Dear Maintainer,
* What led up to the situation?
I have a kvm with linux-image-6.1.0-43-amd64 running vdr and femon.
On the host I do echo vfio-pci >/sys/bus/pci/devices/0000:$PCI/driver_override.
Then I give the DVB Adapter to the kvm.
It works, if I boot linux-image-6.12.63+deb13-amd64 on the host.
If it works dmesg on the kvm says:
05:00.0 Multimedia controller: Digital Devices GmbH Octopus DVB Adapter
dmesg:
[ 2.443770] dvbdev: DVB: registering new adapter (DDBridge)
[ 2.443772] dvbdev: DVB: registering new adapter (DDBridge)
...
[ 2.694180] ddbridge 0000:05:00.0: attach tuner input 0 adr 60
[ 2.694183] ddbridge 0000:05:00.0: DVB: registering adapter 0 frontend 0 (STV090x Multistandard)...
...
[ 2.738542] ddbridge 0000:05:00.0: attach tuner input 1 adr 63
[ 2.738545] ddbridge 0000:05:00.0: DVB: registering adapter 1 frontend 0 (STV090x Multistandard)...
It does not work, if I boot linux-image-6.12.73+deb13-amd64 on the host.
If it does not work dmesg on the kvm says:
[ 2.413879] ddbridge 0000:05:00.0: detected Digital Devices Cine S2 V6 DVB adapter
[ 2.413901] ddbridge 0000:05:00.0: cannot read registers
[ 2.414569] ddbridge 0000:05:00.0: fail
If I run femon it says:
femon: opening frontend failed: No such file or directory
Hi,
Given you have the range 6.12.63 (good) .. 6.12.73 (bad), can you
1. confirm if 6.12.74-2 still as well is broken and if so
2. would you be able to bisect the upstream changes between 6.12.63 and 6.12.73 to identify the commit which introduces this regression for you? (Do you need instructions for that?).
Regards,
Salvatore
Hi Salvatore,
On Wednesday, 18.03.2026 at 13:41 +0100, Salvatore Bonaccorso wrote:
Yes I confirm, that the same problem exists with:
ii linux-image-6.12.74+deb13+1-amd64 6.12.74-2
Yes, I need instructions how I can find the relevant change.
Regards
Bernd
Hi Bernd,
Thanks for the confirmation.
So first thanks if you find time to do that work, that is great. Here
are the instructions, it will involve doing some rounds of compiling
and testing kernels as follows:
git clone --single-branch -b linux-6.12.y https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
cd linux-stable
git checkout v6.12.63
cp /boot/config-$(uname -r) .config
yes '' | make localmodconfig
make savedefconfig
mv defconfig arch/x86/configs/my_defconfig
# test 6.12.63 to ensure this is "good"
make my_defconfig
make -j $(nproc) bindeb-pkg
... install the resulting .deb package and confirm problem does not exist
# test 6.12.73 to ensure this is "bad"
git checkout v6.12.73
make my_defconfig
make -j $(nproc) bindeb-pkg
... install the resulting .deb package and confirm problem exists.
With that confirmed, the bisection can start:
git bisect start
git bisect good v6.12.63
git bisect bad v6.12.73
In each bisection step git checks out a state between the oldest
known-bad and the newest known-good commit. In each step test using:
make my_defconfig
make -j $(nproc) bindeb-pkg
... install, verify if problem exists
and if the problem is hit run:
git bisect bad
and if the problem doesn't trigger run:
git bisect good
Please pay attention to always select the just built kernel for
booting, it won't always be the default kernel picked up by grub.
Iterate until git announces to have identified the first bad commit.
Then provide the output of
git bisect log
In the course of the bisection you might have to uninstall previous
kernels again to not exhaust the disk space in /boot. Also in the end
uninstall all self-built kernels again.
Hope this helps so far.
Regards,
Salvatore
Hi Salvatore,
Thanks for the clear instructions.
git bisect log says:
git bisect start
# Status: warte auf guten und schlechten Commit
# good: [567bd8cbc2fe6b28b78864cbbbc41b0d405eb83c] Linux 6.12.63
git bisect good 567bd8cbc2fe6b28b78864cbbbc41b0d405eb83c
# Status: warte auf schlechten Commit, 1 guter Commit bekannt
# bad: [5fb0303f6cb6a89bcfb19bd7a68cb793c86e78b2] Linux 6.12.73
git bisect bad 5fb0303f6cb6a89bcfb19bd7a68cb793c86e78b2
# good: [b1dd6860167667008c3b6f27628d071dc3daaf04] smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value
git bisect good b1dd6860167667008c3b6f27628d071dc3daaf04
# good: [1baa43ebca626aa607a03b1c0023ebac5374e62d] octeontx2-af: Fix error handling
git bisect good 1baa43ebca626aa607a03b1c0023ebac5374e62d
# good: [3845bd336a406cb7c609b515e6ee4c8818053f69] net/sched: act_ife: convert comma to semicolon
git bisect good 3845bd336a406cb7c609b515e6ee4c8818053f69
# bad: [2901d799a26d949ccf648a6c176a0091a7f1c0ed] ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU
git bisect bad 2901d799a26d949ccf648a6c176a0091a7f1c0ed
# bad: [b9b97e6aeb534315f9646b2090d1a5024c6a4e82] procfs: avoid fetching build ID while holding VMA lock
git bisect bad b9b97e6aeb534315f9646b2090d1a5024c6a4e82
# good: [b8ea101959ab1a46c92be46c238283b0fe60252e] pmdomain: imx: gpcv2: Fix the imx8mm gpu hang due to wrong adb400 reset
git bisect good b8ea101959ab1a46c92be46c238283b0fe60252e
# good: [dfc3ab6bd64860f8022d69903be299d09be86e11] mm, shmem: prevent infinite loop on truncate race
git bisect good dfc3ab6bd64860f8022d69903be299d09be86e11
# bad: [9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7] ublk: fix deadlock when reading partition table
git bisect bad 9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7
# good: [ff48c9312d042bfbe826ca675e98acc6c623211c] KVM: Don't clobber irqfd routing type when deassigning irqfd
git bisect good ff48c9312d042bfbe826ca675e98acc6c623211c
# bad: [d288ba832d92d16f7db0f6996ffbde2e79190ffe] tools/power turbostat: fix GCC9 build regression
git bisect bad d288ba832d92d16f7db0f6996ffbde2e79190ffe
# bad: [58130e7ce6cb6e1f73221e412fef6c85ee561425] PCI/ERR: Ensure error recoverability at all times
git bisect bad 58130e7ce6cb6e1f73221e412fef6c85ee561425
# first bad commit: [58130e7ce6cb6e1f73221e412fef6c85ee561425] PCI/ERR: Ensure error recoverability at all times
Hope the output of the bisect helps
Regards,
Bernd
Hi Bernd,
Sorry for the late reply. relation.
The commit you point out was as well in 6.18.10 and 6.19-rc1, so might you please test as well the kernel in unstable (6.19.8-1) to see if you can trigger the problem as well?
Secondly: Can you confirm, if you revert this commit specifically on top of the packaging, it fixes the issue you are facing?
To build a kernel with single patches on top of the current packaging you can use the debian/bin/test-patches script, cf. https://kernel-team.pages.debian.net/kernel-handbook/ch-common-tasks.html#id-1.6.6.4
Regards,
Salvatore
On Sunday, 22.03.2026 at 09:27 +0100, Salvatore Bonaccorso wrote:
Installing linux-{image,modules,base,binary}-6.19.8+deb14-amd64_6.19.8-1_amd64.deb
and booting 6.19.8+deb14-amd64 (6.19.8-1) works without the
described issues.
packages without further conflicts.
The commit changes bus.c and pci.c
drivers/pci/bus.c:
+ pci_save_state(dev);
drivers/pci/pci.c
- if (!dev->state_saved)
- return;
Yes I can confirm. If I run 6.12.73 with the commit reverted:
everything works
(cd linux-stable; git checkout v6.12.73)
(cd linux-stable; git revert --no-edit 58130e7ce6cb6e1f73221e412fef6c85ee561425)
(cd linux-stable; make my_defconfig)
(cd linux-stable; make -j $(nproc) bindeb-pkg)
# sudo dpkg -i linux-image-6.12.73+_6.12.73-00001-g051b1435d070-17_amd64.deb -> good
I also have retested, if I run without reverting the commit: it does
not work:
(cd linux-stable; git checkout v6.12.73)
(cd linux-stable; make my_defconfig)
(cd linux-stable; make -j $(nproc) bindeb-pkg)
# sudo dpkg -i linux-image-6.12.73_6.12.73-15_amd64.deb -> bad
But I am happy that it works with the unstable kernel.
So I think the future is ok.
I can live with the unstable kernel until then.
Regards
Bernd
Hi Bernd, Thanks for this confirmation! I will forward the bugreport upstream including you in case there are followup questions. Regards, Salvatore
Hi,
Bernd Schumacher reported in Debian (report and report from bisection
in https://bugs.debian.org/1131025) a 6.12.y specific regression of
58130e7ce6cb ("PCI/ERR: Ensure error recoverability at all times"):
https://bugs.debian.org/1131025#29 contains the bisect log:
| git bisect log says:
|
| git bisect start
| # Status: warte auf guten und schlechten Commit
| # good: [567bd8cbc2fe6b28b78864cbbbc41b0d405eb83c] Linux 6.12.63
| git bisect good 567bd8cbc2fe6b28b78864cbbbc41b0d405eb83c
| # Status: warte auf schlechten Commit, 1 guter Commit bekannt
| # bad: [5fb0303f6cb6a89bcfb19bd7a68cb793c86e78b2] Linux 6.12.73
| git bisect bad 5fb0303f6cb6a89bcfb19bd7a68cb793c86e78b2
| # good: [b1dd6860167667008c3b6f27628d071dc3daaf04] smb/client: fix
| NT_STATUS_UNABLE_TO_FREE_VM value
| git bisect good b1dd6860167667008c3b6f27628d071dc3daaf04
| # good: [1baa43ebca626aa607a03b1c0023ebac5374e62d] octeontx2-af: Fix
| error handling
| git bisect good 1baa43ebca626aa607a03b1c0023ebac5374e62d
| # good: [3845bd336a406cb7c609b515e6ee4c8818053f69] net/sched: act_ife:
| convert comma to semicolon
| git bisect good 3845bd336a406cb7c609b515e6ee4c8818053f69
| # bad: [2901d799a26d949ccf648a6c176a0091a7f1c0ed] ALSA: hda/realtek:
| Fix headset mic for TongFang X6AR55xU
| git bisect bad 2901d799a26d949ccf648a6c176a0091a7f1c0ed
| # bad: [b9b97e6aeb534315f9646b2090d1a5024c6a4e82] procfs: avoid
| fetching build ID while holding VMA lock
| git bisect bad b9b97e6aeb534315f9646b2090d1a5024c6a4e82
| # good: [b8ea101959ab1a46c92be46c238283b0fe60252e] pmdomain: imx:
| gpcv2: Fix the imx8mm gpu hang due to wrong adb400 reset
| git bisect good b8ea101959ab1a46c92be46c238283b0fe60252e
| # good: [dfc3ab6bd64860f8022d69903be299d09be86e11] mm, shmem: prevent
| infinite loop on truncate race
| git bisect good dfc3ab6bd64860f8022d69903be299d09be86e11
| # bad: [9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7] ublk: fix deadlock
| when reading partition table
| git bisect bad 9bcc47343ee0ef346aa7b2b460c8ff56bd882fe7
| # good: [ff48c9312d042bfbe826ca675e98acc6c623211c] KVM: Don't clobber
| irqfd routing type when deassigning irqfd
| git bisect good ff48c9312d042bfbe826ca675e98acc6c623211c
| # bad: [d288ba832d92d16f7db0f6996ffbde2e79190ffe] tools/power
| turbostat: fix GCC9 build regression
| git bisect bad d288ba832d92d16f7db0f6996ffbde2e79190ffe
| # bad: [58130e7ce6cb6e1f73221e412fef6c85ee561425] PCI/ERR: Ensure error
| recoverability at all times
| git bisect bad 58130e7ce6cb6e1f73221e412fef6c85ee561425
| # first bad commit: [58130e7ce6cb6e1f73221e412fef6c85ee561425] PCI/ERR:
| Ensure error recoverability at all times
And https://bugs.debian.org/1131025#43 confirms again the single
revert fixing the issue.
#regzbot introduced: 58130e7ce6cb6e1f73221e412fef6c85ee561425
#regzbot link: https://bugs.debian.org/1131025
Anything else we can provide to identify the issue present in 6.12.y
kernels?
Regards,
Salvatore
Thanks for the report and sorry for the breakage.
According to the Debian bug report, the issue only occurs on v6.12-stable. It does not affect v6.18 and v6.19.
I note that v6.12-stable commit 58130e7ce6cb differs from upstream commit a2f1e22390ac in that the call to pci_save_state() is at the top of pci_bus_add_device(), not in the middle of the function after pci_bridge_d3_update().
@Bernd, could you test whether moving the call to pci_save_state() as in the small patch below resolves the issue on v6.12-stable?
If it does, then the upstream commit was backported to v6.12 in an incorrect manner. If it does not, I need to dig deeper.
Thanks!
Lukas
TWIMC, "6.12.y specific" seems to be really the case here, to quote from https://bugs.debian.org/1131025:
"Installing linux-{image,modules,base,binary}-6.19.8+deb14-amd64_6.19.8-1_amd64.deb and booting 6.19.8+deb14-amd64 (6.19.8-1) works without the described issues."
similarly in the past; it's great. There is one thing that could make them a lot better: if you always make it unmistakably obvious (ideally at the top of the mail) if mainline is affected or not (here it was close, yes, but sadly some people write "specific" without ever testing mainline, so it was not unmistakably :-/ ).
Overall, it IMHO is best to keep this mental model: mainline and stable/longterm series are maintained by different people -- and those from one group do not care about the regressions the other party has to handle.
In practice it's of course way more nuanced: for example, many (but not all!) mainline developers help the stable team out somewhat, and some of them might even handle regression reports with longterm kernels; and the members of the stable team are mainline developers as well, so when a bug falls into their domain, it might not be important.
But to avoid delays or things falling through the cracks, it's really best to always check if mainline is affected – and report regressions like a mainline problem using a mainline version if they are and leave the stable team out of it, as they most likely will leave things to the mainline developers. And if it's stable-specific regression, state early that mainline is not affected.
Ciao, Thorsten
Thank you for your patch.
But ... Applying the patch to v6.12.73 did not help. (same errors).
Thanks!
Bernd
On Saturday, 28.03.2026 at 15:11 +0100, Lukas Wunner wrote:
Hm, could you provide full dmesg output please with "dyndbg=file drivers/pci/* +p" added to the kernel command line (the double quotes need to be included on the command line). Be sure to set CONFIG_DYNAMIC_DEBUG=y in .config when compiling the kernel. Ideally both for a non-working kernel such as 6.12.73 and for a working kernel such as 6.12.63. That should make it easier to root-cause the issue. Thank you! Lukas
On Saturday, 28.03.2026 at 20:14 +0100, Lukas Wunner wrote:
Please find attached the dmesg output created as you described.
As expected 6.12.63 is working and 6.12.73 is not working.
I hope you will find what you need.
Thank you!
Bernd
The above is from the non-working kernel version 6.12.73. The BAR at offset 0x14 in config space is restored and saved with a value of "all ones" here (0xffffffff). The working kernel version 6.12.63 is using "all zeroes" instead (0x00000000).
I'm guessing that the initial pci_save_state() that the offending commit inserted into device enumeration already saves the incorrect 0xffffffff value and that is subsequently restored by vfio-pci after resetting the device through a D0 -> D3hot -> D0 transition.
On the working kernel, the pci_restore_state() performed by vfio-pci probably becomes a no-op because no pci_save_state() was performed beforehand.
Question is where the incorrect BAR value is coming from. This could actually be a resource allocation issue that happens to manifest itself as a passthrough failure. It's not visible in the dmesg output because it is truncated.
Could you repeat this and add log_buf_len=16M to the kernel command line so that the dmesg output isn't truncated?
Thanks!
Lukas
On Sunday, 29.03.2026 at 18:22 +0200, Lukas Wunner wrote:
GRUB_CMDLINE_LINUX="\"dyndbg=file log_buf_len=16M drivers/pci/* +p\""
attached is the dmesg result for 6.12.73
Thanks
Bernd
Hi,
This doesn't look like a resource assignment issue to me.
HOWEVER, despite the assignment being successful, what is worth a note is that BAR 0 changes during resource fitting:
pci 0000:07:00.0: BAR 0 [mem 0xfffffffffc500000-0xfffffffffc50ffff 64bit]: can't claim; no compatible bridge window
pci 0000:07:00.0: BAR 0 [mem 0xfc500000-0xfc50ffff 64bit]: assigned
That is 0xffffffff -> 0x0 for the high order bits happens to match with the change Lukas noted (I've not dug deeply into the logs beyond checking the resource fitting/assignment results from the latest log).
Perhaps something on the save/restore side still holds the old value despite the resource & BAR were changed during resource fitting?
BIOS initially sets the BAR address to an incorrect value (the top 32 bits should be all zeroes instead of all ones)...
[...]
... this doesn't fit into the window of the bridge above the DVB card, which has the top 32 bits set to all zeroes...
... the kernel fixes the incorrect BAR, but it seems there's an ordering issue such that pci_save_state() is called beforehand.
It's weird that this doesn't occur with newer kernels and it would be good to understand why. I'm not seeing the ordering issue despite staring at the code for a while.
Below is a small debug patch. Could you apply that on top of v6.12.73 (or newer) and provide me with the resulting full dmesg output? The patch emits a stacktrace when correcting the BAR value as well as when saving and restoring config space of the DVB card. This should give a clue where the ordering issue originates from.
Please note that the log_buf_len=16M parameter needs to be put outside the double quotes of the dyndbg parameter, i.e.:
GRUB_CMDLINE_LINUX='log_buf_len=16M dyndbg="file drivers/pci/* +p"'
The dmesg output provided most recently no longer contained the dyndbg output, probably because log_buf_len was intermixed with the double quoted string.
Thanks for your continued patience in helping root-cause this issue!
Lukas
Sorry, here's the patch:
On Tue, 31 Mar 2026 15:09:34 +0200 Lukas Wunner <lukas@wunner.de> wrote:
Do we know this isn't occurring on newer kernels? If we have a bogus BAR address that later gets fixed, this seems like a fairly unique setup.
AIUI, we're saving the state via the call chain invoked by subsys_initcall(pcibios_init), but I think we're doing the resource fixes in fs_initcall(pcibios_assign_resources). That suggests that the saved state would have the bogus BAR values.
If we toss PM runtime into that mix, pci_pm_default_resume_early() will call pci_restore_state() however pci_save_state() in that file is mostly wrapped around pci_dev->state_saved guards. This suggests we likely won't save the reallocated state, but we will restore the pre-reallocated state.
Maybe this can be quickly validated by loading vfio-pci with the disable_idle_d3=1 option to avoid the PM transition.
Thanks,
Alex
https://bugs.debian.org/1131025
Hm, seems like a valid observation. But a call to pci_bus_add_devices() is generally preceded by a call to pci_assign_unassigned_root_bus_resources(), see e.g. pci_host_probe() or acpi_pci_root_add(). The latter is what's usually used on x86, whereas pcibios_init() (actually I think you meant pci_subsys_init()) is for legacy PCI initialization on x86.
Perhaps you're right and the correction of the BAR value happens in the fs_initcall. We should be able to confirm that once the reporter has tested the debug patch I provided, which inserts a dump_stack() in the BAR correction codepath as well as in pci_save_state().
The state_saved guards only serve the purpose of recognizing whether the driver called pci_save_state() on suspend. If it did not, the PCI core calls pci_save_state().
Thanks for taking a look!
Lukas
This looks wrong. Please make this: GRUB_CMDLINE_LINUX="\"dyndbg=file drivers/pci/* +p\" log_buf_len=16M" Best regards Uwe
On Wednesday, 01.04.2026 at 15:10 +0200, Uwe Kleine-König wrote:
Now the CMDLINE should be correct:
cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.12.73 root=/dev/mapper/vg00-lvroot2 ro "dyndbg=file drivers/pci/* +p" log_buf_len=16M quiet
The problem still exists.
The attached dmesg output is now larger.
Thanks
Bernd
Unfortunately this dmesg output was not generated with the debug patch I provided here: https://lore.kernel.org/all/acvIfI3naoGsOpFE@wunner.de/ It's missing the stack traces that the debug patch would have caused. Could you please repeat with the patch applied? Thanks, Lukas
On Wednesday, 01.04.2026 at 22:18 +0200, Lukas Wunner wrote:
dmesg with patch is now attached
/proc/cmdline:
BOOT_IMAGE=/boot/vmlinuz-6.12.73-dirty root=/dev/mapper/vg00-lvroot2 ro "dyndbg=file drivers/pci/* +p" log_buf_len=16M quiet
Thanks
Bernd
[cc += Alex, Ilpo]
Thank you Bernd!
If you cherry-pick these two upstream commits onto v6.12.73,
does the issue go away?
4d4c10f763d7 ("PCI: Explicitly put devices into D0 when initializing")
907a7a2e5bf4 ("PCI/PM: Set up runtime PM even for devices without PCI PM")
The second one is a fix for the first one.
I suspect that the first one is the reason why you are seeing
the issue on v6.12.73 but not on current mainline. The commit
went into v6.16 but was not backported to LTS kernels.
@Alex:
The commit sets pci_dev->current_state to PCI_D0 on device enumeration,
whereas previously it was PCI_UNKNOWN. This changes code paths in
a number of places. In particular:
vfio_pci_core_register_device()
vfio_pci_set_power_state()
... calls pci_restore_state() without a prior pci_save_state() if
current_state is PCI_UNKNOWN. The function doesn't do that for PCI_D0.
Also, there is a code comment in vfio_pci_core_register_device()
claiming that "pci-core sets the device power state to an unknown value
at bootup" which is no longer true since commit 4d4c10f763d7.
I recently had to deal with a regression in ASPM code which was
likewise caused by the subtle change of current_state from PCI_UNKNOWN
to PCI_D0, so my non-artificial neural network was trained to recognize
this pattern and seeing the current_state checks in vfio code thus
immediately looked suspicious to me:
https://bugzilla.kernel.org/show_bug.cgi?id=220705
Thanks,
Lukas
On Friday, 03.04.2026 at 16:58 +0200, Lukas Wunner wrote:
Yes, with the two patches together it works!!!
The diff of the two patches together is:
diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
index a00a2ce01045..4941f7ff95cb 100644
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -555,12 +555,6 @@ static void pci_pm_default_resume(struct pci_dev
*pci_dev)
pci_enable_wake(pci_dev, PCI_D0, false);
}
Hm, that's unexpected. I cooked up the patch below on Saturday but didn't immediately get around to sending it because of a security bug report that came in later that day. Could both of you, Alexandre and Bernd, give that patch a spin to see if it fixes the issue? I believe the patch should at least fix things for Bernd. If it doesn't fix things for you Alexandre, I'll have to dig deeper. Thanks! Lukas
On Monday, 13.04.2026 at 05:40 +0200, Lukas Wunner wrote:
I confirm, the patch applied to 6.12.73 works for me.
I also have saved the dmesg (if you need it, please ask for it)
Thanks!
Bernd
Thanks a lot, glad to hear that.
I'm curious what you did so that 4d4c10f763d7 wasn't sufficient to fix the issue. I'd be grateful if you could provide full dmesg output for analysis of a non-working kernel with this debug patch applied:
https://lore.kernel.org/all/acvIfI3naoGsOpFE@wunner.de/
and with the following added to the kernel command line
log_buf_len=16M dyndbg="file drivers/pci/* +p"
and with this option enabled in .config:
CONFIG_DYNAMIC_DEBUG=y
That would allow me to amend the commit message of the patch with a better explanation why simply backporting 4d4c10f763d7 is not sufficient as a fix.
Thanks!
Lukas
Bernd reports passthrough failure of a Digital Devices Cine S2 V6 DVB adapter plugged into an ASRock X570S PG Riptide board with BIOS version P5.41 (09/07/2023): ddbridge 0000:05:00.0: detected Digital Devices Cine S2 V6 DVB adapter ddbridge 0000:05:00.0: cannot read registers ddbridge 0000:05:00.0: fail BIOS assigns an incorrect BAR to the DVB adapter which doesn't fit into the upstream bridge window. The kernel corrects the BAR assignment: pci 0000:07:00.0: BAR 0 [mem 0xfffffffffc500000-0xfffffffffc50ffff 64bit]: can't claim; no compatible bridge window pci 0000:07:00.0: BAR 0 [mem 0xfc500000-0xfc50ffff 64bit]: assigned Correction of the BAR assignment happens in an x86-specific fs_initcall, pcibios_assign_resources(), after device enumeration in a subsys_initcall. This order was introduced at the behest of Linus in 2004: https://git.kernel.org/tglx/history/c/a06a30144bbc No other architecture performs such a late BAR correction. Bernd bisected the issue to commit a2f1e22390ac ("PCI/ERR: Ensure error recoverability at all times"), but it only occurs in the absence of commit 4d4c10f763d7 ("PCI: Explicitly put devices into D0 when initializing"). This combination exists in stable kernel v6.12.70, but not in mainline, hence Bernd cannot reproduce the issue with mainline. Since a2f1e22390ac, config space is saved on enumeration, prior to BAR correction. Upon passthrough, the corrected BAR is overwritten with the incorrect saved value by: vfio_pci_core_register_device() vfio_pci_set_power_state() pci_restore_state() But only if the device's current_state is PCI_UNKNOWN, as it was prior to commit 4d4c10f763d7. Since the commit, it is PCI_D0, which changes the behavior of vfio_pci_set_power_state() to no longer restore the state without saving it first. Alexandre is reporting the same issue as Bernd, but in his case, mainline is affected as well. 
The difference is that on Alexandre's system, the host kernel binds a driver to the device which is unbound prior to passthrough, whereas on Bernd's system no driver gets bound by the host kernel. Unbinding sets current_state to PCI_UNKNOWN in pci_device_remove(), so when vfio-pci is subsequently bound to the device, pci_restore_state() is once again called without invoking pci_save_state() first. To robustly fix the issue, always update saved_config_space upon resource assignment. Reported-by: Bernd Schumacher <bernd@bschu.de> Tested-by: Bernd Schumacher <bernd@bschu.de> Closes: https://lore.kernel.org/r/acfZrlP0Ua_5D3U4@eldamar.lan/ Reported-by: Alexandre N. <an.tech@mailo.com> Tested-by: Alexandre N. <an.tech@mailo.com> Closes: https://lore.kernel.org/r/dd3c3358-de0f-4a56-9c81-04aceaab4058@mailo.com/ Fixes: a2f1e22390ac ("PCI/ERR: Ensure error recoverability at all times") Signed-off-by: Lukas Wunner <lukas@wunner.de> Cc: stable@vger.kernel.org # v6.12+ --- drivers/pci/setup-res.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/pci/setup-res.c b/drivers/pci/setup-res.c index e5fcadf..1769ba9 100644 --- a/drivers/pci/setup-res.c +++ b/drivers/pci/setup-res.c @@ -102,6 +102,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno) } pci_write_config_dword(dev, reg, new); + dev->saved_config_space[reg / 4] = new; pci_read_config_dword(dev, reg, &check); if ((new ^ check) & mask) { @@ -112,6 +113,7 @@ static void pci_std_update_resource(struct pci_dev *dev, int resno) if (res->flags & IORESOURCE_MEM_64) { new = region.start >> 16 >> 16; pci_write_config_dword(dev, reg + 4, new); + dev->saved_config_space[(reg + 4) / 4] = new; pci_read_config_dword(dev, reg + 4, &check); if (check != new) { pci_err(dev, "%s: error updating (high %#010x != %#010x)\n",
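Review bot: in both hunks of pci_std_update_resource() the new assignment to dev->saved_config_space[] sits between pci_write_config_dword() and the pci_read_config_dword() read-back, so the cached copy is updated even when the check that follows ("(new ^ check) & mask" for the low dword, "check != new" for the high dword) finds that the device did not take the value. A later pci_restore_state() would then write the rejected value again. Consider moving each assignment below its read-back check, or state in the commit message that caching the unverified value is intended. A one-line comment above the first assignment, saying that the cache is kept in step because x86 corrects BARs after the initial save on enumeration, would also help readers who see this function without the commit message.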
Thank you!
In your case, the host kernel binds a driver to the device which is unbound prior to passthrough. Unbinding sets current_state to PCI_UNKNOWN and that makes the problem re-appear despite 4d4c10f763d7:
https://elixir.bootlin.com/linux/v6.19.11/source/drivers/pci/pci-driver.c#L484
On Bernd's system, the host kernel doesn't bind a driver to the DVB adapter, hence 4d4c10f763d7 is sufficient to make the issue disappear in his case. I guess if he'd unbind vfio-pci and rebind it, he'd see the problem again.
In any case, the patch is now submitted:
https://lore.kernel.org/r/febc3f354e0c1f5a9f5b3ee9ffddaa44caccf651.1776268054.git.lukas@wunner.de/
Thank you both for your efforts in reporting the bug and patiently providing log output for debugging!
Lukas
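The ordering problem explained in the patch description and the reply above, as an added user-space model; it is not kernel code and not part of the thread. The `model_*` names, the struct layout, the BAR type bits and the scenario flags are assumptions made for illustration; the BAR address, the all-ones high dword at offset 0x14 and the D0/UNKNOWN distinction are taken from the thread.

```c
/* Added illustration: user-space model of the stale saved BAR, not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum model_power_state { MODEL_PCI_D0, MODEL_PCI_UNKNOWN };

#define BAR0_LO (0x10 / 4)      /* BAR 0, low dword */
#define BAR0_HI (0x14 / 4)      /* BAR 0, high dword of the 64-bit BAR */
#define BAR_MEM_TYPE_64 0x4u    /* constructed: 64-bit memory BAR type bits */

struct model_dev {
    uint32_t config[16];              /* first 64 bytes of config space */
    uint32_t saved_config_space[16];  /* copy taken by "pci_save_state()" */
    enum model_power_state current_state;
};

static void model_save_state(struct model_dev *d)
{
    memcpy(d->saved_config_space, d->config, sizeof(d->config));
}

static void model_restore_state(struct model_dev *d)
{
    memcpy(d->config, d->saved_config_space, sizeof(d->config));
}

/* Enumeration: BIOS left all ones in the high dword; state is saved here
 * (behaviour since "PCI/ERR: Ensure error recoverability at all times"). */
static void model_enumerate(struct model_dev *d, enum model_power_state initial)
{
    memset(d, 0, sizeof(*d));
    d->config[BAR0_LO] = 0xfc500000u | BAR_MEM_TYPE_64;
    d->config[BAR0_HI] = 0xffffffffu;
    d->current_state = initial;
    model_save_state(d);
}

/* Late BAR correction (the x86 fs_initcall). With update_saved set, the
 * saved copy is refreshed as well, which is what the submitted fix does. */
static void model_update_bar(struct model_dev *d, uint64_t addr, bool update_saved)
{
    uint32_t lo = (uint32_t)addr | BAR_MEM_TYPE_64;
    uint32_t hi = (uint32_t)(addr >> 32);

    d->config[BAR0_LO] = lo;
    d->config[BAR0_HI] = hi;
    if (update_saved) {
        d->saved_config_space[BAR0_LO] = lo;
        d->saved_config_space[BAR0_HI] = hi;
    }
}

/* Host driver unbind: current_state goes back to unknown. */
static void model_driver_unbind(struct model_dev *d)
{
    d->current_state = MODEL_PCI_UNKNOWN;
}

/* Passthrough: state is restored without a prior save only when the
 * power state is unknown, as described for vfio_pci_set_power_state(). */
static void model_vfio_register(struct model_dev *d)
{
    if (d->current_state == MODEL_PCI_UNKNOWN)
        model_restore_state(d);
    d->current_state = MODEL_PCI_D0;
}

/* Runs one boot-to-passthrough sequence and returns the BAR 0 high dword
 * the guest ends up with: 0 is correct, 0xffffffff is the stale BIOS value. */
static uint32_t model_scenario(enum model_power_state initial,
                               bool host_driver_unbound, bool fix_applied)
{
    struct model_dev d;

    model_enumerate(&d, initial);
    model_update_bar(&d, 0xfc500000ULL, fix_applied);
    if (host_driver_unbound)
        model_driver_unbind(&d);
    model_vfio_register(&d);
    return d.config[BAR0_HI];
}

int main(void)
{
    printf("UNKNOWN at enumeration, no fix:      %#010x\n",
           model_scenario(MODEL_PCI_UNKNOWN, false, false));
    printf("D0 at enumeration, no fix:           %#010x\n",
           model_scenario(MODEL_PCI_D0, false, false));
    printf("D0, host driver unbound, no fix:     %#010x\n",
           model_scenario(MODEL_PCI_D0, true, false));
    printf("D0, host driver unbound, with fix:   %#010x\n",
           model_scenario(MODEL_PCI_D0, true, true));
    printf("UNKNOWN at enumeration, with fix:    %#010x\n",
           model_scenario(MODEL_PCI_UNKNOWN, false, true));
    return 0;
}
```

The first three rows correspond to Bernd's v6.12.73 host, the same host with 4d4c10f763d7 applied, and Alexandre's case where a host driver is unbound first.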
Hi Lukas, I'm wondering if there's something that makes this problem specific to only standard BARs? Can other resources, namely IOV resources or bridge windows, similarly be updated "too late" and not get correctly updated into the saved config space?
[...]
IOV registers are not saved, they're reconstructed from pci_dev->resource[]:
pci_restore_iov_state()
sriov_restore_state()
pci_update_resource()
pci_iov_update_resource()
Bridge windows are saved when portdrv probes (see call to pci_save_state()
in pcie_portdrv_probe()) and that happens after the fs_initcall() because
portdrv is registered from a device_initcall(). So those should be fine
as well.
(FWIW sashiko also flagged the bridge windows not getting saved as an
(alleged) problem.)
Thanks for taking a look!
Lukas
Okay, fair. It feels a bit odd they're all handled differently (not a problem when it comes to this patch). Maybe it would make sense to eventually restore them all from the pci_dev's resource array. Add something like pci_restore_resources() that would restore all the resources that are relevant for the type. I don't know if that's doable when it comes to the order of things, especially with sriov, but if doable, it would prevent them ever getting out of sync again and would avoid the trouble of having to save them elsewhere.
[...]
I did consider restoring standard BARs from pci_dev->resource[], but the calculations and iterations involved looked expensive to me, compared to the cheap copying from pci_dev->saved_config_space[] that we currently do. It didn't look like something that lends itself well for a fix that needs to be backported.
A different approach that I'm dwelling on is to amend accessors such as pci_write_config_dword() to update pci_dev->saved_config_space[] implicitly if the offset in config space is < 64. And also implicitly update pci_dev->saved_cap_space[]. The former is easy, the latter isn't. The end goal would be to remove pci_save_state() everywhere, except to populate the saved state once on enumeration.
I think originally the idea was, we go to system sleep, so we save state. We resume, we restore state. But then error handling came along and that means we cannot always save the state before reset recovery, so ideally we want to save whenever we write to config space so that cache is never stale.
I'm thinking of having a helper in <linux/pci.h> to determine whether a register write needs to be saved. Basically, return true for everything with offset < 64 and for Control registers in capabilities, return false for everything else such as Status registers. By having that in a header, the compiler could deduce at compile time whether saving is necessary or can be skipped.
The problem is that to save registers in capabilities, the hlist needs to be searched, which is expensive. Maybe we can speed it up by using an xarray. Or cache the offset of all capabilities whose registers are saved. We already cache e.g. aer_cap, but other offsets are not cached. Hmmmm...
Thanks,
Lukas
Top-posting, to make this easy to process: Bjorn, sorry for bothering you, but I wondered: is below patch still in your review queue? It fixes a regression that made it to a longterm series that two people reported. Ciao, Thorsten
[+cc Thorsten, thanks for the reminder!] a2f1e22390ac appeared in v6.19. Applied this fix to pci/for-linus for v7.1, thanks!
We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1131025@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 11 May 2026 16:11:08 +0200
Source: linux
Architecture: source
Version: 7.1~rc3-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1119093 1131025
Changes:
linux (7.1~rc3-1~exp1) experimental; urgency=medium
.
* New upstream release candidate.
- wifi: ath5k: do not access array OOB (Closes: #1119093)
- PCI: Update saved_config_space upon resource assignment (Closes: #1131025)
.
[ Agathe Porte ]
* d/watch: migrate to version 5
.
[ Loïc Minier ]
* [arm64] Enable Qualcomm Monaco platforms: add PINCTRL_QCS8300,
QCS_GCC_8300, INTERCONNECT_QCOM_QCS8300 as builtins.
* [arm64] Enable Qualcomm Talos platforms: add PINCTRL_QCS615, QCS_GCC_615,
INTERCONNECT_QCOM_QCS615 as builtins.
* [arm64] Enable configs for Qualcomm RB1 boards: change QCOM_CLK_SMD_RPM,
QCM_GCC_2290, QCOM_MPM, QCOM_APCS_IPC, PINCTRL_QCM2290,
RPMSG_QCOM_GLINK_SMEM, QCOM_SMEM and QCOM_SMD_RPM as
built-in (instead of modules) and enable CLK_QCM2290_GPUCC as module.
.
[ Han Gao ]
* [riscv64] Enable CMA and DMA_CMA. Set CMA_SIZE_MBYTES=64
.
[ Weizhao Ouyang ]
* [arm64] Enable BST platform support
.
[ Sjoerd Simons ]
* [arm64] Enable AIR_EN8811H_PHY as module
Format: 1.8
Date: Fri, 15 May 2026 08:13:13 +0200
Source: linux
Architecture: source
Version: 7.0.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1119093 1131025
Changes:
linux (7.0.7-1) unstable; urgency=high
.
* New upstream stable update: https://www.kernel.org/pub/linux/kernel/v7.x/ChangeLog-7.0.5 https://www.kernel.org/pub/linux/kernel/v7.x/ChangeLog-7.0.6 https://www.kernel.org/pub/linux/kernel/v7.x/ChangeLog-7.0.7 - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() - ipmi: Add limits to event and receive message requests - ipmi: Check event message buffer response for bad data - ipmi:si: Return state to normal if message allocation fails - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free - [arm64] ACPI: arm64: cpuidle: Tolerate platforms with no deep PSCI idle states - ACPI: scan: Use acpi_dev_put() in object add error paths - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug - ACPI: video: force native backlight on HP OMEN 16 (8A44) - tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() - iommufd: Fix a race with concurrent allocation and unmap - ASoC: SOF: Don't allow pointer operations on unconfigured streams - wifi: mt76: mt7925: fix incorrect TLV length in CLC command - [arm64,armhf] spi: rockchip: fix controller deregistration - ksmbd: rewrite stop_sessions() with restartable iteration - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN - flow_dissector: do not dissect PPPoE PFC frames - smb: client/smbdirect: fix MR registration for coalesced SG lists - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked - exit: prevent preemption of oopsing TASK_DEAD task - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr - wifi: mt76: mt7925: fix incorrect length field in txpower command - wifi: mt76: mt7921: fix a potential clc buffer length underflow - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work - wifi: b43legacy: enforce bounds check on firmware key index in RX path - wifi: mac80211: drop stray 'static' from fast-RX rx_result 
- wifi: rsi: fix kthread lifetime race between self-exit and external-stop - wifi: mac80211: use safe list iteration in radar detect work - wifi: ath5k: do not access array OOB (Closes: #1119093) - wifi: mac80211: remove station if connection prep fails - wifi: b43: enforce bounds check on firmware key index in b43_rx() - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task - usb: usblp: fix heap leak in IEEE 1284 device ID via short response - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl - ALSA: usb-audio: midi2: Restart output URBs on resume - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() - ALSA: usb-audio: Fix UAC3 cluster descriptor size check - usb: dwc3: Move GUID programming after PHY initialization - USB: omap_udc: DMA: Don't enable burst 4 mode - USB: serial: option: add Telit Cinterion LE910Cx compositions - usb: ulpi: fix memory leak on ulpi_register() error paths - usb: typec: tcpm: fix debug accessory mode detection for sink ports - ALSA: hda: cs35l56: Propagate ASP TX source control errors - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger - ALSA: hda/realtek: Fix speaker silence after S3 resume on Xiaomi Mi Laptop Pro 15 - ALSA: firewire-tascam: Do not drop unread control events - ALSA: core: Serialize deferred fasync state checks - ALSA: seq: Fix UMP group 16 filtering - [amd64] x86/efi: Restore IRQ state in EFI page fault handler - sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters - xfrm: provide message size for XFRM_MSG_MAPPING - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() - xfrm: ah: account for ESN high bits in async callbacks - selinux: fix avdcache auditing - selinux: use sk blob accessor in socket permission helpers - selinux: don't reserve xattr slot when we won't fill it - selinux: shrink critical section in sel_write_load() - selinux: prune 
/sys/fs/selinux/checkreqprot - selinux: prune /sys/fs/selinux/disable - selinux: prune /sys/fs/selinux/user - selinux: allow multiple opens of /sys/fs/selinux/policy - io_uring/kbuf: support min length left for incremental buffers - io_uring/tw: serialize ctx->retry_llist with ->uring_lock - [loong64] KVM: Fix missing EMULATE_FAIL in kvm_emu_mmio_read() - Bluetooth: virtio_bt: clamp rx length before skb_put - Bluetooth: virtio_bt: validate rx pkt_type header length - Bluetooth: btmtk: validate WMT event SKB length before struct access - Bluetooth: hci_conn: fix potential UAF in create_big_sync - Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() - rust: drm: gem: clean up GEM state in init failure case - rust: allow `clippy::collapsible_match` globally - rust: allow `clippy::collapsible_if` globally - rust: pin-init: internal: move alignment check to `make_field_check` - [armhf] spi: sun4i: fix controller deregistration - [armhf] spi: ti-qspi: fix controller deregistration - spi: sun6i: fix controller deregistration - [arm64,armhf] spi: tegra114: fix controller deregistration - [arm64,armhf] spi: tegra20-sflash: fix controller deregistration - staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc - staging: vme_user: fix root device leak on init failure - fanotify: fix false positive on permission events - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() - [arm64] signal: Preserve POR_EL0 if poe_context is missing - mm/hugetlb_cma: round up per_node before logging it - [loong64] Fix SYM_SIGFUNC_START definition for 32BIT - [loong64] KVM: Compile switch.S directly into the kernel - net: rtnetlink: zero 
ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo - mptcp: pm: ADD_ADDR rtx: skip inactive subflows - [amd64] perf/x86/intel: Improve validation and configuration of ACR masks - rseq: Set rseq::cpu_id_start to 0 on unregistration - rseq: Protect rseq_reset() against interrupts - rseq: Don't advertise time slice extensions if disabled - [amd64] accel/ivpu: Disallow re-exporting imported GEM objects - sound: ua101: fix division by zero at probe - [ppc64el] pseries/papr-hvpipe: Fix race with interrupt handler - [ppc64el] pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace - [ppc64el] pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle() - [ppc64el] pseries/papr-hvpipe: Fix & simplify error handling in papr_hvpipe_init() - [ppc64el] pseries/papr-hvpipe: Fix the usage of copy_to_user() - net: libwx: fix VF illegal register access - ip6_gre: Use cached t->net in ip6erspan_changelink(). - net: libwx: use request_irq for VF misc interrupt - netpoll: pass buffer size to egress_dev() to avoid MAC truncation - net/rds: handle zerocopy send cleanup before the message is queued - net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler - ovl: fix verity lazy-load guard broken by fsverity_active() semantic change - [amd64] x86/efi: Fix graceful fault handling after FPU softirq changes - hwmon: (ltc2992) Clamp threshold writes to hardware range - hwmon: (ltc2992) Fix u32 overflow in power read path - clk: rk808: fix OF node reference imbalance - hwmon: (corsair-psu) Close HID device on probe errors - af_unix: Reject SIOCATMARK on non-stream sockets - [arm64] fpsimd: ptrace: zero target's fpsimd_state, not the tracer's - pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy() - block: add pgmap check to biovec_phys_mergeable - block: fix zone write plug removal - block: only read from sqe on initial invocation of blkdev_uring_cmd() - cifs: abort open_cached_dir if we don't request 
leases - cifs: change_conf needs to be called for session setup - extcon: ptn5150: handle pending IRQ events during system resume - fbcon: Avoid OOB font access if console rotation fails - gpio: of: clear OF_POPULATED on hog nodes in remove path - hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS - hv_sock: fix ARM64 support - hv_sock: Report EOF instead of -EIO for FIN - hv_sock: Return -EIO for malformed/short packets - ibmveth: Disable GSO for packets with small MSS - ice: fix double free in ice_sf_eth_activate() error path - tracefs: Fix default permissions not being applied on initial mount - udf: reject descriptors with oversized CRC length - [amd64] x86/boot/e820: Re-enable BIOS fallback if e820 table is empty - thermal: core: Free thermal zone ID later during removal - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata - thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp - tracing/fprobe: Avoid kcalloc() in rcu_read_lock section - tracing/fprobe: Remove fprobe from hash in failure path - tracing/fprobe: Unregister fprobe even if memory allocation fails - tracing/probes: Limit size of event probe to 3K - tracing/fprobe: Check the same type fprobe on table as the unregistered one - [riscv64] clk: microchip: mpfs-ccc: fix out of bounds access during output registration - [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table - [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop - [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens - [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed - btrfs: do not mark inode incompressible after inline attempt fails - btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak - btrfs: fix double free in create_space_info() error path - btrfs: fix double free in create_space_info_sub_group() error path - btrfs: fix missing last_unlink_trans update when removing a directory - 
dm-thin: fix metadata refcount underflow - dm: don't report warning when doing deferred remove - dm: fix a buffer overflow in ioctl processing - eventfs: Hold eventfs_mutex and SRCU when remount walks events - dm-verity-fec: correctly reject too-small FEC devices - dm-verity-fec: correctly reject too-small hash devices - dm-verity-fec: fix corrected block count stat - dm-verity-fec: fix reading parity bytes split across blocks (take 3) - dm-verity-fec: fix the size of dm_verity_fec_io::erasures - isofs: validate Rock Ridge CE continuation extent against volume size - isofs: validate block number from NFS file handle in isofs_export_iget - [amd64] iommu/vt-d: Block PASID attachment to nested domain with dirty tracking - [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update - lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() - lib/crc: tests: Make crc_kunit test only the enabled CRC variants - lib/scatterlist: fix length calculations in extract_kvec_to_sg - lib/scatterlist: fix temp buffer in extract_user_to_sg() - libceph: Fix slab-out-of-bounds access in auth message processing - md/raid10: fix divide-by-zero in setup_geo() with zero far_copies - nvme-apple: drop invalid put of admin queue reference count - nvmet-tcp: fix race between ICReq handling and queue teardown - nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free - openvswitch: vport: fix self-deadlock on release of tunnel ports - pmdomain: core: Fix detach procedure for virtual devices in genpd - psp: strip variable-length PSP header in psp_dev_rcv() - RDMA/hns: Fix unlocked call to hns_roce_qp_remove() - [riscv64] kvm: fix vector context allocation leak - [s390x] debug: Reject zero-length input in debug_input_flush_fn() - [s390x] debug: Reject zero-length input before trimming a newline - scsi: mpt3sas: Limit NVMe request size to 2 MiB - smb/client: fix out-of-bounds read in smb2_compound_op() - smb/client: fix out-of-bounds read in symlink_data() - smb: client: 
use kzalloc to zero-initialize security descriptor buffer - smb: client: validate dacloffset before building DACL pointers - [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls - [amd64] KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty - mm/damon/lru_sort: detect and use fresh enabled and kdamond_pid values - mm/damon/reclaim: detect and use fresh enabled and kdamond_pid values - mm/damon/stat: detect and use fresh enabled value - mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock - mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock - PCI: Update saved_config_space upon resource assignment (Closes: #1131025) - PCI/AER: Clear only error bits in PCIe Device Status - PCI/AER: Stop ruling out unbound devices as error source - PCI/ASPM: Fix pci_clear_and_set_config_dword() usage - power: supply: max17042: avoid overflow when determining health - [powerpc*] xive: fix kmemleak caused by incorrect chip_data lookup - [amd64] perf/x86/intel: Always reprogram ACR events to prevent stale masks - [amd64] perf/x86/intel: Disable PMI for self-reloaded ACR events - [amd64] perf/x86/intel: Enable auto counter reload for DMR - RDMA/ionic: bound node_desc sysfs read with %.64s - RDMA/ionic: Fix typo in format string - RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() - RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() - RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() - RDMA/mana: Validate rx_hash_key_len - RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() - RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() - RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() - RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() - RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads - RDMA/rxe: Reject unknown opcodes before ICRC processing - RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path - remoteproc: imx_rproc: Fix 
NULL vs IS_ERR() bug in imx_rproc_addr_init() - remoteproc: k3: Fix NULL vs IS_ERR() bug in k3_reserved_mem_init() - sched_ext: idle: Recheck prev_cpu after narrowing allowed mask - sched_ext: Use dsq->first_task instead of list_empty() in dispatch_enqueue() FIFO-tail - mptcp: fastclose msk when linger time is 0 - mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure - mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure - mptcp: sockopt: set timestamp flags on subflow socket, not msk - mptcp: sockopt: increase seq in mptcp_setsockopt_all_sf - mptcp: fix rx timestamp corruption on fastopen - mptcp: fix scheduling with atomic in timestamp sockopt - mptcp: pm: prio: skip closed subflows - mptcp: pm: kernel: reset fullmesh counter after flush - mptcp: pm: kernel: correctly retransmit ADD_ADDR ID 0 - mptcp: pm: ADD_ADDR rtx: allow ID 0 - mptcp: pm: ADD_ADDR rtx: fix potential data-race - mptcp: pm: ADD_ADDR rtx: always decrease sk refcount - mptcp: pm: ADD_ADDR rtx: free sk if last - mptcp: pm: ADD_ADDR rtx: resched blocked ADD_ADDR quicker - mptcp: pm: ADD_ADDR rtx: return early if no retrans - f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode() - f2fs: fix false alarm of lockdep on cp_global_sem lock - f2fs: fix fiemap boundary handling when read extent cache is incomplete - f2fs: fix fsck inconsistency caused by incorrect nat_entry flag usage - f2fs: fix incorrect file address mapping when inline inode is unwritten - f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks() - f2fs: fix node_cnt race between extent node destroy and writeback - f2fs: fix uninitialized kobject put in f2fs_init_sysfs() - f2fs: refactor f2fs_move_node_folio function - f2fs: fix inline data not being written to disk in writeback path - f2fs: fix fsck inconsistency caused by FGGC of node block - [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace - [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value - [arm64] KVM: arm64: Fix 
initialisation order in __pkvm_init_finalise() - [arm64] KVM: arm64: Fix FEAT_SPE_FnE to use PMSIDR_EL1.FnE, not PMSVer - [arm64] KVM: arm64: Fix FEAT_Debugv8p9 to check DebugVer, not PMUVer - [arm64] KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() - [loong64] Fix potential ADE in loongson_gpu_fixup_dma_hang() - [loong64] KVM: Cap KVM_CAP_NR_VCPUS by KVM_CAP_MAX_VCPUS - [loong64] KVM: Fix "unreliable stack" for kvm_exc_entry - [loong64] KVM: Fix HW timer interrupt lost when inject interrupt by software - [loong64] KVM: Move unconditional delay into timer clear scenery - [loong64] KVM: Use kvm_set_pte() in kvm_flush_pte() - [loong64] Use per-root-bridge PCIH flag to skip mem resource fixup - bpf: Fix use-after-free in arena_vm_close on fork - octeon_ep_vf: add NULL check for napi_build_skb() - mmc: core: Adjust MDT beyond 2025 - mmc: core: Add quirk for incorrect manufacturing date - mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs - crypto: qat - fix indentation of macros in qat_hal.c - crypto: qat - fix firmware loading failure for GEN6 devices - hfsplus: fix uninit-value by validating catalog record size - hfsplus: fix held lock freed on hfsplus_fill_super() - 8021q: use RCU for egress QoS mappings - 8021q: delete cleared egress QoS mappings - printk: add print_hex_dump_devel() - crypto: caam - guard HMAC key hex dumps in hash_digest_key - net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY() - net: stmmac: Prevent NULL deref when RX memory exhausted - rust: pin-init: fix incorrect accessor reference lifetime - [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache - ksmbd: validate inherited ACE SID length . 
[ Salvatore Bonaccorso ]
* ptrace: slightly saner 'get_dumpable()' logic
Format: 1.8
Date: Fri, 15 May 2026 11:52:56 +0200
Source: linux
Architecture: source
Version: 6.12.88-1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1119093 1131025 1135313
Changes:
linux (6.12.88-1) trixie-security; urgency=high
.
* New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.87 https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.12.88 - scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() - ipmi: Add limits to event and receive message requests - ipmi: Check event message buffer response for bad data - ipmi:si: Return state to normal if message allocation fails - fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free - ACPI: scan: Use acpi_dev_put() in object add error paths - ACPI: video: Add backlight=native quirk for Dell OptiPlex 7770 AIO - ACPI: CPPC: Fix related_cpus inconsistency during CPU hotplug - ACPI: video: force native backlight on HP OMEN 16 (8A44) - ASoC: SOF: Don't allow pointer operations on unconfigured streams - spi: rockchip: fix controller deregistration - ksmbd: rewrite stop_sessions() with restartable iteration - mm: convert mm_lock_seq to a proper seqcount - [amd64] x86: shadow stacks: proper error handling for mmap lock (CVE-2026-43109) - [amd64] x86/shstk: Prevent deadlock during shstk sigreturn - [amd64] KVM: x86: Fix shadow paging use-after-free due to unexpected GFN - [amd64] iommu/amd: Use atomic64_inc_return() in iommu.c - [amd64] iommu/amd: serialize sequence allocation under concurrent TLB invalidations (CVE-2026-43220) (Closes: #1135313) - flow_dissector: do not dissect PPPoE PFC frames - net: txgbe: fix RTNL assertion warning when remove module - net: af_key: zero aligned sockaddr tail in PF_KEY exports (CVE-2026-43088) - [amd64] KVM: SVM: check validity of VMCB controls when returning from SMM - net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked - Bluetooth: L2CAP: Fix deadlock in l2cap_conn_del() (CVE-2026-31499) - exit: prevent preemption of oopsing TASK_DEAD task - wifi: mt76: mt7925: fix AMPDU state handling in mt7925_tx_check_aggr - wifi: mt76: mt7925: fix incorrect length field in txpower command - wifi: mt76: mt7921: fix a potential 
clc buffer length underflow - wifi: mt76: mt7921: fix ROC abort flow interruption in mt7921_roc_work - wifi: b43legacy: enforce bounds check on firmware key index in RX path - wifi: mac80211: drop stray 'static' from fast-RX rx_result - wifi: rsi: fix kthread lifetime race between self-exit and external-stop - wifi: mac80211: use safe list iteration in radar detect work - wifi: ath5k: do not access array OOB (Closes: #1119093) - wifi: mac80211: remove station if connection prep fails - wifi: b43: enforce bounds check on firmware key index in b43_rx() - wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task - usb: usblp: fix heap leak in IEEE 1284 device ID via short response - usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl - ALSA: usb-audio: midi2: Restart output URBs on resume - ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() - ALSA: usb-audio: Fix UAC3 cluster descriptor size check - USB: omap_udc: DMA: Don't enable burst 4 mode - USB: serial: option: add Telit Cinterion LE910Cx compositions - usb: ulpi: fix memory leak on ulpi_register() error paths - ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger - ALSA: firewire-tascam: Do not drop unread control events - xfrm: provide message size for XFRM_MSG_MAPPING - xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete - ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() - xfrm: ah: account for ESN high bits in async callbacks - selinux: don't reserve xattr slot when we won't fill it - selinux: shrink critical section in sel_write_load() - selinux: prune /sys/fs/selinux/disable - Bluetooth: virtio_bt: clamp rx length before skb_put - Bluetooth: virtio_bt: validate rx pkt_type header length - Bluetooth: btmtk: validate WMT event SKB length before struct access - Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt - Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() - Bluetooth: 
L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() - [armhf] spi: sun4i: fix controller deregistration - [armhf] spi: ti-qspi: fix controller deregistration - spi: sun6i: fix controller deregistration - fanotify: fix false positive on permission events - [arm64] KVM: arm64: Fix kvm_vcpu_initialized() macro parameter - mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() - net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo - sound: ua101: fix division by zero at probe - net: libwx: fix VF illegal register access - ip6_gre: Use cached t->net in ip6erspan_changelink(). - net/rds: handle zerocopy send cleanup before the message is queued - net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler - hwmon: (ltc2992) Clamp threshold writes to hardware range - hwmon: (ltc2992) Fix u32 overflow in power read path - clk: rk808: fix OF node reference imbalance - hwmon: (corsair-psu) Close HID device on probe errors - af_unix: Reject SIOCATMARK on non-stream sockets - block: add pgmap check to biovec_phys_mergeable - cifs: abort open_cached_dir if we don't request leases - cifs: change_conf needs to be called for session setup - extcon: ptn5150: handle pending IRQ events during system resume - gpio: of: clear OF_POPULATED on hog nodes in remove path - hv_sock: fix ARM64 support - ibmveth: Disable GSO for packets with small MSS - ice: fix double free in ice_sf_eth_activate() error path - spi: microchip-core-qspi: fix controller deregistration - udf: reject descriptors with oversized CRC length - thermal: core: Free thermal zone ID later during removal - thermal/drivers/sprd: Fix temperature clamping in sprd_thm_temp_to_rawdata - thermal/drivers/sprd: Fix raw temperature clamping in sprd_thm_rawdata_to_temp - spi: topcliff-pch: fix controller deregistration - spi: topcliff-pch: fix use-after-free on unbind - clk: imx: imx8-acm: fix flags for acm clocks - clk: microchip: mpfs-ccc: fix out of 
bounds access during output registration
- cpuidle: powerpc: avoid double clear when breaking snooze
- [amd64] ASoC: amd: yc: Add HP OMEN Gaming Laptop 16-ap0xxx product line in quirk table
- [arm64] ASoC: qcom: q6apm-dai: reset queue ptr on trigger stop
- [arm64] ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens
- [arm64] ASoC: qcom: q6apm: remove child devices when apm is removed
- btrfs: fix double free in create_space_info() error path
- dm-thin: fix metadata refcount underflow
- dm: don't report warning when doing deferred remove
- dm: fix a buffer overflow in ioctl processing
- eventfs: Hold eventfs_mutex and SRCU when remount walks events
- dm-verity-fec: correctly reject too-small FEC devices
- dm-verity-fec: correctly reject too-small hash devices
- isofs: validate Rock Ridge CE continuation extent against volume size
- isofs: validate block number from NFS file handle in isofs_export_iget
- [arm64] iommu/arm-smmu-v3: Add a missing dma_wmb() for hitless STE update
- lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()
- lib/scatterlist: fix length calculations in extract_kvec_to_sg
- lib/scatterlist: fix temp buffer in extract_user_to_sg()
- libceph: Fix slab-out-of-bounds access in auth message processing
- md/raid10: fix divide-by-zero in setup_geo() with zero far_copies
- nvme-apple: drop invalid put of admin queue reference count
- nvmet-tcp: fix race between ICReq handling and queue teardown
- nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free
- openvswitch: vport: fix self-deadlock on release of tunnel ports
- pmdomain: core: Fix detach procedure for virtual devices in genpd
- [arm64] RDMA/hns: Fix unlocked call to hns_roce_qp_remove()
- [s390x] debug: Reject zero-length input in debug_input_flush_fn()
- smb/client: fix out-of-bounds read in smb2_compound_op()
- smb/client: fix out-of-bounds read in symlink_data()
- smb: client: use kzalloc to zero-initialize security descriptor buffer
- smb: client: validate dacloffset before building DACL pointers
- [amd64] KVM: x86: check for nEPT/nNPT in slow flush hypercalls
- mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock
- PCI: Update saved_config_space upon resource assignment (Closes: #1131025)
- PCI/AER: Clear only error bits in PCIe Device Status
- PCI/AER: Stop ruling out unbound devices as error source
- PCI/ASPM: Fix pci_clear_and_set_config_dword() usage
- power: supply: max17042: avoid overflow when determining health
- RDMA/mana: Fix error unwind in mana_ib_create_qp_rss()
- RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss()
- RDMA/mana: Validate rx_hash_key_len
- RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq()
- RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
- RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp()
- RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads
- RDMA/rxe: Reject unknown opcodes before ICRC processing
- RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path
- mptcp: fastclose msk when linger time is 0
- mptcp: use MPJoinSynAckHMacFailure for SynAck HMAC failure
- mptcp: use MPTCP_RST_EMPTCP for ACK HMAC validation failure
- mptcp: sockopt: set timestamp flags on subflow socket, not msk
- mptcp: fix scheduling with atomic in timestamp sockopt
- f2fs: add READ_ONCE() for i_blocks in f2fs_update_inode()
- f2fs: fix fiemap boundary handling when read extent cache is incomplete
- f2fs: fix incorrect multidevice info in trace_f2fs_map_blocks()
- f2fs: fix node_cnt race between extent node destroy and writeback
- f2fs: fix uninitialized kobject put in f2fs_init_sysfs()
- [arm64] KVM: arm64: vgic: Fix IIDR revision field extracted from wrong value
- [arm64] KVM: arm64: Fix initialisation order in __pkvm_init_finalise()
- bpf: Fix use-after-free in arena_vm_close on fork
- fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info
- fs: prepare for adding LSM blob to backing_file
- dma-mapping: drop unneeded includes from dma-mapping.h
- dma-mapping: add __dma_from_device_group_begin()/end()
- hwmon: (powerz) Avoid cacheline sharing for DMA buffer
- mmc: core: Optimize time for secure erase/trim for some Kingston eMMCs
- udf: fix partition descriptor append bookkeeping
- mtd: spinand: winbond: Declare the QE bit on W25NxxJW
- hfsplus: fix uninit-value by validating catalog record size
- hfsplus: fix held lock freed on hfsplus_fill_super()
- erofs: move {in,out}pages into struct z_erofs_decompress_req
- erofs: tidy up z_erofs_lz4_handle_overlap()
- erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
- gtp: disable BH before calling udp_tunnel_xmit_skb()
- printk: add print_hex_dump_devel()
- crypto: caam - guard HMAC key hex dumps in hash_digest_key
- ALSA: aloop: Fix peer runtime UAF during format-change stop
- net: stmmac: avoid shadowing global buf_sz
- net: stmmac: rename STMMAC_GET_ENTRY() -> STMMAC_NEXT_ENTRY()
- net: stmmac: Prevent NULL deref when RX memory exhausted
- wifi: mt76: mt7925: fix incorrect TLV length in CLC command
- tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
- [arm64] KVM: arm64: Wake-up from WFI when iqrchip is in userspace
- [amd64] x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
- ksmbd: validate inherited ACE SID length

[ Salvatore Bonaccorso ]
* ptrace: slightly saner 'get_dumpable()' logic