ioctl: fix leaked requests on mapping error [1 file, +8/-4]
084819b0d8 net: gso: fix ownership in __udp_gso_segment [1 file, +6/-2]
1688acf477 perf/core: Fix pmus_lock vs. pmus_srcu ordering [1 file, +2/-2]
a899adf706 HID: hid-steam: Fix use-after-free when detaching device [1 file, +1/-1]
8aa8a40c76 ppp: Fix KMSAN uninit-value warning with bpf [1 file, +19/-9]
b71cd95764 ethtool: linkstate: migrate linkstate functions to support multi-PHY setups [1 file, +15/-8]
9c1d09cdbc net: ethtool: plumb PHY stats to PHY drivers [7 files, +167/-2]
639c703529 net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device [9 files, +19/-18]
30e8aee778 vlan: enforce underlying device type [1 file, +2/-1]
5d609f0d2f exfat: fix just enough dentries but allocate a new cluster to dir [1 file, +1/-1]
c897b8ec46 exfat: fix soft lockup in exfat_clear_bitmap [3 files, +16/-7]
611015122d exfat: short-circuit zero-byte writes in exfat_file_write_iter [1 file, +1/-1]
2b484789e9 net-timestamp: support TCP GSO case for a few missing flags [1 file, +7/-4]
b08e290324 ublk: set_params: properly check if parameters can be applied [1 file, +5/-2]
b5741e4b9e sched/fair: Fix potential memory corruption in child_cfs_rq_on_list [1 file, +4/-2]
39c2b2767e xhci: Restrict USB4 tunnel detection for USB3 devices to Intel hosts [1 file, +8/-0]
4ea3319f3e usb: hub: lack of clearing xHC resources [1 file, +33/-0]
0cab185c73 usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader [1 file, +4/-0]
079a3e52f3 usb: typec: ucsi: Fix NULL pointer access [1 file, +7/-6]
840afbea3f usb: gadget: u_ether: Set is_suspend flag if remote wakeup fails [1 file, +2/-2]
ced69d88eb usb: dwc3: Set SUSPENDENABLE soon after phy init [3 files, +45/-30]
35db1f1829 usb: dwc3: gadget: Prevent irq storm when TH re-executes [2 files, +13/-13]
b387312527 usb: typec: ucsi: increase timeout for PPM reset operations [1 file, +1/-1]
4bf6c57a89 usb: gadget: Set self-powered based on MaxPower and bmAttributes [1 file, +11/-5]
dcd7ffdefb usb: gadget: Fix setting self-powered state on suspend [1 file, +2/-1]
395011ee82 usb: gadget: Check bmAttributes only if configuration is valid [1 file, +1/-1]
012b98cdb5 acpi: typec: ucsi: Introduce a ->poll_cci method [7 files, +25/-12]
d7015bb3c5 xhci: pci: Fix indentation in the PCI device ID definitions [1 file, +4/-4]
ea39f99864 usb: xhci: Enable the TRB overfetch quirk on VIA VL805 [3 files, +10/-5]
4e8df56636 char: misc: deallocate static minor in error path [1 file, +1/-1]
b50e18791f drivers: core: fix device leak in __fw_devlink_relax_cycles() [1 file, +1/-0]
a684bad77e mm: hugetlb: Add huge page size param to huge_ptep_get_and_clear() [16 files, +46/-28]
6ad9643aa5 fs/netfs/read_pgpriv2: skip folio queues without `marks3` [1 file, +3/-2]
5bc6e5b10f fs/netfs/read_collect: fix crash due to uninitialized `prev` variable [1 file, +11/-10]
86b7ebddab uprobes: Fix race in uprobe_free_utask [1 file, +1/-1]
Changes in 6.12.19
x86/amd_nb: Use rdmsr_safe() in amd_get_mmconfig_range()
rust: block: fix formatting in GenDisk doc
drm/i915/dsi: convert to struct intel_display
drm/i915/dsi: Use TRANS_DDI_FUNC_CTL's own port width macro
gpio: vf610: use generic device_get_match_data()
gpio: vf610: add locking to gpio direction functions
cifs: Remove symlink member from cifs_open_info_data union
smb311: failure to open files of length 1040 when mounting with SMB3.1.1 POSIX extensions
btrfs: fix data overwriting bug during buffered write when block size < page size
x86/microcode/AMD: Add some forgotten models to the SHA check
loongarch: Use ASM_REACHABLE
rust: workqueue: remove unneeded ``#[allow(clippy::new_ret_no_self)]`
rust: sort global Rust flags
rust: types: avoid repetition in `{As,From}Bytes` impls
rust: enable `clippy::undocumented_unsafe_blocks` lint
rust: enable `clippy::unnecessary_safety_comment` lint
rust: enable `clippy::unnecessary_safety_doc` lint
rust: enable `clippy::ignored_unit_patterns` lint
rust: enable `rustdoc::unescaped_backticks` lint
rust: init: remove unneeded `#[allow(clippy::disallowed_names)]`
rust: sync: remove unneeded `#[allow(clippy::non_send_fields_in_send_ty)]`
rust: introduce `.clippy.toml`
rust: replace `clippy::dbg_macro` with `disallowed_macros`
rust: provide proper code documentation titles
