
Merge tag 'v6.18.25' into qcom-6.18.y#528

Open
svankas wants to merge 616 commits into qualcomm-linux:qcom-6.18.y from svankas:6.18.25-lts
svankas commented Apr 30, 2026

No description provided.

Zhang Heng and others added 30 commits April 22, 2026 13:22
[ Upstream commit 7bae956 ]

This machine is equipped with ALC287 and requires the quirk
ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN to fix the issue
where the bass speakers are not configured and the speaker
volume cannot be controlled.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=221210
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260313080624.1395362-1-zhangheng@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 59f68dc ]

Fixes lack of audio output on the ASUS ROG Flow Z13-KJP GZ302EAC model,
similar to the ASUS ROG Flow Z13 GZ302EA.

Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
Link: https://patch.msgid.link/20260313172503.285846-1-matthew.schwartz@linux.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit c03b7de ]

The deeply nested loop in rkvdec_init_v4l2_vp9_count_tbl() needs a lot
of registers, so when the clang register allocator runs out, it ends up
spilling countless temporaries to the stack:

drivers/media/platform/rockchip/rkvdec/rkvdec-vp9.c:966:12: error: stack frame size (1472) exceeds limit (1280) in 'rkvdec_vp9_start' [-Werror,-Wframe-larger-than]

Marking this function as noinline_for_stack keeps it out of
rkvdec_vp9_start(), giving the compiler more room for optimization.

The resulting code is good enough that both the total stack usage
and the loop get enough better to stay under the warning limit,
though it's still slow, and would need a larger rework if this
function ends up being called in a fast path.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5917212 ]

clang-22 rightfully warns that the memcpy() in adapter_prepare() copies
between different structures, crossing the boundary of nested
structures inside it:

In file included from sound/pci/asihpi/hpimsgx.c:13:
In file included from include/linux/string.h:386:
include/linux/fortify-string.h:569:4: error: call to '__write_overflow_field' declared with 'warning' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror,-Wattribute-warning]
  569 |                         __write_overflow_field(p_size_field, size);

The two structures seem to refer to the same layout, despite the
separate definitions, so the code is in fact correct.

Avoid the warning by copying the two inner structures separately.
I see the same pattern happens in other functions in the same file,
so there is a chance that this may come back in the future, but
this instance is the only one that I saw in practice, hitting it
multiple times per day in randconfig build.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patch.msgid.link/20260318124016.3488566-1-arnd@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b6807cf ]

__hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock:

    hdev->req_status = HCI_REQ_PEND;

However, several other functions read or write hdev->req_status without
holding any lock:

  - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue)
  - hci_cmd_sync_complete() reads/writes from HCI event completion
  - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write
  - hci_abort_conn() reads in connection abort path

Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while
hci_send_cmd_sync() runs on hdev->workqueue, these are different
workqueues that can execute concurrently on different CPUs. The plain
C accesses constitute a data race.

Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses
to hdev->req_status to prevent potential compiler optimizations that
could affect correctness (e.g., load fusing in the wait_event
condition or store reordering).

Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 1f182ec ]

Add a DMI quirk for the Thin A15 B7VF fixing the issue where
the internal microphone was not detected.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=220833
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260316080218.2931304-1-zhangheng@kylinos.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 215e5fe ]

sof_parse_token_sets() accepts array->size values that can be invalid
for a vendor tuple array header. In particular, a zero size does not
advance the parser state and can lead to non-progress parsing on
malformed topology data.

Validate array->size against the minimum header size and reject values
smaller than sizeof(*array) before parsing. This preserves behavior for
valid topologies and hardens malformed-input handling.

Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Link: https://patch.msgid.link/20260319-sof-topology-array-size-fix-v1-1-f9191b16b1b7@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 7a57354 ]

Add missing error handling for mcp251x_power_enable() calls in both
mcp251x_open() and mcp251x_can_resume() functions.

In mcp251x_open(), if power enable fails, jump to error path to close
candev without attempting to disable power again.

In mcp251x_can_resume(), properly check return values of power enable calls
for both power and transceiver regulators. If any fails, return the error
code to the PM framework and log the failure.

This ensures the driver properly handles power control failures and
maintains correct device state.

Signed-off-by: Wenyuan Li <2063309626@qq.com>
Link: https://patch.msgid.link/tencent_F3EFC5D7738AC548857B91657715E2D3AA06@qq.com
[mkl: fix patch description]
[mkl: mcp251x_can_resume(): replace goto by return]
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2594196 ]

Add a DMI quirk entry for ASUS HN7306EA in the ACP SoundWire legacy
machine driver.

Set driver_data to ASOC_SDW_ACP_DMIC for this board so the
platform-specific DMIC quirk path is selected.

Signed-off-by: Hasun Park <hasunpark@gmail.com>
Link: https://patch.msgid.link/20260319163321.30326-1-hasunpark@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b8bee48 ]

The build can fail with:

ERROR: modpost: "__auxiliary_driver_register"
[sound/usb/qcom/snd-usb-audio-qmi.ko] undefined!
ERROR: modpost: "auxiliary_driver_unregister"
[sound/usb/qcom/snd-usb-audio-qmi.ko] undefined!

Select AUXILIARY_BUS when SND_USB_AUDIO_QMI is enabled.

Signed-off-by: Frank Zhang <rmxpzlb@gmail.com>
Link: https://patch.msgid.link/20260317102527.556248-1-rmxpzlb@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
…302EAC

[ Upstream commit 0198d27 ]

The ASUS ROG Flow Z13-KJP GZ302EAC model uses sys_vendor name ASUS
rather than ASUSTeK COMPUTER INC., but it needs the same folio quirk as
the other ROG Flow Z13. To keep things simple, just match on sys_vendor
ASUS since it covers both.

Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Reviewed-by: Denis Benato <denis.benato@linux.dev>
Link: https://patch.msgid.link/20260312212246.1608080-1-matthew.schwartz@linux.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5254d41 ]

When logging that an inode exists, as part of logging a new name or
logging new dir entries for a directory, we always set the generation of
the logged inode item to 0. This is to signal during log replay (in
overwrite_item()), that we should not set the i_size since we only logged
that an inode exists, so the i_size of the inode in the subvolume tree
must be preserved (as when we log new names or that an inode exists, we
don't log extents).

This works fine except when we have already logged an inode in full mode
or it's the first time we are logging an inode created in a past
transaction, that inode has a new i_size of 0 and then we log a new name
for the inode (due to a new hardlink or a rename), in which case we log
an i_size of 0 for the inode and a generation of 0, which causes the log
replay code to not update the inode's i_size to 0 (in overwrite_item()).

An example scenario:

  mkdir /mnt/dir
  xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo

  sync

  xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo

  ln /mnt/dir/foo /mnt/dir/bar

  xfs_io -c "fsync" /mnt/dir

  <power fail>

After log replay the file remains with a size of 64K. This is because when
we first log the inode, when we fsync file foo, we log its current i_size
of 0, and then when we create a hard link we log again the inode in exists
mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we
add to the log tree, so during log replay overwrite_item() sees that the
generation is 0 and i_size is 0 so we skip updating the inode's i_size
from 64K to 0.

Fix this by making sure at fill_inode_item() we always log the real
generation of the inode if it was logged in the current transaction with
the i_size we logged before. Also if an inode created in a previous
transaction is logged in exists mode only, make sure we log the i_size
stored in the inode item located from the commit root, so that if we log
multiple times that the inode exists we get the correct i_size.

A test case for fstests will follow soon.

Reported-by: Vyacheslav Kovalevsky <slava.kovalevskiy.2014@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/af8c15fa-4e41-4bb2-885c-0bc4e97532a6@gmail.com/
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 84d29bf ]

The HP Omen 16-wf1xxx (board ID: 8C76) has the same WMI interface as
other Victus S boards, but requires quirks for correctly switching
thermal profile (similar to board 8C78).

Add the DMI board name to victus_s_thermal_profile_boards[] table and
map it to omen_v1_thermal_params.

Testing on board 8C76 confirmed that platform profile is registered
successfully and fan RPMs are readable and controllable.

Tested-by: WJ Enderlava <jie7172585@gmail.com>
Reported-by: WJ Enderlava <jie7172585@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221149
Signed-off-by: Krishna Chomal <krishna.chomal108@gmail.com>
Link: https://patch.msgid.link/20260227154106.226809-1-krishna.chomal108@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
…_sync_file()

[ Upstream commit a85b46d ]

If overlay is used on top of btrfs, dentry->d_sb translates to overlay's
super block and fsid assignment will lead to a crash.

Use file_inode(file)->i_sb to always get btrfs_sb.

Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2f388b4 ]

The HP Pavilion 15-eg0xxx with subsystem ID 0x103c87cb uses a Realtek
ALC287 codec with a mute LED wired to GPIO pin 4 (mask 0x10). The
existing ALC287_FIXUP_HP_GPIO_LED fixup already handles this correctly,
but the subsystem ID was missing from the quirk table.

GPIO pin confirmed via manual hda-verb testing:
  hda-verb SET_GPIO_MASK 0x10
  hda-verb SET_GPIO_DIRECTION 0x10
  hda-verb SET_GPIO_DATA 0x10

Signed-off-by: César Montoya <sprit152009@gmail.com>
Link: https://patch.msgid.link/20260321153603.12771-1-sprit152009@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bffcaad ]

Holding reference on the expectation is not sufficient, the master
conntrack object can just go away, making exp->master invalid.

To access exp->master safely:

- Grab the nf_conntrack_expect_lock, this gets serialized with
  clean_from_lists() which also holds this lock when the master
  conntrack goes away.

- Hold reference on master conntrack via nf_conntrack_find_get().
  Not so easy since the master tuple to look up for the master conntrack
  is not available in the existing problematic paths.

This patch goes for extending the nf_conntrack_expect_lock section
to address this issue for simplicity, in the cases that are described
below this is just slightly extending the lock section.

The add expectation command already holds a reference to the master
conntrack from ctnetlink_create_expect().

However, the delete expectation command needs to grab the spinlock
before looking up for the expectation. Expand the existing spinlock
section to address this to cover the expectation lookup. Note that,
the nf_ct_expect_iterate_net() calls already grab the spinlock while
iterating over the expectation table, which is correct.

The get expectation command needs to grab the spinlock to ensure master
conntrack does not go away. This also expands the existing spinlock
section to cover the expectation lookup too. I needed to move the
netlink skb allocation out of the spinlock to keep it GFP_KERNEL.

For the expectation events, the IPEXP_DESTROY event is already delivered
under the spinlock, just move the delivery of IPEXP_NEW under the
spinlock too because the master conntrack event cache is reached through
exp->master.

While at it, add lockdep notations to help identify what codepaths need
to grab the spinlock.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 4e9597f ]

During a GPU page fault, the driver restores the SVM range and then maps it
into the GPU page tables. The current implementation passes a GPU-page-size
(4K-based) PFN to svm_range_restore_pages() to restore the range.

SVM ranges are tracked using system-page-size PFNs. On systems where the
system page size is larger than 4K, using GPU-page-size PFNs to restore the
range causes two problems:

Range lookup fails:
Because the restore function receives PFNs in GPU (4K) units, the SVM
range lookup does not find the existing range. This will result in a
duplicate SVM range being created.

VMA lookup failure:
The restore function also tries to locate the VMA for the faulting address.
It converts the GPU-page-size PFN into an address using the system page
size, which results in an incorrect address on non-4K page-size systems.
As a result, the VMA lookup fails with the message: "address 0xxxx VMA is
removed".

This patch passes the system-page-size PFN to svm_range_restore_pages() so
that the SVM range is restored correctly on non-4K page systems.

Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 074fe39)
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit faceb5c ]

HP Laptop 15-fd0xxx with ALC236 codec does not handle the toggling of
the mute LED.
This patch adds a quirk entry for subsystem ID 0x8dd7 using
ALC236_FIXUP_HP_MUTE_LED_COEFBIT2 fixup, enabling correct mute LED
behavior.

Signed-off-by: Kshamendra Kumar Mishra <kshamendrakumarmishra@gmail.com>
Link: https://patch.msgid.link/DHAB51ISUM96.2K9SZIABIDEQ0@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
…piry

[ Upstream commit d3c0037 ]

New test case fails unexpectedly when avx2 matching functions are used.

The test first loads a randomly generated pipapo set
with 'ipv4 . port' key, i.e.  nft -f foo.

This works.  Then, it reloads the set after a flush:
(echo flush set t s; cat foo) | nft -f -

This is expected to work, because it's the same set after all and it was
already loaded once.

But with avx2, this fails: nft reports a clashing element.

The reported clash is of following form:

    We successfully re-inserted
      a . b
      c . d

Then we try to insert a . d

avx2 finds the already existing a . d, which (due to 'flush set') is marked
as invalid in the new generation.  It skips the element and moves to next.

Due to incorrect masking, the skip-step finds the next matching
element *only considering the first field*,

i.e. we return the already reinserted "a . b", even though the
last field is different and the entry should not have been matched.

No such error is reported for the generic C implementation (no avx2) or when
the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback.

Bisection points to
7711f4b ("netfilter: nft_set_pipapo: fix range overlap detection")
but that fix merely uncovers this bug.

Before this commit, the wrong element is returned, but erroneously
reported as a full, identical duplicate.

The root-cause is too early return in the avx2 match functions.
When we process the last field, we should continue to process data
until the entire input size has been consumed to make sure no stale
bits remain in the map.

Link: https://lore.kernel.org/netfilter-devel/20260321152506.037f68c0@elisabeth/
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bac1e57 ]

Similar to commit 7b50991 ("ALSA hda/realtek: Add quirk for
Framework F111:000C") and previous quirks for Framework systems with
Realtek codecs.

000F is another new platform with an ALC285 which needs the same quirk.

Signed-off-by: Dustin L. Howett <dustin@howett.net>
Link: https://patch.msgid.link/20260327-framework-alsa-000f-v1-1-74013aba1c00@howett.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0fd56fa ]

wl1251_tx_packet_cb() uses the firmware completion ID directly to index
the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the
completion block, and the callback does not currently verify that it
fits the array before dereferencing it.

Reject completion IDs that fall outside wl->tx_frames[] and keep the
existing NULL check in the same guard. This keeps the fix local to the
trust boundary and avoids touching the rest of the completion flow.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260323080845.40033-1-pengpeng@iscas.ac.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b9eff97 ]

Component has "card_aux_list" which is added/deleted in bind/unbind aux dev
function (A), and used in for_each_card_auxs() loop (B).

	static void soc_unbind_aux_dev(...)
	{
		...
		for_each_card_auxs_safe(...) {
			...
(A)			list_del(&component->card_aux_list);
		}			     ^^^^^^^^^^^^^
	}

	static int soc_bind_aux_dev(...)
	{
		...
		for_each_card_pre_auxs(...) {
			...
(A)			list_add(&component->card_aux_list, ...);
		}			     ^^^^^^^^^^^^^
		...
	}

	#define for_each_card_auxs(card, component)	\
(B)		list_for_each_entry(component, ..., card_aux_list)
						    ^^^^^^^^^^^^^

But it has been used without calling INIT_LIST_HEAD().

	> git grep card_aux_list sound/soc
	sound/soc/soc-core.c:           list_del(&component->card_aux_list);
	sound/soc/soc-core.c:           list_add(&component->card_aux_list, ...);

Call missing INIT_LIST_HEAD() for it.

Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://patch.msgid.link/87341mxa8l.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit ea31be8 ]

There is another Book2 Pro model (NP950QED) that seems equipped with
the same speaker module as the non-360 model, which requires
ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS quirk.

Reported-by: Throw <zakkabj@gmail.com>
Link: https://patch.msgid.link/20260330162249.147665-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bc5b4e5 ]

The NeuralDSP Quad Cortex does not support DSD playback. We need
this product-specific entry with zero quirks because otherwise it
falls through to the vendor-specific entry which marks it as
supporting DSD playback.

Cc: Yue Wang <yuleopen@gmail.com>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Signed-off-by: Phil Willoughby <willerz@gmail.com>
Link: https://patch.msgid.link/20260328080921.3310-1-willerz@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit e6c8882 ]

The Pin Complex 0x17 (bass/woofer speakers) is incorrectly reported as
unconnected in the BIOS (pin default 0x411111f0 = N/A). This causes the
kernel to configure speaker_outs=0, meaning only the tweeters (pin 0x14)
are used. The result is very low, tinny audio with no bass.

The existing quirk ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN (already present
in patch_realtek.c for SSID 0x17aa3801) fixes the issue completely.

Reported-by: Garcicasti <andresgarciacastilla@gmail.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=221298
Signed-off-by: songxiebing <songxiebing@kylinos.cn>
Link: https://patch.msgid.link/20260331033650.285601-1-songxiebing@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
…l stack size to GPU page size

[ Upstream commit 78746a4 ]

The control stack size is calculated based on the number of CUs and
waves, and is then aligned to PAGE_SIZE. When the resulting control
stack size is aligned to 64 KB, GPU hangs and queue preemption
failures are observed while running RCCL unit tests on systems with
more than two GPUs.

amdgpu 0048:0f:00.0: amdgpu: Queue preemption failed for queue with
doorbell_id: 80030008
amdgpu 0048:0f:00.0: amdgpu: Failed to evict process queues
amdgpu 0048:0f:00.0: amdgpu: GPU reset begin!. Source: 4
amdgpu 0048:0f:00.0: amdgpu: Queue preemption failed for queue with
doorbell_id: 80030008
amdgpu 0048:0f:00.0: amdgpu: Failed to evict process queues
amdgpu 0048:0f:00.0: amdgpu: Failed to restore process queues

This issue is observed on both 4 KB and 64 KB system page-size
configurations.

This patch fixes the issue by aligning the control stack size to
AMDGPU_GPU_PAGE_SIZE instead of PAGE_SIZE, so the control stack size
will not be 64 KB on systems with a 64 KB page size and queue
preemption works correctly.

Additionally, in the current code, wg_data_size is aligned to PAGE_SIZE,
which can waste memory if the system page size is large. In this patch,
wg_data_size is aligned to AMDGPU_GPU_PAGE_SIZE. The cwsr_size, calculated
from wg_data_size and the control stack size, is aligned to PAGE_SIZE.

Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit a3e1443)
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 78ec5bf ]

When cifs_sanitize_prepath is called with an empty string or a string
containing only delimiters (e.g., "/"), the current logic attempts to
check *(cursor2 - 1) before cursor2 has advanced. This results in an
out-of-bounds read.

This patch adds an early exit check after stripping prepended
delimiters. If no path content remains, the function returns NULL.

The bug was identified via manual audit and verified using a
standalone test case compiled with AddressSanitizer, which
triggered a SEGV on affected inputs.

Signed-off-by: Fredric Cover <FredTheDude@proton.me>
Reviewed-by: Henrique Carvalho <henrique.carvalho@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 8ec017c ]

The HP Laptop 15-fc0xxx (subsystem ID 0x103c8dc9) has an internal
DMIC connected to the AMD ACP6x audio coprocessor. Add a DMI quirk
entry so the internal microphone is properly detected on this model.

Tested on HP Laptop 15-fc0237ns with Fedora 43 (kernel 6.19.9).

Signed-off-by: Gilson Marquato Júnior <gilsonmandalogo@hotmail.com>
Link: https://patch.msgid.link/20260330-hp-15-fc0xxx-dmic-v2-v1-1-6dd6f53a1917@hotmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 217d5bc ]

The Lenovo Yoga Pro 7 14IMH9 (DMI: 83E2) shares PCI SSID 17aa:3847
with the Legion 7 16ACHG6, but has a different codec subsystem ID
(17aa:38cf). The existing SND_PCI_QUIRK for 17aa:3847 applies
ALC287_FIXUP_LEGION_16ACHG6, which attempts to initialize an external
I2C amplifier (CLSA0100) that is not present on the Yoga Pro 7 14IMH9.

As a result, pin 0x17 (bass speakers) is connected to DAC 0x06 which
has no volume control, making hardware volume adjustment completely
non-functional. Audio is either silent or at maximum volume regardless
of the slider position.

Add a HDA_CODEC_QUIRK entry using the codec subsystem ID (17aa:38cf)
to correctly identify the Yoga Pro 7 14IMH9 and apply
ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN, which redirects pin 0x17 to
DAC 0x02 and restores proper volume control. The existing Legion entry
is preserved unchanged.

This follows the same pattern used for 17aa:386e, where Legion Y9000X
and Yoga Pro 7 14ARP8 share a PCI SSID but are distinguished via
HDA_CODEC_QUIRK.

Link: https://github.com/nomad4tech/lenovo-yoga-pro-7-linux
Tested-by: Alexander Savenko <alex.sav4387@gmail.com>
Signed-off-by: Alexander Savenko <alex.sav4387@gmail.com>
Link: https://patch.msgid.link/20260331082929.44890-1-alex.sav4387@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
…ncer)

[ Upstream commit a4337a2 ]

The 1kOhm pull down and hardware debouncer are features of the revision 0.92
of the Chassis specification. Fix that in the code accordingly.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Darrick J. Wong and others added 24 commits April 27, 2026 07:27
commit 129a45f upstream.

gcc 15 complains about an uninitialized variable val that is passed by
reference into fuse_conn_limit_write:

 control.c: In function ‘fuse_conn_congestion_threshold_write’:
 include/asm-generic/rwonce.h:55:37: warning: ‘val’ may be used uninitialized [-Wmaybe-uninitialized]
    55 |         *(volatile typeof(x) *)&(x) = (val);                            \
       |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~
 include/asm-generic/rwonce.h:61:9: note: in expansion of macro ‘__WRITE_ONCE’
    61 |         __WRITE_ONCE(x, val);                                           \
       |         ^~~~~~~~~~~~
 control.c:178:9: note: in expansion of macro ‘WRITE_ONCE’
   178 |         WRITE_ONCE(fc->congestion_threshold, val);
       |         ^~~~~~~~~~
 control.c:166:18: note: ‘val’ was declared here
   166 |         unsigned val;
       |                  ^~~

Unfortunately there's enough macro spew involved in kstrtoul_from_user
that I think gcc gives up on its analysis and sprays the above warning.
AFAICT it's not actually a bug, but we could just zero-initialize the
variable to enable using -Wmaybe-uninitialized to find real problems.

Previously we would use some weird uninitialized_var annotation to quiet
down the warnings, so clearly this code has been like this for quite
some time.

Cc: stable@vger.kernel.org # v5.9
Fixes: 3f649ab ("treewide: Remove uninitialized_var() usage")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…lized

commit da6fcc6 upstream.

Use fuse_get_dev() not __fuse_get_dev() on the old fd, since in the case of
synchronous INIT the caller will want to wait for the device file to be
available for cloning, just like I/O wants to wait instead of returning an
error.

Fixes: dfb84c3 ("fuse: allow synchronous FUSE_INIT")
Cc: stable@vger.kernel.org # v6.18
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d07b26f upstream.

Both ACE-walk loops in smb_check_perm_dacl() only guard against an
under-sized remaining buffer, not against an ACE whose declared
`ace->size` is smaller than the struct it claims to describe:

  if (offsetof(struct smb_ace, access_req) > aces_size)
      break;
  ace_size = le16_to_cpu(ace->size);
  if (ace_size > aces_size)
      break;

The first check only requires the 4-byte ACE header to be in bounds;
it does not require access_req (4 bytes at offset 4) to be readable.
An attacker who has set a crafted DACL on a file they own can declare
ace->size == 4 with aces_size == 4, pass both checks, and then

  granted |= le32_to_cpu(ace->access_req);               /* upper loop */
  compare_sids(&sid, &ace->sid);                         /* lower loop */

reads access_req at offset 4 (OOB by up to 4 bytes) and ace->sid at
offset 8 (OOB by up to CIFS_SID_BASE_SIZE + SID_MAX_SUB_AUTHORITIES
* 4 bytes).

Tighten both loops to require

  ace_size >= offsetof(struct smb_ace, sid) + CIFS_SID_BASE_SIZE

which is the smallest valid on-wire ACE layout (4-byte header +
4-byte access_req + 8-byte sid base with zero sub-auths).  Also
reject ACEs whose sid.num_subauth exceeds SID_MAX_SUB_AUTHORITIES
before letting compare_sids() dereference sub_auth[] entries.

parse_sec_desc() already enforces an equivalent check (lines 441-448);
smb_check_perm_dacl() simply grew weaker validation over time.

Reachability: authenticated SMB client with permission to set an ACL
on a file.  On a subsequent CREATE against that file, the kernel
walks the stored DACL via smb_check_perm_dacl() and triggers the
OOB read.  Not pre-auth, and the OOB read is not reflected to the
attacker, but KASAN reports and kernel state corruption are
possible.

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
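
The bounds logic described in the commit message above, modelled in user space as an added example (not the ksmbd code and not part of the patch). The offsets follow the layout the message states; the value 15 for SID_MAX_SUB_AUTHORITIES, the walk_aces() helper and the sample bytes are assumptions of this example, and the last sub-auth length check goes beyond the two checks the commit names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* On-wire ACE layout as the commit message describes it: 4-byte header
 * (type, flags, le16 size), 4-byte access_req, then the SID, whose base
 * is 8 bytes (revision, num_subauth, 6-byte authority) before sub_auth[]. */
#define ACE_OFF_SIZE            2u
#define ACE_OFF_ACCESS_REQ      4u  /* offsetof(struct smb_ace, access_req) */
#define ACE_OFF_SID             8u  /* offsetof(struct smb_ace, sid) */
#define CIFS_SID_BASE_SIZE      8u
#define SID_MAX_SUB_AUTHORITIES 15u /* assumed value for this model */
#define ACE_MIN_SIZE (ACE_OFF_SID + CIFS_SID_BASE_SIZE)

struct walk_result {
    int accepted;    /* ACEs whose access_req and sid the loop would use */
    int past_buffer; /* accepted ACEs whose fields lie beyond the buffer */
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Walk up to num_aces ACEs in buf[0..aces_size). Nothing is read out of
 * bounds here: the model only computes which field reads would be.
 * tightened == 0 applies the two pre-fix checks quoted in the message,
 * tightened != 0 adds the checks the commit introduces. */
struct walk_result walk_aces(const uint8_t *buf, size_t aces_size,
                             unsigned num_aces, int tightened)
{
    struct walk_result r = { 0, 0 };
    size_t off = 0;

    for (unsigned i = 0; i < num_aces; i++) {
        /* Pre-fix check 1: only the 4-byte header must be in bounds. */
        if (ACE_OFF_ACCESS_REQ > aces_size)
            break;
        uint16_t ace_size = get_le16(buf + off + ACE_OFF_SIZE);
        /* Pre-fix check 2: declared size must fit the remaining bytes. */
        if (ace_size > aces_size)
            break;

        if (tightened) {
            /* From the commit: smallest valid on-wire ACE. */
            if (ace_size < ACE_MIN_SIZE)
                break;
            /* From the commit: bound num_subauth before sub_auth[] is used. */
            uint8_t n = buf[off + ACE_OFF_SID + 1];
            if (n > SID_MAX_SUB_AUTHORITIES)
                break;
            /* Added in this example only: declared sub-auths fit the ACE. */
            if (ace_size < ACE_MIN_SIZE + 4u * n)
                break;
        }

        r.accepted++;
        /* access_req and the SID base end at offset 16 of the ACE. */
        if (ACE_MIN_SIZE > aces_size)
            r.past_buffer++;

        off += ace_size;
        aces_size -= ace_size;
    }
    return r;
}

/* Constructed sample: one well-formed 20-byte ACE (one sub-authority)
 * followed by a 4-byte ACE that declares size == 4. */
const uint8_t sample_aces[] = {
    0x00, 0x00, 0x14, 0x00,           /* type, flags, size = 20 */
    0x89, 0x00, 0x12, 0x00,           /* access_req */
    0x01, 0x01, 0, 0, 0, 0, 0, 0x05,  /* sid: rev 1, 1 sub-auth, authority */
    0x0b, 0x00, 0x00, 0x00,           /* sub_auth[0] */
    0x00, 0x00, 0x04, 0x00            /* short ACE: size = 4, nothing after */
};

/* Constructed sample: 16-byte ACE whose SID claims 200 sub-authorities. */
const uint8_t sample_bad_subauth[] = {
    0x00, 0x00, 0x10, 0x00,
    0x89, 0x00, 0x12, 0x00,
    0x01, 0xc8, 0, 0, 0, 0, 0, 0x05
};

int main(void)
{
    struct walk_result w = walk_aces(sample_aces, sizeof(sample_aces), 2, 0);
    struct walk_result t = walk_aces(sample_aces, sizeof(sample_aces), 2, 1);

    printf("pre-fix checks:   accepted=%d past_buffer=%d\n",
           w.accepted, w.past_buffer);
    printf("tightened checks: accepted=%d past_buffer=%d\n",
           t.accepted, t.past_buffer);
    return 0;
}
```
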
commit 6551300 upstream.

Commit 77ffbca ("smb: server: fix leak of active_num_conn in
ksmbd_tcp_new_connection()") addressed the kthread_run() failure
path.  The earlier alloc_transport() == NULL path in the same
function has the same leak, is reachable pre-authentication via any
TCP connect to port 445, and was empirically reproduced on UML
(ARCH=um, v7.0-rc7): a small number of forced allocation failures
were sufficient to put ksmbd into a state where every subsequent
connection attempt was rejected for the remainder of the boot.

ksmbd_kthread_fn() increments active_num_conn before calling
ksmbd_tcp_new_connection() and discards the return value, so when
alloc_transport() returns NULL the socket is released and -ENOMEM
returned without decrementing the counter.  Each such failure
permanently consumes one slot from the max_connections pool; once
cumulative failures reach the cap, atomic_inc_return() hits the
threshold on every subsequent accept and every new connection is
rejected.  The counter is only reset by module reload.

An unauthenticated remote attacker can drive the server toward the
memory pressure that makes alloc_transport() fail by holding open
connections with large RFC1002 lengths up to MAX_STREAM_PROT_LEN
(0x00FFFFFF); natural transient allocation failures on a loaded
host produce the same drift more slowly.

Mirror the existing rollback pattern in ksmbd_kthread_fn(): on the
alloc_transport() failure path, decrement active_num_conn gated on
server_conf.max_connections.

Repro details: with the patch reverted, forced alloc_transport()
NULL returns leaked counter slots and subsequent connection
attempts -- including legitimate connects issued after the
forced-fail window had closed -- were all rejected with "Limit the
maximum number of connections".  With this patch applied, the same
connect sequence produces no rejections and the counter cycles
cleanly between zero and one on every accept.

Fixes: 0d0d468 ("ksmbd: add max connections parameter")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ce23158 upstream.

The global max_connections check in ksmbd's TCP accept path counts
the newly accepted connection with atomic_inc_return(), but then
rejects the connection when the result is greater than or equal to
server_conf.max_connections.

That makes the effective limit one smaller than configured. For
example:

- max_connections=1 rejects the first connection
- max_connections=2 allows only one connection

The per-IP limit in the same function uses <= correctly because it
counts only pre-existing connections. The global limit instead checks
the post-increment total, so it should reject only when that total
exceeds the configured maximum.

Fix this by changing the comparison from >= to >, so exactly
max_connections simultaneous connections are allowed and the next one
is rejected. This matches the documented meaning of max_connections
in fs/smb/server/ksmbd_netlink.h as the "Number of maximum simultaneous
connections".

Fixes: 0d0d468 ("ksmbd: add max connections parameter")
Cc: stable@vger.kernel.org
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
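
Added example, not code from the kernel tree or from either commit: a single-threaded C model of the two connection-counter bugs described in the previous commit message (active_num_conn leak on transport allocation failure) and the one above (off-by-one limit check). The struct, function names and the plain int counter are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the accept path; every name here is constructed. */
struct accept_model {
	int active_num_conn;         /* stands in for the atomic counter */
	int max_connections;         /* 0 = no limit configured */
	bool reject_at_equal;        /* true: pre-fix ">=", false: fixed ">" */
	bool rollback_on_alloc_fail; /* false: pre-fix leak, true: fixed */
};

enum accept_result { ACCEPTED = 1, REJECTED_LIMIT = 0, ALLOC_FAILED = -1 };

static enum accept_result model_accept(struct accept_model *m, bool alloc_fails)
{
	if (m->max_connections) {
		int now = ++m->active_num_conn;   /* total including this connection */
		bool over = m->reject_at_equal ? now >= m->max_connections
					       : now > m->max_connections;
		if (over) {
			m->active_num_conn--;     /* rollback on rejection */
			return REJECTED_LIMIT;
		}
	}
	if (alloc_fails) {
		/* Without this decrement each failure permanently eats one slot. */
		if (m->rollback_on_alloc_fail && m->max_connections)
			m->active_num_conn--;
		return ALLOC_FAILED;
	}
	return ACCEPTED;
}

/* How many of `attempts` simultaneous connections are let in. */
static int simultaneous_accepted(int max_connections, bool reject_at_equal,
				 int attempts)
{
	struct accept_model m = { 0, max_connections, reject_at_equal, true };
	int ok = 0;

	for (int i = 0; i < attempts; i++)
		if (model_accept(&m, false) == ACCEPTED)
			ok++;
	return ok;
}

/* Result of one ordinary connect after `failures` allocation failures. */
static enum accept_result connect_after_failures(int max_connections,
						 bool rollback, int failures)
{
	struct accept_model m = { 0, max_connections, false, rollback };

	for (int i = 0; i < failures; i++)
		model_accept(&m, true);
	return model_accept(&m, false);
}

int main(void)
{
	printf("max=2, '>=' compare: %d accepted\n", simultaneous_accepted(2, true, 3));
	printf("max=2, '>'  compare: %d accepted\n", simultaneous_accepted(2, false, 3));
	printf("after 4 leaked failures (max=4): %d\n", connect_after_failures(4, false, 4));
	printf("after 4 rolled-back failures (max=4): %d\n", connect_after_failures(4, true, 4));
	return 0;
}
```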
commit 2757ad3 upstream.

parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS
mode SID and reads sid.sub_auth[2] to recover the mode bits.

That assumes the ACE carries three subauthorities, but compare_sids()
only compares min(a, b) subauthorities.  A malicious server can return
an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still
matches sid_unix_NFS_mode and then drives the sub_auth[2] read four
bytes past the end of the ACE.

Require num_subauth >= 3 before treating the ACE as an NFS mode SID.
This keeps the fix local to the special-SID mode path without changing
compare_sids() semantics for the rest of cifsacl.

Fixes: e2f8fbf ("cifs: get mode bits from special sid on stat")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
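
Added example, not the cifs client code: a userspace C model of the prefix comparison and the num_subauth >= 3 guard described above, run over two constructed on-wire SIDs. The S-1-5 authority bytes, the function names and the result codes are assumptions; the model reports the out-of-bounds read instead of performing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_BASE_SIZE 8u   /* revision, num_subauth, 6 authority bytes */

enum nfs_mode_result { NOT_NFS_MODE_SID = 0, MODE_OK = 1, READ_PAST_END = -1 };

/* Reference SID for the NFS mode marker: sub_auth {88, 3} as in the text;
 * the authority value is an assumption of this example. */
static const uint8_t ref_authority[6] = { 0, 0, 0, 0, 0, 5 };
static const uint32_t ref_subauth[2] = { 88, 3 };

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Only min(a, b) sub-authorities are compared, as the commit message says. */
static int matches_nfs_mode_prefix(const uint8_t *sid, size_t len)
{
	if (len < SID_BASE_SIZE)
		return 0;
	unsigned n = sid[1];
	if (len < SID_BASE_SIZE + 4u * n)   /* declared sub-auths must fit */
		return 0;
	if (sid[0] != 1 || memcmp(sid + 2, ref_authority, 6) != 0)
		return 0;
	unsigned cmp = n < 2 ? n : 2;
	for (unsigned i = 0; i < cmp; i++)
		if (get_le32(sid + SID_BASE_SIZE + 4u * i) != ref_subauth[i])
			return 0;
	return 1;
}

static enum nfs_mode_result nfs_mode_from_sid(const uint8_t *sid, size_t len,
					      int require_full_sid,
					      uint32_t *mode)
{
	if (!matches_nfs_mode_prefix(sid, len))
		return NOT_NFS_MODE_SID;
	/* The fix: a mode SID must really carry three sub-authorities. */
	if (require_full_sid && sid[1] < 3)
		return NOT_NFS_MODE_SID;
	/* sub_auth[2] lives at bytes 16..19 of the SID. */
	if (len < SID_BASE_SIZE + 12u)
		return READ_PAST_END;       /* pre-fix code would read here */
	*mode = get_le32(sid + SID_BASE_SIZE + 8u);
	return MODE_OK;
}

/* Constructed samples: num_subauth = 2 (16 bytes) and a full 3-subauth SID
 * carrying mode 0644 (20 bytes). */
static const uint8_t short_sid[16] = { 1, 2, 0, 0, 0, 0, 0, 5,
				       88, 0, 0, 0, 3, 0, 0, 0 };
static const uint8_t full_sid[20] = { 1, 3, 0, 0, 0, 0, 0, 5,
				      88, 0, 0, 0, 3, 0, 0, 0, 0xa4, 0x01, 0, 0 };

int main(void)
{
	uint32_t mode = 0;

	printf("short SID, no guard: %d\n",
	       nfs_mode_from_sid(short_sid, sizeof(short_sid), 0, &mode));
	printf("short SID, guarded:  %d\n",
	       nfs_mode_from_sid(short_sid, sizeof(short_sid), 1, &mode));
	printf("full SID, guarded:   %d mode=%o\n",
	       nfs_mode_from_sid(full_sid, sizeof(full_sid), 1, &mode), (unsigned)mode);
	return 0;
}
```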
commit a58c5af upstream.

smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL
and the default QUERY_INFO path.  The QUERY_INFO branch clamps
qi.input_buffer_length to the server-reported OutputBufferLength and then
copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but
it never verifies that the flexible-array payload actually fits within
rsp_iov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual
QUERY_INFO response, causing copy_to_user() to walk past the response
buffer and expose adjacent kernel heap to userspace.

Guard the QUERY_INFO copy with a bounds check on the actual Buffer
payload.  Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)
rather than an open-coded addition so the guard cannot overflow on
32-bit builds.

Fixes: f5778c3 ("SMB3: Allow SMB3 FSCTL queries to be sent to server from tools")
Cc: stable@vger.kernel.org
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d6a6aa8 upstream.

ipc_validate_msg() computes the expected message size for each
response type by adding (or multiplying) attacker-controlled fields
from the daemon response to a fixed struct size in unsigned int
arithmetic.  Three cases can overflow:

  KSMBD_EVENT_RPC_REQUEST:
      msg_sz = sizeof(struct ksmbd_rpc_command) + resp->payload_sz;
  KSMBD_EVENT_SHARE_CONFIG_REQUEST:
      msg_sz = sizeof(struct ksmbd_share_config_response) +
               resp->payload_sz;
  KSMBD_EVENT_LOGIN_REQUEST_EXT:
      msg_sz = sizeof(struct ksmbd_login_response_ext) +
               resp->ngroups * sizeof(gid_t);

resp->payload_sz is __u32 and resp->ngroups is __s32.  Each addition
can wrap in unsigned int; the multiplication by sizeof(gid_t) mixes
signed and size_t, so a negative ngroups is converted to SIZE_MAX
before the multiply.  A wrapped value of msg_sz that happens to
equal entry->msg_sz bypasses the size check on the next line, and
downstream consumers (smb2pdu.c:6742 memcpy using rpc_resp->payload_sz,
kmemdup in ksmbd_alloc_user using resp_ext->ngroups) then trust the
unverified length.

Use check_add_overflow() on the RPC_REQUEST and SHARE_CONFIG_REQUEST
paths to detect integer overflow without constraining functional
payload size; userspace ksmbd-tools grows NDR responses in 4096-byte
chunks for calls like NetShareEnumAll, so a hard transport cap is
unworkable on the response side.  For LOGIN_REQUEST_EXT, reject
resp->ngroups outside the signed [0, NGROUPS_MAX] range up front and
report the error from ipc_validate_msg() so it fires at the IPC
boundary; with that bound the subsequent multiplication and addition
stay well below UINT_MAX.  The now-redundant ngroups check and
pr_err in ksmbd_alloc_user() are removed.

This is the response-side analogue of aab98e2 ("ksmbd: fix
integer overflows on 32 bit systems"), which hardened the request
side.

Fixes: 0626e66 ("cifsd: add server handler for central processing and tranport layers")
Fixes: a77e0e0 ("ksmbd: add support for supplementary groups")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Assisted-by: Codex:gpt-5-4
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
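
Added example, not the ksmbd code: a userspace C model of the wrapping size computations described above, next to overflow-checked versions. The header sizes, function names and the NGROUPS_MAX value are assumptions, and __builtin_add_overflow() stands in for the kernel's check_add_overflow().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for sizeof(struct ksmbd_rpc_command) and
 * sizeof(struct ksmbd_login_response_ext); the real sizes differ. */
#define RPC_HDR_SZ        16u
#define LOGIN_HDR_SZ      ((size_t)24)
#define MODEL_NGROUPS_MAX 65536   /* assumption: value of NGROUPS_MAX */

/* Pre-fix shape: unsigned int addition that silently wraps. */
static int rpc_size_ok_unchecked(uint32_t payload_sz, unsigned int entry_msg_sz)
{
	unsigned int msg_sz = RPC_HDR_SZ + payload_sz;

	return msg_sz == entry_msg_sz;
}

/* Fixed shape: detect the wrap, place no cap on legitimate payload size. */
static int rpc_size_ok_checked(uint32_t payload_sz, unsigned int entry_msg_sz)
{
	unsigned int msg_sz;

	if (__builtin_add_overflow(RPC_HDR_SZ, payload_sz, &msg_sz))
		return 0;
	return msg_sz == entry_msg_sz;
}

/* Pre-fix shape: a negative ngroups is converted to a huge size_t before
 * the multiply, and the result is truncated to unsigned int. */
static int login_size_ok_unchecked(int32_t ngroups, unsigned int entry_msg_sz)
{
	unsigned int msg_sz = (unsigned int)(LOGIN_HDR_SZ +
			      (size_t)ngroups * sizeof(uint32_t));

	return msg_sz == entry_msg_sz;
}

/* Fixed shape: bound ngroups first, so the arithmetic cannot wrap. */
static int login_size_ok_checked(int32_t ngroups, unsigned int entry_msg_sz)
{
	if (ngroups < 0 || ngroups > MODEL_NGROUPS_MAX)
		return 0;
	unsigned int msg_sz = (unsigned int)(LOGIN_HDR_SZ +
			      (size_t)ngroups * sizeof(uint32_t));

	return msg_sz == entry_msg_sz;
}

int main(void)
{
	/* 16 + 0xFFFFFFF8 wraps to 8: an 8-byte message passes the compare
	 * while payload_sz still claims almost 4 GiB. */
	printf("rpc unchecked:   %d\n", rpc_size_ok_unchecked(0xFFFFFFF8u, 8));
	printf("rpc checked:     %d\n", rpc_size_ok_checked(0xFFFFFFF8u, 8));
	/* ngroups = -1 yields 24 - 4 = 20 after wrap and truncation. */
	printf("login unchecked: %d\n", login_size_ok_unchecked(-1, 20));
	printf("login checked:   %d\n", login_size_ok_checked(-1, 20));
	return 0;
}
```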
commit 3e4e2ea upstream.

smb_inherit_dacl() trusts the on-disk num_aces value from the parent
directory's DACL xattr and uses it to size a heap allocation:

  aces_base = kmalloc(sizeof(struct smb_ace) * num_aces * 2, ...);

num_aces is a u16 read from le16_to_cpu(parent_pdacl->num_aces)
without checking that it is consistent with the declared pdacl_size.
An authenticated client whose parent directory's security.NTACL is
tampered (e.g. via offline xattr corruption or a concurrent path that
bypasses parse_dacl()) can present num_aces = 65535 with minimal
actual ACE data.  This causes a ~8 MB allocation (not kzalloc, so
uninitialized) that the subsequent loop only partially populates, and
may also overflow the three-way size_t multiply on 32-bit kernels.

Additionally, the ACE walk loop uses the weaker
offsetof(struct smb_ace, access_req) minimum size check rather than
the minimum valid on-wire ACE size, and does not reject ACEs whose
declared size is below the minimum.

Reproduced on UML + KASAN + LOCKDEP against the real ksmbd code path.
A legitimate mount.cifs client creates a parent directory over SMB
(ksmbd writes a valid security.NTACL xattr), then the NTACL blob on
the backing filesystem is rewritten to set num_aces = 0xFFFF while
keeping the posix_acl_hash bytes intact so ksmbd_vfs_get_sd_xattr()'s
hash check still passes.  A subsequent SMB2 CREATE of a child under
that parent drives smb2_open() into smb_inherit_dacl() (share has
"vfs objects = acl_xattr" set), which fails the page allocator:

  WARNING: mm/page_alloc.c:5226 at __alloc_frozen_pages_noprof+0x46c/0x9c0
  Workqueue: ksmbd-io handle_ksmbd_work
   __alloc_frozen_pages_noprof+0x46c/0x9c0
   ___kmalloc_large_node+0x68/0x130
   __kmalloc_large_node_noprof+0x24/0x70
   __kmalloc_noprof+0x4c9/0x690
   smb_inherit_dacl+0x394/0x2430
   smb2_open+0x595d/0xabe0
   handle_ksmbd_work+0x3d3/0x1140

With the patch applied the added guard rejects the tampered value
with -EINVAL before any large allocation runs, smb2_open() falls back
to smb2_create_sd_buffer(), and the child is created with a default
SD.  No warning, no splat.

Fix by:

  1. Validating num_aces against pdacl_size using the same formula
     applied in parse_dacl().

  2. Replacing the raw kmalloc(sizeof * num_aces * 2) with
     kmalloc_array(num_aces * 2, sizeof(...)) for overflow-safe
     allocation.

  3. Tightening the per-ACE loop guard to require the minimum valid
     ACE size (offsetof(smb_ace, sid) + CIFS_SID_BASE_SIZE) and
     rejecting under-sized ACEs, matching the hardening in
     smb_check_perm_dacl() and parse_dacl().

v1 -> v2:
  - Replace the synthetic test-module splat in the changelog with a
    real-path UML + KASAN reproduction driven through mount.cifs and
    SMB2 CREATE; Namjae flagged the kcifs3_test_inherit_dacl_old name
    in v1 since it does not exist in ksmbd.
  - Drop the commit-hash citation from the code comment per Namjae's
    review; keep the parse_dacl() pointer.

Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
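
Added example, not the ksmbd code: a hardened ACE walk in userspace C that applies the minimum on-wire ACE size named in the smb_check_perm_dacl() commit message earlier on this page and a num_aces consistency check of the kind described above. The exact num_aces bound, the check that the declared sub-authorities fit inside the ACE, and all names are assumptions of this example; the ACE bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACE_SID_OFFSET          8u   /* 4-byte ACE header + 4-byte access_req */
#define SID_BASE_SIZE           8u   /* SID with zero sub-authorities */
#define MIN_ACE_SIZE            (ACE_SID_OFFSET + SID_BASE_SIZE)
#define SID_MAX_SUB_AUTHORITIES 15u

static unsigned get_le16(const uint8_t *p)
{
	return (unsigned)p[0] | (unsigned)p[1] << 8;
}

/* Returns the number of ACEs walked, or -1 if the blob is rejected. */
static int walk_aces(const uint8_t *aces, size_t aces_len, unsigned num_aces)
{
	size_t off = 0;

	/* Reject a count that cannot fit before sizing any allocation by it. */
	if (num_aces > aces_len / MIN_ACE_SIZE)
		return -1;

	for (unsigned i = 0; i < num_aces; i++) {
		if (aces_len - off < MIN_ACE_SIZE)
			return -1;
		unsigned ace_size = get_le16(aces + off + 2);
		if (ace_size < MIN_ACE_SIZE || ace_size > aces_len - off)
			return -1;
		unsigned n = aces[off + ACE_SID_OFFSET + 1];   /* sid.num_subauth */
		if (n > SID_MAX_SUB_AUTHORITIES)
			return -1;
		if (ace_size < MIN_ACE_SIZE + 4u * n)          /* added strictness */
			return -1;
		off += ace_size;
	}
	return (int)num_aces;
}

/* Constructed 20-byte ACE buffer with caller-chosen size and num_subauth. */
static void make_ace(uint8_t out[20], unsigned size_field, unsigned num_subauth)
{
	memset(out, 0, 20);
	out[2] = (uint8_t)(size_field & 0xff);
	out[3] = (uint8_t)(size_field >> 8);
	out[ACE_SID_OFFSET] = 1;                        /* SID revision */
	out[ACE_SID_OFFSET + 1] = (uint8_t)num_subauth;
	out[ACE_SID_OFFSET + 7] = 5;                    /* authority */
}

static int walk_sample(unsigned size_field, unsigned num_subauth,
		       unsigned num_aces)
{
	uint8_t ace[20];

	make_ace(ace, size_field, num_subauth);
	return walk_aces(ace, sizeof(ace), num_aces);
}

int main(void)
{
	printf("valid ACE:            %d\n", walk_sample(20, 1, 1));
	printf("num_aces = 0xFFFF:    %d\n", walk_sample(20, 1, 0xFFFF));
	printf("header-only ACE size: %d\n", walk_sample(4, 1, 1));
	printf("num_subauth = 16:     %d\n", walk_sample(20, 16, 1));
	return 0;
}
```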
commit 30010c9 upstream.

smb2_get_ea() applies 4-byte alignment padding via memset() after
writing each EA entry. The bounds check on buf_free_len is performed
before the value memcpy, but the alignment memset fires unconditionally
afterward with no check on remaining space.

When the EA value exactly fills the remaining buffer (buf_free_len == 0
after value subtraction), the alignment memset writes 1-3 NUL bytes
past the buf_free_len boundary. In compound requests where the response
buffer is shared across commands, the first command (e.g., READ) can
consume most of the buffer, leaving a tight remainder for the QUERY_INFO
EA response. The alignment memset then overwrites past the physical
kvmalloc allocation into adjacent kernel heap memory.

Add a bounds check before the alignment memset to ensure buf_free_len
can accommodate the padding bytes.

This is the same bug pattern fixed by commit beef263 ("ksmbd: fix
potencial OOB in get_file_all_info() for compound requests") and
commit fda9522 ("ksmbd: fix OOB write in QUERY_INFO for compound
requests"), both of which added bounds checks before unconditional
writes in QUERY_INFO response handlers.

Cc: stable@vger.kernel.org
Fixes: e2b76ab ("ksmbd: add support for read compound")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
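
Added example, not the ksmbd code: a userspace C model of the exact-fit case described above, where the value fills the remaining space and the 4-byte alignment padding lands past it. The struct, the guard region that stands in for adjacent heap memory and the -1 error return are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LIMIT  64
#define GUARD_LEN  4      /* stands in for memory after the response buffer */
#define GUARD_BYTE 0xAA

struct ea_out {
	uint8_t *buf;
	size_t limit;     /* space this response may use */
	size_t used;
};

/* Append one EA (NUL-terminated name + value), then pad to 4 bytes. */
static int put_ea(struct ea_out *o, const char *name, const uint8_t *val,
		  size_t val_len, int check_padding)
{
	size_t name_len = strlen(name) + 1;

	if (o->used > o->limit)
		return -1;
	size_t free_len = o->limit - o->used;
	if (name_len > free_len || val_len > free_len - name_len)
		return -1;            /* this check already existed */

	memcpy(o->buf + o->used, name, name_len);
	memcpy(o->buf + o->used + name_len, val, val_len);
	o->used += name_len + val_len;

	size_t pad = (4 - (o->used & 3)) & 3;
	/* The fix: the padding needs room too. */
	if (check_padding && pad > o->limit - o->used)
		return -1;
	memset(o->buf + o->used, 0, pad);
	o->used += pad;
	return 0;
}

/* Writes one EA named "a" into a buffer of `limit` bytes and returns how many
 * guard bytes beyond the limit were overwritten; *rc gets put_ea()'s result. */
static int guard_bytes_clobbered(size_t limit, size_t val_len,
				 int check_padding, int *rc)
{
	uint8_t backing[MAX_LIMIT + GUARD_LEN];
	uint8_t val[MAX_LIMIT];
	struct ea_out o = { backing, limit, 0 };
	int hit = 0;

	if (limit > MAX_LIMIT || val_len > sizeof(val))
		return -1;
	memset(backing, GUARD_BYTE, sizeof(backing));
	memset(val, 'v', sizeof(val));
	*rc = put_ea(&o, "a", val, val_len, check_padding);
	for (size_t i = limit; i < limit + GUARD_LEN; i++)
		hit += backing[i] != GUARD_BYTE;
	return hit;
}

int main(void)
{
	int rc;

	/* 2-byte name + 8-byte value exactly fill 10 bytes; 2 pad bytes follow. */
	printf("no padding check: %d bytes past limit\n",
	       guard_bytes_clobbered(10, 8, 0, &rc));
	printf("padding check:    %d bytes past limit\n",
	       guard_bytes_clobbered(10, 8, 1, &rc));
	return 0;
}
```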
commit 299f962 upstream.

set_posix_acl_entries_dacl() and set_ntacl_dacl() accumulate ACE sizes
in u16 variables. When a file has many POSIX ACL entries, the
accumulated size can wrap past 65535, causing the pointer arithmetic
(char *)pndace + *size to land within already-written ACEs. Subsequent
writes then overwrite earlier entries, and pndacl->size gets a
truncated value.

Use check_add_overflow() at each accumulation point to detect the
wrap before it corrupts the buffer, consistent with existing
check_mul_overflow() usage elsewhere in smbacl.c.

Cc: stable@vger.kernel.org
Fixes: e2f3448 ("cifsd: add server-side procedures for SMB3")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit def036e upstream.

rcount is intended to be connection-specific: 2 for curr_conn, 1 for
every other connection sharing the same session.  However, it is
initialised only once before the hash iteration and is never reset.
After the loop visits curr_conn, later sibling connections are also
checked against rcount == 2, so a sibling with req_running == 1 is
incorrectly treated as idle.  This makes the outcome depend on the
hash iteration order: whether a given sibling is checked against the
loose (< 2) or the strict (< 1) threshold is decided by whether it
happens to be visited before or after curr_conn.

The function's contract is "wait until every connection sharing this
session is idle" so that destroy_previous_session() can safely tear
the session down.  The latched rcount violates that contract and
reopens the teardown race window the wait logic was meant to close:
destroy_previous_session() may proceed before sibling channels have
actually quiesced, overlapping session teardown with in-flight work
on those connections.

Recompute rcount inside the loop so each connection is compared
against its own threshold regardless of iteration order.

This is a code-inspection fix for an iteration-order-dependent logic
error; a targeted reproducer would require SMB3 multichannel with
in-flight work on a sibling channel landing after curr_conn in hash
order, which is not something that can be triggered reliably.

Fixes: 76e98a1 ("ksmbd: fix race condition between destroy_previous_session() and smb2 operations()")
Cc: stable@vger.kernel.org
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
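
Added example, not the ksmbd code: a C model of the idle check described above, showing that the latched rcount makes the verdict depend on iteration order. An array index stands in for hash order, and the function name and parameters are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * req_running[i] is the number of in-flight requests on connection i, listed
 * in iteration order; `curr` is the index of curr_conn. Returns 1 if every
 * connection is judged idle, 0 if the caller would have to keep waiting.
 */
static int session_idle(const int *req_running, size_t n, size_t curr,
			int per_conn_threshold)
{
	int rcount = 1;

	for (size_t i = 0; i < n; i++) {
		if (per_conn_threshold)
			rcount = (i == curr) ? 2 : 1;   /* fixed: recomputed */
		else if (i == curr)
			rcount = 2;                     /* pre-fix: stays 2 afterwards */

		if (req_running[i] >= rcount)
			return 0;
	}
	return 1;
}

int main(void)
{
	/* Constructed state: curr_conn runs its own request, one sibling
	 * channel has one request in flight. */
	const int curr_first[] = { 1, 1 };     /* curr_conn is index 0 */
	const int sibling_first[] = { 1, 1 };  /* curr_conn is index 1 */

	printf("latched, curr first:     idle=%d\n",
	       session_idle(curr_first, 2, 0, 0));
	printf("latched, sibling first:  idle=%d\n",
	       session_idle(sibling_first, 2, 1, 0));
	printf("per-conn, curr first:    idle=%d\n",
	       session_idle(curr_first, 2, 0, 1));
	printf("per-conn, sibling first: idle=%d\n",
	       session_idle(sibling_first, 2, 1, 1));
	return 0;
}
```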
commit 6689f01 upstream.

inode_switch_wbs_work_fn() has a loop like:

  wb_get(new_wb);
  while (1) {
    list = llist_del_all(&new_wb->switch_wbs_ctxs);
    /* Nothing to do? */
    if (!list)
      break;
    ... process the items ...
  }

Now adding of items to the list looks like:

wb_queue_isw()
  if (llist_add(&isw->list, &wb->switch_wbs_ctxs))
    queue_work(isw_wq, &wb->switch_work);

Because inode_switch_wbs_work_fn() loops when processing isw items, it
can happen that wb->switch_work is pending while wb->switch_wbs_ctxs is
empty. This is a problem because in that case wb can get freed (no isw
items -> no wb reference) while the work is still pending causing
use-after-free issues.

We cannot just fix this by cancelling work when freeing wb because that
could still trigger problematic 0 -> 1 transitions on wb refcount due to
wb_get() in inode_switch_wbs_work_fn(). It could be all handled with
more careful code but that seems unnecessarily complex so let's avoid
that until it is proven that the looping actually brings practical
benefit. Just remove the loop from inode_switch_wbs_work_fn() instead.
That way when wb_queue_isw() queues work, we are guaranteed we have
added the first item to wb->switch_wbs_ctxs and nobody is going to
remove it (and drop the wb reference it holds) until the queued work
runs.

Fixes: e1b849c ("writeback: Avoid contention on wb->list_lock when switching inodes")
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20260413093618.17244-2-jack@suse.cz
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 39d4ee1 upstream.

In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring
the F2FS_WB_CP_DATA counter to zero, unblocking
f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount
CPU. The unmount path then proceeds to call
f2fs_destroy_page_array_cache(sbi), which destroys
sbi->page_array_slab via kmem_cache_destroy(), and eventually
kfree(sbi). Meanwhile, the bio completion callback is still executing:
when it reaches page_array_free(sbi, ...), it dereferences
sbi->page_array_slab — a destroyed slab cache — to call
kmem_cache_free(), causing a use-after-free.

This is the same class of bug as CVE-2026-23234 (which fixed the
equivalent race in f2fs_write_end_io() in data.c), but in the
compressed writeback completion path that was not covered by that fix.

Fix this by moving dec_page_count() to after page_array_free(), so
that all sbi accesses complete before the counter decrement that can
unblock unmount. For non-last folios (where atomic_dec_return on
cic->pending_pages is nonzero), dec_page_count is called immediately
before returning — page_array_free is not reached on this path, so
there is no post-decrement sbi access. For the last folio,
page_array_free runs while the F2FS_WB_CP_DATA counter is still
nonzero (this folio has not yet decremented it), keeping sbi alive,
and dec_page_count runs as the final operation.

Fixes: 4c8ff70 ("f2fs: support data compression")
Cc: stable@vger.kernel.org
Signed-off-by: George Saad <geoo115@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4513d3e upstream.

It (ID 31b2:0111 JU Jiu) reports a MIN value -12800 for volume control, but
will mute when setting it less than -10880.

Thanks to my girlfriend Kagura for reporting this issue.

Cc: Kagura <me@mail.kagurach.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
Link: https://patch.msgid.link/20260402-syy-v1-1-068d3bc30ddc@linux.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 67f4c61 upstream.

Fix speaker output on the Lenovo Legion S7 15IMH05.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Naim <dnaim@cachyos.org>
Link: https://patch.msgid.link/20260413154818.351597-1-dnaim@cachyos.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 80bb50e upstream.

The caiaq driver stores a pointer to the parent USB device in
cdev->chip.dev but never takes a reference on it. The card's
private_free callback, snd_usb_caiaq_card_free(), can run
asynchronously via snd_card_free_when_closed() after the USB
device has already been disconnected and freed, so any access to
cdev->chip.dev in that path dereferences a freed usb_device.

On top of the refcounting issue, the current card_free implementation
calls usb_reset_device(cdev->chip.dev). A reset in a free callback
is inappropriate: the device is going away, the call takes the
device lock in a teardown context, and the reset races with the
disconnect path that the callback is already cleaning up after.

Take a reference on the USB device in create_card() with
usb_get_dev(), drop it with usb_put_dev() in the free callback,
and remove the usb_reset_device() call.

Fixes: b04dcbb ("ALSA: caiaq: Use snd_card_free_when_closed() at disconnection")
Cc: stable@vger.kernel.org
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
Link: https://patch.msgid.link/20260413034941.1131465-3-berkcgoksel@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2c054e1 upstream.

In tpacket_snd(), when PACKET_VNET_HDR is enabled, vnet_hdr points
directly into the mmap'd TX ring buffer shared with userspace. The
kernel validates the header via __packet_snd_vnet_parse() but then
re-reads all fields later in virtio_net_hdr_to_skb(). A concurrent
userspace thread can modify the vnet_hdr fields between validation
and use, bypassing all safety checks.

The non-TPACKET path (packet_snd()) already correctly copies vnet_hdr
to a stack-local variable. All other vnet_hdr consumers in the kernel
(tun.c, tap.c, virtio_net.c) also use stack copies. The TPACKET TX
path is the only caller of virtio_net_hdr_to_skb() that reads directly
from user-controlled shared memory.

Fix this by copying vnet_hdr from the mmap'd ring buffer to a
stack-local variable before validation and use, consistent with the
approach used in packet_snd() and all other callers.

Fixes: 1d036d2 ("packet: tpacket_snd gso and checksum offload")
Signed-off-by: Bingquan Chen <patzilla007@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260418112006.78823-1-patzilla007@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
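
Added example, not the af_packet code: a deterministic C model of the double fetch described above, with the concurrent userspace writer replaced by a callback that runs between validation and use. The reduced header struct, the validation rule and all names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reduced stand-in for the header that lives in the shared TX ring. */
struct model_vnet_hdr {
	uint16_t hdr_len;
	uint16_t gso_size;
};

/* Plays the part of the other thread writing to the mmap'd ring. */
typedef void (*racer_fn)(struct model_vnet_hdr *shared);

/* Constructed validation rule: the header may not claim more than the packet. */
static int hdr_valid(const struct model_vnet_hdr *h, size_t pkt_len)
{
	return h->hdr_len <= pkt_len;
}

/*
 * Returns the hdr_len that the "build the skb" step ends up using, or -1 if
 * validation rejects the header.
 *   snapshot == 0: validate and use the shared memory in place (pre-fix)
 *   snapshot == 1: copy once to a local, validate and use the copy (fixed)
 */
static long send_from_ring(struct model_vnet_hdr *ring_hdr, size_t pkt_len,
			   int snapshot, racer_fn racer)
{
	struct model_vnet_hdr local;
	const struct model_vnet_hdr *h = ring_hdr;

	if (snapshot) {
		local = *ring_hdr;      /* single fetch from shared memory */
		h = &local;
	}
	if (!hdr_valid(h, pkt_len))
		return -1;
	if (racer)
		racer(ring_hdr);        /* window between check and use */
	return h->hdr_len;              /* second fetch when h == ring_hdr */
}

static void grow_hdr_len(struct model_vnet_hdr *shared)
{
	shared->hdr_len = 0xFFFF;
}

/* One 64-byte packet whose header initially claims hdr_len = 14. */
static long hdr_len_used(int snapshot)
{
	struct model_vnet_hdr ring = { 14, 0 };

	return send_from_ring(&ring, 64, snapshot, grow_hdr_len);
}

int main(void)
{
	printf("in place: hdr_len used = %ld\n", hdr_len_used(0));
	printf("snapshot: hdr_len used = %ld\n", hdr_len_used(1));
	return 0;
}
```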
…iled

commit abe4a6d upstream.

When retrieving the PEK CSR, don't attempt to copy the blob to userspace
if the firmware command failed.  If the failure was due to an invalid
length, i.e. the userspace buffer+length was too small, copying the number
of bytes _firmware_ requires will overflow the kernel-allocated buffer and
leak data to userspace.

  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
  Read of size 2084 at addr ffff898144612e20 by task syz.9.219/21405

  CPU: 14 UID: 0 PID: 21405 Comm: syz.9.219 Tainted: G     U     O        7.0.0-smp-DEV qualcomm-linux#28 PREEMPTLAZY
  Tainted: [U]=USER, [O]=OOT_MODULE
  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
  Call Trace:
   <TASK>
   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
   print_address_description ../mm/kasan/report.c:378 [inline]
   print_report+0xbc/0x260 ../mm/kasan/report.c:482
   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
   check_region_inline ../mm/kasan/generic.c:-1 [inline]
   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
   copy_to_user ../include/linux/uaccess.h:236 [inline]
   sev_ioctl_do_pek_csr+0x31f/0x590 ../drivers/crypto/ccp/sev-dev.c:1872
   sev_ioctl+0x3a4/0x490 ../drivers/crypto/ccp/sev-dev.c:2562
   vfs_ioctl ../fs/ioctl.c:51 [inline]
   __do_sys_ioctl ../fs/ioctl.c:597 [inline]
   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   </TASK>

WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firmware error.

Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
Fixes: e799035 ("crypto: ccp: Implement SEV_PEK_CSR ioctl command")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…nd failed

commit e76239f upstream.

When retrieving the PDH cert, don't attempt to copy the blobs to userspace
if the firmware command failed.  If the failure was due to an invalid
length, i.e. the userspace buffer+length was too small, copying the number
of bytes _firmware_ requires will overflow the kernel-allocated buffer and
leak data to userspace.

  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
  Read of size 2084 at addr ffff8885c4ab8aa0 by task syz.0.186/21033

  CPU: 51 UID: 0 PID: 21033 Comm: syz.0.186 Tainted: G     U     O        7.0.0-smp-DEV qualcomm-linux#28 PREEMPTLAZY
  Tainted: [U]=USER, [O]=OOT_MODULE
  Hardware name: Google, Inc.                                                       Arcadia_IT_80/Arcadia_IT_80, BIOS 34.84.12-0 11/17/2025
  Call Trace:
   <TASK>
   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
   print_address_description ../mm/kasan/report.c:378 [inline]
   print_report+0xbc/0x260 ../mm/kasan/report.c:482
   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
   check_region_inline ../mm/kasan/generic.c:-1 [inline]
   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
   copy_to_user ../include/linux/uaccess.h:236 [inline]
   sev_ioctl_do_pdh_export+0x3d3/0x7c0 ../drivers/crypto/ccp/sev-dev.c:2347
   sev_ioctl+0x2a2/0x490 ../drivers/crypto/ccp/sev-dev.c:2568
   vfs_ioctl ../fs/ioctl.c:51 [inline]
   __do_sys_ioctl ../fs/ioctl.c:597 [inline]
   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   </TASK>

WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firmware error.

Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
Fixes: 76a2b52 ("crypto: ccp: Implement SEV_PDH_CERT_EXPORT ioctl command")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4f685db upstream.

When retrieving the ID for the CPU, don't attempt to copy the ID blob to
userspace if the firmware command failed.  If the failure was due to an
invalid length, i.e. the userspace buffer+length was too small, copying
the number of bytes _firmware_ requires will overflow the kernel-allocated
buffer and leak data to userspace.

  BUG: KASAN: slab-out-of-bounds in instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
  BUG: KASAN: slab-out-of-bounds in _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
  BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
  Read of size 64 at addr ffff8881867f5960 by task syz.0.906/24388

  CPU: 130 UID: 0 PID: 24388 Comm: syz.0.906 Tainted: G     U     O        7.0.0-smp-DEV qualcomm-linux#28 PREEMPTLAZY
  Tainted: [U]=USER, [O]=OOT_MODULE
  Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.62.0-0 11/19/2025
  Call Trace:
   <TASK>
   dump_stack_lvl+0xc5/0x110 ../lib/dump_stack.c:120
   print_address_description ../mm/kasan/report.c:378 [inline]
   print_report+0xbc/0x260 ../mm/kasan/report.c:482
   kasan_report+0xa2/0xe0 ../mm/kasan/report.c:595
   check_region_inline ../mm/kasan/generic.c:-1 [inline]
   kasan_check_range+0x264/0x2c0 ../mm/kasan/generic.c:200
   instrument_copy_to_user ../include/linux/instrumented.h:129 [inline]
   _inline_copy_to_user ../include/linux/uaccess.h:205 [inline]
   _copy_to_user+0x66/0xa0 ../lib/usercopy.c:26
   copy_to_user ../include/linux/uaccess.h:236 [inline]
   sev_ioctl_do_get_id2+0x361/0x490 ../drivers/crypto/ccp/sev-dev.c:2222
   sev_ioctl+0x25f/0x490 ../drivers/crypto/ccp/sev-dev.c:2575
   vfs_ioctl ../fs/ioctl.c:51 [inline]
   __do_sys_ioctl ../fs/ioctl.c:597 [inline]
   __se_sys_ioctl+0x11d/0x1b0 ../fs/ioctl.c:583
   do_syscall_x64 ../arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xe0/0x800 ../arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   </TASK>

WARN if the driver says the command succeeded, but the firmware error code
says otherwise, as __sev_do_cmd_locked() is expected to return -EIO on any
firmware error.

Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
Fixes: d6112ea ("crypto: ccp - introduce SEV_GET_ID2 command")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ac33733 upstream.

In rxrpc_preparse(), there are two paths for parsing key payloads: the
XDR path (for large payloads) and the non-XDR path (for payloads <= 28
bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly
validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR
path fails to do so.

This allows an unprivileged user to provide a very large ticket length.
When this key is later read via rxrpc_read(), the total
token size (toksize) calculation results in a value that exceeds
AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().

[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]

Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse()
to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,
bringing it into parity with the XDR parsing logic.

Fixes: 8a7a3eb ("KEYS: RxRPC: Use key preparsing")
Fixes: 84924aa ("rxrpc: Fix checker warning")
Reported-by: Anderson Nascimento <anderson@allelesecurity.com>
Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-7-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20260424132430.006424517@linuxfoundation.org
Tested-by: Pavel Machek (CIP) <pavel@nabladev.com>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Tested-by: Mark Brown <broonie@kernel.org>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Tested-by: Brett A C Sheffield <bacs@librecast.net>
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Tested-by: Wentao Guan <guanwentao@uniontech.com>
Tested-by: Dileep Malepu <dileep.debian@gmail.com>
Tested-by: Barry K. Nathan <barryn@pobox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* refs/heads/a256b1e
  Linux 6.18.25
  rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
  crypto: ccp: Don't attempt to copy ID to userspace if PSP command failed
  crypto: ccp: Don't attempt to copy PDH cert to userspace if PSP command failed
  crypto: ccp: Don't attempt to copy CSR to userspace if PSP command failed
  net/packet: fix TOCTOU race on mmap'd vnet_hdr in tpacket_snd()
  ALSA: caiaq: take a reference on the USB device in create_card()
  ALSA: hda/realtek: Add quirk for Legion S7 15IMH
  ALSA: usb-audio: apply quirk for MOONDROP JU Jiu
  f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
  writeback: Fix use after free in inode_switch_wbs_work_fn()
  ksmbd: reset rcount per connection in ksmbd_conn_wait_idle_sess_id()
  ksmbd: use check_add_overflow() to prevent u16 DACL size overflow
  ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment
  ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl()
  ksmbd: validate response sizes in ipc_validate_msg()
  smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path
  smb: client: require a full NFS mode SID before reading mode bits
  smb: server: fix max_connections off-by-one in tcp accept path
  smb: server: fix active_num_conn leak on transport allocation failure
  ksmbd: require minimum ACE size in smb_check_perm_dacl()
  fuse: fuse_dev_ioctl_clone() should wait for device file to be initialized
  fuse: quiet down complaints in fuse_conn_limit_write
  fuse: Check for large folio with SPLICE_F_MOVE
  fuse: abort on fatal signal during sync init
  fuse: reject oversized dirents in page cache
  f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer
  f2fs: fix to avoid memory leak in f2fs_rename()
  f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
  f2fs: fix to do sanity check on dcc->discard_cmd_cnt conditionally
  fs/ntfs3: validate rec->used in journal-replay file record check
  scripts/dtc: Remove unused dts_version in dtc-lexer.l
  lib/crypto: tests: Drop the default to CRYPTO_SELFTESTS
  kunit: configs: Enable all crypto library tests in all_tests.config
  lib/crypto: tests: Introduce CRYPTO_LIB_ENABLE_ALL_FOR_KUNIT
  lib/crypto: tests: Add a .kunitconfig file
  kunit: configs: Enable all CRC tests in all_tests.config
  lib/crc: tests: Add a .kunitconfig file
  lib/crc: tests: Add CRC_ENABLE_ALL_FOR_KUNIT
  lib/crc: tests: Make crc_kunit test only the enabled CRC variants
  sched/debug: Fix avg_vruntime() usage
  arm64: errata: Work around early CME DVMSync acknowledgement
  arm64: cputype: Add C1-Pro definitions
  arm64: tlb: Pass the corresponding mm to __tlbi_sync_s1ish()
  arm64: tlb: Introduce __tlbi_sync_s1ish_{kernel,batch}() for TLB maintenance
  arm64: tlb: Optimize ARM64_WORKAROUND_REPEAT_TLBI
  arm64: tlb: Allow XZR argument to TLBI ops
  ksmbd: validate owner of durable handle on reconnect
  ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger
  scripts: generate_rust_analyzer.py: define scripts
  crypto: krb5enc - fix async decrypt skipping hash verification
  crypto: krb5enc - fix sleepable flag handling in encrypt dispatch
  drm/amdgpu: replace PASID IDR with XArray
  net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers
  ipv6: add NULL checks for idev in SRv6 paths
  crypto: authencesn - Fix src offset when decrypting in-place
  Linux 6.18.24
  dma-mapping: handle DMA_ATTR_CPU_CACHE_CLEAN in trace output
  dma-debug: Allow multiple invocations of overlapping entries
  mm/userfaultfd: fix hugetlb fault mutex hash calculation
  media: hackrf: fix to not free memory after the device is registered in hackrf_probe()
  media: vidtv: fix pass-by-value structs causing MSAN warnings
  nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
  media: as102: fix to not free memory after the device is registered in as102_usb_probe()
  wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit
  bcache: fix cached_dev.sb_bio use-after-free and crash
  ALSA: 6fire: fix use-after-free on disconnect
  hwmon: (powerz) Fix use-after-free on USB disconnect
  media: em28xx: fix use-after-free in em28xx_v4l2_open()
  media: mediatek: vcodec: fix use-after-free in encoder release path
  media: vidtv: fix nfeeds state corruption on start_streaming failure
  mm: blk-cgroup: fix use-after-free in cgwb_release_workfn()
  mm/kasan: fix double free for kasan pXds
  ASoC: qcom: q6apm: move component registration to unmanaged version
  KVM: x86: Use scratch field in MMIO fragment to hold small write values
  x86-64/arm64/powerpc: clean up and rename __copy_from_user_flushcache
  x86: rename and clean up __copy_from_user_inatomic_nocache()
  x86-64: rename misleadingly named '__copy_user_nocache()' function
  checkpatch: add support for Assisted-by tag
  ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
  ocfs2: validate inline data i_size during inode read
  ocfs2: add inline inode consistency check to ocfs2_validate_inode_block()
  KVM: x86: Use __DECLARE_FLEX_ARRAY() for UAPI structures with VLAs
  KVM: Remove subtle "struct kvm_stats_desc" pseudo-overlay
  selftests/bpf: Test refinement of single-value tnum
  KVM: SEV: Drop WARN on large size for KVM_MEMORY_ENCRYPT_REG_REGION
  KVM: SEV: Lock all vCPUs when synchronzing VMSAs for SNP launch finish
  KVM: SEV: Disallow LAUNCH_FINISH if vCPUs are actively being created
  KVM: SEV: Protect *all* of sev_mem_enc_register_region() with kvm->lock
  KVM: SEV: Reject attempts to sync VMSA of an already-launched/encrypted vCPU
  KVM: selftests: Remove duplicate LAUNCH_UPDATE_VMSA call in SEV-ES migrate test
  PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown
  PCI: endpoint: pci-epf-vntb: Stop cmd_handler work in epf_ntb_epc_cleanup
  ocfs2: handle invalid dinode in ocfs2_group_extend
  ocfs2: fix use-after-free in ocfs2_fault() when VM_FAULT_RETRY
  ocfs2: fix possible deadlock between unlink and dio_end_io_write
  media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections
  arm64: mm: Handle invalid large leaf mappings correctly
  dcache: Limit the minimal number of bucket to two
  ALSA: ctxfi: Limit PTP to a single page
  Docs/admin-guide/mm/damon/reclaim: warn commit_inputs vs param updates race
  USB: serial: option: add Telit Cinterion FN990A MBIM composition
  staging: sm750fb: fix division by zero in ps_to_hz()
  wifi: rtw88: fix device leak on probe failure
  scripts: generate_rust_analyzer.py: avoid FD leak
  fbdev: udlfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
  usb: port: add delay after usb_hub_set_port_power()
  usb: gadget: f_hid: don't call cdev_init while cdev in use
  USB: cdc-acm: Add quirks for Yoga Book 9 14IAH10 INGENIC touchscreen
  usb: storage: Expand range of matched versions for VL817 quirks entry
  usb: typec: fusb302: Switch to threaded IRQ handler
  usbip: validate number_of_packets in usbip_pack_ret_submit()
  smb: server: avoid double-free in smb_direct_free_sendmsg after smb_direct_flush_send_list()
  smb: client: avoid double-free in smbd_free_send_io() after smbd_send_batch_flush()
  ksmbd: fix mechToken leak when SPNEGO decode fails after token alloc
  ksmbd: require 3 sub-authorities before reading sub_auth[2]
  ksmbd: validate EaNameLength in smb2_get_ea()
  smb: client: fix OOB reads parsing symlink error response
  smb: client: fix off-by-8 bounds check in check_wsl_eas()
  usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
  usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
  usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()
  fbdev: tdfxfb: avoid divide-by-zero on FBIOPUT_VSCREENINFO
  ALSA: fireworks: bound device-supplied status before string array lookup
  ALSA: usx2y: us144mkii: fix NULL deref on missing interface 0
  drm/vc4: platform_get_irq_byname() returns an int
  NFC: digital: Bounds check NFC-A cascade depth in SDD response handler
  net: usb: cdc-phonet: fix skb frags[] overflow in rx_complete()
  HID: core: clamp report_size in s32ton() to avoid undefined shift
  HID: alps: fix NULL pointer dereference in alps_raw_event()
  staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()
  i2c: s3c24xx: check the size of the SMBUS message before using it
  can: raw: fix ro->uniq use-after-free in raw_rcv()
  nfc: llcp: add missing return after LLCP_CLOSED checks
  netfilter: conntrack: add missing netlink policy validations
  crypto: algif_aead - Fix minimum RX size check for decryption
  crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
  sched/deadline: Use revised wakeup rule for dl_server
  perf/x86/intel/uncore: Skip discovery table for offline dies
  crypto: af_alg - limit RX SG extraction by receive buffer budget
  gpio: tegra: fix irq_release_resources calling enable instead of disable
  l2tp: Drop large packets with UDP encap
  net: ipa: fix event ring index not programmed for IPA v5.0+
  net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+
  devlink: Fix incorrect skb socket family dumping
  af_unix: read UNIX_DIAG_VFS data under unix_state_lock
  net: txgbe: leave space for null terminators on property_entry
  net: ioam6: fix OOB and missing lock
  net: mdio: realtek-rtl9300: use scoped device_for_each_child_node loop
  ASoC: amd: acp: update DMI quirk and add ACP DMIC for Lenovo platforms
  ASoC: SDCA: Fix overwritten var within for loop
  netfilter: nfnetlink_queue: make hash table per queue
  netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC -> GFP_KERNEL_ACCOUNT allocation
  netfilter: ip6t_eui64: reject invalid MAC header for all packets
  netfilter: xt_multiport: validate range encoding in checkentry
  netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator
  ipvs: fix NULL deref in ip_vs_add_service error path
  selftests: net: bridge_vlan_mcast: wait for h1 before querier check
  drm/xe: Fix bug in idledly unit conversion
  ASoC: Intel: avs: Fix memory leak in avs_register_i2s_test_boards()
  xfrm_user: fix info leak in build_mapping()
  xfrm: fix refcount leak in xfrm_migrate_policy_find
  xfrm: Wait for RCU readers during policy netns exit
  xsk: validate MTU against usable frame size on bind
  xsk: fix XDP_UMEM_SG_FLAG issues
  xsk: respect tailroom for ZC setups
  xsk: tighten UMEM headroom validation to account for tailroom and min frame
  e1000: check return value of e1000_read_eeprom
  ixgbevf: add missing negotiate_features op to Hyper-V ops table
  ixgbe: stop re-reading flash on every get_drvinfo for e610
  ice: ptp: don't WARN when controlling PF is unavailable
  tracing/probe: reject non-closed empty immediate strings
  dt-bindings: net: Fix Tegra234 MGBE PTP clock
  net: stmmac: Fix PTP ref clock for Tegra234
  nfc: s3fwrn5: allocate rx skb before consuming bytes
  net: increase IP_TUNNEL_RECURSION_LIMIT to 5
  ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
  ipv4: nexthop: allocate skb dynamically in rtm_get_nexthop()
  ipv4: nexthop: avoid duplicate NHA_HW_STATS_ENABLE on nexthop group dump
  rtnetlink: add missing netlink_ns_capable() check for peer netns
  bridge: guard local VLAN-0 FDB helpers against NULL vlan group
  ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()
  net: airoha: Fix memory leak in airoha_qdma_rx_process()
  net: lapbether: handle NETDEV_PRE_TYPE_CHANGE
  net: sched: act_csum: validate nested VLAN headers
  eventpoll: defer struct eventpoll free to RCU grace period
  drm/vc4: Protect madv read in vc4_gem_object_mmap() with madv_lock
  drm/vc4: Fix a memory leak in hang state error path
  drm/vc4: Fix memory leak of BO array in hang state
  drm/vc4: Release runtime PM reference after binding V3D
  dma-debug: suppress cacheline overlap warning when arch has no DMA alignment requirement
  dma-debug: track cache clean flag in entries
  dma-mapping: add DMA_ATTR_CPU_CACHE_CLEAN
  xfrm: account XFRMA_IF_ID in aevent size calculation
  HID: amd_sfh: don't log error when device discovery fails with -EOPNOTSUPP
  PCI: hv: Set default NUMA node to 0 for devices without affinity info
  ARM: dts: microchip: sam9x7: fix gpio-lines count for pioB
  arm64: dts: qcom: monaco: Reserve full Gunyah metadata region
  tools/power turbostat: Fix --show/--hide for individual cpuidle counters
  tools/power/turbostat: Fix microcode patch level output for AMD/Hygon
  soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei
  arm64: dts: qcom: monaco: Fix UART10 pinconf
  arm64: dts: imx93-tqma9352: improve eMMC pad configuration
  arm64: dts: imx91-tqma9131: improve eMMC pad configuration
  arm64: dts: imx93-9x9-qsb: change usdhc tuning step for eMMC and SD
  arm64: dts: imx8mq: Set the correct gpu_ahb clock frequency
  arm64: dts: qcom: qcm6490-idp: Fix WCD9370 reset GPIO polarity
  arm64: dts: qcom: hamoa/x1: fix idle exit latency
  soc: aspeed: socinfo: Mask table entries for accurate SoC ID matching
  ASoC: stm32_sai: fix incorrect BCLK polarity for DSP_A/B, LEFT_J
  x86: shadow stacks: proper error handling for mmap lock
  net: sfp: add quirks for Hisense and HSGQ GPON ONT SFP modules
  wifi: brcmfmac: validate bsscfg indices in IF events
  ata: ahci: force 32-bit DMA for JMicron JMB582/JMB585
  HID: roccat: fix use-after-free in roccat_report_event
  ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IAH10
  HID: quirks: add HID_QUIRK_ALWAYS_POLL for 8BitDo Pro 3
  HID: Intel-thc-hid: Intel-quickspi: Add NVL Device IDs
  platform/x86/amd: pmc: Add Thinkpad L14 Gen3 to quirk_s2idle_bug
  pinctrl: intel: Fix the revision for new features (1kOhm PD, HW debouncer)
  ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7 14IMH9
  ASoC: amd: yc: Add DMI entry for HP Laptop 15-fc0xxx
  fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
  drm/amdkfd: Fix queue preemption/eviction failures by aligning control stack size to GPU page size
  ALSA: hda/realtek: Add quirk for Lenovo Yoga Slim 7 14AKP10
  ALSA: usb-audio: Fix quirk flags for NeuralDSP Quad Cortex
  ALSA: hda/realtek: Add quirk for Samsung Book2 Pro 360 (NP950QED)
  ASoC: soc-core: call missing INIT_LIST_HEAD() for card_aux_list
  wifi: wl1251: validate packet IDs before indexing tx_frames
  ALSA: hda/realtek: add quirk for Framework F111:000F
  netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
  ALSA: hda/realtek: add HP Laptop 15-fd0xxx mute LED quirk
  drm/amdgpu: Handle GPU page faults correctly on non-4K page systems
  netfilter: ctnetlink: ensure safe access to master conntrack
  ALSA: hda/realtek: Add mute LED quirk for HP Pavilion 15-eg0xxx
  btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
  platform/x86: hp-wmi: Add support for Omen 16-wf1xxx (8C76)
  btrfs: fix zero size inode with non-zero size after log replay
  platform/x86: asus-nb-wmi: add DMI quirk for ASUS ROG Flow Z13-KJP GZ302EAC
  ALSA:usb:qcom: add AUXILIARY_BUS to Kconfig dependencies
  ASoC: amd: acp: add ASUS HN7306EA quirk for legacy SDW machine
  can: mcp251x: add error handling for power enable in open and resume
  ASoC: SOF: topology: reject invalid vendor array size in token parser
  ASoC: amd: yc: Add DMI quirk for Thin A15 B7VF
  Bluetooth: hci_sync: annotate data-races around hdev->req_status
  ALSA: asihpi: avoid write overflow check warning
  media: rkvdec: reduce stack usage in rkvdec_init_v4l2_vp9_count_tbl()
  ALSA: hda/realtek: Add quirk for ASUS ROG Flow Z13-KJP GZ302EAC
  ALSA: hda/realtek: add quirk for Lenovo Yoga 7 2-in-1 16AKP10
  ALSA: hda/realtek: Add HP ENVY Laptop 13-ba0xxx quirk
  ASoC: amd: yc: Add DMI quirk for ASUS EXPERTBOOK BM1403CDA
  RDMA/irdma: Fix double free related to rereg_user_mr
  dmaengine: idxd: Fix lockdep warnings when calling idxd_device_config()
  Linux 6.18.23
  x86/CPU: Fix FPDSS on Zen1
  net: skb: fix cross-cache free of KFENCE-allocated skb head
  rxrpc: proc: size address buffers for %pISpc output
  rxrpc: only handle RESPONSE during service challenge
  rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()
  rxrpc: Fix leak of rxgk context in rxgk_verify_response()
  rxrpc: Fix integer overflow in rxgk_verify_response()
  rxrpc: Fix missing error checks for rxkad encryption/decryption failure
  rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING)
  rxrpc: fix reference count leak in rxrpc_server_keyring()
  rxrpc: fix oversized RESPONSE authenticator length check
  rxrpc: fix RESPONSE authenticator parser OOB read
  rxrpc: reject undecryptable rxkad response tickets
  rxrpc: Only put the call ref if one was acquired
  rxrpc: Fix to request an ack if window is limited
  rxrpc: Fix key reference count leak from call->key
  rxrpc: Fix rack timer warning to report unexpected mode
  rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial
  rxrpc: Fix RxGK token loading to check bounds
  rxrpc: Fix call removal to use RCU safe deletion
  rxrpc: Fix anonymous key handling
  rxrpc: Fix key parsing memleak
  rxrpc: Fix key quota calculation for multitoken keys
  net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()
  net: lan966x: fix page pool leak in error paths
  net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()
  idpf: set the payload size before calling the async handler
  idpf: improve locking around idpf_vc_xn_push_free()
  idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling
  mm: filemap: fix nr_pages calculation overflow in filemap_map_pages()
  net: stmmac: fix integer underflow in chain mode
  net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure
  mmc: vub300: fix use-after-free on disconnect
  mmc: vub300: fix NULL-deref on disconnect
  mm/damon/stat: deallocate damon_call() failure leaking damon_ctx
  mm/damon/sysfs: dealloc repeat_call_control if damon_call() fails
  mm/memory_hotplug: maintain N_NORMAL_MEMORY during hotplug
  igb: remove napi_synchronize() in igb_down()
  pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled
  net/mlx5: Update the list of the PCI supported devices
  drm/i915/psr: Do not use pipe_src as borders for SU area
  drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat
  batman-adv: hold claim backbone gateways by reference
  net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit()
  net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption
  EDAC/mc: Fix error path ordering in edac_mc_alloc()
  X.509: Fix out-of-bounds access when parsing extensions
  batman-adv: reject oversized global TT response buffers
  nfc: pn533: allocate rx skb before consuming bytes
  arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges
  arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity
  arm64: dts: renesas: sparrow-hawk: Reserve first 128 MiB of DRAM
  arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V
  Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower"
  Revert "arm64: dts: rockchip: Further describe the WiFi for the Pinebook Pro"
  platform/x86/intel-uncore-freq: Handle autonomous UFS status bit
  platform/x86: ISST: Reset core count to 0
  wifi: brcmsmac: Fix dma_free_coherent() size
  tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG
  xfrm: hold dev ref until after transport_finish NF_HOOK
  xfrm: clear trailing padding in build_polexpire()
  modpost: Declare extra_warn with unused attribute
  workqueue: Add pool_workqueue to pending_pwqs list when unplugging multiple inactive works
  firmware: thead: Fix buffer overflow and use standard endian macros
  netfilter: nft_ct: fix use-after-free in timeout object destroy
  i2c: imx: zero-initialize dma_slave_config for eDMA
  af_unix: Give up GC if MSG_PEEK intervened.
  af_unix: Simplify GC state.
  af_unix: Count cyclic SCC.
  btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()
  btrfs: remove pointless out labels from extent-tree.c
  MIPS: mm: Rewrite TLB uniquification for the hidden bit feature
  MIPS: mm: Suppress TLB uniquification on EHINV hardware
  MIPS: Always record SEGBITS in cpu_data.vmbits
  Input: uinput - take event lock when submitting FF request "event"
  Input: uinput - fix circular locking dependency with ff-core
  seg6: separate dst_cache for input and output paths in seg6 lwtunnel
  mptcp: fix slab-use-after-free in __inet_lookup_established
  Revert "mptcp: add needs_id for netlink appending addr"
  Revert "ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone"
  net: rfkill: prevent unlimited numbers of rfkill events from being created
  xfrm_user: fix info leak in build_report()
  wifi: rt2x00usb: fix devres lifetime
  usb: typec: ucsi: skip connector validation before init
  Linux 6.18.22
  sched_ext: Fix stale direct dispatch state in ddsp_dsq_id
  sched_ext: Refactor do_enqueue_task() local and global DSQ paths
  mm/memory: fix PMD/PUD checks in follow_pfnmap_start()
  mm: replace READ_ONCE() with standard page table accessors
  scsi: target: tcm_loop: Drain commands in target_reset handler
  scsi: target: file: Use kzalloc_flex for aio_cmd
  net: correctly handle tunneled traffic on IPV6_CSUM GSO fallback
  net: mana: fix use-after-free in add_adev() error path
  drm/amd/display: Fix DCE LVDS handling
  drm/amd/pm: disable OD_FAN_CURVE if temp or pwm range invalid for smu v13
  wifi: virt_wifi: remove SET_NETDEV_DEV to avoid use-after-free
  kallsyms: prevent module removal when printing module name and buildid
  kallsyms: cleanup code for appending the module buildid
  kallsyms: clean up modname and modbuildid initialization in kallsyms_lookup_buildid()
  kallsyms: clean up @namebuf initialization in kallsyms_lookup_buildid()
  usb: gadget: f_uac1_legacy: validate control request size
  usb: gadget: f_hid: move list and spinlock inits from bind to alloc
  usb: gadget: f_rndis: Fix net_device lifecycle with device_move
  usb: gadget: f_subset: Fix net_device lifecycle with device_move
  usb: gadget: f_eem: Fix net_device lifecycle with device_move
  usb: gadget: f_ecm: Fix net_device lifecycle with device_move
  usb: gadget: f_rndis: Protect RNDIS options with mutex
  usb: gadget: f_subset: Fix unbalanced refcnt in geth_free
  usb: gadget: uvc: fix NULL pointer dereference during unbind race
  usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo
  usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop
  ice: Fix memory leak in ice_set_ringparam()
  HID: appletb-kbd: add .resume method in PM
  usb: typec: ucsi: validate connector number in ucsi_notify_common()
  usb: gadget: dummy_hcd: fix premature URB completion when ZLP follows partial transfer
  USB: dummy-hcd: Fix interrupt synchronization error
  USB: dummy-hcd: Fix locking/synchronization error
  thunderbolt: Fix property read in nhi_wake_supported()
  usb: typec: thunderbolt: Set enter_vdo during initialization
  misc: fastrpc: check qcom_scm_assign_mem() return in rpmsg_probe
  misc: fastrpc: possible double-free of cctx->remote_heap
  thermal: core: Fix thermal zone device registration error path
  thermal: core: Address thermal zone removal races with resume
  gpio: Fix resource leaks on errors in gpiochip_add_data_with_key()
  gpio: mxc: map Both Edge pad wakeup to Rising Edge
  sched_ext: Fix is_bpf_migration_disabled() false negative on non-PREEMPT_RCU
  cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path
  virtio_net: clamp rss_max_key_size to NETDEV_RSS_KEY_LEN
  net: ethernet: mtk_ppe: avoid NULL deref when gmac0 is disabled
  net: ftgmac100: fix ring allocation unwind on open failure
  vxlan: validate ND option lengths in vxlan_na_create
  crypto: tegra - Add missing CRYPTO_ALG_ASYNC
  counter: rz-mtu3-cnt: do not use struct rz_mtu3_channel's dev member
  counter: rz-mtu3-cnt: prevent counter from being toggled multiple times
  vt: resize saved unicode buffer on alt screen exit after resize
  vt: discard stale unicode buffer on alt screen exit after resize
  gpib: Fix fluke driver s390 compile issue
  netfilter: ipset: drop logically empty buckets in mtype_del
  nvmem: zynqmp_nvmem: Fix buffer size in DMA and memcpy
  nvmem: imx: assign nvmem_cell_info::raw_len
  s390/cpum_sf: Cap sampling rate to prevent lsctl exception
  s390/zcrypt: Fix memory leak with CCA cards used as accelerator
  spi: cadence-qspi: Fix exec_mem_op error handling
  dt-bindings: connector: add pd-disable dependency
  firmware: microchip: fail auto-update probe if no flash found
  comedi: me4000: Fix potential overrun of firmware buffer
  comedi: me_daq: Fix potential overrun of firmware buffer
  comedi: ni_atmio16d: Fix invalid clean-up after failed attach
  comedi: Reinit dev->spinlock between attachments to low-level drivers
  comedi: dt2815: add hardware detection to prevent crash
  cdc-acm: new quirk for EPSON HMD
  bridge: br_nd_send: validate ND option lengths
  ASoC: qcom: sc7280: make use of common helpers
  io_uring: protect remaining lockless ctx->rings accesses with RCU
  usb: core: use dedicated spinlock for offload state
  usb: cdns3: gadget: fix state inconsistency on gadget init failure
  usb: cdns3: gadget: fix NULL pointer dereference in ep_queue
  usb: core: phy: avoid double use of 'usb3-phy'
  usb: dwc2: gadget: Fix spin_lock/unlock mismatch in dwc2_hsotg_udc_stop()
  usb: ehci-brcm: fix sleep during atomic
  usb: host: xhci-sideband: delegate offload_usage tracking to class drivers
  usb: misc: usbio: Fix URB memory leak on submit failure
  usb: usbtmc: Flush anchored URBs in usbtmc_release
  usb: ulpi: fix double free in ulpi_register_interface() error path
  usb: quirks: add DELAY_INIT quirk for another Silicon Motion flash drive
  gpib: lpvo_usb: fix memory leak on disconnect
  mei: me: reduce the scope on unexpected reset
  iio: gyro: mpu3050: Fix out-of-sequence free_irq()
  iio: gyro: mpu3050: Move iio_device_register() to correct location
  iio: gyro: mpu3050: Fix irq resource leak
  iio: gyro: mpu3050: Fix incorrect free_irq() variable
  iio: imu: st_lsm6dsx: Set FIFO ODR for accelerometer and gyroscope only
  iio: imu: bmi160: Remove potential undefined behavior in bmi160_config_pin()
  iio: light: veml6070: fix veml6070_read() return value
  iio: light: vcnl4035: fix scan buffer on big-endian
  iio: imu: adis16550: fix swapped gyro/accel filter functions
  iio: dac: ad5770r: fix error return in ad5770r_read_raw()
  iio: accel: adxl313: add missing error check in predisable
  iio: accel: adxl380: fix FIFO watermark bit 8 always written as 0
  iio: accel: fix ADXL355 temperature signature value
  iio: adc: aspeed: clear reference voltage bits before configuring vref
  iio: adc: ade9000: move mutex init before IRQ registration
  iio: adc: ade9000: fix wrong register in CALIBBIAS case for active power
  iio: adc: ade9000: fix wrong return type in streaming push
  iio: adc: ti-ads7950: do not clobber gpio state in ti_ads7950_get()
  iio: adc: ti-ads7950: normalize return value of gpio_get
  Input: xpad - add support for Razer Wolverine V3 Pro
  Input: xpad - add support for BETOP BTP-KP50B/C controller's wireless mode
  Input: bcm5974 - recover from failed mode switch
  Input: i8042 - add TUXEDO InfinityBook Max 16 Gen10 AMD to i8042 quirk table
  Input: synaptics-rmi4 - fix a locking bug in an error path
  USB: core: add NO_LPM quirk for Razer Kiyo Pro webcam
  USB: serial: option: add support for Rolling Wireless RW135R-GL
  USB: serial: io_edgeport: add support for Blackbox IC135A
  drm/amdgpu/pm: drop SMU driver if version not matched messages
  drm/amdgpu: Change AMDGPU_VA_RESERVED_TRAP_SIZE to 64KB
  drm/amdgpu: validate doorbell_offset in user queue creation
  drm/amdgpu: Fix wait after reset sequence in S4
  drm/i915/dp: Use crtc_state->enhanced_framing properly on ivb/hsw CPU eDP
  drm/i915/dsi: Don't do DSC horizontal timing adjustments in command mode
  drm/ast: dp501: Fix initialization of SCU2C
  iio: adc: ti-ads1119: Replace IRQF_ONESHOT with IRQF_NO_THREAD
  iio: adc: ti-ads1119: Reinit completion before wait_for_completion_timeout()
  iio: adc: ti-ads1119: Fix unbalanced pm reference count in ds1119_single_conversion()
  iio: adc: ti-adc161s626: use DMA-safe memory for spi_read()
  iio: adc: ti-adc161s626: fix buffer read on big-endian
  iio: orientation: hid-sensor-rotation: add timestamp hack to not break userspace
  iio: orientation: hid-sensor-rotation: fix quaternion alignment
  iio: add IIO_DECLARE_QUATERNION() macro
  gpib: fix use-after-free in IO ioctl handlers
  drm/amdgpu: fix the idr allocation flags
  x86/kexec: Disable KCOV instrumentation after load_segments()
  mips: mm: Allocate tlb_vpn array atomically
  hwmon: (occ) Fix division by zero in occ_show_power_1()
  MIPS: Fix the GCC version check for `__multi3' workaround
  MIPS: SiByte: Bring back cache initialisation
  ksmbd: fix OOB write in QUERY_INFO for compound requests
  Bluetooth: hci_sync: fix stack buffer overflow in hci_le_big_create_sync
  Bluetooth: SMP: force responder MITM requirements before building the pairing response
  Bluetooth: SMP: derive legacy responder STK authentication from MITM state
  io_uring/net: fix slab-out-of-bounds read in io_bundle_nbufs()
  ALSA: hda/realtek: add quirk for HP Victus 15-fb0xxx
  ALSA: hda/realtek: Add quirk for ASUS ROG Strix SCAR 15
  ALSA: ctxfi: Fix missing SPDIFI1 index handling
  ALSA: caiaq: fix stack out-of-bounds read in init_card
  lib/crypto: chacha: Zeroize permuted_state before it leaves scope
  sched_ext: Fix inconsistent NUMA node lookup in scx_select_cpu_dfl()
  drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw()
  USB: serial: option: add MeiG Smart SRM825WN
  wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()
  wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation
  rust_binder: use AssertSync for BINDER_VM_OPS
  drm/ioc32: stop speculation on the drm_compat_ioctl path
  ACPI: RIMT: Add dependency between iommu and devices
  riscv: Reset pmm when PR_TAGGED_ADDR_ENABLE is not set
  riscv: kgdb: fix several debug register assignment bugs
  perf/x86: Fix potential bad container_of in intel_pmu_hw_config
  sched/fair: Fix zero_vruntime tracking fix
  mips: ralink: update CPU clock index
  hwmon: (asus-ec-sensors) Fix T_Sensor for PRIME X670E-PRO WIFI
  drm/sysfb: Fix efidrm error handling and memory type mismatch
  hwmon: (occ) Fix missing newline in occ_show_extended()
  spi: amlogic: spifc-a4: unregister ECC engine on probe failure and remove() callback
  hwmon: (tps53679) Fix device ID comparison and printing in tps53676_identify()
  drm/xe/pxp: Clear restart flag in pxp_start after jumping back
  drm/xe/pxp: Remove incorrect handling of impossible state during suspend
  drm/xe/pxp: Clean up termination status on failure
  spi: stm32-ospi: Fix reset control leak on probe error
  spi: stm32-ospi: Fix resource leak in remove() callback
  dt-bindings: gpio: fix microchip #interrupt-cells
  hwmon: (ltc4286) Add missing MODULE_IMPORT_NS("PMBUS")
  hwmon: (pxe1610) Check return value of page-select write in probe
  hwmon: (tps53679) Fix array access with zero-length block read
  io_uring/rsrc: reject zero-length fixed buffer import
  accel/qaic: Handle DBC deactivation if the owner went away
  gpiolib: clear requested flag if line is invalid
  gpio: rename gpio_chip_hwgpio() to gpiod_hwgpio()
  iio: imu: bno055: fix BNO055_SCAN_CH_COUNT off by one
  Revert "drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug"
  bpf: Reject sleepable kprobe_multi programs at attach time
  bpf: reject direct access to nullable PTR_TO_BUF pointers
  eth: fbnic: Increase FBNIC_QUEUE_SIZE_MIN to 64
  ipv6: avoid overflows in ip6_datagram_send_ctl()
  net: hsr: fix VLAN add unwind on slave errors
  net/sched: cls_flow: fix NULL pointer dereference on shared blocks
  net/sched: cls_fw: fix NULL pointer dereference on shared blocks
  net/x25: Fix overflow when accumulating packets
  net/x25: Fix potential double free of skb
  bnxt_en: Restore default stat ctxs for ULP when resource is available
  net/mlx5: Fix switchdev mode rollback in case of failure
  net/mlx5: Avoid "No data available" when FW version queries fail
  net/mlx5: lag: Check for LAG device before creating debugfs
  net: macb: properly unregister fixed rate clocks
  net: macb: fix clk handling on PCI glue driver removal
  net/sched: sch_netem: fix out-of-bounds access in packet corruption
  bpf: sockmap: Fix use-after-free of sk->sk_socket in sk_psock_verdict_data_ready().
  rds: ib: reject FRMR registration before IB connection is established
  Bluetooth: MGMT: validate mesh send advertising payload length
  Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
  Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
  Bluetooth: MGMT: validate LTK enc_size on load
  Bluetooth: hci_h4: Fix race during initialization
  Bluetooth: SCO: fix race conditions in sco_sock_connect()
  Bluetooth: hci_sync: call destroy in hci_cmd_sync_run if immediate
  netfilter: nf_tables: reject immediate NF_QUEUE verdict
  netfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP
  netfilter: ctnetlink: ignore explicit helper on new expectations
  netfilter: nf_conntrack_expect: store netns and zone in expectation
  netfilter: nf_conntrack_expect: use expect->helper
  netfilter: nf_conntrack_expect: honor expectation helper field
  netfilter: ctnetlink: zero expect NAT fields when CTA_EXPECT_NAT absent
  netfilter: nf_conntrack_helper: pass helper to expect cleanup
  netfilter: ipset: use nla_strcmp for IPSET_ATTR_NAME attr
  netfilter: x_tables: ensure names are nul-terminated
  netfilter: nfnetlink_log: account for netlink header size
  netfilter: flowtable: strictly check for maximum number of actions
  ALSA: usb-audio: Exclude Scarlett 2i2 1st Gen (8016) from SKIP_IFACE_SETUP
  net: stmmac: skip VLAN restore when VLAN hash ops are missing
  mptcp: fix soft lockup in mptcp_recvmsg()
  mptcp: add eat_recv_skb helper
  net: ipv6: flowlabel: defer exclusive option free until RCU teardown
  bpf: Fix regsafe() for pointers to packet
  ASoC: Intel: boards: fix unmet dependency on PINCTRL
  net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets
  net: xilinx: axienet: Correct BD length masks to match AXIDMA IP spec
  NFC: pn533: bound the UART receive buffer
  net: bonding: fix use-after-free in bond_xmit_broadcast()
  crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
  crypto: algif_aead - Revert to operating out-of-place
  bnxt_en: set backing store type from query type
  net: sched: cls_api: fix tc_chain_fill_node to initialize tcm_info to zero to prevent an info-leak
  net: use skb_header_pointer() for TCPv4 GSO frag_off check
  net: introduce mangleid_features
  net: airoha: Add missing cleanup bits in airoha_qdma_cleanup_rx_queue()
  ipv6: prevent possible UaF in addrconf_permanent_addr()
  ASoC: ep93xx: Fix unchecked clk_prepare_enable() and add rollback on failure
  ALSA: usb-audio: Exclude Scarlett Solo 1st Gen from SKIP_IFACE_SETUP
  net: enetc: do not allow VF to configure the RSS key
  net: enetc: check whether the RSS algorithm is Toeplitz
  net: sfp: Fix Ubiquiti U-Fiber Instant SFP module on mvneta
  net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
  bridge: br_nd_send: linearize skb before parsing ND options
  eth: fbnic: Account for page fragments when updating BDQ tail
  ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
  ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach()
  tg3: Fix race for querying speed/duplex
  net/ipv6: ioam6: prevent schema length wraparound in trace fill
  net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak
  net: qrtr: replace qrtr_tx_flow radix_tree with xarray to fix memory leak
  net: enetc: reset PIR and CIR if they are not equal when initializing TX ring
  net: fec: fix the PTP periodic output sysfs interface
  netdevsim: fix build if SKB_EXTENSIONS=n
  net: mana: Fix RX skb truesize accounting
  crypto: af-alg - fix NULL pointer dereference in scatterwalk
  crypto: deflate - fix spurious -ENOSPC
  crypto: caam - fix overflow on long hmac keys
  crypto: caam - fix DMA corruption on long hmac keys
  wifi: ath11k: Pass the correct value of each TID during a stop AMPDU session
  wifi: iwlwifi: mld: correctly set wifi generation data
  wifi: iwlwifi: disable EHT if the device doesn't allow it
  wifi: iwlwifi: cfg: add new device names
  wifi: iwlwifi: mvm: don't send a 6E related command when not supported
  wifi: iwlwifi: mld: Fix MLO scan timing
  wifi: iwlwifi: fix remaining kernel-doc warnings
  dt-bindings: auxdisplay: ht16k33: Use unevaluatedProperties to fix common property warning
  spi: geni-qcom: Check DMA interrupts early in ISR
  smb: client: fix generic/694 due to wrong ->i_blocks
  btrfs: reject root items with drop_progress and zero drop_level
  i2c: tegra: Don't mark devices with pins as IRQ safe
  btrfs: reserve enough transaction items for qgroup ioctls
  HID: multitouch: Check to ensure report responses match the request
  HID: core: Mitigate potential OOB by removing bogus memset()
  HID: logitech-hidpp: Prevent use-after-free on force feedback initialisation failure
  objtool: Fix Clang jump table detection
  tg3: replace placeholder MAC address with device property
  btrfs: don't take device_list_mutex when querying zone info
  atm: lec: fix use-after-free in sock_def_readable()
  HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq
  wifi: mac80211: check tdls flag in ieee80211_tdls_oper
  HID: logitech-hidpp: Enable MX Master 4 over bluetooth
  arm64/scs: Fix handling of advance_loc4

Conflicts:
	drivers/misc/fastrpc.c
	sound/soc/qcom/qdsp6/q6apm.c

Signed-off-by: Sivasri Kumar, Vanka <svanka@qti.qualcomm.com>
@svankas svankas requested review from a team, ndechesne, sgaud-quic and shashim-quic April 30, 2026 11:23
Comment thread drivers/misc/fastrpc.c
return 0;
err_invoke:
fl->cctx->audio_init_mem = false;
err_map:

Remove lines 1482 to 1485.

@@ -773,7 +773,11 @@ static int apm_probe(gpr_device_t *gdev)
return ret;
}

return devm_of_platform_populate(dev);
ret = devm_of_platform_populate(dev);
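Review bot: on the `ret = devm_of_platform_populate(dev);` line, the result is now stored rather than returned directly, so the added lines that follow must check `ret` and return the error before doing any further setup. Those lines are not visible in this excerpt, even though the hunk header shows the function growing from 7 to 11 lines. If the call is changed to the non-devm `of_platform_populate()`, the child devices are no longer released automatically, so the remove path needs a matching `of_platform_depopulate()`.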

As per upstream this should be "of_platform_populate" and not "devm_of_platform_populate".
PR that has this change: svankas@30383b7
