The rework of this mechanism added a 'use_nsec' member to struct
system_counterval. get_device_system_crosststamp() instantiates that
struct on the stack and hands a pointer to the driver callback.
Only the drivers which set use_nsec to true, initialize that field, but
all others ignore it. As get_device_system_crosststamp() does not
initialize the struct, the use_nsec field contains random stack content
in those cases. That causes a miscalulation usually resulting in a
failing range check in the best case.
Initialize the structure before handing it to the drivers to cure that.
-----BEGIN PGP SIGNATURE-----
iQJHBAABCgAxFiEEQp8+kY+LLUocC4bMphj1TA10mKEFAmiGFA4THHRnbHhAbGlu
dXRyb25peC5kZQAKCRCmGPVMDXSYoRcsEACvQI0LmKTOigzSZvBT1CZnGcwpeqYi
Ez0v/w+tpyfbwQgf9kxR+ZbjNdwqCYFnR8PZPFKFuvsanWRTIcYaTkIQWvDhcEX/
U4AFI3VkdZUFckCEY/fv7j3/jkp7pbLVHMq001Z9xaMMcE+ox1AlHpEW0Khd3gqL
VFLXU5S7Q9H6J6ujjFAXAMuhgjk6WOz8q+ew3hnc3dxwyuEBAz83jOScH/be3dTl
10ydzoxFEa+ZlacAHX+SqZ7nhS7ExxNlwlUuTYj/EkBCQ8UIoS93YLA5bYMcWCao
W5rs6vFJmMO6NR6lkqwfKmKyjovx79jHMVNKoxydZGvkqcNMtfc/eUfByxAkyCDP
gmTCFwgKVGdjGsYwkGqafejmJt5OFrD1hMyWfBhGWQ/Z8CXuuJNEa/8trSyUK/CS
DFD1InOLltbYuw7rY5gRxb+xmgBTxUMj8gF/hXYs7wNzJqNJXXNae/2Sue+Xi+mV
iieEF8UonmpMe9k9w3+fFGGDWYa4lYnT5O3VMQ0nEjj6dt5RVQqRvjTa+GtQJzUs
h4fUs+BIKyCkh6DgRKyIsDruzryOSnZ+vqMcGMm0gvPttc3cGYksLiQVlWYjQhxs
pTFrHNGOSXMT5WBQ7KWKzGypHlf3WYhVWk1+dmPJedrdyr23AfgKAGM6zva1Oqjc
81w9DvppBL0sOA==
=j6Po
-----END PGP SIGNATURE-----
Merge tag 'timers-urgent-2025-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fix from Thomas Gleixner:
"A single fix for the PTP systemcounter mechanism:
The rework of this mechanism added a 'use_nsec' member to struct
system_counterval. get_device_system_crosststamp() instantiates that
struct on the stack and hands a pointer to the driver callback.
Only the drivers which set use_nsec to true, initialize that field,
but all others ignore it. As get_device_system_crosststamp() does not
initialize the struct, the use_nsec field contains random stack
content in those cases. That causes a miscalulation usually resulting
in a failing range check in the best case.
Initialize the structure before handing it to the drivers to cure
that"
* tag 'timers-urgent-2025-07-27' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
timekeeping: Zero initialize system_counterval when querying time from phc drivers
One last fix for v6.16, removing some hard coding to avoid data
corruption on some NAND devices in the QPIC driver.
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmiFSgwACgkQJNaLcl1U
h9BChwf9Epc80iYZruJgP+o0wZTVMUDSU3gdVP6Zl177M4G7adGn4piW7CamJxgn
HcrlZNN9PNCLgIjw5n6w6ZRTXGU0Jd/3+gyZ39kB6Hn+1HDQMLJhz4hOibdotolu
KRbZy/j4beTgDFJSSgG0Vnqo/f8Ew+XGHBzhAflbxp3s/jgju4OCIyCpB8MBo98R
HLgQ+uJ+vpJp3sDleACF0LrQxYrGe7/GjFaoCGfHA2+pvi0pt17Oc/CVMCjRi/bs
ojlSm7myg9Os0/Q2wv/3JPCGaLHPvZ/nWQ3blEQjoXsu0fxZbPjz/pWDNLYa8UV1
CfUlNT4+dmgHrQEcmX4ysVHGpFAqLg==
=Cu4n
-----END PGP SIGNATURE-----
Merge tag 'spi-fix-v6.16-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fix from Mark Brown:
"One last fix for v6.16, removing some hard coding to avoid data
corruption on some NAND devices in the QPIC driver"
* tag 'spi-fix-v6.16-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: spi-qpic-snand: don't hardcode ECC steps
qup: avoid potential hang when waiting for bus idle
tegra: improve ACPI reset error handling
virtio: use interruptible wait to prevent hang during transfer
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEOZGx6rniZ1Gk92RdFA3kzBSgKbYFAmiFQ4YACgkQFA3kzBSg
KbZO3BAArkTbL/wlJHHheexhXgK8ZJQC8aBR4AfFWgUIU9uPvJ4sR+OFkL62oqDH
eAbVOaUXmD1KpqC+TwhGWGl6c+QYB8xfuEzI10TYs7S8DqGkU3AhYtFPwmjYL4xq
LChLGmjvZdt7WeKqvrcCWczcI4NJJFQlBe9K/lEdhbI/CUKUxvUM0AHo0nmmrXoi
3Rl/EcWyC8T2S5+42oXmUtNn9uvEQKzcSKj3XC3qmEE6kXrtnKthUhkJ/5eOl7OJ
+Uvccn6DecxwNrL5uwPXT5af+NgPILLkAvnnV2HBdIdR4aanZ4BV7XmOCgG5OmCE
MMjY52eXg/gG7b+CHsa0GtajHspTo4xzgrrbX0qIyiUO7RRROifBmgy9XhKrU1Tw
AeH41Z5JrIRdD0D7d2GgLAHro83ckJCZLrsQRB/2cgx02HrWTFngvse7MN+QOSZ9
RwCez8BKoETd2rf1r5PXYqf+24jKp+wKrG6+H/al3RCUOUKeH1fE/eojNc7rcpYM
5Ner5BRKTSSztk06KyOo/cT9wiiQTbQ093kKZdBl0cEpyeP48TJFoPlI9WTCdW+t
e0rIoC2+GVwb2W08KTwlsjLcyWyvr/yHGmSWjKI1LvvLTwsce5RRGXHSpbR+fRrj
FZBjYklq3rn3eY3mBZeVdeWAb+5lgYVExdtgIMLVzn3ClHzlsLk=
=rpOM
-----END PGP SIGNATURE-----
Merge tag 'i2c-for-6.16-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
- qup: avoid potential hang when waiting for bus idle
- tegra: improve ACPI reset error handling
- virtio: use interruptible wait to prevent hang during transfer
* tag 'i2c-for-6.16-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: qup: jump out of the loop in case of timeout
i2c: virtio: Avoid hang by using interruptible completion wait
i2c: tegra: Fix reset error handling with ACPI
- Mark Allwinner A523 MBUS clock as critical to avoid system
stalls
- Fix names of CSI related clocks on Allwinner V3s. This
includes changes to the driver, DT bindings and DT files.