rust: enable Clippy's `check-private-items`
Documentation: rust: add coding guidelines on lints
rust: start using the `#[expect(...)]` attribute
Documentation: rust: discuss `#[expect(...)]` in the guidelines
rust: error: make conversion functions public
rust: error: optimize error type to use nonzero
rust: alloc: add `Allocator` trait
rust: alloc: separate `aligned_size` from `krealloc_aligned`
rust: alloc: rename `KernelAllocator` to `Kmalloc`
rust: alloc: implement `ReallocFunc`
rust: alloc: make `allocator` module public
rust: alloc: implement `Allocator` for `Kmalloc`
rust: alloc: add module `allocator_test`
rust: alloc: implement `Vmalloc` allocator
rust: alloc: implement `KVmalloc` allocator
rust: alloc: add __GFP_NOWARN to `Flags`
rust: alloc: implement kernel `Box`
rust: treewide: switch to our kernel `Box` type
rust: alloc: remove extension of std's `Box`
rust: alloc: add `Box` to prelude
rust: alloc: introduce `ArrayLayout`
rust: alloc: implement kernel `Vec` type
rust: alloc: implement `IntoIterator` for `Vec`
rust: alloc: implement `collect` for `IntoIter`
rust: treewide: switch to the kernel `Vec` type
rust: alloc: remove `VecExt` extension
rust: alloc: add `Vec` to prelude
rust: error: use `core::alloc::LayoutError`
rust: error: check for config `test` in `Error::name`
rust: alloc: implement `contains` for `Flags`
rust: alloc: implement `Cmalloc` in module allocator_test
rust: str: test: replace `alloc::format`
rust: alloc: update module comment of alloc.rs
kbuild: rust: remove the `alloc` crate and `GlobalAlloc`
MAINTAINERS: add entry for the Rust `alloc` module
drm/panic: avoid reimplementing Iterator::find
drm/panic: remove unnecessary borrow in alignment_pattern
drm/panic: prefer eliding lifetimes
drm/panic: remove redundant field when assigning value
drm/panic: correctly indent continuation of line in list item
drm/panic: allow verbose boolean for clarity
drm/panic: allow verbose version check
rust: kbuild: expand rusttest target for macros
rust: fix size_t in bindgen prototypes of C builtins
rust: map `__kernel_size_t` and friends also to usize/isize
rust: use custom FFI integer types
rust: alloc: Fix `ArrayLayout` allocations
Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'"
tracing: tprobe-events: Fix a memory leak when tprobe with $retval
tracing: tprobe-events: Reject invalid tracepoint name
stmmac: loongson: Pass correct arg to PCI function
LoongArch: Convert unreachable() to BUG()
LoongArch: Use polling play_dead() when resuming from hibernation
LoongArch: Set max_pfn with the PFN of the last page
LoongArch: KVM: Add interrupt checking for AVEC
LoongArch: KVM: Reload guest CSR registers after sleep
LoongArch: KVM: Fix GPA size issue about VM
HID: appleir: Fix potential NULL dereference at raw event handle
ksmbd: fix type confusion via race condition when using ipc_msg_send_request
ksmbd: fix out-of-bounds in parse_sec_desc()
ksmbd: fix use-after-free in smb2_lock
ksmbd: fix bug on trap in smb2_lock
gpio: rcar: Use raw_spinlock to protect register access
gpio: aggregator: protect driver attr handlers against module unload
ALSA: seq: Avoid module auto-load handling at event delivery
ALSA: hda: intel: Add Dell ALC3271 to power_save denylist
ALSA: hda/realtek - add supported Mic Mute LED for Lenovo platform
ALSA: hda/realtek: update ALC222 depop optimize
btrfs: fix a leaked chunk map issue in read_one_chunk()
hwmon: (peci/dimmtemp) Do not provide fake thresholds data
drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params
drm/amdkfd: Fix NULL Pointer Dereference in KFD queue
drm/amd/pm: always allow ih interrupt from fw
drm/imagination: avoid deadlock on fence release
drm/imagination: Hold drm_gem_gpuva lock for unmap
drm/imagination: only init job done fences once
drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M
Revert "mm/page_alloc.c: don't show protection in zone's ->lowmem_reserve[] for empty zone"
Revert "selftests/mm: remove local __NR_* definitions"
platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e
x86/boot: Sanitize boot params before parsing command line
x86/cacheinfo: Validate CPUID leaf 0x2 EDX output
x86/cpu: Validate CPUID leaf 0x2 EDX output
x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63
