commit 974f10de17c41939dc9fd3c83984c4835335d0cb Author: Alexandre Frade Date: Tue Oct 7 00:23:21 2025 +0000 Linux 6.17.1-xanmod1 Signed-off-by: Alexandre Frade commit 030364a7003383895ee2500a1b607371d2230c69 Merge: 66d7c0911236 4a245d5610b1 Author: Alexandre Frade Date: Tue Oct 7 00:22:40 2025 +0000 Merge tag 'v6.17.1' into 6.17 This is the 6.17.1 stable release commit 66d7c091123638475bad66c43079e6311b6dafd7 Author: Alexandre Frade Date: Mon Oct 6 20:11:48 2025 +0000 Linux 6.17.0-xanmod1 Signed-off-by: Alexandre Frade commit abb144ed6b606488e3e2b63aac1ea098f513d555 Author: Alexandre Frade Date: Tue Jul 29 01:01:08 2025 +0000 XANMOD: .gitlab-ci: Add gitlab-ci.yml file Signed-off-by: Alexandre Frade commit 35dd6dce5c3727e27b7929495154ddd41b921081 Author: Serge Hallyn Date: Fri May 31 19:12:12 2013 +0100 sysctl: add sysctl to disallow unprivileged CLONE_NEWUSER by default add sysctl to disallow unprivileged CLONE_NEWUSER by default This is a short-term patch. Unprivileged use of CLONE_NEWUSER is certainly an intended feature of user namespaces. However for at least saucy we want to make sure that, if any security issues are found, we have a fail-safe. Signed-off-by: Serge Hallyn [bwh: Remove unneeded binary sysctl bits] [bwh: Keep this sysctl, but change the default to enabled] Signed-off-by: Alexandre Frade commit 64643216119015fcfa00e628970870f06566f780 Author: Mark Weiman Date: Sun Aug 12 11:36:21 2018 -0400 PCI: Enable overrides for missing ACS capabilities This an updated version of Alex Williamson's patch from: https://lkml.org/lkml/2013/5/30/513 Original commit message follows: PCIe ACS (Access Control Services) is the PCIe 2.0+ feature that allows us to control whether transactions are allowed to be redirected in various subnodes of a PCIe topology. For instance, if two endpoints are below a root port or downsteam switch port, the downstream port may optionally redirect transactions between the devices, bypassing upstream devices. The same can happen internally on multifunction devices. The transaction may never be visible to the upstream devices. One upstream device that we particularly care about is the IOMMU. If a redirection occurs in the topology below the IOMMU, then the IOMMU cannot provide isolation between devices. This is why the PCIe spec encourages topologies to include ACS support. Without it, we have to assume peer-to-peer DMA within a hierarchy can bypass IOMMU isolation. Unfortunately, far too many topologies do not support ACS to make this a steadfast requirement. Even the latest chipsets from Intel are only sporadically supporting ACS. We have trouble getting interconnect vendors to include the PCIe spec required PCIe capability, let alone suggested features. Therefore, we need to add some flexibility. The pcie_acs_override= boot option lets users opt-in specific devices or sets of devices to assume ACS support. The "downstream" option assumes full ACS support on root ports and downstream switch ports. The "multifunction" option assumes the subset of ACS features available on multifunction endpoints and upstream switch ports are supported. The "id:nnnn:nnnn" option enables ACS support on devices matching the provided vendor and device IDs, allowing more strategic ACS overrides. These options may be combined in any order. A maximum of 16 id specific overrides are available. It's suggested to use the most limited set of options necessary to avoid completely disabling ACS across the topology. Note to hardware vendors, we have facilities to permanently quirk specific devices which enforce isolation but not provide an ACS capability. Please contact me to have your devices added and save your customers the hassle of this boot option. Rebased-by: Alexandre Frade Signed-off-by: Mark Weiman Signed-off-by: Alexandre Frade commit a37399888d73579f3468b6a0942e1659424e0a8a Author: Paolo Pisati Date: Tue Jan 23 16:33:16 2024 +0100 file: export file_close_fd() instead of close_fd_get_file() Following the refactor done in: commit a88c955fcfb49727d0ed86b47410f6555a8e69e4 Author: Christian Brauner Date: Thu Nov 30 13:49:07 2023 +0100 file: s/close_fd_get_file()/file_close_fd()/g update the export directive we added in: commit 17f7fa4baad268cc4a93205747222be931699788 Author: Christian Brauner Date: Wed Jan 16 23:13:25 2019 +0100 UBUNTU: SAUCE: binder: turn into module Anbox probably needs a review too. Signed-off-by: Paolo Pisati Signed-off-by: Alexandre Frade commit 1f97ec7c11dd562b4ffeaf2c85b81b6d55023191 Author: Andrea Righi Date: Fri Dec 17 11:14:24 2021 +0100 wait: allow to use __wake_up_pollfree() from GPL modules commit ebafbcf7f32d ("UBUNTU: SAUCE: binder: turn into module") is changing binder to be a module, but __wake_up_pollfree() can only be used internally by the kernel. Make __wake_up_pollfree an EXPORT_SYMBOL_GPL so that it can be used by the binder module. Signed-off-by: Andrea Righi Signed-off-by: Alexandre Frade commit b989cdcdf53834c71546a3a98d4042ac786f27b5 Author: Christian Brauner Date: Wed Jan 23 21:54:23 2019 +0100 binder: give binder_alloc its own debug mask file Currently both binder.c and binder_alloc.c both register the /sys/module/binder_linux/paramters/debug_mask file which leads to conflicts in sysfs. This commit gives binder_alloc.c its own /sys/module/binder_linux/paramters/alloc_debug_mask file. Signed-off-by: Christian Brauner Signed-off-by: Seth Forshee Signed-off-by: Alexandre Frade commit 5634d22ae27d1cf32e0c33d288921fc8684fb56b Author: Christian Brauner Date: Wed Jan 16 23:13:25 2019 +0100 binder: turn into module The Android binder driver needs to become a module for the sake of shipping Anbox. To do this we need to export the following functions since binder is currently still using them: - security_binder_set_context_mgr() - security_binder_transaction() - security_binder_transfer_binder() - security_binder_transfer_file() - can_nice() - __close_fd_get_file() - mmput_async() - task_work_add() - map_kernel_range_noflush() - get_vm_area() - zap_page_range_single() - put_ipc_ns() - get_ipc_ns_exported() - show_init_ipc_ns() Signed-off-by: Christian Brauner [ saf: fix additional reference to init_ipc_ns from 5.0-rc6 ] Signed-off-by: Seth Forshee [ arighi: fix EXPORT_SYMBOL vs EXPORT_SYMBOL_GPL change from 6.0-rc5 ] [ arighi: zap_page_range() has been dropped, export zap_page_range_single() in 6.3 ] Signed-off-by: Andrea Righi [ ppisati: export list_lru_add, list_lru_del, lock_vma_under_rcu] Signed-off-by: Paolo Pisati [ tjaalton: selftests got converted to KUnit ] Signed-off-by: Timo