- Fix parents of TCON clock on Allwinner V3s
-----BEGIN PGP SIGNATURE-----
iQJIBAABCAAyFiEE9L57QeeUxqYDyoaDrQKIl8bklSUFAmiFLZcUHHN3Ym95ZEBj
aHJvbWl1bS5vcmcACgkQrQKIl8bklSUyyw//VGy/Am1BDCsALNp4JeLeklq4n+/9
Ly0Knl3MFXP+pMum/RF2vlVPaur/ry/Lo9NpY/Te4P+R/i4baJlajDyz6NOicw5W
cIt0aJTt2x9U/YWFofu1NzQkXiK8CntJ8RNy96SwyFWcj8V9+Q9n+lww67daGddk
zNVGA8GpiXF09Vzwx1xTOBT1n2pWuK8r9jH9Sv3Wei4NZGVdKbC61NEP7fpTKkKR
K7BwKhRO98qRr8BYiyhanAtWgrslgVW4lJHO0fkCpyCmNkuBo6pyeO39QXcoHejT
aaSUPE/mb3AAtEa8eiSMmV9KExIX2p9+UNul3aADKrr2408O5eN8usvMI8XYOw1m
03wLCojmSB0qz8R+BQP9SG+vRdokWxsqQjgi7IXecOslvXjJ3kR7ttQhyae2jjqk
p/K8ceMv5imA2FrKMRaSNcbiNo6qRjwXaLgQX5w7qpvGmsdPi2WPvJrn96tye5kz
CM7gfHUflKgpptZnSDeFwk+IU8wjMNtUhvR3CAFtTf4MX3zuI+s60Q8S8z/IJ565
ILVMEqlso9SiGEiUlUs219CkdgBxavh2JMKxPqSH8IG2VeFP7ZHOAE0La6mlgU9W
KSfM8CrpJmfHsmIEB/Wz6mXo3o0B2GYCBFL8xqh3lvCU5TQ8LQmrSaPcB4nTC830
EBNXR311TY7tbeo=
=Q0zO
-----END PGP SIGNATURE-----
Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux
Pull clk fixes from Stephen Boyd:
"A few Allwinner clk driver fixes:
- Mark Allwinner A523 MBUS clock as critical to avoid
system stalls
- Fix names of CSI related clocks on Allwinner V3s. This
includes changes to the driver, DT bindings and DT files.
- Fix parents of TCON clock on Allwinner V3s"
* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
clk: sunxi-ng: v3s: Fix TCON clock parents
clk: sunxi-ng: v3s: Fix CSI1 MCLK clock name
clk: sunxi-ng: v3s: Fix CSI SCLK clock name
clk: sunxi-ng: a523: Mark MBUS clock as critical
- use an absolute path for asm/unified.h in KBUILD_AFLAGS to solve
a regression caused by commit d5c8d6e0fa
("kbuild: Update assembler calls to use proper flags and language
target"),
- fix dead code elimination binutils version check again.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEuNNh8scc2k/wOAE+9OeQG+StrGQFAmiDnecACgkQ9OeQG+St
rGRzHxAAjYw0d2oa59q8hDuOfvHw52ZB6sUZBCqydQOl0nfGpCpgqm391NT+y1Hd
Bnlxk0h0hDT5XDO7cKaq0y5qf6l0i0KKMYv1rUMjsKQeRZbIj+1+1XmLdSNOtUyy
ON1SxpQEBAnwq9EUa/aBbiteFtv3N0xOrbI6lqnL20EW/VTou96eTwY8Suc6wBaZ
xQHAPGF3+8JMMs6xEkAAG1TEmvOiHiIBxngm+kaXyL7SgHSYFLfVxqDyKP+bUYkL
kVrT0nT+XU10W34LLTsNtLUTUTX+Z0gFdJ6Hj7Osnx/K7Bd8wGZBryzg/ywVPVQh
4isxo9R1XXKrp7pGnz0CVRr3B7F9c9a8oK9AE2qMQuCDWQMx/VcVCZ0CNBmI6yQ0
QfJuXfGwnLRzCdf1lHogIOAC2rDjjKkOgrGya1lbwt6Bl3haXXK718jm4x5M2ysC
QK0oacopVxqc+a39GDSyQPzBaf23aPj5tdeGsnSibMxGpZj9rXpPkQQycbEv3uvJ
xRbZhxJwclAyNAeD6Whgdi8Gyn8W2fRwcqdyZfZx7949Pqi0HXsDSJkckgCJIdPG
9cO2q3D2S5xSnGy+shPzAhg7ve41WPvRHQWHHAUrn5KHGxTQUGG+qFuZAxy0WPxy
M2wCYwGxTSF70xyHsmNxxxfrY6OBDVXaMPCqiTuI85mqnzufdn8=
=ouRB
-----END PGP SIGNATURE-----
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux
Pull ARM fixes from Russell King:
- use an absolute path for asm/unified.h in KBUILD_AFLAGS to solve a
regression caused by commit d5c8d6e0fa ("kbuild: Update assembler
calls to use proper flags and language target")
- fix dead code elimination binutils version check again
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rmk/linux:
ARM: 9450/1: Fix allowing linker DCE with binutils < 2.36
ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS
These are two fixes that came in late, one addresses a regression
on a rockchips based board, the other is for ensuring a consistent
dt binding for a device added in 6.16 before the incorrect one
makes it into a release.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEo6/YBQwIrVS28WGKmmx57+YAGNkFAmiEr0kACgkQmmx57+YA
GNnqng//bMqUF0zvPePqhIuDlrAPyHqczDl+2STs6LM1Y89483QFbqlH1481b5dO
dKeSu/4G4ePcpUcM5ZST5961mLds7JReSDOjQt2RE1P5q2JQCHOnwJD0ptGH0AwJ
LCWFQc5lhj1lUNqj+zkJydoeos48HC7KBniP1E2d00d7vfqq5CoEHHjsAiaz5Yu1
bkd2ATbazFv0eE3W1KEEu6HgPjt+jzz9I8tjhXp9M1oYMA9M7g6Eu08X6Befr7tA
dWDro81YwnoVdXdSGeCHE58Vl413jcpfzDV+RrUG/rzJ8Jb4/5OrIRg4fiH2di//
qSSsD6kgAEajuK36ys7Z3h74cjm6eJif8QkDkA/qGWl9t6fL0BI/Vjd6PL6mNhJz
WmYRq8R/uFeh7Q+rGkaB8vl7fmLhnpBz0UwBpQ0DrV3lU8HnCjWiwEWkk4gXflI5
1p07OfqnjzZ8bqa1P5MEApRcngWNME6IbzL2Yt07FEvLdfJ9xauly/QhIiSlZ2bw
5HjLhfutTJYHGRGQwKw632Vqi1bldUkDOttP71fO4ocGqH7Jx2W8Fz/APGjmIvmG
OEDMSfjQjAQfWGM4KhTIv4zRbndtVJsiMG3xzZl496hSrDJqpBI/cnEJ7bZftfT3
dCIVN8thTP8W6c4Thh3DQllBLln1jwy7zszao3jycEJEuJSO9MA=
=qwRh
-----END PGP SIGNATURE-----
Merge tag 'soc-fixes-6.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
Pull SoC fixes from Arnd Bergmann:
"These are two fixes that came in late, one addresses a regression on a
rockchips based board, the other is for ensuring a consistent dt
binding for a device added in 6.16 before the incorrect one makes it
into a release"
* tag 'soc-fixes-6.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
arm64: dts: rockchip: Drop netdev led-triggers on NanoPi R5S
arm64: dts: allwinner: a523: Rename emac0 to gmac0
qup: avoid potential hang when waiting for bus idle
tegra: improve ACPI reset error handling
virtio: use interruptible wait to prevent hang during transfer
-----BEGIN PGP SIGNATURE-----
iIwEABYKADQWIQScDfrjQa34uOld1VLaeAVmJtMtbgUCaIOznxYcYW5kaS5zaHl0
aUBrZXJuZWwub3JnAAoJENp4BWYm0y1uD4ABALfEdKZJzebUmYe8LIchwE7j3n9p
upZJy0+eQtIgSAQdAP930znDO05ezlUcnxAxA+UDfMFamrKIrpu/I4My9fIBBA==
=d9vN
-----END PGP SIGNATURE-----
Merge tag 'i2c-host-fixes-6.16-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/andi.shyti/linux into i2c/for-current
i2c-host-fixes for v6.16-rc8
qup: avoid potential hang when waiting for bus idle
tegra: improve ACPI reset error handling
virtio: use interruptible wait to prevent hang during transfer
i915:
- Fix DP 2.7 Gbps DP_LINK_BW value on g4x
- Fix return value on intel_atomic_commit_fence_wait
xe:
- Fix build without debugfs
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmiD6UwACgkQDHTzWXnE
hr5DPRAAqXbmjZVfKlPkFYf7flCT29D8TFO7dVbrnol0P8B0JbMzhcTLY9wKOZOl
dyp5NuTOWOcwV7sgG4yxbkclwUnkFdhPVW7oAqt1b2VwX7Y6f97xQQwxI2CWqsBa
DK8Z+ej17nQrHUknRfhNxpxe3kfnn6O+4A7i7Iqdc0RUrYbe82wrOP6KFgYpX1Ck
QmgU1GhiUmvSRN/XZTIlcyB3LNrow6O0XTMy6j7wwKmnmecGGW/C/nSzhdqfMszI
Qj7GaszS5OyuCk5Grylg0iYGPw+mbGa2qs9hxiwIe6zgR++EP4cVxQtBGoLjmINa
yZOT/8gXdMmFH3QfGMOes+WJVfFxY77y4lyTzB7L0meeZNdTaLYxbsBjnQp2HSF8
x3fFfu0e6Jgz2GfpsPW5jm1w3bAYAG24UNCNts/JhOs/9U2Fl9UY2oHJnGx/cCfd
3xFjJBv6mFD0AmKapmdDKSlS6uBpq0ElfKrPuwwhlrmX01c2jpe5sYT+JxSkeG1R
efLgWSyyuFZ4IwpT2BkEVgYVwEAi1Kyix+/Yyobc2YJjSpzOhaNmRgdWecBJuWMn
CMjb7jciXAxJt+wP+y5301Fk0q73uaQWSypDaX5lZhnD7yjvTFtkUQzPFOd2bQ/E
cHIXzhKolLByaVKZV2r7IAeI+xujJAMT8XLaHe4U/9Vv/CTr7lQ=
=rf5N
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-2025-07-26' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes (part 2) from Dave Airlie:
"Just the follow up fixes for i915 and xe, all pretty minor.