drm/xe: Add staging tree for VM binds
drm/xe/hmm: Style- and include fixes
drm/xe/hmm: Don't dereference struct page pointers without notifier lock
drm/xe/vm: Fix a misplaced #endif
drm/xe/vm: Validate userptr during gpu vma prefetching
mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr
drm/xe: Fix GT "for each engine" workarounds
drm/xe: Fix fault mode invalidation with unbind
drm/xe/userptr: properly setup pfn_flags_mask
drm/xe/userptr: Unmap userptrs in the mmu notifier
Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()
Bluetooth: Add check for mgmt_alloc_skb() in mgmt_device_connected()
wifi: cfg80211: regulatory: improve invalid hints checking
wifi: nl80211: reject cooked mode if it is set along with other flags
selftests/damon/damos_quota_goal: handle minimum quota that cannot be further reduced
selftests/damon/damos_quota: make real expectation of quota exceeds
selftests/damon/damon_nr_regions: set ops update for merge results check to 100ms
selftests/damon/damon_nr_regions: sort collected regiosn before checking with min/max boundaries
rapidio: add check for rio_add_net() in rio_scan_alloc_net()
rapidio: fix an API misues when rio_add_net() fails
dma: kmsan: export kmsan_handle_dma() for modules
s390/traps: Fix test_monitor_call() inline assembly
NFS: fix nfs_release_folio() to not deadlock via kcompactd writeback
userfaultfd: do not block on locking a large folio with raised refcount
block: fix conversion of GPT partition name to 7-bit
mm/page_alloc: fix uninitialized variable
mm: abort vma_modify() on merge out of memory failure
mm: memory-failure: update ttu flag inside unmap_poisoned_folio
mm: don't skip arch_sync_kernel_mappings() in error paths
mm: fix finish_fault() handling for large folios
hwpoison, memory_hotplug: lock folio before unmap hwpoisoned folio
mm: memory-hotplug: check folio ref count first in do_migrate_range
wifi: iwlwifi: mvm: clean up ROC on failure
wifi: iwlwifi: mvm: don't try to talk to a dead firmware
wifi: iwlwifi: limit printed string from FW file
wifi: iwlwifi: Free pages allocated when failing to build A-MSDU
wifi: iwlwifi: Fix A-MSDU TSO preparation
HID: google: fix unused variable warning under !CONFIG_ACPI
HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()
HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()
coredump: Only sort VMAs when core_sort_vma sysctl is set
nvme-pci: add support for sgl metadata
nvme-pci: use sgls for all user requests if possible
nvme-ioctl: fix leaked requests on mapping error
wifi: mac80211: Support parsing EPCS ML element
wifi: mac80211: fix MLE non-inheritance parsing
wifi: mac80211: fix vendor-specific inheritance
drm/fbdev-helper: Move color-mode lookup into 4CC format helper
drm/fbdev: Add memory-agnostic fbdev client
drm: Add client-agnostic setup helper
drm/fbdev-ttm: Support struct drm_driver.fbdev_probe
drm/nouveau: Run DRM default client setup
drm/nouveau: select FW caching
bluetooth: btusb: Initialize .owner field of force_poll_sync_fops
nvme-tcp: add basic support for the C2HTermReq PDU
nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()
nvmet-tcp: Fix a possible sporadic response drops in weakly ordered arch
ALSA: hda/realtek: Remove (revert) duplicate Ally X config
net: gso: fix ownership in __udp_gso_segment
caif_virtio: fix wrong pointer check in cfv_probe()
perf/core: Fix pmus_lock vs. pmus_srcu ordering
hwmon: (pmbus) Initialise page count in pmbus_identify()
hwmon: (ntc_thermistor) Fix the ncpXXxh103 sensor table
hwmon: (ad7314) Validate leading zero bits and return error
tracing: probe-events: Remove unused MAX_ARG_BUF_LEN macro
drm/imagination: Fix timestamps in firmware traces
ALSA: usx2y: validate nrpacks module parameter on probe
llc: do not use skb_get() before dev_queue_xmit()
hwmon: fix a NULL vs IS_ERR_OR_NULL() check in xgene_hwmon_probe()
drm/sched: Fix preprocessor guard
be2net: fix sleeping while atomic bugs in be_ndo_bridge_getlink
net: hns3: make sure ptp clock is unregister and freed if hclge_ptp_get_cycle returns an error
drm/i915/color: Extract intel_color_modeset()
drm/i915: Plumb 'dsb' all way to the plane hooks
drm/xe: Remove double pageflip
HID: hid-steam: Fix use-after-free when detaching device
net: ipa: Fix v4.7 resource group names
net: ipa: Fix QSB data for v4.7
