Public bug reported:

BugLink: https://bugs.launchpad.net/bugs/2149767

[Impact]

An unprivileged user doing a simple system-wide grep can cause a NULL pointer dereference and oops in the SUNRPC subsystem, leading to a local Denial Of Service.

A user doing a grep such as

$ grep -R "something" /

will eventually make its way to /sys/kernel/sunrpc/, where it can hit a race where ->sock in SUNRPC can be set to NULL, for example if a network was going down and up again, or an NFS server was being restarted, leading to the following oops.

BUG: kernel NULL pointer dereference, address: 0000000000000020
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 SMP NOPTI
CPU: 2 PID: 4933 Comm: grep Not tainted 5.15.0-176-generic #186-Ubuntu
RIP: 0010:kernel_getsockname+0x6/0x20
Code: 00 00 00 00 0f 1f 44 00 00 55 48 8b 47 20 48 8b 40 60 48 89 e5 ff d0 0f 1f 00 5d c3 cc cc cc cc 0f 1f 40 00 0f 1f 44 00 00 55 <48> 8b 47 20 31 d2 48 8b 40 38 48 89 e5 ff d0 0f 1f 00 5d c3 cc cc
Call Trace:
 <TASK>
 ? xs_sock_getport+0x2b/0x70 [sunrpc]
 ? kvmalloc_node+0x28/0xa0
 ? memcg_slab_post_alloc_hook+0x19e/0x210
 get_srcport+0x15/0x20 [sunrpc]
 rpc_sysfs_xprt_info_show+0x110/0x130 [sunrpc]
 kobj_attr_show+0xf/0x30
 sysfs_kf_seq_show+0xa2/0x100
 kernfs_seq_show+0x24/0x30
 seq_read_iter+0x121/0x4b0
 ? _copy_to_user+0x20/0x30
 ? cp_new_stat+0x152/0x180
 kernfs_fop_read_iter+0x30/0x40
 new_sync_read+0x10a/0x190
 vfs_read+0x106/0x1a0
 ksys_read+0x67/0xf0
 __x64_sys_read+0x19/0x20
 x64_sys_call+0x1dba/0x1fa0
 do_syscall_64+0x56/0xb0
 ? do_syscall_64+0x63/0xb0
 ? do_syscall_64+0x63/0xb0
 ? arch_exit_to_user_mode_prepare.constprop.0+0x1e/0xc0
 ? syscall_exit_to_user_mode+0x41/0x80
 ? do_syscall_64+0x63/0xb0
 entry_SYSCALL_64_after_hwframe+0x6c/0xd6

A workaround is to exclude /sys from your grep or find commands.

[Fix]

The fix is to ensure that SUNRPC holds the ->recv_mutex during sysfs reads. This makes sure that ->sock cannot be modified by an external change, e.g. an NFS server being restarted.

The fix, and its dependencies and fixes, are:

commit 17f09d3f619a7ad2d2b021b4e5246f08225b1b0f
Author: Anna Schumaker <Anna.Schumaker@Netapp.com>
Date: Thu Oct 28 15:17:41 2021 -0400
Subject: SUNRPC: Check if the xprt is connected before handling sysfs reads

commit b49ea673e119f59c71645e2f65b3ccad857c90ee
Author: NeilBrown <neil@brown.name>
Date: Mon Jan 17 16:36:53 2022 +1100
Subject: SUNRPC: lock against ->sock changing during sysfs read

commit 421ab1be43bd015ffe744f4ea25df4f19d1ce6fe
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date: Fri Mar 25 10:37:31 2022 -0400
Subject: SUNRPC: Do not dereference non-socket transports in sysfs

These landed during 5.16-rc1 and 5.18-rc1.

[Testcase]

Create a fresh jammy VM.

Create an NFS share:

$ sudo apt install nfs-kernel-server
$ sudo mkdir -p /mnt/nfs_share
$ sudo chown nobody:nogroup /mnt/nfs_share
$ sudo chmod 777 /mnt/nfs_share
$ sudo vim /etc/exports
/mnt/nfs_share 192.168.1.0/24(rw,sync,no_subtree_check)
$ sudo exportfs -a
$ sudo systemctl restart nfs-kernel-server

Set up a loop where we grep the SUNRPC sysfs interface, causing a read to happen, and some of these reads will happen when the ->recv_mutex is not held.

$ while true; do
grep -Rr . /sys/kernel/sunrpc/xprt-switches/;
done

Set up a loop where we mount and unmount the NFS share. This triggers the SUNRPC transport to disconnect or change states.

$ sudo -s
# while true; do
mount -t nfs 192.168.122.126:/mnt/nfs_share /mnt/test
umount /mnt/test
done

Wait a few seconds and the kernel will oops with a NULL pointer dereference.

There is a test kernel available in the following PPA:

https://launchpad.net/~mruffell/+archive/ubuntu/sf434838-test

If you install the test kernel, you can keep running the loops forever without any kernel oops.

[Where problems can occur]

We are changing how SUNRPC protects sysfs reads, ensuring we take a mutex to protect the socket transport from changing due to external factors.

Taking the mutex might take time, and slow down sysfs read operations, or cause deadlocks in other places in SUNRPC if not done correctly.

The patch "SUNRPC: Do not dereference non-socket transports in sysfs" is quite a refactor, but the risk to RDMA users not having the patch is higher than carrying the patch.

If a regression were to occur, users could likely work around the issue by not using system-wide grep or find commands that parse sysfs entries.

[Other info]

This is known as CVE-2022-48816.

https://ubuntu.com/security/CVE-2022-48816
https://nvd.nist.gov/vuln/detail/cve-2022-48816

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: linux (Ubuntu Jammy)
     Importance: Undecided
         Status: In Progress

** Tags: sts

** Description changed: - BugLink: https://bugs.launchpad.net/bugs/ + BugLink: https://bugs.launchpad.net/bugs/2149767 [Impact] An unprivileged user doing a simple system wide grep can cause a NULL pointer - dereference and oops in the SUNRPC subsystem, leading to a local Denial Of + dereference and oops in the SUNRPC subsystem, leading to a local Denial Of Service. A user doing a grep such as $ grep -R "something" / will eventually make its way to /sys/kernel/sunrpc/, where it can hit a race where ->sock in SUNRPC can be set to NULL, like if a network was going down and up again, or a nfs server was being restarted, leading to the following oops. BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page - PGD 0 P4D 0 + PGD 0 P4D 0 Oops: 0000 SMP NOPTI CPU: 2 PID: 4933 Comm: grep Not tainted 5.15.0-176-generic #186-Ubuntu RIP: 0010:kernel_getsockname+0x6/0x20 Code: 00 00 00 00 0f 1f 44 00 00 55 48 8b 47 20 48 8b 40 60 48 89 e5 ff d0 0f 1f 00 5d c3 cc cc cc cc 0f 1f 40 00 0f 1f 44 00 00 55 <48> 8b 47 20 31 d2 48 8b 40 38 48 89 e5 ff d0 0f 1f 00 5d c3 cc cc Call Trace: - <TASK> - ? xs_sock_getport+0x2b/0x70 [sunrpc] - ?
kvmalloc_node+0x28/0xa0 - ? memcg_slab_post_alloc_hook+0x19e/0x210 - get_srcport+0x15/0x20 [sunrpc] - rpc_sysfs_xprt_info_show+0x110/0x130 [sunrpc] - kobj_attr_show+0xf/0x30 - sysfs_kf_seq_show+0xa2/0x100 - kernfs_seq_show+0x24/0x30 - seq_read_iter+0x121/0x4b0 - ? _copy_to_user+0x20/0x30 - ? cp_new_stat+0x152/0x180 - kernfs_fop_read_iter+0x30/0x40 - new_sync_read+0x10a/0x190 - vfs_read+0x106/0x1a0 - ksys_read+0x67/0xf0 - __x64_sys_read+0x19/0x20 - x64_sys_call+0x1dba/0x1fa0 - do_syscall_64+0x56/0xb0 - ? do_syscall_64+0x63/0xb0 - ? do_syscall_64+0x63/0xb0 - ? arch_exit_to_user_mode_prepare.constprop.0+0x1e/0xc0 - ? syscall_exit_to_user_mode+0x41/0x80 - ? do_syscall_64+0x63/0xb0 - entry_SYSCALL_64_after_hwframe+0x6c/0xd6 + <TASK> + ? xs_sock_getport+0x2b/0x70 [sunrpc] + ? kvmalloc_node+0x28/0xa0 + ? memcg_slab_post_alloc_hook+0x19e/0x210 + get_srcport+0x15/0x20 [sunrpc] + rpc_sysfs_xprt_info_show+0x110/0x130 [sunrpc] + kobj_attr_show+0xf/0x30 + sysfs_kf_seq_show+0xa2/0x100 + kernfs_seq_show+0x24/0x30 + seq_read_iter+0x121/0x4b0 + ? _copy_to_user+0x20/0x30 + ? cp_new_stat+0x152/0x180 + kernfs_fop_read_iter+0x30/0x40 + new_sync_read+0x10a/0x190 + vfs_read+0x106/0x1a0 + ksys_read+0x67/0xf0 + __x64_sys_read+0x19/0x20 + x64_sys_call+0x1dba/0x1fa0 + do_syscall_64+0x56/0xb0 + ? do_syscall_64+0x63/0xb0 + ? do_syscall_64+0x63/0xb0 + ? arch_exit_to_user_mode_prepare.constprop.0+0x1e/0xc0 + ? syscall_exit_to_user_mode+0x41/0x80 + ? do_syscall_64+0x63/0xb0 + entry_SYSCALL_64_after_hwframe+0x6c/0xd6 A workaround is to exclude /sys from your grep or find commands. [Fix] The fix is to ensure that SUNRPC holds the ->recv_mutex during sysfs reads. This makes sure that ->sock cannot be modified by an external change, e.g. a nfs server being restarted. 
The fix, and their dependencies and fixes are: commit 17f09d3f619a7ad2d2b021b4e5246f08225b1b0f Author: Anna Schumaker <Anna.Schumaker@Netapp.com> Date: Thu Oct 28 15:17:41 2021 -0400 Subject: SUNRPC: Check if the xprt is connected before handling sysfs reads commit b49ea673e119f59c71645e2f65b3ccad857c90ee Author: NeilBrown <neil@brown.name> Date: Mon Jan 17 16:36:53 2022 +1100 Subject: SUNRPC: lock against ->sock changing during sysfs read commit 421ab1be43bd015ffe744f4ea25df4f19d1ce6fe Author: Trond Myklebust <trond.myklebust@hammerspace.com> Date: Fri Mar 25 10:37:31 2022 -0400 Subject: SUNRPC: Do not dereference non-socket transports in sysfs These landed during 5.16-rc1 and 5.18-rc1. [Testcase] Create a fresh jammy VM. Create a NFS share: $ sudo apt install nfs-kernel-server $ sudo mkdir -p /mnt/nfs_share $ sudo chown nobody:nogroup /mnt/nfs_share $ sudo chmod 777 /mnt/nfs_share $ sudo vim /etc/exports /mnt/nfs_share 192.168.1.0/24(rw,sync,no_subtree_check) $ sudo exportfs -a $ sudo systemctl restart nfs-kernel-server Set up a loop where we grep the SUNRPC sysfs interface, causing a read to happen, and some of these reads will happen when the ->recv_mutex is not held. $ while true; do - grep -Rr . /sys/kernel/sunrpc/xprt-switches/; + grep -Rr . /sys/kernel/sunrpc/xprt-switches/; done Set up a loop where we mount and unmount the nfs share. This triggers the SUNRPC transport to disconnect or change states. $ sudo -s # while true; do - mount -t nfs 192.168.122.126:/mnt/nfs_share /mnt/test - umount /mnt/test + mount -t nfs 192.168.122.126:/mnt/nfs_share /mnt/test + umount /mnt/test done Wait a few seconds and the kernel will oops with a null pointer dereference. There is a test kernel available in the following PPA: https://launchpad.net/~mruffell/+archive/ubuntu/sf434838-test If you install the test kernel, you can keep running the loops forever without any kernel oops. 
[Where problems can occur] We are changing how SUNRPC protects sysfs reads, ensuring we take a mutex to protect the socket transport from changing due to external factors. Taking the mutex might take time, and slow down sysfs read operations, or cause deadlocks in other places in SUNRPC if not done correctly. The patch "SUNRPC: Do not dereference non-socket transports in sysfs" is quite a refactor, but the risk to RDMA users not having the patch is higher than carrying the patch. If a regression were to occur, users could likely work around the issue by not using system wide grep or find commands that parse sysfs entries. [Other info] This is known as CVE-2022-48816. https://ubuntu.com/security/CVE-2022-48816 https://nvd.nist.gov/vuln/detail/cve-2022-48816

** Also affects: linux (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
       Status: New => Fix Released

** Changed in: linux (Ubuntu Jammy)
       Status: New => In Progress

** Tags added: sts

https://bugs.launchpad.net/bugs/2149767

Title:
  SUNRPC: System wide grep leads to NULL pointer deference in sysfs reads

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Jammy:
  In Progress
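The [Fix] section of the report above says the sysfs read must hold ->recv_mutex so that ->sock cannot change underneath it. What follows is an added illustration, not code from the report or from the kernel: a single-threaded userspace replay of that interleaving in C. Only ->sock and ->recv_mutex come from the report; the model_* and replay_* names, the port value, and the assumption that the teardown path already takes recv_mutex are constructed for the example.

```c
#include <pthread.h>
#include <stdio.h>

/* Userspace model, not kernel code. Only ->sock and ->recv_mutex are names
 * from the report; every other identifier here is hypothetical. */
#define MODEL_SRCPORT      748   /* constructed sample value */
#define SHOW_NOT_CONNECTED 0
#define SHOW_WOULD_OOPS    (-1)  /* model's stand-in for the NULL dereference */

struct model_socket { int srcport; };

struct model_xprt {
    pthread_mutex_t recv_mutex;
    struct model_socket *sock;    /* NULL while the transport is disconnected */
    int teardown_deferred;        /* teardowns that had to wait for the lock */
};

/* An event that lands between a reader's check and its use of ->sock. */
typedef void (*race_hook)(struct model_xprt *);

/* Teardown path (server restart, link flap). Assumption: it clears ->sock
 * only while holding recv_mutex. The replay is single-threaded, so trylock
 * stands in for a blocking lock: a non-zero result means a real thread would
 * sleep here until the reader drops the mutex. */
static void model_teardown(struct model_xprt *x)
{
    if (pthread_mutex_trylock(&x->recv_mutex) != 0) {
        x->teardown_deferred++;
        return;
    }
    x->sock = NULL;
    pthread_mutex_unlock(&x->recv_mutex);
}

/* Before the fix: check, then use, with no lock held across the two. */
static int show_srcport_unlocked(struct model_xprt *x, race_hook between)
{
    if (x->sock == NULL)
        return SHOW_NOT_CONNECTED;
    between(x);                       /* race window */
    if (x->sock == NULL)              /* instrumentation: the real reader has */
        return SHOW_WOULD_OOPS;       /* no re-check and faults at this point */
    return x->sock->srcport;
}

/* After the fix: check and use both happen under recv_mutex. */
static int show_srcport_locked(struct model_xprt *x, race_hook between)
{
    int port = SHOW_NOT_CONNECTED;

    pthread_mutex_lock(&x->recv_mutex);
    if (x->sock != NULL) {
        between(x);                   /* same window; teardown cannot get in */
        port = x->sock->srcport;
    }
    pthread_mutex_unlock(&x->recv_mutex);
    return port;
}

static void model_init(struct model_xprt *x, struct model_socket *s)
{
    pthread_mutex_init(&x->recv_mutex, NULL);
    x->sock = s;
    x->teardown_deferred = 0;
}

/* Teardown lands inside the unlocked reader's window. */
int replay_unlocked_race(void)
{
    struct model_socket s = { MODEL_SRCPORT };
    struct model_xprt x;
    model_init(&x, &s);
    return show_srcport_unlocked(&x, model_teardown);
}

/* Same interleaving against the locked reader; also reports deferrals. */
int replay_locked_race(int *deferred)
{
    struct model_socket s = { MODEL_SRCPORT };
    struct model_xprt x;
    int port;
    model_init(&x, &s);
    port = show_srcport_locked(&x, model_teardown);
    *deferred = x.teardown_deferred;
    return port;
}

/* Teardown completes first; the locked reader then sees a NULL ->sock. */
int replay_locked_after_teardown(void)
{
    struct model_socket s = { MODEL_SRCPORT };
    struct model_xprt x;
    model_init(&x, &s);
    model_teardown(&x);
    return show_srcport_locked(&x, model_teardown);
}

int main(void)
{
    int deferred = 0;
    int port = replay_locked_race(&deferred);
    printf("unlocked=%d locked=%d deferred=%d late=%d\n",
           replay_unlocked_race(), port, deferred,
           replay_locked_after_teardown());
    return 0;
}
```

The unlocked reader passes its check and then finds ->sock gone, which is the state the oops in the report records; the locked reader either returns the port or reports "not connected", and the teardown is deferred until the mutex is released.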
[SOLVED] Error No. ...
Errors in Programs and Ways to Fix Them
Monday
[Bug 2142250] Re: Questing update: upstream stable patchset 2026-03-04
This broke amdxdna.

https://bugs.launchpad.net/ubuntu/+source/linux-oem-6.17/+bug/2149766

https://bugs.launchpad.net/bugs/2142250

Title:
  Questing update: upstream stable patchset 2026-03-04

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Questing:
  Fix Released

Bug description:

SRU Justification

Impact:
The upstream process for stable tree updates is quite similar in scope to the Ubuntu SRU process, e.g., each patch has to demonstrably fix a bug, and each patch is vetted by upstream by originating either directly from a mainline/stable Linux tree or a minimally backported form of that patch. The following upstream stable patches should be included in the Ubuntu kernel:

upstream stable patchset 2026-03-04

Ported from the following upstream stable releases:
v6.18.2, v6.12.64, v6.18.3

from git://git.kernel.org/

bpf: Fix sleepable context for async callbacks
bpf: extract generic helper from process_timer_func()
bpf: Fix handling maps with no BTF and non-constant offsets for the bpf_wq
irqchip: Drop leftover brackets
irqchip: Pass platform device to platform drivers
bpf: Do not let BPF test infra emit invalid GSO types to stack
arm64: dts: exynos: gs101: fix clock module unit reg sizes
ice: move service task start out of ice_init_pf()
ice: move ice_init_interrupt_scheme() prior ice_init_pf()
ice: ice_init_pf: destroy mutexes and xarrays on memory alloc failure
ice: move udp_tunnel_nic and misc IRQ setup into ice_init_pf()
ice: move ice_init_pf() out of ice_init_dev()
ice: extract ice_init_dev() from ice_init()
ice: move ice_deinit_dev() to the end of deinit paths
ice: remove duplicate call to ice_deinit_hw() on error paths
arm64: dts: qcom: lemans: Add missing quirk for HS only USB controller
tools/nolibc: x86: fix section mismatch caused by asm "mem*" functions
arm64: dts: ti: k3-j784s4: Fix I2C pinmux pull configuration
wifi: ath12k: enforce vdev limit in ath12k_mac_vdev_create()
ARM: dts: am33xx: Add missing serial console speed
arm64: tegra: Add pinctrl definitions for pcie-ep nodes
md: init bioset in mddev_init
fs/ntfs3: Initialize allocated memory before use
scsi: qla2xxx: Clear cmds after chip reset
arm64: mm: Move KPTI helpers to mmu.c
arm64/mm: Allow __create_pgd_mapping() to propagate pgtable_alloc() errors
pwm: Simplify printf to emit chip->npwm in $debugfs/pwm
pwm: Use %u to printf unsigned int pwm_chip::npwm and pwm_chip::id
soc/tegra: fuse: speedo-tegra210: Update speedo IDs
iio: core: add missing mutex_destroy in iio_dev_release()
iio: core: Clean up device correctly on iio_device_alloc() failure
iommu/vt-d: Set INTEL_IOMMU_FLOPPY_WA depend on BLK_DEV_FD
of/fdt: Fix the len check in early_init_dt_check_for_elfcorehdr()
of/fdt: Fix the len check in early_init_dt_check_for_usable_mem_range()
rtla/tests: Extend action tests to 5s
rtla: Fix -a overriding -t argument
btrfs: make sure extent and csum paths are always released in scrub_raid56_parity_stripe()
iomap: allocate s_dio_done_wq for async reads as well
RDMA/irdma: Remove doorbell elision logic
selftests/landlock: Fix makefile header list
net: vxlan: prevent NULL deref in vxlan_xmit_one
landlock: Fix handling of disconnected directories
exfat: fix refcount leak in exfat_find
io_uring/kbuf: use READ_ONCE() for userspace-mapped memory
ALSA: wavefront: Clear substream pointers on close
btrfs: do not skip logging new dentries when logging a new name
btrfs: fix a potential path leak in print_data_reloc_error()
bpf, arm64: Do not audit capability check in do_jit()
btrfs: fix memory leak of fs_devices in degraded seed device path
shmem: fix recovery on rename failures
iomap: adjust read range correctly for non-block-aligned positions
iomap: account for unaligned end offsets when truncating read range
scripts/faddr2line: Fix "Argument list too long" error
perf/x86/amd: Check event before enable to avoid GPF
sched/deadline: only set free_cpus for online runqueues
sched/fair: Revert max_newidle_lb_cost bump
x86/ptrace: Always inline trivial accessors
ACPICA: Avoid walking the Namespace if start_node is NULL
ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only
cpufreq: dt-platdev: Add JH7110S SOC to the allowlist
ACPI: fan: Workaround for 64-bit firmware bug
cpufreq: s5pv210: fix refcount leak
cpuidle: menu: Use residency threshold in polling state override decisions
livepatch: Match old_sympos 0 and 1 in klp_find_func()
fs/ntfs3: Support timestamps prior to epoch
kbuild: Use objtree for module signing key path
ntfs: set dummy blocksize to read boot_block when mounting
hfsplus: fix volume corruption issue for generic/070
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
hfsplus: Verify inode mode when loading from disk
hfsplus: fix volume corruption issue for generic/073
fs/ntfs3: check for shutdown in fsync
wifi: rtl8xxxu: Fix HT40 channel config for RTL8192CU, RTL8723AU
wifi: cfg80211: stop radar detection in cfg80211_leave()
wifi: cfg80211: use cfg80211_leave() in iftype change
wifi: mt76: mt792x: fix wifi init fail by setting MCU_RUNNING after CLC load
wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet
btrfs: scrub: always update btrfs_scrub_progress::last_physical
gfs2: fix remote evict for read-only filesystems
gfs2: Fix "gfs2: Switch to wait_event in gfs2_quotad"
smb/server: fix return value of smb2_ioctl()
ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
ksmbd: vfs: fix race on m_flags in vfs_cache
Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV
Bluetooth: btusb: MT7922: Add VID/PID 0489/e170
Bluetooth: btusb: MT7920: Add VID/PID 0489/e135
Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE
Bluetooth: btusb: Add new VID/PID 0x0489/0xE12F for RTL8852BE-VT
net: fec: ERR007885 Workaround for XDP TX path
netrom: Fix memory leak in nr_sendmsg()
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2()
mlxsw: spectrum_router: Fix possible neighbour reference count leak
mlxsw: spectrum_router: Fix neighbour use-after-free
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
bnxt_en: Fix XDP_TX path
net: openvswitch: fix middle attribute validation in push_nsh() action
broadcom: b44: prevent uninitialized value usage
netfilter: nf_conncount: fix leaked ct in error paths
ipvs: fix ipv4 null-ptr-deref in route error path
caif: fix integer underflow in cffrml_receive()
net/sched: ets: Remove drr class from the active list if it changes to strict
nfc: pn533: Fix error code in pn533_acr122_poweron_rdr()
netfilter: nf_nat: remove bogus direction check
netfilter: nf_tables: remove redundant chain validation on register store
selftests: netfilter: packetdrill: avoid failure on HZ=100 kernel
iommufd/selftest: Make it clearer to gcc that the access is not out of bounds
iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
ethtool: Avoid overflowing userspace buffer on stats query
net/mlx5: fw reset, clear reset requested on drain_fw_reset
net/mlx5: Drain firmware reset in shutdown callback
net/mlx5: fw_tracer, Validate format string parameters
net/mlx5: fw_tracer, Handle escaped percent properly
net/mlx5: Serialize firmware reset with devlink
net/handshake: duplicate handshake cancellations leak socket
net: enetc: do not transmit redirected XDP frames when the link is down
net: hns3: using the num_tqps in the vf driver to apply for resources
net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
net: hns3: add VLAN id validation before using
hwmon: (dell-smm) Limit fan multiplier to avoid overflow
hwmon: (ibmpex) fix use-after-free in high/low store
hwmon: (tmp401) fix overflow caused by default conversion rate value
drm/me/gsc: mei interrupt top half should be in irq disabled context
drm/xe: Restore engine registers before restarting schedulers after GT reset
MIPS: Fix a reference leak bug in ip22_check_gio()
drm/panel: sony-td4353-jdi: Enable prepare_prev_first
x86/xen: Fix sparse warning in enlighten_pv.c
arm64: kdump: Fix elfcorehdr overlap caused by reserved memory processing reorder
spi: cadence-quadspi: Fix clock disable on probe failure path
block: rnbd-clt: Fix leaked ID in init_dev()
drm/xe: Limit num_syncs to prevent oversized allocations
drm/xe/oa: Limit num_syncs to prevent oversized allocations
hwmon: (ltc4282): Fix reset_history file permissions
ksmbd: skip lock-range check on equal size to avoid size==0 underflow
ksmbd: Fix refcount leak when invalid session is found on session lookup
ksmbd: fix buffer validation by including null terminator size in EA length
HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
Input: lkkbd - disable pending work before freeing device
Input: alps - fix use-after-free bugs caused by dev3_register_work
Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
xfs: don't leak a locked dquot when xfs_dquot_attach_buf fails
can: gs_usb: gs_can_open(): fix error handling
soc/tegra: fuse: Do not register SoC device on ACPI boot
ACPI: PCC: Fix race condition by removing static qualifier
ACPI: CPPC: Fix missing PCC check for guaranteed_perf
spi: fsl-cpm: Check length parity before switching to 16 bit mode
mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
mmc: sdhci-of-arasan: Increase CD stable timeout to 2 seconds
dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
x86/fpu: Fix FPU state core dump truncation on CPUs with no extended xfeatures
ALSA: vxpocket: Fix resource leak in vxpocket_probe error path
ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path
ALSA: usb-mixer: us16x08: validate meter packet indices
ASoC: ak4458: remove the reset operation in probe and remove
nfsd: fix memory leak in nfsd_create_serv error paths
ipmi: Fix the race between __scan_channels() and deliver_response()
ipmi: Fix __scan_channels() failing to rescan channels
scsi: ufs: host: mediatek: Fix shutdown/suspend race condition
firmware: imx: scu-irq: Init workqueue before request mbox channel
ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx
scsi: smartpqi: Add support for Hurray Data new controller PCI device
clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4
powerpc/addnote: Fix overflow on 32-bit builds
scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled
scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive
scsi: qla2xxx: Use reinit_completion on mbx_intr_comp
fuse: Always flush the page cache before FOPEN_DIRECT_IO write
fuse: Invalidate the page cache after FOPEN_DIRECT_IO write
via_wdt: fix critical boot hang due to unnamed resource allocation
reset: fix BIT macro reference
exfat: fix remount failure in different process environments
exfat: zero out post-EOF page cache on file extension
usbip: Fix locking bug in RT-enabled kernels
usb: typec: ucsi: Handle incorrect num_connectors capability
iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains
usb: xhci: limit run_graceperiod for only usb 3.0 devices
usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.
serial: sprd: Return -EPROBE_DEFER when uart clock is not ready
libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map
clk: qcom: dispcc-sm7150: Fix dispcc_mdss_pclk0_clk_src
i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware
nvme-fc: don't hold rport lock when putting ctrl
nvme-fabrics: add ENOKEY to no retry criteria for authentication failures
MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
scsi: scsi_debug: Fix atomic write enable module param description
block: rnbd-clt: Fix signedness bug in init_dev()
vhost/vsock: improve RCU read sections around vhost_vsock_get()
cifs: Fix memory and information leak in smb3_reconfigure()
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
io_uring: fix filename leak in __io_openat_prep()
x86/mce: Do not clear bank's poll bit in mce_poll_banks on AMD SMCA systems
mmc: sdhci-msm: Avoid early clock doubling during HS400 transition
perf: arm_cspmu: fix error handling in arm_cspmu_impl_unregister()
lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
s390/dasd: Fix gendisk parent after copy pair swap
wifi: mt76: Fix DTS power-limits on little endian systems
block: rate-limit capacity change info log
floppy: fix for PAGE_SIZE != 4KB
kallsyms: Fix wrong "big" kernel symbol type read from procfs
fs/ntfs3: fix mount failure for sparse runs in run_unpack()
ktest.pl: Fix uninitialized var in config-bisect.pl
tpm: Cap the number of PCR banks
ext4: fix string copying in parse_apply_sb_mount_options()
ext4: xattr: fix null pointer deref in ext4_raw_inode()
ext4: clear i_state_flags when alloc inode
ext4: fix incorrect group number assertion in mb_check_buddy
ext4: align max orphan file size with e2fsprogs limit
jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key
jbd2: use a weaker annotation in journal handling
media: v4l2-mem2mem: Fix outdated documentation
selftests: mptcp: pm: ensure unknown flags are ignored
mptcp: schedule rtx timer only after pushing data
mptcp: avoid deadlock on fallback while reinjecting
usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
media: pvrusb2: Fix incorrect variable used in trace message
phy: broadcom: bcm63xx-usbh: fix section mismatches
usb: ohci-nxp: fix device leak on probe failure
usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe()
USB: lpc32xx_udc: Fix error handling in probe
usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
usb: phy: isp1301: fix non-OF device reference imbalance
usb: gadget: lpc32xx_udc: fix clock imbalance in error path
usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
usb: dwc3: keep susphy enabled during exit to avoid controller faults
usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
char: applicom: fix NULL pointer dereference in ac_ioctl
intel_th: Fix error handling in intel_th_output_open
mei: gsc: add dependency on Xe driver
serial: sh-sci: Check that the DMA cookie is valid
cpuidle: governors: teo: Drop misguided target residency check
cpufreq: nforce2: fix reference count leak in nforce2
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
scsi: aic94xx: fix use-after-free in device removal path
NFSD: use correct reservation type in nfsd4_scsi_fence_client
scsi: target: Reset t_task_cdb pointer in error case
scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow
scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error
f2fs: ensure node page reads complete before f2fs_put_super() finishes
f2fs: fix to avoid potential deadlock
f2fs: fix to avoid updating zero-sized extent in extent cache
f2fs: invalidate dentry cache on failed whiteout creation
f2fs: fix age extent cache insertion skip on counter overflow
f2fs: fix uninitialized one_time_gc in victim_sel_policy
f2fs: fix return value of f2fs_recover_fsync_data()
tools/testing/nvdimm: Use per-DIMM device handle
KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot
media: vidtv: initialize local pointers upon transfer of memory ownership
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
KVM: x86: Don't clear async #PF queue when CR0.PG is disabled (e.g. on #SMI)
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
scs: fix a wrong parameter in __scs_magic
parisc: Do not reprogram affinitiy on ASP chip
libceph: make decode_pool() more resilient against corrupted osdmaps
powerpc: Add reloc_offset() to font bitmap pointer used for bootx_printf()
KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0
KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn()
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE
KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN
KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation
KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN
KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit
KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN)
KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits
xfs: fix a memory leak in xfs_buf_item_init()
xfs: fix stupid compiler warning
xfs: fix a UAF problem in xattr repair
tracing: Do not register unsupported perf events
PM: runtime: Do not clear needs_force_resume with enabled runtime PM
r8169: fix RTL8117 Wake-on-Lan in DASH mode
net: phy: marvell-88q2xxx: Fix clamped value in mv88q2xxx_hwmon_write
fsnotify: do not generate ACCESS/MODIFY events on child for special files
net/handshake: restore destructor on submit failure
NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap
NFSD: NFSv4 file creation neglects setting ACL
nfsd: Mark variable __maybe_unused to avoid W=1 build break
svcrdma: return 0 on success from svc_rdma_copy_inline_range
svcrdma: use rc_pageoff for memcpy byte offset
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
powerpc/kexec: Enable SMT before waking offline CPUs
btrfs: don't log conflicting inode if it's a dir moved in the current transaction
s390/ipl: Clear SBP flag when bootprog is set
gpio: regmap: Fix memleak in error path in gpio_regmap_register()
io_uring/poll: correctly handle io_poll_add() return value on update
io_uring: fix min_wait wakeups for SQPOLL
drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state()
drm/amd/display: Fix scratch registers offsets for DCN35
drm/amd/display: Fix scratch registers offsets for DCN351
drm/displayid: pass iter to drm_find_displayid_extension()
ALSA: wavefront: Use guard() for spin locks
pinctrl: renesas: rzg2l: Fix ISEL restore on resume
arm64: Revamp HCR_EL2.E2H RES1 detection
dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sc8280xp: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sm8150: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sm8250: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sm8350: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sm8450: Add missing required power-domains and resets
dt-bindings: PCI: qcom,pcie-sm8550: Add missing required power-domains and resets
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
crypto: caam - Add check for kcalloc() in test_len()
amba: tegra-ahb: Fix device leak on SMMU enable
virtio: vdpa: Fix reference count leak in octep_sriov_enable()
tracing: Fix fixed array of synthetic event
soc: samsung: exynos-pmu: fix device leak on regmap lookup
soc: qcom: pbs: fix device leak on lookup
soc: qcom: ocmem: fix device leak on lookup
soc: apple: mailbox: fix device leak on lookup
soc: amlogic: canvas: fix device leak on lookup
rpmsg: glink: fix rpmsg device leak
platform/x86: intel: chtwc_int33fe: don't dereference swnode args
i2c: amd-mp2: fix reference leak in MP2 PCI device
interconnect: qcom: sdx75: Drop QPIC interconnect and BCM nodes
hwmon: (max16065) Use local variable to avoid TOCTOU
hwmon: (max6697) fix regmap leak on probe failure
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32
x86/msi: Make irq_retrigger() functional for posted MSI
iommu/mediatek: fix use-after-free on probe deferral
fuse: fix readahead reclaim deadlock
wifi: rtw88: limit indirect IO under powered off for RTL8822CS
wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()
wifi: cfg80211: sme: store capped length in __cfg80211_connect_result()
wifi: mac80211: do not use old MBSSID elements
i40e: fix scheduling in set_rx_mode
i40e: validate ring_len parameter against hardware-specific values
iavf: fix off-by-one issues in iavf_config_rss_reg()
idpf: reduce mbx_task schedule delay to 300us
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
Bluetooth: btusb: revert use of devm_kzalloc in btusb
net: mdio: aspeed: add dummy read to avoid read-after-write issue
net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
ip6_gre: make ip6gre_header() robust
platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event names
platform/x86: msi-laptop: add missing sysfs_remove_group()
platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
team: fix check for port enabled in team_queue_override_port_prio_changed()
net: dsa: fix missing put_device() in dsa_tree_find_first_conduit()
amd-xgbe: reset retries and mode on RX adapt failures
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
selftests: net: fix "buffer overflow detected" for tap.c
smc91x: fix broken irq-context in PREEMPT_RT
genalloc.h: fix htmldocs warning
firewire: nosy: Fix
dma_free_coherent() size net: dsa: b53: skip multicast entries for fdb_dump() kbuild: fix compilation of dtb specified on command-line without make rule net: usb: asix: validate PHY address before use net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct vfio/pds: Fix memory leak in pds_vfio_dirty_enable() platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" net: stmmac: fix the crash issue for zero copy XDP_TX action ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() ipv4: Fix reference count leak when using error routes with nexthop objects net: rose: fix invalid array index in rose_kill_by_device() ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT RDMA/irdma: avoid invalid read in irdma_net_event RDMA/efa: Remove possible negative shift RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() RDMA/core: always drop device refcount in ib_del_sub_device_and_put() RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send RDMA/bnxt_re: Fix to use correct page size for PDE table md: Fix static checker warning in analyze_sbs md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() ksmbd: Fix memory leak in get_file_all_info() RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation RDMA/bnxt_re: fix dma_free_coherent() pointer blk-mq: skip CPU offline notify on unmapped hctx selftests/ftrace: traceonoff_triggers: strip off names ntfs: Do not overwrite uptodate pages ASoC: codecs: wcd939x: fix regmap leak on probe failure ASoC: stm32: sai: fix device leak on probe ASoC: stm32: sai: fix clk prepare imbalance on probe failure ASoC: stm32: sai: fix OF node leak on probe ASoC: codecs: lpass-tx-macro: fix SM6115 support ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr ASoC: qcom: q6asm-dai: perform correct state check before closing ASoC: 
qcom: q6adm: the the copp device only during last instance ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment. iommu/amd: Fix pci_segment memleak in alloc_pci_segment() iommu/amd: Propagate the error code returned by __modify_irte_ga() in modify_irte_ga() iommu/apple-dart: fix device leak on of_xlate() iommu/exynos: fix device leak on of_xlate() iommu/ipmmu-vmsa: fix device leak on of_xlate() iommu/mediatek-v1: fix device leak on probe_device() iommu/mediatek-v1: fix device leaks on probe() iommu/mediatek: fix device leak on of_xlate() iommu/omap: fix device leaks on probe_device() iommu/qcom: fix device leak on of_xlate() iommu/sun50i: fix device leak on of_xlate() iommu/tegra: fix device leak on probe_device() iommu: disable SVA when CONFIG_X86 is set HID: logitech-dj: Remove duplicate error logging fgraph: Initialize ftrace_ops->private for function graph ops fgraph: Check ftrace_pids_enabled on registration for early filtering PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator powerpc, mm: Fix mprotect on book3s 32-bit powerpc/64s/slb: Fix SLB multihit issue during SLB preload leds: leds-cros_ec: Skip LEDs without color components leds: leds-lp50xx: Allow LED 0 to be added to module bank leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs leds: leds-lp50xx: Enable chip before any communication block: Clear BLK_ZONE_WPLUG_PLUGGED when aborting plugged BIOs clk: samsung: exynos-clkout: Assign .num before accessing .hws mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup mfd: max77620: Fix potential IRQ chip conflict when probing two devices media: rc: st_rc: Fix reset control resource leak media: verisilicon: Fix CPU stalls on G2 bus error mtd: mtdpart: ignore error -ENOENT from parsers on subpartitions mtd: spi-nor: winbond: Add support for W25Q01NWxxIQ chips mtd: spi-nor: winbond: Add support for W25Q01NWxxIM chips mtd: spi-nor: 
winbond: Add support for W25Q02NWxxIM chips mtd: spi-nor: winbond: Add support for W25H512NWxxAM chips mtd: spi-nor: winbond: Add support for W25H01NWxxAM chips mtd: spi-nor: winbond: Add support for W25H02NWxxAM chips parisc: entry.S: fix space adjustment on interruption for 64-bit userspace parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() perf/x86/amd/uncore: Fix the return value of amd_uncore_df_event_init() on error powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() firmware: stratix10-svc: Add mutex in stratix10 memory management dm-ebs: Mark full buffer dirty even on partial write dm-bufio: align write boundary on physical block size fbdev: gbefb: fix to use physical address instead of dma address fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing fbdev: tcx.c fix mem_map to correct smem_start offset media: cec: Fix debugfs leak on bus_register() failure media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() media: platform: mtk-mdp3: fix device leaks at probe media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled media: samsung: exynos4-is: fix potential ABBA deadlock on init media: TDA1997x: Remove redundant cancel_delayed_work in probe media: verisilicon: Protect G2 HEVC decoder against invalid DPB index media: videobuf2: Fix device reference leak in vb2_dc_alloc error path media: vpif_capture: fix section mismatch media: vpif_display: fix section mismatch media: amphion: Cancel message work before releasing the VPU core media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe media: i2c: adv7842: Remove redundant cancel_delayed_work in probe media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() LoongArch: Add new PCI ID for pci_fixup_vgadev() LoongArch: Correct the calculation logic of thread_count LoongArch: Fix 
build errors for CONFIG_RANDSTRUCT LoongArch: Use __pmd()/__pte() for swap entry conversions LoongArch: Use unsigned long for _end and _text mm/damon/tests/sysfs-kunit: handle alloc failures on damon_sysfs_test_add_targets() mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() mm/damon/tests/core-kunit: handle memory failure from damon_test_target() mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions() mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result() mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration() mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs() pmdomain: imx: Fix reference count leak in imx_gpc_probe() compiler_types.h: add "auto" as a macro for "__auto_type" mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN kasan: refactor pcpu kasan vmalloc unpoison kasan: unpoison vms[area] addresses with a common tag lockd: fix vfs_test_lock() calls idr: fix idr_alloc() returning an ID out of range mm/page_owner: fix memory leak in page_owner_stack_fops->release() x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo tools/mm/page_owner_sort: fix timestamp comparison for stable sorting samples/ftrace: Adjust LoongArch register restore order in direct calls RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly RDMA/cm: Fix leaking the multicast GID table reference e1000: fix OOB in e1000_tbi_should_accept() fjes: Add missing 
iounmap in fjes_hw_init() LoongArch: Refactor register restoration in ftrace_common_return LoongArch: BPF: Zero-extend bpf_tail_call() index LoongArch: BPF: Sign extend kfunc call arguments nfsd: Drop the client reference in client_states_open() net: usb: sr9700: fix incorrect command used to write single register net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open() drm/amdgpu/gmc12: add amdgpu_vm_handle_fault() handling drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma drm/amdgpu/gmc11: add amdgpu_vm_handle_fault() handling drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers drm/buddy: Optimize free block management with RB tree drm/buddy: Separate clear and dirty free block trees drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() drm/edid: add DRM_EDID_IDENT_INIT() to initialize struct drm_edid_ident drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse() drm/mediatek: Fix probe resource leaks drm/mediatek: Fix probe memory leak drm/mediatek: Fix probe device leaks drm/amdkfd: Trap handler support for expert scheduling mode drm/i915: Fix format string truncation warning drm/ttm: Avoid NULL pointer deref for evicted BOs drm/mgag200: Fix big-endian support drm/xe/bo: Don't include the CCS metadata in the dma-buf sg-table drm/xe/oa: Disallow 0 OA property values drm/xe: Adjust long-running workload timeslices to reasonable values drm/xe: Use usleep_range for accurate long-running workload timeslicing drm/xe: Drop preempt-fences when destroying imported dma-bufs. 
drm/msm/dpu: Add missing NULL pointer check for pingpong interface drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer drm/nouveau/dispnv50: Don't call drm_atomic_get_crtc_state() in prepare_fb drm/imagination: Disallow exporting of PM/FW protected objects lib/crypto: riscv/chacha: Avoid s0/fp register gfs2: fix freeze error handling btrfs: don't rewrite ret from inode_permission sched/eevdf: Fix min_vruntime vs avg_vruntime erofs: fix unexpected EIO under memory pressure sched_ext: Fix incorrect sched_class settings for per-cpu migration tasks jbd2: fix the inconsistency between checksum and data in memory for journal sb xhci: dbgtty: fix device unregister: fixup f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() f2fs: use global inline_xattr_slab instead of per-sb slab cache f2fs: fix to avoid updating compression context during writeback serial: core: Restore sysfs fwnode information mptcp: pm: ignore unknown endpoint flags mm/ksm: fix exec/fork inheritance support for prctl svcrdma: bound check rq_pages index in inline path ARM: dts: microchip: sama7g5: fix uart fifo size to 32 tpm2-sessions: Fix out of range indexing in name_size tpm2-sessions: Fix tpm2_read_public range checks sched_ext: Factor out local_dsq_post_enq() from dispatch_enqueue() sched_ext: Fix missing post-enqueue handling in move_local_task_to_local_dsq() drm/displayid: add quirk to ignore DisplayID checksum errors serial: xilinx_uartps: fix rs485 delay_rts_after_send f2fs: add timeout in f2fs_enable_checkpoint() f2fs: dump more information for f2fs_{enable,disable}_checkpoint() f2fs: fix to propagate error from f2fs_enable_checkpoint() gpiolib: acpi: Add quirk for Dell Precision 7780 serial: core: Fix serial device initialization x86/microcode/AMD: Select which microcode patch to load media: i2c: imx219: Fix 1920x1080 mode to use 1:1 pixel aspect ratio gve: defer interrupt enabling until NAPI registration ASoC: renesas: rz-ssi: Fix channel swap 
issue in full duplex mode block: handle zone management operations completions ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime ASoC: renesas: rz-ssi: Fix rz_ssi_priv::hw_params_cache::sample_width PCI: brcmstb: Fix disabling L0s capability powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages media: mediatek: vcodec: Use spinlock for context list protection lock media: amphion: Make some vpu_v4l2 functions static media: amphion: Remove vpu_vb_is_codecconfig vfio/pci: Disable qword access to the PCI ROM bar mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter() mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() block: fix NULL pointer dereference in blk_zone_reset_all_bio_endio() bpf: Fix truncated dmabuf iterator reads bpf: Fix verifier assumptions of bpf_d_path's output buffer btrfs: fix changeset leak on mmap write after failure to reserve metadata scripts: kdoc_parser.py: warn about Python version only once crypto: ccp - Add support for PCI device 0x115A hfsplus: fix volume corruption issue for generic/101 Bluetooth: btusb: add new custom firmwares net/mlx5: make enable_mpesw idempotent net: phy: realtek: eliminate priv->phycr2 variable net: phy: realtek: eliminate has_phycr2 variable net: phy: realtek: allow CLKOUT to be disabled on RTL8211F(D)(I)-VD-CG net: phy: realtek: eliminate priv->phycr1 variable net: phy: realtek: create rtl8211f_config_phy_eee() helper net: phy: RTL8211FVD: Restore disabling of PHY-mode EEE net: ti: icssg-prueth: add PTP_1588_CLOCK_OPTIONAL dependency selftests: net: Fix build warnings selftests: net: tfo: Fix build warning inet: frags: avoid theoretical race in ip_frag_reinit() inet: frags: add inet_frag_queue_flush() inet: frags: flush pending skbs in fqdir_pre_exit() selftests: netfilter: prefer xfail in case race wasn't triggered can: j1939: make j1939_sk_bind() fail if 
device is no longer registered net/mlx5e: Use ip6_dst_lookup instead of ipv6_dst_lookup_flow for MAC init net/mlx5e: Trigger neighbor resolution for unresolved destinations drm/tests: hdmi: Handle drm_kunit_helper_enable_crtc_connector() returning EDEADLK drm/tests: Handle EDEADLK in drm_test_check_valid_clones() drm/tests: Handle EDEADLK in set_up_atomic_state() selftests: ublk: fix overflow in ublk_queue_auto_zc_fallback() block: unify elevator tags and type xarrays into struct elv_change_ctx block: move elevator tags into struct elevator_resources block: introduce alloc_sched_data and free_sched_data elevator methods block: use {alloc|free}_sched data methods block: fix race between wbt_enable_default and IO submission spi: microchip: rename driver file and internal identifiers UBUNTU: [Config] Remove CONFIG_SPI_MICROCHIP_CORE spi: mpfs: Fix an error handling path in mpfs_spi_probe() drm/xe: Fix freq kobject leak on sysfs_create_files failure drm/xe: Apply Wa_14020316580 in xe_gt_idle_enable_pg() drm/xe: Increase TDF timeout drm/amdgpu: fix a job->pasid access race in gpu recovery io_uring: fix nr_segs calculation in io_import_kbuf ublk: add parameter `struct io_uring_cmd *` to ublk_prep_auto_buf_reg() ublk: add `union ublk_io_buf` with improved naming ublk: refactor auto buffer register in ublk_dispatch_req() ublk: fix deadlock when reading partition table drm/xe/oa: Always set OAG_OAGLBCTXCTRL_COUNTER_RESUME amd/iommu: Preserve domain ids inside the kdump kernel arm64: dts: mediatek: Apply mt8395-radxa DT overlay at build time Input: apple_z2 - fix reading incorrect reports after exiting sleep Input: xpad - add support for CRKD Guitars platform/x86: intel_pmc_ipc: fix ACPI buffer memory leak x86/mm/tlb/trace: Export the TLB_REMOTE_WRONG_CPU enum in <trace/events/tlb.h> ASoC: fsl_sai: Constrain sample rates from audio PLLs only in master mode ASoC: SDCA: support Q7.8 volume format ASoC: ops: fix snd_soc_get_volsw for sx controls um: init cpu_tasks[] earlier 
scsi: lpfc: Fix reusing an ndlp that is marked NLP_DROPPED during FLOGI usb: xhci: Don't unchain link TRBs on quirky HCs platform/x86: wmi-gamezone: Add Legion Go 2 Quirks hwmon: (emc2305) fix device node refcount leak in error path hwmon: (emc2305) fix double put in emc2305_probe_childs_from_dt drm/msm/a6xx: move preempt_prepare_postamble after error check ublk: add helpers to check ublk_device flags ublk: clean up user copy references on ublk server exit rust/drm/gem: Fix missing header in `Object` rustdoc rust: dma: add helpers for architectures without CONFIG_HAS_DMA samples: rust: fix endianness issue in rust_driver_pci rust: io: define ResourceSize as resource_size_t rust: io: move ResourceSize to top-level io module rust: io: add typedef for phys_addr_t clk: keystone: syscon-clk: fix regmap leak on probe failure printk: Avoid scheduling irq_work on suspend sched_ext: Fix the memleak for sch->helper objects sched_ext: Fix bypass depth leak on scx_enable() failure dt-bindings: clock: mmcc-sdm660: Add missing MDSS reset phy: exynos5-usbdrd: fix clock prepare imbalance efi: Add missing static initializer for efi_mm::cpus_allowed_lock crypto: scatterwalk - Fix memcpy_sglist() to always succeed printk: Allow printk_trigger_flush() to flush all types printk: Avoid irq_work for printk_deferred() on suspend block: Remove queue freezing from several sysfs store callbacks mm/huge_memory: add pmd folio to ds_queue in do_huge_zero_wp_pmd() crash: let architecture decide crash memory export to iomem_resource usb: typec: ucsi: huawei-gaokin: add DRM dependency f2fs: clean up w/ get_left_section_blocks() f2fs: fix to not account invalid blocks in get_left_section_blocks() media: iris: Add sanity check for stop streaming KVM: selftests: Forcefully override ARCH from x86_64 to x86 KVM: Fix last_boosted_vcpu index assignment bug KVM: TDX: Explicitly set user-return MSRs that *may* be clobbered by the TDX-Module KVM: x86: Apply runtime updates to current CPUID during 
KVM_SET_CPUID{,2} KVM: selftests: Add missing "break" in rseq_test's param parsing xfs: fix the zoned RT growfs check for zone alignment xfs: validate that zoned RT devices are zone aligned arm64/gcs: Flush the GCS locking state on exec ALSA: hda/realtek: Add Asus quirk for TAS amplifiers NFSD: Clear TIME_DELEG in the suppattr_exclcreat bitmap cgroup: rstat: use LOCK CMPXCHG in css_rstat_updated gpio: loongson: Switch 2K2000/3000 GPIO to BYTE_CTRL_MODE crypto: arm64/ghash - Fix incorrect output from ghash-neon zloop: fail zone append operations that are targeting full zones zloop: make the write pointer of full zones invalid vfio: Fix ksize arg while copying user struct in vfio_df_ioctl_bind_iommufd() rtla/timerlat_bpf: Stop tracing on user latency pwm: rzg2l-gpt: Allow checking period_tick cache value only if sibling channel is enabled lib/crypto: riscv: Depend on RISCV_EFFICIENT_VECTOR_UNALIGNED_ACCESS UBUNTU: [Config] Disable accelerated crypto for riscv64 by default io_uring/rsrc: fix lost entries after cloned range ARM: dts: microchip: sama7d65: fix uart fifo size to 32 fuse: fix io-uring list corruption for terminated non-committed requests fuse: missing copy_finish in fuse-over-io-uring argument copies ice: add missing ice_deinit_hw() in devlink reinit path arp: do not assume dev_hard_header() does not change skb->head firmware: imx: scu-irq: Set mu_resource_id before get handle tpm: Compare HMAC values in constant time keys/trusted_keys: fix handle passed to tpm_buf_append_name during unseal intel_th: fix device leak on output open() UBUNTU: Upstream stable to v6.18.2, v6.12.64, v6.18.3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2142250/+subscriptions
[Bug 2148734] Re: AMD Radeon 780M generates constant drm events on battery
** Description changed: Hardware: + Laptop: ASUS Vivobook 18 M1807HA - - Laptop: ASUS Vivobook 18 M1807HA + GPU: AMD Radeon 780M (integrated) - - GPU: AMD Radeon 780M (integrated) + CPU: AMD Ryzen 7 260 - - CPU: AMD Ryzen 7 260 + Kernel: 6.17.0-20-generic - - Kernel: 6.17.0-20-generic - - - Distribution: Ubuntu 24.04 + Distribution: Ubuntu 24.04 Issue: When running on battery power, the GPU generates constant drm/card1 change events every 30-40 seconds, triggering device notification sounds in GNOME. - Steps to reproduce: + Unplug AC adapter - - Unplug AC adapter + Run sudo udevadm monitor - - Run sudo udevadm monitor - - - - Observe constant KERNEL change /devices/.../drm/card1 (drm) events + Observe constant KERNEL change /devices/.../drm/card1 (drm) events Observations: + Only happens on battery power - - Only happens on battery power + Does not happen when AC adapter is plugged in - - Does not happen when AC adapter is plugged in - - - power_dpm_force_performance_level remains unchanged during events - - Setting amdgpu.runpm=0 does not resolve the issue + Setting amdgpu.runpm=0 does not resolve the issue - - No error messages in dmesg + No error messages in dmesg Expected behavior: GPU should not generate constant change events on battery power. 
Logs: - Output of 'sudo udevadm monitor' while on battery: - KERNEL[1192.228486] change /devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm) UDEV [1192.261376] change /devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm) KERNEL[1231.346665] change /devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm) UDEV [1231.370399] change /devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm) + Output of `sudo udevadm monitor` while on battery: + ``` + KERNEL[1192.228486] change/devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm) + UDEV [1192.261376] change/devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm) + KERNEL[1231.346665] change/devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm) + UDEV [1231.370399] change/devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm) + ``` - These events repeat every 60-120 seconds continuously while unplugged. No such events occur when AC adapter is connected. + These events repeat every 60-120 seconds continuously while unplugged. + No such events occur when AC adapter is connected. -- You received this bug notification because you are subscribed to linux in Ubuntu. Matching subscriptions: Bgg, Bmail, Nb https://bugs.launchpad.net/bugs/2148734 Title: AMD Radeon 780M generates constant drm events on battery Status in linux package in Ubuntu: New Bug description: Hardware: Laptop: ASUS Vivobook 18 M1807HA GPU: AMD Radeon 780M (integrated) CPU: AMD Ryzen 7 260 Kernel: 6.17.0-20-generic Distribution: Ubuntu 24.04 Issue: When running on battery power, the GPU generates constant drm/card1 change events every 30-40 seconds, triggering device notification sounds in GNOME. 
Steps to reproduce:
Unplug AC adapter
Run sudo udevadm monitor
Observe constant KERNEL change /devices/.../drm/card1 (drm) events

Observations:
Only happens on battery power
Does not happen when AC adapter is plugged in
power_dpm_force_performance_level remains unchanged during events
Setting amdgpu.runpm=0 does not resolve the issue
No error messages in dmesg

Expected behavior: GPU should not generate constant change events on battery power.

Logs:
Output of `sudo udevadm monitor` while on battery:
```
KERNEL[1192.228486] change/devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm)
UDEV [1192.261376] change/devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm)
KERNEL[1231.346665] change/devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm)
UDEV [1231.370399] change/devices/pci0000:00/0000:00:08.1/0000:03:00.0/drm/card1 (drm)
```
These events repeat every 60-120 seconds continuously while unplugged.
No such events occur when AC adapter is connected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2148734/+subscriptions
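Review bot: In the Logs part of the description change, the four re-fenced `udevadm monitor` lines on the + side read `change/devices/pci0000:00/...`, while the - side has `change /devices/pci0000:00/...`; the space between the action and the device path was lost in the edit, so the fenced output no longer matches what was captured. Restore the space inside the fence. The description also still says the events arrive "every 30-40 seconds" under Issue and "every 60-120 seconds" under Logs, and this edit would be the place to reconcile the two figures.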
[Bug 2139276] Re: [usrmerge] evaluate kernel owned packages for DEP17 compliance
** Also affects: wireless-regdb (Ubuntu)
   Importance: Undecided
   Status: New

--
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2139276

Title:
  [usrmerge] evaluate kernel owned packages for DEP17 compliance

Status in alsa-driver package in Ubuntu: Triaged
Status in linux package in Ubuntu: Fix Released
Status in linux-firmware package in Ubuntu: Invalid
Status in linux-firmware-xilinx-ap1302 package in Ubuntu: New
Status in linux-firmware-xilinx-vcu package in Ubuntu: New
Status in nouveau-firmware package in Ubuntu: New
Status in nvidia-imex-580 package in Ubuntu: New
Status in wireless-regdb package in Ubuntu: New

Bug description:
The following packages have been identified as having a possible issue related to usr-merge. DEP-17 describes the issue and problems at length[0]. The check done was not perfect, and may lead to false positives.

The following was run to identify possible packages, further refined with slight pruning of obvious false positives:

  apt-file search --package-only --regexp '^/(sbin|bin|lib|lib32|lib64|libx32)/*'

Lintian, when run on a suitably new system (such as within a resolute build environment), will provide some errors related to usr-merge.

An example of a Lintian error from busybox:

  E: busybox-static: aliased-location [bin/]
  E: busybox-static: aliased-location [bin/static-sh]

Please evaluate the following packages for any issues dictated in DEP17. If any package below is not a part of the Kernel set, please let me know and I'll file separate bugs for those packages (a bunch are nvidia based, and I'm not sure who is owning them)

[0] https://dep-team.pages.debian.net/deps/dep17/

alsa-driver
fabric-manager-570
fabric-manager-580
fabric-manager-590
linux
linux-firmware-xilinx-ap1302
linux-firmware-xilinx-vcu
linux-realtime
linux-restricted-modules
linux-restricted-modules-aws
linux-restricted-modules-azure
linux-restricted-modules-gcp
linux-restricted-modules-oracle
linux-restricted-signatures
linux-riscv
nouveau-firmware
nvidia-graphics-drivers-580
nvidia-graphics-drivers-580-server
nvidia-graphics-drivers-590
nvidia-graphics-drivers-590-server
nvidia-imex-570
nvidia-imex-580
nvidia-imex-590
nvidia-prime

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/2139276/+subscriptions
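The aliased-location check described in the report above, as an added example that is not part of the original bug report: it applies the quoted pattern and a stricter one (both through Python's `re`) to constructed package file lists, showing the kind of false positive the trailing `/*` lets through. The stricter pattern, the function names, the `example-*` packages and all paths except `bin/static-sh` are assumptions of this example.

```python
import re

# Pattern exactly as quoted in the bug description. "/*" means "zero or more
# slashes", so the directory name need not end at a path boundary.
PAGE_PATTERN = re.compile(r"^/(sbin|bin|lib|lib32|lib64|libx32)/*")

# Stricter variant (assumption of this example): the aliased directory name
# must be a whole path component, optionally followed by "/..." content.
ALIASED_DIRS = ("bin", "sbin", "lib", "lib32", "lib64", "libx32")
STRICT_PATTERN = re.compile(r"^/(%s)(/.*)?$" % "|".join(ALIASED_DIRS))


def normalize(path):
    """Accept '/bin/x', 'bin/x' (lintian style) or './bin/x' (tar style)."""
    path = path.strip()
    if path.startswith("./"):
        path = path[1:]
    elif not path.startswith("/"):
        path = "/" + path
    # Collapse repeated slashes so '/lib64//ld.so' compares equal to '/lib64/ld.so'.
    return re.sub(r"/{2,}", "/", path)


def audit(file_lists):
    """Map package -> [(aliased path, canonical /usr path)] for real hits."""
    findings = {}
    for pkg, paths in file_lists.items():
        hits = []
        for raw in paths:
            p = normalize(raw)
            if STRICT_PATTERN.match(p):
                hits.append((p, "/usr" + p))
        if hits:
            findings[pkg] = hits
    return findings


def false_positives(file_lists):
    """Paths the quoted pattern reports that are not in an aliased directory."""
    out = []
    for pkg, paths in file_lists.items():
        for raw in paths:
            p = normalize(raw)
            if PAGE_PATTERN.search(p) and not STRICT_PATTERN.match(p):
                out.append((pkg, p))
    return out


# Constructed sample input; only busybox-static's bin/ entries come from the
# Lintian output quoted in the report, the rest is hypothetical.
SAMPLE = {
    "busybox-static": [
        "bin/",
        "bin/static-sh",
        "usr/share/doc/busybox-static/copyright",
    ],
    "example-firmware": [
        "./lib/firmware/example.bin",
        "./usr/lib/firmware/other.bin",
    ],
    "example-tools": [
        "/libexec/example-helper",
        "/usr/bin/example",
    ],
}

if __name__ == "__main__":
    for pkg, hits in audit(SAMPLE).items():
        for path, target in hits:
            print(f"{pkg}: {path} -> {target}")
    for pkg, path in false_positives(SAMPLE):
        print(f"false positive from quoted pattern: {pkg}: {path}")
```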
[Bug 2147400] Re: Remount ext4 to readonly with data=journal mode may dump call trace
I've verified both noble and questing kernels:

- noble
uname -a
Linux noble-vm 6.8.0-114-generic #114-Ubuntu SMP PREEMPT_DYNAMIC Wed Apr 15 12:25:17 UTC 2026 x86_64 x86_64 x86_64 GNU/Linux

- questing
uname -a
Linux questing-vm 6.17.0-24-generic #24-Ubuntu SMP PREEMPT_DYNAMIC Sun Apr 12 03:07:31 UTC 2026 x86_64 GNU/Linux

The issue can no longer be reproduced.

** Tags removed: verification-needed-noble-linux verification-needed-questing-linux
** Tags added: verification-done-noble-linux verification-done-questing-linux

--
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2147400

Title:
  Remount ext4 to readonly with data=journal mode may dump call trace

Status in linux package in Ubuntu: In Progress
Status in linux source package in Noble: In Progress
Status in linux source package in Questing: In Progress

Bug description:

[Impact]
When the journal is filled with some data and the filesystem is remounted read-only in data=journal mode, it may dump the following call trace:

[ 71.629350] CPU: 0 UID: 0 PID: 177 Comm: kworker/u96:5 Tainted: G E 6.19.0-rc7 #1 PREEMPT(voluntary)
[ 71.629352] Tainted: [E]=UNSIGNED_MODULE
[ 71.629353] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS unknown 2/2/2022
[ 71.629354] Workqueue: writeback wb_workfn (flush-7:4)
[ 71.629359] RIP: 0010:ext4_journal_check_start+0x8b/0xd0
[ 71.629360] Code: 31 ff 45 31 c0 45 31 c9 e9 42 ad c4 00 48 8b 5d f8 b8 fb ff ff ff c9 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 c3 cc cc cc cc <0f> 0b b8 e2 ff ff ff eb c2 0f 0b eb a9 44 8b 42 08 68 c7 53 ce b8
[ 71.629361] RSP: 0018:ffffcf32c0fdf6a8 EFLAGS: 00010202
[ 71.629364] RAX: ffff8f08c8505000 RBX: ffff8f08c67ee800 RCX: 0000000000000000
[ 71.629366] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 71.629367] RBP: ffffcf32c0fdf6b0 R08: 0000000000000001 R09: 0000000000000000
[ 71.629368] R10: ffff8f08db18b3a8 R11: 0000000000000000 R12: 0000000000000000
[ 71.629368] R13: 0000000000000002 R14: 0000000000000a48 R15: ffff8f08c67ee800
[ 71.629369] FS: 0000000000000000(0000) GS:ffff8f0a7d273000(0000) knlGS:0000000000000000
[ 71.629370] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 71.629371] CR2: 00007b66825905cc CR3: 000000011053d004 CR4: 0000000000772ef0
[ 71.629374] PKRU: 55555554
[ 71.629374] Call Trace:
[ 71.629378] <TASK>
[ 71.629382] __ext4_journal_start_sb+0x38/0x1c0
[ 71.629383] mpage_prepare_extent_to_map+0x4af/0x580
[ 71.629389] ? sbitmap_get+0x73/0x180
[ 71.629399] ext4_do_writepages+0x3cc/0x10a0
[ 71.629400] ? kvm_sched_clock_read+0x11/0x20
[ 71.629409] ext4_writepages+0xc8/0x1b0
[ 71.629410] ? ext4_writepages+0xc8/0x1b0
[ 71.629411] do_writepages+0xc4/0x180
[ 71.629416] __writeback_single_inode+0x45/0x350
[ 71.629419] ? _raw_spin_unlock+0xe/0x40
[ 71.629423] writeback_sb_inodes+0x260/0x5c0
[ 71.629425] ? __schedule+0x4d1/0x1870
[ 71.629429] __writeback_inodes_wb+0x54/0x100
[ 71.629431] ? queue_io+0x82/0x140
[ 71.629433] wb_writeback+0x1ab/0x330
[ 71.629448] wb_workfn+0x31d/0x410
[ 71.629450] process_one_work+0x191/0x3e0
[ 71.629455] worker_thread+0x2e3/0x420

[Fix]
This upstream commit fixes the issue:
https://github.com/torvalds/linux/commit/f4a2b42e78914ff15630e71289adc589c3a8eb45

All the discussions are in this thread:
https://lore.kernel.org/all/20260128074515.2028982-1-gerald.yang@canonical.com/

[Test Plan]
This can be easily reproduced by the following script:

mkdir -p mnt
dd if=/dev/zero of=ext4disk bs=1G count=2 oflag=direct
mkfs.ext4 ext4disk
tune2fs -o journal_data ext4disk
mount ext4disk mnt
fio --name=fiotest --rw=randwrite --bs=4k --runtime=3 --ioengine=libaio --iodepth=128 --numjobs=4 --filename=mnt/fiotest --filesize=1G --group_reporting
mount -o remount,ro ext4disk mnt
sync

[Where problems could occur]
When the call trace happens, no data is lost; all the dirty data has been flushed to the file system before remounting. The fix is to make sure the folio state is correct and update the xarray, so the writeback thread won't be triggered if there is no dirty data. So if something really goes wrong, there still won't be data lost, even after remounting it to read-write mode again.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2147400/+subscriptions
[Bug 2148742] Re: R9 m370x amdgpu bug
** Also affects: linux
   Importance: Undecided
       Status: New

--
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2148742

Title:
  R9 m370x amdgpu bug

Status in Linux:
  New
Status in linux package in Ubuntu:
  New

Bug description:
in ubuntu 26.04 daily the new linux kernel and amdgpu is causing a conflict with the r9 m370x in the macbook pro 2015. it crashes the whole computer even trying to start the installer. to replicate this bug get a macbook pro 2015 with a r9 and try to start the ubuntu 26.04 daily live image. this appears to be some type of graphics bug.

To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/2148742/+subscriptions
[Bug 1982483]
(In reply to Ernst Persson from comment #40)
> Did your message get cut off or you are uncertain? :-)
>
> I will try it out next week or so, perhaps I can work it into a kernel patch
> if it works.

You can try adding quirk to this machine.
ALC274_FIXUP_HP_ENVY_GPIO

--
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/1982483

Title:
  No sound from built-in speakers HP Pavilion All-in-One Desktop 27-ca1xxx (ALC274)

Status in Linux:
  Confirmed
Status in alsa-driver package in Ubuntu:
  New
Status in linux package in Ubuntu:
  New

Bug description:
I have tried:
options snd-hda-intel model=alc285-hp-amp-init
options snd-hda-intel model=alc274-dell-aio
and newer kernels up to 5.19-rc6.

21: PCI 1f.3: 0403 Audio device
  [Created at pci.386]
  Unique ID: nS1_.2CriaNVEdN5
  SysFS ID: /devices/pci0000:00/0000:00:1f.3
  SysFS BusID: 0000:00:1f.3
  Hardware Class: sound
  Device Name: "Onboard - Sound"
  Model: "Intel Audio device"
  Vendor: pci 0x8086 "Intel Corporation"
  Device: pci 0x7ad0
  SubVendor: pci 0x103c "Hewlett-Packard Company"
  SubDevice: pci 0x89e9
  Revision: 0x11
  Driver: "snd_hda_intel"
  Driver Modules: "snd_hda_intel"
  Memory Range: 0x6105238000-0x610523bfff (rw,non-prefetchable)
  Memory Range: 0x6105000000-0x61050fffff (rw,non-prefetchable)
  IRQ: 161 (1098 events)
  Module Alias: "pci:v00008086d00007AD0sv0000103Csd000089E9bc04sc03i80"
  Driver Info #0:
    Driver Status: snd_hda_intel is active
    Driver Activation Cmd: "modprobe snd_hda_intel"
  Driver Info #1:
    Driver Status: snd_sof_pci_intel_tgl is active
    Driver Activation Cmd: "modprobe snd_sof_pci_intel_tgl"
  Config Status: cfg=new, avail=yes, need=no, active=unknown

<6>[ 3.582352] snd_hda_codec_realtek hdaudioC0D0: autoconfig for ALC274: line_outs=1 (0x17/0x0/0x0/0x0/0x0) type:speaker
<6>[ 3.582359] snd_hda_codec_realtek hdaudioC0D0: speaker_outs=0 (0x0/0x0/0x0/0x0/0x0)
<6>[ 3.582362] snd_hda_codec_realtek hdaudioC0D0: hp_outs=1 (0x21/0x0/0x0/0x0/0x0)
<6>[ 3.582364] snd_hda_codec_realtek hdaudioC0D0: mono: mono_out=0x0
<6>[ 3.582366] snd_hda_codec_realtek hdaudioC0D0: inputs:
<6>[ 3.582367] snd_hda_codec_realtek hdaudioC0D0: Mic=0x19
<6>[ 3.582369] snd_hda_codec_realtek hdaudioC0D0: Internal Mic=0x12

Alsa-info:
https://alsa-project.org/db/?f=ed6190cfc9d9eb1c758c6c3106dd236b150f5b31

Here is a kernel bug report:
https://bugzilla.kernel.org/show_bug.cgi?id=216139

---
ProblemType: Bug
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC1: ernst 1560 F.... pulseaudio
 /dev/snd/controlC0: ernst 1560 F.... pulseaudio
CRDA: N/A
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 22.04
InstallationDate: Installed on 2022-06-15 (143 days ago)
InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
MachineType: HP HP Pavilion All-in-One Desktop 27-ca1xxx
NonfreeKernelModules: nvidia_modeset nvidia
Package: linux (not installed)
ProcFB: 0 i915drmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.0.0-1006-oem root=UUID=72ea78e1-7744-4fcc-b63c-3aa577c86a80 ro quiet splash ibt=off mitigations=off vt.handoff=7
ProcVersionSignature: Ubuntu 6.0.0-1006.6-oem 6.0.0
RelatedPackageVersions:
 linux-restricted-modules-6.0.0-1006-oem N/A
 linux-backports-modules-6.0.0-1006-oem N/A
 linux-firmware 20220329.git681281e4-0ubuntu3.6
Tags: jammy wayland-session
Uname: Linux 6.0.0-1006-oem x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin lxd plugdev sambashare sudo
_MarkForUpload: True
dmi.bios.date: 02/09/2022
dmi.bios.release: 15.2
dmi.bios.vendor: AMI
dmi.bios.version: F.02
dmi.board.name: 89E9
dmi.board.vendor: HP
dmi.board.version: 0100
dmi.chassis.type: 13
dmi.chassis.vendor: HP
dmi.ec.firmware.release: 1.16
dmi.modalias: dmi:bvnAMI:bvrF.02:bd02/09/2022:br15.2:efr1.16:svnHP:pnHPPavilionAll-in-OneDesktop27-ca1xxx:pvr:rvnHP:rn89E9:rvr0100:cvnHP:ct13:cvr:sku661Q7EA#UUW:
dmi.product.family: 103C_53311M HP Pavilion
dmi.product.name: HP Pavilion All-in-One Desktop 27-ca1xxx
dmi.product.sku: 661Q7EA#UUW
dmi.sys.vendor: HP
modified.conffile..etc.default.apport: [modified]
mtime.conffile..etc.default.apport: 2022-06-15T22:28:44.879144

To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/1982483/+subscriptions
[Bug 2148718] Re: intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest Resolute kernels, breaking Secure Boot systems
** Changed in: linux (Ubuntu Resolute)
   Importance: Undecided => High

--
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2148718

Title:
  intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest Resolute kernels, breaking Secure Boot systems

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Resolute:
  In Progress

Bug description:
Affects: Ubuntu 26.04 (Resolute Raccoon)

---

Description:
On kernel 7.0.0-13 and 7.0.0-14, the webcam stopped working on my XPS 13 9350 Lunar Lake laptop (sensor: OV02C10) with Secure Boot enabled. The intel-ipu7 and intel-ipu7-isys modules are shipped unsigned, so the kernel refuses to load them under Secure Boot.

---

Expected:
Staging modules are signed by the Ubuntu kernel build and should load successfully with Secure Boot enabled.

Actual:
Webcam is non-functional on Secure Boot systems unless modules are manually MOK-signed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2148718/+subscriptions
[Bug 2141536] Re: Some powerpc test from ubuntu_kernel_selftests timeout with 45 seconds
** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

--
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2141536

Title:
  Some powerpc test from ubuntu_kernel_selftests timeout with 45 seconds

Status in ubuntu-kernel-tests:
  New
Status in linux package in Ubuntu:
  New

Bug description:
SRU Justification:

[Impact]
Some PowerPC tests from Ubuntu_kernel_selftests keep timing out.

[Fix]
Backport upstream patchset:
https://lore.kernel.org/all/20241106130453.1741013-1-mpe@ellerman.id.au

[Test Plan]
Running all the kernel selftests for the PowerPC platform to see if they still time out.

[Where problems could occur]
The patches may introduce new test failures due to improved error detection that may reveal that previously passing tests now fail.

[Other Info]
Original bug report:
Issue found on J/N. Questing is affected by another build issue (bug 2129844)

J/linux 5.15.0-171.181 on power9-lpar:202504-36689:
* powerpc/stringloops:memcmp_64 - not ok 1 selftests: powerpc/stringloops: memcmp_64 # TIMEOUT 45 seconds

N/linux 6.8.0-101.101 on power9-lpar:202504-36688:
* powerpc/mm:hugetlb_vs_thp_test - not ok 1 selftests: powerpc/mm: hugetlb_vs_thp_test # TIMEOUT 45 seconds
* powerpc/stringloops:memcmp_64 - not ok 1 selftests: powerpc/stringloops: memcmp_64 # TIMEOUT 45 seconds
* powerpc/security:spectre_v2 - not ok 1 selftests: powerpc/security: spectre_v2 # TIMEOUT 45 seconds

I think https://github.com/torvalds/linux/commit/5543d595954eefb3a6faa18a6dc7b1b3d6022052 might be able to fix this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/2141536/+subscriptions
[Bug 2148718] Re: intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest Resolute kernels, breaking Secure Boot systems
so this is caused by the intel-ipu7 being from staging, and those are not signed by default

** Changed in: linux (Ubuntu Resolute)
       Status: Incomplete => In Progress

--
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2148718

Title:
  intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest Resolute kernels, breaking Secure Boot systems

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Resolute:
  In Progress

Bug description:
Affects: Ubuntu 26.04 (Resolute Raccoon)

---

Description:
On kernel 7.0.0-13 and 7.0.0-14, the webcam stopped working on my XPS 13 9350 Lunar Lake laptop (sensor: OV02C10) with Secure Boot enabled. The intel-ipu7 and intel-ipu7-isys modules are shipped unsigned, so the kernel refuses to load them under Secure Boot.

---

Expected:
Staging modules are signed by the Ubuntu kernel build and should load successfully with Secure Boot enabled.

Actual:
Webcam is non-functional on Secure Boot systems unless modules are manually MOK-signed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2148718/+subscriptions
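A check for the condition this report describes, as an added example that is not part of the bug report or of Ubuntu's tooling: it inspects a module file for the appended-signature trailer the kernel looks for (the `~Module signature appended~` marker preceded by a 12-byte `struct module_signature`). The function names and the sample bytes are constructed for illustration.

```python
"""Classify a kernel module by its appended-signature trailer (added example)."""
import gzip, lzma, struct, subprocess, sys

MAGIC = b"~Module signature appended~\n"   # MODULE_SIG_STRING, 28 bytes
TRAILER = struct.Struct(">8BI")            # struct module_signature, 12 bytes
PKEY_ID_PKCS7 = 2                          # the only id_type the kernel accepts


def signature_status(data: bytes) -> str:
    """Return 'unsigned', 'malformed' or 'signed' for decompressed .ko bytes.

    'signed' only means a well-formed trailer is present; whether the PKCS#7
    blob verifies against a trusted key is decided by the kernel at load time.
    """
    if not data.endswith(MAGIC):
        return "unsigned"
    body = data[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        return "malformed"
    *fields, sig_len = TRAILER.unpack(body[-TRAILER.size:])
    algo, hash_, id_type, signer_len, key_id_len, *pad = fields
    # The signature must fit in front of the trailer; an empty one cannot verify.
    if sig_len == 0 or sig_len >= len(body) - TRAILER.size:
        return "malformed"
    # For PKCS#7 signatures every other trailer field must be zero.
    if id_type != PKEY_ID_PKCS7 or any([algo, hash_, signer_len, key_id_len, *pad]):
        return "malformed"
    return "signed"


def read_module(path: str) -> bytes:
    """Read a module; .xz/.gz are decompressed in-process, .zst via the zstd CLI."""
    if path.endswith(".zst"):
        return subprocess.run(["zstd", "-dc", path], check=True,
                              capture_output=True).stdout
    opener = lzma.open if path.endswith(".xz") else \
        gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        return fh.read()


def make_sample(signed: bool, sig_len_field=None) -> bytes:
    """Constructed stand-in for a .ko: fake ELF bytes plus an optional trailer."""
    elf = b"\x7fELF" + bytes(64)
    sig = b"\x30\x82" + bytes(30)          # placeholder, not a real signature
    if not signed:
        return elf
    n = len(sig) if sig_len_field is None else sig_len_field
    return elf + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, 0, 0, 0, n) + MAGIC


if __name__ == "__main__":
    # Usage: python3 modsig.py <module files>; falls back to constructed samples.
    for path in sys.argv[1:]:
        print(f"{signature_status(read_module(path)):9} {path}")
    if len(sys.argv) == 1:
        print(signature_status(make_sample(False)), signature_status(make_sample(True)))
```

A result of `unsigned` for a module that the running kernel needs is the situation the report describes on Secure Boot systems; `modinfo` on the same file will likewise show no signer fields.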
Sunday
[Bug 2144976] Re: no file /etc/default/grub
Hi ! Same issue but I have another file instead of grub called grub.prime-backup…

--
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2144976

Title:
  no file /etc/default/grub

Status in linux package in Ubuntu:
  Confirmed

Bug description:
the file /etc/default/grub is not here

jpb@jpb-B760M-U26: ~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Resolute Raccoon (development branch)
Release: 26.04
Codename: resolute
jpb@jpb-B760M-U26: ~ $ uname -a
Linux jpb-B760M-U26.04 7.0.0-7-generic #7-Ubuntu SMP PREEMPT_DYNAMIC Thu Mar 12 11:34:39 UTC 2026 x86_64 GNU/Linux
jpb@jpb-B760M-U26: ~ $
jpb@jpb-B760M-U26: ~ $ ls -als /etc/default/g*
total 12
4 drwxr-xr-x 2 root root 4096 Mar 13 06:32 .
4 drwxr-xr-x 4 root root 4096 Mar 18 08:15 ..
4 -rw-r--r-- 1 root root 133 Feb 11 23:26 kdump-tools.cfg

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2144976/+subscriptions
[Bug 2148168] Re: Fix headset mic not present on Framework laptop with Realtek ALC285
Verified linux-oem-6.17/6.17.0-1019.19 on FRM13-DVT1-PTL7, the headset mic is working.

There is an internal speaker and two mics, internal mic (selected) and headset mic, w/o plugging in the headset yet.
Plugging in the headset, there are 2 speakers, headphone and internal speaker, and 2 mics, internal and headset mic.

** Tags removed: verification-needed-noble-linux-oem-6.17
** Tags added: verification-done-noble-linux-oem-6.17

--
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2148168

Title:
  Fix headset mic not present on Framework laptop with Realtek ALC285

Status in HWE Next:
  New
Status in linux package in Ubuntu:
  Fix Committed
Status in linux-oem-6.17 package in Ubuntu:
  Invalid
Status in linux source package in Noble:
  Invalid
Status in linux-oem-6.17 source package in Noble:
  Fix Committed
Status in linux source package in Resolute:
  Fix Committed
Status in linux-oem-6.17 source package in Resolute:
  Invalid

Bug description:

[Impact]
Another Framework platform with Realtek ALC285 audio solution has no headset microphone when plugging in the headset.

[Fix]
Backport the upstream fix:
bac1e57adf08 ("ALSA: hda/realtek: add quirk for Framework F111:000F")

[Test Case]
1. Boot up the machine of new Framework platforms with Realtek audio codec
2. Plug in the headset and the headset mic should be seen on the audio input device list
3. Record the audio clip with `arecord` with headset plugged.

[Where problems could occur]
It adds the quirk for particular SSIDs of the audio solution. No regression expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/2148168/+subscriptions
[Bug 2147494] Re: Fix speaker mute led on a HP EliteBoard G1a platform
This bug is awaiting verification that the linux-oem-6.17/6.17.0-1019.19 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-noble-linux-oem-6.17' to 'verification-done-noble-linux-oem-6.17'. If the problem still exists, change the tag 'verification-needed-noble-linux-oem-6.17' to 'verification-failed-noble-linux-oem-6.17'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-noble-linux-oem-6.17-v2 verification-needed-noble-linux-oem-6.17

--
You received this bug notification because you are subscribed to linux in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2147494

Title:
  Fix speaker mute led on a HP EliteBoard G1a platform

Status in HWE Next:
  New
Status in linux package in Ubuntu:
  Fix Committed
Status in linux-oem-6.17 package in Ubuntu:
  New
Status in linux source package in Noble:
  Invalid
Status in linux-oem-6.17 source package in Noble:
  Fix Committed
Status in linux source package in Resolute:
  Fix Committed
Status in linux-oem-6.17 source package in Resolute:
  New

Bug description:
SRU Justification:

[Impact]
New HP platform with Realtek ALC3315+TAS2783 audio solution fails to toggle the speaker mute led accordingly while the speaker mute function works w/o problem. This SRU includes fix for the particular SSID only (NexusX)

[Fix]
Backport the upstream fix:
d3be95efc6a1 ("ALSA: hda/realtek - Fixed Speaker Mute LED for HP EliteBoard G1a platform")

[Test Case]
1. Boot up the machine of new HP platforms NexusX
2. Press Fn+F1 for speaker mute function
3. Click led lights up/down in accordance with the speaker mute functions.

[Where problems could occur]
It fixes the quirk for particular SSIDs of the audio solution. No regression expected.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hwe-next/+bug/2147494/+subscriptions