i915:
- Fix DP 2.7 Gbps DP_LINK_BW value on g4x
- Fix return value on intel_atomic_commit_fence_wait
xe:
- Fix build without debugfs"
* tag 'drm-fixes-2025-07-26' of https://gitlab.freedesktop.org/drm/kernel:
drm/xe: Fix build without debugfs
drm/i915/display: Fix dma_fence_wait_timeout() return value handling
drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x
-----BEGIN PGP SIGNATURE-----
iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmiDdRYQHGF4Ym9lQGtl
cm5lbC5kawAKCRD301j7KXHgpnkWD/9h7VFAPOxDCWvmp8awU3OoKVbJI5lo0656
Irch2xNlhtCAB6fUYSRPOq5xIZjNQmI5Fvzp7Gyto1fQYmtxsU75Kbgh7gzTOxsI
j0I2KAwD2RrifozONOJa3aCYS8T18nEdcK32zMvVUegBAPhd9wI474fJJSAKa5t2
qhXcYMRyiy4Wc1Sz187kD5H7RBljdkgnmO0VcWbplwTW0vPID70tSacDKUW1Jmuf
kSqDh52jzPaYyt7f2gr/TaiHf1TsUuGKdIS58gdN+CBXEMMo4IKOxrU0qFMytOr9
N1B2VzG9aEUZjZFqArOnO2BpUnfhHwI1JlqONOvdholpqTCVvdxpDlMIc918cQ+v
5mYTWOtYCE+ziLRJlp+ttNOipVLMOPemr/Rnb4w9I84Xsdt1dxAAv8MOuB4lGomT
vSwoK6SLUS5u6PSSTAv8f9I1fgijghbzsXs6TpDwHMYujNQn/MyHJLIYQ4yWhDrJ
25bjLRYJePR83I1AdjbL/fJqCi6gUtzzRrDfN3xSziMo875mP0XxjPOaQeGLpMXM
Br1GFrXHtvUZ/2ipvGzbVDL/qs3a5S/rQJ2HNhgQvd/FcSs1ZMirCEbWmTyDtNdj
MkYu4VGFXwhVxVBXGqnShRRbf6KnLM/MC1GkQVpqfKjhMSBsBaJ68kCXbROVbkGj
3BSu0SlV0w==
=Q1wN
-----END PGP SIGNATURE-----
Merge tag 'block-6.16-20250725' of git://git.kernel.dk/linux
Pull block fix from Jens Axboe:
"Just a single fix for regression in this release, where a module
reference could be leaked"
* tag 'block-6.16-20250725' of git://git.kernel.dk/linux:
block: fix module reference leak in mq-deadline I/O scheduler
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCaIM+0AAKCRCRxhvAZXjc
oopdAP9SviubsueENDGRNvyvjCajdaUcZ481UeWCsvshc1ykmgEAo+Cwu3QxRzF7
BVjSIJSV9r4ae/fNw/MASbJVwyfCJQc=
=hGG6
-----END PGP SIGNATURE-----
Merge tag 'vfs-6.16-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
Pull vfs fixes from Christian Brauner:
"Two last-minute fixes for this cycle:
- Set afs vllist to NULL if addr parsing fails
- Add a missing check for reaching the end of the string in afs"
* tag 'vfs-6.16-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
afs: Set vllist to NULL if addr parsing fails
afs: Fix check for NULL terminator
User reported fixes:
- Fix btree node scan on encrypted filesystems by not using btree node
header fields encrypted
- Fix a race in btree write buffer flush; this caused EROs primarily
during fsck for some people
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEKnAFLkS8Qha+jvQrE6szbY3KbnYFAmiC8nIACgkQE6szbY3K
bnb2Mw//c9gFPpIqCQnMGwG1lXCCDjyKMkaP9OFq/Y2Ul5ERqWr2x3zzj36AYAkn
Ujo4/xNVBTsdvz8Kj4kG926F87UPnSJPJ64Y3L2Ag8WtOImMDWCu2GBHQ6ILdZYp
sPaf3Kd5P8GS221s/Rg45DihHlkoaZiXe7nE9/i/SdrvWyeMG7WQBuwgyTkjbVSh
c95sot66FlKURHDilFxZ1JU7UIf+QLyZRb5d6gQlmCce4c3w7RaRjK/dtnA9wZPQ
GkLim+Ja5oxUxT+pn4g2ImfLDL1nIGN7xtZR8vg0awekIbQxCsFzv6l7t5vvLEQ/
l9Q8bCUFhJ5pQ4uMGsde47G3smmVC8OFDJTNeUog9grcbcsyUh1+bN9Ix886oVnd
14Yji6++WmwekDISw9wH8tKNkGp7PZFMDxRFET8LQf+WReIDr/n1F4j1fhNBL0jr
UVy0F8u3prGwE3TigUX35cBvDmdbhIpkSZIaXskUewkiOByzcLXh5fF5XlfEtAJ0
OhMQQPAOKv5vcmLF3+JYMGj0JDch3s6HJy6AfxQ2EfZs4iozL47aOEiMlQ3PdZfw
CJfMAXwXs/PgznSDBdAdV0iMRM5f43QtHGXfBIsHk+F3Ax05ERvvghtnCYht3ltd
5Fy80Tm1iGxH4nsItR3bXxAnkFQmhJFDPAZ7RD8TkvgkSrDYJhA=
=qe+b
-----END PGP SIGNATURE-----
Merge tag 'bcachefs-2025-07-24' of git://evilpiepirate.org/bcachefs
Pull bcachefs fixes from Kent Overstreet:
"User reported fixes:
- Fix btree node scan on encrypted filesystems by not using btree
node header fields encrypted
- Fix a race in btree write buffer flush; this caused EROs primarily
during fsck for some people"
* tag 'bcachefs-2025-07-24' of git://evilpiepirate.org/bcachefs:
bcachefs: Add missing snapshots_seen_add_inorder()
bcachefs: Fix write buffer flushing from open journal entry
bcachefs: btree_node_scan: don't re-read before initializing found_btree_node
Commit e7607f7d6d ("ARM: 9443/1: Require linker to support KEEP within
OVERLAY for DCE") accidentally broke the binutils version restriction
that was added in commit 0d437918fb ("ARM: 9414/1: Fix build issue
with LD_DEAD_CODE_DATA_ELIMINATION"), reintroducing the segmentation
fault addressed by that workaround.
Restore the binutils version dependency by using
CONFIG_LD_CAN_USE_KEEP_IN_OVERLAY as an additional condition to ensure
that CONFIG_HAVE_LD_DEAD_CODE_DATA_ELIMINATION is only enabled with
binutils >= 2.36 and ld.lld >= 21.0.0.