net: ipa: Enable checksum for IPA_ENDPOINT_AP_MODEM_{RX,TX} for v4.7
ppp: Fix KMSAN uninit-value warning with bpf
ethtool: linkstate: migrate linkstate functions to support multi-PHY setups
net: ethtool: plumb PHY stats to PHY drivers
net: ethtool: netlink: Allow NULL nlattrs when getting a phy_device
vlan: enforce underlying device type
x86/sgx: Fix size overflows in sgx_encl_create()
exfat: fix just enough dentries but allocate a new cluster to dir
exfat: fix soft lockup in exfat_clear_bitmap
exfat: short-circuit zero-byte writes in exfat_file_write_iter
net-timestamp: support TCP GSO case for a few missing flags
ublk: set_params: properly check if parameters can be applied
sched/fair: Fix potential memory corruption in child_cfs_rq_on_list
nvme-tcp: fix signedness bug in nvme_tcp_init_connection()
net: dsa: mt7530: Fix traffic flooding for MMIO devices
mctp i3c: handle NULL header address
net: ipv6: fix dst ref loop in ila lwtunnel
net: ipv6: fix missing dst ref drop in ila lwtunnel
gpio: rcar: Fix missing of_node_put() call
Revert "drivers/card_reader/rtsx_usb: Restore interrupt based detection"
usb: renesas_usbhs: Call clk_put()
xhci: Restrict USB4 tunnel detection for USB3 devices to Intel hosts
usb: renesas_usbhs: Use devm_usb_get_phy()
usb: hub: lack of clearing xHC resources
usb: quirks: Add DELAY_INIT and NO_LPM for Prolific Mass Storage Card Reader
usb: typec: ucsi: Fix NULL pointer access
usb: renesas_usbhs: Flush the notify_hotplug_work
usb: gadget: u_ether: Set is_suspend flag if remote wakeup fails
usb: atm: cxacru: fix a flaw in existing endpoint checks
usb: dwc3: Set SUSPENDENABLE soon after phy init
usb: dwc3: gadget: Prevent irq storm when TH re-executes
usb: typec: ucsi: increase timeout for PPM reset operations
usb: typec: tcpci_rt1711h: Unmask alert interrupts to fix functionality
usb: gadget: Set self-powered based on MaxPower and bmAttributes
usb: gadget: Fix setting self-powered state on suspend
usb: gadget: Check bmAttributes only if configuration is valid
kbuild: userprogs: use correct lld when linking through clang
acpi: typec: ucsi: Introduce a ->poll_cci method
rust: finish using custom FFI integer types
rust: map `long` to `isize` and `char` to `u8`
xhci: pci: Fix indentation in the PCI device ID definitions
usb: xhci: Enable the TRB overfetch quirk on VIA VL805
KVM: SVM: Set RFLAGS.IF=1 in C code, to get VMRUN out of the STI shadow
KVM: SVM: Save host DR masks on CPUs with DebugSwap
KVM: SVM: Drop DEBUGCTL[5:2] from guest's effective value
KVM: SVM: Suppress DEBUGCTL.BTF on AMD
KVM: x86: Snapshot the host's DEBUGCTL in common x86
KVM: SVM: Manually context switch DEBUGCTL if LBR virtualization is disabled
KVM: x86: Snapshot the host's DEBUGCTL after disabling IRQs
KVM: x86: Explicitly zero EAX and EBX when PERFMON_V2 isn't supported by KVM
cdx: Fix possible UAF error in driver_override_show()
mei: me: add panther lake P DID
mei: vsc: Use "wakeuphostint" when getting the host wakeup GPIO
intel_th: pci: Add Arrow Lake support
intel_th: pci: Add Panther Lake-H support
intel_th: pci: Add Panther Lake-P/U support
char: misc: deallocate static minor in error path
drivers: core: fix device leak in __fw_devlink_relax_cycles()
slimbus: messaging: Free transaction ID in delayed interrupt scenario
bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock
eeprom: digsy_mtc: Make GPIO lookup table match the device
drivers: virt: acrn: hsm: Use kzalloc to avoid info leak in pmcmd_ioctl
iio: filter: admv8818: Force initialization of SDO
iio: light: apds9306: fix max_scale_nano values
iio: dac: ad3552r: clear reset status flag
iio: adc: ad7192: fix channel select
iio: adc: at91-sama5d2_adc: fix sama7g5 realbits value
mm: hugetlb: Add huge page size param to huge_ptep_get_and_clear()
arm64: hugetlb: Fix huge_ptep_get_and_clear() for non-present ptes
fs/netfs/read_pgpriv2: skip folio queues without `marks3`
fs/netfs/read_collect: fix crash due to uninitialized `prev` variable
kbuild: hdrcheck: fix cross build with clang
ALSA: hda: realtek: fix incorrect IS_REACHABLE() usage
nvme-tcp: Fix a C2HTermReq error message
docs: rust: remove spurious item in `expect` list
Revert "KVM: e500: always restore irqs"
Revert "KVM: PPC: e500: Use __kvm_faultin_pfn() to handle page faults"