Aaltonen Signed-off-by: Alexandre Frade commit 8011dba3a3ae56c03fd9b3dc02ac5b2505544001 Author: Andrey Smirnov Date: Sun Sep 24 15:02:33 2023 -0700 mfd: steamdeck: Expose controller board power in sysfs As of version 118 Deck's BIOS implements "SCBP" method that allows gating power of the controller board (VBUS). Add a basic WO method to our root MFD device to allow toggling that. Signed-off-by: Andrey Smirnov (cherry picked from commit f97f32718acc10cbb51fef925842392e80904d74) Signed-off-by: Cristian Ciocaltea Signed-off-by: Alexandre Frade commit 1f7bac3cb8cd68e2b519a103168718cf78e99adc Author: Andrey Smirnov Date: Sat Feb 19 16:08:36 2022 -0800 mfd: Add MFD core driver for Steam Deck Add MFD core driver for Steam Deck. Doesn't really do much so far besides instantiating a number of MFD cells that implement all the interesting functionality. (cherry picked from commit 5f534c2d6ebdefccb9c024eb0f013bc1c0c622d9) Signed-off-by: Cristian Ciocaltea Signed-off-by: Alexandre Frade commit e2c2bc636774fbd652f3bf23ae3e09a520487252 Author: Andrey Smirnov Date: Sun Feb 27 12:58:05 2022 -0800 leds: steamdeck: Add support for Steam Deck LED (cherry picked from commit 85a86d19aa7022ff0555023d53aef78323a42d0c) Signed-off-by: Cristian Ciocaltea Signed-off-by: Alexandre Frade commit 2cb3129c5ccf5fe32e8c89bd875047e6c6ac86f2 Author: Andrey Smirnov Date: Sat Jul 15 12:58:54 2023 -0700 hwmon: steamdeck-hwmon: Add support for max battery level/rate Add support for max battery level/charge rate attributes. Signed-off-by: Andrey Smirnov (cherry picked from commit 50af83e8fd75dc52221edd3fb6fd7a7f70c4d8a4) Signed-off-by: Cristian Ciocaltea Signed-off-by: Alexandre Frade commit 59ce014858a5e7febd590cbcdbb7d7452c8c2d22 Author: Andrey Smirnov Date: Sat Feb 19 16:09:45 2022 -0800 hwmon: Add driver for Steam Deck's EC sensors Add driver for sensors exposed by EC firmware on Steam Deck hardware. (cherry picked from commit 6917aac77bee6185ae3920b936cdbe7876118c0b) Signed-off-by: Cristian Ciocaltea Signed-off-by: Alexandre Frade commit ef6d29caa3452d65d426f020a8fb79a5ac483a8a Author: Andrey Smirnov Date: Sun Feb 27 14:46:08 2022 -0800 extcon: Add driver for Steam Deck (cherry picked from commit f9f2eddae582ae39d5f89c1218448fc259b90aa8) Signed-off-by: Cristian Ciocaltea Signed-off-by: Alexandre Frade commit d441c4b47611407132f46faaba29375a86adab82 Author: Felix Fietkau Date: Tue Feb 20 15:56:02 2018 +0100 netfilter: add xt_FLOWOFFLOAD target Signed-off-by: Felix Fietkau Signed-off-by: Alexandre Frade commit 7eb773aa4232cbe74f671e0d6ac6a6a6c4f20aa4 Author: Alexandre Frade Date: Mon Feb 27 01:38:18 2023 +0000 netfilter: Add netfilter nf_tables fullcone support Signed-off-by: Syrone Wong Signed-off-by: Alexandre Frade commit 744c6c9db04e808aa84080237009e20e131525ae Author: mfreemon@cloudflare.com Date: Tue Mar 1 17:06:02 2022 -0600 tcp: Add a sysctl to skip tcp collapse processing when the receive buffer is full For context and additional information about this patch, see the blog post at https://blog.cloudflare.com/optimizing-tcp-for-high-throughput-and-low-latency/ sysctl: net.ipv4.tcp_collapse_max_bytes If tcp_collapse_max_bytes is non-zero, attempt to collapse the queue to free up memory if the current amount of memory allocated is less than tcp_collapse_max_bytes. Otherwise, the packet is dropped without attempting to collapse the queue. If tcp_collapse_max_bytes is zero, this feature is disabled and the default Linux behavior is used. The default Linux behavior is to always perform the attempt to collapse the queue to free up memory. When the receive queue is small, we want to collapse the queue. There are two reasons for this: (a) the latency of performing the collapse will be small on a small queue, and (b) we want to avoid sending a congestion signal (via a packet drop) to the sender when the receive queue is small. The result is that we avoid latency spikes caused by the time it takes to perform the collapse logic when the receive queue is large and full, while preserving existing behavior and performance for all other cases. Signed-off-by: Alexandre Frade commit 73b2b04de7004f8feabd52a7d96dafada6e38894 Author: Oleksandr Natalenko Date: Sun Aug 10 19:46:18 2025 +0200 tcp_bbr: v3: update TCP 'bbr' congestion control module to BBRv3 Original patchset Link: https://github.com/google/bbr/tree/v3 Signed-off-by: Oleksandr Natalenko Signed-off-by: Alexandre Frade commit b245778dc189153dbcaf62ba416ae8087d9c4874 Author: Steven Barrett Date: Sat May 21 15:15:09 2022 -0500 ZEN: dm-crypt: Disable workqueues for crypto ops Queueing in dm-crypt for crypto operations reduces performance on modern systems. As discussed in an article from Cloudflare, they discovered that queuing was introduced because the crypto subsystem used to be synchronous. Since it's now asynchronous, we get double queueing when using the subsystem through dm-crypt. This is obviously undesirable and reduces throughput and increases latency. Fixes: https://github.com/zen-kernel/zen-kernel/issues/282 Signed-off-by: Alexandre Frade commit dbdb396e7cecbd3a812794268b06352617c4d1e3 Author: Kenny Levinsen Date: Sun Dec 27 14:43:13 2020 +0000 ZEN: input/evdev: Use call_rcu when detaching client Significant time was spent on synchronize_rcu in evdev_detach_client when applications closed evdev devices. Switching VT away from a graphical environment commonly leads to mass input device closures, which could lead to noticable delays on systems with many input devices. Replace synchronize_rcu with call_rcu, deferring reclaim of the evdev client struct till after the RCU grace period instead of blocking the calling application. While this does not solve all slow evdev fd closures, it takes care of a good portion of them, including this simple test: #include #include int main(int argc, char *argv[]) { int idx, fd; const char *path = "/dev/input/event0"; for (idx = 0; idx < 1000; idx++) { if ((fd = open(path, O_RDWR)) == -1) { return -1; } close(fd); } return 0; } Time to completion of above test when run locally: Before: 0m27.111s After: 0m0.018s Signed-off-by: Kenny Levinsen Signed-off-by: Alexandre Frade commit 5138545fa8ad459906a42b407322a3b0e563bd90 Author: Arjan van de Ven Date: Thu Jun 2 23:36:32 2016 -0500 drivers: initialize ata before graphics ATA init is the long pole in the boot process, and its asynchronous. move the graphics init after it so that ata and graphics initialize in parallel Signed-off-by: Alexandre Frade commit 2cb3659705ffd436b7e9824092be97f17aef5a12 Author: Arjan van de Ven Date: