Skip to content

NAS-141587 / 26.0.0-RC.1 / Update 6.18 kernel to v6.18.37 (by ixhamza)#305

Merged
creatorcary merged 1081 commits into
stable/26from
NAS-141587-26.0.0-RC.1
Jun 29, 2026
Merged

NAS-141587 / 26.0.0-RC.1 / Update 6.18 kernel to v6.18.37 (by ixhamza)#305
creatorcary merged 1081 commits into
stable/26from
NAS-141587-26.0.0-RC.1

Conversation

@bugclerk

Copy link
Copy Markdown
  • Updated the LTS Linux kernel from v6.18.35 to the latest v6.18.37.
  • Includes upstream CVE fixes, including CVE-2026-46300.
  • No merge conflicts.

Testing

Original PR: #302

Jiawen Wu and others added 30 commits June 19, 2026 13:44
[ Upstream commit 0487cfca46517ff6699c72dc1a8872b0af3c31a9 ]

The module info buffer should be initialized to 0 before the firmware
returns information. Otherwise, there is a risk that the buffer field
not filled by the firmware is random value.

Fixes: 3439297 ("net: txgbe: Support to handle GPIO IRQs for AML devices")
Signed-off-by: Jiawen Wu <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Paolo Abeni <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
[ Upstream commit b70c687b7cf267fb08586667a3946c8851cad672 ]

addrconf_get_prefix_route() can return the fib6_null_entry sentinel
entry which has a NULL fib6_table pointer. Therefore, before setting the
route's expiration time, check that we are not working with this entry,
as otherwise a NPD will be triggered [1].

Note that the other callers of addrconf_get_prefix_route() are not
susceptible to this bug:

1. addrconf_prefix_rcv(): Requests a route with the 'RTF_ADDRCONF |
   RTF_PREFIX_RT' flags which are not set on fib6_null_entry.

2. modify_prefix_route(): Fixed by commit a747e02 ("ipv6: avoid
   possible NULL deref in modify_prefix_route()").

3. __ipv6_ifa_notify(): Calls ip6_del_rt() which specifically checks for
   fib6_null_entry and returns an error.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[...]
Call Trace:
<TASK>
__kasan_check_byte (mm/kasan/common.c:573)
lock_acquire.part.0 (kernel/locking/lockdep.c:5842 (discriminator 1))
_raw_spin_lock_bh (kernel/locking/spinlock.c:182 (discriminator 1))
cleanup_prefix_route (net/ipv6/addrconf.c:1280)
ipv6_del_addr (net/ipv6/addrconf.c:1342)
inet6_addr_del.isra.0 (net/ipv6/addrconf.c:3119)
inet6_rtm_deladdr (net/ipv6/addrconf.c:4812)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6997)
netlink_rcv_skb (net/netlink/af_netlink.c:2555)
netlink_unicast (net/netlink/af_netlink.c:1344)
netlink_sendmsg (net/netlink/af_netlink.c:1899)
__sock_sendmsg (net/socket.c:802 (discriminator 4))
____sys_sendmsg (net/socket.c:2698)
___sys_sendmsg (net/socket.c:2752)
__sys_sendmsg (net/socket.c:2784)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)

Fixes: 5eb902b ("net/ipv6: Remove expired routes with a separated list of routes.")
Reported-by: Ji'an Zhou <[email protected]>
Reviewed-by: David Ahern <[email protected]>
Signed-off-by: Ido Schimmel <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Paolo Abeni <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
commit b2849bec936be642b5420801f902337f2507648e upstream.

The APICv (apic->apicv_active) can be activated or deactivated at runtime,
for instance, because of APICv inhibit reasons. Intel VMX employs different
mechanisms to virtualize LAPIC based on whether APICv is active.

When APICv is activated at runtime, GUEST_INTR_STATUS is used to configure
and report the current pending IRR and ISR states. Unless a specific vector
is explicitly included in EOI_EXIT_BITMAP, its EOI will not be trapped to
KVM. Intel VMX automatically clears the corresponding ISR bit based on the
GUEST_INTR_STATUS.SVI field.

When APICv is deactivated at runtime, the VM_ENTRY_INTR_INFO_FIELD is used
to specify the next interrupt vector to invoke upon VM-entry. The
VMX IDT_VECTORING_INFO_FIELD is used to report un-invoked vectors on
VM-exit. EOIs are always trapped to KVM, so the software can manually clear
pending ISR bits.

There are scenarios where, with APICv activated at runtime, a guest-issued
EOI may not be able to clear the pending ISR bit.

Taking vector 236 as an example, here is one scenario.

1. Suppose APICv is inactive. Vector 236 is pending in the IRR.
2. To handle KVM_REQ_EVENT, KVM moves vector 236 from the IRR to the ISR,
and configures the VM_ENTRY_INTR_INFO_FIELD via vmx_inject_irq().
3. After VM-entry, vector 236 is invoked through the guest IDT. At this
point, the data in VM_ENTRY_INTR_INFO_FIELD is no longer valid. The guest
interrupt handler for vector 236 is invoked.
4. Suppose a VM exit occurs very early in the guest interrupt handler,
before the EOI is issued.
5. Nothing is reported through the IDT_VECTORING_INFO_FIELD because
vector 236 has already been invoked in the guest.
6. Now, suppose APICv is activated. Before the next VM-entry, KVM calls
kvm_vcpu_update_apicv() to activate APICv.
7. Unfortunately, GUEST_INTR_STATUS.SVI is not configured, although
vector 236 is still pending in the ISR.
8. After VM-entry, the guest finally issues the EOI for vector 236.
However, because SVI is not configured, vector 236 is not cleared.
9. ISR is stalled forever on vector 236.

Here is another scenario.

1. Suppose APICv is inactive. Vector 236 is pending in the IRR.
2. To handle KVM_REQ_EVENT, KVM moves vector 236 from the IRR to the ISR,
and configures the VM_ENTRY_INTR_INFO_FIELD via vmx_inject_irq().
3. VM-exit occurs immediately after the next VM-entry. The vector 236 is
not invoked through the guest IDT. Instead, it is saved to the
IDT_VECTORING_INFO_FIELD during the VM-exit.
4. KVM calls kvm_queue_interrupt() to re-queue the un-invoked vector 236
into vcpu->arch.interrupt. A KVM_REQ_EVENT is requested.
5. Now, suppose APICv is activated. Before the next VM-entry, KVM calls
kvm_vcpu_update_apicv() to activate APICv.
6. Although APICv is now active, KVM still uses the legacy
VM_ENTRY_INTR_INFO_FIELD to re-inject vector 236. GUEST_INTR_STATUS.SVI is
not configured.
7. After the next VM-entry, vector 236 is invoked through the guest IDT.
Finally, an EOI occurs. However, due to the lack of GUEST_INTR_STATUS.SVI
configuration, vector 236 is not cleared from the ISR.
8. ISR is stalled forever on vector 236.

Using QEMU as an example, vector 236 is stuck in ISR forever.

(qemu) info lapic 1
dumping local APIC state for CPU 1

LVT0	 0x00010700 active-hi edge  masked                      ExtINT (vec 0)
LVT1	 0x00010400 active-hi edge  masked                      NMI
LVTPC	 0x00000400 active-hi edge                              NMI
LVTERR	 0x000000fe active-hi edge                              Fixed  (vec 254)
LVTTHMR	 0x00010000 active-hi edge  masked                      Fixed  (vec 0)
LVTT	 0x000400ec active-hi edge                 tsc-deadline Fixed  (vec 236)
Timer	 DCR=0x0 (divide by 2) initial_count = 0 current_count = 0
SPIV	 0x000001ff APIC enabled, focus=off, spurious vec 255
ICR	 0x000000fd physical edge de-assert no-shorthand
ICR2	 0x00000000 cpu 0 (X2APIC ID)
ESR	 0x00000000
ISR	 236
IRR	 37(level) 236

The issue isn't applicable to AMD SVM as KVM simply writes vmcb01 directly
irrespective of whether L1 (vmcs01) or L2 (vmcb02) is active (unlike VMX,
there is no need/cost to switch between VMCBs).  In addition,
APICV_INHIBIT_REASON_IRQWIN ensures AMD SVM AVIC is not activated until
the last interrupt is EOI'd.

Fix the bug by configuring Intel VMX GUEST_INTR_STATUS.SVI if APICv is
activated at runtime.

Signed-off-by: Dongli Zhang <[email protected]>
Reviewed-by: Chao Gao <[email protected]>
Link: https://patch.msgid.link/[email protected]
[sean: call out that SVM writes vmcb01 directly, tweak comment]
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Sean Christopherson <[email protected]>
(cherry picked from commit b2849bec936be642b5420801f902337f2507648e)
Cc: [email protected] # 6.6.x and above
Cc: Gulshan Gabel <[email protected]>
Signed-off-by: Jon Kohler <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
…g parked

[ Upstream commit bc27dbefae6ed11376d991a2921eff806ffef67c ]

Parking disp_cc_mdss_mdp_clk_src at 19.2MHz causing the EFI GOP framebuffer
to stop functioning. The EFI GOP framebuffer should keep working until
the msm display driver loads, to help with boot debugging and to ensure
display output when the msm module is not in the initramfs.

Switch disp_cc_mdss_mdp_clk_src over to clk_rcg2_shared_no_init_park_ops
to keep the EFI GOP working after binding the x1e80100-dispcc driver.

Suggested-by: Dmitry Baryshkov <[email protected]>
Signed-off-by: Hans de Goede <[email protected]>
Reviewed-by: Dmitry Baryshkov <[email protected]>
Fixes: 01a0a6c ("clk: qcom: Park shared RCGs upon registration")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Bjorn Andersson <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
[ Upstream commit 78ee734b36284d82454e87a92094fdb926985b47 ]

In the peric0_clk_regs array, the divider register offset for USI6 was
accidentally listed twice, while the divider for USI7 was omitted.

Missing this DIV register causes the USI7 clock divider setting to be
lost and reset to its hardware default value during a suspend/resume
cycle.

Replace the duplicated USI6 DIV entry with the correct USI7 DIV
register.

Fixes: 893f133 ("clk: samsung: gs101: add support for cmu_peric0")
Signed-off-by: Kuan-Wei Chiu <[email protected]>
Reviewed-by: Peter Griffin <[email protected]>
Reviewed-by: Tudor Ambarus <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Krzysztof Kozlowski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
[ Upstream commit 5285b046757844435d1db96c1b5c3a6621b2979a ]

Parking disp{0,1}_cc_mdss_mdp_clk_src clk broke simplefb on HUAWEI
Gaokun3, the image will stuck at grey for seconds until msm takes
over framebuffer. Use clk_rcg2_shared_no_init_park_ops to skip it.