Revert "KVM: PPC: e500: Mark "struct page" pfn accessed before dropping mmu_lock"
Revert "KVM: PPC: e500: Mark "struct page" dirty in kvmppc_e500_shadow_map()"
KVM: e500: always restore irqs
uprobes: Fix race in uprobe_free_utask
selftests/bpf: Clean up open-coded gettid syscall invocations
x86/mm: Don't disable PCID when INVLPG has been fixed by microcode
wifi: iwlwifi: pcie: Fix TSO preparation
Linux 6.12.19
Change-Id: Ia0c2b2c6a95b53a66e21505ed6ba756c6b0a2388
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 72d520476a2fab6f3489e8388ab524985d6c4b90 ]
A wiphy_work can be queued from the moment the wiphy is allocated and
initialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the
rdev::wiphy_work is getting queued.
If wiphy_free is called before the rdev::wiphy_work had a chance to run,
the wiphy memory will be freed, and then when it eventally gets to run
it'll use invalid memory.
Fix this by canceling the work before freeing the wiphy.
Fixes: a3ee4dc84c ("wifi: cfg80211: add a work abstraction with special semantics")
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Link: https://patch.msgid.link/20250306123626.efd1d19f6e07.I48229f96f4067ef73f5b87302335e2fd750136c9@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 59b348be7597c4a9903cb003c69e37df20c04a30 upstream.
Syzbot keeps reporting an issue [1] that occurs when erroneous symbols
sent from userspace get through into user_alpha2[] via
regulatory_hint_user() call. Such invalid regulatory hints should be
rejected.
While a sanity check from commit 47caf685a6 ("cfg80211: regulatory:
reject invalid hints") looks to be enough to deter these very cases,
there is a way to get around it due to 2 reasons.
1) The way isalpha() works, symbols other than latin lower and
upper letters may be used to determine a country/domain.
For instance, greek letters will also be considered upper/lower
letters and for such characters isalpha() will return true as well.
However, ISO-3166-1 alpha2 codes should only hold latin
characters.
2) While processing a user regulatory request, between
reg_process_hint_user() and regulatory_hint_user() there happens to
be a call to queue_regulatory_request() which modifies letters in
request->alpha2[] with toupper(). This works fine for latin symbols,
less so for weird letter characters from the second part of _ctype[].
Syzbot triggers a warning in is_user_regdom_saved() by first sending
over an unexpected non-latin letter that gets malformed by toupper()
into a character that ends up failing isalpha() check.
Prevent this by enhancing is_an_alpha2() to ensure that incoming
symbols are latin letters and nothing else.
[1] Syzbot report:
------------[ cut here ]------------
Unexpected user alpha2: A�
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 is_user_regdom_saved net/wireless/reg.c:440 [inline]
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_alpha2 net/wireless/reg.c:3424 [inline]
WARNING: CPU: 1 PID: 964 at net/wireless/reg.c:442 restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516
Modules linked in:
CPU: 1 UID: 0 PID: 964 Comm: kworker/1:2 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_power_efficient crda_timeout_work
RIP: 0010:is_user_regdom_saved net/wireless/reg.c:440 [inline]
RIP: 0010:restore_alpha2 net/wireless/reg.c:3424 [inline]
RIP: 0010:restore_regulatory_settings+0x3c0/0x1e50 net/wireless/reg.c:3516
...
Call Trace:
<TASK>
crda_timeout_work+0x27/0x50 net/wireless/reg.c:542
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Reported-by: syzbot+e10709ac3c44f3d4e800@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e10709ac3c44f3d4e800
Fixes: 09d989d179 ("cfg80211: add regulatory hint disconnect support")
Cc: stable@kernel.org
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://patch.msgid.link/20250228134659.1577656-1-n.zhandarovich@fintech.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The kernel performs several regulatory checks for AP mode in
nl80211/cfg80211. These checks include radar detection,
verification of whether the sub-channel is disabled, and
an examination to determine if the channel is a DFS channel
(both DFS usable and DFS available). These checks are
performed across a frequency range, examining each sub-channel.