Sun Feb 18 23:35:41 2018 +0000 locking: rwsem: spin faster tweak rwsem owner spinning a bit Signed-off-by: Alexandre Frade commit e55c7e519eb283a3354d1b6bd2106dd1edfe16c7 Author: William Douglas Date: Wed Jun 20 17:23:21 2018 +0000 firmware: Enable stateless firmware loading Prefer the order of specific version before generic and /etc before /lib to enable the user to give specific overrides for generic firmware and distribution firmware. Signed-off-by: Alexandre Frade commit d8cc8f3e9538d703463bcd6257d245e31e8cb833 Author: Arjan van de Ven Date: Thu Dec 13 01:00:49 2018 +0000 sched/wait: Do accept() in LIFO order for cache efficiency Signed-off-by: Alexandre Frade commit 5ec1377ea016113269b620aa7fca9cf9b11a5c9c Author: Alexandre Frade Date: Mon Jul 28 20:00:15 2025 +0000 XANMOD: Makefile: Move x86 instruction set selection to kernel-wide build Signed-off-by: Alexandre Frade commit d2c711798959e913b0757b88ea9322757fdb4db4 Author: graysky Date: Mon Jul 28 18:42:09 2025 +0000 x86/kconfig: more x86-64 ISA levels and uarches FEATURES This patch adds additional tunings via new x86-64 ISA levels and more micro-architecture options to the Linux kernel in three classes. 1. New generic x86-64 ISA levels These are selectable under: Processor type and features ---> x86-64 compiler ISA level • x86-64 A value of (1) is the default • x86-64-v2 A value of (2) brings support for vector instructions up to Streaming SIMD Extensions 4.2 (SSE4.2) and Supplemental Streaming SIMD Extensions 3 (SSSE3), the POPCNT instruction, and CMPXCHG16B. • x86-64-v3 A value of (3) adds vector instructions up to AVX2, MOVBE, and additional bit-manipulation instructions. There is also x86-64-v4 but including this makes little sense as the kernel does not use any of the AVX512 instructions anyway. Users of glibc 2.33 and above can see which level is supported by running: /lib/ld-linux-x86-64.so.2 --help | grep supported Or /lib64/ld-linux-x86-64.so.2 --help | grep supported 2. New micro-architectures These are selectable under: Processor type and features ---> Processor family • AMD Improved K8-family • AMD K10-family • AMD Family 10h (Barcelona) • AMD Family 14h (Bobcat) • AMD Family 16h (Jaguar) • AMD Family 15h (Bulldozer) • AMD Family 15h (Piledriver) • AMD Family 15h (Steamroller) • AMD Family 15h (Excavator) • AMD Family 17h (Zen) • AMD Family 17h (Zen 2) • AMD Family 19h (Zen 3)** • AMD Family 19h (Zen 4)‡ • AMD Family 1Ah (Zen 5)§ • Intel Silvermont low-power processors • Intel Goldmont low-power processors (Apollo Lake and Denverton) • Intel Goldmont Plus low-power processors (Gemini Lake) • Intel 1st Gen Core i3/i5/i7 (Nehalem) • Intel 1.5 Gen Core i3/i5/i7 (Westmere) • Intel 2nd Gen Core i3/i5/i7 (Sandybridge) • Intel 3rd Gen Core i3/i5/i7 (Ivybridge) • Intel 4th Gen Core i3/i5/i7 (Haswell) • Intel 5th Gen Core i3/i5/i7 (Broadwell) • Intel 6th Gen Core i3/i5/i7 (Skylake) • Intel 6th Gen Core i7/i9 (Skylake X) • Intel 8th Gen Core i3/i5/i7 (Cannon Lake) • Intel 10th Gen Core i7/i9 (Ice Lake) • Intel Xeon (Cascade Lake) • Intel Xeon (Cooper Lake)* • Intel 3rd Gen 10nm++ i3/i5/i7/i9-family (Tiger Lake)* • Intel 4th Gen 10nm++ Xeon (Sapphire Rapids)† • Intel 11th Gen i3/i5/i7/i9-family (Rocket Lake)† • Intel 12th Gen i3/i5/i7/i9-family (Alder Lake)† • Intel 13th Gen i3/i5/i7/i9-family (Raptor Lake)‡ • Intel 14th Gen i3/i5/i7/i9-family (Meteor Lake)‡ • Intel 5th Gen 10nm++ Xeon (Emerald Rapids)‡ Notes: If not otherwise noted, gcc >=9.1 is required for support. *Requires gcc >=10.1 or clang >=10.0 **Required gcc >=10.3 or clang >=12.0 †Required gcc >=11.1 or clang >=12.0 ‡Required gcc >=13.0 or clang >=15.0.5 §Required gcc >14.0 or clang >=19.0? 3. Auto-detected micro-architecture levels Compile by passing the '-march=native' option which, "selects the CPU to generate code for at compilation time by determining the processor type of the compiling machine. Using -march=native enables all instruction subsets supported by the local machine and will produce code optimized for the local machine under the constraints of the selected instruction set."[1] MINOR NOTES RELATING TO INTEL ATOM PROCESSORS This patch also changes -march=atom to -march=bonnell in accordance with the gcc v4.9 changes. Upstream is using the deprecated -match=atom flags when I believe it should use the newer -march=bonnell flag for atom processors.[2] It is not recommended to compile on Atom-CPUs with the 'native' option.[3] The recommendation is to use the 'atom' option instead. BENEFITS Small but real speed increases are measurable using a make endpoint comparing a generic kernel to one built with one of the respective microarchs. See the following experimental evidence supporting this statement: https://github.com/graysky2/kernel_compiler_patch?tab=readme-ov-file#benchmarks REQUIREMENTS linux version 6.1.79+ gcc version >=9.0 or clang version >=9.0 ACKNOWLEDGMENTS This patch builds on the seminal work by Jeroen.[4] REFERENCES 1. https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html#index-x86-Options 2. https://bugzilla.kernel.org/show_bug.cgi?id=77461 3. https://github.com/graysky2/kernel_gcc_patch/issues/15 4. http://www.linuxforge.net/docs/linux/linux-gcc.php Signed-off-by: Alexandre Frade commit a84edade55a2b7d23db7e37df930c429fb0e783a Author: Alexandre Frade Date: Mon Nov 18 20:17:44 2024 +0000 XANMOD: x86/build: Prevent generating avx2 floating-point code Signed-off-by: Alexandre Frade commit 24181c783d186bd5b317c671435729ab17ba7a99 Author: Alexandre Frade Date: Mon Apr 24 04:50:34 2023 +0000 XANMOD: scripts/setlocalversion: Move localversion* files to the end Signed-off-by: Alexandre Frade commit ff961b7a8a00cb4b834f6a352efa952ac43c9ded Author: Alexandre Frade Date: Sun May 29 00:57:40 2022 +0000 XANMOD: scripts/setlocalversion: remove '+' tag for git repo short version Signed-off-by: Alexandre Frade commit 3c5cdf37edaf4d189c985e8b5314518ed00b8f71 Author: Alexandre Frade Date: Mon Sep 16 08:09:56 2024 +0000 XANMOD: lib/kconfig.debug: disable default SYMBOLIC_ERRNAME and DEBUG_BUGVERBOSE Signed-off-by: Alexandre Frade commit 6b4acd9317a980536146cf11b9c568f83aa97073 Author: Alexandre Frade Date: Tue Mar 31 13:32:08 2020 -0300 XANMOD: cpufreq: tunes ondemand and conservative governor for performance Signed-off-by: Alexandre Frade commit 5f279a3a65a99e455fa432d7449efea4f14535e2 Author: Alexandre Frade Date: Wed Jun 15 17:07:29 2022 +0000 XANMOD: sched/autogroup: Add kernel parameter and config option to enable/disable autogroup feature by default Signed-off-by: Alexandre Frade