Signed-off-by: Pengyu Luo <[email protected]>
Tested-by: Jérôme de Bretagne <[email protected]>
Fixes: 01a0a6c ("clk: qcom: Park shared RCGs upon registration")
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Bjorn Andersson <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
[ Upstream commit 2673cefa99ca918e7ac5b0388ff578a83656c896 ]

intel_edp_set_sink_rates() reads DP_SUPPORTED_LINK_RATES into a local
stack array and then parses the array unconditionally. If the read
fails, the array contents are not valid and may result in bogus sink
link rates being used.

Use drm_dp_dpcd_read_data() and clear the sink rate array on failure,
so the existing parser falls back to the default sink rate handling.

Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.

Fixes: 68f357c ("drm/i915/dp: generate and cache sink rate array for all DP, not just eDP 1.4")
Signed-off-by: Nikita Zhandarovich <[email protected]>
Reviewed-by: Jani Nikula <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Jani Nikula <[email protected]>
(cherry picked from commit bd61c7756b34157e093028225a69383b4b1203cc)
Signed-off-by: Tvrtko Ursulin <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
[ Upstream commit f329e8325e054bd6d84d10904f8dd51137281b92 ]

DRM atomic and modesetting aren't initialized if virtio-gpu driver built
with disabled KMS, leading to access of uninitialized data on driver
removal/unbinding and crashing kernel. Fix it by skipping shutting down
atomic core with unavailable KMS.

Fixes: 72122c6 ("drm/virtio: Add option to disable KMS support")
Signed-off-by: Dmitry Osipenko <[email protected]>
Tested-by: Ryosuke Yasuoka <[email protected]>
Reviewed-by: Ryosuke Yasuoka <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
[ Upstream commit 5d563a5da8717629ae72f9eadf1e0e340bd1658b ]

Don't just overwrite the original pointer passed to krealloc()
with its return value without checking latter:

    MEM = krealloc(MEM, SZ, GFP);

If krealloc() returns NULL, that erases the pointer
to the still allocated memory, hence leaks this memory.
Instead, use a temporary variable, check it's not NULL
and only then assign it to the original pointer:

    TMP = krealloc(MEM, SZ, GFP);
    if (!TMP) return;
    MEM = TMP;

While on it, use krealloc_array().

Fixes: 6d45c81 ("drm/vc4: Add support for branching in shader validation.")
Signed-off-by: Alexander A. Klimov <[email protected]>
Signed-off-by: Maíra Canal <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
[ Upstream commit ba36786b21d19082e696eda85bfcd49e7071944a ]

xe_range_fence_insert() acquires a reference on fence via
dma_fence_get() and stores it in rfence->fence.  It then calls
dma_fence_add_callback() and handles two cases: when the callback
is successfully registered (err == 0) the fence is transferred to
the tree for later cleanup; when the fence is already signaled
(err == -ENOENT) it manually drops the extra reference with
dma_fence_put(fence).

However, dma_fence_add_callback() can fail with other errors
(e.g. -EINVAL) and in that case the code falls through to the free:
label without releasing the acquired reference, leaking it.

Fix the leak by adding an else branch that calls dma_fence_put()
before jumping to free: for any error other than -ENOENT.

Fixes: 845f64b ("drm/xe: Introduce a range-fence utility")
Signed-off-by: Wentao Liang <[email protected]>
Reviewed-by: Matthew Brost <[email protected]>
Signed-off-by: Matthew Brost <[email protected]>
Link: https://patch.msgid.link/[email protected]
(cherry picked from commit 98c4a4201290823c2c5c7ba21692bd9a64b61021)
Signed-off-by: Matthew Brost <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
[ Upstream commit 2f41af638c92bac6f1f9275ea2d1901baef578f3 ]

aie2_populate_range() jumps back to the again label without calling
mmput(mm), leaking a reference to the mm_struct.

Add the missing mmput() before jumping to again.

Fixes: e486147 ("accel/amdxdna: Add BO import and export")
Reviewed-by: Mario Limonciello (AMD) <[email protected]>
Signed-off-by: Lizhi Hou <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.

nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
that took a reference via dst_hold() in nft_tunnel_obj_eval() and
are still queued (e.g. in a netem qdisc) are left with a dangling
pointer. When these packets are eventually dequeued, dst_release()
operates on freed memory.

Replace metadata_dst_free() with dst_release() so the metadata_dst
is freed only after all references are dropped. The dst subsystem
already handles metadata_dst cleanup in dst_destroy() when
DST_METADATA is set.

Fixes: af308b9 ("netfilter: nf_tables: add tunnel support")
Cc: [email protected]
Signed-off-by: Tristan Madani <[email protected]>
Reviewed-by: Fernando Fernandez Mancera <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit c7d573551f9286100a055ef696cde6af54549677 upstream.

NFT_META_BRI_IIFHWADDR declares its destination register with
len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
leaving the upper 2 bytes of the second register as uninitialised
nft_do_chain() stack. A downstream load of that register span leaks
those stale bytes to userspace.

Zero the second register before the memcpy so the full declared span is
written.

Fixes: cbd2257 ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
Cc: [email protected]
Signed-off-by: Davide Ornaghi <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 26682f5efc276e3ad96d102019472bfbf03833b2 upstream.

register_shm_helper() allocates shm before calling
iov_iter_npages(). If iov_iter_npages() returns 0, the function
jumps to err_ctx_put and leaks shm.

This can be triggered by TEE_IOC_SHM_REGISTER with
struct tee_ioctl_shm_register_data where length is 0.

Jump to err_free_shm instead.

Fixes: 7bdee41 ("tee: Use iov_iter to better support shared buffer registration")
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Georgiy Osokin <[email protected]>
Reviewed-by: Sumit Garg <[email protected]>
Signed-off-by: Jens Wiklander <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 5c65b96b549ea2dcfde497436bf9e048deb87758 upstream.

Existing advertising instances can already hold the maximum extended
advertising payload. When hci_adv_bcast_annoucement() prepends the
Broadcast Announcement service data to that payload, the combined data
may no longer fit in the temporary buffer used to rebuild the
advertising data.

Reject that case before copying the existing payload and report the
failure through the device log. This keeps the existing advertising
data intact and avoids overrunning the temporary buffer.

Fixes: 5725bc6 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance")
Cc: [email protected]
Reported-by: Yuan Tan <[email protected]>
Reported-by: Zhengchuan Liang <[email protected]>
Reported-by: Xin Liu <[email protected]>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Yuqi Xu <[email protected]>
Signed-off-by: Ren Wei <[email protected]>
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit dd214733544427587a95f66dbf3adff072568990 upstream.

net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
signaling packets up to the channel MTU and dispatches each command
without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
within radio range can send a fixed-channel CID 0x0001 packet that is
larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
pairing. In a real-radio stock-kernel run, one 681-byte signaling
packet containing 168 zero-length ECHO_REQ commands made the target
transmit 168 ECHO_RSP frames over about 220 ms.

Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
packet containing packed ECHO_REQ commands.

Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.

The Bluetooth Core spec wording for MTUExceeded says the reject
identifier shall match the first request command in the packet, and
that packets containing only responses shall be silently discarded.
Linux intentionally deviates from that prescription: silently
discarding desynchronizes the peer because the remote stack never
learns its responses were dropped, and locating the first request
command requires walking command headers past MTUsig, i.e. processing
bytes from a packet we have already decided is too large to process.
We therefore always emit one reject and use the identifier from the
first command header, a single fixed-offset byte read.

The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
trace to the initial git import; no later introducing commit is
available for a Fixes tag.

Cc: [email protected]
Suggested-by: Luiz Augusto von Dentz <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Link: https://lore.kernel.org/r/[email protected]
Link: https://lore.kernel.org/r/[email protected]
Assisted-by: Claude:claude-opus-4-7
Assisted-by: Codex:gpt-5-5-xhigh
Signed-off-by: Michael Bommarito <[email protected]>
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit d922113ef91e6e7e8065e9070f349365341ba32e upstream.

The current platform driver design causes probe ordering races with
consumers (UFS, eMMC) due to ICE's dependency on SCM firmware calls. If ICE
probe fails (missing ICE SCM or DT registers), devm_of_qcom_ice_get() loops
with -EPROBE_DEFER, leaving consumers non-functional even when ICE should
be gracefully disabled. devm_of_qcom_ice_get() doesn't know if the ICE
driver probe has failed due to above reasons or it is waiting for the SCM
driver.

Moreover, there is no devlink dependency between ICE and consumer drivers
as 'qcom,ice' is not considered as a DT 'supplier'. So the consumer drivers
have no idea of when the ICE driver is going to probe.

To address these issues, store the error pointer in a global xarray with
ice node phandle as a key during probe in addition to the valid ice pointer
and synchronize both qcom_ice_probe() and of_qcom_ice_get() using a mutex.

If the xarray entry is NULL, then it implies that the driver is not
probed yet, so return -EPROBE_DEFER. If it has any error pointer, return
that error pointer directly. Otherwise, add the devlink as usual and return
the valid pointer to the consumer.

Xarray is used instead of platform drvdata, since driver core frees the
drvdata during probe failure. So it cannot be used to pass the error
pointer to the consumers.

Note that this change only fixes the standalone ICE DT node bindings and
not the ones with 'ice' range embedded in the consumer nodes, where there
is no issue.

Fixes: 2afbf43 ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver")
Reported-by: Sumit Garg <[email protected]>
Tested-by: Sumit Garg <[email protected]> # OP-TEE as TZ
Acked-by: Sumit Garg <[email protected]>
Cc: [email protected] # 6.4
Signed-off-by: Manivannan Sadhasivam <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Bjorn Andersson <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
…hwpoison

commit 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e upstream.

Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can
trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock
when racing with a concurrent unmap:

  thread#0                              thread#1
  --------                              --------
  madvise(folio, MADV_HWPOISON)
    -> poisons the folio successfully
  madvise(folio, MADV_HWPOISON)         unmap(folio)
    try_memory_failure_hugetlb
      get_huge_page_for_hwpoison
        spin_lock_irq(&hugetlb_lock)    <- held
        __get_huge_page_for_hwpoison
          hugetlb_update_hwpoison()
            -> MF_HUGETLB_FOLIO_PRE_POISONED
          goto out:
            folio_put()
              refcount: 1 -> 0
              free_huge_folio()
                spin_lock_irqsave(&hugetlb_lock)
                  -> AA DEADLOCK!

The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop
the GUP reference while the hugetlb_lock is still held by the hugetlb.c
wrapper get_huge_page_for_hwpoison().  If concurrent unmap has released
the page table mapping reference, folio_put() drops the folio refcount to
zero, triggering free_huge_folio() which attempts to re-acquire the
non-recursive hugetlb_lock.

Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper
into get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the
folio_put() at the out: label so the folio is always released outside the
lock.