Closes: https://lore.kernel.org/6739da7d-e555-407a-b5cb-e5681da71056@landley.net/
Closes: https://lore.kernel.org/CAFERDQ0zPoya5ZQfpbeuKVZEo_fKsonLf6tJbp32QnSGAtbi+Q@mail.gmail.com/
Cc: stable@vger.kernel.org
Fixes: e7607f7d6d ("ARM: 9443/1: Require linker to support KEEP within OVERLAY for DCE")
Reported-by: Rob Landley <rob@landley.net>
Tested-by: Rob Landley <rob@landley.net>
Reported-by: Martin Wetterwald <martin@wetterwald.eu>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
After commit d5c8d6e0fa ("kbuild: Update assembler calls to use proper
flags and language target"), which updated as-instr to use the
'assembler-with-cpp' language option, the Kbuild version of as-instr
always fails internally for arch/arm with
<command-line>: fatal error: asm/unified.h: No such file or directory
compilation terminated.
because '-include' flags are now taken into account by the compiler
driver and as-instr does not have '$(LINUXINCLUDE)', so unified.h is not
found.
This went unnoticed at the time of the Kbuild change because the last
use of as-instr in Kbuild that arch/arm could reach was removed in 5.7
by commit 541ad0150c ("arm: Remove 32bit KVM host support") but a
stable backport of the Kbuild change to before that point exposed this
potential issue if one were to be reintroduced.
Follow the general pattern of '-include' paths throughout the tree and
make unified.h absolute using '$(srctree)' to ensure KBUILD_AFLAGS can
be used independently.
Closes: https://lore.kernel.org/CACo-S-1qbCX4WAVFA63dWfHtrRHZBTyyr2js8Lx=Az03XHTTHg@mail.gmail.com/
Cc: stable@vger.kernel.org
Fixes: d5c8d6e0fa ("kbuild: Update assembler calls to use proper flags and language target")
Reported-by: KernelCI bot <bot@kernelci.org>
Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
This fixes an infinite loop when repairing "extent past end of inode",
when the extent is an older snapshot than the inode that needs repair.
Without the snaphsots_seen_add_inorder() we keep trying to delete the
same extent, even though it's no longer visible in the inode's snapshot.
Fixes: 63d6e93119 ("bcachefs: bch2_fpunch_snapshot()")
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
When flushing the btree write buffer, we pull write buffer keys directly
from the journal instead of letting the journal write path copy them to
the write buffer.
When flushing from the currently open journal buffer, we have to block
new reservations and wait for outstanding reservations to complete.
Recheck the reservation state after blocking new reservations:
previously, we were checking the reservation count from before calling
__journal_block().
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
or aren't considered necessary for -stable kernels.
7 are for MM.
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQTTMBEPP41GrTpTJgfdBJ7gKXxAjgUCaILYBgAKCRDdBJ7gKXxA
jo0uAQDvTlAjH6TcgRW/cbqHRIeiRoZ9Bwh/RUlJXM9neDR2LgEA41B+ohTsxUmZ
OhM3Ce94tiGrHnVlW3SsmVaO+1TjGAU=
=KUR9
-----END PGP SIGNATURE-----
Merge tag 'mm-hotfixes-stable-2025-07-24-18-03' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Pull misc fixes from Andrew Morton:
"11 hotfixes. 9 are cc:stable and the remainder address post-6.15
issues or aren't considered necessary for -stable kernels.
7 are for MM"
* tag 'mm-hotfixes-stable-2025-07-24-18-03' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
sprintf.h requires stdarg.h
resource: fix false warning in __request_region()
mm/damon/core: commit damos_quota_goal->nid
kasan: use vmalloc_dump_obj() for vmalloc error reports
mm/ksm: fix -Wsometimes-uninitialized from clang-21 in advisor_mode_show()
mm: update MAINTAINERS entry for HMM
nilfs2: reject invalid file types when reading inodes
selftests/mm: fix split_huge_page_test for folio_split() tests
mailmap: add entry for Senozhatsky
mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n
mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list
In file included from drivers/crypto/intel/qat/qat_common/adf_pm_dbgfs_utils.c:4:
include/linux/sprintf.h:11:54: error: unknown type name 'va_list'
11 | __printf(2, 0) int vsprintf(char *buf, const char *, va_list);
| ^~~~~~~
include/linux/sprintf.h:1:1: note: 'va_list' is defined in header '<stdarg.h>'; this is probably fixable by adding '#include <stdarg.h>'
Link: https://lkml.kernel.org/r/20250721173754.42865913@canb.auug.org.au
Fixes: 39ced19b9e ("lib/vsprintf: split out sprintf() and friends")
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Andriy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
A warning is raised when __request_region() detects a conflict with a
resource whose resource.desc is IORES_DESC_DEVICE_PRIVATE_MEMORY.
But this warning is only valid for iomem_resources.
The hmem device resource uses resource.desc as the numa node id, which can
cause spurious warnings.
This warning appeared on a machine with multiple cxl memory expanders.
One of the NUMA node id is 6, which is the same as the value of
IORES_DESC_DEVICE_PRIVATE_MEMORY.
In this environment it was just a spurious warning, but when I saw the
warning I suspected a real problem so it's better to fix it.
This change fixes this by restricting the warning to only iomem_resource.
This also adds a missing new line to the warning message.
Link: https://lkml.kernel.org/r/20250719112604.25500-1-akinobu.mita@gmail.com
Fixes: 7dab174e2e ("dax/hmem: Move hmem device registration to dax_hmem.ko")
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Reviewed-by: Dan Williams <dan.j.williams@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
DAMOS quota goal uses 'nid' field when the metric is
DAMOS_QUOTA_NODE_MEM_{USED,FREE}_BP. But the goal commit function is not
updating the goal's nid field. Fix it.
Link: https://lkml.kernel.org/r/20250719181932.72944-1-sj@kernel.org
Fixes: 0e1c773b50 ("mm/damon/core: introduce damos quota goal metrics for memory node utilization") [6.16.x]
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-----BEGIN PGP SIGNATURE-----
iQJIBAABCgAyFiEEgMe7l+5h9hnxdsnuWYigwDrT+vwFAmiCrE0UHGJoZWxnYWFz
QGdvb2dsZS5jb20ACgkQWYigwDrT+vyhfRAAv5pB484Q4w1fKw2l3JZeYztBPeFh
S0I4yZQCI+a1ecTSL1IgTUyRWrRoJDNtvJJResNtOuZKE9sxm5V/9h3d0qhMxCqw
dOKk1vDB8im4VDlC+IgEcvKY28T54rWdoklqEf6DztJz5tr10vrSRIvu01wDoeI2
FKH20jSbvhzzhP2JVlIXfYRnJ4jQVjgLbCl37m8oee3ifekzUM213+ZhFoOXR6a9
fJnHBt6pJAOduBATGlutFMetEyQ6Zn7XzT6OWrm5pSJkahgvF2+7hbPynBYXehV+
vn9xRJHKuC9WYpfAn3LEhnjNBNkDV+huYu7tv77htpB6M2Xq0HTlJWC0DeJGcozL
0v9UULZCzV758faUqAyNbGh7MAXt0MAUSOLjKmCM4gK8D0YJRrpVYIG8quQ5sPQO
zts3v6AYyOeliRarsgs+1MUe6/3hUSWwsy0k0wV5KH8NIXp4gc4qIte781vIEJsV
G07LjGIoMQUrjVpXRr5ra53XxPWu0pliTd+A684YUnr/5MMqu2I4lKsP/vqxzOoX
W4G1fDL8itEA3G0VBgTbYHPaZHQBa1+y4yOL6RcG/3gwS4bqkfcJPxN2jhRtHoXb
N3RRkb8rFuNGjTEIXt217BonXZRFeQxwgrXDLrjGE9SryhxNlsN0u/h+7TCeBC58
pPO+RyDQSBV0bBQ=
=ZwhJ
-----END PGP SIGNATURE-----
Merge tag 'pci-v6.16-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci
Pull pci fix from Bjorn Helgaas:
- Create pwrctrl devices only when we need them, i.e., when
CONFIG_PCI_PWRCTRL is enabled.