commit 4baf40af8522564e7443effb212dd43362c629f3 Author: Alexandre Frade Date: Fri May 30 19:58:58 2025 +0000 XANMOD: mm/vmscan: Reduce amount of swapping Signed-off-by: Alexandre Frade commit 6a4756e010d83d602ff9a36bee06327b8c1f5544 Author: Alexandre Frade Date: Sun Apr 28 09:06:54 2024 +0000 XANMOD: mm: Raise max_map_count default value Signed-off-by: Alexandre Frade commit 831c1f5233ef8f53120fd9610aae76e9dca54b01 Author: Alexandre Frade Date: Mon Jul 28 17:20:16 2025 +0000 XANMOD: vfs: Decrease rate at which vfs caches are reclaimed Signed-off-by: Alexandre Frade commit df9375d61d6d4f1bb0ad67edc3cf2ff23697c8a1 Author: Alexandre Frade Date: Mon Jan 29 17:26:15 2018 +0000 XANMOD: kconfig: add 500Hz timer interrupt kernel config option Signed-off-by: Alexandre Frade commit 91b0c9b432867c8c58e24f554251fc9d6e60ad9c Author: Alexandre Frade Date: Mon Jul 15 04:50:34 2024 +0000 XANMOD: blk-wbt: Set wbt_default_latency_nsec() to 2msec Signed-off-by: Alexandre Frade commit e46a3d4dc1ebcab142bdbe441a21232b41162f11 Author: Alexandre Frade Date: Mon Sep 16 15:36:01 2024 +0000 XANMOD: block: Set rq_affinity to force complete I/O requests on same CPU Signed-off-by: Alexandre Frade commit 5ec13778bc3060102c27a8c53ae19329fb9324cd Author: Alexandre Frade Date: Thu Jan 6 16:59:01 2022 +0000 XANMOD: block/mq-deadline: Disable front_merges by default Signed-off-by: Alexandre Frade commit b35ab4e1adeb8e4d46e4e47000ef19695596caa6 Author: Alexandre Frade Date: Wed May 11 18:56:51 2022 +0000 XANMOD: block/mq-deadline: Increase write priority to improve responsiveness Signed-off-by: Alexandre Frade commit c1fb42e73c8816792ee7fb52e348663460f06505 Author: Alexandre Frade Date: Sun Sep 15 23:03:38 2024 +0000 XANMOD: sched: Add yield_type sysctl to reduce or disable sched_yield Signed-off-by: Alexandre Frade commit 6acb52013529d82768890a60e9992ae972d2c109 Author: Alexandre Frade Date: Thu May 11 19:41:41 2023 +0000 XANMOD: fair: Set scheduler tunable latencies to unscaled Signed-off-by: Alexandre Frade commit 20059f18950a4fd8f97d951cce80bf18365cd753 Author: Alexandre Frade Date: Thu Nov 28 22:55:27 2024 +0000 kbuild: Re-add .config file required to sign external modules Signed-off-by: Alexandre Frade commit 57fcbe44120658045395648587f0e4751791f6db Author: Alexandre Frade Date: Sun Jul 6 15:56:57 2025 +0000 XANMOD: kbuild: deb-pkg: Create -dbg when make DEB_DEBUG_PKG=1 Signed-off-by: Alexandre Frade commit 77c45e7e4b3d67589fe16f33932d624a1a807f3a Author: Alexandre Frade Date: Fri Jun 20 01:14:28 2025 +0000 XANMOD: kbuild: Add SMS-based software pipelining flags Add support for Swing Modulo Scheduling (SMS) when default optimization level is enabled. This optimization performs software pipelining on innermost loops, overlapping iterations to improve instruction-level parallelism. Signed-off-by: Alexandre Frade commit 35793292742ae6beff22018fb4b3a377e67c5ac6 Author: Alexandre Frade Date: Sat Jul 19 02:28:57 2025 +0000 XANMOD: x86/build: Add LLVM polyhedral loop optimizer flags LLVM's Polly is able to optimize various loops throughout the kernel for cache locality. A mathematical representation of the program, based on polyhedra, is analysed to find opportunistic optimisations in memory access patterns which then leads to loop transformations. Polly is not built with LLVM by default, and requires LLVM to be compiled with the Polly "project". This can be done by adding Polly to -DLLVM_ENABLE_PROJECTS, for example: -DLLVM_ENABLE_PROJECTS="clang;libcxx;libcxxabi;polly" Preliminary benchmarking seems to show an improvement of around two percent across perf benchmarks: Benchmark | Control | Polly -------------------------------------------------------- bonnie++ -x 2 -s 4096 -r 0 | 12.610s | 12.547s perf bench futex requeue | 33.553s | 33.094s perf bench futex wake | 1.032s | 1.021s perf bench futex wake-parallel | 1.049s | 1.025s perf bench futex requeue | 1.037s | 1.020s Furthermore, Polly does not produce a much larger image size netting it to be a "free" optimisation. A comparison of a bzImage for a kernel with and without Polly is shown below: bzImage | stat --printf="%s\n" ------------------------------------- Control | 9333728 Polly | 9345792 Compile times were one percent different at best, which is well within the range of noise. Therefore, I can say with certainty that Polly has a minimal effect on compile times, if none. Link: https://github.com/CachyOS/kernel-patches/blob/master/6.15/misc/0001-clang-polly.patch Signed-off-by: Peter Jung Signed-off-by: Alexandre Frade commit 87ca3f0cb96bacb5ba7afc8b8ca92b8f1d7c34d1 Author: Alexandre Frade Date: Mon Aug 28 05:00:29 2023 +0000 XANMOD: x86/build: Add more CFLAGS optimizations Signed-off-by: Alexandre Frade commit 4a245d5610b1706a1ede4cf1b5f462bb3cf84f1c Author: Greg Kroah-Hartman Date: Mon Oct 6 11:20:06 2025 +0200 Linux 6.17.1 Link: https://lore.kernel.org/r/20251003160359.831046052@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Ronald Warsow Tested-by: Justin M. Forbes Tested-by: Brett A C Sheffield Tested-by: Jon Hunter Tested-by: Shuah Khan Tested-by: Ron Economos Tested-by: Peter Schneider Tested-by: Takeshi Ogasawara Tested-by: Dileep Malepu Tested-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit ef08ce6304d30b5778035d07b04514cb70839983 Author: Srinivas Kandagatla Date: Mon Aug 25 11:12:45 2025 +0100 ASoC: qcom: audioreach: fix potential null pointer dereference commit 8318e04ab2526b155773313b66a1542476ce1106 upstream. It is possible that the topology parsing function audioreach_widget_load_module_common() could return NULL or an error pointer. Add missing NULL check so that we do not dereference it. Reported-by: Dan Carpenter Cc: Stable@vger.kernel.org Fixes: 36ad9bf1d93d ("ASoC: qdsp6: audioreach: add topology support") Signed-off-by: Srinivas Kandagatla Link: https://patch.msgid.link/20250825101247.152619-2-srinivas.kandagatla@oss.qualcomm.