[[email protected]: fix race, rename label per Miaohe]
  Link: https://sashiko.dev/#/patchset/[email protected]
  Link: https://lore.kernel.org/[email protected]
Link: https://lore.kernel.org/[email protected]
Fixes: 405ce05 ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()")
Signed-off-by: Wupeng Ma <[email protected]>
Acked-by: Oscar Salvador (SUSE) <[email protected]>
Acked-by: Muchun Song <[email protected]>
Reviewed-by: Kefeng Wang <[email protected]>
Acked-by: Miaohe Lin <[email protected]>
Cc: David Hildenbrand <[email protected]>
Cc: Liam Howlett <[email protected]>
Cc: Lorenzo Stoakes <[email protected]>
Cc: Michal Hocko <[email protected]>
Cc: Mike Rapoport <[email protected]>
Cc: Naoya Horiguchi <[email protected]>
Cc: Suren Baghdasaryan <[email protected]>
Cc: Vlastimil Babka <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit dd1311bcf0e62f0c515115f46a3813370f4a4bb1 upstream.

Add validation that read and write indices in the firmware log buffer
are within valid bounds (< data_size) before using them. If
out-of-bounds indices are encountered (from firmware), clamp them to
safe values instead of proceeding with invalid offsets.

This prevents potential out-of-bounds buffer access when firmware
supplies invalid log indices.

Fixes: 1fc1251 ("accel/ivpu: Refactor functions in ivpu_fw_log.c")
Cc: [email protected] # v6.18+
Signed-off-by: Andrzej Kacprowski <[email protected]>
Reviewed-by: Karol Wachowski <[email protected]>
Signed-off-by: Karol Wachowski <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit fb176425837693f50c5c9fc8db6fbb04af22bd0a upstream.

Add validation that the info size returned from the metric stream info
query is not exceeded when checked against the allocated buffer size.
If the firmware returns a size larger than the buffer, reject the
operation with -EOVERFLOW instead of proceeding with an incorrect
buffer copy.

Fixes: cdfad4d ("accel/ivpu: Add NPU profiling support")
Cc: [email protected] # v6.18+
Signed-off-by: Andrzej Kacprowski <[email protected]>
Reviewed-by: Karol Wachowski <[email protected]>
Signed-off-by: Karol Wachowski <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit d9faef564438d1e4579c692c046603e7ada7bdf4 upstream.

Fix potential buffer overflow where firmware-supplied data_size is cast
to signed int before being used in min_t(). Large unsigned values
(>= 0x80000000) become negative, causing unsigned wraparound and
oversized memcpy operations that can overflow the stack buffer.

Change min_t(int, ...) to min() as both values are unsigned and can be
handled by min() without explicit cast.

Fixes: 3b434a3 ("accel/ivpu: Use threaded IRQ to handle JOB done messages")
Cc: [email protected] # v6.12+
Signed-off-by: Andrzej Kacprowski <[email protected]>
Reviewed-by: Karol Wachowski <[email protected]>
Signed-off-by: Karol Wachowski <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 0652a3daa78723f955b1ebeb621665ce72bec53e upstream.

The probestub is a function to allow tprobes to hook to a tracepoint to
gain access to its parameters. The function itself is only referenced by
the tracepoint structure which lives in the __tracepoint section. objtool
explicitly ignores that section and when processing functions in the
kernel, if it detects one that has no references it will seal it to have
its ENDBR stripped on boot up.

This means when a tprobe is attached to the sched_wakeup tracepoint, when it
is triggered it will call __probestub_sched_wakeup and due to the missing
ENDBR on a CFI-enabled machine it will take a #CP exception.

Fix this by adding CFI_NOSEAL annotation to probestub declaration.

Cc: [email protected]
Acked-by: Masami Hiramatsu (Google) <[email protected]>
Link: https://patch.msgid.link/[email protected]
Fixes: d5173f7 ("objtool: Exclude __tracepoints data from ENDBR checks")
Signed-off-by: Eva Kurchatova <[email protected]>
[ Updated change log ]
Signed-off-by: Steven Rostedt <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
…error

commit 85e0f27dd1396307913ffc5745b0c05137e9beac upstream.

Fix to point the error offset correctly for eprobe argument error.
In the cleanup commit 1b8b0cd ("tracing/probes: Move event parameter
fetching code to common parser"), due to incorrect backward compatibility
aimed at conforming to the test specifications, the error location was set
to 0 when a non-existent formal parameter was specified for Eprobe.
However, this should be corrected in both the test and the implementation
to point correct error position.

Link: https://lore.kernel.org/all/177967567399.209006.1451571244515632097.stgit@devnote2/

Fixes: 1b8b0cd ("tracing/probes: Move event parameter fetching code to common parser")
Cc: [email protected]
Signed-off-by: Masami Hiramatsu (Google) <[email protected]>
Reviewed-by: Steven Rostedt <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 905b06d32a52afe32fcf5f30cf298c9ea6359f11 upstream.

Starting with Rust 1.98.0 (expected 2026-08-20), the target spec will not
support `x86-softfloat` anymore [1]. Instead, `softfloat` should be used,
which is an alias. Otherwise, one gets:

    error: error loading target specification: rustc-abi: invalid rustc abi: 'x86-softfloat'. allowed values: 'x86-sse2', 'softfloat' at line 3 column 32
      |
      = help: run `rustc --print target-list` for a list of built-in targets

Thus conditionally use one or the other depending on the version.

The alias has existed since Rust 1.95.0 (released 2026-04-16) [2], but
use the newer version instead to avoid changing how the build works for
existing compilers, at least until more testing takes place.

Cc: Ralf Jung <[email protected]>
Cc: [email protected] # Needed in 6.12.y and later (Rust is pinned in older LTSs).
Link: rust-lang/rust#157151 [1]
Link: rust-lang/rust#151154 [2]
Reviewed-by: Alice Ryhl <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Miguel Ojeda <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 84a0f7caafc679f763d3868635837e22bb89651a upstream.

When KASAN is enabled, such as with allmodconfig, the build fails when
building the Rust code with:

  error: kernel-address sanitizer is not supported for this target

  error: aborting due to 1 previous error

  make[4]: *** [rust/Makefile:654: rust/core.o] Error 1

The arm-unknown-linux-gnueabi target does not support KASAN, so avoid
saying Rust is supported when it is enabled.

Cc: [email protected]
Fixes: ccb8ce5 ("ARM: 9441/1: rust: Enable Rust support for ARMv7")
Link: Rust-for-Linux/linux#1234
Signed-off-by: Nathan Chancellor <[email protected]>
Reviewed-by: Christian Schrefl <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Miguel Ojeda <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c upstream.

Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the
uwtable annotation for functions, but not for the module. This means
that compiler-generated functions such as 'asan.module_ctor' do not
receive the uwtable annotation.

When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot
failures because the dwarf information emitted for the kasan
constructors is wrong, which causes the SCS boot patching code to
patch the constructor in an illegal manner. Specifically, the paciasp
instruction is patched, but the autiasp instruction is not. This
mismatch leads to a crash when the constructor is called during boot.

	==================================================================
	BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
	Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1

Specifically the faulting instruction is the (*fn)() to invoke the
constructor in do_ctors() of the init/main.c file.

Once the fix lands in rustc, this flag can be made conditional on the
rustc version. Note that passing the flag on a rustc with the fix
present has no effect.

[ The fix [1] has landed for Rust 1.98.0 (expected release on
  2026-08-20).

  Thus add a version check as discussed.

    - Miguel ]

Fixes: d077242 ("rust: support for shadow call stack sanitizer")
Cc: [email protected]
Link: rust-lang/rust#156973 [1]
Reported-by: Bo Ye <[email protected]>
Debugged-by: Isaac Manjarres <[email protected]>
Debugged-by: Sami Tolvanen <[email protected]>
Tested-by: Isaac Manjarres <[email protected]>
Signed-off-by: Alice Ryhl <[email protected]>
Link: https://patch.msgid.link/[email protected]
[ Adjusted link and comment. - Miguel ]
Signed-off-by: Miguel Ojeda <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 4a44b17406cb5a93f90af3df9392b3a45eb336fb upstream.

The Makefile version of rustc-option currently checks whether the option
exists for the host target instead of the target actually being compiled
for. It was done this way in commit 46e24a5 ("rust: kasan/kbuild:
fix missing flags on first build") to avoid a circular dependency on
target.json. However, because of this, rustc-option currently does not
function when cross-compiling from x86_64 to aarch64 if
CONFIG_SHADOW_CALL_STACK is enabled. This is because KBUILD_RUSTFLAGS
contains -Zfixed-x18 under this configuration. Since that flag does not
exist on the host target, rustc-option runs into a compilation failure
every time, leading to all flags being rejected as unsupported.

To fix this, update rustc-option to pass a --target parameter so that
the host target is not used. For targets using target.json, use a
built-in target that is as close as possible to the target created with
target.json to avoid the circular dependency on target.json.

One scenario where this causes a boot failure:
* Cross-compiled from x86_64 to aarch64.
* With CONFIG_SHADOW_CALL_STACK=y
* With CONFIG_KASAN_SW_TAGS=y
* With CONFIG_KASAN_INLINE=n
Then the resulting kernel image will fail to boot when it first calls
into Rust code with a crash along the lines of "Unable to handle kernel
paging request at virtual address 0ffffffc08541796". This is because the
call threshold is not specified, so rustc will inline kasan operations,
but the kasan shadow offset is not specified, which leads to the inlined
kasan instructions being incorrect.

Note that the -Zsanitizer=kernel-hwaddress parameter itself does not
lead to a rustc-option failure despite being aarch64-specific because
RUSTFLAGS_KASAN has not yet been added to KBUILD_RUSTFLAGS when
rustc-option is evaluated by the kasan Makefile.

Cc: [email protected]
Fixes: 46e24a5 ("rust: kasan/kbuild: fix missing flags on first build")
Signed-off-by: Alice Ryhl <[email protected]>
Link: https://patch.msgid.link/[email protected]
[ Edited slightly:
    - Reset variable to avoid using the environment.
    - Use a simply expanded variable flavor for simplicity.
    - Export variable so that behavior in sub-`make`s is consistent.
Signed-off-by: Greg Kroah-Hartman <[email protected]>

  This matches other variables. - Miguel ]
Signed-off-by: Miguel Ojeda <[email protected]>
commit b837e38c255dd9f8b53511d52e87f1fda32b3dfe upstream.

The previous clock uses roundup_pow_of_two() to calculate the core
clock frequency. It does not meet the actual hardware meaning.
The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)".

Fix the clock divider calculation.