This allows brcmstb to work around a pwrctrl regression by
disabling CONFIG_PCI_PWRCTRL (Manivannan Sadhasivam)
* tag 'pci-v6.16-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pci/pci:
PCI/pwrctrl: Create pwrctrl devices only when CONFIG_PCI_PWRCTRL is enabled
When CONFIG_DEBUG_FS is off, drivers/gpu/drm/xe/xe_gt_debugfs.o
is not built and build fails on some setups with:
ld: drivers/gpu/drm/xe/xe_gt.o: in function `xe_fault_inject_gt_reset':
drivers/gpu/drm/xe/xe_gt.h:27:(.text+0x1659): undefined reference to `gt_reset_failure'
ld: drivers/gpu/drm/xe/xe_gt.h:27:(.text+0x1c16): undefined reference to `gt_reset_failure'
collect2: error: ld returned 1 exit status
Do not use the gt_reset_failure attribute if debugfs is not enabled.
Fixes: 8f3013e0b2 ("drm/xe: Introduce fault injection for gt reset")
Cc: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Himal Prasad Ghimiray <himal.prasad.ghimiray@intel.com>
Link: https://lore.kernel.org/r/20250722-xe-fix-build-fault-v1-1-157384d50987@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
(cherry picked from commit 4d3bbe9dd28c0a4ca119e4b8823c5f5e9cb3ff90)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Some last-minute fixes. All changes are device-specific small fixes
or quirks, safe to apply.
-----BEGIN PGP SIGNATURE-----
iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAmiCKpcOHHRpd2FpQHN1
c2UuZGUACgkQLtJE4w1nLE+4cg//ZnF1BQVX056UpOEL5QrYnQXHnA5p7g1av6Ek
k/E155lAxm8GBgfydC5AlOo7KLtwMDBQ485NVAP+pHMd4VrWp8udptcq6lxMCYS+
5NmCPaePOcTP+fVFKI0miBC60oEfhHDVie15nxARSsCJyIM04edO93KXfrnCyfbx
+PDynl8YQCvLQ4H9Fz6BCI/oPfw6DIocgGpvnyU7zl6lJWVfHvw3pssOfmVHH7dp
dlTUZe+S2MDBSApxogdOtx1BsJi6/V7DnNZc43gLarmE4H042ufcHXjatFdzSFQ6
+X5jWLbRy0mwkRq/gewf8AvPnGKe4jPEup4MZ3yZG0NZz//iLzH3rmDycbgkyEZR
wc01uAnaBY5lB/1YORsE2szI2AUMN7+g06c1yfEtxUsndaviJjWFX9MOOSy/4O3a
3GdqxyFLsQujvYUPyiV/iygv6JTGTRf9pbKB4EdpBbK7yHd9vchKxzqlp40UrIfM
TPd/4L2TZj29xwOl4eBn0Vye4Js3r9OUEqWIUrHMUNXjwx83skCpJ1P5BbH5CD1y
pmXyFlYmbI6QxR5hzm+13K72tGFMPowpreh2JiICsgxrkbLHrX7KQEwn28s0SdH4
QmMOhkV4GOuEdzSzO2z4xRjdpI6i4y4qdjXt1+hFr4sJNfs4UI1lqW1MnHHNvfeH
9JHgTZ0=
=mkoF
-----END PGP SIGNATURE-----
Merge tag 'sound-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"Some last-minute fixes. All changes are device-specific small fixes or
quirks, safe to apply"
* tag 'sound-6.16' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ASoC: mediatek: common: fix device and OF node leak
ALSA: hda/realtek: Fix mute LED mask on HP OMEN 16 laptop
ALSA: usb-audio: qcom: Adjust mutex unlock order
ASoC: SDCA: correct the calculation of the maximum init table size
ASoC: rt5650: Eliminate the high frequency glitch
ASoC: SOF: Intel: PTL: Add the sdw_process_wakeen op
ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx
ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa0xxx
ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv
- Fix broken UUID value for the KVM/arm64 hypervisor SMCCC interface.
- Fix stack corruption on context-switch, primarily seen on (but not
limited to) configurations with both pNMI and SCS enabled.
-----BEGIN PGP SIGNATURE-----
iQFEBAABCgAuFiEEPxTL6PPUbjXGY88ct6xw3ITBYzQFAmiBBXwQHHdpbGxAa2Vy
bmVsLm9yZwAKCRC3rHDchMFjNFitB/9qIwohXTPcwfFux3FJpiUAMzY0KlP2TIJF
+wMRNSkYw/EKKorz4nzdEagyvWLvbFqg8eZDaoVTV7+DyQXb5Fz9R7s8yVQwBIpY
naAPm5A+I9gitiISA8M1Kr44MpTJBUHRpOSIIiTQK0/ijmd02sDkZZJuTUqYRmUP
1SY7A6Ps3Oz3cfqDtOIKUy8LNi22Wha6n9r3YghO5nhlLgrO1vMf/2uX1fRULTee
rpv4vICUjy9JK7F3W2osQ88UQkRY+l7vEtEzDdAYREPbg7m0ye1R1rTp2NiQ/mja
b+YoKudvdce4Mwui3UB5kRCDBB5kJIX7Itvu/AfjJ5e/cr0fI15X
=tkat
-----END PGP SIGNATURE-----
Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
Pull arm64 fixes from Will Deacon:
"Two important arm64 fixes ahead of the 6.16 release.
The first fixes a regression introduced during the merge window where
the KVM UUID (which is used to advertise KVM-specific hypercalls for
things like time synchronisation in the guest) was corrupted thanks to
an endianness bug introduced when converting the code to use the
UUID_INIT() helper.
The second fixes a stack-pointer corruption issue during
context-switch which has been observed in the wild when taking a
pseudo-NMI with shadow call stack enabled.
Summary:
- Fix broken UUID value for the KVM/arm64 hypervisor SMCCC interface
- Fix stack corruption on context-switch, primarily seen on (but not
limited to) configurations with both pNMI and SCS enabled"
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
arm64: kvm, smccc: Fix vendor uuid
The TI regression notified last week is actually on our net-next tree,
it does not affect 6.16.
We are investigating a virtio regression which is quite hard to
reproduce - currently only our CI sporadically hits it. Hopefully it
should not be critical, and I'm not sure that an additional week would
be enough to solve it.
Current release - fix to a fix:
- sched: sch_qfq: avoid sleeping in atomic context in qfq_delete_class
Previous releases - regressions:
- xfrm:
- set transport header to fix UDP GRO handling
- delete x->tunnel as we delete x
- eth: mlx5: fix memory leak in cmd_exec()
- eth: i40e: when removing VF MAC filters, avoid losing PF-set MAC
- eth: gve: fix stuck TX queue for DQ queue format
Previous releases - always broken:
- can: fix NULL pointer deref of struct can_priv::do_set_mode
- eth: ice: fix a null pointer dereference in ice_copy_and_init_pkg()
- eth: ism: fix concurrency management in ism_cmd()
- eth: dpaa2: fix device reference count leak in MAC endpoint handling
- eth: icssg-prueth: fix buffer allocation for ICSSG
Misc:
- selftests: mptcp: increase code coverage
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-----BEGIN PGP SIGNATURE-----
iQJGBAABCAAwFiEEg1AjqC77wbdLX2LbKSR5jcyPE6QFAmiCGdASHHBhYmVuaUBy
ZWRoYXQuY29tAAoJECkkeY3MjxOkV2YP/idUgK6lAEHGIVvmhYn7TJCeA4Ekbybt
rjf71bUJRs1w64y2UFaK4/LOdOWoK6ztZIX3tFkkPwMKxvGsvymMcClhghSGU6E5
8h1jcgSCzvtAV6bSDeulDSfqKu4OJ2KCJomwQKKO0bu3RDQTkQdPNLxb6ysAonml
6Y0v2kiclnjtIdXJ+emdgQ3CBjLabPLTzXBVy1yuk0J1JLL2UACzK4xmacKvlpN0
heN7eEontRrPmBVNRY5+rw5yrYBwAg6Y8pa3dF3M8bXiXc0xvoT5c8lA9d0PNRSe
9TBeXwCASdr9vDFORoL87GwDV82pfrXrSAcHBfdW55ItblgkzLBiIkGsGGt5YynZ
1ZA8fGJVJwNbV7jFqQkjFob+Te6dCL1wcFNbbrrRtU5V24D0Q0YE56HHcFqgbuht
dLuDSsxVL1TGlpA5q2f1jylfIekLgMV9d1X8adagY1VRuzK4SzGZpCXEcpBUI2z3
boTpc/BTQx9t42qjegLZqCu+TmvVwYM6zarUvO8jQtC9LZpMY1sPxpu+qFd5yYJ1
VyK+EGOq7At6qwxchUBiwVsek08G5vXWsQFVA9qn+sPTi5iKhDB97dJFnnb1aBo/
aw/lYHFBzn5I31HhLaDKFMqie4JUOfj9gd/Ab7hR4u4jAqUG9tkPjrdCWtLFDrSn
Jn+o05q8HLwK
=7rIq
-----END PGP SIGNATURE-----
Merge tag 'net-6.16-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"Including fixes from can and xfrm.