However, these checks are also performed on subchannels that
have been punctured which should not be examined as they are
not in use.
This leads to the issue where the AP stops because one of
the 20 MHz sub-channels is disabled or radar detected on
the channel, even when the sub-channel is punctured.
To address this issue, add a condition check wherever
regulatory checks exist for AP mode in nl80211/cfg80211.
This check identifies punctured channels and, upon finding
them, skips the regulatory checks for those channels.
Co-developed-by: Manaswini Paluri <quic_mpaluri@quicinc.com>
Signed-off-by: Manaswini Paluri <quic_mpaluri@quicinc.com>
Signed-off-by: Kavita Kavita <quic_kkavita@quicinc.com>
Link: https://patch.msgid.link/20250109050409.25351-1-quic_kkavita@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Bug: 395802076
Change-Id: Id56c9bbe6ce6b2d33b625f54f7498c1df009d6ee
(cherry picked from commit 9add053591ed9d126b6f071236e33e762c439fa8)
Signed-off-by: Kavita Kavita <quic_kkavita@quicinc.com>
This allows users to prevent a vif from affecting radios other than the
configured ones. This can be useful in cases where e.g. an AP is running
on one radio, and triggering a scan on another radio should not disturb it.
Changing the allowed radios list for a vif is supported, but only while
it is down.
While it is possible to achieve the same by always explicitly specifying
a frequency list for scan requests and ensuring that the wrong channel/band
is never accidentally set on an unrelated interface, this change makes
multi-radio wiphy setups a lot easier to deal with for CLI users.
By itself, this patch only enforces the radio mask for scanning requests
and remain-on-channel. Follow-up changes build on this to limit configured
frequencies.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://patch.msgid.link/eefcb218780f71a1549875d149f1196486762756.1728462320.git-series.nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Bug: 395802076
Change-Id: I0f9868264710a2ccf14582a4a209e762204cc7ea
(cherry picked from commit 3607798ad9bdef35ad08489a8239390fccaac6b5)
Signed-off-by: Kavita Kavita <quic_kkavita@quicinc.com>
[ Upstream commit 1a0d24775cdee2b8dc14bfa4f4418c930ab1ac57 ]
In 'cfg80211_scan_6ghz()', an instances of 'struct cfg80211_colocated_ap'
are allocated as if they would have 'ssid' as trailing VLA member. Since
this is not so, extra IEEE80211_MAX_SSID_LEN bytes are not needed.
Briefly tested with KUnit.
Fixes: c8cb5b854b ("nl80211/cfg80211: support 6 GHz scanning")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Link: https://patch.msgid.link/20250113155417.552587-1-dmantipov@yandex.ru
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b5c32ff6a3a38c74facdd1fe34c0d709a55527fd ]
Currently, during link deletion, the link ID is first removed from the
valid_links bitmap before performing any clean-up operations. However, some
functions require the link ID to remain in the valid_links bitmap. One
such example is cfg80211_cac_event(). The flow is -
nl80211_remove_link()
cfg80211_remove_link()
ieee80211_del_intf_link()
ieee80211_vif_set_links()
ieee80211_vif_update_links()
ieee80211_link_stop()
cfg80211_cac_event()
cfg80211_cac_event() requires link ID to be present but it is cleared
already in cfg80211_remove_link(). Ultimately, WARN_ON() is hit.
Therefore, clear the link ID from the bitmap only after completing the link
clean-up.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Link: https://patch.msgid.link/20241121-mlo_dfs_fix-v2-1-92c3bf7ab551@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f1d3334d604cc32db63f6e2b3283011e02294e54 ]
With the __counted_by annocation in cfg80211_scan_request struct,
the "n_channels" struct member must be set before accessing the
"channels" array. Failing to do so will trigger a runtime warning
when enabling CONFIG_UBSAN_BOUNDS and CONFIG_FORTIFY_SOURCE.
Fixes: e3eac9f32e ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by")
Signed-off-by: Haoyu Li <lihaoyu499@gmail.com>
Link: https://patch.msgid.link/20241203152049.348806-1-lihaoyu499@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 9c46a3a5b394d6d123866aa44436fc2cd342eb0d upstream.
The channels array in the cfg80211_scan_request has a __counted_by
attribute attached to it, which points to the n_channels variable. This
attribute is used in bounds checking, and if it is not set before the
array is filled, then the bounds sanitizer will issue a warning or a
kernel panic if CONFIG_UBSAN_TRAP is set.