Fixes: 92e0991 ("mmc: Add driver for LiteX's LiteSDCard interface")
Signed-off-by: Inochi Amaoto <[email protected]>
Reviewed-by: Gabriel Somlo <[email protected]>
Cc: [email protected]
Signed-off-by: Ulf Hansson <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 48fcc895403cc97aa6c776cb65e6aa11290c0b44 upstream.

That was missed when importing the header.

Reported-by: Doru Blânzeanu <[email protected]>
Reported-by: Magnus Kulke <[email protected]>
Fixes: e68bda7 ("hyperv: Add new Hyper-V headers in include/hyperv")
Cc: [email protected]
Reviewed-by: Easwar Hariharan <[email protected]>
Signed-off-by: Wei Liu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 8618004d3e897c0f1b71d9a9ab860461289bb89a upstream.

When marking a page dirty, complain about not having a running/loaded vCPU
if and only if the VM is still alive, i.e. its refcount is non-zero.  This
will allow fixing a memory leak for x86 SEV-ES guests without hitting what
is effectively a false positive on the WARN.

For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page
across an exit to userspace, and typically unmaps the page on the next
KVM_RUN.  But if userspace never calls KVM_RUN after such an exit, then KVM
needs to unmap the page when the vCPU is destroyed, which in turn triggers
the WARN about not having a running vCPU.

Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,
as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;
suppressing WARN from nested_put_vmcs12_pages() is pure happenstance).  But
loading a vCPU during destruction is gross (ideally nVMX code would be
cleaned up), risks complicating the SEV-ES code (KVM would need to ensure
the temporarily load()+put() only runs when the vCPU isn't already loaded),
and is ultimately pointless.

The motivation for the WARN is to guard against KVM dirtying guest memory
without pushing the corresponding GFN to the active vCPU's dirty ring, e.g.
to ensure userspace doesn't miss a dirty page.  But for the VM's refcount
to reach zero, there can't be _any_ userspace mappings to the dirty ring,
as mapping the dirty ring requires doing mmap() on the vCPU FD.  I.e. if
userspace had a valid mapping for the dirty ring, then the vCPU file and
thus the owning VM would still be alive.  And so since userspace can't
possibly reach the dirty ring, whether or not KVM technically "misses" a
push to the dirty ring is irrelevant.

Reported-by: Michael Roth <[email protected]>
Cc: [email protected]
Reviewed-by: Michael Roth <[email protected]>
Signed-off-by: Sean Christopherson <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Message-ID: <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
ljskernel and others added 18 commits June 27, 2026 11:06
commit 64212ba02e66e705cabce188453ba4e61e9d7325 upstream.

It is useful to be able to designate that certain flags are 'sticky', that
is, if two VMAs are merged one with a flag of this nature and one without,
the merged VMA sets this flag.

As a result we ignore these flags for the purposes of determining VMA flag
differences between VMAs being considered for merge.

This patch therefore updates the VMA merge logic to perform this action,
with flags possessing this property being described in the VM_STICKY
bitmap.

Those flags which ought to be ignored for the purposes of VMA merge are
described in the VM_IGNORE_MERGE bitmap, which the VMA merge logic is also
updated to use.

As part of this change we place VM_SOFTDIRTY in VM_IGNORE_MERGE as it
already had this behaviour, alongside VM_STICKY as sticky flags by
implication must not disallow merge.

Ultimately it seems that we should make VM_SOFTDIRTY a sticky flag in its
own right, but this change is out of scope for this series.

The only sticky flag designated as such is VM_MAYBE_GUARD, so as a result
of this change, once the VMA flag is set upon guard region installation,
VMAs with guard ranges will now not have their merge behaviour impacted as
a result and can be freely merged with other VMAs without VM_MAYBE_GUARD
set.

Also update the comments for vma_modify_flags() to directly reference
sticky flags now we have established the concept.

We also update the VMA userland tests to account for the changes.

Link: https://lkml.kernel.org/r/22ad5269f7669d62afb42ce0c79bad70b994c58d.1763460113.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <[email protected]>
Reviewed-by: Pedro Falcato <[email protected]>
Reviewed-by: Vlastimil Babka <[email protected]>
Cc: Andrei Vagin <[email protected]>
Cc: Baolin Wang <[email protected]>
Cc: Barry Song <[email protected]>
Cc: David Hildenbrand (Red Hat) <[email protected]>
Cc: Dev Jain <[email protected]>
Cc: Jann Horn <[email protected]>
Cc: Jonathan Corbet <[email protected]>
Cc: Lance Yang <[email protected]>
Cc: Liam Howlett <[email protected]>
Cc: "Masami Hiramatsu (Google)" <[email protected]>
Cc: Mathieu Desnoyers <[email protected]>
Cc: Michal Hocko <[email protected]>
Cc: Mike Rapoport <[email protected]>
Cc: Nico Pache <[email protected]>
Cc: Ryan Roberts <[email protected]>
Cc: Steven Rostedt <[email protected]>
Cc: Suren Baghdasaryan <[email protected]>
Cc: Zi Yan <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Ahmed Elaidy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit ab04b530e7e8bd5cf9fb0c1ad20e0deee8f569ec upstream.

Gather all the VMA flags whose presence implies that page tables must be
copied on fork into a single bitmap - VM_COPY_ON_FORK - and use this
rather than specifying individual flags in vma_needs_copy().

We also add VM_MAYBE_GUARD to this list, as it being set on a VMA implies
that there may be metadata contained in the page tables (that is - guard
markers) which would will not and cannot be propagated upon fork.

This was already being done manually previously in vma_needs_copy(), but
this makes it very explicit, alongside VM_PFNMAP, VM_MIXEDMAP and
VM_UFFD_WP all of which imply the same.

Note that VM_STICKY flags ought generally to be marked VM_COPY_ON_FORK too
- because equally a flag being VM_STICKY indicates that the VMA contains
metadat that is not propagated by being faulted in - i.e.  that the VMA
metadata does not fully describe the VMA alone, and thus we must propagate
whatever metadata there is on a fork.

However, for maximum flexibility, we do not make this necessarily the case
here.

Link: https://lkml.kernel.org/r/5d41b24e7bc622cda0af92b6d558d7f4c0d1bc8c.1763460113.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <[email protected]>
Reviewed-by: Pedro Falcato <[email protected]>
Reviewed-by: Vlastimil Babka <[email protected]>
Acked-by: David Hildenbrand (Red Hat) <[email protected]>
Cc: Andrei Vagin <[email protected]>
Cc: Baolin Wang <[email protected]>
Cc: Barry Song <[email protected]>
Cc: Dev Jain <[email protected]>
Cc: Jann Horn <[email protected]>
Cc: Jonathan Corbet <[email protected]>
Cc: Lance Yang <[email protected]>
Cc: Liam Howlett <[email protected]>
Cc: "Masami Hiramatsu (Google)" <[email protected]>
Cc: Mathieu Desnoyers <[email protected]>
Cc: Michal Hocko <[email protected]>
Cc: Mike Rapoport <[email protected]>
Cc: Nico Pache <[email protected]>
Cc: Ryan Roberts <[email protected]>
Cc: Steven Rostedt <[email protected]>
Cc: Suren Baghdasaryan <[email protected]>
Cc: Zi Yan <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Ahmed Elaidy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 49e14dabed7a294427588d4b315f57fbfcab9990 upstream.

Now we have established the VM_MAYBE_GUARD flag and added the capacity to
set it atomically, do so upon MADV_GUARD_INSTALL.

The places where this flag is used currently and matter are:

* VMA merge - performed under mmap/VMA write lock, therefore excluding
  racing writes.

* /proc/$pid/smaps - can race the write, however this isn't meaningful
  as the flag write is performed at the point of the guard region being
  established, and thus an smaps reader can't reasonably expect to avoid
  races.  Due to atomicity, a reader will observe either the flag being
  set or not.  Therefore consistency will be maintained.

In all other cases the flag being set is irrelevant and atomicity
guarantees other flags will be read correctly.

Note that non-atomic updates of unrelated flags do not cause an issue with
this flag being set atomically, as writes of other flags are performed
under mmap/VMA write lock, and these atomic writes are performed under
mmap/VMA read lock, which excludes the write, avoiding RMW races.

Note that we do not encounter issues with KCSAN by adjusting this flag
atomically, as we are only updating a single bit in the flag bitmap and
therefore we do not need to annotate these changes.

We intentionally set this flag in advance of actually updating the page
tables, to ensure that any racing atomic read of this flag will only
return false prior to page tables being updated, to allow for
serialisation via page table locks.

Note that we set vma->anon_vma for anonymous mappings.  This is because
the expectation for anonymous mappings is that an anon_vma is established
should they possess any page table mappings.  This is also consistent with
what we were doing prior to this patch (unconditionally setting anon_vma
on guard region installation).

We also need to update retract_page_tables() to ensure that madvise(...,
MADV_COLLAPSE) doesn't incorrectly collapse file-backed ranges contain
guard regions.

This was previously guarded by anon_vma being set to catch MAP_PRIVATE
cases, but the introduction of VM_MAYBE_GUARD necessitates that we check
this flag instead.

We utilise vma_flag_test_atomic() to do so - we first perform an
optimistic check, then after the PTE page table lock is held, we can check
again safely, as upon guard marker install the flag is set atomically
prior to the page table lock being taken to actually apply it.

So if the initial check fails either:

* Page table retraction acquires page table lock prior to VM_MAYBE_GUARD
  being set - guard marker installation will be blocked until page table
  retraction is complete.

OR:

* Guard marker installation acquires page table lock after setting
  VM_MAYBE_GUARD, which raced and didn't pick this up in the initial
  optimistic check, blocking page table retraction until the guard regions
  are installed - the second VM_MAYBE_GUARD check will prevent page table
  retraction.

Either way we're safe.

We refactor the retraction checks into a single
file_backed_vma_is_retractable(), there doesn't seem to be any reason that
the checks were separated as before.

Note that VM_MAYBE_GUARD being set atomically remains correct as
vma_needs_copy() is invoked with the mmap and VMA write locks held,
excluding any race with madvise_guard_install().

Link: https://lkml.kernel.org/r/e9e9ce95b6ac17497de7f60fc110c7dd9e489e8d.1763460113.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <[email protected]>
Reviewed-by: Vlastimil Babka <[email protected]>
Cc: Andrei Vagin <[email protected]>
Cc: Baolin Wang <[email protected]>
Cc: Barry Song <[email protected]>
Cc: David Hildenbrand (Red Hat) <[email protected]>
Cc: Dev Jain <[email protected]>
Cc: Jann Horn <[email protected]>
Cc: Jonathan Corbet <[email protected]>
Cc: Lance Yang <[email protected]>
Cc: Liam Howlett <[email protected]>
Cc: "Masami Hiramatsu (Google)" <[email protected]>
Cc: Mathieu Desnoyers <[email protected]>
Cc: Michal Hocko <[email protected]>
Cc: Mike Rapoport <[email protected]>
Cc: Nico Pache <[email protected]>
Cc: Pedro Falcato <[email protected]>
Cc: Ryan Roberts <[email protected]>
Cc: Steven Rostedt <[email protected]>
Cc: Suren Baghdasaryan <[email protected]>
Cc: Zi Yan <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Ahmed Elaidy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 6707915e030a3258868355f989b80140c1a45bbe upstream.