The TI regression notified last week is actually on our net-next tree,
it does not affect 6.16.
We are investigating a virtio regression which is quite hard to
reproduce - currently only our CI sporadically hits it. Hopefully it
should not be critical, and I'm not sure that an additional week would
be enough to solve it.
Current release - fix to a fix:
- sched: sch_qfq: avoid sleeping in atomic context in qfq_delete_class
Previous releases - regressions:
- xfrm:
- set transport header to fix UDP GRO handling
- delete x->tunnel as we delete x
- eth:
- mlx5: fix memory leak in cmd_exec()
- i40e: when removing VF MAC filters, avoid losing PF-set MAC
- gve: fix stuck TX queue for DQ queue format
Previous releases - always broken:
- can: fix NULL pointer deref of struct can_priv::do_set_mode
- eth:
- ice: fix a null pointer dereference in ice_copy_and_init_pkg()
- ism: fix concurrency management in ism_cmd()
- dpaa2: fix device reference count leak in MAC endpoint handling
- icssg-prueth: fix buffer allocation for ICSSG
Misc:
- selftests: mptcp: increase code coverage"
* tag 'net-6.16-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (34 commits)
net: hns3: default enable tx bounce buffer when smmu enabled
net: hns3: fixed vf get max channels bug
net: hns3: disable interrupt when ptp init failed
net: hns3: fix concurrent setting vlan filter issue
s390/ism: fix concurrency management in ism_cmd()
selftests: drv-net: wait for iperf client to stop sending
MAINTAINERS: Add in6.h to MAINTAINERS
selftests: netfilter: tone-down conntrack clash test
can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode
net/sched: sch_qfq: Avoid triggering might_sleep in atomic context in qfq_delete_class
gve: Fix stuck TX queue for DQ queue format
net: appletalk: Fix use-after-free in AARP proxy probe
net: bcmasp: Restore programming of TX map vector register
selftests: mptcp: connect: also cover checksum
selftests: mptcp: connect: also cover alt modes
e1000e: ignore uninitialized checksum word on tgp
e1000e: disregard NVM checksum on tgp when valid checksum bit is not set
ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
i40e: When removing VF MAC filters, only check PF-set MAC
i40e: report VF tx_dropped with tx_errors instead of tx_discards
...
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEH7ZpcWbFyOOp6OJbrB3Eaf9PW7cFAmiAj9QACgkQrB3Eaf9P
W7dQEhAAj0ccCgKych/IBx4zlK/TSsPN9PnZmylTgpfWQdClCKjNEa80Umf2wWgc
0j5rA77B2AJSHkRHMW6cWpmZRbicnWDavAtUOB/2lEcw8EDyMcIEEByzBtRkylvb
S1slLlpAYyezHsSr9uGu6+Meb3llkL2+pnF2CiA02uWI0MaEXaqtGfEqZ4DZX9BK
xQcb3St6Mr6pBV0sQ/rlY3Gfe/t/gzUnJNQQtRuKcZmBG4Ls1MLpJ6fYU++k+lfX
my4JehdI2Sg6QujX4HdlBDF1bCzcKpxzJGQVhkjT9OPx25owtoknMezeWdrK3Gdk
0pwIFs0+dFCc6hi2x6seabSBPNZJzT7978XZ0U2PneGoKlSw36UuAvk2ckAaBS+N
I2flFQRGAf7XjxNn53lRailG/nxGYUMEvhlM+uGjy1rujDn8NmdZXAwtQUGP25bJ
DCcXiQp6KUnclIWJ0MjScuFUG++Afn52DgsM+N5Fmjg9U/F1dVqIWjixcOOM4Lx2
DOpJy9gi3r7JZ0b1K7KMq1FibxFGszaW4YeABNPqlcEjnWiVhPNQjxKm0S84UQdL
Qh0s1PiAWhBqt4bvdf6h+r8309JWgo704MWxC2tBodDVJoYgugNXbnPihrr6+wO3
D9SbUJHSdTLOWTWzhlrFEb2oHVHAXc3KZpIQnk+32XaxqcNHpeY=
=MBQn
-----END PGP SIGNATURE-----
Merge tag 'ipsec-2025-07-23' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:
====================
pull request (net): ipsec 2025-07-23
1) Premption fixes for xfrm_state_find.
From Sabrina Dubroca.
2) Initialize offload path also for SW IPsec GRO. This fixes a
performance regression on SW IPsec offload.
From Leon Romanovsky.
3) Fix IPsec UDP GRO for IKE packets.
From Tobias Brunner,
4) Fix transport header setting for IPcomp after decompressing.
From Fernando Fernandez Mancera.
5) Fix use-after-free when xfrmi_changelink tries to change
collect_md for a xfrm interface.
From Eyal Birger .
6) Delete the special IPcomp x->tunnel state along with the state x
to avoid refcount problems.
From Sabrina Dubroca.
Please pull or let me know if there are problems.
* tag 'ipsec-2025-07-23' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec:
Revert "xfrm: destroy xfrm_state synchronously on net exit path"
xfrm: delete x->tunnel as we delete x
xfrm: interface: fix use-after-free after changing collect_md xfrm interface
xfrm: ipcomp: adjust transport header after decompressing
xfrm: Set transport header to fix UDP GRO handling
xfrm: always initialize offload path
xfrm: state: use a consistent pcpu_id in xfrm_state_find
xfrm: state: initialize state_ptrs earlier in xfrm_state_find
====================
Link: https://patch.msgid.link/20250723075417.3432644-1-steffen.klassert@secunet.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
The SMMU engine on HIP09 chip has a hardware issue.
SMMU pagetable prefetch features may prefetch and use a invalid PTE
even the PTE is valid at that time. This will cause the device trigger
fake pagefaults. The solution is to avoid prefetching by adding a
SYNC command when smmu mapping a iova. But the performance of nic has a
sharp drop. Then we do this workaround, always enable tx bounce buffer,
avoid mapping/unmapping on TX path.
This issue only affects HNS3, so we always enable
tx bounce buffer when smmu enabled to improve performance.
Fixes: 295ba232a8 ("net: hns3: add device version to replace pci revision")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722125423.1270673-5-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Currently, the queried maximum of vf channels is the maximum of channels
supported by each TC. However, the actual maximum of channels is
the maximum of channels supported by the device.
Fixes: 849e460776 ("net: hns3: add ethtool_ops.get_channels support for VF")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Hao Lan <lanhao@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722125423.1270673-4-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
When ptp init failed, we'd better disable the interrupt and clear the
flag, to avoid early report interrupt at next probe.
Fixes: 0bf5eb7885 ("net: hns3: add support for PTP")
Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722125423.1270673-3-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
The vport->req_vlan_fltr_en may be changed concurrently by function
hclge_sync_vlan_fltr_state() called in periodic work task and
function hclge_enable_vport_vlan_filter() called by user configuration.
It may cause the user configuration inoperative. Fixes it by protect
the vport->req_vlan_fltr by vport_lock.