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 4eeafff163e80d576c5efc1360ae310c0ceedd02 Author: Chandra Mohan Sundar Date: Mon Aug 18 15:01:57 2025 +0530 media: stm32-csi: Fix dereference before NULL check commit 80eaf32672871bd2623ce6ba13ffc1f018756580 upstream. In 'stm32_csi_start', 'csidev->s_subdev' is dereferenced directly while assigning a value to the 'src_pad'. However the same value is being checked against NULL at a later point of time indicating that there are chances that the value can be NULL. Move the dereference after the NULL check. Fixes: e7bad98c205d1 ("media: v4l: Convert the users of v4l2_get_link_freq to call it on a pad") Cc: stable@vger.kernel.org Signed-off-by: Chandra Mohan Sundar Signed-off-by: Sakari Ailus Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman commit ec2f87ad035e8d1ad67567542842f1f23a4dbde2 Author: Dikshita Agarwal Date: Mon Aug 25 12:30:27 2025 +0530 media: iris: Fix memory leak by freeing untracked persist buffer commit 02a24f13b3a1d9da9f3de56aa5fdb7cc1fe167a2 upstream. One internal buffer which is allocated only once per session was not being freed during session close because it was not being tracked as part of internal buffer list which resulted in a memory leak. Add the necessary logic to explicitly free the untracked internal buffer during session close to ensure all allocated memory is released properly. Fixes: 73702f45db81 ("media: iris: allocate, initialize and queue internal buffers") Cc: stable@vger.kernel.org Reviewed-by: Vikash Garodia Tested-by: Vikash Garodia # X1E80100 Tested-by: Neil Armstrong # on SM8550-HDK Tested-by: Neil Armstrong # on SM8650-HDK Signed-off-by: Dikshita Agarwal Tested-by: Bryan O'Donoghue # x1e80100-crd Signed-off-by: Bryan O'Donoghue Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman commit 500fcc31e488d798937a23dbb1f62db46820c5b2 Author: Matvey Kovalev Date: Wed Sep 17 22:20:01 2025 +0300 wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() commit 3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782 upstream. If ab->fw.m3_data points to data, then fw pointer remains null. Further, if m3_mem is not allocated, then fw is dereferenced to be passed to ath11k_err function. Replace fw->size by m3_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 7db88b962f06 ("wifi: ath11k: add firmware-2.bin support") Cc: stable@vger.kernel.org Signed-off-by: Matvey Kovalev Reviewed-by: Baochen Qiang Reviewed-by: Vasanthakumar Thiagarajan Link: https://patch.msgid.link/20250917192020.1340-1-matvey.kovalev@ispras.ru Signed-off-by: Jeff Johnson Signed-off-by: Greg Kroah-Hartman commit e4e99d69b8b8295c501b2eef89e13306b738b667 Author: Charan Teja Kalla Date: Wed Sep 24 23:41:38 2025 +0530 mm: swap: check for stable address space before operating on the VMA commit 1367da7eb875d01102d2ed18654b24d261ff5393 upstream. It is possible to hit a zero entry while traversing the vmas in unuse_mm() called from swapoff path and accessing it causes the OOPS: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000446--> Loading the memory from offset 0x40 on the XA_ZERO_ENTRY as address. Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault The issue is manifested from the below race between the fork() on a process and swapoff: fork(dup_mmap()) swapoff(unuse_mm) --------------- ----------------- 1) Identical mtree is built using __mt_dup(). 2) copy_pte_range()--> copy_nonpresent_pte(): The dst mm is added into the mmlist to be visible to the swapoff operation. 3) Fatal signal is sent to the parent process(which is the current during the fork) thus skip the duplication of the vmas and mark the vma range with XA_ZERO_ENTRY as a marker for this process that helps during exit_mmap(). 4) swapoff is tried on the 'mm' added to the 'mmlist' as part of the 2. 5) unuse_mm(), that iterates through the vma's of this 'mm' will hit the non-NULL zero entry and operating on this zero entry as a vma is resulting into the oops. The proper fix would be around not exposing this partially-valid tree to others when droping the mmap lock, which is being solved with [1]. A simpler solution would be checking for MMF_UNSTABLE, as it is set if mm_struct is not fully initialized in dup_mmap(). Thanks to Liam/Lorenzo/David for all the suggestions in fixing this issue. Link: https://lkml.kernel.org/r/20250924181138.1762750-1-charan.kalla@oss.qualcomm.com Link: https://lore.kernel.org/all/20250815191031.3769540-1-Liam.Howlett@oracle.com/ [1] Fixes: d24062914837 ("fork: use __mt_dup() to duplicate maple tree in dup_mmap()") Signed-off-by: Charan Teja Kalla Suggested-by: David Hildenbrand Cc: Baoquan He Cc: Barry Song Cc: Chris Li Cc: Kairui Song Cc: Kemeng Shi Cc: Liam Howlett Cc: Lorenzo Stoakes Cc: Nhat Pham Cc: Peng Zhang Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 0f140cede24334b3ee55e3e1127071266cbb8287 Author: Thadeu Lima de Souza Cascardo Date: Wed Aug 20 16:08:16 2025 +0000 media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID commit 0e2ee70291e64a30fe36960c85294726d34a103e upstream. Per UVC 1.1+ specification 3.7.2, units and terminals must have a non-zero unique ID. ``` Each Unit and Terminal within the video function is assigned a unique identification number, the Unit ID (UID) or Terminal ID (TID), contained in the bUnitID or bTerminalID field of the descriptor. The value 0x00 is reserved for undefined ID, ``` If we add a new entity with id 0 or a duplicated ID, it will be marked as UVC_INVALID_ENTITY_ID. In a previous attempt commit 3dd075fe8ebb ("media: uvcvideo: Require entities to have a non-zero unique ID"), we ignored all the invalid units, this broke a lot of non-compatible cameras. Hopefully we are more lucky this time. This also prevents some syzkaller reproducers from triggering warnings due to a chain of entities referring to themselves. In one particular case, an Output Unit is connected to an Input Unit, both with the same ID of 1. But when looking up for the source ID of the Output Unit, that same entity is found instead of the input entity, which leads to such warnings. In another case, a backward chain was considered finished as the source ID was 0. Later on, that entity was found, but its pads were not valid. Here is a sample stack trace for one of those cases. [ 20.650953] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 20.830206] usb 1-1: Using ep0 maxpacket: 8 [ 20.833501] usb 1-1: config 0 descriptor?? [ 21.038518] usb 1-1: string descriptor 0 read error: -71 [ 21.038893] usb 1-1: Found UVC 0.00 device (2833:0201) [ 21.039299] uvcvideo 1-1:0.0: Entity type for entity Output 1 was not initialized! [ 21.041583] uvcvideo 1-1:0.0: Entity type for entity Input 1 was not initialized! [ 21.042218] ------------[ cut here ]------------ [ 21.042536] WARNING: CPU: 0 PID: 9 at drivers/media/mc/mc-entity.c:1147 media_create_pad_link+0x2c4/0x2e0 [ 21.043195] Modules linked in: [ 21.043535] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.11.0-rc7-00030-g3480e43aeccf #444 [ 21.044101] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 21.044639] Workqueue: usb_hub_wq hub_event [ 21.045100] RIP: 0010:media_create_pad_link+0x2c4/0x2e0 [ 21.045508] Code: fe e8 20 01 00 00 b8 f4 ff