Patch series "make VM_SOFTDIRTY a sticky VMA flag", v2.

Currently we set VM_SOFTDIRTY when a new mapping is set up (whether by
establishing a new VMA, or via merge) as implemented in __mmap_complete()
and do_brk_flags().

However, when performing a merge of existing mappings such as when
performing mprotect(), we may lose the VM_SOFTDIRTY flag.

Now we have the concept of making VMA flags 'sticky', that is that they
both don't prevent merge and, importantly, are propagated to merged VMAs,
this seems a sensible alternative to the existing special-casing of
VM_SOFTDIRTY.

We additionally add a self-test that demonstrates that this logic behaves
as expected.

This patch (of 2):

Currently we set VM_SOFTDIRTY when a new mapping is set up (whether by
establishing a new VMA, or via merge) as implemented in __mmap_complete()
and do_brk_flags().

However, when performing a merge of existing mappings such as when
performing mprotect(), we may lose the VM_SOFTDIRTY flag.

This is because currently we simply ignore VM_SOFTDIRTY for the purposes
of merge, so one VMA may possess the flag and another not, and whichever
happens to be the target VMA will be the one upon which the merge is
performed which may or may not have VM_SOFTDIRTY set.

Now we have the concept of 'sticky' VMA flags, let's make VM_SOFTDIRTY one
which solves this issue.

Additionally update VMA userland tests to propagate changes.

[[email protected]: update comments, per Lorenzo]
  Link: https://lkml.kernel.org/r/[email protected]
Link: https://lkml.kernel.org/r/[email protected]
Link: https://lkml.kernel.org/r/955478b5170715c895d1ef3b7f68e0cd77f76868.1763399675.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <[email protected]>
Suggested-by: Vlastimil Babka <[email protected]>
Acked-by: David Hildenbrand (Red Hat) <[email protected]>
Reviewed-by: Pedro Falcato <[email protected]>
Acked-by: Andrey Vagin <[email protected]>
Reviewed-by: Vlastimil Babka <[email protected]>
Acked-by: Cyrill Gorcunov <[email protected]>
Cc: Jann Horn <[email protected]>
Cc: Liam Howlett <[email protected]>
Cc: Michal Hocko <[email protected]>
Cc: Mike Rapoport <[email protected]>
Cc: Suren Baghdasaryan <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Ahmed Elaidy <[email protected]>
Fixes: 34228d4 ("mm: ignore VM_SOFTDIRTY on VMA merging")
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit c7ba92bcfea34f6b4afc744c3b65c8f7420fefe0 upstream.

Assert that we correctly merge VMAs containing VM_SOFTDIRTY flags now that
we correctly handle these as sticky.

In order to do so, we have to account for the fact the pagemap interface
checks soft dirty PTEs and additionally that newly merged VMAs are marked
VM_SOFTDIRTY.

We do this by using use unfaulted anon VMAs, establishing one and clearing
references on that one, before establishing another and merging the two
before checking that soft-dirty is propagated as expected.

We check that this functions correctly with mremap() and mprotect() as
sample cases, because VMA merge of adjacent newly mapped VMAs will
automatically be made soft-dirty due to existing logic which does so.

We are therefore exercising other means of merging VMAs.

Link: https://lkml.kernel.org/r/d5a0f735783fb4f30a604f570ede02ccc5e29be9.1763399675.git.ljs@kernel.org
Signed-off-by: Lorenzo Stoakes <[email protected]>
Cc: Andrey Vagin <[email protected]>
Cc: David Hildenbrand (Red Hat) <[email protected]>
Cc: Jann Horn <[email protected]>
Cc: Liam Howlett <[email protected]>
Cc: Michal Hocko <[email protected]>
Cc: Mike Rapoport <[email protected]>
Cc: Pedro Falcato <[email protected]>
Cc: Suren Baghdasaryan <[email protected]>
Cc: Vlastimil Babka <[email protected]>
Cc: Cyrill Gorcunov <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Ahmed Elaidy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 3fdd33697c2be9184668c89ba4f24a5ecbc8ec51 upstream.

dev_open() already is exported, but drivers which use the netdev
instance lock need to use netif_open() instead. netif_close() is
also already exported [1] so this completes the pairing.

This export is required for the following fbnic self tests to
avoid calling ndo_stop() and ndo_open() in favor of the
more appropriate netif_open() and netif_close() that notifies
any listeners that the interface went down to test and is now
coming back up.

Link: https://patch.msgid.link/[email protected] [1]
Signed-off-by: Mike Marciniszyn (Meta) <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Paolo Abeni <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit b84c5632c7b31f8910167075a8128cfb9e50fcfe upstream.

There is netdev_lock_ops() before the NETDEV_REGISTER notifier
in register_netdevice(), so use the non-locking functions
in net_failover_slave_register().
failover_slave_register() in failover_existing_slave_register() adds lock
and unlock ops too.

Call Trace:
 <TASK>
 __schedule+0x30d/0x7a0
 schedule+0x27/0x90
 schedule_preempt_disabled+0x15/0x30
 __mutex_lock.constprop.0+0x538/0x9e0
 __mutex_lock_slowpath+0x13/0x20
 mutex_lock+0x3b/0x50
 dev_set_mtu+0x40/0xe0
 net_failover_slave_register+0x24/0x280
 failover_slave_register+0x103/0x1b0
 failover_event+0x15e/0x210
 ? dropmon_net_event+0xac/0xe0
 notifier_call_chain+0x5e/0xe0
 raw_notifier_call_chain+0x16/0x30
 call_netdevice_notifiers_info+0x52/0xa0
 register_netdevice+0x5f4/0x7c0
 register_netdev+0x1e/0x40
 _mlx5e_probe+0xe2/0x370 [mlx5_core]
 mlx5e_probe+0x59/0x70 [mlx5_core]
 ? __pfx_mlx5e_probe+0x10/0x10 [mlx5_core]

Fixes: 4c975fd ("net: hold instance lock during NETDEV_REGISTER/UP")
Signed-off-by: Faicker Mo <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 307dc4240bd41852d9e0912921e298160db1c109 upstream.

veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield values 0-7.
If it returns a value >= 5, this causes an out-of-bounds array access.
Add a bounds check and return -EINVAL if the index is out of range.

The problem values are reserved so should never be read from the
register. Hence this is hardening against fault device, missprogramming
or bus corruption.

Assisted-by: gkh_clanker_2000
Cc: stable <[email protected]>
Signed-off-by: Sam Daly <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Reviewed-by: Javier Carrasco <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 95e8a48d7a85d4226934020e57815a3316d3a14b upstream.

ads1298_pga_settings has 7 elements but ADS1298_MASK_CH_PGA can yield
values 0-7. If it yields a value >= 7, this causes an out-of-bounds
array access. Add a bounds check and return -EINVAL if the index
is out of range.

Note that the remaining value b111 is reserved so should not be seen
in a correctly functioning system.

Assisted-by: gkh_clanker_2000
Cc: stable <[email protected]>
Cc: Jonathan Cameron <[email protected]>
Cc: David Lechner <[email protected]>
Cc: "Nuno Sá" <[email protected]>
Cc: Andy Shevchenko <[email protected]>
Signed-off-by: Sam Daly <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit d237230728c567297f2f98b425d63156ab2ed17f upstream.

The QAT driver exposes a character device (qat_adf_ctl) with IOCTLs
for device configuration, start, stop, status query and enumeration.
These IOCTLs are not part of any public uAPI header and have no known
in-tree or out-of-tree users. Device lifecycle is already managed via
sysfs.

The ioctl interface also increases the attack surface and is the
subject of a number of bug reports.

Remove the character device, the IOCTL definitions, and the related
data structures (adf_dev_status_info, adf_user_cfg_key_val,
adf_user_cfg_section, adf_user_cfg_ctl_data). Drop the now-unused
adf_cfg_user.h header and strip adf_ctl_drv.c down to the minimal
module_init/module_exit hooks for workqueue, AER, and crypto/compression
algorithm registration.

Clean up leftover dead code that was only reachable from the removed
IOCTL paths: adf_cfg_del_all(), adf_devmgr_verify_id(),
adf_devmgr_get_num_dev(), adf_devmgr_get_dev_by_id(),
adf_get_vf_real_id() and the unused ADF_CFG macros.

Additionally, drop the entry associated to QAT IOCTLs in
ioctl-number.rst.

Cc: [email protected]
Fixes: d8cba25 ("crypto: qat - Intel(R) QAT driver framework")
Reported-by: Zhi Wang <[email protected]>
Reported-by: Bin Yu <[email protected]>
Reported-by: MingYu Wang <[email protected]>
Closes: https://lore.kernel.org/all/[email protected]/
Link: https://lore.kernel.org/all/[email protected]/
Link: https://lore.kernel.org/all/[email protected]/
Link: https://lore.kernel.org/all/[email protected]/
Signed-off-by: Giovanni Cabiddu <[email protected]>
Reviewed-by: Ahsan Atta <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
…_write

commit a287620312dc6dcb9a093417a0e589bf30fcf38a upstream.

A KASAN null-ptr-deref was observed in vcs_notifier():

BUG: KASAN: null-ptr-deref in vcs_notifier+0x98/0x130
Read of size 2 at addr qmp_cmd_name: qmp_capabilities, arguments: {}

The issue is a race condition in vcs_write(). When the console_lock is
temporarily dropped (to copy data from userspace), the vc_data pointer
obtained from vcs_vc() may become stale. After re-acquiring the lock,
vcs_vc() is called again to re-validate the pointer. If the vc has been
deallocated in the meantime, vcs_vc() returns NULL, and the while loop
breaks (with written > 0). However, after the loop, vcs_scr_updated(vc)
is still called with the now-NULL vc pointer, leading to a null pointer
dereference in the notifier chain (vcs_notifier dereferences param->vc).

Fix this by adding a NULL check for vc before calling vcs_scr_updated().

Fixes: 8fb9ea6 ("vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF")
Cc: [email protected]
Signed-off-by: Yi Yang <[email protected]>
Reviewed-by: Jiri Slaby <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit b93062b6d8a1b2d9bad235cac25558a909819026 upstream.

In qcom_geni_serial_handle_rx_dma(), geni_se_rx_dma_unprep() clears
port->rx_dma_addr before SE_DMA_RX_LEN_IN is read. If the register is zero,
for example when the RX stale counter fires on an idle line, the handler
returns without calling geni_se_rx_dma_prep().

The next RX DMA interrupt then hits the !port->rx_dma_addr guard and
returns immediately, so the RX DMA buffer is never rearmed and later input
is lost.

Keep the handler on the rearm path when rx_in is zero. Warn about the
unexpected zero-length DMA completion, skip received-data handling, and
always call geni_se_rx_dma_prep().

Fixes: 2aaa43c ("tty: serial: qcom-geni-serial: add support for serial engine DMA")
Cc: [email protected]
Reviewed-by: Bartosz Golaszewski <[email protected]>
Signed-off-by: Viken Dadhaniya <[email protected]>
Link: https://patch.msgid.link/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
…tion

commit a2b8d7827f48ee54a686cb80e4a1d0ff954ec42a upstream.

If __add_memory_block() fails at xa_store() (under memory pressure for
example), device_unregister() is called, which eventually triggers
memory_block_release() with mem->altmap still set, causing a
WARN_ON(mem->altmap).  This was triggered by modifying virtio-mem driver.

Fix this by delaying the assignment of mem->altmap until after
__add_memory_block() has succeeded.

Link: https://lore.kernel.org/[email protected]
Fixes: 1a8c64e ("mm/memory_hotplug: embed vmem_altmap details in memory block")
Signed-off-by: Georgi Djakov <[email protected]>
Acked-by: Oscar Salvador (SUSE) <[email protected]>
Cc: Vishal Verma <[email protected]>
Cc: Mike Rapoport <[email protected]>
Cc: Richard Cheng <[email protected]>
Cc: David Hildenbrand <[email protected]>
Cc: Georgi Djakov <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: "Rafael J. Wysocki" <[email protected]>
Cc: <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 609ca17d869d04ba249e32cdcbf13c0b1c66f43c upstream.

smb2_check_user_session() takes a shortcut for any operation that is not
the first in a COMPOUND request: it reuses work->sess (the session bound by
the first operation) and validates only the SessionId, then returns
"valid". It never re-checks work->sess->state == SMB2_SESSION_VALID, and a
SessionId of 0xFFFFFFFFFFFFFFFF (ULLONG_MAX, the MS-SMB2 related-operation
value) skips even the id comparison. The standalone path
(ksmbd_session_lookup_all() plus the SESSION_SETUP state machine) does
enforce the VALID state; the compound branch bypasses all of it.

A SESSION_SETUP carrying only an NTLM Type-1 (NtLmNegotiate) blob publishes
a fresh SMB2_SESSION_IN_PROGRESS session whose sess->user is still NULL
(->user is assigned later, by ntlm_authenticate()). Used as operation 1 of
a COMPOUND with operation 2 = TREE_CONNECT (related, SessionId=ULLONG_MAX,
\\host\IPC$), the tree-connect then runs on that IN_PROGRESS session and
reaches ksmbd_ipc_tree_connect_request(), which dereferences
user_name(sess->user) with sess->user == NULL (transport_ipc.c:687/701/704)
-> remote NULL-pointer dereference and a kernel Oops that wedges the ksmbd
worker for all clients.

Reject any non-first compound operation that lands on a session which is
not SMB2_SESSION_VALID, mirroring the validity the standalone lookup path
enforces. SESSION_SETUP itself legitimately runs on an IN_PROGRESS session,
but it is never carried as a non-first compound operation, so multi-leg
authentication is unaffected by this check.

Fixes: 5005bcb ("ksmbd: validate session id and tree id in the compound request")
Cc: [email protected]
Signed-off-by: Gil Portnoy <[email protected]>
Acked-by: Namjae Jeon <[email protected]>
Signed-off-by: Steve French <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 7d8bf3d8f91073f4db347ed3aa6302b56107499c upstream.

syzbot reported a general protection fault in
vidtv_psi_ts_psi_write_into [1].

vidtv_mux_get_pid_ctx() can return NULL, but vidtv_mux_push_si() does
not check for this before dereferencing the returned pointer to access
the continuity counter. This leads to a general protection fault when
accessing a near-NULL address.

The root cause is that vidtv_mux_pid_ctx_init() does not check the
return value of vidtv_mux_create_pid_ctx_once() for PMT section PIDs.
If the allocation fails, the PID context is never created, but init
returns success. The subsequent vidtv_mux_push_si() call then gets
NULL from vidtv_mux_get_pid_ctx() and crashes.

Fix both the root cause (add error check in vidtv_mux_pid_ctx_init
for PMT PIDs) and add defensive NULL checks in vidtv_mux_push_si for
all vidtv_mux_get_pid_ctx() calls.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Workqueue: events vidtv_mux_tick
RIP: 0010:vidtv_psi_ts_psi_write_into+0x54a/0xbc0 drivers/media/test-drivers/vidtv/vidtv_psi.c:197
Call Trace:
 <TASK>
 vidtv_psi_table_header_write_into drivers/media/test-drivers/vidtv/vidtv_psi.c:799 [inline]
 vidtv_psi_pmt_write_into+0x3b2/0xa70 drivers/media/test-drivers/vidtv/vidtv_psi.c:1231
 vidtv_mux_push_si+0x932/0xe80 drivers/media/test-drivers/vidtv/vidtv_mux.c:196
 vidtv_mux_tick+0xe9b/0x1480 drivers/media/test-drivers/vidtv/vidtv_mux.c:408

Fixes: f90cf60 ("media: vidtv: add a bridge driver")
Cc: [email protected]
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=814c351d094f4f1a1b86
Signed-off-by: Ruslan Valiyev <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 06b41351779e9289e8785694ade9042ae85e41ea upstream.

iput() called from fuse_release_end() can Oops if the super block has
already been destroyed.  Normally this is prevented by waiting for
num_waiting to go down to zero before commencing with super block shutdown.

This only works, however, for the last submount instance, as the wait
counter is per connection, not per superblock.

Revert to using synchronous release requests for the auto_submounts case,
which is virtiofs only at this time.

Reported-by: Aurélien Bombo <[email protected]>
Reported-by: Zhihao Cheng <[email protected]>
Cc: Greg Kurz <[email protected]>
Closes: kata-containers/kata-containers#12589
Fixes: 26e5c67 ("fuse: fix livelock in synchronous file put from fuseblk workers")
Cc: [email protected]
Reviewed-by: Greg Kurz <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
commit 35e247032606f06c2f19d90a6562bc315206b7a7 upstream.

Commit ab04b530e7e8 ("mm: introduce copy-on-fork VMAs and make
VM_MAYBE_GUARD one") aggregates flags checks in vma_needs_copy(),
including VM_UFFD_WP.

However in doing so, it incorrectly performed this check against src_vma.
This check was done on the assumption that all relevant flags are copied
upon fork.

However the userfaultfd logic is very innovative in that it implements
custom logic on fork in dup_userfaultfd(), including a rather well hidden
case where lacking UFFD_FEATURE_EVENT_FORK causes VM_UFFD_WP to not be
propagated to the destination VMA.

And indeed, vma_needs_copy(), prior to this patch, did check this property
on dst_vma, not src_vma.

Since all the other relevant flags are copied on fork, we can simply fix
this by checking against dst_vma.

While we're here, we fix a comment against VM_COPY_ON_FORK (noting that it
did indeed already reference dst_vma) to make it abundantly clear that we
must check against the destination VMA.

Link: https://lkml.kernel.org/r/[email protected]
Fixes: ab04b530e7e8 ("mm: introduce copy-on-fork VMAs and make VM_MAYBE_GUARD one")
Signed-off-by: Lorenzo Stoakes <[email protected]>
Reported-by: Chris Mason <[email protected]>
Closes: https://lore.kernel.org/all/[email protected]/
Acked-by: David Hildenbrand (Red Hat) <[email protected]>
Acked-by: Pedro Falcato <[email protected]>
Cc: Liam Howlett <[email protected]>
Cc: Michal Hocko <[email protected]>
Cc: Mike Rapoport <[email protected]>
Cc: Suren Baghdasaryan <[email protected]>
Cc: Vlastimil Babka <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Tested-by: Florian Fainelli <[email protected]>
Tested-by: Brett A C Sheffield <[email protected]>
Tested-by: Peter Schneider <[email protected]>
Tested-by: Shuah Khan <[email protected]>
Tested-by: Ron Economos <[email protected]>
Tested-by: Miguel Ojeda <[email protected]>
Tested-by: Mark Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
@bugclerk

Copy link
Copy Markdown
Author

Automatic cherry-pick failed. Please resolve conflicts by running:

git reset --hard HEAD~1
git cherry-pick -x 2c98343c9b23a4f271272938c49fbf5271719996
git cherry-pick -x 07d9a0870a178843cea44cfd58c27445dc94cf5f
git cherry-pick -x f34689e7a0b3e5e16f9e2486712d7ad1814be291
git cherry-pick -x 656939c67595653fb753930a2f71096f9f2dc089
git cherry-pick -x 3a4fc3617b7ec768f08f1a5df814d98bcc7d5176
git cherry-pick -x 489f6d759fa4de7c6320161845aea8ac85a3eba9
git cherry-pick -x dda720b2928d162ad76273cd35d881bc69b71600
git cherry-pick -x 19a6a00ff50c284f3a9818882ad2be58b33b790a
git cherry-pick -x 02f5e4db57c0cdd7bac89d503b301a093a0fa95c
git cherry-pick -x 361e97d81331ca15fabf80b028b4caeb4a08862c
git cherry-pick -x e83fc4c28226be75fbc0c41f2846935ba2b5f949
git cherry-pick -x 941d7394efda5e054e2d6f3e0dd0f6a9ba19aaa3
git cherry-pick -x 07acb9798477535933bd658ac9fa85b6cb10d995
git cherry-pick -x c10c9c48b2903f41ed4c532043b0576e86228236
git cherry-pick -x dafc9f57140e66a10945127aa7433c3d715dc253
git cherry-pick -x dedc92b96dc1d8919a3bdf2495ede68922ef7ebc
git cherry-pick -x cc160ce085408ae361727682809b352ab2e8cab7
git cherry-pick -x dd77a83915b07e2b0205adb284f08b39ae31dc4b
git cherry-pick -x 8ec70c0dbdf04392a26e03e38798a373934177be
git cherry-pick -x fa598556ecef412edcb391f144b7642e18fdfd45
git cherry-pick -x 45cb105b8642c65e9be286f7058e92314efe7ea3
git cherry-pick -x 09df291fdf962040df5bf347c1d26a19920e9d00
git cherry-pick -x 592be0dc491d1e45c913cdfe7a581612de8e1fe7
git cherry-pick -x 00875811f37221b583fe3f956671622da90e9a81
git cherry-pick -x 5037b2ee1a175f74492a9281c459ade1bca88ef6
git cherry-pick -x d0f25a1755f2c15b1746379c8d9d7dfde85f58f5
git cherry-pick -x a0a4600b396b09a0788352cf6514efecc18867da
git cherry-pick -x 8bcbedce9bfaa582e3870b9e3093f88d8f437bd3
git cherry-pick -x 0864bdde152efe60a7c00c47beaa5e0d7adeb648
git cherry-pick -x 343e95c8ecc40e0738975ef4ee24c0c35e800e6b
git cherry-pick -x 196f1ee137eb4a994266e789cac6a0dc1bd916c4
git cherry-pick -x 0b79bcff7210ed5eb30fcd1346601c3808669919
git cherry-pick -x 32d4c5d328a3ff995420f4f85163e1e403f43628
git cherry-pick -x 0b38870d81ab3a04c1ab0598d9d3285f5d9d0584
git cherry-pick -x 14d2eee0193ac3cd1bf3d014373449f0b8d35d6d
git cherry-pick -x f9b38a8fbfa07f1deaf7ee1eb38fa8b21ea13990
git cherry-pick -x dd66f7f6e360ee82cd905517726f8e9091265de5
git cherry-pick -x a13ca53e47e500854a3b9ec18b5dc83acfec863e
git cherry-pick -x f96cf7bf9fbf15d7fcf0c91fec47ba8a010369ea
git cherry-pick -x 294692d3296eee3391c348d7ea6401916d27806c
git cherry-pick -x 85bd2b3afa0ae9ce9330dc08124750486ff6dddf
git cherry-pick -x 372f33ebed747d91870f57c0a2e62884a870bffa
git cherry-pick -x f46093dd22969037beb1fce2e043f3236be41c92
git cherry-pick -x 3d39da65b5c422c5e5afb7d5651b0698d060a827
git cherry-pick -x 0bbc9481f970b0b4ddb08cfa464db1cc93b74b56
git cherry-pick -x 8348567a6afb24e2c9cafe8a321162d0eebe1411
git cherry-pick -x edabfe80e34efc468abb3ae5586d71830a1ae585
git cherry-pick -x 5f5b604e1e6bde4e889199168ee80fe8306d06ad
git cherry-pick -x cb5230b6d8a0e036c7c15eb25057c8442ed2a3cc
git cherry-pick -x e99807bdcd20988557f56c8b53d5c16ee5e2006d
git cherry-pick -x 96b6e98ff12d50ed5817230c6f1188e1150d225d
git cherry-pick -x bd5e818be7964c1689fba2dad9e6bd3a827fee74
git cherry-pick -x f92a285db7ff6e598591ccbfb551be155c5f4d57
git cherry-pick -x c96786d6ff1acc1d54d9241e97767554c1dfdd5b
git cherry-pick -x 6822eed69572000a181fa4e31fceacc60918c471
git cherry-pick -x 6243a363ec9037d060cd99fcfe496743789b80e0
git cherry-pick -x da295adc9dab3c9a13ef62dad75af692490cad71
git cherry-pick -x 517720913bd3c17a52cd55a740064f68455ab88e
git cherry-pick -x 95f27fcda681021ed3906d3cae7e68b6a57a1d8e
git cherry-pick -x edaf0c955aceff3ff8743090f2254ab88f64337e
git cherry-pick -x 3b8cbba7c0ed31189c89f90be247b8973ffa79ef
git cherry-pick -x 653245266913f03fcf21cbca68eed5c197a33e52
git cherry-pick -x c0c152fc4ae6e29db387cf86d33f61735fae80b5
git cherry-pick -x f591cbc088c950f816915abf9f93714675714a37
git cherry-pick -x 7bbc11437a2024d7e006ff569333a304d8a4a2d3
git cherry-pick -x 6ea1134f1b5f0924b97d2617d762794aa2fa5e1f
git cherry-pick -x 9f21885c11ba9bd24ce746283642bf5e4902edb4
git cherry-pick -x d84ed2f9718efcfe7afae4821cefa1bcdccea970
git cherry-pick -x fcfdff42e841d246397c3756d4218c66c2b3b263
git cherry-pick -x ac2000be0cbedab32c05644f10937dbde804aff5
git cherry-pick -x 265c07c09c837621730d35f02975207a1224bf05
git cherry-pick -x ba9ad6015937a5e46ba1a31370e3efdec8abbdcc
git cherry-pick -x 1d6c2062b77be09ec15d6bf637b2e2221c4482fc
git cherry-pick -x 735dabdf21561a24d8bcae456c9c32f7f961a029
git cherry-pick -x 6f72b902c34d6c18bbb7d5a38898d5e198a4d743
git cherry-pick -x 3884976f87448e269908ae61bd5d62d54ce9c0c7
git cherry-pick -x 32138633e51e6db59e474765cf93268c92b42888
git cherry-pick -x df422fd273c96c2ee5beb80fc21adc8c70c29260
git cherry-pick -x 89b909e9704587bfecc1aab1d37e98faee03b9f9
git cherry-pick -x 2990f143ec865aa728cbe6a4bcdd324f3c1b0f0f
git cherry-pick -x 57a9c085be07f7de76b9866107d8b06a101f06ae
git cherry-pick -x 12df4cfa738aefff21756728e91056d7defb0fe6
git cherry-pick -x 56763afa013444a9d84ca1b74e4b7130942177ba
git cherry-pick -x 16f8e17184b31382076f84751db5ac51fc02733e
git cherry-pick -x b39f30c0a72fdd3a775f03ae52f5771cc908de9e
git cherry-pick -x 9fa82cf393bafc7bd7ca15c1d5cbd5b57ab9de1d
git cherry-pick -x a162a260c8c4db7501c65220e76913e8e351f823
git cherry-pick -x 6018d73137cdcb7191a62cb824a24c5625b4c6c3
git cherry-pick -x 7f59e4f72a789bcda90aff05a3dbba93dc18807d
git cherry-pick -x a3dff1e1a554c992963cae9e1c077a89c90382b4
git cherry-pick -x f35a368fee8aeabd747ce95036f90bcb3805aada
git cherry-pick -x ab61c990a87d084f5565ee70340543e3a5394697
git cherry-pick -x db752ebfdaf2c7f27cd9690ef48b616af068319c
git cherry-pick -x a388e3dfaf9538a680de5ed43a8ebb5dd45b6e53
git cherry-pick -x 89bd8215e25aa6999cc51696da418e0d422bc5e0
git cherry-pick -x 5278ccd357e0d7aeeb1e76c0f3e0e02894a9897c
git cherry-pick -x 992f121796b7ca83a5a8b93da24e971363206218
git cherry-pick -x 53e06f8a3c2b085c31bf1284e2ebcb8036e99625
git cherry-pick -x d5de9cb5355db36438edc621dde3673e3f235767
git cherry-pick -x 0a46c7a5646dd0ffb09c073f640d269d635eea96
git cherry-pick -x e0df4d9c090955c25a641f1df22593da6711a137
git cherry-pick -x 01f7d4b504580664d36faea5671cde5e3f0d8a5b
git cherry-pick -x bcb8fad90f27300add583a8371db504b766d95c7
git cherry-pick -x 4a73cacb55863ca480d8ddda752d3944ad75bbbb
git cherry-pick -x 52b8f5ef82c886f7cd24617915e4b1579ddfd001
git cherry-pick -x 1d4ec754ee3871f7e3670c67bb0298c9c5760926
git cherry-pick -x bef389a210e7dc96073c813fab3a03a5136f8b13
git cherry-pick -x cb85ef5a227b3662b88f4d849a1aad43bfe7f5ae
git cherry-pick -x 4a4d21f531ccf5bb333d99b620e0d66551f3652c
git cherry-pick -x e646b86b3b4809d6af5addc53b6fec692332104c
git cherry-pick -x 3fdcca838f9716e82641a014942fa2f5fad5640b
git cherry-pick -x c888d5198ffcdadb3a0617e6c831733dcac4c45f
git cherry-pick -x d5d37b7b72a9f96f0e0405d0099200068bec993b
git cherry-pick -x 52078596dce19ba355720238090876c8f446b2d1
git cherry-pick -x d83390b21a0225bd03fe6402b1e25c7de855c05b
git cherry-pick -x 6d48f15659395bf1381114f01be91bc68e0be46a
git cherry-pick -x 66bc00ea37fa8ec14be5a3909d067a5967ef234b
git cherry-pick -x ecc24f0a8a3027cdb74157422fe154c58cbb25f0
git cherry-pick -x c72469ac0f274bde3f0df60a4584e14a123d0aa6
git cherry-pick -x c19ff4351214f059349788e13e70e74325831ff6
git cherry-pick -x a8f91ddf67f669f547bb9fb559738da6f8ee2cf3
git cherry-pick -x c677b13671dc5195114aa25da85b29186fd80399
git cherry-pick -x 7f8007be13e6cc1e0a508fe461f9a91ba9a28b8c
git cherry-pick -x 2f72d36f8accd53f9e09e27325826f219e70d820
git cherry-pick -x 535ff092b68601547ec211c644c3fe6de430942d
git cherry-pick -x 0aecf3c7b8f821287c967aeefc93be44911348ad
git cherry-pick -x 0d11992d1898b49bc56c33780d612d2fecb72329
git cherry-pick -x ddcf84b25af0b08b99c27bd5e7104ea4afd86c57
git cherry-pick -x 54f9cdcd731181dc402770373dee2810f42dfd82
git cherry-pick -x 1bf84f4013fac894dd058f84cc534f8ad461e003
git cherry-pick -x 566c4c1244de50fbff1f89ff93c9d7b0fc256db4
git cherry-pick -x 78c4f964b2f94e405721c093773f6250e1e676b2
git cherry-pick -x d5ea0b3e261fcb2cfff142675516165244cab1da
git cherry-pick -x 2e0ddac549ebd713eb9f4a15b6496e3440a17d8b