Fixes: 2ba306627f ("net: hns3: add support for modify VLAN filter state")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722125423.1270673-2-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
The s390x ISM device data sheet clearly states that only one
request-response sequence is allowable per ISM function at any point in
time. Unfortunately as of today the s390/ism driver in Linux does not
honor that requirement. This patch aims to rectify that.
This problem was discovered based on Aliaksei's bug report which states
that for certain workloads the ISM functions end up entering error state
(with PEC 2 as seen from the logs) after a while and as a consequence
connections handled by the respective function break, and for future
connection requests the ISM device is not considered -- given it is in a
dysfunctional state. During further debugging PEC 3A was observed as
well.
A kernel message like
[ 1211.244319] zpci: 061a:00:00.0: Event 0x2 reports an error for PCI function 0x61a
is a reliable indicator of the stated function entering error state
with PEC 2. Let me also point out that a kernel message like
[ 1211.244325] zpci: 061a:00:00.0: The ism driver bound to the device does not support error recovery
is a reliable indicator that the ISM function won't be auto-recovered
because the ISM driver currently lacks support for it.
On a technical level, without this synchronization, commands (inputs to
the FW) may be partially or fully overwritten (corrupted) by another CPU
trying to issue commands on the same function. There is hard evidence that
this can lead to DMB token values being used as DMB IOVAs, leading to
PEC 2 PCI events indicating invalid DMA. But this is only one of the
failure modes imaginable. In theory even completely losing one command
and executing another one twice and then trying to interpret the outputs
as if the command we intended to execute was actually executed and not
the other one is also possible. Frankly, I don't feel confident about
providing an exhaustive list of possible consequences.
Fixes: 684b89bc39 ("s390/ism: add device driver for internal shared memory")
Reported-by: Aliaksei Makarau <Aliaksei.Makarau@ibm.com>
Tested-by: Mahanta Jambigi <mjambigi@linux.ibm.com>
Tested-by: Aliaksei Makarau <Aliaksei.Makarau@ibm.com>
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722161817.1298473-1-wintera@linux.ibm.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
A few device specific fixes, none especially remarkable though all
useful.
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmiBFdUACgkQJNaLcl1U
h9CrBwf/S9zAmKv9zfCgpgyxN8GEJv4pwj/8NGLjv1FlNetX3gMsGq6Xp58b+9Ry
/nPLkKnl3Vgon3QDQCbWNza3wliDDyPFVqqrIsbGrEy3E78UraIKNXIjxlanJkDx
emZGfi4C8tCdaBMjaHTNGcxomYsH0TGascDfng5yrtVDi9mityg+zeC0gLBUuR/Z
07qLIakp5iYavHGuxBkY55eHWncperoQpRv3C3efzXlDM/Eu3HcQoRmKX1M3yTx9
mboJ/xfuLDOSf7ZZJeGnoeZToDgvoUcyM8m6R06uj9th3dq6sP3FraFGHe60E+Mq
qwbBrtGv/dczbf/LyIBnolqXx1xdfg==
=Pl6U
-----END PGP SIGNATURE-----
Merge tag 'asoc-fix-v6.16-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v6.16
A few device specific fixes, none especially remarkable though all
useful.
gem:
- revert all the dma-buf/gem changes
as there as lifetime issues with it.
nouveau:
- revert an ioctl change as it causes issues
- fix NULL ptr on fermi
bridge:
- remove extra semicolon
sched:
- remove hang causing optimisation
amdgpu:
- fix garbage in cleared vram after resume
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmiBfb0ACgkQDHTzWXnE
hr4ZRBAAiGleBHnZGpdByMmmMIW6LVETISJiaBhZ8Cfx3dgFlW13Edhce9wACJ6t
R6zP6fGTDVhhRohIEx+H62R8hdZiL3Y3MYdFh47VwwxTWEs9qqjVMJUVWPgl+xS6
5UTNqb1nm6lrKJHncD2vXCVKsk4XEJaZEXolwrmUpCrVPlv6zz1uxBFRNXBxzaOZ
Q1zz5UgjE67Jv8qb3MaH5rgysTKUUHrC+6LfKvXpauovGVA3g0FlGK7N5gsJm8A7
ThPjwAOs9HUTHeaSZDGW96Kv84ltR5yhPIcAX+U0S4RNl1NTUOQaACHTTWrf7OTb
FXVy1WihM958olRkZeyaa6B8lNRF98eHDJXRa4Kvzr7LmW79J28XyW/9Ht2bjRhq
e2v/XGOWJRLU46ahsFF4cfRo1nE9ctksHvggX7E0uwclRuXLaHDjbWW5FG9THciE
geNQEN3AcoBN1gwQ49wzOvF2UKRFM+CIXiXhriAKe5wpqYt559mSyddCLsL8oH5L
S3ctlcm1R3UYcvWwZ/hzkoFzwGCmj50xslswE2s6lTEFohM9wG84QunZx6u97nNA
nQRuU45juljMMvgVYhngIgEPQbnnh+Rz2UFyRf6mB2n/OmLxZ74zSCJkD/RxB7+h
ffSJgwbYIFs9k7HWYp9u/ReFsYNg3SyNOuEEs8aetQG913OO7ZY=
=4EOG
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-2025-07-24' of https://gitlab.freedesktop.org/drm/kernel
Pull drm fixes from Dave Airlie:
"This might just be part one, but I'm sending it a bit early as it has
two sets of reverts for regressions, one is all the gem/dma-buf
handling and another was a nouveau ioctl change.
Otherwise there is an amdgpu fix, nouveau fix and a scheduler fix.
If any other changes come in I'll follow up with another more usual
Fri/Sat MR.
gem:
- revert all the dma-buf/gem changes as there as lifetime issues
with them
nouveau:
- revert an ioctl change as it causes issues
- fix NULL ptr on fermi
bridge:
- remove extra semicolon
sched:
- remove hang causing optimisation
amdgpu:
- fix garbage in cleared vram after resume"
* tag 'drm-fixes-2025-07-24' of https://gitlab.freedesktop.org/drm/kernel:
drm/bridge: ti-sn65dsi86: Remove extra semicolon in ti_sn_bridge_probe()
Revert "drm/nouveau: check ioctl command codes better"
drm/nouveau/nvif: fix null ptr deref on pre-fermi boards
Revert "drm/gem-dma: Use dma_buf from GEM object instance"
Revert "drm/gem-shmem: Use dma_buf from GEM object instance"
Revert "drm/gem-framebuffer: Use dma_buf from GEM object instance"
Revert "drm/prime: Use dma_buf from GEM object instance"
Revert "drm/etnaviv: Use dma_buf from GEM object instance"
Revert "drm/vmwgfx: Use dma_buf from GEM object instance"
Revert "drm/virtio: Use dma_buf from GEM object instance"
drm/sched: Remove optimization that causes hang when killing dependent jobs
drm/amdgpu: Reset the clear flag in buddy during resume
A few packets may still be sent out during the termination of iperf
processes. These late packets cause failures in rss_ctx.py when they
arrive on queues expected to be empty.
Example failure observed:
Check failed 2 != 0 traffic on inactive queues (context 1):
[0, 0, 1, 1, 386385, 397196, 0, 0, 0, 0, ...]
Check failed 4 != 0 traffic on inactive queues (context 2):
[0, 0, 0, 0, 2, 2, 247152, 253013, 0, 0, ...]
Check failed 2 != 0 traffic on inactive queues (context 3):
[0, 0, 0, 0, 0, 0, 1, 1, 282434, 283070, ...]
To avoid such failures, wait until all client sockets for the requested
port are either closed or in the TIME_WAIT state.
Fixes: 847aa551fa ("selftests: drv-net: rss_ctx: factor out send traffic and check")
Signed-off-by: Nimrod Oren <noren@nvidia.com>
Reviewed-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722122655.3194442-1-noren@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Original logic only sets the return value but doesn't jump out of the
loop if the bus is kept active by a client. This is not expected. A
malicious or buggy i2c client can hang the kernel in this case and
should be avoided. This is observed during a long time test with a
PCA953x GPIO extender.
Fix it by changing the logic to not only sets the return value, but also
jumps out of the loop and return to the caller with -ETIMEDOUT.