This patch sets the size of allocated memory as the initial value for
n_channels. It is updated with the actual number of added elements after
the array is filled.
Fixes: aa4ec06c45 ("wifi: cfg80211: use __counted_by where appropriate")
Cc: stable@vger.kernel.org
Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Link: https://patch.msgid.link/20241029-nl80211_parse_sched_scan-bounds-checker-fix-v2-1-c804b787341f@google.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit b4ebb58cb9a4b1b5cb5278b09d6afdcd71b2a6b4 ]
Currently, when the driver attempts to connect to an AP MLD with multiple
APs, the cfg80211_mlme_check_mlo_compat() function requires the Medium
Synchronization Delay values from different APs of the same AP MLD to be
equal, which may result in connection failures.
This is because when the driver receives a multi-link probe response from
an AP MLD with multiple APs, cfg80211 updates the Elements for each AP
based on the multi-link probe response. If the Medium Synchronization Delay
is set in the multi-link probe response, the Elements for each AP belonging
to the same AP MLD will have the Medium Synchronization Delay set
simultaneously. If non-multi-link probe responses are received from
different APs of the same MLD AP, cfg80211 will still update the Elements
based on the non-multi-link probe response. Since the non-multi-link probe
response does not set the Medium Synchronization Delay
(IEEE 802.11be-2024-35.3.4.4), if the Elements from a non-multi-link probe
response overwrite those from a multi-link probe response that has set the
Medium Synchronization Delay, the Medium Synchronization Delay values for
APs belonging to the same AP MLD will not be equal. This discrepancy causes
the cfg80211_mlme_check_mlo_compat() function to fail, leading to
connection failures. Commit ccb964b4ab
("wifi: cfg80211: validate MLO connections better") did not take this into
account.
To address this issue, remove this validity check.
Fixes: ccb964b4ab ("wifi: cfg80211: validate MLO connections better")
Signed-off-by: Lingbo Kong <quic_lingbok@quicinc.com>
Link: https://patch.msgid.link/20241031134223.970-1-quic_lingbok@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bd9813d13be439851a7ff3e6372e53caa6e387a6 ]
Currently, wiphy_verify_combinations() fails for the multi-radio per wiphy
due to the condition check on new global interface combination that DFS
only works on one channel. In a multi-radio scenario, new global interface
combination encompasses the capabilities of all radio combinations, so it
supports more than one channel with DFS. For multi-radio per wiphy,
interface combination verification needs to be performed for radio specific
interface combinations. This is necessary as the new global interface
combination combines the capabilities of all radio combinations.
Fixes: a01b1e9f99 ("wifi: mac80211: add support for DFS with multiple radios")
Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
Link: https://patch.msgid.link/20240917140239.886083-1-quic_periyasa@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
wireless fixes for v6.12-rc5
The first set of wireless fixes for v6.12. We have been busy and have
not been able to send this earlier, so there are more fixes than
usual. The fixes are all over, both in stack and in drivers, but
nothing special really standing out.
Currently, in cfg80211_parse_ml_elem_sta_data(), when RNR element
indicates a BSS that operates in a channel that current regulatory
domain doesn't support, a NULL value is returned by
ieee80211_get_channel_khz() and assigned to this BSS entry's channel
field. Later in cfg80211_inform_single_bss_data(), the reported
BSS entry's channel will be wrongly overridden by transmitted BSS's.
This could result in connection failure that when wpa_supplicant
tries to select this reported BSS entry while it actually resides in
an unsupported channel.
Since this channel is not supported, it is reasonable to skip such
entries instead of reporting wrong information.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Link: https://patch.msgid.link/20240923021644.12885-1-quic_chenhuan@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
asm/unaligned.h is always an include of asm-generic/unaligned.h;
might as well move that thing to linux/unaligned.h and include
that - there's nothing arch-specific in that header.
auto-generated by the following:
for i in `git grep -l -w asm/unaligned.h`; do
sed -i -e "s/asm\/unaligned.h/linux\/unaligned.h/" $i
done
for i in `git grep -l -w asm-generic/unaligned.h`; do
sed -i -e "s/asm-generic\/unaligned.h/linux\/unaligned.h/" $i
done
git mv include/asm-generic/unaligned.h include/linux/unaligned.h
git mv tools/include/asm-generic/unaligned.h tools/include/linux/unaligned.h
sed -i -e "/unaligned.h/d" include/asm-generic/Kbuild
sed -i -e "s/__ASM_GENERIC/__LINUX/" include/linux/unaligned.h tools/include/linux/unaligned.h
Currently, during starting a radar detection, no link id information is
parsed and passed down. In order to support starting radar detection
during Multi Link Operation, it is required to pass link id as well.