git cherry-pick -x 60ba6217460792356a238299edd675d91d46bab4
git cherry-pick -x fcbd0cdab92838854a5818be7ed8a097164ef6d5
git cherry-pick -x 46da5c3ea011e884028a91cf913db093920a915b
git cherry-pick -x b5daa920f44cb582272fc9bfaeb67408776cbaef
git cherry-pick -x 6890bd2451a9e994f9a49f6e4a56770df8d6ed57
git cherry-pick -x d6cb003e4661f9bd5321a047c01ae1761412a0f6
git cherry-pick -x 3bb2ac834ed391f15731547bcc8b8df12ce7a521
git cherry-pick -x 24ec89123fc9d0d24ce719dcf7fd6c57e5b0d753
git cherry-pick -x dd8e1025a84e0b556fa17b16e71ad3159c0ca3f2
git cherry-pick -x 5204cd22c1c7f5dc82f557a5231786eca3ae8fde
git cherry-pick -x 8f4b371f4939361926ec3f7eaa27ec87565b0374
git cherry-pick -x 9f0d45d509b434c54da10e01f4ef8086e4583401
git cherry-pick -x c0639ede2f24ac224b2079cd35ecd5fd8ad4e3cd
git cherry-pick -x 72e259a32084c42816152c346096d2edd4213e23
git cherry-pick -x d3efcadfe3eea5b4263b8f2d4463b15c9fc46a64
git cherry-pick -x 0f68ddfaaebfbb5581ee931779757d31f4dc9e24
git cherry-pick -x 4c10fd55187aaf7882bbb281ca37d6729198821e
git cherry-pick -x 11e9bdf8824b9e4e3c06d532c2663edb797c06f0
git cherry-pick -x 3e1947573140a57119294f0bff39ee18d93f23e1
git cherry-pick -x 90b629269088a9fe24a02c032be9f08357f47873
git cherry-pick -x 9655b56b6de918e1c22b92f3880ae41b052cbd00
git cherry-pick -x 68455b117258243e73b9697d15a570158ad93e1c
git cherry-pick -x fcd51a085e9a0d01315606e9d2dad1732563faf2
git cherry-pick -x 39b5397bf8de2c5f110a0599707a7b1e0dbc6bf3
git cherry-pick -x 8979ded4d8997cdaba94a6c58be2ad069c720ee8
git cherry-pick -x 932642791cb1513118847370f4cbe09d69400eed
git cherry-pick -x 57607fe55e6d598bc58c15d1143ba7a266b17103
git cherry-pick -x 0e56f460bddb397fa9a8e6faf7ae7eaa86953eb1
git cherry-pick -x 1906064d50d194a145486e5caf3db3e708b6f6ef
git cherry-pick -x 3f32d52ec604c659725d865cf8cc6a17a33f9c6a
git cherry-pick -x c000da79df787097abdfb1cb4bf94af8151a566a
git cherry-pick -x bb6f705b73b5f191f14ad004e2c8c4b615806187
git cherry-pick -x 454d3b3d499c18373f8960d31aea48338a3ca9e0
git cherry-pick -x e09689286385a66311ac6922af95339d7a3cef8d
git cherry-pick -x 20a93e397abe850c49b6fa0e8cc827b5f634a8f5
git cherry-pick -x 17faa39ba9808fbfcc86de55703cd8b16e58e8a6
git cherry-pick -x 4dac39a4db146921e1d466e58d4349767945e4c5
git cherry-pick -x 37c059d4d92ff0a0160845e5cbe528ab2361c5f6
git cherry-pick -x 0ffcad63b19a1cadb475c9f405a93607fdcd0d7c
git cherry-pick -x ceddd32231dd1f7473f4a4ce96bce04f6db59333
git cherry-pick -x 5f3286ca5fbb3579135c5d9ec73a6a819feec140
git cherry-pick -x f58efaf9fcf7cb48d87356ef45331274a8a1c10c
git cherry-pick -x 2904e985a2917b5dac65df82733065e78a65fc9d
git cherry-pick -x 84d8f58cf28a0415413f43ba7148f7bacd4c1b6e
git cherry-pick -x ebf22feff4921af7ac21d191396455283adb7dc2
git cherry-pick -x cd26d54bfbc2ff093a28dcbde5ff044d9086e4db
git cherry-pick -x afd35fec9297195b759078745549c2671223f24f
git cherry-pick -x cdce1e797addab72393c0dfee31aaca41ef7d937
git cherry-pick -x 9bdc637fde66b63d6cad0caacd034888bb7bf5f5
git cherry-pick -x eca6743b148a8c67c9352d578b3df14bd51fa8a1
git cherry-pick -x e9ea7cb17677ce4ad60863c98e4bb8655fb1b903
git cherry-pick -x 8097f93f9b773cd7f5e8f75625870f17bdf17452
git cherry-pick -x d4fd4282204044fdedd1e42abbe70a9206f74ec0
git cherry-pick -x 99abe00c605ea9217225806c23ad8b89633c32b7
git cherry-pick -x 7b569b3a2f295db7b76ad85cd14aeea1cb0704cb
git cherry-pick -x 36a0faaa4e3d2dc15cf98ac9467542c64ed85b4c
git cherry-pick -x f455405e320773a88ef23df89eceea2433d6cc99
git cherry-pick -x bf7a9cacd95e72bf1b48767474c31324c39982f9
git cherry-pick -x 5d634afb8b83b49de562792fd0d047416a43bd4d
git cherry-pick -x 275d294b2b24abcd65452198551cd8a5b8d4f775
git cherry-pick -x b6099150949f822999b5e989db1ad66e7850d925
git cherry-pick -x 29706ac73f93b72f84deea32dd48aa88f5615538
git cherry-pick -x af2892249d982a1c036ca456cc135374e68b6677
git cherry-pick -x 95f9eb19d5e65f7c32276f2bd77265c3f60727a6
git cherry-pick -x a460935022f512e167b4c5d4c12d85f89ba6aabd
git cherry-pick -x 9cd2087cd7026995c8a8e2c768198ed1de6eb011
git cherry-pick -x 3a408cae608d9c075dd3a9e5cfc03b3cb0726863
git cherry-pick -x 44b8b03a9fb5c575548fc72c674653d6baba142a
git cherry-pick -x e2b143df29003d2704b51f62e9297006953dbacb
git cherry-pick -x 5f4d2bd028ebb6e4c09a9d64842546022321d4a7
git cherry-pick -x 8b17adf6d4fb6bf61fa4c3f58366a7c082799a71
git cherry-pick -x 53483a9f4ee9eeb18aa866ec16cce79e136987e1
git cherry-pick -x 19b3691ec94023aa9953376c48ac84f9aca2c7c1
git cherry-pick -x 7dac298524b415dc26e07f603caf67ac4eaec1fb
git cherry-pick -x fe8cbcc3e79d458d7867009247645a50ea988191
git cherry-pick -x 940f39e153323589b3b55026f7b2dc221b6c44d8
git cherry-pick -x 270ef709257eb65c415973b7d7f40daca363ec13
git cherry-pick -x 1d94857c11d607ff68496866c5c90604f1aa1d8a
git cherry-pick -x 19139026dc1c0a958798fe7b1c26f4cd479b706e
git cherry-pick -x c98cc00c2d3b17d849e0ba806e5740c7e0b6b138
git cherry-pick -x ab849a6972c99e8a83ca92fbe463d782118e39f8
git cherry-pick -x ce27bcdd857a98c9069703a209cbe7fc4c2587ba
git cherry-pick -x c794d35f73a7bc3d77224ccc6395c26f49f51752
git cherry-pick -x 74cbe94c913a4a3e069c0a82d8185586f0c37976
git cherry-pick -x c31a0fa15a4b4c07130ca5bd1ac222b2541ab011
git cherry-pick -x 9e8fc2195f8b5a79af184a4dc3d22c84395a8ce9
git cherry-pick -x 395b6573b389f44473b68285a36020a37a4025c2
git cherry-pick -x 9477cbc5107a8dc31d54f199338449358621d569
git cherry-pick -x bde74af8d4466213007bdd42cc85fa72c861dea7
git cherry-pick -x 072bbd2846d1b7f1c9c95d10ae142b9b786a60e9
git cherry-pick -x 02ac3ba41628ab0c454b7d05b4bc20c011b32783
git cherry-pick -x eee6be6ab63755f7847ce22288f7d722fda419d1
git cherry-pick -x 0de7db2eb27e82b983157016fa604b1ba664ae5f
git cherry-pick -x efce8a486bffcbad9897b059f05a01b8f25197ea
git cherry-pick -x bdeadba743375699b580dff218611d50dab07ba8
git cherry-pick -x a093c80a1f139425c7cf186b91e5ed5c7b27d98e
git cherry-pick -x 05cdec24a858967c7dc768f6b66a71f61f5ed1ee
git cherry-pick -x 3d6cb2ed06f7f3c7b3d05a7d77e4b2c4a3dd930b
git cherry-pick -x b836839c1fd94f9fc7ccdce153844fa26116ccc0
git cherry-pick -x f563ce913a8315bd722c1540a8743a0d12d95d4d
git cherry-pick -x cc1494fd6c65de588d6478811ffc05445ee81ee8
git cherry-pick -x c5b3871b567c24642c3a0408794c29783e986207
git cherry-pick -x 76db05493184641855d3236e694fb5e455d18d0f
git cherry-pick -x 0a89002737ee34decc20fa232204dbe5fe83e0de
git cherry-pick -x d08d82d83ed45fd8c001a9df66ad7ebb86c9d6c6
git cherry-pick -x b8ebf008696de1ec08c90d51f94d7e40bd448be1
git cherry-pick -x 7cc3dd79777f6ae4625ec37e84dd18a26dc88bde
git cherry-pick -x 50b72074c5e8d6fe7d8c39c71277dba6d3ac225c
git cherry-pick -x 6c25bf4e44a2b6a14332f952bba0974521f5b72d
git cherry-pick -x 7cad3ceaf679c55bc9946685dacafce78ce6b51a
git cherry-pick -x f965cf22dda7f512f4922415894c3e528269a4ae
git cherry-pick -x 2abfd3ffbd9452f72535d96ff3982b3ab1f8f2f9
git cherry-pick -x 71003a32bef546b6e31aaa40db621846dbc98582
git cherry-pick -x 0c503cf3dde2e53614f05261ece12f9d3d4c3c20
git cherry-pick -x 01f922226fcde71dc2daf46d198f7ceb86395348
git cherry-pick -x dc2df10a5f5d1932315223743a65dd395b0cb73e

If the original PR was merged via a squash, you can just cherry-pick the squashed commit:

git reset --hard HEAD~1
git cherry-pick -x a68977853eb4ba9494ba84da6dcd4b19193ef41a

@bugclerk

Copy link
Copy Markdown
Author

ixhamza added 2 commits June 29, 2026 22:55
This is the 6.18.37 stable release

Signed-off-by: Ameer Hamza <[email protected]>
@ixhamza ixhamza force-pushed the NAS-141587-26.0.0-RC.1 branch from f43973a to d8af301 Compare June 29, 2026 17:56
@ixhamza ixhamza marked this pull request as ready for review June 29, 2026 17:57
@creatorcary creatorcary merged commit 189b2cb into stable/26 Jun 29, 2026
6 checks passed
@creatorcary creatorcary deleted the NAS-141587-26.0.0-RC.1 branch June 29, 2026 18:04
@bugclerk

Copy link
Copy Markdown
Author

This PR has been merged and conversations have been locked.
If you would like to discuss more about this issue please use our forums or raise a Jira ticket.

@truenas truenas locked as resolved and limited conversation to collaborators Jun 29, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.