Fixes: fbfab1ab06 ("i2c: qup: reorganization of driver code to remove polling for qup v1")
Signed-off-by: Yang Xiwen <forbidden405@outlook.com>
Cc: <stable@vger.kernel.org> # v4.17+
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20250616-qca-i2c-v1-1-2a8d37ee0a30@outlook.com
The current implementation uses wait_for_completion(), which can cause
the caller to hang indefinitely if the transfer never completes.
Switch to wait_for_completion_interruptible() so that the operation can
be interrupted by signals.
Fixes: 84e1d0bf1d ("i2c: virtio: disable timeout handling")
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Cc: <stable@vger.kernel.org> # v5.16+
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/b8944e9cab8eb959d888ae80add6f2a686159ba2.1751541962.git.viresh.kumar@linaro.org
The acpi_evaluate_object() returns an ACPI error code and not
Linux one. For the some platforms the err will have positive code
which may be interpreted incorrectly. Use device_reset() for
reset control which handles it correctly.
Fixes: bd2fdedbf2 ("i2c: tegra: Add the ACPI support")
Reported-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
Cc: <stable@vger.kernel.org> # v5.17+
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20250710131206.2316-2-akhilrajeev@nvidia.com
My CC-adding automation returned nothing on a future patch to the
include/linux/in6.h file, and I went looking for why. Add the missed
in6.h to MAINTAINERS.
Signed-off-by: Kees Cook <kees@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250722165645.work.047-kees@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
* Fix cleanup mistake (probably a cut-and-paste error) in a Xen
hypercall.
-----BEGIN PGP SIGNATURE-----
iQFIBAABCgAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmiBWM8UHHBib256aW5p
QHJlZGhhdC5jb20ACgkQv/vSX3jHroNC7wf+Oqx6vEB4RyFR2hoLRlQiKiL4uA1y
TLesrbHefK1VwrMn3rEXAzJQh1u67aUBj03u5ggqvRVvbDVaUztrAPM50qnxLIvY
G3nK7N+M3FCjDodXGD9xLywfV5+uFaCTlkeHbzL1CvO+cNKD7DPodH3yTJnuv7mN
4h0dSr1XWhHe+7nTtbkSVObPG1ndlZgbw+yxCel62p/dCBLcQblYjkbfD3XNmv+M
deJnlZt7p/bOSWCQh8qGY54JvF2hnjn/m11dosSXlSdjLUKBqF/YJMfuiBvYwl/C
ffDHVHhtXU0wAzyBwm4LJ7HhG65HoakYPDDEJkcOzQj84EH6F1+C2Y9EJQ==
=gjN5
-----END PGP SIGNATURE-----
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull kvm fix from Paolo Bonzini:
- Fix cleanup mistake (probably a cut-and-paste error) in a Xen
hypercall
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls
kvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host
for more than one event channel potr (nr_ports > 1).
After the kmalloc_array(), the error paths need to go through the
"out" label, but the call to kvm_read_guest_virt() does not.
Fixes: 92c58965e9 ("KVM: x86/xen: Use kvm_read_guest_virt() instead of open-coding it badly")
Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Manuel Andreas <manuel.andreas@tum.de>
[Adjusted commit message. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
drm-misc-fixes for v6.16-rc8/final?:
- Revert all uses of drm_gem_object->dmabuf to
drm_gem_object->import_attach->dmabuf.
- Fix amdgpu returning BIOS cluttered VRAM after resume.
- Scheduler hang fix.
- Revert nouveau ioctl fix as it caused regressions.
- Fix null pointer deref in nouveau.
- Fix unnecessary semicolon in ti_sn_bridge_probe.
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://lore.kernel.org/r/72235afd-c849-49fe-9cc1-2b1781abdf08@linux.intel.com
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQQqUNBr3gm4hGXdBJlZ7Krx/gZQ6wUCaIED9AAKCRBZ7Krx/gZQ
69tPAQD4FLiS82oG1LfSjPFa6of9omdkSQBhZptuFBTZ8MyVJwD/T/fDFnIXdZQb
J4MazfsRCtgRdFlRGH90EQGRygwxdQA=
=UiOi
-----END PGP SIGNATURE-----
Merge tag 'pull-ufs-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull ufs fix from Al Viro:
"Fix regression in ufs options parsing"
* tag 'pull-ufs-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
fix the regression in ufs options parsing
A really dumb braino on rebasing and a dumber fuckup with managing #for-next
Fixes: b70cb45989 ("ufs: convert ufs to the new mount API")
Fucked-up-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
dma_fence_wait_timeout returns a long type but the driver is
only using the lower 32 bits of the retval and discarding the
upper 32 bits.
This is particularly problematic if there are already signalled
or stub fences on some of the hw planes. In this case the
dma_fence_wait_timeout function will immediately return with
timeout value MAX_SCHEDULE_TIMEOUT (0x7fffffffffffffff) since
the fence is already signalled. If the driver only uses the lower
32 bits of this return value then it'll interpret it as an error
code (0xFFFFFFFF or (-1)) and skip the wait on the remaining fences.
This issue was first observed in the xe driver with the Android
compositor where the GPU composited layer was not properly waited
on when there were stub fences in other overlay planes resulting in
visual artifacts.
Fixes: d59cf7bb73 ("drm/i915/display: Use dma_fence interfaces instead of i915_sw_fence")
Signed-off-by: Aakash Deep Sarkar <aakash.deep.sarkar@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Ankit Nautiyal <ankit.k.nautiyal@intel.com>
Link: https://lore.kernel.org/r/20250708074540.1948068-1-aakash.deep.sarkar@intel.com
(cherry picked from commit cdb16039515a5ac4d2c923f7a651cf19a803a3fe)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
NAND devices with different page sizes requires different number
of ECC steps, yet the qcom_spi_ecc_init_ctx_pipelined() function
sets 4 steps in 'ecc_cfg' unconditionally.
The correct number of the steps is calculated earlier in the
function already, so use that instead of the hardcoded value.
Fixes: 7304d19090 ("spi: spi-qpic: add driver for QCOM SPI NAND flash Interface")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://patch.msgid.link/20250723-qpic-snand-fix-steps-v1-1-d800695dde4c@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Make sure to drop the references to the accdet OF node and platform
device taken by of_parse_phandle() and of_find_device_by_node() after
looking up the sound component during probe.
Fixes: cf536e2622 ("ASoC: mediatek: common: Handle mediatek,accdet property")
Cc: stable@vger.kernel.org # 6.15
Cc: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20250722092542.32754-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
syzbot reported a bug in in afs_put_vlserverlist.
kAFS: bad VL server IP address
BUG: unable to handle page fault for address: fffffffffffffffa
...
Oops: Oops: 0002 [#1] SMP KASAN PTI
...
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:450 [inline]
RIP: 0010:afs_put_vlserverlist+0x3a/0x220 fs/afs/vl_list.c:67
...
Call Trace:
<TASK>
afs_alloc_cell fs/afs/cell.c:218 [inline]
afs_lookup_cell+0x12a5/0x1680 fs/afs/cell.c:264
afs_cell_init+0x17a/0x380 fs/afs/cell.c:386
afs_proc_rootcell_write+0x21f/0x290 fs/afs/proc.c:247
proc_simple_write+0x114/0x1b0 fs/proc/generic.c:825
pde_write fs/proc/inode.c:330 [inline]
proc_reg_write+0x23d/0x330 fs/proc/inode.c:342
vfs_write+0x25c/0x1180 fs/read_write.c:682
ksys_write+0x12a/0x240 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Because afs_parse_text_addrs() parses incorrectly, its return value -EINVAL
is assigned to vllist, which results in -EINVAL being used as the vllist
address when afs_put_vlserverlist() is executed.
Set the vllist value to NULL when a parsing error occurs to avoid this
issue.
Fixes: e2c2cb8ef0 ("afs: Simplify cell record handling")
Reported-by: syzbot+5c042fbab0b292c98fc6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5c042fbab0b292c98fc6
Tested-by: syzbot+5c042fbab0b292c98fc6@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/4119365.1753108011@warthog.procyon.org.uk
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