Add changes to first parse and then pass link id in the start radar
detection path.
Additionally, update notification APIs to allow drivers/mac80211 to
pass the link ID.
However, everything is handled at link 0 only until all API's are ready to
handle it per link.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Link: https://patch.msgid.link/20240906064426.2101315-6-quic_adisi@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
A few members related to DFS handling are currently under per wireless
device data structure. However, in order to support DFS with MLO, there is
a need to have them on a per-link manner.
Hence, as a preliminary step, move members cac_started, cac_start_time
and cac_time_ms to be on a per-link basis.
Since currently, link ID is not known at all places, use default value of
0 for now.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Link: https://patch.msgid.link/20240906064426.2101315-5-quic_adisi@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
rdev_end_cac trace event is linked with wiphy_netdev_evt event class.
There is no option to pass link ID currently to wiphy_netdev_evt class.
A subsequent change would pass link ID to rdev_end_cac event and hence
it can no longer derive the event class from wiphy_netdev_evt.
Therefore, unlink rdev_end_cac event from wiphy_netdev_evt and define it's
own independent trace event. Link ID would be passed in subsequent change.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Link: https://patch.msgid.link/20240906064426.2101315-4-quic_adisi@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the
following:
[ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25
[ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]'
<...skipped...>
[ T4985] Call Trace:
[ T4985] <TASK>
[ T4985] dump_stack_lvl+0x1c2/0x2a0
[ T4985] ? __pfx_dump_stack_lvl+0x10/0x10
[ T4985] ? __pfx__printk+0x10/0x10
[ T4985] __ubsan_handle_out_of_bounds+0x127/0x150
[ T4985] cfg80211_wext_siwscan+0x11a4/0x1260
<...the rest is not too useful...>
Even if we do 'creq->n_channels = n_channels' before 'creq->ssids =
(void *)&creq->channels[n_channels]', UBSAN treats the latter as
off-by-one error. Fix this by using pointer arithmetic rather than
an expression with explicit array indexing and use convenient
'struct_size()' to simplify the math here and in 'kzalloc()' above.
Fixes: 5ba63533bb ("cfg80211: fix alignment problem in scan request")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reviewed-by: Kees Cook <kees@kernel.org>
Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru
[fix coding style for multi-line calculation]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
"Interface can't change network namespaces" is rather an attribute,
not a feature, and it can't be changed via Ethtool.
Make it a "cold" private flag instead of a netdev_feature and free
one more bit.
Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
When starting CAC in a mode other than AP mode, it return a
"WARNING: CPU: 0 PID: 63 at cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]"
caused by the chandef.chan being null at the end of CAC.
Solution: Ensure the channel definition is set for the different modes
when starting CAC to avoid getting a NULL 'chan' at the end of CAC.
Call Trace:
? show_regs.part.0+0x14/0x16
? __warn+0x67/0xc0
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? report_bug+0xa7/0x130
? exc_overflow+0x30/0x30
? handle_bug+0x27/0x50
? exc_invalid_op+0x18/0x60
? handle_exception+0xf6/0xf6
? exc_overflow+0x30/0x30
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? exc_overflow+0x30/0x30
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? regulatory_propagate_dfs_state.cold+0x1b/0x4c [cfg80211]
? cfg80211_propagate_cac_done_wk+0x1a/0x30 [cfg80211]
? process_one_work+0x165/0x280
? worker_thread+0x120/0x3f0
? kthread+0xc2/0xf0
? process_one_work+0x280/0x280
? kthread_complete_and_exit+0x20/0x20
? ret_from_fork+0x19/0x24
Reported-by: Kretschmer Mathias <mathias.kretschmer@fit.fraunhofer.de>
Signed-off-by: Issam Hamdi <ih@simonwunderlich.de>
Link: https://patch.msgid.link/20240816142418.3381951-1-ih@simonwunderlich.de
[shorten subject, remove OCB, reorder cases to match previous list]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Greg Kroah-Hartman
Edward Adam Davis
Kavita Kavita
Lachlan Hodges
Anjaneyulu
Veerendranath Jakkam
Johannes Berg
Ilan Peer
Miri Korenblit
Vitaliy Shevtsov
Nikita Zhandarovich
Benjamin Berg
Felix Fietkau
Dmitry Antipov
Kees Cook
Zichen Xie
Aditya Kumar Singh
Haoyu Li
Lin Ma
Aleksei Vetrov
Lingbo Kong
Karthikeyan Periyasamy
David S. Miller
Eric Dumazet
Remi Pommarel
Chenming Huang
Al Viro
Jakub Kicinski
Alexander Lobakin
Issam Hamdi
Yu Jiaoliang