ff ff 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb e9 0f 0b eb 0a 0f 0b eb 06 <0f> 0b eb 02 0f 0b b8 ea ff ff ff eb d4 66 2e 0f 1f 84 00 00 00 00 [ 21.046801] RSP: 0018:ffffc9000004b318 EFLAGS: 00010246 [ 21.047227] RAX: ffff888004e5d458 RBX: 0000000000000000 RCX: ffffffff818fccf1 [ 21.047719] RDX: 000000000000007b RSI: 0000000000000000 RDI: ffff888004313290 [ 21.048241] RBP: ffff888004313290 R08: 0001ffffffffffff R09: 0000000000000000 [ 21.048701] R10: 0000000000000013 R11: 0001888004313290 R12: 0000000000000003 [ 21.049138] R13: ffff888004313080 R14: ffff888004313080 R15: 0000000000000000 [ 21.049648] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 [ 21.050271] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.050688] CR2: 0000592cc27635b0 CR3: 000000000431c000 CR4: 0000000000750ef0 [ 21.051136] PKRU: 55555554 [ 21.051331] Call Trace: [ 21.051480] [ 21.051611] ? __warn+0xc4/0x210 [ 21.051861] ? media_create_pad_link+0x2c4/0x2e0 [ 21.052252] ? report_bug+0x11b/0x1a0 [ 21.052540] ? trace_hardirqs_on+0x31/0x40 [ 21.052901] ? handle_bug+0x3d/0x70 [ 21.053197] ? exc_invalid_op+0x1a/0x50 [ 21.053511] ? asm_exc_invalid_op+0x1a/0x20 [ 21.053924] ? media_create_pad_link+0x91/0x2e0 [ 21.054364] ? media_create_pad_link+0x2c4/0x2e0 [ 21.054834] ? media_create_pad_link+0x91/0x2e0 [ 21.055131] ? _raw_spin_unlock+0x1e/0x40 [ 21.055441] ? __v4l2_device_register_subdev+0x202/0x210 [ 21.055837] uvc_mc_register_entities+0x358/0x400 [ 21.056144] uvc_register_chains+0x1fd/0x290 [ 21.056413] uvc_probe+0x380e/0x3dc0 [ 21.056676] ? __lock_acquire+0x5aa/0x26e0 [ 21.056946] ? find_held_lock+0x33/0xa0 [ 21.057196] ? kernfs_activate+0x70/0x80 [ 21.057533] ? usb_match_dynamic_id+0x1b/0x70 [ 21.057811] ? find_held_lock+0x33/0xa0 [ 21.058047] ? usb_match_dynamic_id+0x55/0x70 [ 21.058330] ? lock_release+0x124/0x260 [ 21.058657] ? usb_match_one_id_intf+0xa2/0x100 [ 21.058997] usb_probe_interface+0x1ba/0x330 [ 21.059399] really_probe+0x1ba/0x4c0 [ 21.059662] __driver_probe_device+0xb2/0x180 [ 21.059944] driver_probe_device+0x5a/0x100 [ 21.060170] __device_attach_driver+0xe9/0x160 [ 21.060427] ? __pfx___device_attach_driver+0x10/0x10 [ 21.060872] bus_for_each_drv+0xa9/0x100 [ 21.061312] __device_attach+0xed/0x190 [ 21.061812] device_initial_probe+0xe/0x20 [ 21.062229] bus_probe_device+0x4d/0xd0 [ 21.062590] device_add+0x308/0x590 [ 21.062912] usb_set_configuration+0x7b6/0xaf0 [ 21.063403] usb_generic_driver_probe+0x36/0x80 [ 21.063714] usb_probe_device+0x7b/0x130 [ 21.063936] really_probe+0x1ba/0x4c0 [ 21.064111] __driver_probe_device+0xb2/0x180 [ 21.064577] driver_probe_device+0x5a/0x100 [ 21.065019] __device_attach_driver+0xe9/0x160 [ 21.065403] ? __pfx___device_attach_driver+0x10/0x10 [ 21.065820] bus_for_each_drv+0xa9/0x100 [ 21.066094] __device_attach+0xed/0x190 [ 21.066535] device_initial_probe+0xe/0x20 [ 21.066992] bus_probe_device+0x4d/0xd0 [ 21.067250] device_add+0x308/0x590 [ 21.067501] usb_new_device+0x347/0x610 [ 21.067817] hub_event+0x156b/0x1e30 [ 21.068060] ? process_scheduled_works+0x48b/0xaf0 [ 21.068337] process_scheduled_works+0x5a3/0xaf0 [ 21.068668] worker_thread+0x3cf/0x560 [ 21.068932] ? kthread+0x109/0x1b0 [ 21.069133] kthread+0x197/0x1b0 [ 21.069343] ? __pfx_worker_thread+0x10/0x10 [ 21.069598] ? __pfx_kthread+0x10/0x10 [ 21.069908] ret_from_fork+0x32/0x40 [ 21.070169] ? __pfx_kthread+0x10/0x10 [ 21.070424] ret_from_fork_asm+0x1a/0x30 [ 21.070737] Reported-by: syzbot+0584f746fde3d52b4675@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0584f746fde3d52b4675 Reported-by: syzbot+dd320d114deb3f5bb79b@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=dd320d114deb3f5bb79b Reported-by: Youngjun Lee Fixes: a3fbc2e6bb05 ("media: mc-entity.c: use WARN_ON, validate link pads") Cc: stable@vger.kernel.org Signed-off-by: Thadeu Lima de Souza Cascardo Co-developed-by: Ricardo Ribalda Signed-off-by: Ricardo Ribalda Reviewed-by: Laurent Pinchart Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Laurent Pinchart Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman commit 2e7fd93b9cc565b839bc55a6662475718963e156 Author: Larshin Sergey Date: Tue Jul 29 13:13:32 2025 +0300 media: rc: fix races with imon_disconnect() commit fa0f61cc1d828178aa921475a9b786e7fbb65ccb upstream. Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Reported-by: syzbot+f1a69784f6efe748c3bf@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f1a69784f6efe748c3bf Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver") Cc: stable@vger.kernel.org Signed-off-by: Larshin Sergey Signed-off-by: Sean Young Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman commit 4266f012806fc18e46da4a04d130df59a4946f93 Author: Duoming Zhou Date: Wed Sep 17 17:56:08 2025 +0800 media: tuner: xc5000: Fix use-after-free in xc5000_release commit 40b7a19f321e65789612ebaca966472055dab48c upstream. The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv. A typical race condition is illustrated below: CPU 0 (release thread) | CPU 1 (delayed work callback) xc5000_release() | xc5000_do_timer_sleep() cancel_delayed_work() | hybrid_tuner_release_state(priv) | kfree(priv) | | priv = container_of() // UAF Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the timer_sleep is properly canceled before the xc5000_priv memory is deallocated. A deadlock concern was considered: xc5000_release() is called in a process context and is not holding any locks that the timer_sleep work item might also need. Therefore, the use of the _sync() variant is safe here. This bug was initially identified through static analysis. Fixes: f7a27ff1fb77 ("[media] xc5000: delay tuner sleep to 5 seconds") Cc: stable@vger.kernel.org Signed-off-by: Duoming Zhou Signed-off-by: Hans Verkuil [hverkuil: fix typo in Subject: tunner -> tuner] Signed-off-by: Greg Kroah-Hartman commit 2610617effb4454d2f1c434c011ccb5cc7140711 Author: Duoming Zhou Date: Wed Sep 17 17:57:42 2025 +0800 media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe commit 79d10f4f21a92e459b2276a77be62c59c1502c9d upstream. The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn't still running when destroyed, similarly cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has terminated if already executing. During probe failure after timer initialization, these may continue running as orphans and reference the already-freed tc358743_state object through tc358743_irq_poll_timer. The following is the trace captured by KASAN. BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0 ... Call Trace: dump_stack_lvl+0x55/0x70 print_report+0xcf/0x610 ? __pfx_sched_balance_find_src_group+0x10/0x10 ? __run_timer_base.part.0+0x7d7/0x8c0 kasan_report+0xb8/0xf0 ? __run_timer_base.part.0+0x7d7/0x8c0 __run_timer_base.part.0+0x7d7/0x8c0 ? rcu_sched_clock_irq+0xb06/0x27d0 ? __pfx___run_timer_base.part.0+0x10/0x10 ? try_to_wake_up+0xb15/0x1960 ? tmigr_update_events+0x280/0x740 ? _raw_spin_lock_irq+0x80/0xe0 ? __pfx__raw_spin_lock_irq+0x10/0x10 tmigr_handle_remote_up+0x603/0x7e0 ? __pfx_tmigr_handle_remote_up+0x10/0x10 ? sched_balance_trigger+0x98/0x9f0 ? sched_tick+0x221/0x5a0 ? _raw_spin_lock_irq+0x80/0xe0 ? __pfx__raw_spin_lock_irq+0x10/0x10 ? tick_nohz_handler+0x339/0x440 ? __pfx_tmigr_handle_remote_up+0x10/0x10 __walk_groups.isra.0+0x42/0x150 tmigr_handle_remote+0x1f4/0x2e0 ? __pfx_tmigr_handle_remote+0x10/0x10 ? ktime_get+0x60/0x140 ? lapic_next_event+0x11/0x20 ? clockevents_program_event+0x1d4/0x2a0 ? hrtimer_interrupt+0x322/0x780 handle_softirqs+0x16a/0x550 irq_exit_rcu+0xaf/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ... Allocated by task 141: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_node_track_caller_noprof+0x198/0x430 devm_kmalloc+0x7b/0x1e0 tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880 really_probe+0x1ca/0x5c0 __driver_probe_device+0x248/0x310 driver_probe_device+0x44/0x120 __device_attach_driver+0x174/0x220 bus_for_each_drv+0x100/0x190 __device_attach+0x206/0x370 bus_probe_device+0x123/0x170 device_add+0xd25/0x1470 i2c_new_client_device+0x7a0/0xcd0 do_one_initcall+0x89/0x300 do_init_module+0x29d/0x7f0 load_module+0x4f48/0x69e0 init_module_from_file+0xe4/0x150 idempotent_init_module+0x320/0x670 __x64_sys_finit_module+0xbd/0x120 do_syscall_64+0xac/0x280 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 141: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x3f/0x50 kfree+0x137/0x370 release_nodes+0xa4/0x100 devres_release_group+0x1b2/0x380 i2c_device_probe+0x694/0x880 really_probe+0x1ca/0x5c0 __driver_probe_device+0x248/0x310 driver_probe_device+0x44/0x120 __device_attach_driver+0x174/0x220 bus_for_each_drv+0x100/0x190 __device_attach+0x206/0x370 bus_probe_device+0x123/0x170 device_add+0xd25/0x1470 i2c_new_client_device+0x7a0/0xcd0 do_one_initcall+0x89/0x300 do_init_module+0x29d/0x7f0 load_module+0x4f48/0x69e0 init_module_from_file+0xe4/0x150 idempotent_init_module+0x320/0x670 __x64_sys_finit_module+0xbd/0x120 do_syscall_64+0xac/0x280 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... Replace timer_delete() with timer_delete_sync() and cancel_delayed_work() with cancel_delayed_work_sync() to ensure proper termination of timer and work items before resource cleanup. This bug was initially identified through static analysis. For reproduction and testing, I created a functional emulation of the tc358743 device via a kernel module and introduced faults through the debugfs interface. Fixes: 869f38ae07f7 ("media: i2c: tc358743: Fix crash in the probe error path when using polling") Fixes: d32d98642de6 ("[media] Driver for Toshiba TC358743 HDMI to CSI-2 bridge") Cc: stable@vger.kernel.org Signed-off-by: Duoming Zhou Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman commit 6a92f5796880f5aa345f0fed53ef511e3fd6f706 Author: Duoming Zhou Date: Wed Sep 17 17:59:26 2025 +0800 media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove commit 01e03fb7db419d39e18d6090d4873c1bff103914 upstream. The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device. A typical race condition is illustrated below: CPU 0 (remove) | CPU 1 (delayed work callback) flexcop_pci_remove() | flexcop_pci_irq_check_work() cancel_delayed_work() | flexcop_device_kfree(fc_pci->fc_dev) | | fc = fc_pci->fc_dev; // UAF This is confirmed by a KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0 Write of size 8 at addr ffff8880093aa8c8 by task bash/135 ... Call Trace: dump_stack_lvl+0x55/0x70 print_report+0xcf/0x610 ? __run_timer_base.part.0+0x7d7/0x8c0 kasan_report+0xb8/0xf0 ? __run_timer_base.part.0+0x7d7/0x8c0 __run_timer_base.part.0+0x7d7/0x8c0 ? __pfx___run_timer_base.part.0+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x60/0x140 ? lapic_next_event+0x11/0x20 ? clockevents_program_event+0x1d4/0x2a0 run_timer_softirq+0xd1/0x190 handle_softirqs+0x16a/0x550 irq_exit_rcu+0xaf/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ... Allocated by task 1: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_kmalloc+0x7f/0x90 __kmalloc_noprof+0x1be/0x460 flexcop_device_kmalloc+0x54/0xe0 flexcop_pci_probe+0x1f/0x9d0 local_pci_probe+0xdc/0x190 pci_device_probe+0x2fe/0x470 really_probe+0x1ca/0x5c0 __driver_probe_device+0x248/0x310 driver_probe_device+0x44/0x120 __driver_attach+0xd2/0x310 bus_for_each_dev+0xed/0x170 bus_add_driver+0x208/0x500 driver_register+0x132/0x460 do_one_initcall+0x89/0x300 kernel_init_freeable+0x40d/0x720 kernel_init+0x1a/0x150 ret_from_fork+0x10c/0x1a0 ret_from_fork_asm+0x1a/0x30 Freed by task 135: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x3f/0x50 kfree+0x137/0x370 flexcop_device_kfree+0x32/0x50 pci_device_remove+0xa6/0x1d0 device_release_driver_internal+0xf8/0x210 pci_stop_bus_device+0x105/0x150 pci_stop_and_remove_bus_device_locked+0x15/0x30 remove_store+0xcc/0xe0 kernfs_fop_write_iter+0x2c3/0x440 vfs_write+0x871/0xd70 ksys_write+0xee/0x1c0 do_syscall_64+0xac/0x280 entry_SYSCALL_64_after_hwframe+0x77/0x7f ... Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure that the delayed work item is properly canceled and any executing delayed work has finished before the device memory is deallocated. This bug was initially identified through static analysis. To reproduce and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced artificial delays within the flexcop_pci_irq_check_work() function to increase the likelihood of triggering the bug. Fixes: 382c5546d618 ("V4L/DVB (10694): [PATCH] software IRQ watchdog for Flexcop B2C2 DVB PCI cards") Cc: stable@vger.kernel.org Signed-off-by: Duoming Zhou Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman commit bdb3c41b358cf87d99e39d393e164f9e4a6088e6 Author: Fedor Pchelkin Date: Sat Sep 20 00:08:47 2025 +0300 wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait() commit 3e31a6bc07312b448fad3b45de578471f86f0e77 upstream. There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to access already freed skb_data: BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025 Workqueue: events_unbound cfg80211_wiphy_work [cfg80211] Use-after-free write at 0x0000000020309d9d (in kfence-#251): rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago): __alloc_skb net/core/skbuff.c:659 __netdev_alloc_skb net/core/skbuff.c:734 ieee80211_nullfunc_get net/mac80211/tx.c:5844 rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431 rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338 rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979 rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165 rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194 rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012 rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059 rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758 process_one_work kernel/workqueue.c:3241 worker_thread kernel/workqueue.c:3400 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago): ieee80211_tx_status_skb net/mac80211/status.c:1117 rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564 rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651 rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676 rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238 __napi_poll net/core/dev.c:7495 net_rx_action net/core/dev.c:7557 net/core/dev.c:7684 handle_softirqs kernel/softirq.c:580 do_softirq.part.0 kernel/softirq.c:480 __local_bh_enable_ip kernel/softirq.c:407 rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927 irq_thread_fn kernel/irq/manage.c:1133 irq_thread kernel/irq/manage.c:1257 kthread kernel/kthread.c:463 ret_from_fork arch/x86/kernel/process.c:154 ret_from_fork_asm arch/x86/entry/entry_64.S:258 It is a consequence of a race between the waiting and the signaling side of the completion: Waiting thread Completing thread rtw89_core_tx_kick_off_and_wait() rcu_assign_pointer(skb_data->wait, wait) /* start waiting */ wait_for_completion_timeout() rtw89_pci_tx_status() rtw89_core_tx_wait_complete() rcu_read_lock() /* signals completion and * proceeds further */ complete(&wait->completion) rcu_read_unlock() ... /* frees skb_data */ ieee80211_tx_status_ni() /* returns (exit status doesn't matter) */ wait_for_completion_timeout() ... /* accesses the already freed skb_data */ rcu_assign_pointer(skb_data->wait, NULL) The completing side might proceed and free the underlying skb even before the waiting side is fully awoken and run to execution. Actually the race happens regardless of wait_for_completion_timeout() exit status, e.g. the waiting side may hit a timeout and the concurrent completing side is still able to free the skb. Skbs which are sent by rtw89_core_tx_kick_off_and_wait() are owned by the driver. They don't come from core ieee80211 stack so no need to pass them to ieee80211_tx_status_ni() on completing side. Introduce a work function which will act as a garbage collector for rtw89_tx_wait_info objects and the associated skbs. Thus no potentially heavy locks are required on the completing side. Found by Linux Verification Center (linuxtesting.org). Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs") Cc: stable@vger.kernel.org Suggested-by: Zong-Zhe Yang Signed-off-by: Fedor Pchelkin Acked-by: Ping-Ke Shih Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20250919210852.823912-2-pchelkin@ispras.ru Signed-off-by: Greg Kroah-Hartman commit 353d8c715cc951a980728133c9dd64ca5a0a186c Author: Jeongjun Park Date: Sun Sep 28 02:39:24 2025 +0900 ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free commit 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 upstream. The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer. However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely. Additionally, since kill-cleanup for urb is also missing, freed memory can be accessed in interrupt context related to urb, which can cause UAF. Therefore, to prevent this, error timer and urb must be killed before freeing the heap memory. Cc: Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947 Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") Signed-off-by: Jeongjun Park Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit a150275831b765b0f1de8b8ff52ec5c6933ac15d Author: Wang Haoran Date: Sat Sep 20 15:44:41 2025 +0800 scsi: target: target_core_configfs: Add length check to avoid buffer overflow commit 27e06650a5eafe832a90fd2604f0c5e920857fae upstream. A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev-> dev_group.cg_item) and a newline character, the total formatted string length may exceed the buffer size of 256 bytes. Since snprintf() returns the total number of bytes that would have been written (the length of %s/%sn ), this value may exceed the buffer length (256 bytes) passed to memcpy(), this will ultimately cause function memcpy reporting a buffer overflow error. An additional check of the return value of snprintf() can avoid this buffer overflow. Reported-by: Wang Haoran Reported-by: ziiiro Signed-off-by: Wang Haoran Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 0424e4ee60a621d71ab12b51475292115eac903a Author: Kees Cook Date: Sat Sep 20 16:45:23 2025 -0700 gcc-plugins: Remove TODO_verify_il for GCC >= 16 commit a40282dd3c484e6c882e93f4680e0a3ef3814453 upstream. GCC now runs TODO_verify_il automatically[1], so it is no longer exposed to plugins. Only use the flag on GCC < 16. Link: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=9739ae9384dd7cd3bb1c7683d6b80b7a9116eaf8 [1] Suggested-by: Christopher Fore Link: https://lore.kernel.org/r/20250920234519.work.915-kees@kernel.org Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman commit 392b1d64911f4de8887fe8b68299fa8bd6e5b923 Author: Yu Kuai Date: Thu Aug 21 14:06:12 2025 +0800 blk-mq: fix blk_mq_tags double free while nr_requests grown commit ba28afbd9eff2a6370f23ef4e6a036ab0cfda409 upstream. In the case user trigger tags grow by queue sysfs attribute nr_requests, hctx->sched_tags will be freed directly and replaced with a new allocated tags, see blk_mq_tag_update_depth(). The problem is that hctx->sched_tags is from elevator->et->tags, while et->tags is still the freed tags, hence later elevator exit will try to free the tags again, causing kernel panic. Fix this problem by replacing et->tags with new allocated tags as well. Noted there are still some long term problems that will require some refactor to be fixed thoroughly[1]. [1] https://lore.kernel.org/all/20250815080216.410665-1-yukuai1@huaweicloud.com/ Fixes: f5a6604f7a44 ("block: fix lockdep warning caused by lock dependency in elv_iosched_store") Signed-off-by: Yu Kuai Reviewed-by: Ming Lei Reviewed-by: Nilay Shroff Reviewed-by: Hannes Reinecke Reviewed-by: Li Nan Link: https://lore.kernel.org/r/20250821060612.1729939-3-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman